SlideShare a Scribd company logo

Dev secops on the offense automating amazon web services account takeover

Priyanka Aash, profile picture
Priyanka Aash

This document discusses how automation can be used to take over Amazon Web Services (AWS) accounts by abusing permissions. It describes how modules have been created to automate actions like creating administrative IAM users, launching EC2 instances, and locking out other accounts. The presentation demonstrates how these modules could be used by an attacker to escalate privileges within an AWS account and eventually take it over if the permissions are not restricted properly. It emphasizes the importance of following security best practices like least privilege when working with AWS.

Technology
1 of 50
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
SESSION ID:SESSION ID: #RSAC Javier Godinez DevSecOps on the Offense: Automating Amazon Web Services Account Takeover IDY-W10 Founding Member DevSecOps.org @isomorphix Ian Allison Founding Member DevSecOps.org @iallison
#RSAC Disclaimer 2 This is not an Amazon Web Services (AWS) issue This is a DevOps education issue It is the user’s responsibility to understand the technology being used With power user privileges come great responsibilities
#RSAC How our Grandfathers Ran a Stack 3 Glen Beck (background) and Betty Snyder (foreground) program ENIAC in BRL building 328. (U.S. Army photo)
#RSAC How our Mothers Ran a Stack 4 Lawrence Livermore National Laboratory [Attribution], via Wikimedia Commons
#RSAC © 2007 Nuno Pinheiro & David Vignoni & David Miller & Johann Ollivier Lapeyre & Kenneth Wimer & Riccardo Iaconelli / KDE, via Wikimedia Commons 5 aws ec2 run-instances ami-12345678 -t m3.large -k $my-key-pair -g $my-security-group How We Run a Stack
#RSAC 6 Attack Surface + Misunderstanding of Technology == Low Hanging Fruit The Cloud is Ripe for the Picking
#RSAC Acceleration into the Cloud 7 Information Security Job Postings DevOps Jobs Postings
#RSAC Understanding the Technology You Use 8 How fast can I move while still staying safe? Always develop in separate account (Blast Radius Containment) Read the docs for everything and make conscious decisions and document those decisions Attackers will try to leverage everything against you Bleeding edge does not mean stable and secure. However, it can be with enough testing
#RSAC Instance 9 Virtual host Virtual environment on Xen hypervisor Feels very much like a host running on bare metal Hypervisor Instance Operating System
#RSAC Metadata Service 10 Internal HTTP service that provides Instances information about its environemt Available from host at http://169.254.169.254/ Provides temporary credentials to hosts with instance profiles Hypervisor Instance Metadata OS Instance OS
#RSAC Instance Profile 11 AWS construct that maps a role to an instance Instance may or may not have a profile associated with it Instance
#RSAC AWS Identity and Access Management Overview 12 Users Groups Roles Policies Effect Actions Resources Condition
#RSAC The Good 13 Policy is specifically created for the application Least privilege Made to be as granular as possible
#RSAC The Bad 14 ec2:* iam:* anything:*
#RSAC The Ugly 15 All Access Great for Development Really Bad for Security
#RSAC 16 What Does Ugly Really Look Like? The best way to determine whether you truly have an ugly duck is by exploiting the most dangerous vulnerabilities.
#RSAC How do we catch up? 17 Through automation with a dash of Ruby
#RSAC AWS Create IAM User (CIAMU) Module 18 Allows for the creation of a user with Admin Privileges to the AWS account Needs access to AWS Access Keys or Instance Role with: iam:CreateUser iam:CreateGroup iam:PutGroupPolicy iam:AddUserToGroup iam:CreateAccessKey If you have instances/instance roles with this combination of IAM privileges it’s very dangerous.
#RSAC AWS Launch Instances Module 19 Launches an EC2 instance with a Public IP Required Privileges: ec2:RunInstances ec2:ImportKeyPair ec2:CreateSecurityGroup ec2:AuthorizeSecurityGroupIngress ec2:Describe* Can launch instance with Instance Profile Can launch cluster of Instances Can automate tasks via bootstrap
#RSAC AWS IAM Account Lockout Module 20 Requires an IAM admin role (created by CIAMU module) Enumerates all users and access keys Accepts a user to keep Locks out all other accounts Allows security teams to protect potentially compromised accounts
#RSAC Demonstration Network Diagram
#RSAC Demonstration
#RSAC Upcoming Modules and Ongoing Projects 23 AWS IAM privilege enumeration module AWS Lambda module AWS s3 bucket and access enumeration module Cumulus Cloud Attack Toolkit AWS Google Cloud Platform DevSecOps.org Community https://github.com/devsecops/lambhack
#RSAC 24 Helping you get from ugly to…
#RSAC How Apply This Knowledge 25 Read the AWS IAM Best Practices Documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html Monitor IAM actions using AWS CloudTrail Get creative with AWS services: Config + CloudWatch Events + Lambda Audit your AWS Account IAM Policies and Roles Red Team your applications and instances Think to yourself: “How would an attacker use this against me?” Use repeatable secure patterns: https://github.com/devsecops Help build awareness through community: http://www.devsecops.org
#RSAC Appendix Demo Slides 26
#RSAC Load Metasploit
#RSAC Use sshexec to gain a foothold
#RSAC Instantiate a shell
#RSAC Retrieve temporary credentials
#RSAC Enumerate the network
#RSAC Enumerate the Metadata service
#RSAC Enumerate the Metadata service
#RSAC Escalate privileges on account A
#RSAC Login
#RSAC Explore account
#RSAC Discover Networks
#RSAC Explore the network
#RSAC Discover services
#RSAC Setup a tunnel and scan for vulns
#RSAC Exploit Jenkins
#RSAC Retrieve temporary credentials
#RSAC Launch a new instance with Admin privs
#RSAC Launch a new instance with Admin privs
#RSAC Launch a new instance with Admin privs
#RSAC Establish a session with new host
#RSAC Establish a session with new host
#RSAC Establish a session with new host
#RSAC Escalate privileges on account B
#RSAC Open the console

More Related Content

PPTX
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
PDF
Red Team vs. Blue Team on AWS
Priyanka Aash
 
PDF
Security precognition chaos engineering in incident response
Priyanka Aash
 
PDF
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
PDF
Beyond the mcse red teaming active directory
Priyanka Aash
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Security precognition chaos engineering in incident response
Priyanka Aash
 
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Beyond the mcse red teaming active directory
Priyanka Aash
 
AllDayDevOps 2019 AppSensor
jtmelton
 

What's hot (19)

PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
PDF
Guy Podjarmy - Secure Node Code
DevSecCon
 
PPTX
RSA 2018: Recon For the Defender - You know nothing (about your assets)
Jonathan Cran
 
PDF
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Priyanka Aash
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PDF
A Pragmatic Union: Security and SRE
James Wickett
 
PDF
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
PPTX
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
PDF
Serverless Security: What's Left To Protect
Guy Podjarny
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PDF
Collaborative security : Securing open source software
Priyanka Aash
 
PDF
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PDF
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
PDF
[OPD 2019] Life after pentest
OWASP
 
PDF
Securing 100 products - How hard can it be?
Priyanka Aash
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
Guy Podjarmy - Secure Node Code
DevSecCon
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
Jonathan Cran
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Priyanka Aash
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
A Pragmatic Union: Security and SRE
James Wickett
 
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Serverless Security: What's Left To Protect
Guy Podjarny
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
Collaborative security : Securing open source software
Priyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
The path of secure software by Katy Anton
DevSecCon
 
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
[OPD 2019] Life after pentest
OWASP
 
Securing 100 products - How hard can it be?
Priyanka Aash
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
Ad

Similar to Dev secops on the offense automating amazon web services account takeover (20)

PDF
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Priyanka Aash
 
PDF
Secure Cloud Development Resources with DevOps
CloudPassage
 
PDF
Cloud security : Automate or die
Priyanka Aash
 
PDF
Security Process in DevSecOps
Opsta
 
PPTX
API Security: Assume Possible Interference
Julie Tsai
 
PDF
DETECTE E INVESTIGUE LAS AMENAZAS AVANZADAS
Cristian Garcia G.
 
PDF
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Priyanka Aash
 
PDF
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Priyanka Aash
 
PPTX
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
RSA 2015 Realities of Private Cloud Security
Scott Carlson
 
PPTX
AWS Lambda Security Inside & Out
PureSec
 
PDF
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
PDF
How Security can be the Next Force Multiplier in DevOps
Andrew Storms
 
PPTX
Red Team vs Blue Team on AWS - RSA 2018
2nd Sight Lab
 
PDF
Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 
PDF
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
PPTX
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
PPTX
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Priyanka Aash
 
Secure Cloud Development Resources with DevOps
CloudPassage
 
Cloud security : Automate or die
Priyanka Aash
 
Security Process in DevSecOps
Opsta
 
API Security: Assume Possible Interference
Julie Tsai
 
DETECTE E INVESTIGUE LAS AMENAZAS AVANZADAS
Cristian Garcia G.
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Priyanka Aash
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Priyanka Aash
 
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecOps in Baby Steps
Priyanka Aash
 
RSA 2015 Realities of Private Cloud Security
Scott Carlson
 
AWS Lambda Security Inside & Out
PureSec
 
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
How Security can be the Next Force Multiplier in DevOps
Andrew Storms
 
Red Team vs Blue Team on AWS - RSA 2018
2nd Sight Lab
 
Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Dev secops on the offense automating amazon web services account takeover