Owning aws infrastructure services
Download as PPTX, PDF1 like1,354 views
The document covers various aspects of AWS infrastructure, including fundamental concepts, services, and security management. It specifically addresses user and role management using IAM, hunting misconfigured S3 buckets, attacking EC2 instances, and building secure AWS infrastructure. Additionally, it provides tools and techniques for exploiting vulnerabilities within AWS services and recommends further reading for enhanced security practices.
Owning aws infrastructure services
- 1. Pwning AWS Infrastructure Services Suraj Khetani Twitter - @funkyfreestyler
- 2. Agenda • AWS Fundamentals (Boring Stuff) • Understanding AWS Services • Managing Users and Roles in AWS (IAM) • Hunting and Abusing misconfigured S3 buckets • Attacking EC2 Instances • Securing AWS Infrastructure
- 3. AWS Fundamentals • Global Infrastructure
- 4. AWS Global Infrastructure AWS Availability Zone • An AZ is a combination of one or more data centers in a given region. • Interconnected with Hi-Speed LAN for fast communication between availability zones within the same region. • Systems can span multiple AZ • Eg: ap-northeast-1a, ap-northeast-1b, ap- northeast-1c, eu-central-1a, eu-central-1b • Services: EC2, EBS volumes, RDS Instance AWS region • An Amazon AWS region is a physical location spread across globe to host data to reduce latency. • Each region has at least two availability zones for fault tolerance. • Data is not replicated outside of a specified region. • Ability to build and store data across multiple regions • Eg: ap-northeast-1, eu-central-1 • Services: S3Buckets, VPC, EC2/RDS snapshot AWS Edge location • An edge location is where end users access services located at AWS. • Act as gateways between AWS regions and the internet when incorporated in to a workload design. • Chennai, India, Hong Kong, China (2), Melbourne, Australia, Mumbai, India,Osaka, Japan, etc • Services: Amazon CloudFront and Route53, IAM Entities (Users, Roles, Groups, Policies
- 6. Understanding AWS Services EC2 (Elastic Cloud Compute) - VMs on the cloud with SSH / RDP instances S3 (Simple Storage Service) buckets - Storage repository for uploading and downloading data similar to a file server EBS (Elastic Block Storage) - Similar to partitions on a computer RDS (Relational Database Service) - Databases on the cloud ELB (Elastic Load Balancers) - Load balancers on cloud VPC (Virtual Private Cloud) - Networks on cloud Lambda - Allows one to run code without managing servers
- 7. Managing Users and Roles(IAM) • Understanding Users and Roles • Creating IAM Users and Roles • Using AWS CLI
- 8. Managing AWS users and roles Identities (Users, Groups, and Roles) • Users • Root Account The primary AWS account is very powerful in terms of access • IAM Admin Account To avoid losing its keys or secrets, an IAM Administrator account is created which will have the same privileges as a AWS root account except for access to certain features like billing. • IAM User Account Similar to the admin account but has less privileges • IAM Groups An IAM group is a collection of IAM users.
- 9. Managing AWS users and roles • IAM Role • Very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. • A role does not have any permanent credentials (password or access keys) associated with it. • Temporary credentials are primarily used with IAM roles • Use cases of an IAM role: • You're creating an application that runs on an EC2 instance and that application makes requests to AWS.
- 13. Creating IAM User 1. Access key ID 2. Secret access key 3. Unique sign in URL (Bookmark this link)
- 16. AWS CLI • AWS CLI – tool to manage AWS services • Configuring access via aws cli • Checking status
- 17. Hunting and Exploiting S3 buckets • S3 Theory • Recon, Recon, and Recon
- 18. Hunting and Abusing S3 buckets • Files stored in an S3 bucket are called objects • By default, only bucket and object owners have access to the resources • Permissions can be given per object and per bucket. • Use Cases: • Can be used as a platform for serving assets such as images and Javascript. • Can be used for complete server backups to the cloud. • Can be used for hosting static websites. • Common vulnerabilities in S3: • Unauthenticated Bucket Access - allows anonymous users to list, read, and or write to a bucket. • Semi-public Bucket Access - allows any AWS authenticated user i.e. with a valid AWS access key and secret to list, read and or write to a bucket. • Improper ACL Permissions - may reveal which users have what type of access.
- 19. Hunting and Abusing S3 buckets • S3 buckets google dorks: site:*.s3.amazonaws.com
- 20. Hunting and Abusing S3 buckets • nslookup
- 21. Hunting and Abusing S3 buckets • Bruteforce with AWSBucketDump python AWSBucketDump.py -D -l BucketNames_awscloudsec.txt -g s.txt
- 22. Hunting and Abusing S3 buckets • Using bucket-finder to list permissions • Checks to see if the bucket is public, private or a redirect ruby bucket_finder.rb BucketNames_awscloudsec.txt
- 23. Hunting and Abusing S3 buckets • Accessing S3 buckets with aws cli • aws s3 ls s3://<bucket_name> - will list buckets • aws s3 cp s3://<bucket_name> <name_of_file> - will download file from the bucket • aws s3 mv s3://<bucket_name> <name_of_file> - will upload a file to the bucket
- 24. Hunting and Abusing S3 buckets • Auditing s3 buckets with s3-inspector • Checks all your buckets for public access • For every bucket gives a report with: • Indicator if your bucket is public or not • Permissions for your bucket if it is public • List of URLs to access your bucket (non-public buckets will return Access Denied) if it is public
- 25. Attacking EC2 Instances EC2 instance attack surface Understanding and Abusing EC2 Metadata Brute-forcing EC2 instances
- 26. Attacking EC2 Instances • Attack surface • EC2 Metadata abuse • Brute-forcing SSH/RDP password • Leaked SSH private keys
- 27. Attacking EC2 Instances • EC2 Metadata • Data about your instance that can be used to configure or manage the instance. Contains the following information: • Local IP Address • User-data • Instance profile: AWS API credentials • Accessible via http://169.254.169.254/
- 28. Attacking EC2 Instances • EC2 Metadata Cont. • Why is meta-data needed? • Needed for auto-scaling the EC2 instance and more • What is user-data? • Once an IAM role is attached, the user-data is available along with the meta-data • Why is user-data needed? • An application hosted on the EC2 instance may need privileges to get data from an S3 bucket. • Anyone who can access the instance can access the meta-data
- 29. Attacking EC2 Instances • Gaining access to EC2 metadata using SSRF
- 30. Attacking EC2 Instances • Gaining access to EC2 metadata using SSRF
- 31. Attacking EC2 Instances • Gaining access to EC2 metadata using SSRF
- 32. Attacking EC2 Instances • Nimbostratus: Tool for fingerprinting and exploiting Amazon cloud infrastructures. • Using Nimbostratus for dumping permissions ./nimbostratus dump-permissions --access-key ....... --secret-key ....... --token .......
- 33. Attacking EC2 Instances • Using Nimbostratus for creating IAM user ./nimbostratus create-iam-user --access-key ........ --secret-key ........ --token ........
- 34. Attacking EC2 Instances • Brute-forcing SSH/RDP Services • nmap to find services
- 35. Attacking EC2 Instances • Brute-forcing SSH/RDP Services • hydra -l ec2-user -P rockyou.txt ssh://10.0.100.11
- 36. Attacking EC2 Instances • Leaked SSH keys or Secrets on GitHub, Gitlogs, Pastebin, S3 buckets, etc
- 37. Building a Secure AWS Infrastructure
- 38. Building a Secure AWS Infrastructure • Use IAM instead of your root account Use IAM generated users with fine grained permissions instead of using the root account credentials from within your EC2 instances. • Different users for different tasks Assign the least possible privilege for each of the instance profiles and users. Split the users into groups and manage fine-grained permissions for each. • Use instance profiles Instance profiles are the safest and simplest way to provide AWS credentials to EC2 instances. The risks associated with other solutions such as hard coding credentials in the (web) application source code are even higher than the ones instance profiles have.
- 39. References and Recommended Articles • https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds- WP.pdf#tools • https://summitroute.com/blog/2017/08/13/defensive_options_when_using_aws_iam_roles/ • https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/ • https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-storage/ • https://rhinosecuritylabs.com/cloud-security/onelogin-breach-cloud-security-and-protecting-aws- ami-keys/ • https://www.virtuesecurity.com/blog/aws-penetration-testing-s3-buckets/ • https://rhinosecuritylabs.com/cloud-security/aws-security-vulnerabilities-perspective/ • https://www.virtuesecurity.com/blog/aws-penetration-testing-part-2-s3-iam-ec2/ • https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/ • https://www.linuxnix.com/amazon-aws-regions-vs-availability-zones-vs-edge-locations-vs-data- centers/
- 40. Topics for Next session • Attacking AWS Lambda Endpoints • Abusing public EBS snapshots • Attacking RDS instances • OSINT Techniques on cloud • Auditing and Monitoring AWS infrastructure