search
githubEdit

👨‍🔬Exploiting AWS Misconfigurations

hashtag
Basic AWS Services

  • VPC - Virtual Private Cloud

    • Logical Data Center in AWS

  • EC2 - Elasitic Cloud Compute

    • Runs instances that are similar to VMs

  • S3 - Simple Storage Solution

    • Object storage organized into Buckets

  • IAM - Identify Access Management

    • How AWS provisions access

hashtag
The Problem

The problem exists with an AWS EC2 "feature" called Instance Metadata and an attack known as a Server Side Request Forgery (SSRF).

hashtag
Tool

LogoGitHub - RhinoSecurityLabs/cloudgoat: CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment toolGitHubchevron-right

hashtag
Setup

  • Nginx running on AWS EC2

  • S3 Buckets with sensitive data

  • IAM Roles with read access to S3 buckets

  • Instance Profile with IAM Roles attached to EC2 instance

hashtag
Misconfiguration

The proxy server should be allowed to retrieve information from the web application server and nothing else.

hashtag
The attack

  • Discover the Proxy Server that allows access to the Instance Metadata service

  • Craft a request against the web server that can return data from Instance Metadata Service

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role

  • This returns temporary credentails that can be used to access resources allowed by the IAM role

hashtag
Get Meta-Data

hashtag
View the directories

hashtag
View the meta-data directory

hashtag
View the iam directory

hashtag
View the buckets using leaked creds

hashtag
List bucket objetcts

hashtag
Get Encryption details

hashtag
Sync the bucket objects into the laptop

hashtag
Prevention

  • Use least privilege when creating IAM Roles

  • If you do not need the Instance Metadata API (you don't) then firewall it

  • Do not store sensitive data in your provisioning scripts because these can also be read by the Instance Metadata API

PreviousAttacks & MethodologyNextAWS Pentest Methodology

Last updated