SlideShare una empresa de Scribd logo

Here for a good time, not a long time: exploiting AWS loopholes with temporary credentials

C
CloudVillage

"Cloud infrastructure design is complex and makes even the most straight-forward topics, such as Identity and Access Management (IAM), non-trivial and confusing and therefore, full of security risk. While AWS IAM provides for access via console and API/CLI using access keys, there is also a temporary security tokens feature, designed for secure temporary access. However, temporary tokens have multiple security pot-holes that can lead to exploits. I'll explore the limitations of temporary tokens including: - the lack of visibility/management - minimal logging - limited remediation options and how this can be taken advantage of, especially in combination with other techniques such as assuming of roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation. In addition, I’ll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field."

Tecnología
1 de 39
Descargar para leer sin conexión
1 jhwong@netskope.com @jenkohwong defcon cloud-village August 10, 2019 Here for a good time, not a long time 1 Exploiting AWS loopholes with temporary credentials
@jenkohwong • netskope threat research team • windows security, vulnerability scanning, routers/appliances, av/as, threat intel, exploits/pen-testing • product / engineering 2
Agenda • Attack Scenario: Temporary Tokens • Defender Viewpoint: Challenges • Do & Don't 3
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Attack Scenario
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
Discovery
Discovery
Discovery
can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 escalate privileges with compromised access key A or temp token B 3 Privilege Escalation
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
Defender Viewpoint 20
Defender Viewpoint • Assumptions • AWS experience • CloudTrail/CloudWatch • Less knowledge of temp credentials • Starting Point • External party re: leaked data • Events/Alarms 21
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Detect: 1.CloudTrail/Watch detects Data Exfil (action/destination) 2. Privilege Escalation? 3. Correlation / Anomaly detection?
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole 2. JenkoBucketRole valid, not overprivileged, assigned to correct users 3. user interview => compromised key
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
Defender Viewpoint: Challenges • GetSessionToken and the returned temp token B are troubling • We're seeing STS and temp tokens • Same fields in AssumeRole actions but GetSessionToken is new • Reading up...we see we have another set of access keys floating around 28
STS Temp Tokens • Expiration/Timing: • 15 minutes to 36 hours • +CloudTrail event latency (from API call to logging on S3) of at least 20 minutes • Temporary tokens generated by AWS (e.g. passing roles to services like EC2) usually have shorter time frames (1 hour). But automatically refreshed, so an attacker who’s gained control of an EC2 instance only needs to refresh their tokens every hour. • API Access • Can use any service that the original user has privileges for, except… • Sessions using temporary tokens cannot create more temporary tokens • Within STS, can only invoke AssumeRole • Many techniques for Privilege escalation (AssumeRole), not a barrier (follow rhino) 29
Defensive Viewpoint: Temp Tokens Assess/Analyze • Untracked, no way to list current active ones or historically generated • Not in Console, no CLI/API command to ListGeneratedTokens • They are logged but you would have to parse and persist from CloudTrail 30
Defensive Viewpoint: Temp Tokens 31 Detect Update CloudWatch/SIEM filters to detect • Creation: GetSessionToken AssumeRole actions • Usage: accessKeyId =~ ASIA*
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 4 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken 2. No MFA on GetSessionToken 3. IAM permissions boundaries 4. Restrict sts:AssumeRole 5. Revoke active sessions for Role AssumeRole JenkoBucketRole temp token B’ 2 5 3 generated from all keys/tokens jenko_test_user max perms
RED - Generate temp credentials for backdoor access - Combine temp credentials with presigned urls, lambdas, log attacks - Consider lambdas as a means to persist temp credentials - Assess whether logging/alerting for temp credentials is being done 37
BLUE • Get a plan in place ASAP to manage temp token usage esp remediation/recovery • Prevention: lockdown access keys, isolate temp token usage in separate accounts, minimal privileges for AssumeRole/PassRole • Detection: alert on GetSessionToken, alert on temp tokens (ASIA*), harden CloudTrail/CloudWatch/SIEM • Mitigation/Remediation: review/revise remediation playbook, do not use GetSessionToken, use AssumeRole, use revoke active sessions for role, create/test a recovery plan from compromised temp tokens • Provisioning/Inventory: track temp tokens that are created in a datastore, use wrapper code for custom apps that need temp tokens, for AWS-generated tokens (IoT, AssumeRole) have to parse logs 38
Thank you jhwong@netskope.com @jenkohwong Slide deck and recap can be found at: https://www.netskope.com/blog/aws-loopholes-with-temporary-credentials 39

Recomendados

Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud eraCloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudCloudVillage
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSCloudVillage
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudCloudVillage
 
Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceCloudVillage
 

Recomendados

Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud eraCloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudCloudVillage
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSCloudVillage
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudCloudVillage
 
Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceCloudVillage
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Más contenido relacionado

Último

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Destacado

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destacado (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Here for a good time, not a long time: exploiting AWS loopholes with temporary credentials

  • 1. 1 jhwong@netskope.com @jenkohwong defcon cloud-village August 10, 2019 Here for a good time, not a long time 1 Exploiting AWS loopholes with temporary credentials
  • 2. @jenkohwong • netskope threat research team • windows security, vulnerability scanning, routers/appliances, av/as, threat intel, exploits/pen-testing • product / engineering 2
  • 3. Agenda • Attack Scenario: Temporary Tokens • Defender Viewpoint: Challenges • Do & Don't 3
  • 4. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Attack Scenario
  • 5. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 6. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 7. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 8. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
  • 9. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
  • 13. can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
  • 14. can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
  • 15. AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
  • 16. AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
  • 17. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 escalate privileges with compromised access key A or temp token B 3 Privilege Escalation
  • 18. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
  • 19. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
  • 21. Defender Viewpoint • Assumptions • AWS experience • CloudTrail/CloudWatch • Less knowledge of temp credentials • Starting Point • External party re: leaked data • Events/Alarms 21
  • 22. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Detect: 1.CloudTrail/Watch detects Data Exfil (action/destination) 2. Privilege Escalation? 3. Correlation / Anomaly detection?
  • 23. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
  • 24. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
  • 25. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole 2. JenkoBucketRole valid, not overprivileged, assigned to correct users 3. user interview => compromised key
  • 26. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
  • 27. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
  • 28. Defender Viewpoint: Challenges • GetSessionToken and the returned temp token B are troubling • We're seeing STS and temp tokens • Same fields in AssumeRole actions but GetSessionToken is new • Reading up...we see we have another set of access keys floating around 28
  • 29. STS Temp Tokens • Expiration/Timing: • 15 minutes to 36 hours • +CloudTrail event latency (from API call to logging on S3) of at least 20 minutes • Temporary tokens generated by AWS (e.g. passing roles to services like EC2) usually have shorter time frames (1 hour). But automatically refreshed, so an attacker who’s gained control of an EC2 instance only needs to refresh their tokens every hour. • API Access • Can use any service that the original user has privileges for, except… • Sessions using temporary tokens cannot create more temporary tokens • Within STS, can only invoke AssumeRole • Many techniques for Privilege escalation (AssumeRole), not a barrier (follow rhino) 29
  • 30. Defensive Viewpoint: Temp Tokens Assess/Analyze • Untracked, no way to list current active ones or historically generated • Not in Console, no CLI/API command to ListGeneratedTokens • They are logged but you would have to parse and persist from CloudTrail 30
  • 31. Defensive Viewpoint: Temp Tokens 31 Detect Update CloudWatch/SIEM filters to detect • Creation: GetSessionToken AssumeRole actions • Usage: accessKeyId =~ ASIA*
  • 32. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
  • 33. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
  • 34. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
  • 35. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
  • 36. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 4 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken 2. No MFA on GetSessionToken 3. IAM permissions boundaries 4. Restrict sts:AssumeRole 5. Revoke active sessions for Role AssumeRole JenkoBucketRole temp token B’ 2 5 3 generated from all keys/tokens jenko_test_user max perms
  • 37. RED - Generate temp credentials for backdoor access - Combine temp credentials with presigned urls, lambdas, log attacks - Consider lambdas as a means to persist temp credentials - Assess whether logging/alerting for temp credentials is being done 37
  • 38. BLUE • Get a plan in place ASAP to manage temp token usage esp remediation/recovery • Prevention: lockdown access keys, isolate temp token usage in separate accounts, minimal privileges for AssumeRole/PassRole • Detection: alert on GetSessionToken, alert on temp tokens (ASIA*), harden CloudTrail/CloudWatch/SIEM • Mitigation/Remediation: review/revise remediation playbook, do not use GetSessionToken, use AssumeRole, use revoke active sessions for role, create/test a recovery plan from compromised temp tokens • Provisioning/Inventory: track temp tokens that are created in a datastore, use wrapper code for custom apps that need temp tokens, for AWS-generated tokens (IoT, AssumeRole) have to parse logs 38
  • 39. Thank you jhwong@netskope.com @jenkohwong Slide deck and recap can be found at: https://www.netskope.com/blog/aws-loopholes-with-temporary-credentials 39