AWS Security
n|u - The Open security community, Chennai Meet
Presenter : Vinoth Kumar
Date : 18/03/2017
# About Me
Application security engineer @ Freshdesk
Blogger @ http://www.tutorgeeks.net
Email @ [email protected]
https://null.co.in/profile/294-vinothpkumar
What is AWS
Amazon Web Services (AWS) is a “secure“ cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.
Getting started with AWS
Create an account in AWS and start playing with their services - https://aws.amazon.com/free/
A valid credit card is required for account creation.
AWS Services
Amazon Elastic Compute - EC2
Amazon Simple Storage Service - S3
Amazon Relational Database Service - RDS
Amazon CloudFront - CDN
Why AWS
No need to build your own infrastructure capability - cost saved
No need for additional operations staff - cost saved
Helps in obtaining industry certifications like ISO 27001 with less effort, since the underlying infrastructure is already certified - less tension :)
Accessing AWS using CLI
The AWS Command Line Interface is a unified tool to manage your AWS services.
Install it with pip:
pip install awscli
or from a source checkout:
cd <path_to_awscli>
python setup.py install
Then configure credentials. They are written in plaintext to ~/.aws/credentials, so protect that file like a password:
aws configure
AWS Access Key ID: <your access key id>
AWS Secret Access Key: <your secret access key>
Default region name [us-west-2]: us-west-2
Default output format [None]: json
Check which account and identity the keys belong to before using them:
aws sts get-caller-identity
https://aws.amazon.com/cli/
AWS S3 - Internet's hard drive is down
The S3 service in us-east-1 was down on Feb 28th, 2017. What exactly happened?
Human error - while debugging a billing issue, an engineer ran a command that removed far more S3 servers than intended, including servers of the index and placement subsystems, and S3 had to be restarted.
The S3 outage affected other AWS services like ELB, IoT etc., which depend on S3.
EC2 Instance IP disclosure
1. Send a GET request to example.com.
2. Change the HTTP version from 1.1 to 1.0.
3. Remove the Host header (HTTP/1.0 does not require a Host header; source - The Web Application Hacker's Handbook).
4. Add a traversal sequence to the path (GET /.. HTTP/1.0) and forward the request.
5. Observe the IP being disclosed in the Location header of the redirect.
Why it works: with no Host header to copy into the redirect, some web servers build the Location URL from their own IP address instead, so the instance IP shows up even when the instance is otherwise hidden behind a load balancer or CDN.
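The probe in steps 1-5 and the check on the Location header, as an added Python example that is not part of the original slides. probe() sends the raw HTTP/1.0 request over a socket with no Host header; leaked_ip_from_response() does the step-5 check on a response. The sample responses below are constructed for illustration, and 203.0.113.10 is a documentation address, not a real instance.

```python
import re
import socket

# The Host-less HTTP/1.0 request from the slides: a directory traversal
# path, protocol version 1.0, and no Host header at all.
PROBE_REQUEST = b"GET /.. HTTP/1.0\r\n\r\n"

# Constructed response standing in for a server that builds its redirect
# from its own address when the request carries no Host header.
SAMPLE_LEAKY_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache\r\n"
    b"Location: http://203.0.113.10/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed response from a server that redirects to a hostname instead:
# nothing is leaked, and the check must say so.
SAMPLE_CLEAN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"\r\n"
)

# An IPv4 literal as the authority of the redirect URL, optional port.
_IP_AUTHORITY = re.compile(
    r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)"
)


def location_header(raw):
    """Return the value of the Location header, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def leaked_ip_from_response(raw):
    """Step 5: the IP in the Location header, or None if no IP literal."""
    loc = location_header(raw)
    if loc is None:
        return None
    m = _IP_AUTHORITY.match(loc)
    return m.group(1) if m else None


def probe(host, port=80, timeout=5.0):
    """Steps 1-4 over a plain socket; returns the leaked IP or None.

    Needs network access, so it is not exercised offline.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE_REQUEST)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return leaked_ip_from_response(b"".join(chunks))


if __name__ == "__main__":
    print(leaked_ip_from_response(SAMPLE_LEAKY_RESPONSE))   # 203.0.113.10
    print(leaked_ip_from_response(SAMPLE_CLEAN_RESPONSE))   # None
```

Only an IP literal in the Location header counts as a finding; a redirect to a hostname is the normal behaviour and is reported as None. A 400 response to the Host-less request simply means the server is not affected.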
S3 Bucket Misconfiguration
Bucket : "bucketname.s3-ap-southeast-1.amazonaws.com"
Vulnerability : write access granted to the "Any Authenticated AWS User" group. That group is every AWS account holder, not just users of the bucket owner's account, so anyone with a free AWS account can upload objects.
Vinoth:~ vinoth$ aws s3 mv malicious.bat s3://bucketname
move: ./malicious.bat to s3://bucketname/malicious.bat
The issue has been reported and it is fixed.
Vinoth:~ vinoth$ aws s3 mv demo.txt s3://bucketname
move failed: ./demo.txt to s3://bucketname/demo.txt
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
When testing this yourself, upload a harmless file and delete it afterwards; if the grant also allows READ_ACP, "aws s3api get-bucket-acl --bucket bucketname" lists the offending grant directly.
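An audit of the ACL behind this finding, as an added Python example (not from the slides). audit_acl() takes a bucket ACL in the shape that boto3's get_bucket_acl() returns (a dict with Owner and Grants) and reports grants to the two public groups, AllUsers and AuthenticatedUsers; harden_acl() returns the same ACL with those grants stripped so only the owner keeps access. The sample ACL and the owner ID are constructed, and nothing here calls AWS, so it runs offline.

```python
# URIs S3 uses for its predefined groups (from the S3 ACL documentation).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet",
                 AUTHENTICATED_USERS: "any AWS account holder"}

# Permissions that let a grantee change the bucket, not just read it.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed ACL in the layout of boto3's s3.get_bucket_acl() response,
# reproducing the slide's misconfiguration: the bucket owner keeps
# FULL_CONTROL, but the AuthenticatedUsers group has been granted WRITE.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef",
                     "DisplayName": "bucket-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def audit_acl(acl):
    """Return one finding per grant to a public group.

    Each finding is (severity, permission, who), with severity "high"
    for write-like permissions and "medium" for read-only ones.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue                      # e.g. the LogDelivery group
        perm = grant.get("Permission")
        severity = "high" if perm in WRITE_LIKE else "medium"
        findings.append((severity, perm, who))
    return findings


def harden_acl(acl):
    """Copy of the ACL with every public-group grant removed.

    The result has the shape put_bucket_acl(AccessControlPolicy=...) accepts.
    """
    kept = [g for g in acl.get("Grants", [])
            if not (g.get("Grantee", {}).get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    for severity, perm, who in audit_acl(SAMPLE_ACL):
        print(f"[{severity}] {perm} granted to {who}")
    print("after hardening:",
          [g["Permission"] for g in harden_acl(SAMPLE_ACL)["Grants"]])
```

With boto3 the same check is audit_acl(boto3.client("s3").get_bucket_acl(Bucket=name)). put_bucket_acl replaces the ACL wholesale, so hand it the full hardened policy rather than just the grants to drop. A bucket policy can grant the same access independently of the ACL, so check that too before calling the bucket closed.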
S3 Bucket - Subdomain takeover
Enumerate the subdomains. It is not difficult, one command does it - knockpy example.com
Keep an eye out for S3's "NoSuchBucket" error while viewing the subdomains ("The specified bucket does not exist"); it means DNS still points at a bucket that no longer exists.
Investigate the subdomain - dig / nslookup subdomain.example.com
subdomain.example.com CNAME "bucketname.s3.amazonaws.com"
Create a bucket with exactly that name in your own AWS account (bucket names are global, so the name must still be free, and if the CNAME names a regional or s3-website endpoint the bucket must be created in that region) and host your subdomain takeover page in it.
Now "subdomain.example.com" will show your hosted page.
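The check in the steps above, as an added Python example that is not from the slides: parse_s3_endpoint() recognises the S3 hostname shapes a CNAME can point at and pulls out the bucket name and region, and takeover_candidate() combines that with S3's NoSuchBucket error body to say whether the target is dangling. The sample CNAME targets and error body below are constructed; resolve_canonical() uses only the standard library resolver and is the one part that needs a network.

```python
import re
import socket

# Hostname shapes an S3 CNAME can point at:
#   bucket.s3.amazonaws.com
#   bucket.s3-<region>.amazonaws.com          bucket.s3.<region>.amazonaws.com
#   bucket.s3-website-<region>.amazonaws.com  bucket.s3-website.<region>.amazonaws.com
# Bucket names may contain dots, so the bucket is everything before the
# last ".s3" (the regex is greedy on purpose).
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?P<website>[.-]website)?"
    r"(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?"
    r"\.amazonaws\.com\.?$"
)

# The error S3 returns for a bucket that does not exist.
NO_SUCH_BUCKET = re.compile(r"<Code>\s*NoSuchBucket\s*</Code>")


def parse_s3_endpoint(target):
    """Return {"bucket", "region", "website"} for an S3 hostname, else None.

    region is None for the global bucket.s3.amazonaws.com endpoint.
    """
    m = _S3_HOST.match(target.strip().lower())
    if not m:
        return None
    return {"bucket": m.group("bucket"),
            "region": m.group("region"),
            "website": m.group("website") is not None}


def takeover_candidate(cname_target, body):
    """Dangling-bucket verdict for one subdomain.

    cname_target: what the CNAME points at (dig / nslookup output).
    body: the HTTP response body fetched from the subdomain.
    Returns the parsed endpoint if the target is an S3 hostname AND S3
    answered NoSuchBucket, else None.
    """
    endpoint = parse_s3_endpoint(cname_target)
    if endpoint is None or not NO_SUCH_BUCKET.search(body):
        return None
    return endpoint


def resolve_canonical(host):
    """Canonical name the system resolver reports for host.

    Follows the CNAME chain; raises socket.gaierror on NXDOMAIN.
    dig CNAME remains the authoritative check.
    """
    return socket.gethostbyname_ex(host)[0]


# Constructed inputs mirroring the slide: a CNAME into S3 and the error
# body S3 returns for a bucket that does not exist.
SAMPLE_CNAME = "bucketname.s3.amazonaws.com."
SAMPLE_NO_SUCH_BUCKET = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<Error><Code>NoSuchBucket</Code>"
    "<Message>The specified bucket does not exist</Message>"
    "<BucketName>bucketname</BucketName></Error>"
)
SAMPLE_LIVE_BODY = "<html><body>welcome</body></html>"

if __name__ == "__main__":
    print(takeover_candidate(SAMPLE_CNAME, SAMPLE_NO_SUCH_BUCKET))
    print(takeover_candidate(SAMPLE_CNAME, SAMPLE_LIVE_BODY))
```

A hit is only a candidate: the bucket name still has to be free when you try to create it, and for a regional or website endpoint the bucket has to be created in the region the CNAME names. A NoSuchBucket body with a non-S3 CNAME is deliberately not reported, since the error then comes from somewhere you cannot take over this way.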
Asana - AWS key disclosure
Uploaded a 65000x65000 pixel image as the profile picture.
The S3 bucket upload could not handle the huge image and failed.
The error message shown to the user included the AWS access key and secret key.
Bounty awarded : 500 USD
https://molico.tomahock.com/lottapixel-my-first-500-bounty-d3e678da1861#.88buoaod6
AWS Keys Exposed
Developers sometimes commit their AWS credentials to GitHub by mistake, where anyone can search for them.
https://gitleaks.com/search?q=AWS
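A scanner for the two leaks above (the Asana error page and credentials committed to GitHub), as an added Python example that is not from the slides. find_aws_credentials() looks for access key IDs by their AKIA/ASIA prefix and for 40-character secrets on lines that mention a secret, and skips lowercase hex strings so git commit hashes are not reported. The stack-trace text and diff below are constructed; the key pair in them is the example pair from the AWS documentation, not a live credential.

```python
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is a 40-character base64-like token. It is only
# reported from lines that also talk about a secret, to keep noise down.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT = re.compile(r"secret", re.IGNORECASE)
HEX_ONLY = re.compile(r"^[0-9a-f]{40}$")   # sha1 commit ids are 40 chars too


def find_aws_credentials(text):
    """Return [(line_no, kind, value)] for every credential-looking token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((line_no, "access_key_id", m.group(0)))
        if SECRET_CONTEXT.search(line):
            for m in SECRET_CANDIDATE.finditer(line):
                token = m.group(0)
                if not HEX_ONLY.match(token):
                    hits.append((line_no, "secret_access_key", token))
    return hits


# Constructed error page in the spirit of the Asana report: a failed
# upload whose stack trace echoes the S3 client's configuration.
SAMPLE_ERROR_PAGE = """\
UploadError: could not store profile image (65000x65000) in bucket
  S3Client(aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
           aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY')
  at upload_profile_picture (profile.py:42)
"""

# Constructed git diff of the kind that ends up searchable on GitHub.
SAMPLE_DIFF = """\
commit 4b825dc642cb6eb9a060e54bf8d69288fbee4904
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
+# rotated old secret, see commit 4b825dc642cb6eb9a060e54bf8d69288fbee4904
+API_KEY=not-an-aws-key
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ERROR_PAGE, SAMPLE_DIFF):
        for line_no, kind, value in find_aws_credentials(sample):
            print(f"line {line_no}: {kind} = {value}")
```

Treat any hit as compromised: deactivate the key in IAM and rotate it, and run aws sts get-caller-identity with the leaked pair to see which account it belongs to. Rewriting the git history is not enough on its own, since a pushed commit has usually been crawled within minutes.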
Murder in the cloud
Code Spaces - an attacker got hold of the credentials for the company's AWS account and its control panel.
The attacker asked for a ransom - Code Spaces refused.
The attacker then deleted the EC2 instances, EBS volumes, S3 buckets and backups; the backups lived in the same AWS account, so they went too.
Code Spaces was shut down completely.
Key takeaways : keep backups outside the AWS account that runs production (a separate account or provider), and protect the console login with MFA.
http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
Resources for Learning AWS Security
https://aws.amazon.com/blogs/security/ - Official AWS security blog.
http://flaws.cloud - CTF Challenge to learn AWS security.
https://www.slideshare.net/search/slideshow?searchfrom=header&q=AWS+Security