#RSAC

SESSION ID: IDY-W10

DevSecOps on the Offense: Automating Amazon Web Services Account Takeover

Javier Godinez, Founding Member, DevSecOps.org, @isomorphix

Ian Allison, Founding Member, DevSecOps.org, @iallison

PDF file, 2017-02-13

Disclaimer

This is not an Amazon Web Services (AWS) issue

This is a DevOps education issue

It is the user's responsibility to understand the technology being used

With power user privileges come great responsibilities

How our Grandfathers Ran a Stack

Glen Beck (background) and Betty Snyder (foreground) program ENIAC in BRL building 328. (U.S. Army photo)

How our Mothers Ran a Stack

Lawrence Livermore National Laboratory [Attribution], via Wikimedia Commons

How We Run a Stack

aws ec2 run-instances --image-id ami-12345678 --instance-type m3.large --key-name "$my_key_pair" --security-groups "$my_security_group"

© 2007 Nuno Pinheiro & David Vignoni & David Miller & Johann Ollivier Lapeyre & Kenneth Wimer & Riccardo Iaconelli / KDE, via Wikimedia Commons

The Cloud is Ripe for the Picking

Attack Surface + Misunderstanding of Technology == Low Hanging Fruit

Acceleration into the Cloud

[Chart: Information Security Job Postings vs. DevOps Job Postings]

Understanding the Technology You Use

How fast can I move while still staying safe?

Always develop in a separate account (Blast Radius Containment)

Read the docs for everything, make conscious decisions, and document those decisions

Attackers will try to leverage everything against you

Bleeding edge does not mean stable and secure. However, it can be with enough testing

Instance

Virtual host

Virtual environment on Xen hypervisor

Feels very much like a host running on bare metal

[Diagram: Hypervisor, Instance, Operating System]

Metadata Service

Internal HTTP service that provides an instance with information about its environment

Available from the host at http://169.254.169.254/

Provides temporary credentials to hosts with instance profiles

[Diagram: Hypervisor hosting two Instances (OS) and the Metadata service]

Instance Profile

AWS construct that maps a role to an instance

An instance may or may not have a profile associated with it

AWS Identity and Access Management Overview

Users

Groups

Roles

Policies: Effect, Actions, Resources, Condition

The Good

Policy is specifically created for the application

Least privilege

Made to be as granular as possible

The Bad

ec2:*

iam:*

anything:*

The Ugly

All Access

Great for Development

Really Bad for Security

What Does Ugly Really Look Like?

The best way to determine whether you truly have an ugly duck is by exploiting the most dangerous vulnerabilities.

How do we catch up?

Through automation with a dash of Ruby

AWS Create IAM User (CIAMU) Module

Allows for the creation of a user with Admin privileges to the AWS account

Needs access to AWS Access Keys or an Instance Role with: iam:CreateUser, iam:CreateGroup, iam:PutGroupPolicy, iam:AddUserToGroup, iam:CreateAccessKey

If you have instances/instance roles with this combination of IAM privileges, it's very dangerous.
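The Good/Bad/Ugly grades from the earlier slides and the CIAMU privilege list above can be checked mechanically against a policy document. The following Ruby is an added example, not code from the talk or its toolkit: it flags all-access and service-wide wildcards and, by expanding Action wildcards, catches a policy that grants the five CIAMU actions without naming them all; the sample policies are constructed.

```ruby
require 'json'

# The privilege combination the CIAMU module needs; a principal holding all
# five can mint a fresh admin user for the account.
ADMIN_CREATION_ACTIONS = %w[iam:CreateUser iam:CreateGroup iam:PutGroupPolicy
                            iam:AddUserToGroup iam:CreateAccessKey].freeze

# True when an IAM Action pattern ("iam:*", "*", "iam:Create*") covers +action+.
def action_matches?(pattern, action)
  regex = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', true)
  regex.match?(action)
end

# Grades a policy document (JSON string) on the talk's scale:
#   :ugly  an Allow on Action "*" (all access)
#   :bad   an Allow on a service-wide wildcard ("ec2:*", "iam:*"), or a set of
#          Allows that together cover every admin-creation action
#   :good  anything narrower (Deny statements are ignored here)
def grade_policy(json)
  statements = Array(JSON.parse(json)['Statement'])
  allowed = statements.select { |s| s['Effect'] == 'Allow' }
                      .flat_map { |s| Array(s['Action']) }
  return :ugly if allowed.include?('*')
  return :bad if allowed.any? { |a| a.end_with?(':*') }
  covers_chain = ADMIN_CREATION_ACTIONS.all? do |needed|
    allowed.any? { |pattern| action_matches?(pattern, needed) }
  end
  covers_chain ? :bad : :good
end

# Constructed sample policies, one per grade (not from the talk).
def policy(*actions, resource: '*')
  { 'Version' => '2012-10-17', 'Statement' => [
    { 'Effect' => 'Allow', 'Action' => actions, 'Resource' => resource }
  ] }.to_json
end
GOOD_POLICY = policy('s3:GetObject', resource: 'arn:aws:s3:::app-assets/*')
BAD_POLICY = policy('iam:*')
# Looks narrow, but iam:Create* plus the two group calls covers the whole chain.
SNEAKY_POLICY = policy('iam:Create*', 'iam:PutGroupPolicy', 'iam:AddUserToGroup')
UGLY_POLICY = policy('*')
```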

AWS Launch Instances Module

Launches an EC2 instance with a Public IP

Required Privileges: ec2:RunInstances, ec2:ImportKeyPair, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:Describe*

Can launch an instance with an Instance Profile

Can launch a cluster of instances

Can automate tasks via bootstrap

AWS IAM Account Lockout Module

Requires an IAM admin role (created by the CIAMU module)

Enumerates all users and access keys

Accepts a user to keep

Locks out all other accounts

Allows security teams to protect potentially compromised accounts

Demonstration Network Diagram

Demonstration

Upcoming Modules and Ongoing Projects

AWS IAM privilege enumeration module

AWS Lambda module

AWS S3 bucket and access enumeration module

Cumulus Cloud Attack Toolkit: AWS, Google Cloud Platform

DevSecOps.org Community

https://github.com/devsecops/lambhack

Helping you get from ugly to…

How to Apply This Knowledge

Read the AWS IAM Best Practices documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Monitor IAM actions using AWS CloudTrail

Get creative with AWS services: Config + CloudWatch Events + Lambda

Audit your AWS account's IAM Policies and Roles

Red Team your applications and instances

Think to yourself: "How would an attacker use this against me?"

Use repeatable secure patterns: https://github.com/devsecops

Help build awareness through community: http://www.devsecops.org
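As an added example of the "Monitor IAM actions using AWS CloudTrail" advice (not code from the talk), the Ruby below reads CloudTrail records and alerts when a single principal performs the whole CIAMU chain inside a short window, rating an assumed instance role higher than a human IAM user. The records are constructed, with made-up ARNs and account id.

```ruby
require 'time'

# IAM API calls that together mint a new admin user (the CIAMU chain).
ADMIN_CHAIN = %w[CreateUser CreateGroup PutGroupPolicy AddUserToGroup
                 CreateAccessKey].freeze
WINDOW_SECONDS = 600 # the scripted chain lands well within ten minutes

# Scans an array of CloudTrail records (parsed JSON hashes) and returns one
# alert per principal that performed the complete chain inside WINDOW_SECONDS.
# An AssumedRole identity, e.g. an EC2 instance profile, is rated :high, since
# instances normally have no business creating IAM users.
def detect_admin_creation(records)
  chain_events = records.select do |r|
    r['eventSource'] == 'iam.amazonaws.com' && ADMIN_CHAIN.include?(r['eventName'])
  end
  by_principal = chain_events.group_by { |r| r.dig('userIdentity', 'arn') }
  by_principal.each_with_object([]) do |(arn, events), alerts|
    events = events.sort_by { |e| Time.iso8601(e['eventTime']) }
    events.each_with_index do |first, i|
      t0 = Time.iso8601(first['eventTime'])
      window = events[i..-1].select { |e| Time.iso8601(e['eventTime']) - t0 <= WINDOW_SECONDS }
      next unless (ADMIN_CHAIN - window.map { |e| e['eventName'] }).empty?
      created = window.find { |e| e['eventName'] == 'CreateUser' }
      alerts << {
        principal: arn,
        severity: first.dig('userIdentity', 'type') == 'AssumedRole' ? :high : :medium,
        new_user: created.dig('requestParameters', 'userName')
      }
      break # one alert per principal is enough
    end
  end
end

# Constructed sample records (not real CloudTrail output): an instance-profile
# role runs the chain in twenty seconds; a human user merely rotates a key.
def record(name, at, arn, type, params = {})
  { 'eventSource' => 'iam.amazonaws.com', 'eventName' => name, 'eventTime' => at,
    'userIdentity' => { 'type' => type, 'arn' => arn }, 'requestParameters' => params }
end
ROLE_ARN = 'arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0abc12345'
USER_ARN = 'arn:aws:iam::111122223333:user/alice'
SAMPLE_TRAIL = [
  record('CreateUser', '2017-02-13T10:00:00Z', ROLE_ARN, 'AssumedRole', 'userName' => 'new-admin'),
  record('CreateGroup', '2017-02-13T10:00:05Z', ROLE_ARN, 'AssumedRole', 'groupName' => 'admins2'),
  record('PutGroupPolicy', '2017-02-13T10:00:09Z', ROLE_ARN, 'AssumedRole'),
  record('AddUserToGroup', '2017-02-13T10:00:12Z', ROLE_ARN, 'AssumedRole'),
  record('CreateAccessKey', '2017-02-13T10:00:20Z', ROLE_ARN, 'AssumedRole', 'userName' => 'new-admin'),
  record('CreateAccessKey', '2017-02-13T11:30:00Z', USER_ARN, 'IAMUser', 'userName' => 'alice')
].freeze
```

In practice the records come from the CloudTrail S3 delivery or a CloudWatch Events rule on the iam.amazonaws.com event source, which is the Config + CloudWatch Events + Lambda pattern the slide suggests.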

Appendix: Demo Slides

Load Metasploit

Use sshexec to gain a foothold

Instantiate a shell

Retrieve temporary credentials

Enumerate the network

Enumerate the Metadata service

Escalate privileges on account A

Login

Explore account

Discover Networks

Explore the network

Discover services

Set up a tunnel and scan for vulns

Exploit Jenkins

Retrieve temporary credentials

Launch a new instance with Admin privs

Establish a session with new host

Escalate privileges on account B

Open the console