Compromising AWS for fun and profit

A presentation at Northern Ireland Developer Conference in June 2019 in Belfast, UK by Simon Whittaker

Slide 1

Compromising AWS for fun and profit. Simon Whittaker, Cyber Security Director, Vertical Structure Ltd.

Slide 2

Simon Whittaker - Lukasz Mrozowski

© Vertical Structure Ltd where applicable. Simon.whittaker@verticalstructure.com

Slide 3

Prepare, Protect, Persist®

• Prepare: We help you and your partners to understand how to identify and resolve potential security issues at the earliest stages with hands-on ‘hack yourself first’, threat modelling and GDPR compliance workshops, as well as security training for non-technical colleagues.
• Protect: Using automated and manual penetration testing techniques, we provide a comprehensive security report for your web and mobile applications, including API testing, and networks. The report highlights potential issues and their resolutions.
• Persist: We ensure that your organisation benefits from continual improvements in security levels through information assurance processes, auditing and certification, including ISO27001:2013 and Cyber Essentials.

Slide 4

Bingo: https://vsltd.co/bsBingo

Slide 5

Qualifications

Slide 6

Shared Responsibility Model. Image from: https://aws.amazon.com/compliance/shared-responsibility-model/

Slide 7

What do attackers want?

Slide 8

Working fast

• IAM is confusing
• Use the principle of least privilege
• Never commit credentials

https://technodrone.blogspot.com/2019/03/the-anatomy-ofaws-key-leak-to-public.html
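The "use the principle of least privilege" bullet is easy to state and hard to audit by hand, which is part of why IAM feels confusing. The following is an added example, not code from the talk or from Vertical Structure: a small linter that reads an IAM policy document and flags the statements that typically give away far more than intended (an Action of "*", a whole-service wildcard such as "iam:*", or a Resource of "*" combined with actions that can change state). The sample policies are constructed for the example, and the "read-only action" test is a naming heuristic (Get/List/Describe/Head prefixes), assumed here rather than taken from any AWS definition.

```python
"""Least-privilege linter for IAM policy documents (added example, not from the talk)."""
import json

# Constructed sample policies for the example; not real account policies.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
    ],
})

# Describe-style calls usually have to be granted on Resource "*"; the linter
# must not flag those, or every real policy would light up.
READ_ONLY_ON_STAR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})

# Heuristic (assumption): actions whose API name starts with one of these
# prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for 'service:GetSomething'-style actions; False for wildcards and writes."""
    if ":" not in action:
        return False
    api_name = action.split(":", 1)[1]
    return api_name.startswith(READ_ONLY_PREFIXES)


def find_overbroad_statements(policy_json):
    """Return a list of (statement_index, reason) for Allow statements that
    grant more than a least-privilege policy normally should."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((index, "NotAction/NotResource allow-list is hard to reason about"))

        for action in actions:
            if action == "*":
                findings.append((index, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((index, f"Action '{action}' grants a whole service"))

        # Resource '*' is only a problem when the actions can change state.
        if "*" in resources and any(not is_read_only(a) for a in actions):
            findings.append((index, "Resource '*' combined with non-read-only actions"))
    return findings


if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                         ("read-only-on-star", READ_ONLY_ON_STAR_POLICY)]:
        print(name, find_overbroad_statements(policy))
```

Running the module prints four findings for the broad policy (two per statement) and none for the two tighter ones. A check like this is cheap to run in CI against policy files before they are applied, which is one concrete way to act on "reduce privileges" without reading every statement by hand.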

Slide 9

IAM

Slide 10

Let’s have a play. All exploits are being performed in a safe environment.

Slide 11

Example 1 – EC2 escalation

Slide 12

Bob’s permissions

Slide 13

The process

Slide 14

Example 2 – Escalation to IAM Administrator

Slide 15

Joe’s permissions

Slide 16

The process

Slide 17

Consequences

Slide 18

Fun and Profit

Slide 19

Try for yourself

• CloudGoat: https://github.com/RhinoSecurityLabs/cloudgoat

Slide 20

Protection Measures

• Ask questions
• Some great advice from UK NCSC
• Secure users
• Reduce privileges
• Implement tools to help you

Slide 21

Bingo results

Slide 22

Questions? Simon.Whittaker@verticalstructure.com, @szlwzl, https://vsltd.co/NIDevConf19