Rodrigo Montoro
Rodrigo Montoro has more than 22 years of experience in Information Technology and Computer Security. Most of his career worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently, he is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several opensource and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).
Session
There are multiple methods to access an AWS account: IAM Users, Cross Accounts, Federated users, and Identity Center. Since the name change from AWS SSO to Identity Center, AWS is putting more effort into customers using more Identity Center. Using it, you have some significant advantages such as short-term keys, centralized logging when using Organizations and multiple accounts, easier management, etc.
Many tools and projects handle permissions management for IAM users, but using Identity Center, we have new challenges trying to map excessive permission. There are no easy and visual ways to match users and permissions that are riskier. Based on this new challenge, we extended Cloudsplaining and created a flow based only on open-source stuff to map those Identity Center Risks.
Explaining the flow, we map all accounts belonging to an Organization, mapping accounts, users, permission sets, and related policies associated (both Managed and Customer policies). With that, we start mapping permissions in those accounts that belong to this organization using our Risk Score research based on Cloudsplaining and putting them all together, showing all risk findings that an Identity User is capable of. More importantly, in a visual way, with Kibana, you will graphically have a dashboard to help your prioritization and map Identity Center users with their risks in a single place.
The audience will learn a step-by-step method to replicate this at the end of the talk, using only open-source projects such as sso-reporter, Cloudsplaining, and Elastic stack. We'll provide all scripts and risk-scoring enrichments based on Cloudsplaining findings, logstash configurations, and kibana visualizations. And on top of this, we will discuss some Identity Center actions that you should monitor closely to avoid privilege escalation attempts.