2023-06-12 –, Salon C
Security research is not something that's only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from "that's not how I expect it to work" to "that's not how it's supposed to work".
In this talk we'll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what's going wrong and ended up finding an API that didn't check iam:PassRole correctly.
We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.
Ben has been using AWS professionally since 2015 and, as an AWS Technologist at Cloudar, works with businesses ranging from start-ups to enterprises. Being part of a Premier AWS Consulting Partner, he provides architectural and operational support and shares his experiences along the way. He is also an AWS Authorized Instructor and gives AWS Classroom Training at The Campus.
He has a broad interest in serverless, automation and enabling builders. Currently, he counts CloudFormation, Lambda, and KMS among his favorite services. Still, he has a soft spot for everything related to operational tasks, like Systems Manager.
Sometimes Ben likes to use AWS APIs in non-standard ways. Previously he did that to turn public S3 Buckets in AWS Account IDs.