fwd:cloudsec 2023

Pivoting Clouds in AWS Organizations
06-13, 08:00–08:40 (US/Pacific), Salon C

AWS Organizations is an AWS service that lets a user logically bind a large number of AWS accounts together under one "organization". While this is convenient for administration, it also opens several unique pathways for a pentester, allowing one to tunnel through the boundaries that would otherwise exist around a single AWS account. Using AWS Organizations, I show how a single account takeover can be turned into a multi-account takeover, drastically increasing the blast radius. The talk aims to provide both a technical perspective and a high-level overview, so that it is useful to in-the-weeds pentesters and to managers and business owners alike.

The talk covers:
- An overview of AWS Organizations
- An easy way to pivot to a member account (account creation)
- An overview of trusted access and delegated administration
- Using trusted access and delegated administration to access member accounts, directly or indirectly
- A new Organizations security feature released late last year, and its security implications
- An overview of tooling the speaker created to assist in enumerating organizations, contributed to the open-source tool Pacu
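The following is an added example, not the speaker's Pacu module or any code from the talk. It shows how the enumeration output behind the topics above can be triaged for pivots: it reads constructed responses in the shape returned by `aws organizations describe-organization`, `list-accounts`, `list-aws-service-access-for-organization` and `list-delegated-services-for-account`, and reports which member accounts a management-account foothold can try to enter through the default role that account creation provisions, and which member accounts are delegated administrators for services with trusted access enabled. The account IDs, names and service principals in the samples are constructed for the example; the role name is the AWS default, which the creator of an account may override.

```python
"""Triage AWS Organizations enumeration output for cross-account pivots.

Added example for illustration; not code from the talk or from Pacu.
All API responses below are constructed samples with fields trimmed to
what the triage needs.
"""
import json

# Default role that organizations:CreateAccount provisions in the new member
# account, trusted by the management account. An invited account does not get
# it automatically.
DEFAULT_ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"

# Constructed sample: aws organizations describe-organization
DESCRIBE_ORG = json.loads("""
{"Organization": {"Id": "o-exampleorgid", "MasterAccountId": "111111111111",
                  "FeatureSet": "ALL"}}
""")

# Constructed sample: aws organizations list-accounts
LIST_ACCOUNTS = json.loads("""
{"Accounts": [
  {"Id": "111111111111", "Name": "management", "Status": "ACTIVE", "JoinedMethod": "INVITED"},
  {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE", "JoinedMethod": "CREATED"},
  {"Id": "333333333333", "Name": "legacy", "Status": "ACTIVE", "JoinedMethod": "INVITED"},
  {"Id": "444444444444", "Name": "closed", "Status": "SUSPENDED", "JoinedMethod": "CREATED"}
]}
""")

# Constructed sample: aws organizations list-aws-service-access-for-organization
TRUSTED_ACCESS = json.loads("""
{"EnabledServicePrincipals": [
  {"ServicePrincipal": "sso.amazonaws.com"},
  {"ServicePrincipal": "securityhub.amazonaws.com"},
  {"ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com"}
]}
""")

# Constructed sample: aws organizations list-delegated-services-for-account,
# keyed by the account IDs that list-delegated-administrators returned.
DELEGATED_SERVICES = {
    "333333333333": json.loads(
        '{"DelegatedServices": [{"ServicePrincipal": "securityhub.amazonaws.com"}]}'
    ),
}


def management_account_id(describe_org):
    """The API still names the management account MasterAccountId."""
    return describe_org["Organization"]["MasterAccountId"]


def assume_role_targets(accounts, mgmt_id, role_name=DEFAULT_ORG_ACCESS_ROLE):
    """Member accounts a management-account principal can try to enter with
    sts:AssumeRole. Accounts that joined via CreateAccount carry the role by
    default; invited accounts only if someone created it by hand, so those
    are reported as unverified candidates rather than skipped."""
    targets = []
    for acct in accounts["Accounts"]:
        if acct["Id"] == mgmt_id or acct["Status"] != "ACTIVE":
            continue  # suspended/closed accounts cannot be assumed into
        targets.append({
            "account": acct["Id"],
            "role_arn": f"arn:aws:iam::{acct['Id']}:role/{role_name}",
            "confidence": "default" if acct["JoinedMethod"] == "CREATED" else "unverified",
        })
    return targets


def delegated_admin_pivots(trusted_access, delegated_services):
    """Member accounts delegated to administer a service, and whether trusted
    access for that service is enabled org-wide. A foothold in such a member
    reaches every account through the service, with no role in the
    management account at all."""
    enabled = {p["ServicePrincipal"] for p in trusted_access["EnabledServicePrincipals"]}
    pivots = []
    for account_id, resp in delegated_services.items():
        for svc in resp["DelegatedServices"]:
            sp = svc["ServicePrincipal"]
            pivots.append({"account": account_id, "service": sp, "trusted_access": sp in enabled})
    return pivots


def triage(describe_org, accounts, trusted_access, delegated_services):
    """Combine the enumeration responses into one pivot report."""
    org = describe_org["Organization"]
    mgmt = org["MasterAccountId"]
    report = {
        "management_account": mgmt,
        "assume_role": assume_role_targets(accounts, mgmt),
        "delegated_admin": [],
    }
    # Trusted access and delegated administration require the ALL feature set;
    # an organization on CONSOLIDATED_BILLING only offers the role pivot.
    if org["FeatureSet"] == "ALL":
        report["delegated_admin"] = delegated_admin_pivots(trusted_access, delegated_services)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(DESCRIBE_ORG, LIST_ACCOUNTS, TRUSTED_ACCESS, DELEGATED_SERVICES), indent=2))
```

Run against real output, the `assume_role` entries are the ARNs to feed to `aws sts assume-role` from the management account, and the `delegated_admin` entries are the member accounts worth compromising instead of the management account. The `unverified` confidence on invited accounts is a reminder to check `iam:GetRole` in the target rather than assume the role exists.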

Scott Weston is a remote Senior Security Consultant at NetSPI based out of San Diego, CA. He has 2-3 years of experience in information security and pentesting, covering general web applications, GraphQL, and cloud environments (specifically AWS). He has contributed to the open-source AWS pentesting tool Pacu by adding an enumeration module for AWS Organizations. He also created a large AWS deck designed for beginners, which he presented to his local San Diego DEF CON group, located here. He has participated in several bug bounties and VDPs and is listed in the International Committee of the Red Cross (ICRC) hall of fame. In his spare time, he enjoys pursuing individual bug bounties and interesting avenues of pentesting.