2024-06-17, Breakout 1
The state of AWS security is rapidly evolving; AWS continues to mitigate the use of IMDSv1, protecting customers from a well-known cause of cloud breaches. While long-lived access keys are not going away anytime soon, security teams are more aware than ever of the threat these credentials pose. These advancements are a problem for attackers who need to establish a foothold in an AWS environment. What methods are left for initial access?
In this talk we will explore how adversaries can abuse existing trusts in various AWS services to gain initial access to an AWS environment.
We will start by looking at how IAM roles with misconfigured trust relationships to AWS services could allow anyone in the world to assume them. We will dive into Amazon Cognito and GitHub Actions OIDC identities, demonstrating how an attacker could access these misconfigured roles. Next, we'll take a look at a vulnerability we found in a popular AWS service that made the roles associated with it publicly vulnerable.
Finally, we will also look at a worst-case scenario: what happens when an attacker finds a vulnerability in PassRole and is able to assume roles in other accounts? Sound far-fetched? We'll cover a real-world example of a vulnerability we found in AWS AppSync that lets us do just that. We'll also discuss how security practitioners can secure their environments, even against a zero-day like this one.
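The trust-policy misconfigurations the abstract refers to (a GitHub Actions OIDC trust that never checks the token's `sub` claim, a Cognito trust not pinned to an identity pool or to authenticated identities, a wildcard principal with no Condition) can be caught with a small audit of the role's trust document. The checker below is an added example, not the speaker's code or any Datadog tooling; the account ID and repository name in the sample policies are constructed placeholders.

```python
import json

# Federated identity providers the talk names. A role that trusts one of them
# without narrowing Condition keys can be assumed by anyone who can obtain a token.
GITHUB_OIDC = "token.actions.githubusercontent.com"
COGNITO = "cognito-identity.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    """All condition keys in a statement, lower-cased, regardless of operator."""
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}

def audit_trust_policy(policy):
    """Return finding codes for an IAM role trust policy given as a dict."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            if not stmt.get("Condition"):
                findings.append("wildcard-principal-no-condition")
            continue
        keys = _condition_keys(stmt)
        for fed in _as_list(principal.get("Federated", [])):
            if fed.endswith("/" + GITHUB_OIDC) and f"{GITHUB_OIDC}:sub" not in keys:
                # Only :aud (or nothing) is checked: any repository's workflow token passes.
                findings.append("github-oidc-missing-sub")
            if fed == COGNITO:
                if f"{COGNITO}:aud" not in keys:      # not pinned to one identity pool
                    findings.append("cognito-missing-aud")
                if f"{COGNITO}:amr" not in keys:      # not limited to authenticated identities
                    findings.append("cognito-missing-amr")
    return findings

# Constructed sample: a GitHub Actions trust that checks only the audience ...
WEAK_GITHUB = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}""")

# ... and the same trust pinned to one repository and branch via the token's sub claim.
FIXED_GITHUB = json.loads(json.dumps(WEAK_GITHUB))
FIXED_GITHUB["Statement"][0]["Condition"]["StringLike"] = {
    "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}

if __name__ == "__main__":
    print(audit_trust_policy(WEAK_GITHUB))   # ['github-oidc-missing-sub']
    print(audit_trust_policy(FIXED_GITHUB))  # []
```

Feed it the `AssumeRolePolicyDocument` returned by `iam:GetRole` for each role in the account to find the trusts worth tightening.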
Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in AWS offensive security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.