Seth Art
Seth Art is currently a Security Researcher & Advocate at Datadog. Prior to joining Datadog, Seth created and led the Cloud Penetration Testing practice at Bishop Fox. He is the author of many open source tools including BadPods, IAMVulnerable, and CloudFoxable, and the co-creator of the popular cloud penetration testing tool, CloudFox.
Session
It’s not every day you stumble upon a technique that enables remote code execution (RCE) in thousands of AWS accounts at once—but that’s exactly what happened with the whoAMI attack. By researching a known misconfiguration through a new lens, we discovered how to gain access to thousands of AWS accounts that unknowingly use an insecure pattern when retrieving AMI IDs.
In this talk, I’ll walk you through how we uncovered the whoAMI attack, how we confirmed the attack works, and how we even identified vulnerable systems that were internal to AWS. We’ll explore the surprisingly diverse ways developers manage to shoot themselves in the foot by omitting the owners attribute, and share how difficult it was to build and refine detections for this anti-pattern that minimized false positives (and false negatives).
Finally, we’ll focus on how you can spot and fix this misconfiguration in your own environment, covering a range of defense-in-depth strategies for both prevention and detection. This is a roller-coaster tale of cloud security research, full of ups and downs and twists and turns. And like every roller coaster I’ve ever been on, it lasted longer than I expected, or wanted it to.
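The abstract names the root cause (an AMI lookup by name that omits the owners attribute) and the two halves of the response (prevention and detection). The following Python is an added example written for this page; it is not code from the talk, from CloudFox, or from any Datadog or Bishop Fox tool. It models the lookup locally so it runs offline: a constructed AMI catalog, the stand-in account IDs `111111111111` and `999999999999`, the image IDs, and the CloudTrail `requestParameters` layout (`filterSet`/`ownersSet`) are all assumptions, and the detection function should be checked against your own trail before you rely on it. It shows, with the same name pattern, that a `most_recent` lookup without `owners` selects the attacker's public image while pinning `owners` selects the legitimate one, and it flags the anti-pattern both in configuration and in a CloudTrail record.

```python
"""Added example (not from the talk or any Datadog/Bishop Fox tool).
Models an AMI-by-name lookup to show why omitting `owners` is dangerous,
and sketches a static check plus a CloudTrail-record detection.
Every account ID, image ID and event below is constructed for the demo."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical account IDs (constructed; not real AWS accounts).
CANONICAL_OWNER = "111111111111"  # stands in for the legitimate publisher
ATTACKER_OWNER = "999999999999"   # any AWS account can publish a public AMI

# The kind of wildcard name pattern commonly used with most_recent lookups.
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"


@dataclass(frozen=True)
class Ami:
    image_id: str
    owner_id: str
    name: str
    creation_date: str  # ISO-8601, so lexical order == chronological order
    public: bool


# Constructed catalog: what a public DescribeImages could plausibly return.
# The attacker's image matches the name pattern and is the newest.
CATALOG = [
    Ami("ami-0a1b2c3d4e5f60001", CANONICAL_OWNER,
        "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301",
        "2024-03-01T00:00:00.000Z", True),
    Ami("ami-0a1b2c3d4e5f60002", CANONICAL_OWNER,
        "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240601",
        "2024-06-01T00:00:00.000Z", True),
    Ami("ami-0bad0bad0bad0bad0", ATTACKER_OWNER,
        "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20991231",
        "2024-07-15T00:00:00.000Z", True),
]


def describe_images(catalog, name_pattern, owners=None):
    """Toy model of ec2:DescribeImages with a `name` filter.
    With owners=None every *public* image whose name matches is returned,
    regardless of who published it; that is the behaviour the attack abuses."""
    results = []
    for ami in catalog:
        if not fnmatchcase(ami.name, name_pattern):
            continue
        if owners is None:
            if not ami.public:
                continue
        elif ami.owner_id not in owners:
            continue
        results.append(ami)
    return results


def pick_ami(catalog, name_pattern, owners=None):
    """Mirrors the common 'most_recent + name wildcard' selection."""
    matches = describe_images(catalog, name_pattern, owners)
    return max(matches, key=lambda a: a.creation_date) if matches else None


def lookup_is_unsafe(name_pattern, owners):
    """Static check for the anti-pattern: a name-based lookup with no owner pin.
    A wildcard makes exploitation easier, but the missing owner is the bug."""
    return not owners


def flag_describe_images_event(event):
    """Detection over one CloudTrail record. Assumes the ec2 DescribeImages
    requestParameters layout uses `filterSet` and `ownersSet` (assumption:
    confirm against a real record from your trail). Flags a call that filters
    on `name` without naming any owner."""
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "DescribeImages"):
        return False
    params = event.get("requestParameters") or {}
    filters = (params.get("filterSet") or {}).get("items") or []
    filters_on_name = any(f.get("name") == "name" for f in filters)
    owners = (params.get("ownersSet") or {}).get("items") or []
    return filters_on_name and not owners


# Constructed CloudTrail-style records used by the demo below.
UNSAFE_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
    "requestParameters": {"filterSet": {"items": [
        {"name": "name", "valueSet": {"items": [{"value": NAME_PATTERN}]}}]}},
}
SAFE_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
    "requestParameters": {
        "filterSet": {"items": [
            {"name": "name", "valueSet": {"items": [{"value": NAME_PATTERN}]}}]},
        "ownersSet": {"items": [{"owner": CANONICAL_OWNER}]}},
}

if __name__ == "__main__":
    print("no owners :", pick_ami(CATALOG, NAME_PATTERN).image_id)
    print("pinned    :", pick_ami(CATALOG, NAME_PATTERN, [CANONICAL_OWNER]).image_id)
    print("flag unsafe event:", flag_describe_images_event(UNSAFE_EVENT))
    print("flag safe event  :", flag_describe_images_event(SAFE_EVENT))
```

The prevention half is the `owners` argument: once the lookup is pinned to a trusted account, an image published by anyone else never enters the candidate set, so `most_recent` cannot pick it. The detection half is deliberately strict (name filter present, owner list empty), which is the shape of rule that keeps false positives down; loosening it to "any DescribeImages without owners" will also catch harmless console browsing.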