"Get Off of My Cloud": Cloud Credential Compromise and Exposure

Presented at DEF CON 19 (2011), Aug. 6, 2011, 2 p.m. (50 minutes)

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. In this presentation we will explore how AWS credentials and keys may end up being persisted within an AMI. If persisted within a public or shared AMI, these credentials and key materials may be unintentionally shared with 3rd parties. We will discuss the different types of AWS credentials and key materials, how they are used to access different Cloud services, and the risks and potential impacts of compromise of this sensitive information. A new tool, "AMIexposed", will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We'll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs. These will include specific steps for ensuring your organization's AWS credentials and key materials are not unintentionally persisted within public or shared AMIs, and recommendations regarding usage of 3rd party public AMIs.
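The pre-publication check the abstract describes, as an added example that is not AMIexposed or any code from the talk: it walks a mounted AMI root and flags files carrying AWS access key IDs, secret keys or PEM private keys. The directory list, regexes and the constructed sample image root are assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

SCAN_DIRS = ["root", "home", "etc"]   # where leaked credentials usually land
MAX_BYTES = 1 << 20                    # skip large/binary files
# Access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys: 40 chars of [A-Za-z0-9/+]; require a nearby name to limit noise.
SECRET_RE = re.compile(r"(?i)(?:aws_secret_access_key|secret_key)\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}")
# PEM private keys (EC2 X.509 pk-*.pem files, SSH keys, ...).
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

def scan_text(text):
    """Return the kinds of credential material found in one file's contents."""
    kinds = []
    if ACCESS_KEY_RE.search(text):
        kinds.append("access_key_id")
    if SECRET_RE.search(text):
        kinds.append("secret_access_key")
    if PEM_RE.search(text):
        kinds.append("private_key")
    return kinds

def scan_ami_root(root):
    """Walk a mounted image root; map each offending file to what it leaks."""
    root = Path(root)
    findings = {}
    for sub in SCAN_DIRS:
        for path in (root / sub).rglob("*") if (root / sub).is_dir() else []:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > MAX_BYTES:
                continue
            kinds = scan_text(path.read_text(errors="ignore"))
            if kinds:
                findings[path.relative_to(root).as_posix()] = kinds
    return findings

def build_sample_root():
    """Constructed mock of a mounted AMI root with typical leaks; all values are fake."""
    root = Path(tempfile.mkdtemp(prefix="ami-"))
    (root / "root/.aws").mkdir(parents=True)
    (root / "root/.aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\n"
        "aws_secret_access_key = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN\n")
    (root / "home/ec2-user/.ssh").mkdir(parents=True)
    (root / "home/ec2-user/.ssh/id_rsa").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIfakekeybody\n-----END RSA PRIVATE KEY-----\n")
    (root / "home/ec2-user/.bash_history").write_text(
        "export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE02\nls -la\n")
    return root
```

Run `scan_ami_root("/mnt/ami")` against a root volume mounted read-only from the image before it is shared; any non-empty result means the image needs to be cleaned and rebuilt.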

  • Jeff Jarmoc - Security Researcher, Dell SecureWorks Counter Threat Unit (CTU)
    Jeff Jarmoc: A first-time DEF CON presenter, Jeff has been hacking most of his life. He got his start in the early days of the 312 BBS scene, moved on to IRC and USENET, and eventually pursued a career in enterprise infrastructure and security. His latest passion is abusing ubiquitous infrastructure devices and systems in an attempt to bring renewed focus on the security of these systems everyone has come to rely on. Jeff has previously spoken at Black Hat USA. When not abusing software and hardware, he enjoys spending time with his wife and daughter. Twitter: @jjarmoc
  • Ben Feinstein - Director of CTU Operations & Analysis, Dell SecureWorks Counter Threat Unit (CTU)
    Ben Feinstein is Director of CTU Operations & Analysis with the Dell SecureWorks Counter Threat Unit (CTU). Ben is an author of RFC 4765 and RFC 4767, and has over a decade of experience designing, implementing and operationalizing security-related information systems. His major areas of expertise include network IDS/IPS, digital forensics and incident response, and security operations. Ben has previously presented at Black Hat USA, DEF CON, ToorCon, DeepSec, the U.S. Department of Defense Cyber Crime Conference, and many other events. He is active in his local DEF CON group, DC404.