Presented at
DEF CON 32 (2024),
Aug. 11, 2024, 10 a.m.
(45 minutes).
Join us as we unravel another story of public resources from AWS, digging in 3.1 million AMIs for secrets. Beyond the findings, we'll delve into the ominous connection between exfiltrated AWS access credentials from these AMIs and the heightened risk of AWS account takeover. This talk will highlight key methodologies, tools, and lessons learned, emphasizing the critical need for robust security measures in the cloud to prevent both data exposure and potential account compromise.
We started and developed this research without references of existing work. However, here are two links that can be viewed as related/previous work:
This article shows a research on a subset of public AMIs from a single region in AWS
[link](https://blog.lethalbit.com/hunting-for-sensitive-data-in-public-amazon-images-ami/)
This research shows a similar issue where public EBS are scanned. However, this technique does not work for most public AMIs
[link](https://www.youtube.com/watch?v=HXM1rBk_wXs)
Presenters:
-
Matei Josephs
- Senior Penetration Tester
Matei is a Senior Penetration Tester who loves exploring the internet for vulnerabilities. Matei has discovered several CVEs and has the OSCP, CRTO, eWPT and a few other certifications alongside a Master's degree in Cybercrime and Intelligence. Although his daily job requires him to conduct thorough tests across a limited scope, after work, Matei enjoys doing simple tests across the whole internet.
-
Eduard Agavriloae
- Threat Detection Cloud Engineer at CrowdStrike
Eduard is a Threat Detection Cloud Engineer at CrowdStrike and focuses on cloud and offensive security. In the last years he started doing novel research, writing articles, tools like EC2StepShell and presenting at security conferences.
Similar Presentations: