Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access

Presented at DEF CON 32 (2024), Aug. 9, 2024, 12:30 p.m. (45 minutes).

In this talk we will explore vulnerabilities in Amazon Web Services (AWS) products which allowed us to gain access to cloud environments. Traditionally, adversaries have abused misconfigurations and leaked credentials to gain access to AWS workloads. Things like exposed long-lived access keys and exploiting the privileges of virtual machines have allowed adversaries to breach cloud resources. However, these mistakes are on the customer side of the shared responsibility model. In this session, we will cover vulnerabilities in AWS services that have been fixed and that previously allowed us to access cloud resources. We will start with an exploration of how Identity and Access Management (IAM) roles establish trust with AWS services and cover the mechanisms that prevent an adversary from assuming roles in other AWS accounts. We’ll then demonstrate a vulnerability that bypassed those protections. We’ll cover a real world example of a confused deputy vulnerability we found in AWS AppSync that allowed us to hijack IAM roles in other accounts. Next, we'll highlight potential misconfigurations involving IAM roles leveraging sts:AssumeRoleWithWebIdentity. These misconfigurations cloud permit unauthorized global access to these roles without the need for authentication, affecting services like Amazon Cognito, GitHub Actions, and more. Finally, we’ll cover a vulnerability we found in AWS Amplify that exposed customer IAM roles associated with the service to takeover, allowing anyone the ability to gain a foothold in that victim account. We’ll also discuss how security practitioners can secure their environments, even against a zero-day like one we’ll demonstrate. Join us to learn how attackers search for and exploit vulnerabilities in AWS services to gain access to cloud environments. - [link](https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/) - [link](https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosure/)

Presenters:

• Nick Frichette - Staff Security Researcher at Datadog
  Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in offensive AWS security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.

Similar Presentations:

• Black Hat USA 2016 / Hardening AWS Environments and Automating Incident Response for AWS Compromises
• THOTCON 0x8 (2017) / Transitioning to AWS in a Hurry Without Getting Owned
• ToorCamp 2016 / The Good the Bad and the Ugly: AWS Account Takeover via IAM Instance Roles