Oops, I Leaked It Again - How we found PII in exposed RDS Snapshots

Presented at BSidesLV 2023, Aug. 9, 2023, 6 p.m. (Unknown duration).

The Amazon Relational Database Service (Amazon RDS) is a Platform-as-a-Service (PaaS) offering that provides a managed database built on one of several supported engines (e.g., MySQL, PostgreSQL). A public RDS snapshot is a useful feature that allows a user to share public data or a template database with an application, but when used wrongly it may accidentally leak sensitive data to the world, even behind a highly secure network configuration.

We at Mitiga discovered hundreds of databases being exposed monthly, with extensive Personally Identifiable Information (PII) leakage. In this talk we cover the main aspects of RDS snapshots and how easy it is to accidentally expose sensitive data to the world. Our research process is based on an extensive investigation of the RDS service, its configuration options, and its limitations.

In the session, participants will gain relevant knowledge about RDS snapshots, including real-life examples of the risks of using this feature, and recommendations on how to prevent, detect, and remediate the accidental public sharing of RDS snapshots. We will share an in-depth description of our automated process, which includes procedures to continuously monitor for public snapshots and remove any that are found.
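A working version of the monitor-and-remove loop the abstract describes, as an added example written for this page rather than Mitiga's own tooling. The pure functions read the responses of the real RDS calls (DescribeDBSnapshotAttributes and DescribeDBClusterSnapshotAttributes, where a `restore` value of `all` is what makes a snapshot public) and build the arguments for ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute; a CloudTrail matcher flags the moment someone adds that grant; and `FakeRDS` is a constructed stand-in client with sample snapshot names and placeholder account IDs so the script runs offline. The `--live` path uses a real boto3 client and assumes an IAM principal holding rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, the two DescribeDB*SnapshotAttributes actions and, for `--fix`, the two ModifyDB*SnapshotAttribute actions.

```python
"""Detect and remediate publicly shared RDS snapshots (added example, not Mitiga's tooling)."""
from __future__ import annotations

# The 'restore' attribute lists who may restore a snapshot; "all" means every AWS account (public).
PUBLIC = "all"

def restore_grants(attrs: dict, cluster: bool = False) -> list[str]:
    """Account IDs (or 'all') from a DescribeDB(Cluster)SnapshotAttributes response."""
    result_key = "DBClusterSnapshotAttributesResult" if cluster else "DBSnapshotAttributesResult"
    list_key = "DBClusterSnapshotAttributes" if cluster else "DBSnapshotAttributes"
    for attr in attrs.get(result_key, {}).get(list_key, []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []

def is_public(attrs: dict, cluster: bool = False) -> bool:
    return PUBLIC in restore_grants(attrs, cluster)

def revoke_public_params(snapshot_id: str, cluster: bool = False) -> dict:
    """Kwargs for ModifyDB(Cluster)SnapshotAttribute that drop only the public grant."""
    # Shares with specific account IDs are kept; review those separately.
    id_key = "DBClusterSnapshotIdentifier" if cluster else "DBSnapshotIdentifier"
    return {id_key: snapshot_id, "AttributeName": "restore", "ValuesToRemove": [PUBLIC]}

def is_public_share_event(event: dict) -> bool:
    """CloudTrail detection: does this event add 'all' to a snapshot's restore list?"""
    # Field names are CloudTrail's lower-camel-case rendering of the RDS request parameters.
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"):
        return False
    params = event.get("requestParameters") or {}
    return params.get("attributeName") == "restore" and PUBLIC in (params.get("valuesToAdd") or [])

def audit(rds, remediate: bool = False) -> list[dict]:
    """Walk manual snapshots in one region; report (and optionally fix) public ones."""
    # Only manual snapshots can be shared. `rds` is a boto3 RDS client or a look-alike.
    findings = []
    for cluster in (False, True):
        op = "describe_db_cluster_snapshots" if cluster else "describe_db_snapshots"
        items = "DBClusterSnapshots" if cluster else "DBSnapshots"
        id_key = "DBClusterSnapshotIdentifier" if cluster else "DBSnapshotIdentifier"
        for page in rds.get_paginator(op).paginate(SnapshotType="manual"):
            for snap in page.get(items, []):
                sid = snap[id_key]
                attrs = (rds.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=sid)
                         if cluster else rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid))
                if not is_public(attrs, cluster):
                    continue
                finding = {"snapshot": sid, "cluster": cluster, "engine": snap.get("Engine"), "remediated": False}
                if remediate:
                    modify = rds.modify_db_cluster_snapshot_attribute if cluster else rds.modify_db_snapshot_attribute
                    modify(**revoke_public_params(sid, cluster))
                    finding["remediated"] = True
                findings.append(finding)
    return findings

class FakeRDS:
    """Constructed stand-in for a boto3 RDS client: one public and one privately shared snapshot."""
    def __init__(self):
        # snapshot id -> 'restore' grants (sample data; the account IDs are placeholders)
        self.grants = {"prod-users-2023-08": ["all", "111122223333"], "dev-template": ["444455556666"]}

    class _Pager:
        def __init__(self, pages): self.pages = pages
        def paginate(self, **_): return iter(self.pages)

    def get_paginator(self, op):
        if op == "describe_db_snapshots":
            return self._Pager([{"DBSnapshots": [{"DBSnapshotIdentifier": s, "Engine": "postgres"} for s in self.grants]}])
        return self._Pager([{"DBClusterSnapshots": []}])

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": DBSnapshotIdentifier,
                "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": list(self.grants[DBSnapshotIdentifier])}]}}

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToAdd=(), ValuesToRemove=()):
        assert AttributeName == "restore"
        kept = [v for v in self.grants[DBSnapshotIdentifier] if v not in ValuesToRemove]
        self.grants[DBSnapshotIdentifier] = kept + list(ValuesToAdd)

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # real account: needs credentials and the IAM actions named above
        client = boto3.client("rds")
    else:
        client = FakeRDS()
    for finding in audit(client, remediate="--fix" in sys.argv):
        print(finding)
```

Run it on a schedule per region (the API is regional, so loop over every region you use) and feed `is_public_share_event` to whatever consumes your CloudTrail stream, so a public share is caught minutes after it happens rather than at the next sweep. The same condition is what the AWS Config managed rule rds-snapshots-public-prohibited evaluates, which is the cheaper way to get continuous coverage if you already run Config; the script is still useful for the remediation half and for confirming, from an unrelated account, that nothing of yours shows up under `aws rds describe-db-snapshots --snapshot-type public`.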

Presenters:

  • Ariel Szarf
    Ariel Szarf works as a Senior Cloud Security Researcher at Mitiga. Prior to that, Ariel was a Cyber Security Specialist Officer in the IDF. In addition, Ariel has a Master's degree in Computer Science. Today, Ariel researches potential attacks on cloud services and SaaS, and investigates incidents.
  • Doron Karmi
    Doron Karmi has worked in the field of cyber security since 2011. Doron began their career as a Team Lead and Data & Intelligence Analyst at 8200 Unit in 2011. In 2014, they joined The DigiTrust Group as an Information Security Analyst. In 2016, they were a Cyber Security Analyst at Check Point Software Technologies, Ltd. From 2017 to 2020, they worked at CyberInt as a Threat Hunter and Cyber Security Incident Responder. In 2020, they were a Senior Threat Hunter at Palo Alto Networks. Currently, Doron is a Cloud Security Researcher and Senior Incident Responder at Mitiga. Doron Karmi has obtained a GIAC GCFA from the SANS Technology Institute in 2018, as well as certifications from Akamai Technologies in Bot Manager Foundations and Kona Site Defender, and a GIAC Certified Forensic Analyst (GCFA) from GIAC Certifications.
