The Good the Bad and the Ugly: AWS Account Takeover via IAM Instance Roles

Presented at ToorCamp 2016, June 11, 2016, 2:30 p.m. (30 minutes).

Over the past year and a half I have been able to get to know Amazon Web Services (AWS) through the eyes of an attacker. Red teaming AWS accounts has become both a learning experience as well as a deep dive into the Identity and Access Management (IAM) aspects of AWS. AWS IAM is an awesome tool that can help make your account and instances more secure. However, when used without granularity and thought the use of IAM instance profiles can lead to a full AWS account compromise. This talk will focus on the offensive side of IAM hacking and show how AWS instances with bad IAM roles can lead to a full AWS account takeover. I'll go over some of the good, bad and ugly things that can be done with AWS IAM and demonstrate a full AWS account takeover through overly permissive AWS IAM permissions.

Presenters:

• Ian Allison/evade
  Ian has been working in the offensive security field for longer than he wants to admit. When he's not helping put up the Mega Dome at Toorcamp he likes to do infosec research, play with his kids and help further the work of DevSecOps.

Similar Presentations:

• CackalackyCon 2 (2023) / AWS Security Reference Architecture: A Well-Structured Foundation
• Disobey 2024 / Identifying Cross-Account Attack Paths in AWS Environments at Scale
• DEF CON 32 (2024) / Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access