Beruflich Dokumente
Kultur Dokumente
2
Cloud Admin…Duh Duh Duh.
#RSAC
3
Would Be A Boring Talk…
#RSAC
4
#RSAC
Instead…
5
Some background
#RSAC
Initial Setup
Vanilla Account
— Single Admin User
— Base VPC & defaults
AWS Tutorial: Elastic Beanstalk with WordPress
— https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress-
tutorial.html
AWS Tutorial: Lambda Accessing RDS in VPC
— https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
6
Pilfer Credentials ~ Read Only Access
#RSAC
7
Look for RDS Databases
#RSAC
8
Examine Selected Database Subnets
#RSAC
9
What Traffic Do NACLs Allow?
#RSAC
10
What Traffic Do DB Security Groups Allow?
#RSAC
Port 3306
172.31.0.0/16
11
Find VPC With Access to Database
#RSAC
12
VPC Security Groups ~ 3306 Egress
#RSAC
None…hmm…
13
Security Groups ~ No Outbound Restrictions
#RSAC
14
Check Lambda Functions
#RSAC
15
Query Lambda Code Location
#RSAC
16
Go To URL…Check out the code
#RSAC
17
About that rds_config file…
#RSAC
18
Look for Instances That Can Exfil
#RSAC
19
Exploit Web Site and Exfil
#RSAC
Roles
Least Privilege
Segregation of Duties
IAM Top 10
21
Protecting Credentials
#RSAC
22
IAM Configuration
#RSAC
23
IAM Master - Initial Roles
#RSAC
24
IAM Master - Initial Roles
#RSAC
Sid: AllowUserstoManageOwnAccount
Effect: Allow Actions allow users to manage their
Action:
- "iam:ChangePassword" account – BUT NOT PERMISSIONS
- "iam:CreateAccessKey"
- "iam:CreateLoginProfile"
- "iam:DeleteAccessKey"
- "iam:DeleteLoginProfile"
- "iam:GetLoginProfile"
- "iam:ListAccessKeys"
- "iam:UpdateAccessKey"
- "iam:UpdateLoginProfile"
- "iam:ListSigningCertificates"
- "iam:DeleteSigningCertificate"
- "iam:UpdateSigningCertificate" Resource only allows them to perform on
- "iam:UploadSigningCertificate" their username – can’t modify anyone else
- "iam:ListSSHPublicKeys"
- "iam:GetSSHPublicKey"
- "iam:DeleteSSHPublicKey"
- "iam:UpdateSSHPublicKey"
- "iam:UploadSSHPublicKey"
Resource: "arn:aws:iam::*:user/${aws:username}"
25
IAM ~ User Roles
#RSAC
Sid: AllowUserstoListOnlyThierMFA
Effect: Allow
Action:
- "iam:ListVirtualMFADevices"
- "iam:ListMFADevices"
Resource:
- "arn:aws:iam::*:mfa/*"
- "arn:aws:iam::*:user/${aws:username}"
- • Allows users to manage this MFA
Sid: AllowUsertoManageThierMFA
Effect: Allow
• Must login with MFA to remove device
Action:
- "iam:CreateVirtualMFADevice"
- "iam:DeleteVirtualMFADevice"
- "iam:EnableMFADevice"
- "iam:ResyncMFADevice"
Resource:
- "arn:aws:iam::*:mfa/${aws:username}"
- "arn:aws:iam::*:user/${aws:username}"
-
Sid: AllowUserstoDeactiveTheirMFAWhenUseingMFA
Effect: Allow
Action:
- "iam:DeactivateMFADevice"
Resource:
- "arn:aws:iam::*:mfa/${aws:username}"
- "arn:aws:iam::*:user/${aws:username}"
Condition:
Bool:
"aws:MultiFactorAuthPresent": "true"
26
IAM ~ Assumed Roles
#RSAC
27
IAM Master
#RSAC
Commands work!
28
CloudTrail
#RSAC
Respond
Monitor all API Actions
29
Scan and Secure
#RSAC
31
EC2 Parameter Store
#RSAC
32
Monitoring
#RSAC
AWS GuardDuty
VPC Flow Logs
CloudTrail
Config
Log shipping
Secure log backups
Automate Remediation
33
#RSAC
34
WAF Security
#RSAC
35
Network Architecture
#RSAC
Presentation Layer
Application Layer
Data Layer
36
Network Architecture
#RSAC
BAD NETWORK
NACLs are wide open
Wide open inbound rules on
security groups
Security groups all everything
to talk to internet
37
Network Architecture
#RSAC
BETTER NETWORK
NACLs limit access between
subnets
Security Groups limiting
access to specific servers
Blocking internet where not
needed
38
Conclusion
#RSAC
Red Team:
Attackers can use the same tools used by DevOps teams.
Cloud APIs provide a means for mapping out an entire account.
Read only access can be powerful.
Blue Team:
Restrict access
Automated deployment
Architect networks to minimize open ports and pivoting
Protect secrets - don't embed in code!
Monitor everything
39
#RSAC
THANK YOU!
Teri Radichel Kolby Allen
CEO DevOps Engineer
2nd Sight Lab Zipwhip
@teriradichel @kolbyallen