Exploiting AWS Misconfigurations
Basic AWS Services
VPC - Virtual Private Cloud
Logical Data Center in AWS
EC2 - Elastic Cloud Compute
Runs instances that are similar to VMs
S3 - Simple Storage Solution
Object storage organized into Buckets
IAM - Identity and Access Management
How AWS provisions access
The Problem
The problem arises from the combination of an AWS EC2 "feature", the Instance Metadata service, and an attack known as Server-Side Request Forgery (SSRF).
Tool
Setup
Nginx running on AWS EC2
S3 Buckets with sensitive data
IAM Roles with read access to S3 buckets
Instance Profile with IAM Roles attached to EC2 instance
Misconfiguration
The proxy server should be allowed to retrieve information from the web application server and nothing else.
The attack
Discover the Proxy Server that allows access to the Instance Metadata service
Craft a request against the web server that can return data from Instance Metadata Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role
This returns temporary credentials that can be used to access resources allowed by the IAM role.
Get Meta-Data
View the directories
View the meta-data directory
View the iam directory
View the buckets using leaked creds
List bucket objects
Get Encryption details
Sync the bucket objects to the laptop
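An added detection example, not code from the original page: it scans constructed nginx access-log lines for requests that carry the Instance Metadata address (169.254.169.254) or a metadata path in their URL or query string, which is the trace a proxied request like the one above leaves in the proxy's logs. The combined log format and the `/proxy?url=` parameter name are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse, parse_qsl

# Constructed sample nginx access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 98 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 310 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /proxy?url=http://app.internal/health HTTP/1.1" 200 20 "-" "python-requests/2.31"
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Top-level IMDS path prefixes; catches the address even when hidden behind a hostname.
IMDS_PATH_RE = re.compile(r"/latest/(meta-data|user-data|dynamic)", re.IGNORECASE)

def is_link_local_host(host):
    """True for 169.254.0.0/16 (and IPv6 link-local) literals; hostnames are not resolved here."""
    try:
        return ipaddress.ip_address(host).is_link_local
    except ValueError:
        return False

def embedded_urls(target):
    """Yield the request target itself and every (percent-decoded) query parameter value."""
    yield target
    for _, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
        yield value

def is_imds_request(target):
    """True if the target, or any URL passed in its query string, points at the metadata service."""
    for candidate in embedded_urls(target):
        u = urlparse(candidate)
        if is_link_local_host(u.hostname or "") or IMDS_PATH_RE.search(u.path):
            return True
    return False

def find_imds_requests(log_text):
    """Return the client IP of every log line whose request targets the metadata service."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_imds_request(m.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits

if __name__ == "__main__":
    print(find_imds_requests(SAMPLE_LOG))
```

Hostname aliases that resolve to the metadata address are not caught by this string-level check; blocking the address at the proxy's egress (the firewall step under Prevention) covers those.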
Prevention
Use least privilege when creating IAM Roles
If you do not need the Instance Metadata API (you don't), then firewall it
Do not store sensitive data in your provisioning scripts because these can also be read by the Instance Metadata API