👨🔬Exploiting AWS Misconfigurations
VPC - Virtual Private Cloud
Logical Data Center in AWS
EC2 - Elastic Compute Cloud
Runs instances that are similar to VMs
S3 - Simple Storage Service
Object storage organized into Buckets
IAM - Identity and Access Management
How AWS provisions access
The problem exists with an AWS EC2 "feature" called Instance Metadata and an attack known as a Server Side Request Forgery (SSRF).
Nginx running on AWS EC2
S3 Buckets with sensitive data
IAM Roles with read access to S3 buckets
Instance Profile with IAM Roles attached to EC2 instance
The proxy server should be allowed to retrieve information from the web application server and nothing else.
Discover the Proxy Server that allows access to the Instance Metadata service
Craft a request against the web server that can return data from Instance Metadata Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role
This returns temporary credentials that can be used to access any resource the IAM role is allowed to reach
Use least privilege when creating IAM Roles
If you do not need the Instance Metadata API (you don't) then firewall it
Do not store sensitive data in your provisioning scripts because these can also be read by the Instance Metadata API
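As an added illustration (not part of the original notes): detection logic that scans Nginx access-log lines for requests whose target references the Instance Metadata address or the /latest/meta-data/ path, which is the signal a defender would hunt for after the SSRF described above. The log lines are constructed samples in Nginx's combined format; the role name is the one from the notes, and the double URL-decode is an assumption about how proxies encode forwarded targets.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2019:10:01:09 +0000] "GET /?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 88 "-" "curl/7.64"
10.0.0.7 - - [12/Jul/2019:10:02:11 +0000] "GET /fetch?u=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 40 "-" "python-requests/2.22"
10.0.0.9 - - [12/Jul/2019:10:03:30 +0000] "GET /latest/meta-data/iam/security-credentials/ISRM-WAF-Role HTTP/1.1" 200 1200 "-" "curl/7.64"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
IMDS_HOST = "169.254.169.254"
IMDS_PATH = "/latest/meta-data/"


def decode_target(target: str) -> str:
    """Undo up to two layers of URL-encoding (assumption: proxies may double-encode)."""
    for _ in range(2):
        target = unquote(target)
    return target


def is_imds_probe(target: str) -> bool:
    """True if the decoded request target names the IMDS address or a metadata path."""
    decoded = decode_target(target)
    return IMDS_HOST in decoded or IMDS_PATH in decoded


def find_imds_probes(log_text: str):
    """Return (client_ip, status, decoded_target) for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_imds_probe(m["target"]):
            hits.append((m["ip"], int(m["status"]), decode_target(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_imds_probes(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

A 200 status on one of these lines means the proxy actually forwarded the request, which is the case the IAM least-privilege and firewall rules above are meant to contain.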