Default Configurations
By default, SSH (22) and RDP (3389) are closed, but the console suggests opening them when creating an instance, while warning how dangerous this is. What is traffic mirroring? Using this functionality with open-source tools.
Custom Config
If SSM (AWS Systems Manager) is enabled, then activity is logged in CloudTrail. At least the AmazonSSMManagedInstanceCore managed policy needs to be attached to the instance profile role. Look at the policies and at which users are granted the access. The commands that can be run can also be restricted.
If the organization uses Terraform, you could look for any resources that were NOT created via Terraform.
Dangerous Policies
Policies, security groups and roles define what level and type of access this entity has, and to which resources. That is why overpermissive policies or overpowerful roles cause the most damage if compromised.
SSH Access
One of the worst, since this permission would give the attacker access at the OS level of the EC2 instance. Of course, they would require a password, so they would try brute-forcing it first, and this is where a good password policy really pays off, since you have more time to detect and respond to the alert. What if you still need SSH access to the machine? Make sure to use VERY complex passwords, or, much better, public key authentication, or better still use SSH from the AWS GUI Console and block any SSH from outside AWS. The more security, the less usability and the less functionality. But it is better than biting your elbows in court afterwards. Even if you don't have anything of much value on this particular instance, it doesn't mean the attacker won't be able to move laterally. Here are several techniques from MITRE, with examples: https://attack.mitre.org/techniques/T1534/, https://attack.mitre.org/techniques/T1080/ and https://attack.mitre.org/techniques/T1550/.
Network Configuration
Some policies allow an entity to change network settings.
BTFM
Get credentials
# Get current creds and region for aws CLI
~/.aws/credentials
~/.aws/config
Terraform Init
Terraform prerequisites: an account on AWS, Google, Azure or another cloud provider, Terraform installed locally on the PC, and credentials for the cloud in question (for AWS these are AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). For full instructions refer to [2].
terraform init
# create some tf file or make changes to the existing one
terraform apply
terraform destroy # to delete what was created
S3 Buckets. Check for Public Access
First, if you have multiple profiles, set them following the instructions:
TODO
cat ~/.aws/config | grep [accnumber] -B3 | grep profile --color=always # find the profile name for this account
aws s3api get-bucket-acl --bucket [bucketname] --profile=profilename # get the ACL for this bucket
# option 1. Bucket doesn't exist
An error occurred (NoSuchBucket) when calling the GetBucketAcl operation: The specified bucket does not exist
# option 2. Bucket exists
Shows a JSON document with the grants. Note that the ACL is only one of the ways a bucket can be public: also check the bucket policy (aws s3api get-bucket-policy-status) and the account/bucket public access block settings (aws s3api get-public-access-block).
IMDS
Following the best practices, one would use IMDSv2, but if that is not the case, then one can ssh into the EC2 instance and run the following commands:
curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# prints the name of the attached instance profile role, e.g. my-ec2
curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/my-ec2"
# if you see something juicy here, not that great. If it's IMDSv1, even worse.
The result is something like the following:
{
"Code" : "Success",
"LastUpdated" : "2021-01-16T08:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "1234567890",
"SecretAccessKey" : "12345678901234567890",
"Token" : "a very long base64 encoded string",
"Expiration" : "2025-04-16T08:00:00Z"
}
How to use IMDSv2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. IMDSv2 has several protections in place to make SSRF against the metadata service impractical: the session token is returned with an IP TTL (hop limit) of 1, so it does not travel past the instance; the token must be obtained with a PUT request (most WAFs don't support it); any request carrying an X-Forwarded-For header is rejected; and the custom headers X-aws-ec2-metadata-token-ttl-seconds (on the PUT) and X-aws-ec2-metadata-token (on every subsequent request) are required. One only needs to make sure that IMDSv2 is enforced instead of version 1.
If one uses Terraform, try using the below settings in the aws_instance resource:
...
metadata_options {
  http_endpoint               = "enabled"  # better set to "disabled" if the EC2 instance does not need metadata at all
  http_tokens                 = "required" # enforce IMDSv2 session tokens; one way to prevent SSRF
  http_put_response_hop_limit = 1          # token responses are dropped if requested by any machine other than the EC2 instance itself
}
...
Get IMDS version
curl -s http://169.254.169.254/
# I guess, if you get 1.0 in response, then it's not well.
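The same checks from the AWS API side rather than from inside the instance, as an added example that is not part of the original notes: a small Python audit over the JSON returned by `aws ec2 describe-instances` and `aws ec2 describe-security-groups`, flagging instances that still accept IMDSv1 or a hop limit above 1, and security groups that open 22/3389 to the world (the defaults warned about above). The JSON samples are constructed and the instance and group IDs are placeholders.

```python
import json
# Constructed sample (placeholder IDs) in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example1", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example2", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]})
# Constructed sample (placeholder IDs) in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def imds_findings(describe_instances_json):
    """Flag instances that still accept IMDSv1 or let the IMDSv2 token travel past the instance."""
    findings = []
    for res in json.loads(describe_instances_json).get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint at all: nothing for an SSRF to reach
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 allowed: set HttpTokens=required"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop limit > 1: token responses can leave the instance"))
    return findings

def exposed_admin_ports(describe_sgs_json):
    """Flag security group rules that open SSH/RDP to the whole internet (IPv4 or IPv6)."""
    findings = []
    for sg in json.loads(describe_sgs_json).get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols and ports
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            for port, name in ADMIN_PORTS.items():
                if world and lo <= port <= hi:
                    findings.append((sg["GroupId"], f"{name} {port} open to {', '.join(world)}"))
    return findings
```

Feed it the real output of the two CLI calls (with the right `--profile`) to get a list of instances to fix with `aws ec2 modify-instance-metadata-options --http-tokens required` and of rules to tighten.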
Check for SSM with IMDSv2
sudo snap install amazon-ssm-agent --channel=candidate
Toolkit
Pacu, an AWS exploitation framework. Might be good to use when you need to find the flaws in your own infrastructure.
Parliament. Find vulnerabilities in IAM policies statically.
References
[1] Udemy Course on Terraform
[2] Terraform official website with tutorials