Exploitation and automated detection of threats to modern cloud infrastructure

By Krishnaa Srinivasa, Maithri Nadig on 01 Jun 2022 @ Securityfest
#aws #vulnerability-assessment #cloud-monitoring #cloud-pentesting #cloud-security-posture-management #security-development-lifecycle #automated-scanning
Focus Areas: 🔐 Application Security , ☁️ Cloud Security , ⚙️ DevSecOps , 🎯 Penetration Testing , 🔍 Vulnerability Management

Abstract

Cloud infrastructure security is an oft-neglected topic when businesses invest in securing their web apps. Ensuring that a once-secured environment remains secure is even more challenging. In this presentation, we demonstrate common types of attacks against cloud infrastructure, taking the example of AWS. We show how scarily easy it is to attack misconfigured services such as AWS Security Groups, databases, S3 buckets and Network ACLs. After our demonstration of the exploits, we discuss techniques for automated scanning of various AWS services and resources.

Presented at Security Fest 2022.

AI Generated Summary

The talk addresses the critical security gap in cloud infrastructure configuration, arguing that while web application security is systematically addressed via SDLC and secure CI/CD, cloud infrastructure security is often neglected by customers under the misapprehension that the cloud provider is fully responsible. It introduces the shared responsibility model, using AWS as a primary example, to clarify that customers must securely configure their resources and data.

Key findings demonstrate that common misconfigurations—such as publicly accessible S3 buckets, non-encrypted data, overly permissive IAM roles, and publicly exposed RDS instances—lead to severe data breaches, exemplified by the Capital One incident. The speakers analyze these attacks, showing how an SSRF vulnerability combined with an open EC2 port and a misconfigured role allowed access to a private S3 bucket. They assert that while industry standards like CIS Benchmarks provide a vital baseline (covering IAM, storage, logging, monitoring, and networking), they are insufficient alone; organizations must implement additional controls for comprehensive security.

The practical contribution is a proof-of-concept automated monitoring tool designed for AWS. It scans for over 60 misconfigurations, combining CIS Benchmark checks with custom rules that go “above and beyond” the standard. The tool outputs a summary dashboard, a detailed report pinpointing failures with remediation guidance, and a CSV file for integration with ticketing systems. It uses AWS SDK with security-audit credentials, ensuring it scans configurations without accessing customer data. The tool’s scope covers services like S3, EC2, RDS, and VPCs.
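The kind of configuration-only check such a scanner runs, as an added illustration rather than the speakers' tool: two CIS-style rules evaluated over dictionaries shaped like the boto3 `describe_security_groups` and `get_public_access_block` responses (the sample input is constructed; a real scan would fetch it with read-only security-audit credentials, so no customer data is touched).

```python
# Added example, not the speakers' tool: CIS-style checks over the JSON shapes
# boto3's describe_security_groups / get_public_access_block return. Input is
# constructed; a real scan reads it with security-audit (read-only) credentials.
from typing import Dict, List

ADMIN_PORTS = {22, 3389}          # SSH and RDP must never be open to the world
WORLD = {"0.0.0.0/0", "::/0"}

def _rule_is_world_open(perm: Dict) -> bool:
    """True if an IpPermissions entry admits any IPv4 or IPv6 source."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)

def _rule_hits_admin_port(perm: Dict) -> bool:
    """All-protocol (-1) rules, or TCP ranges covering 22/3389, count."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return perm.get("IpProtocol") == "tcp" and any(lo <= p <= hi for p in ADMIN_PORTS)

def check_security_groups(groups: List[Dict]) -> List[Dict]:
    """Flag groups whose ingress lets the whole internet reach admin ports."""
    findings = []
    for sg in groups:
        if any(_rule_is_world_open(p) and _rule_hits_admin_port(p)
               for p in sg.get("IpPermissions", [])):
            findings.append({"resource": sg["GroupId"], "check": "sg-admin-port-world-open",
                             "remediation": "Restrict the source CIDR to trusted ranges."})
    return findings

def check_s3_public_access(bucket: str, cfg: Dict) -> List[Dict]:
    """All four PublicAccessBlock flags must be True for a private bucket."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [k for k in required if not cfg.get(k, False)]
    if not missing:
        return []
    return [{"resource": bucket, "check": "s3-public-access-block",
             "remediation": "Enable " + ", ".join(missing) + " on the bucket."}]

# Constructed sample input shaped like the AWS API responses.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},     # HTTPS only: ok
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},      # SSH to world
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},                     # everything, IPv6
]
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
```

Each finding dict maps directly onto one row of the CSV the talk describes: resource, failed check, remediation text.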

The primary implication is that manual evaluation of cloud configurations is impractical for modern, dynamic environments. Automated, continuous monitoring against both established benchmarks and organization-specific policies is essential to mitigate the extensive threat surface in cloud infrastructure, particularly for resource-constrained organizations.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.