The Unit 42 research arm of Palo Alto Networks has published a report detailing how 22 application programming interfaces (APIs) across 16 different Amazon Web Services (AWS) platforms can be abused by cybercriminals to surface the identities of the members of the IT team that created them.
Jen Miller-Osborn, deputy director of threat intelligence for Unit 42, said that credential data could then be paired with a credential stuffing attack to compromise an AWS account, for example.
AWS services that can be abused in this fashion include Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS) and Amazon Simple Queue Service (SQS), noted Miller-Osborn. In a recent Red Team exercise, Unit 42 researchers compromised a customer’s cloud account with thousands of workloads using a misconfigured identity access management (IAM) role identified using this technique.
Thwarting these types of attacks is difficult because there are no observable logs in the targeted accounts. Therefore, IT teams need to enforce security hygiene that includes removing inactive users and roles to reduce the attack surface, adding random strings to usernames and role names to make them more difficult to guess, rely more on identity provider and federation so that no additional users are created in the AWS account, log and monitor all the identity authentication activities and enable two-factor authentication (2FA) for every user and IAM role.
According to Unit 42 research, the root cause of the issue stems from the fact that AWS proactively validates all the resource-based policies, which usually include a principal field that specifies the identities allowed to access the resource. If the policy contains a nonexistent identity, the API call that creates or updates the policy will fail with an error message. That convenient feature can be abused to check whether an identity exists in an AWS account, noted Miller-Osborn.
For example, cybercriminals can repeatedly invoke these APIs with different principals to enumerate the users and roles in a targeted account. Furthermore, the targeted account can’t observe the enumeration because the API logs and error messages only appear in the attacker’s account where the resource policies are manipulated. As a result, cybercriminals can have unrestricted time to perform reconnaissance on AWS accounts without worrying about being noticed. At present, there are 26 AWS services that support resource-based policies.
Miller-Osborn noted the more consistent an IT organizations is in terms of how they identify services and users, the easier it becomes for cybercriminals to detect a pattern that makes it easier for them to identify the next target in a sequence, which is why many IT teams would benefit from not applying a standard naming convention to their most critical IT assets, she said.
Of course, cybercriminals are targeting platforms such as AWS because that’s where the workloads are. As the number of workloads running in the cloud increases, IT organizations need to adapt to a shared security model. The challenge they face is the shared responsibility approach sometimes obfuscates aspects of the platform operated by the cloud service provider in a way that makes it difficult for cybersecurity teams to understand every facet.