Readings: Cloud Identity and Access Management (IAM) with AWS - focodecided/ops401-cybersecurity GitHub Wiki
1. What were the three commands used for the attack?
- Get Credentials - The first command obtained temporary security credentials for an IAM role named ****-WAF-Role, a role with elevated access that was intended for the AWS Web Application Firewall (WAF).
- List Buckets - The second command used the ****-WAF-Role credentials to list the S3 buckets (and the objects they held) that the role could reach.
- Download Files - The third command used the ****-WAF-Role credentials to download the files that those credentials could access.
2. What misconfiguration of AWS components allowed the attacker to access sensitive data?
- A misconfiguration of the AWS Web Application Firewall that let an attacker use Server-side Request Forgery (SSRF) to reach the metadata service of the underlying AWS EC2 instance/ECS task, and with it the role's credentials.
- Excessive permissions to an IAM role allowing access to private S3 buckets.
3. What are two of the AWS Governance practices that could have prevented such an attack?
- Review all access paths and permissions from identities to data stores (e.g. S3 buckets) and use Cloud Infrastructure Entitlement Management solutions to detect over-privileged identities.
- Scope the permissions of each IAM role to enable access only to the required AWS resources. The “WAF” role did not require access to list S3 buckets.
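The two practices above (review identity-to-storage access paths; scope each role to what it needs) can be turned into an automated check. The following is an added example, not code from this wiki, the course, or AWS: an offline linter that reads IAM policy documents and flags Allow statements granting S3 listing or object reads, or any action on a wildcard Resource. The two policy documents, the WAF action chosen as the role's "required" permission, the account id and the Web ACL name are all constructed for illustration; the matcher approximates IAM's wildcard handling with `fnmatch` and does not model Deny statements, conditions or SCPs.

```python
"""Offline least-privilege linter for IAM policy documents.

Added example for the reading above, not code from the page, the course
or AWS. It flags Allow statements that grant S3 discovery or read actions
(the capability abused in the breach described) or that use a wildcard
Resource. IAM pattern matching is approximated with fnmatch; Deny
statements, Condition blocks and SCPs are not modelled.
"""
import fnmatch
import json

# S3 actions needed to enumerate buckets and pull objects. Constructed list
# for this check, not an exhaustive catalogue of S3 permissions.
S3_DATA_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive; patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy, permitted_s3_actions=frozenset()):
    """Return human-readable findings for over-privileged Allow statements.

    permitted_s3_actions: S3 actions the role legitimately needs (if any);
    those are not reported. Every other S3_DATA_ACTIONS match is.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for pattern in actions:
            granted = {a for a in S3_DATA_ACTIONS if action_matches(pattern, a)}
            excess = sorted(granted - set(permitted_s3_actions))
            if excess:
                findings.append(
                    f"statement {idx}: action '{pattern}' grants {excess}")
        # A wildcard Resource applies every listed action to every resource
        # of that service, so listing/downloading works on any bucket.
        if any(r == "*" for r in resources) and actions:
            findings.append(
                f"statement {idx}: Resource '*' applies {actions} to every resource")
    return findings


def is_least_privilege(policy, permitted_s3_actions=frozenset()):
    """True when the linter finds nothing to report."""
    return not lint_policy(policy, permitted_s3_actions)


# Constructed policy resembling the over-privileged WAF role: broad S3 rights
# on every resource, which is what let bucket listing and download succeed
# once the role's credentials were obtained.
EXCESSIVE_WAF_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}
  ]
}""")

# Constructed scoped alternative: the role gets one WAF API action (a
# hypothetical requirement chosen for illustration) on a single Web ACL ARN
# and nothing in S3. Account id and ACL name are placeholders.
SCOPED_WAF_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["wafv2:GetWebACL"],
     "Resource": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/*"}
  ]
}""")


if __name__ == "__main__":
    for name, doc in (("excessive", EXCESSIVE_WAF_POLICY),
                      ("scoped", SCOPED_WAF_POLICY)):
        print(name, "->", lint_policy(doc) or ["no findings"])
```

Running the module prints two findings for the excessive policy (the `s3:*` action and the `*` resource) and none for the scoped one. Pointing `lint_policy` at the policy documents attached to every role in an account is a crude version of the entitlement review the governance practice calls for; a real review also has to follow trust policies, group memberships and resource-based bucket policies.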
Sources:
https://www.zscaler.com/resources/white-papers/capital-one-data-breach.pdf