Axel Springer Tech
Published in

Axel Springer Tech

Exploiting AWS Cross-Account access

Your S3 Bucket might be exposed to the latest cross-account vulnerability

Introduction

This writeup is for anyone willing to learn what a Confused Deputy Attack on AWS might look like and how to fix it.

Earlier this year security researchers presented a Confused Deputy Attack on S3 Buckets at Black Hat 2021. A Confused Deputy Attack is a security issue where an entity that doesn’t have permission to perform an action or access data can use a more-privileged entity to perform that action.

Usually one might think that given an AWS Account that it is completely isolated from other AWS Accounts/Customers.
In theory this is true, but real world scenarios look different.
Simply spoken AWS offers possibilities to grant to other AWS Accounts and resources. IAM policies allow different services to access one another.
An example for that is allowing multiple accounts to invoke a centralized api gateway authorizer.

According to the OWASP TOP 10 List of 2021 “94% of applications were tested for some form of broken access control”.
As these numbers are quite critical security misconfiguration is the number one security risk, even on AWS.
Nowadays most customers, including my employer, make us of a multi-account approach. Instead of deploying every single application in one account, one divides everything into several accounts, each of which for a specific purpose.
It’s quite common for a company to have hundreds if not thousands of accounts in AWS. Due to maintenance reasons customers grant AWS services across their multiple accounts.

That’s where a confused deputy attack comes into play:
If you do not have access to certain resources one of the AWS Services might have them. You just need to find a way to trick the AWS Service into performing actions on your behalf. That’s it. 😄😈

AWS Serverless Repository is a platform service that allows customers to store and deploy serverless applications. It needs to pull objects from S3 Buckets.
Due to a misconfigured sample IAM policy that AWS initially provided in their documentation it is possible to exploit the Service to read from other private S3 Buckets. This can lead to leaked sensitive information like passwords or source code.

coarse iam policy

The policy allows Serverless Repository to access any object in the bucket.
The problem: it does not define or limit who can use the service to access the bucket.

As an attacker all you have to do is create a private application in SAR and update it’s readme url using the aws cli:

All the attacker has to do is guess the bucket and file names. As there’s a cli command for updating the readme-url one can easily automate this.

For demo purposes i setup another AWS account as well as another private serverless application and tried to access sensitive data using my first one. Guess what: It worked.

leaked sensitive file using SAR

In short SAR makes it effortless for attackers to move from one account to another, reading sensitive information and inflict damage.

Since this vulnerability was discovered AWS has fixed the default policy in their documentation. It’s quite straight forward as all you have to do is restrict the access to your own source account.

Sadly AWS can’t fix this issue all on its own as it is not allowed to modify or update resource policies of its customers. Whenever user-action is involved the fixing a vulnerability is always less effective. All Amazon was able to do was sending emails and security notifications in the Personal Health Dashboard.

At the time of this blog post i was able to identify that at least 5 out of 10 SAR application buckets that i tested were still improperly configured.

ACT NOW!

AWS has a strict security standard (which btw is high-level) yet customers are prone to the #1 security issue. Even AWS can do mistakes. This type of cross-account vulnerability is fairly new, most users are completely unaware. We don’t even know how many vulnerabilities inside of AWS have not been found yet, similar issues likely exist.

Stay vigilant when creating IAM policies!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store