Exploring the Clouds Above

Vincent Le
7 min read · Jul 30, 2018


Introducing Team Snow White

Welcome to a new year in the ever-evolving cycle of cyber security! This year, our Cyber Defenders program proudly presents its Cloud Security team: Team Snow White. Members Jeremy Ho, Aaron Murray, Hana Ra, and Vincent Le are working diligently and rapidly to develop their skills by immersing themselves in the Amazon Web Services cloud. Team Snow White hopes to find its start in Amazon S3 buckets (the object storage service in Amazon's public cloud) and then go on to look for areas of compromise in the Identity and Access Management (IAM) permissions that control access to them.

The team will share a look at its first week of work, with a Tl;dr at the very bottom. So, valued readers and security enthusiasts, thank you for joining Team Snow White on this journey, and stay tuned for future updates!


Snow White Project Mission Statement:

Develop/improve an area that better secures a more vulnerable part of the public cloud service.

-Jeremy Ho

AWS Baby Steps

Before the team can understand and ultimately achieve its mission statement, it must first understand the security measures already in place in the AWS public cloud.

AWS offers many security features that help protect customers' data. For instance, AWS CloudTrail records the API calls made in an AWS account, so a user can monitor and audit every action taken in it. Another tool, Amazon Inspector, automatically assesses EC2 instances for known vulnerabilities and for deviations from security best practices that the account owner may not have configured.

The truth is that CloudTrail and Inspector are just two of a plethora of cloud security tools offered by AWS. However, there are still areas that pose potential security threats. Specifically, two spaces within the public cloud stand out as potential areas of compromise: S3 buckets and Identity and Access Management (IAM). In both cases the exposure comes from customer misconfiguration, such as a bucket or object made world-readable, or a user or role granted more permissions than it needs, rather than from a weakness in the platform itself.

By the end of the first day, the team concluded that more research on S3 buckets and IAM was required before it could develop anything further.

Research and Development

As part of the team's effort to gather useful insight on S3 buckets and IAM, the team's R&D Director, Aaron Murray, compiled an extensive list of notes organized around a few questions the team considered critical. Below is a shortened version of that list, followed by some insight into what the team plans to do with the research.

What security tools do cloud platforms already have?

  • DDoS protection — Auto Scaling, Amazon CloudFront and Amazon Route 53.
  • Encryption — AWS storage and database services, such as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift.
  • Configuration — Amazon Inspector automatically assesses EC2 instances for vulnerabilities and deviations from best practices.
  • Monitoring and logging — AWS CloudTrail, log aggregation options, and alert notifications through Amazon CloudWatch.
  • Identity and access controls — AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources; AWS Multi-Factor Authentication for privileged accounts; AWS Directory Service lets you integrate and federate with corporate directories to reduce administrative overhead and improve the end-user experience.
  • Penetration testing — To request permission, we must be logged into the AWS portal with the root credentials of the account that owns the instances we wish to test. AWS policy only permits testing of EC2 and RDS instances that we own, and does not allow testing of small or micro Amazon Relational Database Service (Amazon RDS) instance types. (This is the policy as of mid-2018; AWS has since dropped the prior-approval requirement for several services, including EC2 and RDS, so check the current policy before testing.)

What are S3 buckets and how are they vulnerable?

  • Amazon S3 is cloud storage for the internet.
  • You can upload photos, documents, and other data.
  • All S3 buckets are private by default; only the account that created a bucket can read or write it until access is granted.
  • The resource owner can optionally grant access to others by writing an access policy (a bucket policy or IAM policy) or an ACL; a bucket only becomes "public" when such a grant names everyone.
  • Can vulnerabilities be found through the S3 bucket UI (the web console)?

How could we improve IAM security?

  • ACL (Access Control List) — you can use ACLs to grant basic read/write permissions on a bucket or object to other AWS accounts.
  • S3 ACLs are a legacy, per-bucket and per-object mechanism separate from IAM policies. An ACL that grants READ to the predefined AllUsers group is what makes a bucket listable or an object downloadable by anyone on the internet, and the AuthenticatedUsers group means any AWS account holder in the world, not only users in the owner's account.

The list gave the team more insight and, more importantly, more questions. The team figured that more research was needed in order to fully understand how to fulfill the mission statement (see the Snow White Project Mission Statement above). The team then decided that learning by doing is how it would acquire the fundamentals.

In the meantime, Lead Project Manager Jeremy Ho and Head of Program Development Hana Ra worked hard to complete the group's ambitious next big step: develop a program that would help the team familiarize itself with the AWS S3 bucket space. Remember learning by doing? This was it.

First, every team member set up an S3 bucket on AWS. Then the team decided to make the newly created buckets public. Ho then developed a Python tool that uploads objects and files to an S3 bucket, given an access key ID, a secret access key, and the bucket name. Ho tested it by uploading a text file and a PNG. This marked the first step in comprehending what the team could do within the bounds of an Amazon bucket. (One caveat worth noting: taking the secret access key as a command-line argument leaves it in shell history and process listings; in practice the key should come from the standard AWS credential chain, such as environment variables or the shared credentials file.)

The team described the success of the small project as "a huge first step in the right direction." This marked the start of the development stage of Team Snow White's cherished project; the team's spirits had never been higher.

Below is Ho's simple and straightforward code that set the wheels in motion (the original post embeds it as an image, which is not reproduced here).

Ho’s Upload Python Tool

"The above code accesses a user's S3 bucket and uploads a file to the S3 cloud from the computer. The requirements include the user's access key ID and secret access key." — Jeremy Ho
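What the access key ID and secret access key actually do in an upload tool like Ho's is sign each request with AWS Signature Version 4, which S3 then verifies. The following standard-library implementation of that signing step for a PutObject request is an added illustration; it is not the team's code, it sends nothing over the network, and the bucket name, object key and body are placeholders. The key pair is the non-functional example pair from AWS's own documentation.

```python
"""AWS Signature Version 4 for an S3 PutObject request, standard library only.

Added illustration of what the access key ID and secret access key do in an
upload tool: the secret is only ever used as an HMAC key, never sent. Bucket,
key and body below are placeholders, not data from the original post."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# The placeholder key pair from AWS's documentation; it is not a working credential.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the scoped signing key (date/region/service); the raw secret never leaves here."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_put_object(bucket, key, body, access_key_id, secret, region="us-east-1", amz_date=None):
    """Return the headers to send with `PUT /<key>` to the bucket's regional endpoint.

    amz_date is an ISO-basic UTC timestamp (e.g. 20180730T120000Z); it defaults to now.
    """
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = _sha256_hex(body)  # S3 requires the body hash as a signed header
    headers = {
        "host": f"{bucket}.s3.{region}.amazonaws.com",
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    # Canonical request: method, URI, query string (empty), canonical headers
    # (lowercase, sorted, each ending in newline), signed-header list, payload hash.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{h}:{headers[h]}\n" for h in sorted(headers))
    canonical_request = "\n".join([
        "PUT",
        "/" + quote(key, safe="/-_.~"),
        "",
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode()),
    ])
    signature = hmac.new(
        signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Placeholder upload: with real credentials these headers plus the body would be
    # sent as PUT https://example-bucket.s3.us-east-1.amazonaws.com/notes/hello.txt
    for name, value in sign_put_object(
        "example-bucket", "notes/hello.txt", b"hello", ACCESS_KEY_ID, SECRET_ACCESS_KEY
    ).items():
        print(f"{name}: {value}")
```

Because the signature covers the date, the host, the object key and the body hash, a captured request cannot be replayed against another bucket or with a different payload, and the request itself never contains the secret. That is why the secret access key, not the access key ID, is the thing to protect: pasted on a command line it ends up in shell history and process listings, and committed to a repository it lets anyone who finds it produce valid signatures. Real clients such as boto3 and the AWS CLI perform exactly this signing and read the keys from the standard credential chain rather than from arguments.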

Likewise, Hana Ra began her own cycle of development. Ra started by exploring and analyzing public AWS S3 buckets. In time, Ra found the name of a public bucket (flaws.cloud, a site deliberately hosted on a public bucket as a training target). Using that name, Ra resolved the bucket's IP address and was even able to list and read specific files inside the public bucket.

Ra's contributions gave the team a better understanding of how to reach public S3 buckets and of how feasible it is to read the files in them. With a basic level of comprehension now reached, the team is building further ideas on top of that knowledge.

Below is Ra’s development and documentation on the public S3 Buckets.

Extracting IP Address for public bucket, named flaws.cloud. -Hana Ra

Listing items inside of public bucket — specific bucket name and region was used. -Hana Ra

Looking into specific html file among the list of items. -Hana Ra
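The checks Ra performed by hand (resolve the bucket's endpoint, request the bucket listing, pick out the object keys) are the same ones bucket-scanning tools automate, and the interesting part is interpreting S3's answer correctly. The following is an added example, not Ra's code or any tool's: it maps an S3 endpoint hostname to a region, builds the listing URL, and classifies a response to an unauthenticated GET on the bucket root. The HTTP responses are constructed to match S3's XML formats so the code runs offline; the bucket names, object keys and request IDs in them are made up.

```python
"""Interpreting S3's answer to an unauthenticated bucket listing.

Added example (not code from the original post). The responses below are
constructed in S3's XML formats; object keys, bucket names and IDs are made up."""
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>..., s3-website[-.]<region>...
_ENDPOINT_RE = re.compile(r"^s3(?:-website)?(?:[-.]([a-z]{2}-[a-z]+-\d+))?\.amazonaws\.com$")

# Constructed sample responses (declaration omitted; ElementTree does not need it).
LISTING_200 = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-public-bucket</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>index.html</Key><LastModified>2018-07-01T10:00:00.000Z</LastModified>
    <ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag><Size>3015</Size>
    <StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>backup/site-2018-07.sql</Key><LastModified>2018-07-02T10:00:00.000Z</LastModified>
    <ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag><Size>204800</Size>
    <StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>"""
ERROR_403 = ("<Error><Code>AccessDenied</Code><Message>Access Denied</Message>"
             "<RequestId>0000EXAMPLE</RequestId><HostId>constructed</HostId></Error>")
ERROR_404 = ("<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist"
             "</Message><BucketName>example-missing</BucketName></Error>")


def region_from_endpoint(hostname):
    """Region of an S3 endpoint hostname (e.g. the CNAME or PTR of a bucket-hosted site).

    The bare s3.amazonaws.com endpoint means us-east-1; returns None if not S3 at all.
    """
    m = _ENDPOINT_RE.match(hostname.lower().rstrip("."))
    if not m:
        return None
    return m.group(1) or "us-east-1"


def listing_url(bucket, region="us-east-1"):
    """URL for an unauthenticated listing request (GET on the bucket root)."""
    if "." in bucket:  # dotted names break the wildcard TLS cert on the virtual-hosted endpoint
        return f"https://s3.{region}.amazonaws.com/{bucket}/"
    return f"https://{bucket}.s3.{region}.amazonaws.com/"


def parse_listing(xml_text):
    """Return (entries, is_truncated) from a ListBucketResult body."""
    root = ET.fromstring(xml_text)
    entries = [
        {"key": c.findtext(S3_NS + "Key"), "size": int(c.findtext(S3_NS + "Size"))}
        for c in root.findall(S3_NS + "Contents")
    ]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return entries, truncated


def classify(status, headers, body):
    """Classify the response to GET <listing_url>. Returns (verdict, detail)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 307) and "x-amz-bucket-region" in hdrs:
        return "wrong-region", hdrs["x-amz-bucket-region"]  # retry against that region
    root = ET.fromstring(body) if body.strip() else None
    if status == 200 and root is not None and root.tag == S3_NS + "ListBucketResult":
        entries, _ = parse_listing(body)  # anyone on the internet can enumerate objects
        return "public-listing", entries
    if root is not None and root.tag == "Error":
        code = root.findtext("Code")
        if code == "NoSuchBucket":
            return "no-such-bucket", code
        if code == "AccessDenied":
            return "exists-private", code  # listing denied; objects may still be public
        return "error", code
    return "unknown", status


if __name__ == "__main__":
    print(listing_url("flaws.cloud", region_from_endpoint("s3-website-us-west-2.amazonaws.com")))
    for status, hdrs, body in [(200, {}, LISTING_200), (403, {}, ERROR_403),
                               (404, {}, ERROR_404), (301, {"x-amz-bucket-region": "us-west-2"}, "")]:
        print(status, classify(status, hdrs, body))
```

Two caveats matter when reading the verdicts. A 403 on the listing only proves that the AllUsers group lacks list permission on the bucket; individual objects can still be world-readable through their own ACLs, so a private listing does not mean private data. And a listing whose `IsTruncated` is true only returned the first page (1,000 keys by default), so a real scan has to page through with the marker until it is false.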

Delving Deeper

While exploring buckets in the public cloud space, a few GitHub projects and Python packages caught the team's eye. The team began to narrow down a list of potential projects and tools that could help it accomplish the mission statement (see the Snow White Project Mission Statement above).

In the quest to find a suitable project to contribute to, open source projects quickly stood out. The team thought it would be best to contribute to open source projects because doing so gives back to the community. It also goes without saying that open source projects give the team many ideas and resources for improving its own project.

One potential project is S3Scanner, an open source tool that checks whether S3 buckets exist and whether their contents can be listed. The team began to fork and clone the project but has not made much progress yet. The team is thrilled to continue working on its contributions to S3Scanner and other projects.

The team is also actively looking for more Python packages and applications that will serve the project.

Looking Forward

In the weeks to come, the team hopes to finish three important tasks:

  1. Master S3 buckets and learn more about IAM

The team believes that learning about IAM is the next step in furthering its knowledge and the project.

  2. Contribute to a GitHub project

This would allow the team to incorporate other projects into its own.

  3. Reach out to a professional in the cloud security space

This would give the team industry knowledge, which it very clearly lacks.

The original post also attaches a presentation covering the project's progress in the first week.

With that, Team Snow White will leave a conclusive statement:

Dear valued reader,

Team Snow White would like to extend its appreciation and thanks to you personally. A big thank you for reading the first installment of our blog posts.

Our team hopes to make the cloud space more secure, so please join us as we face adversity and beat it with sheer determination.

Until next time,

Team Snow White

Tl;dr — This is Team Snow White's first blog post. The team's project is to make a vulnerable area of the public cloud space more secure. The team is working with AWS S3 buckets and hopes to make progress in the following weeks.
