Sneaky recon on roster of AWS users is possible, Unit 42 says
Knowing exactly who manages a certain cloud service can be valuable information for malicious hackers, and a cybersecurity company says it has found that kind of weakness in products run by one of the biggest cloud providers.
More than 20 application programming interfaces (APIs) associated with 16 Amazon Web Services products can be abused to give up basic information about users and their roles, according to Unit 42, the research arm of cybersecurity giant Palo Alto Networks.
“A malicious actor may obtain the roster of an account, learn the organization’s internal structure” and then perhaps “launch targeted attacks against individuals,” Unit 42 researcher Jay Chen says in a report released Tuesday morning. Palo Alto Networks says AWS gave permission to release the research.
The problem is within a feature that validates “resource-based policies” for things like the commonly used Amazon Simple Storage Service (S3), Unit 42 says. A resource-based policy is basically a rule that governs who can access a specific resource in the cloud.
Those policies can be created or updated with API calls, and those calls must include a “Principal” specifying “the identities (users or roles) allowed to access the resource,” Chen says. If the Principal field is blank, the API call produces an error message, and that’s where things get interesting: An attacker can keep trying different pieces of information in the Principal field to see which values produce an error message and which don’t, and so learn which identities exist in the targeted account.
And more importantly, those repeated attempts aren’t detectable, Chen says. The targeted account “can’t observe the enumeration because the API logs and error messages only appear in the attacker’s account where the resource policies are manipulated,” the researcher says. “The ‘stealthy’ property of the technique makes detection and prevention difficult.”
To be clear, it’s not the kind of vulnerability that would give an adversary direct access to the actual data stored in AWS services. Indeed, the error messages are a “convenient feature” for cloud management, Chen writes. But doing reconnaissance about who runs an S3 bucket — and what their access privileges are — would hypothetically allow an attacker to target a specific person, like an IT administrator, with the hopes of stealing their cloud credentials.
Beyond S3 buckets, other affected products include Amazon Key Management Service and Amazon Simple Queue Service, Unit 42 says.
Unit 42 notes that penetration-testing company Rhino Security Labs published research on a similar technique involving the “role trust policy” for AWS Identity and Access Management (IAM).
Unit 42 says that “good IAM security hygiene can still effectively mitigate the threats from this type of attack.” Suggestions include making sure that inactive users and roles are nixed, adding random extra characters to usernames to make them harder to guess, and enabling two-factor authentication for all users and roles.
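The hygiene checks Unit 42 recommends can be run routinely against an account’s IAM credential report. The script below is an added example, not code from Unit 42, Palo Alto Networks or AWS: it parses a credential report in the CSV layout AWS produces (in boto3, `iam.generate_credential_report()` followed by `iam.get_credential_report()['Content']`) and flags users with console access but no MFA, users whose credentials have gone unused, and usernames that carry no random suffix. The report rows, the 90-day inactivity threshold and the “digits mean a random suffix” convention are constructed assumptions for this example.

```python
"""Audit an IAM credential report for the hygiene gaps the article lists.

Added example, not Unit 42's or AWS's code. The CSV columns match the
credential report AWS IAM generates; the rows, the account ID and the
thresholds are constructed sample values.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # assumed organisational threshold, not an AWS default

# Constructed sample report in the real credential-report column layout.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
admin,arn:aws:iam::123456789012:user/admin,2020-03-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,2024-01-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,false,true,2024-01-01T00:00:00+00:00,2024-05-19T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
backup-svc-7q2x,arn:aws:iam::123456789012:user/backup-svc-7q2x,2021-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,2023-11-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
jdoe-k9f3,arn:aws:iam::123456789012:user/jdoe-k9f3,2022-02-01T00:00:00+00:00,true,2024-05-21T08:00:00+00:00,2024-03-01T00:00:00+00:00,2024-06-01T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""


def _parse_time(value):
    """Return a datetime for an ISO-8601 cell, or None for the report's 'no value' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent console or access-key use for a user, or None if never used."""
    cols = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    stamps = [t for t in (_parse_time(row[c]) for c in cols) if t is not None]
    return max(stamps) if stamps else None


def audit_credential_report(report_csv, now=None, inactive_days=INACTIVE_DAYS):
    """Return (username, finding) pairs for the hygiene gaps in the report.

    `now` may be a datetime or an ISO-8601 string; it defaults to the current time.
    Roles are not in the credential report; check them separately via
    iam.get_role()['Role']['RoleLastUsed'].
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=inactive_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((name, "root account without MFA"))
            continue
        has_creds = "true" in (row["password_enabled"], row["access_key_1_active"], row["access_key_2_active"])
        # MFA device enrolment applies to console users; key-only identities are
        # constrained instead through policy conditions, which the report cannot show.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((name, "no MFA"))
        last = last_activity(row)
        if has_creds and (last is None or last < cutoff):
            findings.append((name, "inactive for more than %d days" % inactive_days))
        # Assumed convention: usernames carry a random suffix that contains digits.
        if not any(ch.isdigit() for ch in name):
            findings.append((name, "username has no random suffix"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, now="2024-06-01T00:00:00+00:00"):
        print("%-20s %s" % (user, finding))
```

Run against a live account by replacing `SAMPLE_REPORT` with the decoded `Content` of `get_credential_report()`; the cutoff is pinned to a fixed `now` above only so the sample output is reproducible.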