Identifying Publicly Accessible Data with Compromised AWS API Keys Part - 4


Introduction

AWS IAM services provide cloud security engineers with the means to implement access control for their resources. To confirm user identity, programmatic access to AWS APIs can be established using AWS access keys, which consist of an access key ID and a secret access key. It is crucial to securely store the secret access keys since they are only available at the time of creation. In an organizational context, these access keys are typically shared with users. However, if they are accidentally leaked or fall into the wrong hands, unauthorized individuals could gain easy access to sensitive information on the organization's AWS resources. Consequently, if the secret keys are lost or stolen, it is imperative to promptly delete the corresponding user account and create a new one to mitigate potential risks.

Lab Objective

The lab aims to demonstrate the potential risks and consequences of unauthorized access to AWS resources and highlights the importance of securing access keys to prevent such incidents.

Disclaimer

Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console.

Lab Task

  • Sign in to your AWS management console and navigate to the IAM dashboard by searching IAM in the top search box.

  • In the IAM dashboard, click on Users on the left pane under Access Management. Then click on Add Users at the top.

  • In the Add user page, enter an appropriate name in the username (here, d3m0-user) and click on Next at the bottom.

  • On the Set Permissions page, click on the third option: Attach policies directly

  • In the Filter Policies search box, type AmazonEC2FullAccess. Then, select the checkbox for AmazonEC2FullAccess. Then click on Next.

  • On the Review and Create page, review the configuration and click on the “Create user” button

  • The IAM user d3m0-user has been successfully created. To generate the Programmatic Access Key ID and Secret Access Key for the IAM user (d3m0-user), click on the user (d3m0-user).

  • On the IAM user (d3m0-user) info Page, navigate to the Security credentials tab and scroll down to the Access keys section, then click on “Create access key.”

  • On the Create Access Key page, click on the radio button Command Line Interface (CLI), then scroll down and click on the Acknowledge check box. Once done, click Next

  • The Set description tag page is optional. Click the Create access key button.

  • The access key has been successfully created. On the Retrieve access keys page, click on Download .csv file and click Done.

Creating User Group

  • Now, to add the created IAM user (d3m0-user) to a user group, navigate to the IAM Dashboard page, click on User Groups under Access management in the left pane, then click on the Create group button at the top right.

  • In the User group name field under the Create user group page, enter Sec-Eng-Grp. Next, scroll down and select the check box for the created IAM user (d3m0-user).

  • Scroll down and search for IAMReadOnlyAccess under Attach permissions policies and Select the checkbox for IAMReadOnlyAccess. Once done, click on Create Group.

  • The user group (Sec-Eng-Grp) is successfully created.

  • Next, click on Users in the left pane. You will see that d3m0-user comes under Sec-Eng-Grp. Click on the refresh icon if you don't see this.

Creating Security Groups

  • Now, you will create a Security Group. From the top search box, search for EC2 and press Enter.

  • In the left pane of the EC2 console, click on Security Groups under Network & Security. Then click on Create security group at the top right of the EC2 console.

  • Within the "Create security group" page, customize the following details under the "Basic details" section:

    • Security group name: Sec-Eng-Grp-Sg

    • Description: Grant access to Sec-Eng-Grp users

    • VPC: Retain Default value

  • Scroll down and click on Add rule under Inbound rules. Then configure the inbound rule: Type as SSH and Source as 0.0.0.0/0

  • Under Outbound rules, click on Add rule and configure Type: All traffic and Destination: 0.0.0.0/0

  • Next, optionally add tags, then scroll down and click on Create security group.

  • The creation of the security group was successful. Please take note of the Security Group ID.

Gather Information on Exposed AWS Resources

Lab Scenario

As a cloud security engineer, assume that the access keys have been compromised or misused by an insider for malicious purposes. You can then gather information about the AWS resources that have been exposed.

  • In order to accomplish this task, it is assumed that you have installed AWS CLI either on Linux or Windows.

For this lab, the task will be accomplished using AWS CLI on Linux (Parrot)

Check the AWS documentation on how to install it on Linux or Windows.

You can also check Part 1 of the series for reference on Setting up AWS CLI on Linux.

If you have already installed AWS CLI, you can continue with the next step.

  • Navigate to your terminal (Linux or MacOS) or Command prompt (CMD for Windows) and type the command aws --version to confirm you have AWS CLI installed.

  • Now, use the following command to create a profile with the Programmatic Access key ID and Secret access key you generated in the previous steps (the .csv file you downloaded).

      aws configure --profile sec-engr
    

    NB: from the above command, the profile name is sec-engr

  • When the above command is executed, it prompts you to enter details such as:

    • AWS Access Key ID [None]: (access_key_ID)

    • AWS Secret Access Key [None]: (secret_access_key)

    • Default region name [None]: us-west-2

    • Default output format [None]: json

Supply the details using the .csv file (above Excel file) that was downloaded

NB: Replace "Default region name" with your selected region

  • Enter the following command for the Security Token Service (STS) to retrieve information regarding the compromised keys, and then press Enter.

      aws sts get-caller-identity --profile sec-engr
    

    By utilizing the STS: Get Caller Identity command, essential information such as the User ID, Account ID, and Amazon Resource Name (ARN) can be collected.

  • Enter the following command to display a list of instances within the specified region (in this case, us-west-2), then press Enter.

      aws ec2 describe-security-groups --region us-west-2 --profile sec-engr

Note: Replace us-west-2 with your region if you are using a different region

You will get the instances configured in the region us-west-2. This information is available because d3m0-user has the AmazonEC2FullAccess policy. Also, you will get information regarding the configured security groups. (Press Enter key to view more details)

In the output, you will find the details of the Sec-Eng-Grp-Sg security group that you created for this lab.

Press Ctrl + Z to exit

  • If you execute the same command with the wrong region, for example with us-west-2 replaced by us-east-1:

      aws ec2 describe-security-groups --region us-east-1 --profile sec-engr

You will get an empty result because no security group was configured in that region.
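
A defender's follow-up to the enumeration above, as an added example that is not part of the original lab: the Python below takes the JSON that describe-security-groups prints and lists every inbound rule that exposes SSH to any address, which is what the lab's Sec-Eng-Grp-Sg rule does. The sample output, the group and VPC IDs, and the function name world_open_ingress are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE_OUTPUT = """
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE0001", "GroupName": "Sec-Eng-Grp-Sg",
   "Description": "Grant access to Sec-Eng-Grp users", "VpcId": "vpc-EXAMPLE",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-EXAMPLE0002", "GroupName": "internal-only",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-EXAMPLE0003", "GroupName": "allow-all",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
   "IpPermissionsEgress": []}
]}
"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def world_open_ingress(cli_json, port=22):
    """Return (GroupId, GroupName, protocol, ports, cidr) for each inbound rule
    that lets any address reach TCP `port`."""
    findings = []
    for sg in json.loads(cli_json).get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):  # inbound rules only
            proto = rule.get("IpProtocol")
            if proto == "-1":  # "All traffic": no FromPort/ToPort keys present
                ports = "all"
            elif proto == "tcp" and rule.get("FromPort", 1) <= port <= rule.get("ToPort", 0):
                ports = f"{rule['FromPort']}-{rule['ToPort']}"
            else:
                continue
            cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANY_SOURCE:
                    findings.append((sg["GroupId"], sg["GroupName"], proto, ports, cidr))
    return findings

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_OUTPUT):
        print(*finding)
```

Because the result differs per region, as the us-east-1 run shows, run the command and this check once for each region in use.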

In summary, a cloud security engineer has the ability to conduct tests for leaked AWS resource data resulting from stolen or compromised access keys and implement suitable security measures to protect their environment.

Deleting Created Resources

Please make sure to delete, shut down, or terminate all resources utilized and created in this lab to avoid incurring any charges.

  • Now, to delete the resources created in this lab, navigate to the Security Groups under EC2 and select the checkbox for the security group you want to delete (here, Sec-Eng-Grp-Sg). Select the Actions dropdown and click on the Delete security groups option. In the pop-up window, click on the Delete button.

  • Navigate to User groups under the IAM console and select the checkbox of the user group created in this lab (here, Sec-Eng-Grp). Click on the Delete button. In the pop-up window, enter the user group's name and click on Delete.

  • Navigate to Users under the IAM console and select the checkbox of the user created in this lab (here, d3m0-user). Click on the Delete button. In the pop-up window, enter the user's name and click on the Delete button.
