Non-Production Endpoints as an Attack Surface in AWS – InfoQ

Original link (2024-06-29)

Datadog Security TeamSecurity issues have recently been uncovered in AWS.In this issue, a non-production endpoint was used as the target of the attack, and privilege enumeration was performed silently. AWS has since fixed these specific abuses.

In June 2023, Datadog identified two new scenarios for bypassing AWS CloudTrail, according to the announcement. Using specific non-production endpoints with API actions that access account-level information, and using API calls that generate multiple events in CloudTrail. I am a staff security researcher at Datadog.Nick FreakettHe explains:

We determined that a non-production AWS API endpoint could be used to enumerate permissions without logging into CloudTrail. Since we first deployed this technique, we have worked closely with AWS to demonstrate how adversaries could use this method to surreptitiously assess the privileges of compromised credentials.

This research demonstrates that attackers can exploit misconfigurations and vulnerabilities in these non-production endpoints, which are often overlooked by security measures, to gain unauthorized access or escalate privileges to compromise production environments.

Since this issue was reported to AWS, cloud providers have updated the CloudTrail Bypass for AWS Cost Explorer (ce: Get cost and usage) and CloudTrail bypassing Route 53 (route53resolver:Firewall configuration list) was released last September, fixing two specific breaches. The AWS Security Outreach team requested that the publication of Datadog’s findings be delayed until additional mitigations are deployed. Corey Quinn, chief cloud economist at The Duckbill Group, said:commenta job.

AWS Security went down for 11 months when this vulnerability was disclosed. What on earth is happening?

Instead, Frechette emphasizes the importance of securing all endpoints to prevent security breaches, even those considered low risk or used for testing and development.

Aside from bypassing CloudTrail, non-production endpoints have a potential use case for obfuscating event sources to evade defenses.

Cloud providers acknowledge vulnerabilities.

For isolated, non-production endpoints that do not log into CloudTrail, but are callable with normal credentials and exhibit normal IAM permissions behavior, AWS also provides security protections to bypass CloudTrail logging for these endpoints, and I believe this is an issue.

At the same time, AWS emphasizes that not all endpoints require remediation.

Non-production endpoints that access production resources but generate CloudTrail events that do not match those generated by standard endpoints will not be processed unless it is clear what services or processes are involved.

Along with this announcement, Datadog documented how the vulnerability was discovered.videoPublished. Recent Articles “Expanded Exposure: How AWS Flaws Left Amplify IAM Roles Vulnerable to TakeoverCovers a vulnerability in AWS Amplify that exposed an IAM role associated with a project.