Securing Amazon S3: Learn Red Team exploits and Blue Team defenses (DEV344)

Securing Amazon S3: Red Team Exploits and Blue Team Defenses

Red Team vs. Blue Team

  • The Red Team's goal is to access "Crown Jewel" data from S3 using stealth techniques to avoid detection.
  • The Blue Team's goal is to detect and stop the Red Team's activities.

Types of Encryption for Amazon S3

  1. No Encryption: No longer possible.
  2. Amazon S3 Managed Key: Not very secure.
  3. AWS Managed KMS Key: Not very secure.
  4. Customer Managed Key: Recommended option.
  5. Dual Layer KMS Key: Most secure option.

Securing Customer Managed KMS Key

  1. Disable IAM permissions on the KMS key to ensure all permissions go through the KMS key resource policy.
  2. Implement Separation of Duties:
    • Key Administrator: Can create and manage the key, but cannot use it.
    • Key User: Can use the key, but cannot create or manage it.

Red Team Tactic: Privilege Escalation Using a Cloud Boot Hook

  1. Assume the role of a junior system admin with limited permissions (only ec2 start/stop and modify instance attribute).
  2. Stop the target EC2 instance.
  3. Modify the instance's user data to include a Cloud Boot Hook directive, which runs code every time the instance is started/stopped/rebooted.
  4. The code retrieves the instance's temporary credentials and sends them to a listener.
  5. Start the instance back up, and the listener receives the temporary credentials.
  6. Use the retrieved credentials to access the target S3 bucket.

Blue Team Defenses

  1. AWS Config Rules:
    • S3 Default KMS Encryption
    • Custom Config Rule (checks for default encryption, IAM permissions, and Separation of Duties)
  2. EventBridge and Lambda:
    • Detect changes to the user data (via the "modify instance attribute" event)
    • Automate actions like revoking sessions, stopping/quarantining the instance, restoring user data, or blocking the principal.
  3. VPC Endpoint and S3 Bucket Resource Policy:
    • Deny remote access to the S3 bucket, even with valid credentials, if the request does not originate from the specified VPC endpoint.
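The EventBridge/Lambda detection above, as an added example that is not code from the talk: it takes a constructed CloudTrail ModifyInstanceAttribute record, fetches the instance's current user data through an injected callable (assumed to wrap DescribeInstanceAttribute, since the event record may not carry the value), and flags the cloud-init boot-hook directive so the automation can quarantine the instance and name the principal. Event shape, instance ID and role ARN are constructed sample values.

```python
"""Detect user-data tampering that installs a cloud-init boot hook."""
import base64
import re

# Markers that make cloud-init re-run a script on every boot (the
# directive the Red Team tactic relies on), in plain and MIME multipart form.
BOOTHOOK_PATTERNS = (
    re.compile(r"^#cloud-boothook", re.MULTILINE),
    re.compile(r"Content-Type:\s*text/cloud-boothook", re.IGNORECASE),
)

# Constructed sample: EventBridge delivers the CloudTrail record under "detail".
SAMPLE_EVENT = {
    "detail": {
        "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/JuniorSysAdmin/s1"},
        "requestParameters": {
            "instanceId": "i-0example1234567890",
            "userData": {"value": "<sensitiveDataRemoved>"},  # assumed redacted here
        },
    }
}
# Constructed user data, base64-encoded as DescribeInstanceAttribute returns it.
TAMPERED_USER_DATA = base64.b64encode(b"#cloud-boothook\n#!/bin/bash\necho placeholder\n").decode()
CLEAN_USER_DATA = base64.b64encode(b"#!/bin/bash\nyum update -y\n").decode()


def extract_instance_id(event):
    """Return the instance ID if this record changed user data, else None."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "ModifyInstanceAttribute":
        return None
    params = detail.get("requestParameters", {})
    if "userData" not in params:
        return None  # some other attribute changed; not in scope here
    return params.get("instanceId")


def find_boothook(user_data_b64):
    """Return the boot-hook markers found in base64-encoded user data."""
    try:
        text = base64.b64decode(user_data_b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["undecodable-user-data"]
    return [p.pattern for p in BOOTHOOK_PATTERNS if p.search(text)]


def assess_event(event, fetch_user_data):
    """Decide the response: ignore, review (user data changed), or quarantine."""
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"action": "ignore"}
    actor = event["detail"].get("userIdentity", {}).get("arn", "unknown")
    hits = find_boothook(fetch_user_data(instance_id))
    action = "quarantine" if hits else "review"
    return {"action": action, "instance": instance_id, "principal": actor, "markers": hits}
```

In a deployed handler, `fetch_user_data` would call DescribeInstanceAttribute with `Attribute="userData"`, and a "quarantine" result would drive the session-revocation and instance-stop steps listed above.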

Summary

  • Securing S3 buckets with proper encryption and KMS key management is crucial.
  • Implementing Separation of Duties for KMS keys can further strengthen the security.
  • Red Team tactics like using a Cloud Boot Hook can lead to privilege escalation and data access.
  • Blue Team defenses like AWS Config Rules, EventBridge, and VPC Endpoint/Bucket Resource Policies can help detect and mitigate such attacks.
