Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Nick Frichette Profile picture
@Frichette_n
Mar 3 24 tweets 7 min read Read on X
It's a beautiful Sunday, so let's chat about hacking AWS environments! In this thread, I want to talk about an interesting quirk with Amazon Cognito, demo why least privilege is the most important thing in the cloud, and emphasize that mitigations aren't always enough. A 🧵
For the demo we have an Identity pool which supports guest access and has a user pool attached for authenticated access. The Identity pool does NOT have the classic flow enabled, and the user pool does NOT allow registration (this is important later). Image
This Identity pool has a glaring misconfiguration! The role used for guest access mistakenly has the AdministratorAccess policy attached! Oh no! Anyone can interact with our pool, assume this role, and have admin access to our AWS account! Image
With a couple unauthenticated API calls we can get credentials for this misconfigured "cognito-guest-role". We now have admin access to this AWS account because of a simple mistake. It's over right? Ransomware city? Build a crypto-mining kingdom?
Image
Image
Well......no. Actually not. If we try to do something like iam:ListUsers....it fails? How can this be? The "cognito-guest-role" has the AdministratorAccess policy attached? Image
The reason is that when you call cognito-identity:GetCredentialsForIdentity, Cognito will silently apply a session policy in the background. A session policy is a special type of policy you can apply when a role is assumed that limits its permissions for that session. Image
This session policy, "is used as a guardrail against overly permissive policies attached for roles in an identity pool". It is defense in depth in case you accidentally provide crazy permissions to guest users. It is ONLY applied to guest users (not auth)
docs.aws.amazon.com/aws-managed-po…
Now, to be clear, it's still pretty broad. Don't go thinking you can give all your Cognito guests AdministratorAccess and everything will be secure. If we look at this policy there is a ton of access including: lambda:*, sns:*, sqs:*, dynamodb:*, logs:*, s3:*, etc. Image
However, there is a really interesting entry in that session policy. An entry that theoretically would undo this protection entirely. Can you guess what it is?
If you notice, cognito-identity is included. That's.....weird. Couldn't you abuse this to disable this protection?
See, there are 2 ways to get credentials for Cognito Identity Pools: The "enhanced" flow and the "basic" flow. The enhanced flow is what we did previously, and utilizes GetCredentialsForIdentity. It is that flow which adds the session policy.
docs.aws.amazon.com/cognito/latest…
The "basic" flow, to contrast, does NOT attach a session policy. If you have the basic flow enabled (which is not the default), and you overprivilege your guest policy, an adversary has free reign to your account (and hence ransomware city can be founded on your dime)
Going back to the session policy, if we have privileges for that, couldn't we just enable the basic flow (which does not attach the session policy), get new credentials and suddenly have access to everything in the account? Well.....no. Turns out there is something extra.
If you try, you get a "These credentials are not valid for accessing this resource" error. It seems that AWS expected an adversary would try this (or someone reported this to them) and added an extra protection. Image
Even if you, on paper, have the permissions to modify an identity pool, you can't actually do it. This goes for just about every cognito-identity API call excluding GetId, GetCredentialsForIdentity, and GetOpenIDToken.
Now, to further stress, this session policy is NOT enough. An adversary can still cause all sorts of harm. For example, here are the steps to go from unauthenticated to authenticated with the identity pool.
First, we are going to list the user pools in the account and create a user. We'll then confirm that user.

Image
Image
Image
We have now created a Cognito user pool user using the guest access credentials! Now let's authenticate to the Identity pool using these created credentials. Image
And boom! We managed to go from guest access to the identity pool to authenticated access in just a few minutes all because of a misconfiguration. There are other privilege escalation opportunities that could be explored, such as the aforementioned Lambda access.

Image
Image
Image
So what have we learned:
- LEASE PRIVILEGE is king in the cloud. Regularly audit your Cognito identity pools for guest access and what level of privilege they have. They are basically wildcard principals in a trust policy with an extra step.
- Cognito will try to protect you from yourself! It adds a session policy as a sort of guardrail to protect you from over privileged identities. However, we learned that it ONLY does that for the "enhanced" flow. Double check to see if you have the "basic" flow enabled...
and if you do, you should probably disable it for extra protection. If you have a particularly old identity pool this becomes doubly important.
- Don't rely on mitigations or guardrails to protect you, there are still opportunities for an adversary to do harm. Scoping your IAM policies to the bare minimum is the best choice to defend yourself.
If you enjoyed this thread checkout @HackingthCloud. An open-source encyclopedia of offensive security techniques to use in cloud environments.

hackingthe.cloud

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nick Frichette

Nick Frichette Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Frichette_n

Nick Frichette Profile picture
Feb 3
As someone involved in the AWS offsec space, I want to share why I strongly do NOT recommend the HackTricks AWS Red Team Expert course. The author of it is a plagiarist, stealing content from other creators and is directly profiting off of it through sponsorships. A 🧵
The nature of the plagiarism depends per article. Sometimes it's entirely copy-pasted from another source. Sometimes it's only a couple paragraphs. Sometimes there is a "reference" (a link at the bottom of the page where it was copied from), but that hardly fits the meaning.
Sometimes there is 0 attribution at all to the original researcher/creator! First, some backstory: A little over a year ago, when HackTricks Cloud started, it was immediately pointed out to me that it contained copies of articles I had written.
Read 42 tweets
Nick Frichette Profile picture
Jan 31
Today is an interesting day! I read a report about a threat actor, and for once I'm impressed! This is the first I can remember in which a TA has displayed NEW tradecraft, before researchers have shared it widely. Let's review in this 🧵
invictus-ir.com/news/the-curio…
Okay, starting off rough. There was an access key that was exposed that had AdministratorAccess. This happens way too frequently and is always a major risk. Security Teams: Delete these keys and these IAM users! They are a major risk to you. Let's see what the TA does with this Image
It's important to note, unless the IAM user was named something like "Admin", the TA has no idea what permissions are associated with the user. They have to enumerate those. They start off a little silly, immediately checking for SES access which is a major focus for bad guys. Image
Read 34 tweets
Nick Frichette Profile picture
Nov 7, 2022
As security researchers, we don’t often discuss failed research projects. While it may be a bit embarrassing to not succeed, there are still lessons learned from the project. In this thread, I’d like to share research I’ve been doing on-and-off on identifying AWS honeytokens. 🧵
(Side note before diving in: If you do find a way around this, I would love to feature your work on Hacking the Cloud)
Some background first: What is a honeytoken? In AWS, a honeytoken is a set of IAM credentials that are “booby trapped”. If the creds are used, automation will see their usage in CloudTrail and alert defenders that someone has used the keys.
Read 27 tweets
Nick Frichette Profile picture
Feb 7, 2022
Thinkst (who I love btw) has a great post about attackers targeting AWS API keys. I'd like to expand on this a bit and discuss a technique not mentioned in the post (but it is on Hacking the Cloud) 1/x hackingthe.cloud/aws/enumeratio…
Please note: I'm not focusing on the CanaryToken product itself. Instead I'll be describing validating regular stolen AWS credentials.
As an attacker, I will always look for AWS credentials. Whether its on a developers workstation, in a CI/CD pipeline, or on an EC2 instance (via the Metadata Service or otherwise). Don't get me wrong, we can persist at the data plane (EC2, ECS, Lambda, etc.) 2/x
Read 12 tweets
Nick Frichette Profile picture
Jan 20, 2022
Tremendous news everyone (in offsec)! There's a bypass for the new GuardDuty InstanceCredentialExfiltration finding! It's via VPC endpoints! (I caution this is with limited testing) ImageImageImageImage
So it looks like you can steal IAM credentials from a EC2 instance and then you can create your own EC2 but stick it in a private subnet along side a ton of VPC Endpoints (to be clear this is still remarkably painful and annoyting, but at least for now it wont show in GuardDuty
docs.aws.amazon.com/vpc/latest/pri…
Read 4 tweets
Nick Frichette Profile picture
Sep 27, 2021
So uhh, someone managed to foil my plan of going to bed early tonight. I got a notification to my personal email that I successfully registered a Cloudflare account......I don't use Cloudflare. Join me in my journey to figure out what happened...
This had me scrambling. Why would someone register a Cloudflare account in my name? What would someone get out of doing this? Did I accidentally do this? What do I know about Cloudflare? Is this phishing? (Couldn't be phishing, this is a terrible pretext. Domains checked out).
What about hypothetical attacks? Could someone create an account, register an API key, and then wait for me to verify and gain control of the account (the vuln I found in Terraform Enterprise was basically that flow). If they did this on mass eventually they would get a winner?
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(