Ben Reser
Principal Cloud Security Architect @Vibes, @TheASF Member (SVN/httpd), @Tesla Fan, Casual Gamer. Opinions my own, RTs ≠ endorsement. He/him.
May 31, 2022 13 tweets 3 min read
I found a security vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). It's been fixed, so now I can talk about it. Specifically, there are two API calls that the service uses to convert AWS IAM credentials into tokens that can be used to log in to Airflow. #AWS

The CreateCliToken and CreateWebLoginToken APIs were logging the tokens to CloudTrail. The event included the hostname for the Airflow server, so everything required to log in to Airflow was in the event.
Jul 20, 2020 12 tweets 3 min read
Back in January of this year I found that @Okta's multi-account @awscloud integration had overly excessive permissions. Specifically, sts:AssumeRole for resource *. It's been nearly 6 months since I reported this to Okta, so I'm describing this publicly. 1/13

The problem with this is that this permission allows the IAM user to assume any role in the account the user is in, as well as any role that the account's root ARN is allowed to assume. In practice this means that the IAM user can trivially gain unrestricted permissions. 2/13
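As an added illustration (not from the thread or from Okta), the shape of the over-broad `sts:AssumeRole` statement described above beside a scoped-down one, with a small checker a defender can run over IAM policy documents; the account IDs and role names are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed example of the over-broad statement from the thread:
# sts:AssumeRole allowed on every resource.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
    ],
}

# Constructed scoped-down alternative: only the specific roles the
# integration needs (account IDs and role names are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::111111111111:role/IdP-ReadOnly",
                "arn:aws:iam::222222222222:role/IdP-ReadOnly",
            ],
        }
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def find_wildcard_assume_role(policy):
    """Return indexes of Allow statements granting sts:AssumeRole on a wildcard resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns such as "sts:*" or "*" also cover AssumeRole.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        # "*" or any ARN ending in ":role/*" means every role, not a specific one.
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append(idx)
    return findings


if __name__ == "__main__":
    for name, pol in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcard_assume_role(pol))
```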