SaaSpocalypse
The Complexity and Power of AWS Cross-Account Access
arn:aws:iam:sa-east-1:*:user/AlexandreSieira
● Founder @ Tenchi Security
● Cloud Security Posture Chiropractor (h/t @swagitda_)
● Previously:
● Manager of the Product Management Team for the
MSS Detect Portfolio @ Verizon
● Co-Founder and CTO @ Niddel
● Co-Founder and CTO @ CIPHER Security
● São Paulo, Brazil 🇧🇷
sts:GetCallerIdentity
asieira@tenchisecurity.com
@AlexandreSieira
Motivation
Why should you care?
https://attack.mitre.org/techniques/T1199/
● AWS accounts are self-contained entities with
resources, identities and policies.
● Some resources can be shared with other accounts
or publicly: S3 buckets, EBS snapshots and EC2
AMIs are common examples.
○ https://github.com/SummitRoute/aws_exposable_resources by Scott Piper
● Most operations require an identity with privileges,
so that’s what SaaS vendors will use.
AWS IAM Overview
Identities and Resources
Theme song of people that do all
their work logged in as root…
AWS IAM Overview
Assuming Roles
● Root and IAM user credentials last indefinitely.
● AWS Security Token Service (STS) generates
temporary credentials from roles.
● Roles have three key settings:
○ Trust policy – who can assume the role.
○ Permissions policy – what privileges this
role has.
○ Maximum session duration.
● The trust policy is not enough: the caller also needs
privileges for the sts:AssumeRole action.
Cross Account Access
Option 1: Stored Credentials
Customer
● Creates an IAM user:
○ Identity policy assigns privileges
needed by SaaS / MSP.
○ Creates long-lived access keys.
● Sends credentials to SaaS / MSP via a
trusted channel.
SaaS / MSP
● Gives workers access to IAM user
credentials to perform necessary API
calls on customer account.
State stored:
● IAM long-lived credentials (access key
ID, secret access key).
Cross Account Access
Option 1: Stored Credentials
SaaS / MSP
● Gives workers access to IAM user
credentials to perform necessary API
calls on customer account.
State stored:
● IAM long-lived credentials (access key
ID, secret access key).
SECRET!!!
Cross Account Access
Option 2: naïve cross-account access
Customer
● Creates a cross-account access role:
○ Trust policy allows SaaS / MSP
account ID to assume it.
○ Permissions policy assigns
privileges needed by SaaS / MSP.
SaaS / MSP
● Grants workers sts:AssumeRole
privileges on the customer role.
● Uses temporary credentials to perform
necessary API calls on customer
account.
State stored:
● Customer role ARN
(arn:aws:iam::account-id:role/role-name-with-path)
Cross Account Access
Option 2: naïve cross-account access
SaaS / MSP
● Grants workers sts:AssumeRole
privileges on the customer role.
● Uses temporary credentials to perform
necessary API calls on customer
account.
State stored:
● Customer role ARN
(arn:aws:iam::account-id:role/role-name-with-path)
NOT A SECRET!!!
Cross Account Access
Confused Deputy Problem
● Prerequisites:
○ Attacker obtains the account ID of the target.
○ Customer has naïve cross-account access to SaaS / MSP.
● Attack:
1. Attacker on-boards target account on SaaS / MSP
claiming to own it.
2. SaaS / MSP accesses target account through cross-
account access.
3. Attacker obtains information or functionality intended
exclusively for target via SaaS / MSP.
Cross Account Access
External ID
Cross Account Access
Option 3: External ID as Proof of Ownership
SaaS / MSP
● Assigns unique external ID to
customer and ensures it is required in
the trust policy.
● Grants workers access to external ID
and sts:AssumeRole privileges to the
customer role.
State stored:
● Customer role ARN.
● External ID.
Customer
● Creates a cross-account access role:
○ Trust policy allows SaaS / MSP
account ID to assume it if correct
external ID is provided.
○ Permissions policy assigns
privileges needed by SaaS / MSP.
Cross Account Access
Option 3: External ID as Proof of Ownership
SaaS / MSP
● Assigns unique external ID to
customer and ensures it is required in
the trust policy.
● Grants workers access to external ID
and sts:AssumeRole privileges to the
customer role.
State stored:
● Customer role ARN.
● External ID.
STILL NO SECRETS!!!
Cross Account Access
                               Correct external ID passed to sts:AssumeRole?
Role requires external ID?       Yes        No
No                               ✅         ✅
Yes                              ✅         🛑
A role without the condition accepts any external ID (or none), so a successful AssumeRole alone does not tell the vendor whether the customer actually enforced it.
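An offline model of the table above, added here as an example (not code from the talk): it evaluates the Option 2 and Option 3 trust policies the way STS does for the sts:ExternalId condition, walks the confused-deputy case, and implements the vendor-side check from the recommendations ("ensure customers correctly implemented the trust policy"). Account IDs and the external ID are constructed; the evaluator is a deliberate subset of IAM (Allow statements for sts:AssumeRole with AWS account principals and an optional StringEquals condition).

```python
"""Subset model of STS trust-policy evaluation for cross-account AssumeRole.

Added example; the evaluator only understands Allow statements for
sts:AssumeRole with AWS account principals and an optional StringEquals
condition on sts:ExternalId. All identifiers below are constructed.
"""
import json
from typing import Optional

VENDOR_ACCOUNT = "111111111111"          # constructed: the SaaS / MSP account
ATTACKER_ACCOUNT = "222222222222"        # constructed: an unrelated account
CUSTOMER_EXTERNAL_ID = "cust-7f3a9c1e"   # constructed: assigned by the vendor back-end

# Option 2: the customer lets the vendor account assume the role, no condition.
NAIVE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# Option 3: same principal, but only when this customer's external ID is passed.
EXTERNAL_ID_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "cust-7f3a9c1e"}}
  }]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_account(principal: str) -> str:
    # "arn:aws:iam::111111111111:root" -> "111111111111"; bare account IDs pass through.
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def assume_role_allowed(trust_policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """True if this subset of STS would let caller_account assume the role.

    Without an sts:ExternalId condition the call succeeds whether or not an
    external ID is passed; with it, only the matching external ID succeeds.
    """
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" not in principals and caller_account not in map(_principal_account, principals):
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id not in _as_list(expected):
            continue
        return True
    return False


def decision_table(trust_policy: dict) -> dict:
    """One row of the slide's table: the vendor calling with the right ID and with none."""
    return {
        "correct_external_id": assume_role_allowed(trust_policy, VENDOR_ACCOUNT, CUSTOMER_EXTERNAL_ID),
        "no_external_id": assume_role_allowed(trust_policy, VENDOR_ACCOUNT, None),
    }


def confused_deputy_succeeds(trust_policy: dict, attacker_tenant_external_id: str) -> bool:
    """The attacker onboards the customer's role ARN under their own vendor tenant.
    The vendor then calls AssumeRole from its own account, passing the external ID
    it assigned to the attacker's tenant, not the customer's."""
    return assume_role_allowed(trust_policy, VENDOR_ACCOUNT, attacker_tenant_external_id)


def trust_policy_enforces_external_id(trust_policy: dict, external_id: str) -> bool:
    """Vendor-side onboarding check: the role must accept the assigned external ID
    AND refuse a different one. A role that accepts both was created without the
    condition, which a plain "AssumeRole succeeded" test never reveals."""
    accepts_correct = assume_role_allowed(trust_policy, VENDOR_ACCOUNT, external_id)
    accepts_wrong = assume_role_allowed(trust_policy, VENDOR_ACCOUNT, "not-" + external_id)
    return accepts_correct and not accepts_wrong
```

Against a real account the same two-call check is done with sts:AssumeRole, expecting success with the assigned external ID and AccessDenied with any other.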
Cross Account Access
Vendor Worker Privileges
Cross Account Access
SCP Fail
Cross Account Access
CloudTrail is Your Friend
Cross Account Access
Incorrect Implementations
● Kesten Broughton from Praetorian published amazing
research on this: https://bit.ly/xacct_assume_role
● Out of 200 vendors tested:
○ 50% only work with IAM user credentials;
○ 50% use assumed roles, and of those:
■ 98% don’t check whether customers actually
added external ID as a condition on the trust
policy.
■ 37% allow use of arbitrary external IDs on the
UI.
■ 15% unwittingly allow use of arbitrary external
IDs through various other means.
@kestenb
Cross Account Access
PRIVILEGES
Cross Account Access
Recommendations for Customers
● Prior and regular review of new 3rd
party access to AWS accounts:
○ Ensure business need and least
privilege.
○ Use CloudSplaining
(https://github.com/salesforce/cloudsplaining) by Kinnaird McQuade.
○ Use Parliament
(https://github.com/duo-labs/parliament) by Scott Piper.
● Monitor using CloudTrail.
Cross Account Access
Recommendations for SaaS / MSP
● Minimize privileges asked of customers.
● Impose unique external IDs chosen by
your back-end (random UUIDs are also an
option).
● Ensure customers correctly
implemented the trust policy.
● Use CloudFormation to automate
customer setup.
● Limit attack surface and blast radius at
the account customers trust.
● Monitor using CloudTrail.
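One way to act on "Monitor using CloudTrail" from the customer side, added here as an example (not from the talk): a small detection over AssumeRole records for the third-party roles in an account. The records are constructed to follow the shape of CloudTrail's sts.amazonaws.com AssumeRole events (userIdentity.accountId, requestParameters.roleArn/externalId, errorCode); account IDs, role names and times are made up, and denied attempts may only be visible in the caller's own trail, so the logic simply runs over whichever records you collect.

```python
"""Detection over CloudTrail AssumeRole records for vendor (third-party) roles.

Added example with constructed records. Three things are worth a look from
the customer side:
  1. an AssumeRole on a vendor role from an account that is not that vendor;
  2. the vendor being denied (wrong or missing external ID: either the vendor
     misconfigured the tenant or someone onboarded this account elsewhere);
  3. the vendor succeeding WITHOUT an external ID, which means the trust
     policy on this role does not enforce one.
"""
import json
from typing import Dict, List

# Constructed inventory: which vendor account may assume each third-party role.
VENDOR_ROLES: Dict[str, str] = {
    "arn:aws:iam::333333333333:role/VendorAccessRole": "111111111111",
}

ROLE = "arn:aws:iam::333333333333:role/VendorAccessRole"
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
  {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2020-05-01T12:00:00Z",
   "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
   "requestParameters": {"roleArn": "%s", "roleSessionName": "vendor-worker-7", "externalId": "cust-7f3a9c1e"}},
  {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2020-05-01T12:05:00Z",
   "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
   "requestParameters": {"roleArn": "%s", "roleSessionName": "vendor-worker-7", "externalId": "cust-0000dead"},
   "errorCode": "AccessDenied"},
  {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2020-05-01T12:07:00Z",
   "userIdentity": {"type": "AWSAccount", "accountId": "222222222222"},
   "requestParameters": {"roleArn": "%s", "roleSessionName": "sess"},
   "errorCode": "AccessDenied"},
  {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2020-05-01T12:09:00Z",
   "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
   "requestParameters": {"roleArn": "%s", "roleSessionName": "vendor-worker-9"}},
  {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventTime": "2020-05-01T12:10:00Z",
   "userIdentity": {"type": "AssumedRole", "accountId": "333333333333"},
   "requestParameters": {}}
]}
""" % (ROLE, ROLE, ROLE, ROLE))


def analyze_assume_role_events(records: List[dict], vendor_roles: Dict[str, str]) -> List[dict]:
    """Return one finding per suspicious AssumeRole record on a tracked vendor role."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        role_arn = params.get("roleArn")
        if role_arn not in vendor_roles:
            continue  # not a third-party role we track
        caller = (rec.get("userIdentity") or {}).get("accountId")
        denied = "errorCode" in rec
        external_id = params.get("externalId")
        reason = None
        if caller != vendor_roles[role_arn]:
            reason = "unexpected caller account"
        elif denied:
            reason = "vendor denied"
        elif external_id is None:
            reason = "succeeded without external id"
        if reason:
            findings.append({"time": rec.get("eventTime"), "role": role_arn, "caller": caller,
                             "external_id": external_id, "denied": denied, "reason": reason})
    return findings
```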
Questions?
asieira@tenchisecurity.com
@AlexandreSieira


Editor's Notes

  1. Migration to the cloud at a frantic pace. SaaS has great business benefits: easier to scale and manage on the vendor's side; easier to set up (often self-service) and maintain for customers. IT management, CSPM, “single pane of glass”, IdP, backup and more. Concentrates risk on vendors.
  2. Azure is different (AD tenant, assign permissions to several subscriptions).
  3. Credentials are secret and can be leaked anywhere they are used. Credentials need to be rotated regularly; mass rotation if leaked.
  4. ***HOW MANY CUSTOMERS