AWS Security
n|u - The Open security community
Chennai Meet
Presenter : Vinoth Kumar
Date : 18/03/2017
# About Me
Application security engineer @ Freshdesk
Blogger @ http://www.tutorgeeks.net
Email @ vinothpkumar333@gmail.com
https://null.co.in/profile/294-vinothpkumar
What is AWS
Amazon Web Services (AWS) is a “secure“ cloud services platform, offering compute
power, database storage, content delivery and other functionality to help businesses scale
and grow.
Getting started with AWS
Create an account in AWS and start playing with their services -
https://aws.amazon.com/free/
Valid Credit card is required for account creation.
AWS Services
Amazon Elastic Compute Cloud - EC2
Amazon Simple Storage Service - S3
Amazon Relational Database Service - RDS
Amazon CloudFront - CDN
Why AWS
No need to build your own infrastructure capability - cost saved
No need for extra operations staff - cost saved
Makes industry certifications such as ISO 27001 easier to obtain - less tension :)
Accessing AWS using CLI
The AWS Command Line Interface is a unified tool to manage your AWS services.
Install from PyPI:
pip install awscli
Or install from a source checkout:
cd <path_to_awscli>
python setup.py install
Then store your credentials and defaults. They are written in plaintext to ~/.aws/credentials and ~/.aws/config, so use the keys of an IAM user with the least privilege you need, never the account root keys:
aws configure
AWS Access Key ID: <your access key ID>
AWS Secret Access Key: <your secret access key>
Default region name [us-west-2]: us-west-2
Default output format [None]: json
https://aws.amazon.com/cli/
AWS S3 - Internet's hard drive is down
The S3 service in us-east-1 was down on Feb 28th, 2017. What exactly happened?
Human error - a command meant to remove a small number of S3 servers removed a far larger set, taking down two subsystems (index and placement) that S3 cannot serve requests without.
The S3 outage cascaded to other AWS services that depend on S3, such as ELB, IoT and even the AWS status dashboard.
EC2 Instance IP disclosure
1. Send a GET request to example.com (intercept it in a proxy such as Burp).
2. Change the HTTP version from 1.1 to 1.0.
3. Remove the Host header (HTTP/1.0 doesn't require one. Source - The Web Application Hacker's Handbook).
4. Change the path to a traversal such as GET /.. and forward the request.
5. Observe the server's IP being disclosed in the Location header of the redirect: with no Host header to copy, the server builds the absolute redirect URL from its own address.
The address leaked this way is the origin instance's, so an attacker can talk to it directly and bypass whatever sits in front of it (ELB, CloudFront, WAF) unless its security group only admits traffic from those layers.
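The five steps above, automated in Python as an added example (this is not code from the slides): build_probe sends the HTTP/1.0 request without a Host header, leaked_ips pulls IPv4 literals out of any Location header in the reply, and probe runs the check against a live host. The function names and the sample response are my own constructions.

```python
"""Automates the EC2 IP disclosure check: an HTTP/1.0 request with no Host
header, a traversal-style path, and a look at the Location header of the reply.
Added example, not from the slides."""
import re
import socket
import ssl
from typing import List

# An IPv4 literal anywhere inside a header value.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_probe(path: str = "/..") -> bytes:
    """Steps 2-4 of the slide: HTTP/1.0, traversal path, and deliberately no Host header."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        "User-Agent: ip-disclosure-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def leaked_ips(raw_response: bytes) -> List[str]:
    """Step 5: IPv4 addresses found in any Location header of a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            found.extend(IPV4.findall(value))
    return found


def probe(host: str, port: int = 443, path: str = "/..", timeout: float = 5.0) -> List[str]:
    """Send the probe to a live host you are authorised to test and report leaked IPs.
    TLS is used on port 443 (SNI still carries the hostname; the HTTP layer does not)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 443:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe(path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return leaked_ips(b"".join(chunks))


# Constructed sample reply (not captured from any real host) showing the leak:
# the server rebuilt the redirect URL from its own address because no Host was sent.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache\r\n"
    b"Location: http://10.0.12.34/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("leaked:", leaked_ips(SAMPLE_RESPONSE))
    # Live use against an in-scope target: print(probe("example.com"))
```

A private address in the reply still tells you the host sits behind a load balancer or reverse proxy; a public address is the one to compare against the CDN or ELB front end to see whether the origin is reachable directly.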
S3 Bucket Misconfiguration
"bucketname.s3-ap-southeast-1.amazonaws.com"
Vulnerability : "Write access to any AWS Authenticated user" - the bucket ACL granted WRITE to the AuthenticatedUsers group, which means any AWS account in the world, not just accounts belonging to the bucket owner.
Vinoth:~ vinoth$ aws s3 mv malicious.bat s3://bucketname
move: ./malicious.bat to s3://bucketname/malicious.bat
The issue has been reported and it is fixed. The same upload now fails:
Vinoth:~ vinoth$ aws s3 mv demo.txt s3://bucketname
move failed: ./demo.txt to s3://bucketname/demo.txt An error occurred (AccessDenied) when calling the PutObject
operation: Access Denied
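To find this misconfiguration on your own buckets rather than by trial upload, here is an added example (not the slide author's code) that audits a bucket ACL for grants to the AllUsers and AuthenticatedUsers groups. The ACL shape is the one boto3's get_bucket_acl() returns; the function names, severity labels and sample ACL are my own.

```python
"""Audits an S3 bucket ACL for grants to the two global groups that make a bucket
world-accessible. Added example, not from the slides; function names, severity
labels and the sample ACL are mine. The ACL shape is the one boto3's
get_bucket_acl() returns."""
from typing import Dict, List

# The only two grantees that mean "people outside this account".
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Permissions that let an outsider change content or change the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl: Dict) -> List[str]:
    """One finding per ACL grant that reaches beyond the owning account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                              # canonical users are explicit, not public
        who = GLOBAL_GROUPS.get(grantee.get("URI", ""))
        if who is None:
            continue                              # e.g. the s3/LogDelivery group
        perm = grant["Permission"]
        severity = "HIGH" if perm in WRITE_LIKE else "MEDIUM"
        findings.append(f"{severity}: {perm} granted to {who}")
    return findings


def audit_bucket(bucket: str) -> List[str]:
    """Live check; needs credentials allowed to call s3:GetBucketAcl on the bucket."""
    import boto3                                  # imported here so the offline demo needs no boto3
    return risky_grants(boto3.client("s3").get_bucket_acl(Bucket=bucket))


# Constructed ACL in the shape of a get_bucket_acl() response; the canonical ID is a placeholder.
SAMPLE_ACL = {
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},                  # the slide's bug: any AWS account may upload
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},                   # anonymous listing of the bucket
    ],
}

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_ACL):
        print(finding)
```

The remediation is to reset the ACL to owner-only with `aws s3api put-bucket-acl --bucket bucketname --acl private` (S3 Block Public Access, which AWS added in 2018, after this talk, rejects such grants account-wide). When proving the bug to a bucket owner, prefer `aws s3 cp` with a harmless file such as demo.txt: `aws s3 mv` deletes your local copy on success, and leaving a file named malicious.bat in someone else's bucket is not a good look in a report.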
S3 Bucket - Subdomain takeover
Enumerate the subdomains. It's not so difficult to hit this command - knockpy example.com
Keep an eye out for the following error while browsing the subdomains - "NoSuchBucket" / "The specified bucket does not exist" (the XML error S3 returns for a bucket name nobody owns).
Investigate the subdomain - dig / nslookup subdomain.example.com
subdomain.example.com CNAME "bucketname.s3.amazonaws.com"
The DNS record still points at S3, but the bucket it names has been deleted. Create a bucket with exactly that name in your own AWS account and host your subdomain takeover page in it.
Now "subdomain.example.com" will show your hosted page, served under the target's own domain name with all the trust that implies.
Defensive fix: remove the CNAME before (or when) the bucket is deleted; the dangling record is the whole bug.
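The detection half of the procedure above (CNAME to an S3 endpoint plus a NoSuchBucket response), written up as an added example that is not part of the slides. The regex for S3 endpoint hostnames, the function names and the sample error body are mine; the live helpers shell out to dig and use urllib, and should only be pointed at targets you are authorised to test.

```python
"""Spots S3 subdomain-takeover candidates: a hostname whose CNAME points at an S3
endpoint for a bucket that no longer exists. Added example, not from the slides;
the regex, function names and sample data are mine."""
import re
import subprocess
import urllib.error
import urllib.request
from typing import Optional

# Virtual-hosted S3 endpoints: bucket.s3.amazonaws.com, bucket.s3-ap-southeast-1.amazonaws.com,
# bucket.s3.eu-west-1.amazonaws.com and the s3-website variants.
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]*)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def s3_bucket_from_cname(cname: str) -> Optional[str]:
    """Bucket name implied by an S3 CNAME target, or None if the target is not S3."""
    m = S3_ENDPOINT.match(cname.strip())
    return m.group("bucket") if m else None


def looks_unclaimed(body: str) -> bool:
    """S3 answers requests for a bucket nobody owns with a NoSuchBucket XML error."""
    return "<Code>NoSuchBucket</Code>" in body


def classify(host: str, cname: Optional[str], body: str) -> str:
    """Combine the DNS and HTTP evidence into one verdict line."""
    bucket = s3_bucket_from_cname(cname) if cname else None
    if bucket is None:
        return f"not an S3 CNAME: {host}"
    if looks_unclaimed(body):
        return f"TAKEOVER CANDIDATE: {host} -> unclaimed bucket '{bucket}'"
    return f"ok: {host} -> bucket '{bucket}' exists"


# --- live helpers (network; only against targets you are authorised to test) ---

def cname_of(host: str) -> Optional[str]:
    """First CNAME target from `dig +short`, or None if the name has no CNAME."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, check=False).stdout
    return out.split()[0] if out.strip() else None


def fetch_body(host: str) -> str:
    """GET http://host/ and return the body even when S3 replies 404."""
    req = urllib.request.Request(f"http://{host}/", headers={"User-Agent": "takeover-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # the 404 NoSuchBucket reply lands here
        return e.read().decode("utf-8", "replace")


def check(host: str) -> str:
    return classify(host, cname_of(host), fetch_body(host))


# Constructed S3 error body, shaped like the real one (not captured from any real target).
SAMPLE_NOSUCHBUCKET = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>"
    "<BucketName>bucketname</BucketName></Error>"
)

if __name__ == "__main__":
    print(classify("subdomain.example.com", "bucketname.s3.amazonaws.com", SAMPLE_NOSUCHBUCKET))
    # Live use: print(check("subdomain.example.com"))
```

Feed it the hostnames knockpy produced and only the "TAKEOVER CANDIDATE" lines need a human look; a CNAME to S3 with a 403 or a real page means the bucket is still owned by someone.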
Asana - AWS key disclosure
Uploaded a 65000x65000 pixel image as the profile picture.
The S3 upload of the huge image failed and the raw error was returned to the user.
The error message included the AWS access key and secret key used by the backend.
Bounty awarded : 500 USD
https://molico.tomahock.com/lottapixel-my-first-500-bounty-d3e678da1861#.88buoaod6
Takeaways : never echo backend exceptions to users, and prefer IAM roles (temporary credentials) over long-lived keys embedded in application config.
AWS Keys Exposed
Developers hardcode their AWS credentials in source code and push it to GitHub by mistake.
https://gitleaks.com/search?q=AWS
Leaked keys are picked up by scanners within minutes and typically used to spin up EC2 instances for mining; treat any key that has touched a public repo as compromised and rotate it, and never rely on deleting the commit.
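A minimal version of the scan that gitleaks performs, as an added example (not the slide author's code) that can run as a pre-commit hook to stop a key reaching GitHub in the first place. The regexes and function names are mine; the sample config uses the placeholder keys from AWS's own documentation, not live credentials.

```python
"""Scans text for AWS credential patterns so a hardcoded key is caught before
`git push`. Added example, not from the slides; regexes and names are mine, and
the sample config uses AWS's documented example keys, not live ones."""
import re
import sys
from typing import List, Tuple

# Access key IDs: 20 chars. AKIA = long-lived IAM user key, ASIA = temporary STS key.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys: 40 chars of [A-Za-z0-9/+]. On their own they look like any base64 blob,
# so only flag them when a "secret ... key" label sits within a few characters.
SECRET_KEY = re.compile(r"(?i)secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+]{40})\b")


def redact(value: str) -> str:
    """Keep enough of a hit to identify it without reprinting the credential."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """(line number, kind, redacted value) for every hit in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(1))))
    return hits


def scan_files(paths: List[str]) -> int:
    """Print hits for each file; return the hit count (non-zero = block the commit)."""
    total = 0
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in find_aws_credentials(fh.read()):
                print(f"{path}:{lineno}: {kind} {value}")
                total += 1
    return total


# Constructed sample file; the keys are the placeholder values from AWS's own documentation.
SAMPLE_CONFIG = """\
# constructed sample, not a real config
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)   # pre-commit hook style
    for hit in find_aws_credentials(SAMPLE_CONFIG):
        print(hit)
```

Wire it in with a .git/hooks/pre-commit that runs `git diff --cached --name-only | xargs python scan.py` and the commit is refused while a key is staged. The access-key pattern is precise enough to run on everything; the secret-key pattern needs the label context, so a secret pasted without one will slip past, which is why entropy-based scanners exist.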
Murder in the cloud
Code Spaces - their AWS console (root) credentials were compromised.
The attacker demanded a ransom - Code Spaces refused.
When Code Spaces tried to lock the attacker out, the attacker deleted their data: instances, EBS volumes and snapshots, AMIs and S3 buckets.
Unfortunately, their backups were stored in the same AWS account.
Code Spaces was shut down completely. No means of retrieving the data.
Key takeaways : Have offsite backups, in a separate account that the primary account's credentials cannot touch; enable MFA on the root user and don't use it for daily work.
http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
Resources for Learning AWS Security
https://aws.amazon.com/blogs/security/ - Official AWS security blog.
http://flaws.cloud - CTF Challenge to learn AWS security.
https://www.slideshare.net/search/slideshow?searchfrom=header&q=AWS+Security