MoinQ:

1. DNS/ManagedDNS/awsdns/darkreading/blackhat/2

について、ここに記述してください。

https://www.blackhat.com/us-21/briefings/schedule/#breaking-the-isolation-cross-account-aws-vulnerabilities-22945

参考: https://www.youtube.com/watch?v=bNTex3TgWTU

1.1. Breaking the Isolation: Cross-Account AWS Vulnerabilities

Multiple AWS services were found to be vulnerable to a new cross-account vulnerability class.

An attacker could manipulate various services in AWS and cause them to perform actions on other clients' resources due to unsafe identity policies used by AWS services to access clients' resources. The vulnerabilities have been proven on three major AWS services (AWS Config, Cloudtrail, and Serverless Repository) and have allowed a potential attacker to write and read certain objects from private S3 buckets.

In this presentation, we will review the discovered vulnerabilities and explain their root cause. We will show how an attacker can perform actions on any account in AWS using these services via the discovered cross-account vulnerability. We believe this is a new class of vulnerabilities that may affect many other services in AWS because the tenant scope is implicitly defined in AWS IAM policies, causing services that allow multi-tenant access to perform unintended actions.

While reporting and working with the AWS security team on resolving these issues, we concluded that the process of updating IAM-related vulnerabilities is sub-optimal. Although AWS acted very quickly to fix the issues, the cloud provider relies on customers to perform the IAM policy updates, which often does not happen. IAM vulnerabilities are not tracked by NIST, do not have a CVE, and do not have scanning tools that provide IAM vulnerability scanning results. The result is that most customers are running with vulnerable IAM policies and have no process to fix them. Furthermore, we discovered that AWS issues hundreds of security updates to its IAM policies, but security teams lack tools to scan for them and prioritize fixing them. It is vital to raise the community awareness of the issue of IAM CVEs because identity-related vulnerabilities are a key attack surface in cloud environments.

We will review the specific mitigations provided to the IAM vulnerabilities we found and discuss the current gaps in the way the vulnerability management process for IAM is handled today.

MoinQ: DNS/ManagedDNS/awsdns/Darkreading/blackhat/2 (last edited 2021-07-08 19:58:58 by ToshinoriMaeno)