Amazon Web Services APIs could be exploited to steal user data

Get a free Techzine subscription!

Attackers can abuse APIs to leak user identities and Access Management info.

Unit 42 researchers have discovered a class of Amazon Web Services (AWS) APIs that are vulnerable to abuse. The abuse by attackers could leak the AWS Identity and Access Management (IAM) users and roles in arbitrary accounts.

Researchers confirmed that malefactors could abuse 22 APIs across 16 different AWS services the same way. Moreover, the exploit works across all three AWS partitions (aws, aws-us-gov or aws-cn).

Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS) and Amazon Simple Queue Service (SQS) are among the AWS services that attackers can abuse this way.

How attackers can use the exploit

It starts when a malicious actor may obtain the roster of an account. Once the attacker has the roster, they can learn the organization’s internal structure and launch targeted attacks against individuals.

In a recent Red Team exercise, Unit 42 researchers compromised a customer’s cloud account with thousands of workloads. They did this using a misconfigured IAM role identified by this technique.

The root cause of the issue is that the AWS backend proactively validates all the resource-based policies attached to resources such as Amazon Simple Storage Service (S3) buckets and customer-managed keys.

Resource-based policies usually include a Principal field that specifies the identities (users or roles) allowed to access the resource. If the policy contains a nonexistent identity, the API call that creates or updates the policy will fail with an error message.

Resource-based policies provide an entry point

The error message feature is very convenient. However, attackers can abuse this feature to check whether an identity exists in an AWS account. Hackers can invoke these APIs repeatedly, using different principals to identify the users and roles in a targeted account.

To make matters worse, the targeted account can’t observe this user and role enumeration. This is because the API logs and error messages only appear in the account the hackers used to manipulate the resource policies.

The “stealthy” property of the hacking technique makes detection and prevention difficult, according to Unit 42. Attackers can take as much time as they need to perform reconnaissance on random or targeted AWS accounts without worrying that an admin will notice.

Tip: AWS emphasises the importance of a Well Architected Framework