
Prevent Remote Code Execution with Private Endpoints – Aviata Solo Flight Challenge Chapter 2

  • Thu, May 16, 2024
  • 10:00AM - 12:00PM UTC
  • English
  • Brandon Evans
  • Technical Presentation

As demonstrated in the last workshop in the Aviata Cloud series, public cloud resources pose a major risk. One mitigation, Private Endpoints, allows users and workloads to connect to cloud services without internet access. This lets cloud administrators isolate workloads from the world while enabling them to continue using the cloud services they need. Private endpoints can also be used to block access to sensitive data in cloud services unless the request originates from the private network.
Without internet access, it should not be possible to exfiltrate private data or perform Remote Code Execution (RCE). Unfortunately, attackers can leverage improperly configured private endpoints to do both. By creating their own publicly accessible cloud resources, attackers can trick workloads into downloading malicious code and exfiltrating data without a single packet leaving the cloud network.

In this workshop, we will analyze a real cloud application powered by AWS Lambda, exfiltrate data with an RCE executed through a supply-chain attack, and escalate privileges using AWS IAM credentials. We will then lock down the Lambda to a private network with private endpoints and prevent these IAM credentials from being used externally. Next, we will demonstrate that this configuration is still vulnerable to the attack. Finally, we will lock down the private endpoint policy to block the attack altogether.
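The endpoint-policy weakness the workshop builds on can be illustrated without an AWS account. The following is an added example, not workshop material: it places AWS's default S3 endpoint policy (any principal, any bucket) beside a hardened one that uses the `aws:PrincipalAccount` and `aws:ResourceAccount` condition keys, and runs both through a deliberately simplified evaluator (Allow statements and StringEquals conditions only; real IAM evaluation is richer). The account IDs are placeholders.

```python
# Simplified model of how an S3 VPC endpoint policy gates a request.
# Only Allow statements with StringEquals conditions are modelled.
OUR_ACCOUNT = "111111111111"       # placeholder: account that owns the VPC
ATTACKER_ACCOUNT = "999999999999"  # placeholder: attacker-owned AWS account

# AWS's default endpoint policy: every principal may reach every bucket,
# including buckets in accounts the organisation does not own.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Hardened policy: S3 calls through the endpoint must come from principals in
# our account AND target buckets owned by our account.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnAccountOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:PrincipalAccount": OUR_ACCOUNT,
            "aws:ResourceAccount": OUR_ACCOUNT,
        }},
    }],
}

def _action_matches(pattern, action):
    # Supports "*" and trailing-wildcard patterns such as "s3:*".
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))

def endpoint_allows(policy, action, context):
    """True if any Allow statement matches; otherwise the implicit deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conds.items()):
            return True
    return False

def write_to_attacker_bucket(policy):
    """Workload in our account writes to a bucket in the attacker's account."""
    return endpoint_allows(policy, "s3:PutObject",
        {"aws:PrincipalAccount": OUR_ACCOUNT, "aws:ResourceAccount": ATTACKER_ACCOUNT})

def write_to_own_bucket(policy):
    """Legitimate write from our account to our own bucket."""
    return endpoint_allows(policy, "s3:PutObject",
        {"aws:PrincipalAccount": OUR_ACCOUNT, "aws:ResourceAccount": OUR_ACCOUNT})
```

When applying a policy like the hardened one, inventory the AWS-owned buckets your workloads depend on (package repositories, agent downloads) and add those account IDs to the condition, or legitimate traffic will break along with the exfiltration path.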

This workshop was inspired by the CloudSecNext Summit 2021 talk: "Exfiltration Paths in Isolated Environments using VPC Endpoints" by Jonathan Adler. You can watch it here in preparation for the workshop: https://www.youtube.com/watch?v=mFK-GksgopI

Each monthly workshop in the series is independent of the others. There are no technical or educational dependencies from one to the others.

Who Should Attend

This workshop is ideal for cloud security professionals, network engineers, and system administrators who are tasked with implementing and managing cloud security controls.

Learning Objectives

  • Set up two sandbox AWS accounts

  • See firsthand how private endpoints can be used to prevent cloud credential theft

  • Prove that a misconfigured endpoint policy can enable data exfiltration

  • Implement a proper endpoint policy to block exfiltration via AWS services

  • Exploit a supply-chain attack to perform Remote Code Execution without internet access

  • Analyze how a supply-chain attack can enable bad actors to exfiltrate data from compute instances, including AWS Lambda functions

  • Use exfiltrated cloud credentials to escalate privileges for other AWS services

  • Isolate the Lambda in a private VPC and use private endpoints to enable legitimate access to AWS services

  • Block access to data in AWS services from outside of the private VPC

  • Prove that a misconfigured endpoint policy can enable data exfiltration from an isolated environment using AWS services

  • Implement a proper endpoint policy to block exfiltration using AWS services

Please scroll down for prerequisites and laptop requirements.

Meet the speaker

Brandon Evans

Owner and InfoSec Consultant

Brandon is an independent security consultant and SANS Senior Instructor. He is lead author of SEC510: Cloud Security Controls and Mitigations, GPCS holder #1, a multi-year RSA Conference presenter, and a cloud bug bounty collector.
