Prevent Remote Code Execution with Private Endpoints – Aviata Solo Flight Challenge Chapter 2

  • Thursday, 16 May 2024 10:00AM EDT (16 May 2024 14:00 UTC)
  • Speaker: Brandon Evans

As demonstrated in the last workshop in the Aviata Cloud series, publicly reachable cloud resources pose a major risk. One mitigation, Private Endpoints, allows users and workloads to connect to cloud services without internet access. This lets cloud administrators isolate workloads from the world while allowing them to keep using the cloud services they need. Combined with resource policies, private endpoints can also be used to deny access to sensitive data in cloud services when a request did not originate from the private network.
Without internet access, it should not be possible to exfiltrate private data or perform Remote Code Execution (RCE). Unfortunately, attackers can abuse improperly configured private endpoints to do both. An endpoint is a path to the cloud provider's service, not to one particular account: if its policy allows access to any resource, a workload can reach resources the attacker owns just as easily as its own. By creating publicly accessible cloud resources in their own accounts, attackers can trick workloads into downloading malicious code and exfiltrate data without a single packet leaving the cloud network.

In this workshop, we will analyze a real cloud application powered by AWS Lambda, exfiltrate data with an RCE obtained through a supply-chain attack, and escalate privileges using the Lambda's AWS IAM credentials. We will then lock the Lambda down to a private network with private endpoints and prevent those IAM credentials from being used from outside it. Next, we will demonstrate that this configuration is still vulnerable to the attack. Finally, we will lock down the private endpoint policy to block the attack altogether.
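The weak and hardened endpoint policies described above, shown side by side as an added Terraform example. This is not code from the workshop materials; S3 is used only as an illustrative service, since the page does not name the service the lab targets. The resource names aws_vpc.main, aws_route_table.private, aws_s3_bucket.data and the variables region and admin_role_arn are assumptions, not names from the workshop.

```hcl
# Added example (not from the workshop). Names marked ASSUMED are placeholders.
data "aws_caller_identity" "current" {}

variable "region"         { type = string } # ASSUMED
variable "admin_role_arn" { type = string } # ASSUMED: role Terraform and admins use

# Gateway endpoint that lets a Lambda in a VPC with no internet access reach S3.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id             # ASSUMED: aws_vpc.main
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id] # ASSUMED: aws_route_table.private

  # WEAK (equivalent to the default when no policy is attached): any principal may
  # reach any bucket in any account through the endpoint. A workload compromised
  # via RCE can therefore PutObject into an attacker-owned bucket, or GetObject a
  # malicious payload from it, without a packet ever leaving the AWS network.
  #
  # policy = jsonencode({
  #   Version   = "2012-10-17"
  #   Statement = [{ Effect = "Allow", Principal = "*", Action = "*", Resource = "*" }]
  # })

  # HARDENED: only buckets owned by this account are reachable. aws:ResourceAccount
  # is evaluated against the owner of the target bucket, so the attacker's bucket
  # fails the condition no matter what the stolen credentials are permitted to do.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyBucketsInThisAccount"
      Effect    = "Allow"
      Principal = "*"
      Action    = "s3:*"
      Resource  = "*"
      Condition = {
        StringEquals = {
          "aws:ResourceAccount" = data.aws_caller_identity.current.account_id
        }
      }
    }]
  })
}

# Companion bucket policy: the account's own data is denied unless the request came
# through the endpoint, so IAM credentials exfiltrated from the Lambda are useless
# from outside the VPC. Both keys in StringNotEquals must mismatch for the Deny to
# apply, which carves out the admin role; without that carve-out the next
# `terraform apply` from a laptop would be denied as well.
resource "aws_s3_bucket_policy" "data_only_via_endpoint" {
  bucket = aws_s3_bucket.data.id # ASSUMED: aws_s3_bucket.data

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromPrivateEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.data.arn,
        "${aws_s3_bucket.data.arn}/*",
      ]
      Condition = {
        StringNotEquals = {
          "aws:SourceVpce"   = aws_vpc_endpoint.s3.id
          "aws:PrincipalArn" = var.admin_role_arn
        }
      }
    }]
  })
}
```

The bucket policy alone is the "still vulnerable" state: it protects the account's data from external use of stolen credentials, but says nothing about where the workload may send data. The endpoint policy condition is what closes the exfiltration path, and it works regardless of which identity the attacker is running as inside the Lambda. In a multi-account organization, aws:ResourceOrgID can replace aws:ResourceAccount to allow the organization's buckets while still excluding an attacker's account.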

This workshop was inspired by the CloudSecNext Summit 2021 talk: "Exfiltration Paths in Isolated Environments using VPC Endpoints" by Jonathan Adler. You can watch it here in preparation for the workshop: https://www.youtube.com/watch?v=mFK-GksgopI

Requirements to complete this lab:

1. Accounts and Keys

  • Two AWS accounts: one for the attack and one for detection (yes, TWO separate accounts are needed)

  • Need AWS accounts? Create a free tier account with root access at https://aws.amazon.com/free/

  • Ability to run Terraform locally to configure the first account

  • A set of IAM Access Keys for the first account to enable the Terraform deployment

2. Local Device

  • A modern, up-to-date web browser

  • Access to a Bash terminal

    • available by default on Linux and macOS workstations

    • for Windows, two options are Windows Subsystem for Linux or Git for Windows

  • Install the Git CLI if not already available (it comes bundled with Git for Windows)

  • Install the Terraform Command-Line Interface (CLI)

Each monthly workshop in the series is independent of the others. There are no technical or educational dependencies from one to the others.

Learning Objectives:

  • Set up two sandbox AWS accounts

  • See firsthand how private endpoints can be used to prevent cloud credential theft

  • Prove that a misconfigured endpoint policy can enable data exfiltration from an isolated environment using AWS services

  • Implement a proper endpoint policy to block exfiltration via AWS services

  • Exploit a supply-chain attack to perform Remote Code Execution without internet access

  • Analyze how a supply-chain attack can enable bad actors to exfiltrate data from compute instances, including AWS Lambda functions

  • Use exfiltrated cloud credentials to escalate privileges for other AWS services

  • Isolate the Lambda in a private VPC and use private endpoints to enable legitimate access to AWS services

  • Block access to data in AWS services from outside of the private VPC

Prerequisite Knowledge

  • Comfort with the Bash command line

  • Basic Knowledge of the AWS Console

  • Basic Knowledge of AWS Networking and IAM

This workshop supports content and knowledge from SEC510: Cloud Security Controls and Mitigations.

Follow the Aviata Cloud Solo Flight Challenge Workshop Series throughout 2024 with free monthly cloud security workshops that will walk you through how various knowledge and hands-on skills work together to create a secure cloud environment for your organization. Read the associated blog post here.