Prevent Remote Code Execution with Private Endpoints – Aviata Solo Flight Challenge Chapter 2

  • Thursday, 16 May 2024 10:00AM EDT (16 May 2024 14:00 UTC)
  • Speaker: Brandon Evans

As demonstrated in the last workshop in the Aviata Cloud series, public cloud resources pose a major risk. One mitigation, Private Endpoints, allows users and workloads to connect to cloud services without internet access. This allows cloud administrators to isolate workloads from the world while enabling them to continue using the cloud services they need. They can also be used to prevent access to sensitive data in cloud services if the request did not originate from the private network.
Without internet access, it should not be possible to exfiltrate private data or perform Remote Code Execution (RCE). Unfortunately, attackers can leverage improperly configured private endpoints to do both. By creating their own publicly accessible cloud resources, attackers can trick workloads into downloading malicious code and exfiltrate data without a single packet leaving the cloud network.

In this workshop, we will analyze a real cloud application powered by AWS Lambda, exfiltrate data with an RCE executed through a supply-chain attack, and escalate privileges using AWS IAM credentials. We will then lock down the Lambda to a private network with private endpoints and prevent these IAM credentials from being used externally. Next, we will then demonstrate that this configuration is still vulnerable to this attack. Finally, we will lock down the private endpoint policy to block the attack altogether.

This workshop was inspired by the CloudSecNext Summit 2021 talk: "Exfiltration Paths in Isolated Environments using VPC Endpoints" by Jonathan Adler. You can watch it here in preparation for the workshop: https://www.youtube.com/watch?v=mFK-GksgopI

Each monthly workshop in the series is independent of the others. There are no technical or educational dependencies from one to the others.

Who Should Attend

This workshop is ideal for cloud security professionals, network engineers, and system administrators who are tasked with implementing and managing cloud security controls.

Learning Objectives

  • Setup two sandbox AWS accounts

  • See firsthand how private endpoints can be used to prevent cloud credential theft

  • Prove that a misconfigured endpoint policy can enable data exfiltration

  • Implement a proper endpoint policy to block exfiltration via AWS services

  • Exploit a supply-chain attack to perform Remote Code Execution without internet access

  • Analyze how a supply-chain attack can enable bad actors to exfiltrate data from compute instances, including AWS Lambda functions

  • Use exfiltrated cloud credentials to escalate privileges for other AWS services

  • Isolate the Lambda in a private VPC and use private endpoints to enable legitimate access to AWS services

  • Block access to data in AWS services from outside of the private VPC

  • Prove that a misconfigured endpoint policy can enable data exfiltration from an isolated environment using AWS services

  • Implement a proper endpoint policy to block exfiltration using AWS services.

Please scroll down for prerequisites and laptop requirements.

Aviata Cloud Solo Flight Challenge Chapter 2

System Requirements

1 . Accounts and Keys

  • Two AWS Accounts - one for attack and one for detect (Yes, TWO separate accounts are needed.)
  • Need AWS accounts? Create a free tier account with root access at https://aws.amazon.com/free/
  • Ability to run Terraform locally to configure the first account
  • A set of IAM Access Keys for the first account to enable the Terraform deployment

2. Local Device

  • A modern, up-to-date web browser
  • Access to a Bash terminal
    • this will automatically be available for Linux and Mac workstations
    • for Windows, two options are Windows Subsystem for Linux or Git for Windows
  • Install the Git CLI if not already available (it comes bundled with Git for Windows)
  • Install the Terraform Command-Line Interface (CLI)

Prerequisite Knowledge

  • Comfortability with the Bash Command Line
  • Basic Knowledge of the AWS Console
  • Basic Knowledge of AWS Networking and IAM

This workshop supports content and knowledge from SEC510: Cloud Security Controls and Mitigations.

Future Workshops

Follow the Aviata Cloud Solo Flight Challenge Workshop Series throughout 2024 with free monthly cloud security workshops that will walk you through how various knowledge and hands-on skills work together to create a secure cloud environment for your organization. Read the associated blog post here.