AWS APIs can be abused to leak information


UPDATE: An AWS spokesperson told TechRadar Pro, "AWS is aware of the report published by Palo Alto Networks, 'Unit 42 Cloud Threat Report 2H 2020'. AWS's services and infrastructure are not affected by the issues mentioned in the report. While customers do not need to take any specific action to protect themselves against these issues, customers should always configure their access controls in line with our best practices. IAM roles are secure by default. Role permissions should be carefully configured and managed via a combination of IAM principal policies and role trust policies so that roles can be assumed only by appropriate principals. IAM Access Analyzer is a free service that can help to identify misconfigured or overly permissive IAM policies and apply the policy of least privilege permissions to roles and accounts."

New research has discovered that 22 APIs across 16 AWS services could be abused to leak information about AWS users. Unit 42, the threat intelligence team at Palo Alto Networks that discovered the vulnerability, found that the bug could potentially lead to cloud misconfigurations and is difficult to track.

The problem stems from the fact that the AWS backend infrastructure proactively validates resource-based policies, which usually contain a field detailing the identities of individuals allowed to access them. If a policy contains a non-existent identity, the API will respond with an error message.

This particular feature is open to abuse, however, by a rogue agent. By repeatedly invoking these APIs with candidate identities, they can check whether a given identity exists within a target AWS account. Plus, targeted accounts won’t realize that this malicious activity is taking place: the API calls and the resulting error messages are logged only in the attacker's own account, so the target has nothing to observe.

Mitigation strategies

By misusing AWS services in this way, an attacker could potentially discover the names and roles of individuals within a particular AWS account. Once an attacker has acquired the information that he or she needs, targeted attacks could then follow.

“Detecting and preventing identity reconnaissance using this technique is difficult as there are no observable logs in the targeted accounts,” Jay Chen, a Senior Cloud Vulnerability and Exploit Researcher at Palo Alto Networks, explained.

“However, good IAM security hygiene can still effectively mitigate the threats from this type of attack. Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance.”

Some of the techniques that users of vulnerable AWS services can employ include removing inactive users, adding random strings to usernames and role titles to make them more difficult to guess, and logging all identity authentication activities.
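The first of those mitigations, removing inactive users, is easy to automate from the IAM credential report that AWS already produces. The script below is an added example and is not code from the article, from Unit 42 or from AWS: it parses a CSV in the layout of `aws iam get-credential-report` (columns such as `password_last_used` and `access_key_1_last_used_date`), flags users with no recorded activity for 90 days (a threshold chosen here, not one the article specifies) and lists active access keys that have gone unused for the same period. The embedded report, the account ID and the user names are constructed for the example.

```python
"""Flag idle IAM users and stale access keys from a credential report.

Added example (not from the article, Unit 42 or AWS). It assumes the CSV
layout of `aws iam get-credential-report`; the sample below is constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential-report layout (subset of columns).
# Account ID 123456789012 and the user names are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-05T10:00:00+00:00,not_supported,2020-11-20T08:15:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-01T09:00:00+00:00,true,2020-12-01T14:30:00+00:00,true,2020-11-30T07:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-06-10T12:00:00+00:00,true,2020-05-02T11:00:00+00:00,true,2020-04-28T16:45:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2020-06-15T10:00:00+00:00,true,no_information,true,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2018-02-14T08:00:00+00:00,false,N/A,true,2020-12-02T03:10:00+00:00,true,2020-01-15T09:00:00+00:00
"""

# Point in time the sample is evaluated against (constructed for the example).
EXAMPLE_NOW = datetime(2020, 12, 5, tzinfo=timezone.utc)

# Markers the report uses where no timestamp is available.
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_timestamp(value):
    """Return an aware datetime, or None for the report's 'no value' markers."""
    if value is None or value.strip() in NO_DATE:
        return None
    return datetime.fromisoformat(value.strip())


def last_activity(row):
    """Most recent console login or access-key use recorded for a user, or None."""
    candidates = [
        parse_timestamp(row.get("password_last_used")),
        parse_timestamp(row.get("access_key_1_last_used_date")),
        parse_timestamp(row.get("access_key_2_last_used_date")),
    ]
    used = [c for c in candidates if c is not None]
    return max(used) if used else None


def find_inactive_users(report_csv, now, max_idle_days=90):
    """Users idle for at least max_idle_days; never-used users count from creation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root user cannot be deleted; review it separately
        last = last_activity(row)
        reference = last or parse_timestamp(row["user_creation_time"])
        days_idle = (now - reference).days
        if days_idle >= max_idle_days:
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "days_idle": days_idle,
                "never_used": last is None,
            })
    findings.sort(key=lambda f: f["days_idle"], reverse=True)
    return findings


def find_stale_access_keys(report_csv, now, max_idle_days=90):
    """Active access keys unused for max_idle_days (or never used): deactivate them."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            used = parse_timestamp(row.get(f"access_key_{n}_last_used_date"))
            if used is None or (now - used).days >= max_idle_days:
                stale.append((row["user"], f"access_key_{n}"))
    return stale


if __name__ == "__main__":
    for f in find_inactive_users(SAMPLE_REPORT, EXAMPLE_NOW):
        state = "never used" if f["never_used"] else f"idle {f['days_idle']} days"
        print(f"remove or disable: {f['user']} ({state})")
    for user, key in find_stale_access_keys(SAMPLE_REPORT, EXAMPLE_NOW):
        print(f"deactivate stale key: {user} {key}")
```

Running the same functions against a real report (pipe `aws iam get-credential-report --query Content --output text | base64 -d` into `find_inactive_users`) gives a removal list that can be reviewed before any deletion; shrinking the set of valid identities, together with the naming and logging measures above, is what makes enumeration of this kind less rewarding.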

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.