AWS CLI for an SSO Consumer. ACM.127 AWS CLI instructions with an AWS… | by Teri Radichel | Cloud Safety | Jan, 2023


ACM.127 AWS CLI commands with an AWS SSO (IAM Identity Center) session — threat modeling and attack surface

$ aws sso login --profile my-dev-profile
  1. Configure a login profile (which only requires the start URL and a region, as Ben Kehoe explains in the blog post above).
  2. Run the login command in the CLI.
  3. Get the URL and code after running the command.
  4. Craft a link that automatically visits the URL and submits the code.
  5. Trick a user into clicking the link and then entering their AWS SSO (IAM Identity Center) credentials.
  6. Boom. The attacker has an active CLI session that can do whatever that user can do — including access any AWS account the user has access to, as explained in Ben Kehoe's post above.
  • The logout process is inconvenient and potentially confusing.
  • I'm not sure how to terminate a session. I found this post, which sounds like a cumbersome way to terminate a session for an AWS SSO user, but I suppose it could work:
  • This is a shared URL, not a URL that you control and can monitor for suspicious activity.
  • You can't restrict traffic to it from your own private network, since it's a shared AWS URL.
  • Are there any confused deputy attacks that are possible using this approach? I haven't thought about this at all yet.
  • What if a user used their SSO credentials to log in and initiate a session and then passed the bearer token to the batch job? Then the user would have access to production credentials and the production bearer token. That option doesn't meet my requirements.
  • They first of all have to add a user for me into their primary AWS SSO / IIC directory (as opposed to granting my remote account and user permission to use a role in their account).
  • I'd have to enter my MFA device into their AWS account and directory so they can enforce MFA, which I don't want to do. I only want to store my MFA device information in my own account.
  • Is the SAML implementation secure and free from potential Golden SAML and other types of SAML attacks? I haven't had time to look into any of this. I presume AWS is doing a good job here, but I haven't personally analyzed and verified this or seen any documentation on it.
  • I've not yet had time to test enforcing all of the conditions we're enforcing in this blog series, but I no longer think we can enforce MFA on the AWS SSO roles, if I remember correctly. More testing is required.
  • I find AWS SSO confusing. The UI is cumbersome to me. Perhaps I'm still used to AWS IAM, but I find it easier to determine what permissions a user or group has, and in which accounts, when using AWS IAM.
  • I need to explore that comment on the bearer token above further.
  • I would need to test it all out to prove or disprove my theories — but given I have so many reservations about it already, I'm not going to spend more time on it.
  • Can I even disable automation for AWS SSO users? I don't see an option to choose either programmatic access, console access, or both when creating an AWS SSO user. Does that mean that even if I never want to use automation with my AWS SSO users, I can't turn it off?
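On the logout and session-termination points above, a defender's first question is usually "which SSO sessions does this machine currently hold, and are they still live?" The following is an added example written for this page; it is not code from Teri Radichel's post or from AWS. It audits the AWS CLI's local SSO token cache, flags which cached access tokens are still within their expiry, and can drop the live ones from disk. The field names it reads (startUrl, region, accessToken, expiresAt) are the ones the AWS CLI v2 writes under ~/.aws/sso/cache/, taken here as an assumption, and every sample value, including the placeholder start URL, is constructed so the script runs offline against a temporary directory.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample cache entries. The AWS CLI v2 stores SSO access tokens as
# JSON files under ~/.aws/sso/cache/; the field names used here (startUrl,
# region, accessToken, expiresAt) are an assumption of this example, and every
# value below is made up (the start URL is a placeholder, not a real portal).
SAMPLE_CACHE = {
    "aaaa.json": {
        "startUrl": "https://PLACEHOLDER.awsapps.com/start",
        "region": "us-east-1",
        "accessToken": "CONSTRUCTED-TOKEN-1",
        "expiresAt": "2023-01-09T12:00:00Z",  # already expired at NOW
    },
    "bbbb.json": {
        "startUrl": "https://PLACEHOLDER.awsapps.com/start",
        "region": "us-west-2",
        "accessToken": "CONSTRUCTED-TOKEN-2",
        "expiresAt": "2023-01-10T12:00:00Z",  # still live at NOW
    },
    # Client registrations share the directory but carry no access token.
    "cccc.json": {
        "clientId": "CONSTRUCTED-CLIENT-ID",
        "clientSecret": "CONSTRUCTED-CLIENT-SECRET",
        "expiresAt": "2023-04-01T00:00:00Z",
    },
}

# Fixed "current time" so the audit is reproducible offline.
NOW = datetime(2023, 1, 9, 18, 0, tzinfo=timezone.utc)


def parse_expiry(value):
    """Parse the UTC 'Z'-suffixed timestamp the CLI writes into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat rejects 'Z' before Python 3.11
    return datetime.fromisoformat(value)


def audit_cache(cache_dir, now):
    """List every cached SSO access token with its portal, region and live/expired state."""
    findings = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        data = json.loads(path.read_text())
        if "accessToken" not in data:
            continue  # client registration, not a sign-in session
        findings.append({
            "file": path.name,
            "startUrl": data.get("startUrl"),
            "region": data.get("region"),
            "expiresAt": data["expiresAt"],
            "live": parse_expiry(data["expiresAt"]) > now,
        })
    return findings


def remove_tokens(cache_dir, now, only_live=False):
    """Delete cached access-token files and return their names.

    With only_live=True, expired files are left alone and only live tokens are dropped.
    Deleting the file removes the token from this machine only: it does not end the
    sign-in session at IAM Identity Center, and role credentials already issued from
    the token stay valid until their own expiry. `aws sso logout` is the supported path.
    """
    removed = []
    for finding in audit_cache(cache_dir, now):
        if only_live and not finding["live"]:
            continue
        (Path(cache_dir) / finding["file"]).unlink()
        removed.append(finding["file"])
    return removed


def run_demo():
    """Write the constructed cache into a temp directory, audit it, then drop the live token."""
    with tempfile.TemporaryDirectory() as cache_dir:
        for name, entry in SAMPLE_CACHE.items():
            (Path(cache_dir) / name).write_text(json.dumps(entry))
        before = audit_cache(cache_dir, NOW)
        removed = remove_tokens(cache_dir, NOW, only_live=True)
        after = audit_cache(cache_dir, NOW)
    return {
        "live_before": [f["file"] for f in before if f["live"]],
        "expired_before": [f["file"] for f in before if not f["live"]],
        "removed": removed,
        "live_after": [f["file"] for f in after if f["live"]],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

To run this against a real workstation, point `audit_cache` at `~/.aws/sso/cache` with `now=datetime.now(timezone.utc)`; a live entry means a phished or forgotten `aws sso login` on that host is still usable until `expiresAt`. The audit is a local view only, which is exactly the gap the bullets above describe: the shared portal URL is not something you can watch, so the per-host cache and CloudTrail are where the evidence lives.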


