Monday, January 16, 2023
HomeCyber SecurityBackdoors and Privilege Escalation Through Cloud Account Customers | by Teri Radichel...

Backdoors and Privilege Escalation Through Cloud Account Customers | by Teri Radichel | Cloud Safety | Jan, 2023


ACM.134 Stopping a consumer from leveraging one other consumer with permissions they don’t have

  • Change a consumer’s password, MFA machine, and/or create a brand new developer key for the consumer.
  • Do no matter that consumer is allowed to do by leveraging that consumer’s credentials.
  • Create a brand new consumer.
  • Create a brand new coverage with no matter permissions they need.
  • Assign that coverage to the consumer.
  • Login as that consumer.
  • Do no matter that consumer is allowed to do.
  • Past the omnipotent root consumer and ROOT automation credentials, solely enable IAM directors to create customers with a particular permission boundary.
  • That permission boundary ought to restrict customers to solely altering their very own credentials (password, MFA machine, and any automation credentials).
  • Embrace the lack to alter anybody else’s password however their very own within the IAM administrator’s permissions.
  • An IAM administrator can’t change the password for a consumer.
  • No consumer can change anybody else’s password or credentials.
  • We now have improved non-repudiation within the case of unauthorized or non-compliant actions.
  1. The HR division initiates the creation of a brand new consumer by way of an automatic course of which notifies the IT and safety division {that a} new consumer is being added to group.
  2. An company login and e mail account is routinely generated for the brand new consumer.
  3. The credentials for the company login and e mail are offered by the one who generated them in IT to the consumer (one other potential safety hole — how does a brand new consumer get his or her preliminary credentials with out anybody seeing them?) Right here we’re at our catch 22. However we are able to leverage a number of further steps to forestall an IT admin from utilizing these credentials to entry a cloud account with them.
  4. The consumer should login and alter their password and arrange MFA on their company login and e mail account earlier than they’ll take another motion.
  5. The consumer sends an e mail to their supervisor who confirms that this has all taken place and solely the right consumer has entry to their very own e mail. I suppose there might be some man-in-the-middle or proxy assault at this level the place the consumer modified their consumer identify and password in a faux system however now we’re getting very superior for an attacker.
  6. The supervisor sends the consumer directions for some fundamental safety coaching. For the reason that supervisor should full this step they’re accountable for ensuring the right consumer has the directions through the e-mail tackle, not an IT admin.
  7. The coaching consists of data on phishing, malicious hyperlinks and attachments, smishing (textual content messages), and so forth. Maybe the consumer has to log right into a system with their new credentials which verifies they undergo the coaching and that they’ll cross a fundamental check through human interplay (i.e. with captchas and bot detection).
  8. As soon as the consumer has accomplished the coaching HR will get notified, at which level they kick off the method to create a consumer’s cloud account and different accounts required all through the group by way of an automatic mechanism, primarily based on permissions assigned by the consumer’s supervisor.
  9. The IAM staff has created roles for the group within the cloud account and people guidelines are routinely assigned by the HR course of signifies primarily based on the permissions assigned by the supervisor.
  10. The consumer can’t take any motion of their account till the password is modified and MFA is ready up (or maybe MFA and passwords are offered by way of the credentials already granted.)
  • Create a coverage within the domains account with permissions to handle domains.
  • Create a consumer within the domains account that leverages the coverage.
  • Login as that consumer to entry the domains.
  • Disallow creation of customers within the domains account.
  • Create a coverage within the domains account.
  • Create a job to handle domains within the domains account.
  • Create a belief coverage with cross-account entry for a consumer or position to leverage that position.
  • Create a consumer and/or assign the position with entry to the domains account through the belief coverage.
  • Solely the ROOT automation account has entry to vital features comparable to creating and deleting domains, or transferring domains in our domains account. This account requires MFA and is disabled when not in use.
  • We solely grant area directors the power to configure DNS.
  • The ROOT account creates the belief coverage and IAM coverage that permits the IAM administrator to create permissions within the distant account. The IAM coverage for managing permissions has an acceptable Permissions Boundary to restrict actions in that account to solely what ought to be allowed.
  • Create alerts to for any adjustments to those settings.
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments