Sunday, December 22, 2024
Privilege Escalation Through a Cloud Compute Resource | by Teri Radichel | Cloud Security | Jan, 2023


ACM.133 Limiting Pass Role permissions using AWS IAM policies

  • This allows an application to access *all* S3 buckets and logs instead of the logs specifically assigned to that application. See why this was a problem by taking a look at what happened in the Capital One breach. You might be able to fix that via a consistent naming convention and some asterisks in the ARN in the policy.
  • You'll probably need more permissions for some applications. There's often not a one-size-fits-all policy for all the applications an organization needs to build.
  • You'll probably end up granting overly permissive policies as you add more and more permissions to your "generic" application policy. What if you have an application that needs no access to S3? Do you create a bucket for that application anyway? Do you let it have S3 permissions it doesn't need?
  • Let's say we wanted to prevent our IAM users from accessing Route 53. We could set up a limitation in their policy so that they can only assign the IAM administration role to a resource. However, that role has a lot of permissions that won't be required for a single batch job if we start creating batch jobs to carry out IAM functions. Again we have the problem of an overly permissive role.
  • The other problem with this approach is that you can't even use a role that requires MFA on a compute resource. I explained that in more detail in earlier posts. So there's no point to this particular restriction for our IAM administrators.
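The two policy shapes the bullets contrast, as an added example that is not code from the original post: a "generic" application policy that reaches every S3 bucket and can pass any role to compute, beside one scoped with a bucket naming convention (`batchjob-*`) and a `iam:PassRole` statement limited to a single role ARN. The account id, bucket names and role names are constructed placeholders. The evaluator is a deliberately simplified model of IAM (Allow statements only, `*` wildcards, no Deny, conditions, NotAction, SCPs or resource policies) so that the difference between the two policies can be shown on concrete requests.

```python
"""
Added example (not from the original post): compare an overly broad "generic"
application policy with one scoped by a bucket naming convention and a single
passable role. The evaluator below is a simplified model of IAM evaluation:
it only honours Allow statements with '*' wildcards and ignores Deny,
Condition, NotAction, SCPs and resource policies.
"""
import re

ACCOUNT = "123456789012"  # constructed placeholder account id

# Weak setting: any S3 bucket, and any role may be passed to a compute resource.
GENERIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Corrected setting (assumed naming convention): buckets for the "batchjob"
# application are named batchjob-*, and the only role the application may
# hand to compute is batchjob-task-role.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::batchjob-*",
                      "arn:aws:s3:::batchjob-*/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/batchjob-task-role"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if some Allow statement in the policy matches action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def compare(action, resource):
    """Evaluate one request under both policies; returns (generic, scoped)."""
    return (is_allowed(GENERIC_POLICY, action, resource),
            is_allowed(SCOPED_POLICY, action, resource))


if __name__ == "__main__":
    # Constructed sample requests: the application's own log bucket, an
    # unrelated production bucket, its own task role, and an admin role.
    requests = [
        ("s3:GetObject", "arn:aws:s3:::batchjob-logs/run-1.log"),
        ("s3:GetObject", "arn:aws:s3:::payments-prod/cards.csv"),
        ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/batchjob-task-role"),
        ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/IAMAdministrator"),
    ]
    for action, resource in requests:
        generic, scoped = compare(action, resource)
        print(f"{action:13} {resource:58} generic={generic!s:5} scoped={scoped}")
```

Under the generic policy every request above is allowed; under the scoped policy only the application's own bucket and its own task role are. The naming convention still lets the application reach any bucket whose name begins with `batchjob-`, so the convention has to be enforced at bucket creation time, and a real policy review should use the IAM policy simulator rather than a model like this one, since Deny statements, conditions and SCPs can change the outcome.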
Medium: Teri Radichel
Email List: Teri Radichel
Twitter: @teriradichel
Twitter (company): @2ndSightLab
Mastodon: @teriradichel@infosec.exchange
Post: @teriradichel
Facebook: 2nd Sight Lab
Slideshare: Presentations by Teri Radichel
Speakerdeck: Presentations by Teri Radichel
Books: Teri Radichel on Amazon
Recognition: SANS Difference Makers Award, AWS Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
How I got into security: Woman in tech
Buy me a coffee: Teri Radichel
Company (Penetration Tests, Assessments, Training): 2nd Sight Lab
Request services via LinkedIn: Teri Radichel or IANS Research