Cloud misconfigurations continue to cause major headaches for organisations – and a recent report from Palo Alto Networks has uncovered an identity and access management (IAM) flaw that could have been worth ‘millions.’
The finding appears in the security provider’s Cloud Threat Report 2H 2020. The disclosure (28 pages, PDF, email required) came about after the Unit 42 cloud threat intelligence team – the research arm of Palo Alto – was contacted by a customer requesting a test of its Amazon Web Services (AWS) infrastructure defences. The customer ran ‘thousands’ of workloads and ‘hundreds of S3 buckets.
The researchers found, within a week, two ‘critical’ IAM misconfigurations which “rippled through all the customer’s AWS accounts… either of which could be crippling for any organisation,” as the report put it.
The first misconfiguration allowed the research team to access sensitive data within internal, non-public S3 buckets, while the second was over-privileged IAM roles assigned to non-administrator user accounts.
It is worth noting that the age old issue of shared responsibility again rears its head. Palo Alto was keen to stress that AWS ‘tries its best’ to detect and alert users when an IAM trust policy is misconfigured. This has been something CloudTech has reported on several occasions; through reports from Check Point among others, while AWS has launched extra UX to help ensure buckets don’t become misaligned, such as Amazon S3 Block Public Access.
The report also noted how using an infrastructure as code (IaC) approach, with a vulnerable configuration, could lead to a ‘catastrophic ripple effect.’ “The misconfigured trust policy in this customer’s IaC template was replicated to multiple roles across multiple accounts,” the researchers wrote. “Unit 42 researchers found more than 30 vulnerable entry points in the customer’s cloud environment that could all have been exploited the same way.”
Forensic work indicated that no malicious actors had successfully exploited these IAM misconfigurations, and the customer was able to remediate the issues.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.