News and Announcements

AWS Security

Posted: 2019-08-12 12:59:06   Expiration: 2019-11-19 16:34:04

Disclaimer: This news item was originally posted on 2019-08-12 12:59:06. Its content may no longer be timely or accurate.

AWS security and SSRF attacks

This is for those worried about the Capital One intrusion and how it impacts your AWS environment.

There are two key configurations that could put you at risk.


1. An EC2 server running a web server (or web cache) configured to proxy web requests
2. The same EC2 server has an IAM role attached to it that is too permissive

If you do, the two best solutions for you are AWS GuardDuty and/or AWS WAF.

GuardDuty is designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places.

The AWS WAF, Amazon says, can detect common exploitation techniques, including SSRF attacks.

If you have this configuration and wish to audit your API history for attempts, Netflix has an open source tool for looking for SSRF attacks like the one that impacted Capital One.

https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection

-- Public Cloud: Eric Straavaldsen
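
One way to audit API history for the pattern described above, added here as an example (it is not the Netflix tool's code and not part of the original post): flag CloudTrail records in which an EC2 instance role's credentials were used from an address outside your own networks. The sample records, account ID, role name, instance ID and trusted CIDRs are constructed assumptions.

```python
import ipaddress

def ev(time, name, ip, id_type, arn):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type, "arn": arn}}

# Constructed values: account ID, role name, instance ID and IPs are made up.
ROLE = "arn:aws:sts::111122223333:assumed-role/web-cache-role/i-0aaa1111bbbb2222c"
SAMPLE_EVENTS = [
    ev("2019-08-01T10:00:00Z", "DescribeInstances", "198.51.100.10", "AssumedRole", ROLE),
    ev("2019-08-01T10:07:41Z", "ListBuckets", "203.0.113.77", "AssumedRole", ROLE),
    ev("2019-08-01T10:05:00Z", "DescribeTags", "ec2.amazonaws.com", "AssumedRole", ROLE),
    ev("2019-08-01T10:09:02Z", "ListBuckets", "203.0.113.5", "IAMUser",
       "arn:aws:iam::111122223333:user/alice"),
    ev("2019-08-01T10:08:13Z", "GetCallerIdentity", "203.0.113.77", "AssumedRole", ROLE),
]
# Assumption: the networks your instances reach AWS from (NAT gateway, VPC range).
TRUSTED_CIDRS = ["198.51.100.10/32", "10.0.0.0/16"]

def find_off_instance_use(events, trusted_cidrs):
    """Return (time, instance_id, source_ip, event_name) for every call made
    with EC2 instance-role credentials from outside the trusted networks."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for e in sorted(events, key=lambda r: r["eventTime"]):
        ident = e.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # only temporary role credentials are of interest here
        # EC2 uses the instance ID as the role session name (last ARN segment).
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        if not session.startswith("i-"):
            continue
        try:
            ip = ipaddress.ip_address(e["sourceIPAddress"])
        except ValueError:
            continue  # AWS service principals such as "ec2.amazonaws.com"
        if not any(ip in n for n in nets):
            findings.append((e["eventTime"], session, str(ip), e["eventName"]))
    return findings

if __name__ == "__main__":
    for finding in find_off_instance_use(SAMPLE_EVENTS, TRUSTED_CIDRS):
        print("instance credentials used off-instance:", finding)
```

Calls from instances in private subnets show the NAT gateway's public address in CloudTrail, so that address belongs in the trusted list alongside the VPC range.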