Cyberthreat researchers have singled out Amazon S3, KMS and SQS and a dozen other APIs that can be exploited.

Security researchers have discovered a class of Amazon Web Services (AWS) application programming interfaces (APIs) across 16 AWS services that can be exploited to leak information. 

The major services involved include the Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS) and Amazon Simple Queue Service (SQS), among others. 

Exploitation of these APIs is difficult to track because the CloudTrail logs and error messages appear only in the account that owns the resource being validated, which is the attacker’s own account, and not in the targeted account. Attackers thereby have unlimited time to perform reconnaissance on random or targeted AWS accounts without worrying about being noticed.

These vulnerabilities become dangerous in combination with cloud misconfigurations: a malicious actor may obtain the roster of an account, learn the organization’s internal structure, and then launch targeted attacks against individuals.

In a recent Red Team exercise, Palo Alto Networks’ Unit 42 researchers compromised a customer’s cloud account with thousands of workloads using a misconfigured Identity and Access Management (IAM) role identified by this technique.

Resource-based policy APIs

Policy validation is a feature from AWS that facilitates the user experience. While most users benefit from the feature, adversaries may also find the feature useful for performing reconnaissance in another account. Because the policy validator checks whether the specified principal exists, it gives adversaries a way to build up knowledge of a targeted account’s roster gradually.

Thus, adversaries may abuse policy validators in multiple AWS services that support resource-based policies. When defining a principal in a resource-based policy, users can request AWS to authenticate and authorize the principal to access the resources in an AWS account. If an invalid username or role name is provided, the authentication will fail. One of the authentication best practices for implementing a secure authentication process is to avoid giving out account-specific information in error messages.

However, the AWS policy validator inadvertently leaks account-specific information in its error messages, explicitly revealing whether the specified principal exists. An adversary could use these error messages to check whether a user or an IAM role exists in a targeted account. By repeating this process with a wordlist, an adversary can enumerate and discover the existing identities in a targeted account. Policies that name a nonexistent principal are rejected and can’t be saved. The process can also be performed programmatically using AWS APIs, making the enumeration scalable.

As the vulnerabilities are disclosed and addressed, AWS users and cyber defense teams are advised to harden their IAM configurations and review their role trust policies.
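Because the targeted account sees no CloudTrail record of this enumeration, the practical defence is on the configuration side: making sure that the roles an attacker could discover cannot be assumed by anyone outside the organization. The following script is an added example written for this article, not code from Unit 42, AWS or the researchers; it audits IAM role trust policies (the AssumeRolePolicyDocument returned by iam:GetRole) and flags wildcard principals, principals from accounts outside an allow-list, and cross-account trust that lacks an sts:ExternalId condition. The TRUSTED_ACCOUNTS allow-list, the finding names and the SAMPLE_ROLES trust policies are all constructed for the demonstration.

```python
"""Audit IAM role trust policies for principals a defender should review.

Added example (not from the article, Unit 42 or AWS). The sample policies and the
account allow-list below are constructed; feed real policies from iam:ListRoles /
iam:GetRole in the same shape.
"""
import re

# Constructed allow-list of the 12-digit account IDs this organization owns (assumption).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Captures the account ID from an IAM or STS ARN such as arn:aws:iam::123456789012:root
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

# Constructed sample trust policies in the AssumeRolePolicyDocument shape.
SAMPLE_ROLES = {
    "GoodInternalRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
    "Ec2Role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "VendorRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::999999999999:role/VendorAccess"},
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]},
    "LegacyRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Principal": {"AWS": "333333333333"}}]},
    "OpenRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "*"}}]},
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Yield (kind, value) pairs from a statement's Principal block."""
    principal = statement.get("Principal", {})
    if principal == "*":            # bare "*" is shorthand for {"AWS": "*"}
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def account_of(principal):
    """Return the account ID of an AWS principal (bare ID or IAM/STS ARN), else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def has_external_id(statement):
    """True if any condition operator in the statement references sts:ExternalId."""
    condition = statement.get("Condition", {})
    return any("sts:ExternalId" in keys for keys in condition.values())


def audit_trust_policy(role_name, policy, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return a list of (role, finding, principal) tuples for one trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for kind, value in principals_of(stmt):
            if kind != "AWS":
                continue            # Service / Federated principals are out of scope here
            if value == "*":
                findings.append((role_name, "WILDCARD_PRINCIPAL", value))
                continue
            account = account_of(value)
            if account is None:
                findings.append((role_name, "UNPARSED_PRINCIPAL", value))
            elif account not in trusted_accounts:
                findings.append((role_name, "CROSS_ACCOUNT", value))
                if not has_external_id(stmt):
                    findings.append((role_name, "NO_EXTERNAL_ID", value))
    return findings


def audit_roles(roles, trusted_accounts=TRUSTED_ACCOUNTS):
    """Audit a {role_name: trust_policy} mapping; roles with no findings map to []."""
    return {name: audit_trust_policy(name, pol, trusted_accounts) for name, pol in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE_ROLES).items():
        status = "ok" if not findings else ", ".join(f"{f} ({p})" for _, f, p in findings)
        print(f"{name}: {status}")
```

On a real account, the same function can be run over the `AssumeRolePolicyDocument` field of each role returned by boto3's `iam.list_roles()` (paginated), with `TRUSTED_ACCOUNTS` set to the organization's own account IDs. A `WILDCARD_PRINCIPAL` or `NO_EXTERNAL_ID` finding on a role whose name is guessable from a wordlist is exactly the kind of misconfiguration the enumeration described above is looking for.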