How to NotCreate NotSecure Policies: A dive into AWS Policies Not* Fields and the insecurities around them

By Bleon Proko

Elevator Pitch

"Deny all, allow only what is needed" is probably the best way to maintain least privilege. Some vendors, understanding this, provide by default an empty identity with no privileges. What happens, though, when that vendor decides to make life easier by allowing everything and filtering out what is not needed?

Description

AWS defines the privileges an identity has through IAM policies, which state what is allowed and what is not. A default identity in AWS is only allowed to call sts:GetCallerIdentity, the AWS API equivalent of the whoami command; everything else is defined by policy. Each policy statement defines an effect (Allow or Deny), the actions the identity may perform, the target resources and the conditions for the access. So an identity has everything denied by default, and all of its privileges are added by the administrator. To make life easier for the administrator, and also to keep policy size down, AWS additionally allows Not* definitions, which are the opposite of the normal definitions. This in itself is no different from normal policy definitions, until they are implemented improperly, resulting in an over-privileged identity. Worse, many of these cases are not even detected by policy analyzers, which is a problem for vulnerability detection tooling on both the attack and the defense side.

This talk will present how those definitions can be misused to give identities more privileges, how attackers can use them to bypass detections, and how they can be used to persist in a cloud environment. The talk will also present a tool that detects them, based on how the different Not* definitions are used by a policy, in order to clearly analyze the access an identity has. It is built to require as few privileges as possible, so that Red Teamers can use it on their assessments, as well as Blue Teamers, without needing an overly-privileged identity. By the end of the presentation, the audience will be able to spot the insecurities that come from misused Not* definitions, detect and understand the privileges that come with them, and contain those privileges without completely giving up on the definitions.
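As an added illustration of the detection idea described above (this is example code written for this page, not the author's tool or any AWS library), the following scanner walks a policy document and flags the pattern that widens access: an Allow statement combined with NotAction, NotResource or NotPrincipal. A Deny statement with a Not* field narrows access and is left alone. For NotAction the scanner also answers the question a reviewer actually wants answered: which sensitive actions are still reachable through the carve-out. The policy document and the list of sensitive actions are constructed for the example; action matching follows IAM's case-insensitive wildcard rules.

```python
"""Flag Allow statements that use NotAction / NotResource / NotPrincipal.

Example code for this page; not the author's tool. The policy and the
SENSITIVE_ACTIONS list below are constructed sample data.
"""
import fnmatch
import json

# Actions a defender typically wants to know are still reachable through a
# NotAction carve-out (illustrative list, assumption for this example).
SENSITIVE_ACTIONS = (
    "iam:CreateUser",
    "iam:AttachUserPolicy",
    "iam:PutRolePolicy",
    "sts:AssumeRole",
    "s3:GetObject",
)

# Constructed sample policy. "ReadOnlyish" looks harmless but is an Allow
# with NotAction, so every action outside s3:* and ec2:Terminate* is granted.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyish", "Effect": "Allow",
         "NotAction": ["s3:*", "ec2:Terminate*"], "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*",
         "NotResource": "arn:aws:logs:*:*:log-group:prod-*"},
        # Deny + NotAction restricts rather than widens; it is not flagged.
        {"Sid": "DenyAllButList", "Effect": "Deny",
         "NotAction": "s3:ListBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern, value):
    """IAM action names match case-insensitively with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_covers_action(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`.

    With NotAction the statement applies to everything NOT listed, so a
    sensitive action is covered exactly when no NotAction pattern matches it.
    """
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def analyze_policy(policy):
    """Return a list of findings, one per Allow statement using a Not* field."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny + Not* narrows access; only Allow + Not* widens it
        if "NotAction" in stmt:
            reachable = [a for a in SENSITIVE_ACTIONS
                         if statement_covers_action(stmt, a)]
            findings.append({"sid": sid, "field": "NotAction",
                             "detail": reachable})
        if "NotResource" in stmt:
            # Applies to every resource except those listed, including
            # resources that do not exist yet.
            findings.append({"sid": sid, "field": "NotResource",
                             "detail": _as_list(stmt["NotResource"])})
        if "NotPrincipal" in stmt:
            # In a resource policy, Allow + NotPrincipal grants access to
            # every principal except those listed, anonymous callers included.
            findings.append({"sid": sid, "field": "NotPrincipal",
                             "detail": _as_list(stmt["NotPrincipal"])})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze_policy(SAMPLE_POLICY), indent=2))
```

Running the block prints two findings: "ReadOnlyish" still reaches every sensitive IAM and STS action in the list (only s3:GetObject is carved out), and "Logs" is flagged for NotResource. The same functions can be pointed at policy documents pulled from the IAM API, but fetching them is outside this example.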

Notes

There will be a demo using a tool I have been working on to detect the overly privileged policies that utilize Not*, so a device with Docker or Python 3.11 installed will be needed, unless my laptop is allowed to be used. Of course I will be needing Internet access, as I will need to access the AWS API using the tool. This is research I have been doing, and continue to do, for the last 4 months, and it is planned to be a blog post released along with the tool after the conference, or, if I’m not accepted, after the rejection notice.