As the year wraps up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.
First, that time when an AWS employee posted confidential AWS customer information, including AWS access keys for those customer accounts, to GitHub. https://twitter.com/VickerySec/status/1220346787455627267
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://twitter.com/RhinoSecurity/status/1253397992255582208
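The gap described above is that GuardDuty reacts to StopLogging but not to a trail whose event selectors have been rewritten so that nothing useful is recorded. The following is an added example, not code from the thread or from AWS, of the kind of check a defender can run over CloudTrail records to catch both cases. The log records are constructed for the example, and the field layout for PutEventSelectors (`requestParameters.eventSelectors` with `readWriteType` and `includeManagementEvents`) is assumed from the shape CloudTrail uses for that API.

```python
"""Added example (not from the thread): flag CloudTrail records that stop a
trail or narrow its event selectors so management events are no longer fully
recorded. Sample records are constructed, not real log data."""
import json

# API calls that change what a trail records. Constructed list for this example.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def selectors_drop_management_events(request_params):
    """Return True unless at least one selector still records ALL management
    events (readWriteType "All" and includeManagementEvents true).
    This rule is the example's own; field names assumed from CloudTrail's format."""
    selectors = (request_params or {}).get("eventSelectors") or []
    for sel in selectors:
        if sel.get("includeManagementEvents", True) and sel.get("readWriteType", "All") == "All":
            return False
    return True


def classify(record):
    """Return a finding string for one CloudTrail record, or None if benign."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in TRAIL_TAMPER_EVENTS:
        return None
    who = record.get("userIdentity", {}).get("arn", "unknown")
    if name == "PutEventSelectors":
        if selectors_drop_management_events(record.get("requestParameters")):
            return f"HIGH: {who} narrowed event selectors so management events are no longer fully recorded"
        return f"INFO: {who} changed event selectors (management events still fully recorded)"
    return f"HIGH: {who} called {name}"


def scan(log_lines):
    """Run classify() over newline-delimited JSON records and collect findings."""
    findings = []
    for line in log_lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (one JSON document per line, as a log shipper would emit).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"trailName": "example-trail",
                           "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": False}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-admin"},
     "requestParameters": {"trailName": "example-trail",
                           "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True,
                                               "dataResources": [{"type": "AWS::S3::Object",
                                                                  "values": ["arn:aws:s3:::example-bucket/"]}]}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"name": "example-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample data this reports the selector change that excludes management events and the StopLogging call as HIGH, the selector change that only adds S3 data events as INFO, and ignores the two read-only calls. In practice the same logic runs as an EventBridge rule or a SIEM query on the organization trail, so that the trail being tampered with is not the only place the tampering is recorded.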
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://twitter.com/SpenGietz/status/1252971138352701442
Repeated examples, over and over again, of AWS having no change control over their managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, and AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to Cassandra. https://twitter.com/__steele/status/1316909785607012352
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://twitter.com/kestenb/status/1273044494154424320
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://twitter.com/__steele/status/1273748905826455552
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://twitter.com/wunderwuzzi23/status/1278392848950325250
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://twitter.com/benbridts/status/1280934515305824256
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie https://twitter.com/SchmiegSophie/status/1292930639772004352
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://twitter.com/colmmacc/status/1295461636241854469 and https://twitter.com/arkadiyt/status/1180174359840862209?lang=en
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://twitter.com/awswhatsnew/status/1298307036078149632
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://twitter.com/BenReser/status/1305973626827489280 https://twitter.com/0xdabbad00/status/1332480228950634497
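Both the ReadOnlyAccess regression above and the pile of near-duplicate AWSConfig* policies are the kind of thing a consumer of managed policies can catch by diffing each newly published policy version against the last one. The following is an added example, not code from the thread or from AWS, of such a diff: it lists removed and added Allow actions, and raises alerts when a policy whose name says ReadOnly gains actions that are not reads, or when a new version keeps none of the actions the old one allowed. The two policy documents are constructed approximations of a before/after pair, not the real published text of ReadOnlyAccess, and the read-only verb prefixes are a heuristic chosen for this example.

```python
"""Added example (not from the thread): diff two versions of a managed IAM
policy and flag regressions of the ReadOnlyAccess kind. Policy documents are
constructed for the example."""

# Heuristic: an action is treated as read-only if its verb starts with one of these.
# Chosen for this example; a wildcard verb ("*") is never treated as read-only.
READ_PREFIXES = ("Get", "List", "Describe", "View", "Search", "Lookup", "Scan", "Query")


def allowed_actions(policy_doc):
    """Collect the actions granted by Allow statements (Deny statements ignored)."""
    actions = set()
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        acts = statement.get("Action", [])
        if isinstance(acts, str):
            acts = [acts]
        actions.update(acts)
    return actions


def is_read_only_action(action):
    """True for actions like s3:GetObject or ec2:Describe*; False for cassandra:* or iam:Create*."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_PREFIXES)


def diff_policy(name, before, after):
    """Compare two versions of a policy and return removed/added actions plus alerts."""
    old, new = allowed_actions(before), allowed_actions(after)
    report = {"removed": sorted(old - new), "added": sorted(new - old), "alerts": []}
    if "readonly" in name.lower():
        writes = [a for a in report["added"] if not is_read_only_action(a)]
        if writes:
            report["alerts"].append(f"{name}: non-read actions added: {', '.join(writes)}")
    if old and not (old & new):
        report["alerts"].append(f"{name}: every previously allowed action was removed")
    return report


# Constructed before/after documents, a simplified stand-in for the incident above.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"}]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cassandra:*", "Resource": "*"}]}

if __name__ == "__main__":
    result = diff_policy("ReadOnlyAccess", BEFORE, AFTER)
    print("removed:", result["removed"])
    print("added:  ", result["added"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run against the constructed pair this reports three removed read actions, one added wildcard action, and both alerts. The same diff works as a pre-flight check before adopting a new policy version in your own accounts, which is the only change control available when the publisher has none.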
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://twitter.com/__steele/status/1308318261394567168
Karim does a security audit of an AWS project that points out enough issues that AWS deprecates the project. https://twitter.com/KarimMelhaoui/status/1310237483100237825
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://twitter.com/XorNinja/status/1310587707605659649
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://twitter.com/iann0036/status/1310835121017090050
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://twitter.com/Frichette_n/status/1317547956199882752
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://twitter.com/SpenGietz/status/1322229302327308288
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on pages 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.
End.