Showing Articles About
aws
-
Tom Taylor-MacLean 
Mohit Gupta - 19 Aug 2025
Another ECS Privilege Escalation Path
ECS has a range of known privilege escalation vectors. We discovered another which relies on using functionality designed for the ECS agent to self-register a compromised EC2 and override a task definition. A variant of this for ECS on Fargate is also discussed.
-
Leonidas Tsaousis - 6 Jan 2025
CloudWatch Dashboard (Over)Sharing
A security vulnerability was discovered in AWS CloudWatch dashboard sharing that allowed unauthorized viewers to access EC2 tags. The issue stemmed from a misconfiguration in Cognito Identity Pools' authentication flow, specifically an undefined setting for the Classic authentication flow. By exploiting this misconfiguration, attackers could retrieve sensitive account information through a multi-step authentication process.
-
Max Keasley - 12 Apr 2024
Exploiting the AWS Client VPN on macOS for Local Privilege Escalation (CVE-2024-30165)
A local privilege escalation vulnerability was discovered in AWS Client VPN 3.9.0 for macOS. The flaw stemmed from an XPC service lacking proper client verification, allowing an attacker to uninstall the application and execute malicious scripts with root privileges. The vulnerability enabled unauthorized root-level actions through the XPC service's insufficient validation of message origins.
- 11 Oct 2023
Enumerating Cognito Clients Exposed to the internet
This article details a methodology for discovering and enumerating potential misconfigurations in AWS Cognito at scale. The approach involves finding ways to identify vulnerable Cognito instances using SEO backlink tools, AWS CLI commands, and systematic scanning techniques. The project highlights the challenges of cloud service security and the potential for large-scale vulnerability discovery through programmatic scanning.
-
Matthew Keogh Tom Taylor-MacLean - 17 Jan 2023
Dangers of a Service as a Principal in AWS Resource-Based Policies
A critical AWS security vulnerability involves overly permissive resource-based policies that can allow cross-account access to services like SNS and Lambda. These policies enable attackers to interact with resources without direct account permissions, potentially bypassing network restrictions. The attack can exploit AWS service principals to gain unauthorized access to sensitive resources across different AWS accounts.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #1
This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #2
This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #3
This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.
- 17 Jan 2020
Misadventures in AWS
This article details manual techniques for AWS security assessment and privilege escalation during penetration testing. The approach involves generating temporary access keys for multiple AWS roles and systematically collecting data across different accounts using AWS CLI tools. The methodology demonstrates how an attacker with limited initial access can enumerate AWS resources, analyze IAM policies, and potentially escalate privileges within an AWS environment.
- Craig Koorn
- 4 Dec 2019
AWS: Such auspices are very hard to read
awspx is a proof-of-concept tool designed to visualize and analyze complex AWS access management relationships. The tool helps identify potential attack paths by mapping out resource interactions and effective access within AWS cloud infrastructure. It addresses the challenge of understanding intricate AWS policy interactions by creating a graph-based representation of resource and action relationships.
- Alex Kaskasoli
- 23 Aug 2018
DNS Rebinding Headless Browsers
A DNS rebinding attack technique targeting headless browsers running on AWS was demonstrated. The attack can exploit the AWS metadata endpoint by manipulating DNS and causing browsers to hang, potentially allowing exfiltration of sensitive AWS credentials. The method bypasses same-origin policy restrictions by dynamically changing domain IP addresses during browser interactions.
- Craig Koorn
- 17 Jul 2018
EC2 Policies: security, freedom, and both
This article explores how to balance security and flexibility when configuring AWS EC2 permissions. It demonstrates how carefully crafted IAM policies can enable precise infrastructure management while maintaining granular access controls. The solution involves using AWS policy conditions and resource tags to create specific permission boundaries for EC2 instance management.
- 25 Apr 2013
MWR HackLab - Chubby Data
A team analyzed a massive 9TB internet scan dataset using cloud and NoSQL technologies. Multiple approaches were explored to make the data searchable, including Amazon CloudSearch for FTP banners, SQL databases for NBTStat scan results, and NoSQL databases like CouchDB and ElasticSearch for HTTP headers. The project focused on developing efficient parsing and search techniques for large-scale internet infrastructure data.