
Introduction to AWS Serverless Exploitation

BSides Mumbai · 2024 · 20:57 · 165 views · Published 2025-03 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
BSides Mumbai 2024 - AWS Security & Serverless Exploitation. In this session, Sankalp Paranjpe, DevSecOps Engineer at Intangles, provides an in-depth introduction to AWS Serverless Exploitation. Learn how attackers exploit vulnerabilities in serverless architectures and how to secure cloud environments effectively. Topics covered: understanding AWS Serverless architecture; common vulnerabilities & attack vectors; real-world exploitation techniques & mitigation strategies.

Speaker: Sankalp Paranjpe - DevSecOps Engineer, Intangles (LinkedIn: https://www.linkedin.com/in/sankalp-s-paranjpe/)
Event: BSides Mumbai 2024
Topic: Introduction to AWS Serverless Exploitation

Follow BSides Mumbai: Official Website: https://www.bsidesmumbai.in/ · LinkedIn: https://in.linkedin.com/company/bsidesmumbai · Instagram: https://www.instagram.com/bsidesmumbai/ · Twitter/X: https://twitter.com/BSidesMumbai · WhatsApp: https://chat.whatsapp.com/FOLa4NT7zHQ7AoDx4CgwEa · Discord: https://discord.gg/2KRGQWBGR3

Transcript [en]

Sankalp Paranjpe is an AWS Cloud Captain boasting two AWS certifications, including AWS Certified Solutions Architect Associate and AWS Certified Cloud Practitioner. Additionally, he has been contributing to communities by giving technical talks for community growth and development. Get ready for an eye-opening session on Introduction to AWS Serverless Exploitation. Give him a big round of applause.

So hi everyone, how are you all? Are you guys excited to dive into serverless security? So let's get started. Let me introduce myself. I am an SRE intern at Intangles Labs in Pune. Also, I'm a final year student graduating next month. Apart from that, I was selected as one of the AWS Cloud Club Captains, where AWS selected 10 students from India and 50 students around the globe back in 2023, and at that time I was selected. Also, I am a cloud security and DevSecOps enthusiast, learning and exploring this field.

So let's get started with our topic. The agenda of this particular session: first we will briefly introduce AWS serverless services, the services which are provided by AWS where we can deploy our applications. Then we will see the shared responsibility model for security: how security is implemented, what the responsibilities of the cloud provider are, as well as what the security-related responsibilities of the customer are. So this is something related to the shared responsibility model. After that, serverless services, and after that we will be seeing the top 10 vulnerabilities related to serverless applications, and one demo we will see, and see how we will be exploiting that particular injection vulnerability.

So let's get started. What is serverless, and why serverless? So is it no servers? Actually, servers are there, but we are not managing them; the cloud provider is managing servers for us and we are working on our application code. So it helps us to stay focused on building our application, building our business, rather than managing the infrastructure and patching or anything related to infrastructure management. So this is how serverless helps us to scale our business and focus more towards our product rather than infrastructure.

So here comes first the shared responsibility model, where AWS helps the customers to implement security, and later we'll see it for serverless. So AWS provides us with different services: compute, storage, database and networking. These are basic services. As well as that, the customer has some data, customer data. Also, AWS provides us with security services like encryption, or after that firewall, network, but it is our responsibility. So there come two things: security in the cloud and security of the cloud. Security in the cloud, that is our responsibility, where we are having our data; we have to configure that. And providing that particular service or compute, like these basic services, that is the AWS part.

Now what is different in serverless? How is it different in serverless? So when we execute Lambda functions, there is a service called AWS Lambda which we execute. In that, the customer writes the function code and libraries; those are the customer's responsibility, how he is going to write them. And the underlying infrastructure, or the compute services, execution environment, runtime environment, those things are managed by AWS. So we are independent; we can manage our product and focus on building our product.

Now coming to serverless: the first benefit was that we are able to take our idea to market very fast with serverless. As well, we need not worry about patching vulnerabilities, server management, critical stuff. Then lower cost, then adaptive scale: we can scale our applications, since we are not managing, AWS is directly managing, so we can directly scale our applications. Now a few AWS services include AWS Lambda, which we'll be seeing in this talk, how to exploit Lambda functions to gain access. Then there's something called API Gateway, DynamoDB, and there is a list of services which we can check on the AWS website.

Now how do these services actually work? For a brief introduction let us go through three services: AWS Lambda, API Gateway and Amazon Cognito. We'll go through a very basic introduction of these particular services and later we'll dive into the security vulnerabilities. So AWS Lambda basically provides us the ability to run our code without provisioning infrastructure; we need not worry about the infrastructure. Also we can write those particular Lambda functions in our languages, like using Node.js, Java or Python and other languages. Apart from that, AWS Lambda functions are deployed as a container, so those are encrypted with one of the services called Key Management Service, so hence your container and Lambda function is secure. Okay. Also there are different policies and different privileges that we can create which will help us to secure the Lambda functions. So this is from the defensive side; later let us dive into the offensive side of it.

So API Gateway: it is a fully managed service for creating, updating, publishing and maintaining secure APIs. So for API management we use this particular service. Then Amazon Cognito: this particular service is used for authorization and authentication. So it provides customer identity and access management for using that particular authentication and authorization service in your product.

Now there are some event sources. So how will this Lambda function get triggered, how will this particular Lambda function execute, how will this particular action happen? So there are some different event sources. One is the cloud storage events, that is S3 data events, or there are events for Azure and Google Cloud as well. Also NoSQL database events. So there are different sources: HTTP API calls, or there are messaging queues involved. So these events execute the Lambda functions, and where we execute a Lambda function, there something unusual happens and there is a vulnerability.

Now we will see the top 10 serverless risks. So first is injection, broken authentication, broken access control, insecure serverless deployment, sensitive data disclosure, then security misconfiguration, insecure third-party dependencies, insecure application and secret storage, inadequate monitoring and inadequate function monitoring and logging, and DoS. So let us dive deep into each of the vulnerabilities.

Now this is one of the use cases which we can exploit, for resume analytics basically. This particular Lambda function is there which is used for capturing your resume doc, then basically extracting the text and then generating resume analytics. Now here there is no input validation, and because of that the attacker will be able to upload any file, and again he will be able to get a shell. Now how to mitigate? So we shouldn't trust any input; we should always have input validation. Always we should provide least privileges. So there is a principle of least privileges, where we should give the least privileges required for that particular task to that particular role. Apart from that, if we have threat modeling, then we should consider all entry points, all events from where the event will trigger, for what particular purpose this Lambda function is written. So we should analyze everything at the threat modeling stage.

Now, broken authentication. So Amazon Cognito is basically used to implement authentication and authorization. So when the client tries to authenticate, basically the token gets verified through Amazon Cognito and authentication occurs. So here some misconfiguration occurs if it is not properly used by the developer, or if the developer creates his own authentication, so that is not recommended actually. So building your own authentication schemes is not recommended; we can directly use single sign-on or Cognito, so those particular things are recommended to mitigate this. After that, we should basically use secure API keys and certificates to authenticate and mitigate this issue.

Now broken access control. So what happens is that if we do not follow least privilege, there's an issue with the access control, because if you are giving access to all these three buckets then it is wrong, because the user or the person has to access some specific things, and we should give them specific access, else you might not know what will go wrong further. And giving access to all the resources is a wrong practice. So we can mitigate it: we can give a specific action that the user can put the object in the S3 bucket, and we are also mentioning the specific bucket in the policy. So this is one of the best practices, to use the least privilege principle.

Okay, so one is sensitive data exposure. So in this, while implementing that particular Lambda function or any function, you have accidentally stored the credentials there. So instead we should use Secrets Manager or a key manager, which we can use to rotate at a later stage. So we shouldn't hardcode our credentials.

Now security misconfigurations. So in this, basically, if you have not granted the least privilege, we are able to access the bucket, we are able to copy the bucket, because there is no permission; it's one of the misconfigurations. So we are able to use the random attacker profile and then we are able to copy all our bucket data of the S3 bucket.

Now there are possibilities that your application would be using any third-party dependencies. So those third-party dependencies should be used from a verified source. Basically, if they are consumed from any third-party source, we should be aware that it should be secure. So we should perform SCA, the software composition analysis, SAST, DAST, to basically prevent these types of further issues. Now mitigation: so first we should maintain an inventory list of software packages and dependencies. Also we should scan our vulnerable dependencies, so in each phase of the software development life cycle we can integrate security; that is DevSecOps also. Apart from that, we can remove the unnecessary dependencies which are not required by the serverless functions or those Lambda functions. After that, we should upgrade all the packages, or stay with the latest versions and apply all the relevant software patches.

Now insecure storage of secrets. So there are so many Lambda functions which we use during deployment of applications within the serverless stack, so these many Lambda functions would be using many secrets. So how to manage them? So instead we use a manager, and using that we can directly rotate the secret after a specific duration. Hence there will be no hardcoded secrets, no pushing to any repositories and nothing like that, so hence it will be stored securely. So this is one of the mitigations from AWS: this Lambda function can request the secrets from Secrets Manager, then Secrets Manager will basically decrypt the secret and transmit the secret. So here a service called Key Management Service is involved, for the key, for encryption and decryption purposes.

Now DoS. So there are different Lambda functions which have a time limit of 15 minutes, okay, so those are running in parallel. Now bots are there, so those are trying to put many requests upon the API Gateway, because your request is going through API Gateway. Now again, malicious requests will be taking all the resources, all the Lambda functions, so it will result in resource exhaustion. So to prevent it... basically it was one of the multipart parser vulnerable repos, so this function is vulnerable to DoS attack.

So let's get on with the demo, or I have recorded a video for you, so let's get started with the video. Okay, so I have recorded a demo and I have deployed a vulnerable application using CloudFormation. So CloudFormation is one of the infrastructure-as-code offerings provided by AWS. So here you can see I have deployed a particular vulnerable application. So this particular application takes a file; we upload a file and this will convert that particular file into HTML, meaning a Word document will be converted to HTML. So here is a document file which I have taken, and the URL is there. So we have uploaded it; we will press the submit button. So it's one of the input boxes. So we will press the submit button; before that we will use Burp Suite and turn intercept on, and we will intercept the particular request. We are able to see that we have intercepted the particular request, and we will send it to Repeater.

Now basically we are able to see the particular endpoint; there are different headers, X-Amazon request ID, API Gateway, these headers are there. So we are able to identify this particular application from the attacker's point of view: we do not know that at the back end we are using AWS. Right now the endpoint basically is of Amazon AWS, but in a real case it will be behind DNS. So how will the attacker basically get to know through these headers that this particular application is behind AWS or serverless services? Now we are able to see the text was converted to HTML; the Word document was converted to HTML. Now we will try to execute a command and check if we are able to exploit any injection vulnerability, and we will intercept that particular request. Okay, so we are able to echo that particular "hi". So again we will try what other commands we are able to use and if they get executed. Okay, so again we are able to get that we are able to execute the commands, and hence there is a command injection here. After that, later we'll be seeing how we will exploit the keys. So again we are able to get the id.

Now we will try to cat the /etc/passwd file and basically check for that particular file. So we are able to get the contents of the /etc/passwd file as well. Now after that we will check if we are able to get any environment variables as well. So if we are able to get the environment variables, we will get the access keys and we will log in to that particular AWS through the console, we will log in through the CLI to that particular AWS. So yes, we are able to see that we are getting the session token, we are getting basically the access keys, access key ID and everything we are able to get. So this is one of the misconfigurations, and now using these particular keys we can log in to that particular account, and again we, or the attacker, can basically launch the different P4 instances; those cost very high, and this will result in high billing for the organization. So this was a small demo which I recorded.

So moving further, some of the best practices. So we should follow the principle of least privilege, and we can use IAM access manager to verify; there's a feature of IAM access manager which will basically help us to verify all the permissions and all the accesses. After that we should use Secrets Manager; we shouldn't store any credentials in the Lambda functions or any of the code. After that we should use SCA tools to scan the dependencies. Also, if we are using API Gateway we should use DAST tools to scan. After that we should have a basic incident response process. Apart from that there are some security frameworks specifically for the serverless stack. So first is OWASP Top 10 Serverless, then AWS Startup Security Baseline, CIS Foundational Benchmark and the AWS Well-Architected Framework. So we should implement the controls specified in these particular frameworks. Apart from that we should continuously monitor our environment; there are services like CloudWatch, CloudTrail, Amazon Detective is there. So if any incident occurs, Detective will help us to detect if any incident is there, so what is the root cause of it; so it will help us to detect incidents.

Now references. So here we come towards the end of our talk, so let us connect over social media: LinkedIn, Twitter and my website. So towards the end of the talk, thank you everyone.
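The demo's document-to-HTML Lambda is exploitable because the uploaded file name reaches a shell, and the leaked environment variables carry the function's AWS credentials. The following is an added example, not the speaker's demo code, showing the vulnerable pattern beside a hardened handler that validates the name, runs the converter without a shell and strips the credentials from the child process; the `pandoc` converter, the `/tmp/uploads` directory and the API Gateway query-parameter event shape are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed example (not the talk's own demo code): only a bare file name
# that matches this pattern is accepted, so no path separators or shell
# metacharacters can reach the command line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.docx$")
UPLOAD_DIR = Path("/tmp/uploads")  # assumed: Lambda's writable scratch space


def vulnerable_command(filename: str) -> str:
    """The pattern behind the demo: user input spliced into a shell string.

    Anything after a shell separator in `filename` runs as a second command,
    which is how the demo reached the function's environment variables.
    """
    src = UPLOAD_DIR / filename
    return f"pandoc {src} -o {src}.html"  # meant for os.system / shell=True


def safe_argv(filename: str) -> list:
    """Validate the upload name and return an argv list for subprocess."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected file name")
    src = UPLOAD_DIR / filename
    # Defence in depth: the resolved path must stay inside UPLOAD_DIR.
    if src.resolve().parent != UPLOAD_DIR.resolve():
        raise ValueError("path escapes upload directory")
    return ["pandoc", str(src), "-o", str(src.with_suffix(".html"))]


def is_accepted(filename: str) -> bool:
    """True when the validator would let this upload name through."""
    try:
        safe_argv(filename)
        return True
    except ValueError:
        return False


def convert(filename: str) -> Path:
    """Run the converter without a shell and without the Lambda credentials."""
    argv = safe_argv(filename)
    # A list argv never invokes /bin/sh; a minimal env keeps AWS_ACCESS_KEY_ID,
    # AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN out of the child process.
    subprocess.run(argv, check=True, timeout=30, env={"PATH": "/usr/bin:/bin"})
    return Path(argv[-1])


def lambda_handler(event: dict, context=None) -> dict:
    """Assumed API Gateway proxy event: file name in a query parameter."""
    name = (event.get("queryStringParameters") or {}).get("filename", "")
    try:
        html = convert(name).read_text()
    except ValueError as exc:
        return {"statusCode": 400, "body": str(exc)}  # never reaches a shell
    return {"statusCode": 200, "headers": {"Content-Type": "text/html"}, "body": html}
```

Pair this with an execution role limited to the one bucket and action the function needs, so that even a bypassed validator yields credentials that cannot launch instances or copy other buckets.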