Amazon Web Services APIs can allegedly be exploited to steal user data – SiliconANGLE News

UPDATED 22:02 EDT / NOVEMBER 17 2020
by Duncan Riley
News of yet another company exposing its data to all and sundry on cloud storage is so normal now that you can pre-write the news and insert the name of the company. This time, however, Amazon Web Services Inc. itself allegedly allows hackers to get access to user data through its application programming interfaces.
The claim came Tuesday from security researchers at Unit 42, the cybersecurity research arm of Palo Alto Networks Inc. The researchers have detailed 22 APIs across 16 different AWS services that can be used to leak the AWS Identity and Access Management users and roles in arbitrary accounts.
AWS services that allegedly can be abused by attackers include Amazon Simple Storage, Amazon Key Management Service and Amazon Simple Queue Service. “A malicious actor may obtain the roster of an account, learn the organization’s internal structure and launch targeted attacks against individuals,” the researchers noted.
The cause of the issue is said to be that the AWS backend proactively validates all of the resource-based policies attached to resources such as S3 buckets and customer-managed keys. The researchers say that though this is a convenient feature, it can also be used to check whether an identity exists in an AWS account.
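The validation behaviour described above leaves a trace on the defender's side: each attempt to attach a resource policy naming a principal that does not exist is rejected, and the rejection is recorded in CloudTrail. The following is an added example (not Unit 42's tooling or AWS code) of detection logic that reads CloudTrail-style records and flags an identity that accumulates many such rejections in a short window. The event source and event names are real CloudTrail values; the `errorCode` and `errorMessage` strings, the identity ARNs and the timestamps are constructed for the example and should be checked against real logs before this is used as a rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-policy write calls whose server-side validation rejects a policy
# that names a non-existent principal. Event sources and names are real
# CloudTrail values; the set is an assumption about which calls to watch.
POLICY_WRITE_CALLS = {
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("kms.amazonaws.com", "PutKeyPolicy"),
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"),
}

def _event(ts, source, name, actor, error=None, message=None):
    """Build a constructed, minimal CloudTrail-style record (sample data)."""
    rec = {"eventTime": ts, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": actor}}
    if error:
        rec["errorCode"] = error
        rec["errorMessage"] = message
    return rec

# Constructed identities; account IDs and names are placeholders.
PROBER = "arn:aws:iam::111111111111:user/probe"
ADMIN = "arn:aws:iam::111111111111:user/admin"

# Constructed sample log: six rejections from one identity in two minutes,
# one isolated rejection from an administrator, and one successful call.
# The errorCode/errorMessage values are assumed, not taken from AWS docs.
SAMPLE_EVENTS = [
    _event("2020-11-17T18:00:05Z", "s3.amazonaws.com", "PutBucketPolicy", PROBER,
           "MalformedPolicy", "Invalid principal in policy"),
    _event("2020-11-17T18:00:20Z", "s3.amazonaws.com", "PutBucketPolicy", PROBER,
           "MalformedPolicy", "Invalid principal in policy"),
    _event("2020-11-17T18:00:41Z", "kms.amazonaws.com", "PutKeyPolicy", PROBER,
           "MalformedPolicyDocumentException", "Policy contains a statement with one or more invalid principals"),
    _event("2020-11-17T18:01:02Z", "kms.amazonaws.com", "PutKeyPolicy", PROBER,
           "MalformedPolicyDocumentException", "Policy contains a statement with one or more invalid principals"),
    _event("2020-11-17T18:01:30Z", "iam.amazonaws.com", "UpdateAssumeRolePolicy", PROBER,
           "MalformedPolicyDocument", "Invalid principal in policy"),
    _event("2020-11-17T18:02:10Z", "s3.amazonaws.com", "PutBucketPolicy", PROBER,
           "MalformedPolicy", "Invalid principal in policy"),
    _event("2020-11-17T17:30:00Z", "s3.amazonaws.com", "PutBucketPolicy", ADMIN,
           "MalformedPolicy", "Invalid principal in policy"),
    _event("2020-11-17T18:03:00Z", "s3.amazonaws.com", "PutBucketPolicy", ADMIN),
]

def is_rejected_principal(rec):
    """True if this record is a watched policy write rejected over its principal."""
    key = (rec.get("eventSource"), rec.get("eventName"))
    if key not in POLICY_WRITE_CALLS or "errorCode" not in rec:
        return False
    # Matching on the word "principal" in the message is an assumption.
    return "principal" in (rec.get("errorMessage") or "").lower()

def find_probe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor_arn: max rejections inside any `window`} for actors at or
    above `threshold`. A sliding window over the sorted timestamps is used so
    a slow, spread-out trickle of rejections does not accumulate forever."""
    times = defaultdict(list)
    for rec in events:
        if is_rejected_principal(rec):
            t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            times[rec["userIdentity"]["arn"]].append(t)
    hits = {}
    for actor, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[actor] = best
    return hits

if __name__ == "__main__":
    for actor, count in find_probe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} rejected policy writes within 10 minutes")
```

The threshold and window are tuning knobs: a single rejected policy write is routine (typos in ARNs happen), so the rule looks for volume from one identity. Because the probing call can originate from an attacker-controlled account, this detects the activity only in the account where the policy writes are made, which is useful for spotting a compromised identity in your own environment rather than enumeration from outside.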
In a recent Red Team exercise, Unit 42 researchers said, they “compromised a customer’s cloud account with thousands of workloads using a misconfigured IAM role identified by this technique.”
Reached by SiliconANGLE, AWS declined to provide a statement on the report.
“APIs are fast becoming the vehicle for customer experience personalization,” Setu Kulkarni, vice president, strategy at application security provider WhiteHat Security Inc., told SiliconANGLE. “These APIs in question dramatically reduce the effort required by organizations to build cloud-based and cloud-native applications. However, APIs are a double-edged sword – when implemented poorly, they provide unprecedented access to core transactional business systems.”
In this case, he said, the implementation of error and exception handling creates an inadvertent opportunity to exploit a combination of the APIs to get access to account information.
“Often, API security is narrowly and wrongly defined to only include API management,” he explained. “API security should include API security testing to make sure that the APIs do not suffer from AppSec vulnerabilities. One may even argue that API security testing should also include ‘business logic assessments.’ They provide organizations the visibility into how a poorly designed API can reveal information that can be used as input into another API to get unprecedented access into not just more customer data but also to executing functionality on behalf of the customer.”
Charles Ragland, security engineer at digital risk software firm Digital Shadows Ltd., noted that appropriately configuring identity and access management policies can be complicated and time-consuming.
“The research performed by Unit 42 demonstrates what is possible when an IAM policy is misconfigured and leaking information,” Ragland said. “An organization’s DevOps team could use one of the available IAM configuration auditing tools to look for potential weaknesses or misconfigurations and mitigate them before they become an issue in an ideal world.”
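The kind of audit Ragland refers to can be reduced to a small check over role trust policies, since a role that any account can assume is the misconfiguration that turns a known role name into a foothold. The following is an added example, not code from Unit 42, Digital Shadows or AWS, that audits IAM trust-policy documents for principals of `*`, for trust of accounts outside an allow-list, and for cross-account trust that carries no Condition at all. The role names, account IDs and policy documents are constructed; the `audit_trust_policy` and `audit_all` names are the example's own.

```python
# Constructed account IDs (placeholders, not real accounts).
OWN_ACCOUNT = "111111111111"
TRUSTED_ACCOUNTS = {"222222222222"}

def _principals(stmt):
    """Return the list of AWS principals named in a statement."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def _account_of(principal):
    """Extract the 12-digit account ID from an ARN or bare account string."""
    if principal == "*":
        return None
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None

def audit_trust_policy(role_name, doc, own_account, trusted_accounts=()):
    """Return a list of human-readable findings for one role's trust policy."""
    findings = []
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.startswith("sts:") for a in actions):
            continue
        has_condition = bool(stmt.get("Condition"))
        for p in _principals(stmt):
            if p == "*":
                if has_condition:
                    findings.append(f"{role_name}: Principal '*' guarded only by a Condition; review it")
                else:
                    findings.append(f"{role_name}: any AWS principal may assume this role (Principal '*', no Condition)")
                continue
            acct = _account_of(p)
            if acct is None or acct == own_account:
                continue
            if acct not in trusted_accounts:
                findings.append(f"{role_name}: trusts account {acct} that is not on the allow-list ({p})")
            elif not has_condition:
                findings.append(f"{role_name}: cross-account trust of {acct} without a Condition (e.g. sts:ExternalId)")
    return findings

def audit_all(roles, own_account, trusted_accounts=()):
    """Audit a {role_name: trust_policy} mapping; returns {role_name: findings}."""
    return {name: audit_trust_policy(name, doc, own_account, trusted_accounts)
            for name, doc in roles.items()}

# Constructed sample trust policies.
SAMPLE_ROLES = {
    "deploy-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
    "vendor-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
    "open-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "*"}}]},
    "mystery-role": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Principal": {"AWS": "333333333333"}}},
}

if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_ROLES, OWN_ACCOUNT, TRUSTED_ACCOUNTS).items():
        print(role, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In practice the documents would come from `iam:ListRoles` / `iam:GetRole` output rather than literals, and the allow-list would be the organization's own account inventory. The check is deliberately conservative: a `*` principal with a Condition is still reported, because whether the Condition actually restricts the caller has to be judged by a person.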