AWS recently patched undocumented IAM APIs that bypassed CloudTrail logging. The vulnerability allowed a malicious user to perform reconnaissance activities on IAM without recording events in CloudTrail or being detected by Amazon GuardDuty.
Last year the security research team at Datadog identified a subset of undocumented IAM API requests that were not logged in CloudTrail, the managed service enabling governance, compliance, operational auditing, and risk auditing on AWS. Nick Frichette, senior security researcher at Datadog, explains:
Being able to bypass CloudTrail logging and getting the results of those calls has serious implications for defenders because it limits their ability to track what an adversary has done in an environment and what actions they have taken. Furthermore, this technique also makes it possible to bypass GuardDuty for findings such as IAMUser/AnomalousBehavior, because GuardDuty uses CloudTrail as a data source, and it cannot alert on something it cannot see.
The issue impacted third-party tools and platforms that depend on CloudTrail logs to monitor account activity, including Datadog itself. Frichette describes how the vulnerability was detected:
A straightforward (albeit slow) way to find undocumented APIs is to monitor network traffic in a web browser’s developer tools. (...) By monitoring this activity, you may notice API calls to unusual or undocumented services. While using the AWS Console, we noticed several requests to a service called iamadmin.
Source: https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/
Undocumented APIs are an important focus in cloud security: security researchers at Rhino Security Labs recently identified an undocumented API for AWS CodeStar that could be used to escalate privileges in an AWS account. In a "Blind Spots in the Cloud" article, Spencer Gietzen, cloud security researcher at CrowdStrike, suggests:
To prevent undocumented APIs from being used maliciously in your environment, it is important to grant permissions on a granular level. That means: Do not grant permissions using wildcards (such as using a * in AWS), and do not use managed permissions sets, as they are often overly permissive.
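One way to operationalise that advice is to lint IAM policy documents before they are attached, flagging wildcard grants and AWS managed policies. The following checker is an added example written for this article; it is not code from Datadog, CrowdStrike, Rhino Security Labs or AWS. The two policy documents, the account id and the policy ARNs it inspects are constructed samples, and the checker only walks the policy JSON and makes no AWS API calls.

```python
"""Lint IAM policy documents for the over-broad grants the quoted advice warns about.

Added example, not part of the original article. Sample policies, account id
and ARNs below are constructed; the checker inspects policy JSON only.
"""
import json
from typing import Any, List

# Constructed sample: the kind of policy the advice says not to write.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:*"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed sample: the same intent, granted at a granular level.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetUser", "iam:ListUserPolicies"],
            "Resource": "arn:aws:iam::123456789012:user/app-service",
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/config/*",
        },
    ],
}

# AWS managed policies all live under the "aws" pseudo-account prefix.
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: dict) -> List[str]:
    """Return one finding per wildcard action, wildcard resource or NotAction
    in an Allow statement. Deny statements are skipped: a wildcard there
    narrows access rather than widening it."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Allow + NotAction grants everything except the listed actions,
        # which is broader than any explicit wildcard.
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            # Only a bare "*" is flagged; a path wildcard inside an ARN is
            # still scoped to one bucket, role path, etc.
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def find_wildcard_grants_in_json(text: str) -> List[str]:
    """Convenience wrapper for a policy document stored as a JSON string."""
    return find_wildcard_grants(json.loads(text))


def is_aws_managed(policy_arn: str) -> bool:
    """True for AWS managed policies, which the advice says to avoid attaching."""
    return policy_arn.startswith(AWS_MANAGED_PREFIX)


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcard_grants(policy) or "ok")
    for arn in ("arn:aws:iam::aws:policy/AdministratorAccess",
                "arn:aws:iam::123456789012:policy/AppReadOnly"):
        print(arn, "AWS managed" if is_aws_managed(arn) else "customer managed")
```

Run it as a pre-attach check in CI or wire `find_wildcard_grants_in_json` to the policy documents returned by an inventory export; the checker is deliberately conservative about resource ARNs so that a path wildcard scoped to one bucket is not reported as an over-grant.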
Radware's latest State of API Security Survey suggests that the threat of undocumented APIs is underestimated:
62% of those surveyed admit a third or more of APIs are undocumented.
According to the disclosure timeline provided by Datadog, researchers reported the issue to AWS in March 2022, and AWS worked for many months on different internal changes to align the CloudTrail logging and fix the iamadmin calls. While some users question the long disclosure timeline, user synackk comments on Reddit:
A logging bypass on a read-only API is also not an omega bad exploit that requires all hands on deck to fix. The iamadmin APIs still required authentication and authorization to use.
AWS has not made any public statement regarding the vulnerability or its resolution.