The security team at Datadog recently disclosed a security issue on AWS where non-production endpoints were used as an attack surface to silently perform permission enumeration. AWS has since remediated these specific bypasses.
According to the announcement, Datadog identified two new scenarios in June 2023 for bypassing AWS CloudTrail: using certain non-production endpoints with API actions that access account-level information, and using API calls that generate multiple events in CloudTrail. Nick Frichette, staff security researcher at Datadog, explains:
We determined that non-production AWS API endpoints could be used for permission enumeration without logging to CloudTrail. Since our initial public disclosure of this technique, we have collaborated closely with AWS to illustrate how adversaries could leverage this method to stealthily assess the privileges of compromised credentials.
The research highlights that attackers can exploit misconfigurations and vulnerabilities in these non-production endpoints, often overlooked in security measures, to gain unauthorized access, escalate privileges, and potentially compromise production environments.
Since the issue was reported to AWS, the cloud provider has remediated two specific bypasses, releasing a fix last September for the CloudTrail bypass in AWS Cost Explorer (ce:GetCostAndUsage) and the one in Route 53 (route53resolver:ListFirewallConfigs). The AWS Security Outreach team requested delaying the publication of Datadog's findings until additional mitigation processes were rolled out. Corey Quinn, chief cloud economist at The Duckbill Group, comments:
AWS Security dragged its feet for 11 months on this vulnerability disclosure. What the hell is going on over there?
Frichette, for his part, emphasizes the importance of securing all endpoints, including those considered low-risk or used for testing and development, to prevent security breaches:
While this specific example is no longer vulnerable, it is important to note that there are thousands of non-production endpoints, any number of which could exhibit similar behavior. Aside from bypassing CloudTrail, non-production endpoints have an additional potential use case when it comes to defense evasion: event source obfuscation.
The cloud provider acknowledges the vulnerability:
For isolated non-production endpoints that do not log to CloudTrail but are otherwise callable with normal credentials and exhibit normal IAM permission behavior, AWS considers the CloudTrail logging bypass of such endpoints also to be a security issue.
At the same time, AWS highlights that not every endpoint must be remediated:
Non-production endpoints that have access to production resources but generate CloudTrail events that do not match the events generated by the standard endpoint will not be remediated unless it is unclear what service and operation is involved.
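As an added example that is not part of the article, Datadog's research or any AWS tooling, the check below takes the defensive reading of that criterion: it scans CloudTrail records for a known API operation logged under an eventSource other than the one its standard endpoint produces (the "event source obfuscation" Frichette mentions). The baseline mapping and the sample log are constructed for illustration, and the non-standard hostname in the sample is a placeholder, not a real AWS endpoint.

```python
"""Added example, not from the Datadog research or AWS documentation: scan
CloudTrail records for "event source obfuscation", i.e. a known API call
logged under an eventSource other than the one its standard endpoint emits."""
import json

# Baseline of eventName -> eventSource for the standard endpoints. The two
# entries correspond to the IAM actions named in the article; in practice this
# map is built from an account's own historical CloudTrail data.
EXPECTED_SOURCE = {
    "GetCostAndUsage": "ce.amazonaws.com",
    "ListFirewallConfigs": "route53resolver.amazonaws.com",
}

def find_source_mismatches(records):
    """Return one finding per record whose eventSource differs from the
    baseline for its eventName. Event names absent from the baseline are
    skipped: the check only has meaning where the expected source is known."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        expected = EXPECTED_SOURCE.get(name)
        if expected is None or rec.get("eventSource") == expected:
            continue
        findings.append({
            "eventID": rec.get("eventID"),
            "eventName": name,
            "observed": rec.get("eventSource"),
            "expected": expected,
            "arn": rec.get("userIdentity", {}).get("arn"),
        })
    return findings

# Constructed sample in CloudTrail's {"Records": [...]} file layout. The
# non-standard eventSource on ev-2 is a placeholder, not a real AWS hostname.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "ev-1", "eventName": "GetCostAndUsage",
     "eventSource": "ce.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst"}},
    {"eventID": "ev-2", "eventName": "GetCostAndUsage",
     "eventSource": "nonprod-placeholder.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst"}},
    {"eventID": "ev-3", "eventName": "ListFirewallConfigs",
     "eventSource": "route53resolver.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ops"}},
]})

def scan_log(raw_json):
    """Parse a CloudTrail log file body and return the mismatch findings."""
    return find_source_mismatches(json.loads(raw_json)["Records"])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['eventID']}: {f['eventName']} logged by {f['observed']}, "
              f"expected {f['expected']} (identity {f['arn']})")
```

Calls that reach an endpoint which logs nothing at all leave no record to inspect, so this check only covers the second behaviour described in the article; the first still requires out-of-band controls such as IAM restrictions and network egress policy.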
Along with the announcement, Datadog released a video documenting how the vulnerabilities were discovered. This is not the only disclosure from Datadog this year; the recent article "Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover" covers a vulnerability in AWS Amplify that exposed IAM roles associated with projects.