Palo Alto Networks researchers reported that they found 22 Amazon Web Services (AWS) APIs across 16 AWS services that can be abused to leak information about identities in other customers' accounts. According to the researchers, this class of AWS APIs can be misused to enumerate AWS Identity and Access Management (IAM) users and roles in arbitrary accounts across all three AWS partitions (aws, aws-us-gov and aws-cn).
“APIs are fast becoming the vehicle for customer experience personalization. These APIs in question dramatically reduce the effort required by organizations to build cloud-based and cloud-native applications. However, APIs are a double-edged sword – when implemented poorly, they provide unprecedented access to core transactional business systems,” said Setu Kulkarni, vice president, strategy at application security provider WhiteHat Security Inc.
AWS services that can potentially be abused in this way include Amazon Simple Queue Service (SQS), AWS Key Management Service (KMS) and Amazon Simple Storage Service (S3). An attack begins with the adversary obtaining a list of the IAM users and roles that exist in the target account. With that list in hand, the attacker can map the organization's internal structure (team names, service roles, privileged accounts) and then launch targeted attacks, such as phishing or credential stuffing, against specific individuals and identities.
“Often, API security is narrowly and wrongly defined to only include API management,” said Setu Kulkarni. “API security should include API security testing to make sure that the APIs do not suffer from AppSec vulnerabilities. One may even argue that API security testing should also include ‘business logic assessments.’ They provide organizations the visibility into how a poorly designed API can reveal information that can be used as input into another API to get unprecedented access into not just more customer data but also to executing functionality on behalf of the customer.”
The root cause is that the AWS backend proactively validates every resource-based policy attached to resources such as customer-managed KMS keys and S3 buckets at the moment the policy is set. Resource-based policies typically contain a Principal field that names the identities allowed (or denied) access to the resource, and the backend checks that each named principal actually exists: a policy that references a non-existent IAM user or role is rejected, while one that references an existing identity is accepted. The researchers note that although this validation is a useful feature, the accept-or-reject outcome doubles as an oracle for whether a given identity exists in any AWS account. Policy validation is an AWS feature intended to help customers catch mistakes in their policies before they take effect.
While most customers benefit from this feature, an adversary can just as easily use it for reconnaissance against another account. Because the probing policy is attached to a resource the attacker controls, every API call is made against the attacker's own account; the targeted account receives no noticeable log entry, which, according to the researchers, is what makes detecting and deterring identity reconnaissance by this method so hard.
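To make the oracle described above concrete, here is an added example (not Unit 42's tooling and not AWS code) that models the mechanism with a constructed, offline stand-in for the AWS backend. It assumes only what the article states: a resource-based policy whose Principal does not exist is refused, one whose Principal exists is accepted, and the calls land in the prober's own account. The SQS queue ARN, the account IDs, the role name `Deploy`, the `Deny` effect in the probe and the boto3 call mentioned in a comment are all assumptions for illustration. Running this against accounts you do not own is unauthorized reconnaissance; the point here is to show defenders why their CloudTrail stays silent.

```python
import json
import re
from dataclasses import dataclass, field

# IAM user/role ARN in any of the three partitions named in the article.
IAM_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):(user|role)/[\w+=,.@/-]+$")


class PolicyRejected(Exception):
    """Raised by the policy endpoint when the backend refuses the document."""


def build_probe_policy(principal_arn: str, resource_arn: str) -> str:
    """Resource-based policy naming a single candidate Principal.

    Effect is Deny so that an accepted probe grants nothing. This assumes the
    backend validates the Principal regardless of Effect (assumption of this example).
    """
    document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PrincipalExistenceProbe",
                "Effect": "Deny",
                "Principal": {"AWS": principal_arn},
                "Action": "sqs:SendMessage",
                "Resource": resource_arn,
            }
        ],
    }
    return json.dumps(document)


def probe_principal(put_policy, principal_arn: str, resource_arn: str) -> bool:
    """True if the backend accepted the policy (principal exists), False if it rejected it.

    put_policy is any callable that sends a policy document to a resource the caller
    controls, e.g. with boto3 (assumption, not exercised here):
        lambda doc: sqs.set_queue_attributes(QueueUrl=url, Attributes={"Policy": doc})
    """
    if not IAM_ARN.match(principal_arn):
        raise ValueError(f"not an IAM user/role ARN: {principal_arn}")
    try:
        put_policy(build_probe_policy(principal_arn, resource_arn))
    except PolicyRejected:
        return False
    return True


def enumerate_principals(put_policy, account_id: str, names, resource_arn: str,
                         partition: str = "aws") -> list:
    """Try each candidate name as both a role and a user; return the ARNs the backend accepted."""
    found = []
    for name in names:
        for kind in ("role", "user"):
            arn = f"arn:{partition}:iam::{account_id}:{kind}/{name}"
            if probe_principal(put_policy, arn, resource_arn):
                found.append(arn)
    return found


@dataclass
class FakePolicyEndpoint:
    """Constructed stand-in for the AWS backend, modelling only what the article states:
    a policy whose Principal does not exist is refused, and every call is recorded
    against the PROBING account's resource, never the target account's."""
    existing_principals: set = field(default_factory=set)
    log: list = field(default_factory=list)  # what the prober's own account would see

    def put_policy(self, document: str) -> None:
        statement = json.loads(document)["Statement"][0]
        arn = statement["Principal"]["AWS"]
        self.log.append(("SetQueueAttributes", arn))  # logged in the prober's account only
        if arn not in self.existing_principals:
            raise PolicyRejected(f"Invalid principal in policy: {arn}")


if __name__ == "__main__":
    # Constructed data: the "target" account 123456789012 has exactly one role, Deploy.
    backend = FakePolicyEndpoint({"arn:aws:iam::123456789012:role/Deploy"})
    queue = "arn:aws:sqs:us-east-1:111111111111:probe-queue"  # prober-owned, hypothetical
    print(enumerate_principals(backend.put_policy, "123456789012", ["Deploy", "Admin"], queue))
    print(len(backend.log), "calls, all recorded under account 111111111111, none under 123456789012")
```

The detection lesson is in the last line: the only records the probe produces belong to the account that owns the queue. A defender in the target account cannot alert on this; the practical mitigations are to avoid guessable user and role names and to retire unused identities, so that a wordlist finds little.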