avatarTeri Radichel

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

3360

Abstract

y encryption controls.</li></ul><div id="0167" class="link-block"> <a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/restore.html"> <div> <div> <h2>Restoring from an Amazon EBS snapshot or an AMI</h2> <div><h3>undefined</h3></div> <div><p>undefined</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div> </div> </div> </a> </div><ul><li>If a developer has permission to detach a volume then they could attach it to a different host.</li></ul><div id="84ed" class="link-block"> <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html"> <div> <div> <h2>Detach an Amazon EBS volume from a Linux instance</h2> <div><h3>undefined</h3></div> <div><p>undefined</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div> </div> </div> </a> </div><div id="5348" class="link-block"> <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html"> <div> <div> <h2>Attach an Amazon EBS volume to an instance</h2> <div><h3>undefined</h3></div> <div><p>undefined</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div> </div> </div> </a> </div><ul><li>If a user has permission to change the security groups on an instance (which is part of the ec2.* permission set) then they can add their own user-specific security group to a different ec2 instance.</li></ul><div id="a248" class="link-block"> <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#changing-security-group"> <div> <div> <h2>Work with security groups</h2> <div><h3>undefined</h3></div> <div><p>undefined</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div> </div> </div> </a> </div><p id="93fc"><b>No resource policies for EC2 instances or Security Groups</b></p><p id="0d8f">EC2 instances do not offer resource policies. Neither do security groups. (#awswishlist). I have wished that you could apply policies to networking since I was working on the Capital One cloud network and cloud engineering teams.</p><p id="7df2">When I implemented the networking for bastion hosts and a proxy on AWS these hosts needed direct access to other networks. Anyone with permission to change the security groups and networking or deploy a new EC2 instance (VM) could deploy it in that networking with broad access.</p><p id="4c5e">In fact, I remember when the person who approved network security changes noticed that someone had put security groups associated with different

Options

tiers in a three tier network to their EC2 instance. He wasn’t too happy. I think our NACLs and routes would have helped somewhat but he was worried that the person had effectively created a proxy to bypass our networking standards.</p><p id="af53"><b>User-Specific and zero-trust IAM Policies for EC2 Instance Actions</b></p><p id="5b69">This is where your IAM policies can help you. You’d want to disallow risky actions or limit them to an VM with a name that matches the user taking the action.</p><ul><li>Disallow users from taking EC2 actions on any instance but one that matches a particular naming convention (and make sure they cannot soehow bypass the naming convention)</li><li>Disallow users from reassigning security groups to those they shouldn’t be able to use.</li><li>Disallow EC2 deployments with SSH access to any IP other than their own via their own user-specific SSH security group.</li><li>Disallow attaching and reattaching volumes or making snapshots unless required.</li><li>Leverage an automated backup process — that is not associated with a single user’s credentials! (Yes, I’ve seen that. I won’t say where.)</li><li>Be cautious in your architecture regarding who can get to or leverage the backup credentials. This also helps you protect against ransomware infecting all your backups.</li><li>Make sure users cannot assign permissions greater than their own to an EC2 instance.</li></ul><p id="fb16">I’m not going to write the code to protect against all of the above right now, but something to consider when trying to protect your EC2 resources.</p><p id="b122">The next post will cover saving money when you start EC2 instances by automatically stopping them if they don’t need to be running immediately.</p><p id="0cbc">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2022</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="5a42"><pre>Follow <span class="hljs-keyword">for</span> more stories like <span class="hljs-keyword">this</span>:

❤️ Sign Up my Medium Email List ❤️ Twitter: <span class="hljs-meta">@teriradichel</span> ❤️ LinkedIn: https:<span class="hljs-comment">//www.linkedin.com/in/teriradichel</span> ❤️ Mastodon: <span class="hljs-meta">@teriradichel</span><span class="hljs-meta">@infosec</span>.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="faf5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

Bypassing the User-Specific Restrictions We Created for Cloud VMs

ACM.116 Other security controls and policies to consider for user-specific EC2 instances

Part of my series on Automating Cybersecurity Metrics. The Code.

Free Content on Jobs in Cybersecurity | Sign up for the Email List

In the last post we created a user-specific EC2 instance.

Now that we have deployed our user-specific VM we can think about how the controls we put in place may be bypassed.

We have created a number of restrictions to try to lock down access to a VM to a single user.

As it is now:

  • We only have one SSH key associated with the instance for the specific user that is allowed to login to that instance.
  • The security group only allows that specific user’s IP address to access the instance (in the scenario where you have remote users and each user has a different remote IP address.)
  • If one user tries to log into another user’s instance, their SSH key won’t work.
  • They won’t be able to get through the network controls.

What could a user do to get around these restrictions?

  • As explained in a prior post there is a way to add or change an SSH key. If the user can swap out an SSH key on an EC2 instance with their own, they could login.
  • If a user in the developer group has backup and restore permissions they might be able to back up a volume and attach it to their own instance. Since we created a single KMS key for all members of the developer user group, they would not be restricted by encryption controls.
  • If a developer has permission to detach a volume then they could attach it to a different host.
  • If a user has permission to change the security groups on an instance (which is part of the ec2.* permission set) then they can add their own user-specific security group to a different ec2 instance.

No resource policies for EC2 instances or Security Groups

EC2 instances do not offer resource policies. Neither do security groups. (#awswishlist). I have wished that you could apply policies to networking since I was working on the Capital One cloud network and cloud engineering teams.

When I implemented the networking for bastion hosts and a proxy on AWS these hosts needed direct access to other networks. Anyone with permission to change the security groups and networking or deploy a new EC2 instance (VM) could deploy it in that networking with broad access.

In fact, I remember when the person who approved network security changes noticed that someone had put security groups associated with different tiers in a three tier network to their EC2 instance. He wasn’t too happy. I think our NACLs and routes would have helped somewhat but he was worried that the person had effectively created a proxy to bypass our networking standards.

User-Specific and zero-trust IAM Policies for EC2 Instance Actions

This is where your IAM policies can help you. You’d want to disallow risky actions or limit them to an VM with a name that matches the user taking the action.

  • Disallow users from taking EC2 actions on any instance but one that matches a particular naming convention (and make sure they cannot soehow bypass the naming convention)
  • Disallow users from reassigning security groups to those they shouldn’t be able to use.
  • Disallow EC2 deployments with SSH access to any IP other than their own via their own user-specific SSH security group.
  • Disallow attaching and reattaching volumes or making snapshots unless required.
  • Leverage an automated backup process — that is not associated with a single user’s credentials! (Yes, I’ve seen that. I won’t say where.)
  • Be cautious in your architecture regarding who can get to or leverage the backup credentials. This also helps you protect against ransomware infecting all your backups.
  • Make sure users cannot assign permissions greater than their own to an EC2 instance.

I’m not going to write the code to protect against all of the above right now, but something to consider when trying to protect your EC2 resources.

The next post will cover saving money when you start EC2 instances by automatically stopping them if they don’t need to be running immediately.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
AWS
Ec2
Zero Trust
Cloud Security
Cybersecurity
Recommended from ReadMedium