Money, secrets and mass exploitation: This research unveils a quarry of sensitive data stored in public AMIs.
As a best practice, AMI creators should not include credentials, including AWS account credentials, in published AMIs.
We wanted to scan all public AMIs, so our work completes Dolev's by covering the other 26+ AWS regions and the AMIs from Dolev's region that were left out.
While in theory we are scanning the AMI's volumes, in our case the backing EBS volume is not public by default just because the AMI is public.
Dig for secrets in every public AMI across every AWS region.
So we wanted to find out if there are secrets exposed in public AMIs by searching through all of them, have fun while doing it, and responsibly disclose the issue to the affected companies where that is the case.
This number represents all the public AMIs from the 27 AWS regions available in December 2023.
Well, we again assumed that there is no point in searching for secrets in AWS owned AMIs.
While our objective was not to reduce the number of AMIs, but rather to construct a list of high potential targets, seeing a more feasible number of AMIs gives us the hope that we can scan all the AMIs worth scanning.
Analyzing the remaining sample of AMIs, we noticed that we still had some AWS accounts with a large number of public AMIs.
Checking the owners with the most AMIs, we noticed that they are some kind of unofficial vendors, publishing new versions of their AMIs.
If a single AWS account owns more than X AMIs, then that AWS account is likely to be an unofficial vendor and we can exclude it.
In searching for that threshold, we checked how many unique AWS accounts are out there with a maximum of 25 public AMIs.
Imagine this: an AWS account has more than 50 public AMIs unintentionally left out there with source code, secrets, keys and so on.
We set this threshold of maximum 50 public AMIs per AWS account.
We removed 488 AWS accounts and their associated public AMIs.
To put things in perspective, on average each AWS account removed had about 2000 public AMIs.
We recommended that AWS put some limitations or throttling in place when multiple community AMIs are spawned in a short period of time from a single AWS account.
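The triage described above, as an added example in Python (not the authors' tooling): the AWS-owner and per-account-count filters run offline on constructed records, while the enumeration helper assumes the EC2 DescribeImages `is-public` filter via boto3 and a region list that you supply.

```python
"""Triage of public AMIs before secret scanning (added example, not the
research team's code). Sample records below are constructed, not real."""
from collections import Counter

# Placeholder for the account IDs that publish AWS-owned AMIs (constructed,
# NOT real IDs; the research skipped AWS-owned AMIs but lists no IDs).
AWS_OWNER_IDS = {"000000000000"}
MAX_AMIS_PER_OWNER = 50  # threshold chosen in the research above


def enumerate_public_amis(regions):
    """Collect {'ImageId', 'OwnerId', 'Region'} for every public AMI in the
    given regions (needs AWS credentials; assumed helper, not run offline)."""
    import boto3  # lazy import so the offline triage below needs no SDK
    images = []
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        resp = ec2.describe_images(
            Filters=[{"Name": "is-public", "Values": ["true"]}])
        for img in resp["Images"]:
            images.append({"ImageId": img["ImageId"],
                           "OwnerId": img["OwnerId"], "Region": region})
    return images


def triage(images, max_per_owner=MAX_AMIS_PER_OWNER, aws_owner_ids=AWS_OWNER_IDS):
    """Return (candidates, excluded_accounts): drop AWS-owned AMIs, then drop
    every account publishing more than max_per_owner public AMIs in total
    across regions, since such accounts are most likely vendors."""
    non_aws = [i for i in images if i["OwnerId"] not in aws_owner_ids]
    per_owner = Counter(i["OwnerId"] for i in non_aws)
    vendors = {owner for owner, n in per_owner.items() if n > max_per_owner}
    candidates = [i for i in non_aws if i["OwnerId"] not in vendors]
    return candidates, vendors


def sample_images():
    """Constructed inventory: 5 AWS-owned, 60 from a vendor-like account,
    3 from a small account (the kind worth scanning)."""
    mk = lambda owner, n, region: [{"ImageId": f"ami-{owner[:4]}{k:012d}",
                                    "OwnerId": owner, "Region": region}
                                   for k in range(n)]
    return (mk("000000000000", 5, "us-east-1")
            + mk("222222222222", 40, "us-east-1")
            + mk("222222222222", 20, "eu-west-1")
            + mk("111111111111", 3, "eu-west-1"))


if __name__ == "__main__":
    cands, excluded = triage(sample_images())
    print(len(cands), "candidate AMIs;", len(excluded), "accounts excluded")
```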
Finding the AMI of a company among 3.1 million public ones might be hard, but when scanning every public AMI, it surely won't be missed.
As Matei likes to say, what good is hiding your secrets in private repositories if the repositories are put in public AMIs?
This Cyber News was published on packetstormsecurity.com. Publication date: Thu, 09 May 2024 15:43:06 +0000