A lead security engineer at a software blue chip has open sourced a powerfully useful tool designed to help users shore up their cloud security. The freely available tool lets users identify AWS resources whose permissions are too loose, then backdoor those resources to an outside principal of the user's choosing, to demonstrate how easy it is to get cloud security wrong -- and to help fix it.
Dubbed "Endgame" and freely available on GitHub, the tool demonstrates "with a bit of shock and awe", as the repo's guide puts it, "how simple human errors in excessive permissions (such as granting s3:* access instead of s3:GetObject) can be abused by attackers". The release is also designed to push AWS's security team to broaden the service coverage of AWS's own IAM Access Analyzer, which has limitations.
Endgame can be used against IAM roles, S3 buckets, Elasticsearch domains, Glacier vault access policies, CloudWatch resource policies, ECR container repositories, and more. One cloud expert told The Stack: "As an example of what can happen when credentials get compromised and the policy is overpermissive, even a simple s3:* can allow you to backdoor S3 buckets, or a kms:* can allow you to backdoor the usage of your encryption keys to rogue accounts. This kind of overpermissioning happens at every organization." The mechanism is mundane: a wildcard such as s3:* or kms:* silently includes the policy-writing actions (s3:PutBucketPolicy, kms:PutKeyPolicy), and rewriting a resource policy to name an outside account is all it takes to hand that account the data or the key.
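To make the wildcard point concrete, here is an added example (not code from the Endgame repository) that audits an IAM identity policy for grants of the resource-policy-writing actions an attacker needs, and builds the bucket policy such an attacker could then install. The action list, the policy shapes and the sample policies are this example's own assumptions and constructed inputs; the check ignores conditions and NotAction, so it can only under-report.

```python
"""Added example, not Endgame's own code: find wildcard grants of the
actions that let an attacker backdoor a resource, and show the resulting
bucket policy. Action list and sample policies are assumptions."""
import fnmatch
import json

# A selection of resource-policy-writing API actions. Holding any of these
# on a resource lets you grant an outside principal access to it. This is
# an assumed, non-exhaustive list for illustration.
EXPOSURE_ACTIONS = [
    "s3:PutBucketPolicy",
    "kms:PutKeyPolicy",
    "iam:UpdateAssumeRolePolicy",
    "ecr:SetRepositoryPolicy",
    "lambda:AddPermission",
    "sqs:AddPermission",
    "sns:AddPermission",
    "glacier:SetVaultAccessPolicy",
    "logs:PutResourcePolicy",
    "secretsmanager:PutResourcePolicy",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_exposure_actions(policy):
    """Exposure actions an identity policy allows, after explicit Denies.

    Conditions, NotAction and resource scoping are ignored (assumption for
    brevity): a conditional or narrowly scoped Allow still counts as a grant.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for exposure in EXPOSURE_ACTIONS:
                if action_matches(pattern, exposure):
                    target.add(exposure)
    return allowed - denied  # an explicit Deny always wins in IAM


def backdoor_bucket_policy(bucket_name, evil_principal):
    """Bucket policy an attacker holding s3:PutBucketPolicy can install.

    evil_principal is an ARN like arn:aws:iam::123456789012:root, or '*' to
    make the bucket public. A real attacker would keep the existing
    statements so nothing visibly breaks; this shows only the added grant.
    Statement shape is an assumption, not Endgame's exact output.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Backdoor",
            "Effect": "Allow",
            "Principal": {"AWS": evil_principal},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket_name}",
                         f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


# Constructed sample identity policies (not from any real account).
OVERPERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:*"], "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"],
     "Resource": "*"}]}
DENY_GUARDED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("s3:*/kms:*", OVERPERMISSIVE),
                      ("GetObject/Decrypt", LEAST_PRIVILEGE),
                      ("s3:* with Deny", DENY_GUARDED)]:
        print(f"{name}: {sorted(granted_exposure_actions(pol))}")
    print(json.dumps(backdoor_bucket_policy(
        "victim-bucket", "arn:aws:iam::999988887777:root"), indent=2))
```

Run it and the s3:*/kms:* policy reports s3:PutBucketPolicy and kms:PutKeyPolicy, while the GetObject/Decrypt policy reports nothing: the data-access grants the author presumably intended are identical, only the wildcard differs. The third policy shows the cheap mitigation when wildcards cannot be removed quickly: an explicit Deny on the policy-writing actions.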
Endgame has been released alongside some comprehensive notes for AWS that include a plea to expand service support. (Access Analyzer "helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity", as AWS puts it, but it "does NOT support auditing 11 out of the 18 services that Endgame attacks", as McQuade points out in the Endgame repo.)
AWS security expert Scott Piper noted to The Stack: "Access Analyzer can only identify six resource types as being public, of roughly two dozen on AWS that can be made public, which is super annoying as most can be identified in the same way as those six, or even more easily for a few."
A free AWS pentesting tool: careful, now.
"To expose every exposable resource, run the following command", the instructions cheerfully note: a dry run first, then the real thing, then the undo.
endgame smash --service all --dry-run
endgame smash --service all
endgame smash --service all --undo
The README adds a warning: "If you supply the argument --evil-principal * or the environment variable EVIL_PRINCIPAL=*, it will expose the account to the internet. If you do this, it is possible that an attacker could assume your privileged IAM roles, take over the other supported resources present in that account, or incur a massive bill. As such, you might want to set --evil-principal to your own AWS user/role in another account."
"AWS Resource Exposure Attacks are not new - but AWS's ability to detect and prevent these attacks falls short of what customers need to protect themselves", the Endgame team said. While Red Teamers may have a blast with the tool, Blue Teams can also tap its guidance around user-agent detection, API call detection, and behavioral detection (as outlined in the repo's guidance) to dramatically improve their cloud security posture. The release is a powerful reminder of how the open source community can contribute to positively strengthening the security of even some of the best known and well-resourced organisations.
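As an added example of the API-call detection side (this is not code from the Endgame repository or from AWS), the function below scans CloudTrail events for resource-policy writes that admit a principal from outside the account, and separately flags a tooling user agent. The eventName-to-parameter mapping, the user-agent list and the sample events are constructed for this example; check the Endgame README for the user-agent string the tool actually sends, and treat user-agent matching as a cheap tripwire only, since any client can set that header to whatever it likes.

```python
"""Added example, not Endgame's or AWS's code: flag CloudTrail events that
rewrite a resource policy to admit an outside principal, or that carry a
tooling user agent. Field names follow CloudTrail's layout; the mapping,
the user-agent list and the events are constructed for this example."""
import json

# eventName -> requestParameters field carrying the new policy. Assumed,
# partial mapping; CloudTrail logs bucket policies as a JSON object and
# the others as a JSON string, so both shapes are handled below.
POLICY_FIELDS = {
    "PutBucketPolicy": "bucketPolicy",
    "PutKeyPolicy": "policy",
    "UpdateAssumeRolePolicy": "policyDocument",
    "SetRepositoryPolicy": "policyText",
}

# Substrings of user agents to alert on. Placeholder values; replace with the
# strings your own tooling inventory says should never appear in production.
SUSPICIOUS_USER_AGENTS = ("endgame",)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principals_in_policy(policy):
    """Every AWS principal (ARN, bare account id or '*') granted by Allow
    statements. Service principals are ignored: they cannot be an outside
    account."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
        elif isinstance(principal, dict):
            found.update(_as_list(principal.get("AWS", [])))
    return found


def principal_account(principal):
    """Account id behind a principal; '*' is its own (anonymous) account."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]  # arn:partition:service:region:account:...
    return principal  # bare 12-digit account id


def foreign_principals(policy, own_account):
    return {p for p in principals_in_policy(policy)
            if principal_account(p) != own_account}


def detect_exposure(events, own_account):
    """Return (eventName, reason, detail) findings from CloudTrail events."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        ua = ev.get("userAgent", "")
        if any(s in ua.lower() for s in SUSPICIOUS_USER_AGENTS):
            findings.append((name, "user-agent", ua))
        field = POLICY_FIELDS.get(name)
        raw = ev.get("requestParameters", {}).get(field) if field else None
        if raw is None:
            continue
        policy = json.loads(raw) if isinstance(raw, str) else raw
        foreign = foreign_principals(policy, own_account)
        if foreign:
            findings.append((name, "foreign-principal", sorted(foreign)))
    return findings


OWN_ACCOUNT = "111122223333"
# Constructed CloudTrail-style events (trimmed to the fields used above).
SAMPLE_EVENTS = [
    {"eventName": "PutBucketPolicy", "userAgent": "aws-cli/2.1.0",  # benign
     "requestParameters": {"bucketName": "payroll-exports", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{
             "Effect": "Allow", "Action": "s3:GetObject",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Resource": "arn:aws:s3:::payroll-exports/*"}]}}},
    {"eventName": "PutBucketPolicy", "userAgent": "aws-cli/2.1.0",  # backdoor
     "requestParameters": {"bucketName": "payroll-exports", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{
             "Effect": "Allow", "Action": "s3:*",
             "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                   "arn:aws:iam::999988887777:root"]},
             "Resource": "arn:aws:s3:::payroll-exports/*"}]}}},
    {"eventName": "PutKeyPolicy", "userAgent": "endgame/1.0 (constructed)",
     "requestParameters": {"keyId": "alias/payroll", "policyName": "default",
                           "policy": json.dumps({"Statement": [{
                               "Effect": "Allow", "Principal": "*",
                               "Action": "kms:*", "Resource": "*"}]})}},
    {"eventName": "GetObject", "userAgent": "aws-sdk-java/1.11",  # noise
     "requestParameters": {"bucketName": "payroll-exports"}},
]

if __name__ == "__main__":
    for finding in detect_exposure(SAMPLE_EVENTS, OWN_ACCOUNT):
        print(finding)
```

The first event re-applies a policy that names only the account itself and is not flagged; the second is the same API call from the same CLI but admits a second account, which is the signal Access Analyzer would give you for S3 and which this check extends to any service you add to POLICY_FIELDS. The KMS event is caught twice, once on the user agent and once because the key policy now names "*". Known cross-account grants (a logging account, a shared-services account) belong on an allow-list layered over this, otherwise the foreign-principal rule will page you for legitimate sharing.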