A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Ben Feinstein & Jeff Jarmoc – Get Off of My Cloud: Cloud Credential Compromise and Exposure Derbycon 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)

Ben Feinstein & Jeff Jarmoc – Get Off of My Cloud: Cloud Credential Compromise and Exposure
Derbycon 2011

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. We will explore how AWS credentials and keys may end up being persisted within an AMI, allowing these credentials and key materials to be unintentionally shared with 3rd parties. We will discuss the risks and potential impacts of compromise of this sensitive information. A new tool, “AMIexposed” will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We’ll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs, both from the AMI creator and the AMI user perspective.

Back to Derbycon 2011 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast