Objective:
Understand how sensitive information in cloud function logs, such as AWS CloudWatch logs, can be misused for reconnaissance or gaining unauthorized access to cloud resources. Learn how to secure logs and monitor for suspicious activities.
Scenario:
You are tasked with assessing an AWS Lambda function that processes sensitive information (e.g., credentials or API keys). During the assessment, you discover that the function logs sensitive data to CloudWatch Logs. Your goal is to demonstrate how an attacker could exploit these logs to gather sensitive data or perform reconnaissance.
Lab Setup:
Prerequisites:
- AWS account (free-tier works for this lab).
- Installed tools:
  - aws-cli, configured with credentials for the account.
Steps to Set Up the Lab:
Deploy a Vulnerable AWS Lambda Function:
Log in to the AWS Management Console and navigate to Lambda > Create Function.
Choose Author from scratch and configure:
Function name: vulnerable-logging-lambda.
Runtime: Python 3.x.
Add the following function code, which intentionally logs sensitive information:
```python
import json


def lambda_handler(event, context):
    # Deliberately vulnerable: the secrets are hard-coded and written to
    # stdout, which the Lambda runtime forwards verbatim to CloudWatch Logs.
    sensitive_data = {
        "api_key": "12345-abcde-67890-fghij",
        "password": "SuperSecretPassword"
    }
    print(f"Sensitive Data: {sensitive_data}")
    return {
        'statusCode': 200,
        'body': json.dumps('Function executed successfully')
    }
```
Deploy the function.
Enable CloudWatch Logs for the Lambda Function:
CloudWatch logging is enabled by default: the execution role the console creates carries the AWSLambdaBasicExecutionRole managed policy, which grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, so everything the function prints lands in the log group /aws/lambda/<function-name>. Verify this in the Monitor tab of the Lambda function.
Trigger the Lambda function to generate log entries:
Go to the Test tab, create a new test event, and run the function.
Simulate a Weak IAM Policy for CloudWatch Access:
Create an IAM user (or role) to play the attacker and attach the AWS managed policy CloudWatchLogsReadOnlyAccess. It grants read actions such as logs:Get*, logs:Describe* and logs:FilterLogEvents on Resource "*", that is, on every log group in the account; this over-broad grant is the misconfiguration the exercise exploits.
Create access keys for that identity so the attacker steps below can be run with aws-cli.
Exercise: Exploiting CloudWatch Logs
Objective:
Simulate an attacker retrieving sensitive information from CloudWatch Logs due to misconfigurations or excessive permissions.
Access CloudWatch Logs:
Log in to the AWS Console as the attacker identity, or use the aws-cli to list log groups:
aws logs describe-log-groups
Identify the log group associated with the Lambda function (e.g., /aws/lambda/vulnerable-logging-lambda).
Retrieve Log Events:
Use the aws-cli to fetch log events (get-log-events reads one stream at a time; the stream names are listed under Log streams for the log group in the console):
aws logs get-log-events --log-group-name "/aws/lambda/vulnerable-logging-lambda" --log-stream-name <log-stream-name>
Extract sensitive data, such as the api_key or password, from the log entries.
Demonstrate Potential Impact:
Use the extracted sensitive data (e.g., API keys) to simulate unauthorized access to other cloud services or APIs. In this lab the values are dummies; in a real engagement, identify which service a harvested key belongs to and what it would unlock, and only exercise it against systems that are in scope of your authorization.
Perform Reconnaissance:
Analyze logs for infrastructure details. Lambda's own START, END and REPORT lines already reveal request IDs, memory size and billed duration for every invocation, and application log lines may additionally leak:
ARN of the Lambda function.
IAM role names or permissions.
Other resource identifiers (account IDs, bucket or table names, internal hostnames).
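The retrieval and reconnaissance steps above can be automated end to end. The stream name that get-log-events needs comes from `aws logs describe-log-streams --log-group-name /aws/lambda/vulnerable-logging-lambda` (or use `aws logs filter-log-events`, which searches the whole group). The script below is an added example for this lab, not code from the original page: it reads the JSON that `aws logs get-log-events --output json` prints and pulls out key/value secrets, AWS access key IDs, ARNs, account IDs, role names and request IDs. The sample payload is constructed to mirror the lab function's output; the account ID, role name and request ID are invented, and the third message is not something the lab function emits by default (it is there to show how ARNs would be harvested if an application logged them).

```python
"""Pull secrets and infrastructure identifiers out of CloudWatch log events.

Added example for this lab (not code from the original page). It consumes the
JSON that `aws logs get-log-events --output json` prints, so the only
assumption is that output shape; the sample payload below is constructed,
including the account id, role name and request id.
"""
import json
import re

# Key/value pairs such as 'api_key': '...' or password=... in free text.
_KV_RE = re.compile(
    r"(?i)\b(api[_-]?key|password|passwd|secret|token|aws_secret_access_key)\b"
    r"['\"]?\s*[:=]\s*['\"]?([^'\",\s}]+)")
# AWS access key ids are recognisable without any surrounding key name.
_AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Any ARN: arn:partition:service:region:account:resource (region may be empty).
_ARN_RE = re.compile(r"arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:[^\s'\"]+")
# Lambda's own START/END/REPORT lines carry the request id.
_REQ_RE = re.compile(r"RequestId: ([0-9a-f-]{36})")

# Constructed sample in the shape of `aws logs get-log-events --output json`.
# The third message is not emitted by the lab function by default; it is
# included to show how ARNs and role names would be harvested if present.
SAMPLE_GET_LOG_EVENTS = json.dumps({
    "events": [
        {"timestamp": 1700000000000, "ingestionTime": 1700000000100,
         "message": "START RequestId: 9f1c2d3e-4b5a-6c7d-8e9f-0a1b2c3d4e5f Version: $LATEST\n"},
        {"timestamp": 1700000000010, "ingestionTime": 1700000000100,
         "message": "Sensitive Data: {'api_key': '12345-abcde-67890-fghij', "
                    "'password': 'SuperSecretPassword'}\n"},
        {"timestamp": 1700000000020, "ingestionTime": 1700000000100,
         "message": "role arn:aws:iam::123456789012:role/vulnerable-logging-lambda-role "
                    "invoked arn:aws:lambda:us-east-1:123456789012:function:vulnerable-logging-lambda\n"},
        {"timestamp": 1700000000030, "ingestionTime": 1700000000100,
         "message": "END RequestId: 9f1c2d3e-4b5a-6c7d-8e9f-0a1b2c3d4e5f\n"},
    ],
    "nextForwardToken": "f/0", "nextBackwardToken": "b/0",
})


def scan_events(get_log_events_json: str) -> dict:
    """Return secrets and recon data found across all events in the payload."""
    found = {"secrets": set(), "access_key_ids": set(), "arns": set(),
             "roles": set(), "account_ids": set(), "request_ids": set()}
    for event in json.loads(get_log_events_json).get("events", []):
        msg = event.get("message", "")
        found["secrets"].update((k.lower(), v) for k, v in _KV_RE.findall(msg))
        found["access_key_ids"].update(_AKIA_RE.findall(msg))
        found["request_ids"].update(_REQ_RE.findall(msg))
        for arn in _ARN_RE.findall(msg):
            found["arns"].add(arn)
            found["account_ids"].add(arn.split(":")[4])   # 5th field is the account id
            if ":role/" in arn:
                found["roles"].add(arn.split(":role/", 1)[1].split("/")[0])
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    # Usage: aws logs get-log-events ... --output json | python scan_logs.py
    import sys
    payload = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_LOG_EVENTS
    print(json.dumps(scan_events(payload), indent=2))
```

Run the same scanner over every stream in the group and you have the attacker's shopping list; run it from the defender's side over a log export and you have a cheap DLP check for the deliverable's "evidence" section.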
Tools Required:
- AWS CloudWatch: For accessing and analyzing logs.
- aws-cli: For automating log retrieval.
- CloudTrail: For monitoring log access (optional).
Deliverables:
- Exploit Report:
- Evidence of retrieving sensitive information from CloudWatch Logs.
- Screenshots or logs showing sensitive data (e.g., API keys, credentials).
- Recommendations for Securing Logs:
- Steps to restrict log access and monitor for unauthorized activities.
Solution:
Identified Vulnerabilities:
Sensitive Data in Logs: API keys and passwords were logged, exposing critical information.
Excessive Permissions: IAM roles allowed unrestricted access to CloudWatch Logs.
Lack of Monitoring: No alerts or monitoring for log access.
Consequences:
Credential Leakage: Exposed API keys or passwords can lead to unauthorized access.
Reconnaissance: Logs provide attackers with details about cloud infrastructure and permissions.
Regulatory Non-Compliance: Logging sensitive information may violate GDPR, HIPAA, or other standards.
Prevention Techniques:
Avoid Logging Sensitive Data:
Mask or redact sensitive information before logging.
Use logging libraries with data sanitization features.
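The hardened counterpart to the vulnerable function from the lab setup, as an added example that is not code from the original page. It applies the two controls just listed: redact() masks the values of known-sensitive keys in structured data before anything is formatted, and a logging.Filter rewrites any key=value secret or AWS access key ID that still reaches a log record (for instance through a stray f-string). SENSITIVE_KEYS, MASK and the logger name are this example's own choices.

```python
"""Hardened counterpart to the lab's Lambda: redact secrets before logging.

Added example for this lab, not code from the original page. Two layers:
redact() masks the values of known-sensitive keys in structured data before
it is formatted, and RedactingFilter rewrites any key=value secret or AWS
access key id that still reaches a log record. SENSITIVE_KEYS and MASK are
this example's own choices.
"""
import json
import logging
import re
from typing import Any

SENSITIVE_KEYS = {"api_key", "apikey", "password", "passwd", "secret",
                  "token", "authorization", "aws_secret_access_key"}
MASK = "***REDACTED***"

# key: value / key=value pairs that made it into the message text; group 2 is
# the separator so the key and punctuation survive and only the value is masked.
_KV_RE = re.compile(
    r"(?i)\b(api[_-]?key|password|passwd|secret|token|authorization)\b"
    r"(['\"]?\s*[:=]\s*['\"]?)([^'\",\s}]+)")
# AWS access key ids are recognisable even with no key name next to them.
_AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def redact(obj: Any) -> Any:
    """Recursively mask the values of sensitive keys in dicts and lists."""
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def scrub_text(text: str) -> str:
    """Mask secrets that appear in free text."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", text)
    return _AKIA_RE.sub(MASK, text)


class RedactingFilter(logging.Filter):
    """Last line of defence: rewrite the message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def format_redacted(msg: str, *args) -> str:
    """Run one message through RedactingFilter and return the resulting text."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args or None, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def get_logger() -> logging.Logger:
    logger = logging.getLogger("vulnerable-logging-lambda")
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    logger.setLevel(logging.INFO)
    return logger


def lambda_handler(event, context):
    logger = get_logger()
    sensitive_data = {"api_key": "12345-abcde-67890-fghij",   # same dummy values as the lab
                      "password": "SuperSecretPassword"}
    # Only the redacted copy is formatted; the plaintext never reaches CloudWatch.
    logger.info("Sensitive Data: %s", json.dumps(redact(sensitive_data)))
    return {"statusCode": 200, "body": json.dumps("Function executed successfully")}
```

The filter sits on the logger rather than on a handler so it also covers the handler the Lambda runtime attaches to the root logger. Redaction at the source is the control that matters; the regex filter only catches what slips past it and should not be relied on for formats it does not recognise.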
Restrict Log Access:
Apply the principle of least privilege to IAM policies: scope log-read grants to the specific log group ARNs a role needs instead of Resource "*". The Deny statement below blocks reading log data unless the caller carries the principal tag Team=SecOps (StringNotEquals also matches when the tag is absent, so untagged principals are denied). It lists every action that returns or exports log content, not only logs:GetLogEvents, because logs:FilterLogEvents, logs:GetLogRecord, Logs Insights queries (logs:StartQuery, logs:GetQueryResults) and logs:CreateExportTask all reach the same data. An explicit Deny overrides any Allow, so it can be attached to the attacker's user directly or applied account-wide as a service control policy.
Example policy to limit CloudWatch Logs access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:GetLogRecord",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:CreateExportTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/Team": "SecOps"
        }
      }
    }
  ]
}
```
Enable Logging Alerts:
Use CloudTrail to record access to CloudWatch Logs and alert on reads of sensitive log groups by unexpected principals, including denied attempts, which indicate probing. Check the trail configuration first: GetLogEvents and FilterLogEvents are CloudWatch Logs data events, so a trail that captures only management events will not record them; enable data event logging for the log group resource type before relying on this control.
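The detection logic the alerting step calls for, as an added example that is not code from the original page. It runs over the {"Records": [...]} JSON that CloudTrail delivers to S3, flags any read of the lab's log group by a principal outside an allowlist, and treats AccessDenied calls as alerts too. The records are constructed in CloudTrail's shape; the account ID, principals, IP addresses and times are made up, and ALLOWED_PRINCIPALS is an assumed stand-in for the SecOps principals the policy above permits.

```python
"""Flag reads of the lab's Lambda log group in CloudTrail records.

Added example for this lab, not code from the original page. It works on the
{"Records": [...]} JSON that CloudTrail delivers to S3. The records below are
constructed in that shape; the account id, principals, IP addresses and times
are made up, and ALLOWED_PRINCIPALS is an assumed stand-in for the SecOps
principals the IAM policy permits.

Assumption: GetLogEvents/FilterLogEvents only appear in a trail that records
CloudWatch Logs data events; a management-events-only trail will not have them.
"""
import json

# Actions that return log content or copy it elsewhere. GetQueryResults is left
# out: it carries only a queryId and has to be correlated with its StartQuery.
LOG_READ_ACTIONS = {"GetLogEvents", "FilterLogEvents", "GetLogRecord",
                    "StartQuery", "CreateExportTask"}
WATCHED_LOG_GROUPS = {"/aws/lambda/vulnerable-logging-lambda"}
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:role/SecOpsLogReader"}  # assumed

_GROUP = "/aws/lambda/vulnerable-logging-lambda"
_CONTRACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-readonly"}
_SECOPS = {"type": "AssumedRole",
           "arn": "arn:aws:sts::123456789012:assumed-role/SecOpsLogReader/alice",
           "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/SecOpsLogReader"}}}

# Constructed trail file: six records, three of which should raise an alert.
CONSTRUCTED_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "logs.amazonaws.com",
     "eventName": "GetLogEvents", "userIdentity": _CONTRACTOR, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"logGroupName": _GROUP, "logStreamName": "2024/01/15/[$LATEST]0123abcd"}},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "logs.amazonaws.com",
     "eventName": "FilterLogEvents", "userIdentity": _SECOPS, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"logGroupName": _GROUP, "filterPattern": "ERROR"}},
    {"eventTime": "2024-01-15T10:06:02Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DescribeLogGroups", "userIdentity": _CONTRACTOR, "sourceIPAddress": "198.51.100.23",
     "requestParameters": None},
    {"eventTime": "2024-01-15T10:06:30Z", "eventSource": "logs.amazonaws.com",
     "eventName": "StartQuery", "userIdentity": _CONTRACTOR, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"logGroupNames": [_GROUP],
                           "queryString": "fields @message | filter @message like /password/"}},
    {"eventTime": "2024-01-15T10:07:15Z", "eventSource": "logs.amazonaws.com",
     "eventName": "GetLogEvents", "userIdentity": _CONTRACTOR, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"logGroupName": "/aws/lambda/other-function", "logStreamName": "2024/01/15/[$LATEST]ffff"}},
    {"eventTime": "2024-01-15T10:09:58Z", "eventSource": "logs.amazonaws.com",
     "eventName": "FilterLogEvents", "userIdentity": _CONTRACTOR, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"logGroupName": _GROUP}, "errorCode": "AccessDenied"},
]})


def _principal_arn(identity: dict) -> str:
    """For assumed roles, report the role ARN rather than the per-session ARN."""
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn", "<unknown>")


def _target_groups(params: dict) -> set:
    """Collect every log group a request names (single name, list, or identifiers)."""
    groups = set()
    if params.get("logGroupName"):
        groups.add(params["logGroupName"])
    groups.update(params.get("logGroupNames") or [])
    groups.update(params.get("logGroupIdentifiers") or [])
    return groups


def detect_suspicious_log_reads(trail_json: str) -> list:
    """Return one alert per read of a watched log group by a non-allowlisted principal."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "logs.amazonaws.com" or rec.get("eventName") not in LOG_READ_ACTIONS:
            continue
        hit = _target_groups(rec.get("requestParameters") or {}) & WATCHED_LOG_GROUPS
        if not hit:
            continue
        principal = _principal_arn(rec.get("userIdentity") or {})
        if principal in ALLOWED_PRINCIPALS:
            continue
        alerts.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "principal": principal,
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "logGroups": sorted(hit),
            # A denied call is still worth an alert: it shows someone probing the group.
            "reason": "denied attempt (probing)" if rec.get("errorCode") else "successful read",
        })
    return alerts


if __name__ == "__main__":
    # Usage: python detect_log_reads.py < <trail-file>.json
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_TRAIL
    print(json.dumps(detect_suspicious_log_reads(data), indent=2))
```

Matching on the session issuer ARN rather than the assumed-role session ARN is deliberate: session names are attacker-controlled and change per call, while the role ARN is what the allowlist should express. The same rule set can be expressed as an EventBridge pattern on eventSource/eventName once the trail is confirmed to carry the data events.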
Encrypt Logs:
Associate a customer managed AWS Key Management Service (KMS) key with the log group so log data is encrypted at rest under a key you control. Encryption does not stop a principal who already holds logs:GetLogEvents from reading the data, so it complements rather than replaces the IAM restrictions above.
Rotate Exposed Credentials Immediately:
If sensitive data is accidentally logged, treat the credentials as compromised: rotate them at once, then remove the leaked entries by deleting the affected log stream (or the whole log group), and set a retention policy on the group so old events do not linger indefinitely (log groups created by Lambda default to Never expire).
Conclusion:
This exercise highlights the risks of logging sensitive information in cloud environments and demonstrates how attackers can exploit misconfigured logs for reconnaissance or unauthorized access. By sanitizing logs, enforcing least privilege, and monitoring log access, organizations can significantly reduce these risks.