41. VERIFY
(remove the spaces around the = character for easier scripts)
Preparation
• New EC2 Instance
• Setup AWSTools
• Leverage Secrets
(diagram: AWS CLI → AWS Cloud)
49. NO MULTI
aws --profile api_cloudtrail configure set region us-east-1
aws --profile api_cloudtrail cloudtrail update-trail --name "arn:aws:cloudtrail:us-east-1:…:trail/…" --no-is-multi-region-trail --no-include-global-service-events
Stops logging in all regions…
• EXCEPT the trail's HomeRegion (and global service events are no longer recorded either)
(diagram: AWS CloudTrail)
64. AZURE META
Metadata Service: 169.254.169.254
curl http://169.254.169.254/metadata/v1/maintenance
curl http://169.254.169.254/metadata/v1/InstanceInfo
(these are mostly useless for hackers…) but useful information is copied into the … /var/lib/waagent directory when the instance is created… (root access needed)
• IP address, hostname, subscription ID, resource group name, etc…
…
66. HARD BOOT
Bryce Kunz - @TweekFawkes
…
Horrible OPSEC but it works…
- Power off a server
- Mount the server’s hard drive using another EC2
- Modify the server for remote access (e.g. add an SSH key to root user)
- Power back on the server & PROFIT!
67. MITIGATIONS
• Single Purpose Secrets
• Limit the Access of each Secret
• Create roles and limit the access of each role
• You can ACL off secrets to only work from certain IP addresses
• Log API calls (e.g. cloudtrail)
• Never use root secrets (use as a break glass account only)
• Rotate Secrets Frequently
• Encrypt secrets within GIT and other data stores
…
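The CloudTrail evasion on slide 49 and the "Log API calls", "Never use root secrets" and IP-restriction mitigations above combine into one detection. The following is an added example, not part of the original slides: it parses a CloudTrail log file body (`{"Records": [...]}`) and flags `UpdateTrail` calls that turn off multi-region or global-service logging, `StopLogging`/`DeleteTrail`/`PutEventSelectors`, any call made with root credentials, and any call from outside an expected network. The sample records, account id, trail ARN, event ids and the `203.0.113.0/24` allow-list are constructed placeholders.

```python
import ipaddress
import json

# CloudTrail management events that remove or reduce audit coverage outright.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors"}

# Networks the API credentials are expected to be used from. Constructed
# placeholder (TEST-NET-3); substitute the ranges your IAM policies restrict
# with an aws:SourceIp condition.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def analyze_event(event, allowed_networks=ALLOWED_NETWORKS):
    """Return a list of finding strings for one CloudTrail record (empty if benign)."""
    findings = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}

    if event.get("eventSource") == "cloudtrail.amazonaws.com":
        if name in LOGGING_TAMPER_EVENTS:
            findings.append(f"{name}: trail logging reduced or removed")
        if name == "UpdateTrail":
            # The CLI flags from slide 49 are logged as these boolean request parameters.
            if params.get("isMultiRegionTrail") is False:
                findings.append("UpdateTrail: multi-region logging disabled")
            if params.get("includeGlobalServiceEvents") is False:
                findings.append("UpdateTrail: global service events disabled")

    # Root credentials should only ever appear as a break-glass action.
    if identity.get("type") == "Root":
        findings.append("root credentials used for API call")

    # sourceIPAddress may be an AWS service DNS name rather than an address.
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        ip = None
    if ip is not None and not any(ip in net for net in allowed_networks):
        findings.append(f"call from {ip}, outside the expected networks")
    return findings


def scan(records_json, allowed_networks=ALLOWED_NETWORKS):
    """Parse a CloudTrail log file body and map eventID -> findings (events with none are omitted)."""
    records = json.loads(records_json).get("Records", [])
    results = {}
    for event in records:
        findings = analyze_event(event, allowed_networks)
        if findings:
            results[event.get("eventID", "<no eventID>")] = findings
    return results


# Constructed sample log: account id, ARN, addresses and event ids are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventID": "evt-1", "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "api_cloudtrail"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example",
            "isMultiRegionTrail": False, "includeGlobalServiceEvents": False,
        },
    },
    {
        "eventID": "evt-2", "eventTime": "2019-01-01T00:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "requestParameters": {"name": "example"},
    },
    {
        "eventID": "evt-3", "eventTime": "2019-01-01T00:10:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "AssumedRole"},
        "requestParameters": None,
    },
]})

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_LOG).items():
        for finding in findings:
            print(f"{event_id}: {finding}")
```

Running the module prints two findings for `evt-1` (multi-region and global-service logging disabled) and three for `evt-2` (logging stopped, root credentials, unexpected source network); the benign `DescribeInstances` call produces nothing. Feed it the decompressed objects CloudTrail writes to S3, or wire the same checks into a CloudWatch Events/EventBridge rule, so that the trail being weakened is itself an alert.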