© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New tactics and techniques for
proactive threat detection
Ben Fletcher
TDR 432
(he/him)
AWS EMEA CIRT LEAD
Amazon Web Services
Steve de Vera
(he/him)
AWS CIRT Manager
Amazon Web Services

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• About AWS CIRT
• Statistics
• Current threat actor tactics
• New threat actor tactics
• Security best practices
Agenda

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
THIS SESSION IS INTERACTIVE!
Feel free to ask questions,
make comments, participate

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
About AWS CIRT

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Customer Incident Response Team (CIRT)
A specialized team that assists and advises customers during suspected
active security events, on the customer’s side of the AWS Shared
Responsibility Model
Global team 24/7, follow-the-sun model
Respond
Assist and advise customers
with active triage and
recovery from their security
event on AWS
Recover
Assist in root cause
analysis of a customer’s
AWS service logs for their
active security event
Learn
Provide advice to
customers for long-term
recovery from their
active security event
Educate

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Statistics

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account
permissions
Vulnerable
web apps
#1 #2
Brute force
Lost/leaked access
keys/credentials
#3
#4
Open S3 buckets DDoS
#5 #6
Threat actors use which initial access method
most often?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lost/leaked access
keys/credentials
#4
Threat actors use which initial access method
most often?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
valid IAM credentials
66%
Lost/leaked access
keys/credentials
#4
Threat actors use which initial access method
most often?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
valid IAM credentials
66%
Lost/leaked access
keys/credentials
#4
of those are root credentials
1/3
[20% of all initial access method use]
Threat actors use which initial access method
most often?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
valid IAM credentials
66%
Lost/leaked access
keys/credentials
#4
Public-facing EC2 instance
13%
of those are root credentials
1/3
[20% of all initial access method use]
Threat actors use which initial access method
most often?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Opportunistic
Resource hijack Ransom events destruction
A zero trust strategy
Threat primary tactics

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Get the keys MITRE ATT&CK
Tactic: Initial access
Technique: Valid cloud credentials

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
~Two weeks ~One week
#1 #2
24 hours
4 hours
#3
#4
Minutes, if not
seconds
#5
If keys are posted on GitHub, how long until they
are used?

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GitHub
https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
MITRE ATT&CK
Tactic: Initial access
Technique: Valid cloud credentials
Minutes, if not
seconds
#5

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Current threat actor tactics

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DISCLAIMER:
Tactics and techniques presented
do not constitute vulnerabilities
within AWS

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Premise
1)
2)
3)
•
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Premise
1) Threat actor obtains access to AWS
account or hosted resource
2)
3)
•
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Premise
1) Threat actor obtains access to AWS
account or hosted resource
2) Threat actor will mine cryptocurrency
from the resource
3)
•
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Premise
1) Threat actor obtains access to AWS
account or hosted resource
2) Threat actor will mine cryptocurrency
from the resource
3) Resources created in AWS account:
• RunInstances
• CreateStack
• CreateCluster
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Premise
1) Threat actor obtains access to AWS
account or hosted resource
2) Threat actor will mine cryptocurrency
from the resource
3) Resources created in AWS account:
• RunInstances
• CreateStack
• CreateCluster
4) Resources created in unused
AWS Regions
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource hijacking: Mitigations
• Use SCPs to prevent resource creation – especially in unused Regions
• Apply principle of least privilege to assigned permissions
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
1)
2)
3)
MITRE ATT&CK
Tactic: Impact
Technique: Defacement

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
1) Customer has CNAME pointing to a resource (S3 bucket, EC2
instance, Elastic IP)
2)
3)
MITRE ATT&CK
Tactic: Impact
Technique: Defacement

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
1) Customer has CNAME pointing to a resource (S3 bucket, EC2
instance, Elastic IP)
2) The resource is deleted, but the CNAME still exists
3)
MITRE ATT&CK
Tactic: Impact
Technique: Defacement

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
1) Customer has CNAME pointing to a resource (S3 bucket, EC2
instance, Elastic IP)
2) The resource is deleted, but the CNAME still exists
3) Threat actor creates a resource that the CNAME still points to
MITRE ATT&CK
Tactic: Impact
Technique: Defacement

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
Customer

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random
S3 bucket
Customer

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website
Customer

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer
X X

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer
Threat
actor
X X

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer
Threat
actor
X
s3-newco-random
S3 bucket
recreated
X

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer
Threat
actor
X
s3-newco-random
S3 bucket
recreated
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket configured as static website
with malicious content
X

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Premise
s3-newco-random http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
CNAME: app1.newco.com
points to:
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket S3 bucket configured as static website CNAME pointing to S3 bucket
configured as static website
Customer
Threat
actor
X
s3-newco-random
S3 bucket
recreated
http://s3-newco-random
.s3-website-us-east-1.amazonaws.com
S3 bucket configured as static website
with malicious content
X

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SubDomain takeover: Mitigations
• Review hosted zones and delete unused CNAMEs
• When de-provisioning, remove CNAMEs first

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data destruction: Premise
1)
2)
3)
•
•
•
•
•
•
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data destruction: Premise
1) Threat actor obtains access to AWS account or resource (Amazon S3
or Amazon RDS)
2)
3)
•
•
•
•
•
•
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data destruction: Premise
1) Threat actor obtains access to AWS account or resource (Amazon S3
or Amazon RDS)
2) Threat actor will attempt to delete resources or data
3)
•
•
•
•
•
•
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data destruction: Premise
1) Threat actor obtains access to AWS account or resource (Amazon S3
or Amazon RDS)
2) Threat actor will attempt to delete resources or data
3) Resources deleted in AWS account:
• DeleteBucket
• DeleteObject
• DeleteDBInstance
• DeleteDBCluser
• DeleteDBSnapshot
• AuthorizeSecurityGroupIngress
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data destruction: Mitigations
• Apply and review policies (resource policies and lifecycle policies),
S3 Object Lock
• Principle of least privilege
• Use and test backup methodologies
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
1)
2)
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
1) Threat actor obtains ability to obtain IMDSv1 credentials
from resource
2)
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
1) Threat actor obtains ability to obtain IMDSv1 credentials
from resource
2) Threat actor exports and uses credentials
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
Virtual private cloud (VPC)
Public subnet
Web application
on EC2
Attached
Threat role (webdev)
actor
AWS account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
Virtual private cloud (VPC)
Public subnet
Web application
on EC2
Attached
Threat role (webdev)
actor
AWS account
Use SSRF to exploit web application
vulnerability

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
Virtual private cloud (VPC)
Public subnet
Web application
on EC2
Attached
Threat role (webdev)
actor
AWS account
Obtain credentials using IMDSv1 API
Use SSRF to exploit web application
vulnerability

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise
Virtual private cloud (VPC)
Public subnet
Web application
on EC2
Attached
Threat role (webdev)
actor
AWS account
Obtain credentials using IMDSv1 API
Use credentials to access AWS account
Use SSRF to exploit web application
vulnerability

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IMDSv1 credential access: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
•
•
•
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials
IMDSv1 credential access:
Mitigations

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Use require IMDSv2
•
•
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials
IMDSv1 credential access:
Mitigations

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Use require IMDSv2
• Use principle of least privilege on EC2
instance profile
•
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials
IMDSv1 credential access:
Mitigations

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Use require IMDSv2
• Use principle of least privilege on EC2
instance profile
• Use the
aws:EC2InstanceSourceVPC
or
aws:EC2InstanceSourcePrivate
IPv4 global condition keys in Service
Control Policies
MITRE ATT&CK
Tactic: Credential access
Technique: Unsecured credentials
IMDSv1 credential access:
Mitigations

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1) Credentials exported
MITRE ATT&CK
Tactic: Persistence
Technique: Additional cloud
credentials
GetFederationToken: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
2) Federation token generated
GetFederationToken: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
3) Threat actor exports and assumes federation token credentials
GetFederationToken: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
4) Use exported
credentials from
federation token
GetFederationToken: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• The session name or ‘user
name’ can be changed
• Still need to review actions
by ‘masked’ user
GetFederationToken: Premise

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• GetSessionToken also used
• Generally considered unauthorized if observed
• With both GetFederationToken and
GetSessionToken, you can delete the originating
access key and the session will persist
• Can delete/recreate the user
GetFederationToken: Mitigations

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GetFederationToken: Mitigations
• Apply inline policy to IAM user (deny based on
aws:TokenIssueTime)

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Novel threat actor tactics

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor creates an account
in an AWS organization
2)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor creates an account
in an AWS organization
2) Created account is used for
defense evasion, resource
hijacking
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Alternative
1) Threat actor creates a standalone
account with a stolen credit card
2)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Alternative
1) Threat actor creates a standalone
account with a stolen credit card
2) Invites account to compromised
AWS organization
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor can remove
OrganizationAccountAccessRole
2)
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor can remove
OrganizationAccountAccessRole
2) Victim can apply SCPs, but
this prevents new actions
(existing threat actor resources
not affected)
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor can remove
OrganizationAccountAccessRole
2) Victim can apply SCPs, but
this prevents new actions
(existing threat actor resources
not affected)
3) May need support case to
remove account
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Premise
1) Threat actor can remove
OrganizationAccountAccessRole
2) Victim can apply SCPs, but
this prevents new actions
(existing threat actor resources
not affected)
3) May need support case to
remove account
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create account: Mitigations
• Create custom groups or roles
• Use principle of least privilege to restrict
account creation
• Amazon CloudWatch alarm/SCP for
InviteAccountToOrganization API call
MITRE ATT&CK
Tactic: Defense evasion
Technique: Unused/unsupported
cloud regions

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lifecycle deletion: Premise
1) Threat actor uses S3 lifecycle
policies to set parameters to
delete objects within 1 day
2)
3)
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lifecycle deletion: Premise
1) Threat actor uses S3 lifecycle
policies to set parameters to
delete objects within 1 day
2)
3)
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lifecycle deletion: Premise
1) Threat actor uses S3 lifecycle
policies to set parameters to
delete objects within 1 day
2) Form of data destruction
3)
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lifecycle deletion: Premise
1) Threat actor uses S3 lifecycle
policies to set parameters to
delete objects within 1 day
2) Form of data destruction
3) Bypasses permissions and
detections against
DeleteObject
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lifecycle deletion: Mitigations
• Apply SCPs to prevent use of PutBucketLifecycle
• Use principle of least privilege
• AWS Config rule for s3-lifecycle-policy-check
MITRE ATT&CK
Tactic: Impact
Technique: Data destruction

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SMS pumping: Premise
1) Threat actor obtains block of high rate SMS phone numbers from
telecom provider
2) Threat actor identifies service that sends SMS text messages
3) Service used to send numerous text messages
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SMS pumping: Premise
4) Amazon Cognito used
5)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SMS pumping: Premise
4) Amazon Cognito used
5) APIs observed are SignUp or
ResendConfirmationCode
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SMS pumping: Mitigations
• Change attribute verification and user account confirmation
• Apply AWS WAF to present CAPTCHA
• Apply web ACL rule to inspect request body and match the
SMS area code
• Amazon Fraud Detector (may require rearchitected solution)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leave organization: Premise
1) Threat actor attempts to leave
an AWS organization
2)
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Indicator removal

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leave organization: Premise
1) Threat actor attempts to leave
an AWS organization
2)
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Indicator removal

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leave organization: Premise
1) Threat actor attempts to leave
an AWS organization
2) Prevents SCPs from being
applied, used for resource
hijacking
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Indicator removal

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leave organization: Premise
1) Threat actor attempts to leave
an AWS organization
2) Prevents SCPs from being
applied, used for resource
hijacking
3) Form of defense evasion,
AWS billing reports migrate
MITRE ATT&CK
Tactic: Defense evasion
Technique: Indicator removal

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leave organization: Mitigations
• Apply SCPs to prevent LeaveOrganization API
call in member account
• Use principle of least privilege to limit use of
RemoveAccountFromOrganization in
management account
MITRE ATT&CK
Tactic: Defense evasion
Technique: Indicator removal

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Premise
1) Threat actor gains access to an
AWS organization
2)
3)
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Premise
1) Threat actor gains access to an
AWS organization
2) AWS IAM Identity Center
enabled to provision access
to accounts
3)
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Premise
1) Threat actor gains access to an
AWS organization
2) AWS IAM Identity Center
enabled to provision access
to accounts
3) Adds extra steps to containment
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Alternative
3) Access to a specific account/s
within an AWS organization
4)
5)
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Alternative
3) Access to a specific account/s
within an AWS organization
4) IAM used to add a SAML or
OpenIDC provider
5)
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Alternative
3) Access to a specific account/s
within an AWS organization
4) IAM used to add a SAML or
OpenIDC provider
5) Look for CreateSAMLProvider
or CreateOIDCProvider events
in AWS CloudTrail
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Mitigations
• Remove identity provider from
IAM Identity Center or IAM
•
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create identity provider:
Mitigations
• Remove identity provider from
IAM Identity Center or IAM
• Use Amazon EventBridge to
watch for StartSSO,
CreateSAMLProvider or
CreateOIDCProvider events
in CloudTrail
MITRE ATT&CK
Tactic: Persistence
Technique: Create account

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
1)
•
•
2)
3)
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
1) Threat actor identifies vulnerable
version of Laravel
• CVE-2021-3129
• Debug mode
2)
3)
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
1) Threat actor identifies vulnerable
version of Laravel
• CVE-2021-3129
• Debug mode
2) Debug mode allows access to .env file
3)
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
1) Threat actor identifies vulnerable
version of Laravel
• CVE-2021-3129
• Debug mode
2) Debug mode allows access to .env file
3) .env configured with AWS credentials
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
3) For server in debug mode, specific
data sent generates a debug file
4)
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Premise
3) For server in debug mode, specific
data sent generates a debug file
4) File contains .env variables including
AWS credentials
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laravel framework access:
Mitigations
• Confirm Laravel is up-to-date and fully patched
• Disable debug mode in production – set APP_DEBUG = FALSE
• Use principle of least privilege for credentials in Laravel .env
• AWS Secrets Manager for hardcoded secrets
MITRE ATT&CK
Tactic: Initial access
Technique: Exploit public-facing
application

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Premise
1) Threat actor gains access to
AWS account
2)
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Premise
1) Threat actor gains access to
AWS account
2) Modifies CloudTrail using
PutEventSelectors
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Premise
1) Threat actor gains access to
AWS account
2) Modifies CloudTrail using
PutEventSelectors
3) Prevents logging of
mutating events
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Alternative
1) Threat actor gains access to
AWS account
2) Modifies CloudTrail using
PutEventSelectors
3)
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Alternative
1) Threat actor gains access to
AWS account
2) Modifies CloudTrail using
PutEventSelectors
3) Prevents logging of
management events
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Alternative
1) Threat actor gains access to
AWS account
2) Modifies CloudTrail using
PutEventSelectors
3) Prevents logging of
management events
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail modification:
Mitigations
• Use SCPs to restrict CloudTrail modification including
use of PutEventSelectors API
• Consider AWS Config remediation rules for CloudTrail
MITRE ATT&CK
Tactic: Defense evasion
Technique: Impair defenses

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking: Premise
1) Threat actor obtains access to AWS account
2)
3)
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking: Premise
1) Threat actor obtains access to AWS account
2) Threat actor enables access to LLMs
 through Amazon Bedrock
3)
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking: Premise
1) Threat actor obtains access to AWS account
2) Threat actor enables access to LLMs
 through Amazon Bedrock
3)
•
•
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking: Premise
1) Threat actor obtains access to AWS account
2) Threat actor enables access to LLMs
 through Amazon Bedrock
3) Models used and prompts sent:
• InvokeModel
• InvokeModelWithResponseStream
4)
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking: Premise
1) Threat actor obtains access to AWS account
2) Threat actor enables access to LLMs
 through Amazon Bedrock
3) Models used and prompts sent:
• InvokeModel
• InvokeModelWithResponseStream
4) Can be performed in unused
AWS Regions
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
LLM resource hijacking:
Mitigations
Use SCPs to limit access to Amazon Bedrock using
• Specific principals
• Specific Regions
MITRE ATT&CK
Tactic: Impact
Technique: Resource hijacking

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security best practices

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Swiss cheese model (industrial accidents)
A failure cannot be traced back to a
single root cause;
accidents are often the result of a
combination of factors

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lack of continuous
vulnerability management
Unintended disclosure of
credentials and secrets
Ineffective response to
detective controls
Inaccurate AWS account
contact information
Insecure AWS resource
configuration
Get the basics right