“Let’s say someone uses those providers and it happens that they have the same identity platform, maybe SailPoint. If SailPoint forwards data streams to AWS and Microsoft and perhaps others, it can allow access to all of that client’s information in one of those hyperscaler environments. It may allow limited data access to the cloud. Now let’s say that somehow an attacker targets that AWS API. If that client were to use the same credentials across all these cloud platforms,” it would provide broader access, he said.
IMDSv2: What you don’t know can kill your cloud
In March 2024, Amazon quietly introduced an update to a key part of the AWS platform: the Instance Metadata Service (IMDS). Some SOCs “may not even realize they are using it [IMDS],” thereby exposing their operations to “a security risk related to metadata exposure,” Pluralsight’s Firment said.
“AWS uses IMDS to store security credentials used by other applications and services, and makes that information available using a REST API. Attackers can use Server-Side Request Forgery [SSRF] stealing IMDS information, which allows them to confirm as a role for example a side trip or data theft,” explained Firment. “AWS launched a new version of IMDS, version 2, to improve security of unauthorized metadata, although many organizations still use the original IMDSv1 as the default. To help CISOs close this potential security hole, AWS recently announced the ability to set all newly launched Amazon EC2 instances to the more secure IMDSv2 by default.”
IMDSv2 was “launched by AWS in November 2019 but the ability to set up automation in the new version was not introduced until March 2024. As a result, many organizations continued to use the vulnerable original IMDSv1. It is interesting to note that the default only applies to newly introduced events, so existing scenarios with IMDSv1 still need to be reconfigured,” said Firment.
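Because the new account-level default only covers newly launched instances, a defender still has to find the existing ones that answer plain IMDSv1 requests. The audit below is an added example, not code from the article or from AWS; it assumes the JSON shape returned by `aws ec2 describe-instances` (the `MetadataOptions` block per instance) and uses a constructed sample with placeholder instance IDs.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and emit the fix commands."""
import json

# Constructed sample of `aws ec2 describe-instances` output, trimmed to the
# fields this audit needs. Instance IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000000bbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0000000000000cccc",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
})


def classify(metadata_options):
    """Return 'disabled', 'v2-only' or 'v1-allowed' for one instance."""
    if metadata_options.get("HttpEndpoint") == "disabled":
        return "disabled"      # IMDS switched off: nothing for an SSRF to reach
    if metadata_options.get("HttpTokens") == "required":
        return "v2-only"       # session token (PUT + custom header) is mandatory
    return "v1-allowed"        # a plain GET still returns credentials


def find_imdsv1_instances(describe_instances_json):
    """Return instance IDs whose metadata endpoint still accepts IMDSv1 calls."""
    data = json.loads(describe_instances_json)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if classify(inst.get("MetadataOptions", {})) == "v1-allowed":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_commands(instance_ids):
    """Build the AWS CLI calls that enforce IMDSv2 on each existing instance.

    The account-wide default for *new* instances is set separately with
    `aws ec2 modify-instance-metadata-defaults --http-tokens required`.
    """
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled"
            for iid in instance_ids]
```

Feed it the real `describe-instances` output for each region and review the generated commands before running them, since `--http-tokens required` will break any workload on that instance that still uses the token-less IMDSv1 calls.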