Scott Piper

@0xdabbad00

Followers: 19K · Following: 38K · Media: 476 · Statuses: 10K

https://t.co/EXe2MI3bAU Cloud security historian. Developed https://t.co/ZXFwkuyseC, CloudMapper, and Parliament. Organizer for @fwdcloudsec. Researcher at @wiz_io ✦

Salt Lake City, UT
Joined August 2012
@0xdabbad00
Scott Piper
3 years
In 2016, @dagrz gave one of the greatest cloud security talks ever, filled with new techniques that have been rediscovered repeatedly in the years since. I've remastered it from video obtained from an audience member and the slide deck.
13
73
310
@0xdabbad00
Scott Piper
9 months
Google Cloud accidentally deleted a company's entire cloud environment (Unisuper, an investment company, which manages $80B). The company had backups in another region, but GCP deleted those too. Luckily, they had yet more backups on another provider.
504
4K
18K
@0xdabbad00
Scott Piper
3 years
😱😱😱 This is worse than ChaosDB for AWS. @orcasec gained access to all AWS resources in all AWS accounts! They accessed the AWS internal CloudFormation service. Separately, they did something similar for Glue.
25
473
1K
@0xdabbad00
Scott Piper
4 years
AWS has posted a post-mortem of Nov 25 incident. From the info there, we learn some of the internal service dependencies that caused the cascade of failures across services.
21
312
1K
@0xdabbad00
Scott Piper
3 years
I've begun a list of security mistakes made by Cloud Service Providers (AWS, GCP, Azure). Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.
14
293
885
@0xdabbad00
Scott Piper
4 years
For red teams and pentesters, and defenders wanting to know attacks to look for and protect against, I've written down the techniques I would use to attack AWS environments.
5
278
790
@0xdabbad00
Scott Piper
5 years
There are 5985 AWS privileges. 2505 (42%) have no condition restrictions possible (other than the global conditions) and can only use a resource of *. ec2 is the "worst" service with 259/338 (76%) privileges that cannot be restricted beyond * access. :(.
14
272
647
@0xdabbad00
Scott Piper
3 years
AWSSupportServiceRolePolicy just got s3:GetObject. 😱 That role is supposed to only have metadata visibility. @AWSSecurityInfo you need to roll that back.
@mamip_aws
Monitor AWS Managed IAM Policies
3 years
AWSSupportServiceRolePolicy.
15
149
653
@0xdabbad00
Scott Piper
5 years
This chart shows the counts of APIs by AWS service, grouped by the categories in the web console. It's interesting seeing how "large" some categories of the AWS ecosystem are that you may not have much knowledge of.
14
185
586
@0xdabbad00
Scott Piper
3 years
AWS outage in us-west-2 and us-west-1 for all you that thought you'd be safe from us-east-1.
5
102
528
@0xdabbad00
Scott Piper
3 years
Genie: You have 3 wishes. Me: I wish the status page was updated more often. Genie: Granted. There will be more outages. What else? Me: 😱. I wish AWS support was more helpful. Genie: Granted. They have read access to all your data now. Me: 😱 I'm not doing this anymore. 😭
8
89
509
@0xdabbad00
Scott Piper
3 years
There has never been an encryption related announcement from AWS that I didn't stare at thinking "You weren't doing that already?!?" 😳.
@awswhatsnew
What's New on AWS (Unofficial)
3 years
AWS Secrets Manager now automatically enables SSL connections when rotating database secrets. AWS Secrets Manager now transparently supports SSL connections when rotating database secrets for Amazon RDS MySQL, MariaDB, SQL Server, PostgreSQL, and Mo.
14
73
465
@0xdabbad00
Scott Piper
4 years
Big news! I'm shutting down my consulting business and just had my first day with @aurora_inno where I'll be leading AWS security. We're hiring! I suspect I'll be busy for a while, so I wanted to write down some project ideas I wasn't able to get to:
63
31
429
@0xdabbad00
Scott Piper
4 years
I took a first pass at mapping out how AWS security services all connect to one another and where to categorize them. Given all the cycles, PowerPoint was a poor choice given the minimal edge flexibility.
19
98
434
@0xdabbad00
Scott Piper
1 year
CISA is requiring all Federal agencies to disconnect Ivanti products by Friday at midnight (Ivanti Connect Secure & Ivanti Policy Secure). This is roughly 48 hours notice, to not patch, but rip it out! Ivanti is an American company. This is unprecedented.
16
184
389
@0xdabbad00
Scott Piper
3 years
We've hit the 30 minute mark into us-east-1 being down (based on the first post to hacker news) and no updates to the AWS status page yet. 🔥.
32
61
362
@0xdabbad00
Scott Piper
3 years
My general guidance for AWS has been to trust AWS is securing their side of the shared responsibility model (ex. don't spend much time worrying about the possibility of guest-to-host-escapes, CPU side channels, etc from other customers). That is not my belief for Azure. 🧵.
6
86
340
@0xdabbad00
Scott Piper
4 years
My 3rd annual "AWS Security Maturity Roadmap" is out! This is my guide for the steps to securely run on AWS. See what changed this year and download it at
5
142
328
@0xdabbad00
Scott Piper
6 years
flAWS 2 is out! Learn to hack serverless (Lambda) and containers (ECS/Fargate)! This time there is also a Defender track to learn log analysis with jq and Athena and common defender skills. Play it now at
5
180
310
@0xdabbad00
Scott Piper
3 years
S3 is designed to lose only 1 object per year for every 100B objects (which is really good!), but it means it now loses 2000 objects per year.
@jeffbarr
Jeff Barr ☁️
3 years
Welcome to #AWS Pi Day 2022 - . Amazon S3 now holds more than 200 trillion (2 x 10^14) objects (almost 29,000 objects for each resident of planet Earth) and averages over 100 million requests per second!.
9
45
263
@0xdabbad00
Scott Piper
5 years
Happy anniversary to Summit Route! 3 years ago today I started my AWS security consulting business. With recent tech layoffs happening, perhaps I can offer some advice as I've had some success with this life path and believe there are similar consulting opportunities.
10
43
248
@0xdabbad00
Scott Piper
5 years
The AWS whitepaper "Building a Scalable and Secure Multi-VPC AWS Network Infrastructure" is the best AWS whitepaper I've read. It does a great job of tying together the different network options, the situations they'd be used, and their limitations. 💯
0
59
248
@0xdabbad00
Scott Piper
4 years
Yikes! 😱 Project Zero found an issue that allows an attacker to impersonate any AWS IAM role (and similar GCP attack) to obtain secrets from Hashicorp Vault. The concept generically applies to likely lots of other software that tries to prove an AWS identity to something else.
@_fel1x
Felix Wilhelm
4 years
Enter the Vault: Authentication Issues in HashiCorp Vault
2
102
245
@0xdabbad00
Scott Piper
3 years
Looks like an ability to directly call Lambdas over the Internet without an API Gateway was just added to the SDK. 👀
13
43
247
@0xdabbad00
Scott Piper
2 years
Happy birthday AWS IAM policy language! 10 years old for the current version, with the original being from 2008-10-17.
4
43
234
@0xdabbad00
Scott Piper
5 years
Almost one year ago, after attending re:Inforce, I wanted there to be a cloud security conference that was independent of the cloud providers. I'm so excited that this is actually happening tomorrow after so many hours by the organizers and speakers.
10
54
227
@0xdabbad00
Scott Piper
11 years
Open-source Windows x86,x64 debugger http://t.co/gKefR9GO5W with IDA-like jump target side bar. http://t.co/dGlw76KbrW.
13
223
229
@0xdabbad00
Scott Piper
2 years
AWS open-sourced a fuzzer. "load a raw memory dump and register state into a KVM virtual machine (VM) for execution. At a point in execution, this VM can be reset to its initial state"
2
68
222
@0xdabbad00
Scott Piper
6 years
A reminder, my "AWS Security Maturity Roadmap" from April is my most useful thing for giving you direction on how to secure your AWS environments.
7
61
223
@0xdabbad00
Scott Piper
4 years
Cool AWS attack research by @Ryan_Jarv! If you have the ability to change route tables in a VPC and control an EC2 there, you can give custom userdata to all EC2s to get code exec on them. Presented at @BSidesDetroit. Slides and video:
1
56
215
@0xdabbad00
Scott Piper
3 years
OMG! CloseAccount!!!!.
9
51
206
@0xdabbad00
Scott Piper
4 years
As the year wraps up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.
5
71
204
@0xdabbad00
Scott Piper
2 years
If you have shell access on an EC2 and want to extract creds, instead of remembering how to get them from the 169.254.169.254 path, recent versions of the AWS CLI allow you to use `aws configure export-credentials --format env`.
4
41
198
@0xdabbad00
Scott Piper
5 months
Oof, AWS had a bug that allowed Transit Gateway peering requests to be accepted by the requestor, so an attacker could accept their own requests and peer to any gateway. The prevention logic for this was only in the web console UI, not the API. 😞
7
65
201
@0xdabbad00
Scott Piper
10 months
Someone asked me for a copy of document that doesn't exist because a genAI hallucinated it to them and said I authored it. It feels weird that a robot had a dream about me.
5
40
186
@0xdabbad00
Scott Piper
3 years
No more making Lambda@Edge functions just to add HTTP headers to CloudFront.
6
43
180
@0xdabbad00
Scott Piper
7 years
Cool new AWS security tools coming out of @NCCGroupInfosec recently. These have some similarities to CloudMapper's commands, but do some things differently.
1
85
188
@0xdabbad00
Scott Piper
5 years
I've started working on a list of the resource types on AWS that can be made public:
11
62
182
@0xdabbad00
Scott Piper
5 years
s3:Put* is more dangerous than it seems. At first glance you think it just means it grants the ability to put objects (i.e. write), but it also grants s3:PutBucketAcl or s3:PutBucketPolicy for anonymous read/write/list. 1/2
4
46
174
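To see what a wildcard like s3:Put* actually grants, expand it the way IAM matches Action patterns: '*' matches any run of characters, '?' one character, and names compare case-insensitively. The following is an added example, not code from the thread or from AWS; the action list is a constructed subset of real S3 action names, and the set of "access-control" actions is this example's own grouping.

```python
import re

# Constructed subset of real S3 action names; not an exhaustive list.
S3_ACTIONS = [
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutLifecycleConfiguration",
    "s3:PutEncryptionConfiguration",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:DeleteBucketPolicy",
]

# Actions that change who may read, write or list the bucket rather than
# what is stored in it. A "write-only" principal holding these can open the
# bucket to anyone, including itself under another identity.
ACCESS_CONTROL_ACTIONS = {
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutObjectAcl",
    "s3:PutBucketPublicAccessBlock",
}


def iam_action_regex(pattern):
    """Translate an IAM Action pattern into a regex.

    IAM treats '*' as any run of characters and '?' as a single character,
    and matches action names case-insensitively.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def expand_actions(pattern, known_actions=S3_ACTIONS):
    """Every known action the pattern would grant."""
    rx = iam_action_regex(pattern)
    return [a for a in known_actions if rx.match(a)]


def dangerous_grants(pattern, known_actions=S3_ACTIONS):
    """The access-control actions an innocent-looking pattern silently includes."""
    return sorted(set(expand_actions(pattern, known_actions)) & ACCESS_CONTROL_ACTIONS)


if __name__ == "__main__":
    for pat in ("s3:Put*", "s3:PutObject*", "s3:PutObject"):
        print(pat, "->", expand_actions(pat))
        print("   access-control actions included:", dangerous_grants(pat))
```

Run against the full action list from the IAM documentation instead of the constructed subset to audit a real policy; even the narrower-looking s3:PutObject* still pulls in s3:PutObjectAcl.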
@0xdabbad00
Scott Piper
1 year
MS incident timeline:
April 5th, 2016: Key was issued.
April 4th, 2021: Key expired.
April 2021: System that used the key crashes.
May 15, 2023: Storm-0558 gained access to email accounts affecting approximately 25 organizations using that expired key. 🧵 1/3
2
42
171
@0xdabbad00
Scott Piper
4 years
Default budget controls is the single most important thing AWS employees could do both for ensuring long-term revenue growth by making it more approachable for beginners that will turn into larger customers AND to help low income groups have opportunities to safely learn.
5
28
157
@0xdabbad00
Scott Piper
4 years
This update exposes a lot of the internals of how Lambda works. Ex. Lambda runs on EC2 nitro bare metal instances and invokes are done using SQS behind the scenes.
@jeffbarr
Jeff Barr ☁️
4 years
Newer than New (Feb 2021) - Security Overview of #AWS Lambda -
1
45
160
@0xdabbad00
Scott Piper
4 years
I've reached 10K followers 🎉. I can afford to lose some, so I finally gotta say it, some of you baby your cast iron too much. Seasoning doesn't matter. Just cook with more butter. I don't clean with soap, but I would or even an angle grinder if needed. It's made to take abuse.
14
7
157
@0xdabbad00
Scott Piper
7 years
The biggest infosec story of this week was the BGP hijack of the payment processor. Multiple operators compromised or colluded to hijack the same routes, routing through the breakaway eastern Ukraine province, same as the BGP hijack against Amazon in April
3
115
153
@0xdabbad00
Scott Piper
4 years
Don't hire consultants that break NDAs and publicly shame their clients in order to win Internet points.
@briankrebs
briankrebs
4 years
This Associated Press story includes references and quotes from a guy who did an audit (not strictly security) for Colonial in 2017 that found “atrocious” information management practices and “a patchwork of poorly connected and secured systems.”
7
19
151
@0xdabbad00
Scott Piper
3 years
Cloud vulns of the past 4 weeks 🧵:
Azure:
- ChaosDB
- Azurescape
- OMIGOD
- Log Analytics role privesc
@kfosaaen
Karl
3 years
This took almost a year to get through the disclosure approval process, but here's the @NetSPI blog that covers the privilege escalation issue (now fixed) that we found with the Azure Log Analytics Contributor role -
4
63
153
@0xdabbad00
Scott Piper
5 years
This is amazing and terrifying. Azure Sentinel looks to be more capable of monitoring AWS environments than AWS's own GuardDuty. 😮 Specifically, the ability to detect IAM role credential exfil
@ram_ssk
Ram Shankar Siva Kumar
5 years
#AzureSentinel ❤️ #AWS. See ⬇️ as @ashwinpatil sets the stage to execute a cloud kill chain - from abusing IAM privileges in AWS to exfilling data, mimicking the Capital One breach -- followed by detection logic. cc: @0xdabbad00.
2
54
149
@0xdabbad00
Scott Piper
5 years
The AWS SDK just got a command ec2:ExportImage for converting an AMI to a VM image, which should be helpful for analyzing AMIs without having to spin up an EC2. I once analyzed a malicious AMI and it was not ideal from a forensics view to have to boot it as an EC2 to do so.
5
47
149
@0xdabbad00
Scott Piper
3 years
Access Denied errors are going to say which type of policy is denying them (SCP vs resource vs IAM vs boundary vs VPC endpoint, etc.)! This is going to be a huge help for debugging these.
@AWSBlogUnreal
AWS Blog Unofficial.
3 years
The AWS Security, Identity & Compliance Blog #AWSSecurity.By: Guaravee Gandhi*.
12
31
145
@0xdabbad00
Scott Piper
6 years
I put all of the checks of PacBot, Security Monkey, and Prowler into a table, and then compared them to Trusted Advisor, Managed AWS Config Rules, and CloudMapper. Not all checks of the latter 3 tools are listed.
5
45
144
@0xdabbad00
Scott Piper
7 years
It's out! Open-source tool for visualizing #awscloud environments developed at @duosec: Demo: #cloudsecurity.
4
76
147
@0xdabbad00
Scott Piper
6 years
Happy Birthday! Two years ago I released flAWS while running security for a company to teach the team there. The positive feedback I received motivated me to focus on AWS security full-time and start my consulting business. 😊
@SummitRoute
Summit Route
8 years
flAWS challenge is live! Learn about AWS security mistakes. #aws #devops #security
8
29
138
@0xdabbad00
Scott Piper
5 years
The AWS Security Forum slack has been renamed to the Cloud Security Forum, with channels for AWS, GCP, and Azure security. DM for invite.
11
24
139
@0xdabbad00
Scott Piper
1 year
Only available in Tokyo and only for R7g instances. 🤔 Congrats to the one customer that held firm on their requirement.
@aws_recent_news
AWS Recent News (Unofficial)
1 year
Amazon Time Sync Service now supports microsecond-accurate time. The Amazon Time Sync Service now gives you a way to synchronize time within microseconds of UTC on.
7
14
141
@0xdabbad00
Scott Piper
3 years
Infinite loop created between two Lambdas resulted in "several-hundred-thousand dollar bill in a couple of hours". ♾💸 .
6
32
137
@0xdabbad00
Scott Piper
3 years
Finally finished a guest room bed. No screws or nails. Glue only on the top rails and on the spacers for the slats. Hickory wood, which was a horrible choice for chiseling mortise holes, but it’s rock solid. Can be disassembled by popping out the dowels.
9
1
134
@0xdabbad00
Scott Piper
5 years
Interesting issue where the password reset flow can allow account take-over if you register an account with a similar email domain with a unicode case collision. More interesting, it impacts Django.
2
69
131
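The collision works because full Unicode case mapping is not injective: the dotless ı (U+0131) upper-cases to a plain I, so an attacker who registers gıthub.com gets an address that matches the victim's under a naive case-insensitive lookup. The following is an added example, not code from the tweet or from Django; the user table and reset flow are constructed stand-ins for an application that matches users by email case-insensitively and then mails the reset link to whatever address the requester typed.

```python
import unicodedata

# Constructed user table: stored email -> user id.
USERS = {"alice@github.com": "alice"}


def find_users_vulnerable(submitted):
    """Case-insensitive match via Unicode upper-casing. This is the trap:
    'ı' (U+0131, dotless i) upper-cases to plain 'I', so gıthub.com == GITHUB.COM."""
    wanted = submitted.upper()
    return [uid for stored, uid in USERS.items() if stored.upper() == wanted]


def reset_recipient_vulnerable(submitted):
    """Where the reset link gets mailed. Bug: to the address the requester typed,
    which for the attacker is a domain they control."""
    return submitted if find_users_vulnerable(submitted) else None


def _ci_equal(a, b):
    """Compare on NFKC-normalized, casefolded text. casefold() keeps 'ı' distinct
    from 'i', unlike upper(). NFKC maps compatibility characters (the Kelvin
    sign, for one) to their plain form first, so those still collide."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def reset_recipient_fixed(submitted):
    """Mail only the address on record, and match with the stricter comparison.
    Mailing the stored address is the change that kills the attack outright;
    the stricter comparison only narrows which look-alikes match at all."""
    for stored in USERS:
        if _ci_equal(stored, submitted):
            return stored
    return None


if __name__ == "__main__":
    attacker = "alice@g\u0131thub.com"   # attacker registered gıthub.com
    print("vulnerable flow mails to:", reset_recipient_vulnerable(attacker))
    print("fixed flow mails to:     ", reset_recipient_fixed(attacker))
```

The general rule is the first one: a reset link is a credential, so it goes only to contact details already on the account, never to user-supplied input, whatever comparison the lookup uses.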
@0xdabbad00
Scott Piper
6 years
Slides from my talk at #IRespondCon. Main points for IR on AWS if you don't have logs already in ELK/Splunk:
- Use CloudTrail Event History for 90 days of guaranteed-to-exist CloudTrail logs that an attacker can't touch.
- Learn jq and Athena.
2
55
131
@0xdabbad00
Scott Piper
2 years
Mailchimp compromised -> Used to compromise the password resets for DigitalOcean accounts -> Used to compromise crypto companies.
0
83
137
@0xdabbad00
Scott Piper
5 years
Fun fact: Route53 is the only AWS service with a 100% uptime SLA. Unfun fact: AWS SLAs are mostly meaningless and Route53 is having issues right now.
5
52
131
@0xdabbad00
Scott Piper
4 years
AWS Engineer: Oh no, I gotta fix these services! Manager: First, break CloudWatch and don't update the status page! Engineer: What?!? Manager: We have to provide refunds due to SLA if customers can prove the service was down. If we break CloudWatch, they can't prove anything.
4
15
130
@0xdabbad00
Scott Piper
5 years
I've started monitoring IAM privileges by scraping the docs at These fluctuate more than I expected, meaning that not only do new privileges appear (as expected), but some get removed. Those privs will still work, they just aren't documented anymore.
6
25
128
@0xdabbad00
Scott Piper
5 years
AWS has a different classification of public than you may have for S3 buckets. If you allow access to a bucket from an IP range that is a /2 or smaller (25% of the Internet, 1 billion IPs), then it is not viewed as public and will not be stopped by S3 Block Public Access.
8
51
126
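The rule is easy to get wrong when reviewing bucket policies by hand, so here it is as code. This is an added example, not AWS's implementation: it applies only the threshold stated in the tweet (an Allow to everyone stays "not public" if every aws:SourceIp range is /2 or narrower), considers only the IpAddress operator, and has IPv4 in mind; the rest of AWS's definition of "public" is out of scope. The four statements are constructed.

```python
import ipaddress

# Threshold from the tweet: a SourceIp range of /2 or longer (narrower) is
# not treated as public by Block Public Access; /0 and /1 are.
PUBLIC_PREFIX_LIMIT = 2


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_everyone(statement):
    """True for Principal "*" or {"AWS": "*"} (alone or among other entries)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def widest_source_ip_prefix(statement):
    """Smallest prefix length among aws:SourceIp values under an IpAddress
    condition, or None when the statement has no such condition."""
    lengths = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "IpAddress":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceip":
                for cidr in _as_list(value):
                    lengths.append(ipaddress.ip_network(cidr, strict=False).prefixlen)
    return min(lengths) if lengths else None


def is_public(statement):
    """An Allow to everyone is public unless every aws:SourceIp range is /2 or narrower."""
    if statement.get("Effect") != "Allow" or not principal_is_everyone(statement):
        return False
    prefix = widest_source_ip_prefix(statement)
    if prefix is None:
        return True  # no IP restriction at all
    return prefix < PUBLIC_PREFIX_LIMIT


# Constructed statements for illustration.
QUARTER_OF_IPV4 = {
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "64.0.0.0/2"}},
}
HALF_OF_IPV4 = {**QUARTER_OF_IPV4, "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/1"}}}
WIDE_OPEN = {k: v for k, v in QUARTER_OF_IPV4.items() if k != "Condition"}
ACCOUNT_ONLY = {**WIDE_OPEN, "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}

if __name__ == "__main__":
    for label, stmt in [("quarter of IPv4", QUARTER_OF_IPV4), ("half of IPv4", HALF_OF_IPV4),
                        ("no condition", WIDE_OPEN), ("single account", ACCOUNT_ONLY)]:
        print(f"{label:16} -> {'public' if is_public(stmt) else 'not public'}")
```

The practical takeaway: a policy that Block Public Access waves through can still expose a bucket to a billion addresses, so a review should apply its own threshold (or ban aws:SourceIp grants to "*" altogether) rather than relying on the console's public/not-public badge.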
@0xdabbad00
Scott Piper
3 years
AWS Terms and Conditions added a hugely important and much needed addition, §1.19 "We will not use Individualized Usage Data or Your Content to compete with your products and services." (added Jan 28).
2
25
125
@0xdabbad00
Scott Piper
5 years
I hadn't seen this. If an attacker compromises your AWS account, they can backdoor the DNS responses you'll get without you being able to detect it. It can be spotted in CloudTrail logs, but there is no API to review these, only manual web console browsing.
6
57
129
@0xdabbad00
Scott Piper
3 years
Thank you @cloudflare for your R2 announcement 2 months ago to force AWS to reduce their egress charges.
@jeffbarr
Jeff Barr ☁️
3 years
#AWS Free Tier Data Transfer Expansion – 100 GB From Regions and 1 TB From Amazon CloudFront Per Month -
3
23
128
@0xdabbad00
Scott Piper
2 years
I am in constant awe of Aidan's ability to quickly jump onto a new feature, figure out how it works, develop a new tool that uses that, write a blog post, and in this case communicate findings to AWS security and create a diagram! This was 75 hours from announcement to all this!.
@__steele
Aidan W Steele
2 years
I published a blog post (and PoC CLI) describing how the new Systems Manager Default Host Management Configuration (what a mouthful) provides a new way to pass an IAM role to all EC2 instances in your account+region - even those without instance profiles.
6
10
129
@0xdabbad00
Scott Piper
3 years
AWS just released a security bulletin about their addition of s3:GetObject to the support role: Below is what I wrote in 2020, where I reference various previous blunders. A few short months later they had the ReadOnlyAccess disaster. 🧵.
@0xdabbad00
Scott Piper
5 years
It is insane that AWS doesn't appear to have any controls over who at AWS can update Managed Policies. In the past month they've clearly made two innocent blunders here, but what if someone removed key privileges from a commonly used policy? What about insider threats?.
2
32
128
@0xdabbad00
Scott Piper
9 months
Last night a blog post showed that AWS charges for access denieds on S3 buckets, resulting in one person being charged over $1300 for 100M requests against a private S3 bucket in one day. I believe the only solution is for AWS to change their pricing.🧵1/6
2
37
129
@0xdabbad00
Scott Piper
6 years
AWS just announced an on-prem version. They'll sell the same hardware to you as they use, with the same software. This means people could more easily, and with less risk, figure out how to do things like guest escapes and other attacks.
7
38
118
@0xdabbad00
Scott Piper
2 years
Dan Urson has been the voice of AWS security to many of us. He's the person external researchers interact with when they find issues (or think they find issues) with AWS. Any team would be lucky to have him.
3
27
119
@0xdabbad00
Scott Piper
3 years
Come work on the AWS security team at Square with me and other great folks! No cloudsec or security experience needed. Remote.
@santosh_ankr
Santosh Ananthakrishnan
3 years
We're hiring early career software engineers who are looking to break into cloud security. No previous security experience required - we'll teach you! Apply here:
4
36
120
@0xdabbad00
Scott Piper
3 years
I am very curious to learn more about the new Roles Anywhere service that hit the SDK today. "Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications running outside of AWS to obtain Temporary AWS credentials."
@publiccloudbot
Public Cloud Bot
3 years
AWS SDK for Go has a new release "Release v1.44.48", published at 2022-07-05 18:24:57 (UTC). #pcb_aws.
5
21
120
@0xdabbad00
Scott Piper
3 years
GuardDuty's UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS is finally arriving on January 20! From the Guardduty SNS:
1
30
120
@0xdabbad00
Scott Piper
3 years
us-east-1 is down. Status page remains green as always.
13
16
120
@0xdabbad00
Scott Piper
4 years
You can now get access to the DNS logs of the VPC DNS resolver! Previously only GuardDuty had access to those.
3
36
119
@0xdabbad00
Scott Piper
5 years
Multi-account AND multi-region 🤯🤯🤯 Every team at AWS, go talk to the Systems Manager team on how they did multi-region aggregation (looking at you GuardDuty, Access Analyzer, and CloudWatch Events).
@awswhatsnew
What's New on AWS (Unofficial)
5 years
AWS Systems Manager Explorer now provides a multi-account, multi-region summary of AWS Compute Optimizer recommendations. Starting today, AWS Systems Manager Explorer provides a summary of AWS Compute Optimizer recommendations to help you improve c.
0
20
116
@0xdabbad00
Scott Piper
5 years
VPC Flow Logs can now include the instance id, subnet id, and vpc id, along with a way to better identify the actual initiator of traffic.
1
40
116
@0xdabbad00
Scott Piper
7 years
New research by me on what attackers might go after in AWS if people stopped making S3 buckets public. Check your ElasticSearch.
5
79
116
@0xdabbad00
Scott Piper
3 years
I bet that now there is a CloseAccount API, folks will cycle accounts more often, and AWS will need to expand account IDs beyond 12 digits sooner than they may have expected.
11
11
119
@0xdabbad00
Scott Piper
3 years
AWS Lambda API names will no longer include the version in their CloudTrail records on Oct 20. Check your detection rules. Ex. CreateFunction20150331 will now be just CreateFunction. There is no public notice, only an email to select customers. #aws_breaking_change.
3
37
114
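A detection rule that keys on the raw eventName string goes quiet the day the suffix disappears. The robust approach is to normalize the name before matching, so one rule covers both forms. The following is an added example, not code from the tweet or from AWS: the records are constructed CloudTrail-style events trimmed to the fields the rule reads, the "DeployRole" allow-list is hypothetical, and the pre-change names in OLD_RULE_NAMES are the versioned forms as this example assumes them.

```python
import re

# Lambda's CloudTrail eventName carried the API version date
# (CreateFunction20150331) and, on some names, a further "v2" suffix.
VERSION_SUFFIX = re.compile(r"(?<=[A-Za-z])\d{8}(?:v\d+)?$")


def normalize_event_name(name):
    """CreateFunction20150331 -> CreateFunction; names without a suffix pass through."""
    return VERSION_SUFFIX.sub("", name)


# Rule: Lambda code or permission changes by anything other than the deploy role.
WATCHED = {"CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration", "AddPermission"}
# The same rule as it would have been written against the old, versioned names.
OLD_RULE_NAMES = {"CreateFunction20150331", "UpdateFunctionCode20150331v2"}
DEPLOY_ROLE = re.compile(r":assumed-role/DeployRole/")  # hypothetical allow-listed caller


def lambda_change_alerts(records, normalize=True):
    """Return (eventTime, eventName, caller) for watched Lambda events from
    unexpected callers. normalize=False is the pre-change rule that matched the
    raw, versioned names and therefore misses the new form."""
    names = WATCHED if normalize else OLD_RULE_NAMES
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = normalize_event_name(rec["eventName"]) if normalize else rec["eventName"]
        caller = rec["userIdentity"]["arn"]
        if name in names and not DEPLOY_ROLE.search(caller):
            alerts.append((rec["eventTime"], name, caller))
    return alerts


# Constructed CloudTrail-style records straddling the rename.
RECORDS = [
    {"eventTime": "2022-10-19T09:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/ci"}},
    {"eventTime": "2022-10-19T11:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2022-10-20T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2022-10-20T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]

if __name__ == "__main__":
    print("old rule:       ", lambda_change_alerts(RECORDS, normalize=False))
    print("normalized rule:", lambda_change_alerts(RECORDS))
```

Whichever tool runs the rule (Athena, jq, a SIEM), put the normalization in the field extraction so every rule benefits, and keep a canary rule that fires on any Lambda eventName still carrying a digit suffix so you notice when the log format shifts again.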
@0xdabbad00
Scott Piper
6 years
😱 If an AWS IAM user is phished, the cookies allow access to be maintained despite changing the password, logging out, or changing MFA. Only defense is DenyAll the user for 12 hours until the cookies expire. Great find @SpenGietz !.
@RhinoSecurity
Rhino Security Labs
6 years
We just released some new research on the power of phished persistent cookies in AWS. Read it on our website here!
6
66
117
@0xdabbad00
Scott Piper
5 years
The average lifetime of a Lambda run-time between AWS support for it to EOL is 2 years and 23 days (for those that have been given EOL dates so far). The idea of only needing to worry about your code with serverless has some exceptions. #aws_breaking_changes
6
43
112
@0xdabbad00
Scott Piper
4 years
There was a TLS issue that impacted AWS ALBs which could have allowed MitM attacks. Will AWS inform impacted customers? Nice work by the folks at Paderborn and Ruhr universities for discovering the issue.
8
45
112
@0xdabbad00
Scott Piper
2 years
"IMDSv2 enabled by default" 😍😍😍.
@awswhatsnew
What's New on AWS (Unofficial)
2 years
Announcing Amazon Linux 2023. Today, we are announcing the general availability of Amazon Linux 2023 (AL2023), our new Linux-based operating system for AWS that is designed to provide a secure, stable, high-performance environment to develop and run.
4
13
113
@0xdabbad00
Scott Piper
2 years
The proactive community engagement by @notdurson of AWS security is a huge asset to the trust us cloudsec folks have in AWS. Thank you.
3
13
109
@0xdabbad00
Scott Piper
3 years
Second log4j2 bulletin from AWS (published 7:30 PM PDT on Saturday): More AWS services are impacted. Subtle acknowledgements that S3 and other services are now patched or are being patched. 😬 The recommended WAF rules do not look comprehensive.
@0xdabbad00
Scott Piper
3 years
AWS security bulletin on the log4j issue: Doesn't say much other than you should use their WAF product. which can be bypassed.
0
39
113
@0xdabbad00
Scott Piper
2 years
I’d forgotten to mention it on Twitter, but I started working for Wiz recently. I’m at re:Invent and can be found at our booth if you want to say hi.
8
2
111
@0xdabbad00
Scott Piper
2 years
The nice thing about AWS AZs is a guarantee that they are physically spread out ("many kilometers"). GCP zones on the other hand are located within the same building, so a physical incident impacting one zone (a flood in this case), impacts all within the region.
@GCP_Incidents
GCP Incidents
2 years
Update: High Multiple Products incident: Multiple Google Cloud services in the europe-west9 region are impacted. Summary: Multiple Google Cloud services in the europe-west9 region are impacted 1/11.
7
18
108
@0xdabbad00
Scott Piper
3 years
Hey @TwitterSupport, please re-enable this account: @awswhatsnew It just tweets the links from Amazon's RSS feed.
5
10
105
@0xdabbad00
Scott Piper
6 years
CloudMapper has reached 2,000 stars on GitHub! If you thought that project only visualized networks, you'll be pleasantly surprised to see there are 8 other commands now. It's the swiss army knife of AWS auditing.
1
42
108
@0xdabbad00
Scott Piper
3 years
This is a REALLY good read. Shows how the team explored and chained multiple issues together in a cloud environment and how a number of mistakes by Azure led to this devastating outcome.
@shirtamari
Shir
3 years
Here it is-.
2
40
106
@0xdabbad00
Scott Piper
6 years
CloudMapper can now identify IAM users and roles in an account with specific privileges, such as s3:ListAllMyBuckets in order to help identify over-privileged principals (such as what seems to have happened with Capital One):
0
49
109
@0xdabbad00
Scott Piper
2 years
Europe is getting a classified AWS region.
3
12
110
@0xdabbad00
Scott Piper
3 years
AWS re:Invent 2021 Youtube playlists are up. Here is Security and Compliance and Identity. h/t @zoph.
1
33
110
@0xdabbad00
Scott Piper
5 years
My table of features AWS services support now includes whether they have CloudFormation support, thanks to a PR from Pat Myron!
5
31
108
@0xdabbad00
Scott Piper
5 years
If an AWS tool requires you to enter access keys or specify a profile, it does not use best practices. Beware. Developers: Let the AWS SDK do its thing, it'll obtain creds automatically via the environment vars, config file, metadata service, etc.
9
29
102
@0xdabbad00
Scott Piper
6 years
Steps AWS can take to help customers avoid breaches like Cap One's (based on some assumptions of what happened) #awswishlist:
- HTTP Host Header check the metadata service to prevent SSRF. Easy game changing win.
- Improve granularity of Access Advisor to action level. 1/2
15
35
107
@0xdabbad00
Scott Piper
3 years
AWS has caused a lot of unneeded stress in the past 24 hours by sending incorrect info about log4shell compromises in customer accounts: non-existing instance IDs, resources with no Java, etc. 😔.
8
23
103