Digging For Buried Treasure In The Cloud

By now we have all heard of the security benefits that the private cloud brings. However, we still see organisations making mistakes when it comes to securing their data within the cloud.

Scenarios can range from sensitive data stored within publicly available storage services such as S3 buckets in AWS or unauthorised access to cryptographic secrets and keys found within code repositories such as git. Although these problems are not unique to cloud services the rapid/cheap/easy deployment model of cloud services are increasing the frequency of these incidents and, in many cases, is making detection more difficult.

Common causes for these mistakes include:

• Shadow IT - many services can be brought online without involvement from IT teams, so we find business teams owning systems that they are ill-equipped to understand or control;
• Inadequate or lack of organisation policy, procedures and standards governing cloud usage; and/li>
• In many cases a lack of user training and awareness regarding the use of cloud and the shared responsibility model.

Recent instances of sensitive data being made public through cloud services include SSL firmware keys for drones, “ Top Secret” military CV's being leaked through S3, keys for databases containing Uber service user information and various instances of access keys being discovered within Github repositories such as the Ryan Hellyer and DXC incidents.

These incidents caused various tangible and intangible damages including, but not limited to:

• Reputational damage;
• Enforcement action including financial (fines) or operational sanctions;
• Reduction of share price;
• Large bills from unauthorised use of cloud services;
• Loss of trust in the organisation by stakeholders, consumers and the public; and
• Abuse misuse and unavailability of IT services.

It can be safely assumed that many other incidents have occurred which have not been brought into the public eye. The current threat landscape contains a diverse set of threat actors and when combined with a plethora of freely available tools, it is no surprise that this is a very popular attack vector.

Popular opensource tools used to audit cloud repositories can be found below.

Bridewell provide no assurance, guarantee or recommendation for these tools.

• Repo Security Scanner - https://github.com/UKHomeOffice/repo-security-scanner
• Repo Supervisor - https://github.com/auth0/repo-supervisor
• GitLeaks - https://github.com/zricethezav/gitleaks
• TruffleHog - https://github.com/dxa4481/truffleHog
• S3Scanner - https://github.com/sa7mon/S3Scanner
• BucketDump - https://github.com/jordanpotti/AWSBucketDump

The barrier to entry for using these tools can be considered low and it's important to note that these tools can effectively be utilised by anyone with a computer and internet connection.

These tools can be used standalone or automated into your DevOps environment to run code checks both duringdevel deployment of S3 buckets and to audit existing S3 infrastructure. 

In general, the tools enable the detection of secrets and sensitive data that has been made public, enabling responsible teams to remediate. In many cases cloud services are already secure by default and require human interaction to make resources public. However, organisations should ensure processes are in place to ensure cloud services are configured securely and that monitoring is in place to alert on deviations from an approved security baseline.

It is recommended that internal teams review the use of tools such as these to enhance current capabilities and bring value to the business. As part of a layered defence this can help reduce the attack surface presented by your public cloud environment.

It has never been more important than now to ensure that cloud services are configured in accordance with security best practices and that organisational policies are in place to govern cloud usage. It is equally important to embed security within your development and operations teams ensuring they have the knowledge and resources to be able to monitor and respond to security misconfigurations.