BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:a6cba986-07f5-4505-b292-709389d7aea2
DTSTAMP:20260520T060552Z
SUMMARY:SaaSpocalypse - The Complexity and Power of AWS Cross Account Acces
 s
DESCRIPTION:Title: SaaSpocalypse - The Complexity and Power of AWS Cross Ac
 count Access\n\nDescription:\nAWS is a very complex and ever-changing plat
 form\, which presents a challenge to defenders and an opportunity for atta
 ckers. Among some of the most complex and powerful features of AWS is its 
 IAM functionality\, which allows for very granular control but is famously
  complex to learn and set up.\n\nOne of the features of access control in
  AWS
  is that AWS accounts are a self-contained unit of processing\, storage an
 d access control. Given how AWS itself recommends segregation across accou
 nts as a best practice\, and the fact that many SaaS vendors request acces
 s to their customers' accounts in order to perform their services\, this p
 resents a challenge.\n\nIn this talk we will present in detail the policy-
 fu needed in order to securely allow principals from one account to perfor
 m actions on another\, both inside different accounts in an organization b
 ut especially from the perspective of a SaaS provider that needs to access
  hundreds or thousands of customer accounts. Existing research on defenses
  and possible attacks will be presented and demonstrated to illustrate the
  concepts.\n\nSaaS vendors like "single pane of glass" offerings\, multi-c
 loud solutions and CSPM offerings are huge concentrators of risk since the
 y have access to potentially thousands of customer AWS accounts. By explor
 ing how this access can be uniquely secured due to capabilities only AWS p
 rovides and how vendors can fail at this we hope to allow attendees to bet
 ter understand the risks of using these services\, and also help service p
 roviders mitigate them.\n\n=====\n\nYouTube: https://www.youtube.com/watch
 ?v=gwBG_oKDINQ\n\n#cloudv-general-text: https://discord.com/channels/70820
 8267699945503/732733373172285520\n\nSpeaker(s): Alexandre Sieira\n\nLocati
 on: Cloud Vlg\n\nDiscord: https://discord.com/channels/708208267699945503/
 732733373172285520\n\nEvent starts: 2020-08-08 14:45 (02:45 PM) PDT (UTC -
 07:00)\n\nEvent ends: 2020-08-08 15:30 (03:30 PM) PDT (UTC -07:00)\n\nFor 
 the most up-to-date information\, please either visit https://info.defcon.
 org\, or use HackerTracker\, which is available for iOS and Android. This 
 is an automated message\, and this data was last modified 2020-08-08T05:43
  (UTC).
URL:https://forum.defcon.org/node/234724
DTSTART:20200808T224500Z
DTEND:20200808T233001Z
LOCATION:Cloud Vlg
END:VEVENT
END:VCALENDAR
