Title: SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

AWS is a very complex and ever-changing platform, which presents a challenge to defenders and an opportunity for attackers. Among the most complex and powerful features of AWS is its IAM functionality, which allows for very granular control but is famously difficult to learn and set up.

One of the features of access control in AWS is that AWS accounts are a self-contained unit of processing, storage and access control. Given that AWS itself recommends segregation across accounts as a best practice, and that many SaaS vendors request access to their customers' accounts in order to perform their services, this presents a challenge.

In this talk we will present in detail the policy-fu needed to securely allow principals from one account to perform actions on another, both between different accounts in an organization and especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts.

SaaS vendors like "single pane of glass" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk, since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides, and how vendors can fail at this, we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.


YouTube: https://www.youtube.com/watch?v=gwBG_oKDINQ

#cloudv-general-text: https://discord.com/channels/7082082...33373172285520

Speaker(s): Alexandre Sieira

Location: Cloud Vlg

Discord: https://discord.com/channels/7082082...33373172285520

Event starts: 2020-08-08 14:45 (02:45 PM) PDT (UTC -07:00)

Event ends: 2020-08-08 15:30 (03:30 PM) PDT (UTC -07:00)

For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-08T05:43 (UTC).