
SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

    Title: SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

    AWS is a very complex and ever-changing platform, which presents a challenge to defenders and an opportunity for attackers. Among some of the most complex and powerful features of AWS is its IAM functionality, which allows for very granular control but is famously complex to learn and set up.

    One of the features of access control in AWS is that AWS accounts are a self-contained unit of processing, storage and access control. Given how AWS itself recommends segregation across accounts as a best practice, and the fact that many SaaS vendors request access to their customers' accounts in order to perform their services, this presents a challenge.

    In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts.

    SaaS vendors like "single pane of glass" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.




    Speaker(s): Alexandre Sieira

    Location: Cloud Vlg


    Event starts: 2020-08-08 14:45 (02:45 PM) PDT (UTC -07:00)

    Event ends: 2020-08-08 15:30 (03:30 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-08T05:43 (UTC).
    Last edited by aNullValue; August 8, 2020, 00:20.
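The abstract above describes how a SaaS provider is granted access to customer accounts and how vendors can get this wrong. The usual AWS mechanism is a cross-account IAM role whose trust policy names the vendor's account as a principal; the documented confused-deputy mitigation is to require the vendor to present a per-customer `sts:ExternalId` when calling `sts:AssumeRole`. The script below is an added example written for this page, not material from the talk or from DEF CON: it audits a role trust policy document and flags statements that let a foreign account (or a wildcard principal) assume the role without an ExternalId condition. The two policy documents and the 12-digit account IDs in it are constructed placeholders.

```python
"""Audit an IAM role trust policy for weak cross-account access.

Added example, not from the talk or the DEF CON page. The policy
documents and account IDs below are constructed placeholders.
"""
import re

# Matches the account ID inside an IAM principal ARN such as
# arn:aws:iam::222222222222:root
ACCOUNT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the set of account IDs named in a Principal block ('*' for wildcard)."""
    if principal == "*":
        return {"*"}
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    accounts = set()
    for entry in entries:
        if entry == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", entry):  # bare account ID form
            accounts.add(entry)
        else:
            match = ACCOUNT_ARN_RE.match(entry)
            if match:
                accounts.add(match.group(1))
    return accounts


def _requires_external_id(condition):
    """True if any StringEquals* condition pins sts:ExternalId."""
    for operator, keys in (condition or {}).items():
        if operator.startswith("StringEquals") and "sts:ExternalId" in keys:
            return True
    return False


def audit_trust_policy(policy, own_account):
    """Return a list of human-readable findings for a trust policy document.

    own_account is the 12-digit ID of the account that owns the role; any
    other account named as a principal is treated as cross-account access.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"statement {index}: wildcard principal may assume this role")
            continue
        foreign = sorted(accounts - {own_account})
        if foreign and not _requires_external_id(stmt.get("Condition")):
            findings.append(
                f"statement {index}: cross-account principal(s) {foreign} "
                "without sts:ExternalId condition"
            )
    return findings


# Constructed sample: customer account 111111111111 trusts vendor account
# 222222222222 with no ExternalId, so any tenant of the vendor who can make
# it assume roles could be pointed at this one (confused deputy).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: same trust, but the vendor must present the
# per-customer ExternalId the customer was issued during onboarding.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(doc, "111111111111") or ["no findings"])
```

In practice you would feed `audit_trust_policy` the `AssumeRolePolicyDocument` returned by `iam:GetRole` for each role in an account; the check is deliberately conservative and only treats `StringEquals`-style conditions on `sts:ExternalId` as a mitigation, since a `StringLike` wildcard would not bind the vendor to one customer.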