Daily Blog #751: Sunday Funday 2/16/25
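This post presents a challenge on detecting the retrieval of temporary access keys from AWS IAM roles: participants work through four scenarios (retrieving keys from IMDS v1/v2 and using them inside and outside AWS), document the logs that could identify potential threats, and have a chance to win a prize. 2025-2-16 22:8:0 Author: www.hecfblog.com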

By February 16, 2025


 

Hello Reader,

It's Sunday! This week's challenge is all about what's left behind when someone is able to get a temporary access key from an IAM role in AWS. Let's see who is able to build out the best detection set!

The Prize:


$100 Amazon Gift Card

The Rules:

  1. You must post your answer before Friday 2/21/25 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed; please email them to [email protected]. Please state in your email whether you would like to remain anonymous if you win.
  7. In order for an anonymous winner to receive a prize, they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed, but if a post is deemed to be entirely AI written it will not qualify for a prize.

The Challenge:

AWS IAM Roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDS v2 may prevent some attacks, the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine that these actions occurred.

1. Retrieve a temporary AWS access key credential from IMDS v1

2. Retrieve a temporary AWS access key credential from IMDS v2

3. Use the temporary access key within an AWS VM

4. Use the temporary access key from outside of AWS

For all four scenarios, determine what logs are created.

Bonus: Try to document other scenarios of theft and use, and additional sources of evidence.
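One way to start comparing scenarios 3 and 4 from CloudTrail, as an added example that is not part of the original post: credentials issued to an EC2 instance role carry the instance ID as the role session name, so calls made with them can be matched against the IPs that instance is known to use. The event records, account ID, role name and the `INSTANCE_IPS` inventory are constructed placeholders.

```python
import ipaddress
import re

# Session ARN of EC2 instance-role credentials: the session name is the instance ID.
SESSION_RE = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

# Constructed CloudTrail records (placeholders, not real logs), trimmed to the fields used.
def _ev(name, src, session):
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": "AssumedRole",
                "arn": f"arn:aws:sts::111122223333:assumed-role/ExampleRole/{session}"}}

SAMPLE_EVENTS = [
    _ev("ListBuckets", "203.0.113.10", "i-0abc1234def567890"),         # from the instance
    _ev("GetCallerIdentity", "198.51.100.77", "i-0abc1234def567890"),  # same key, other IP
    _ev("DescribeInstances", "198.51.100.77", "alice"),                # not an instance session
    _ev("Decrypt", "ec2.amazonaws.com", "i-0abc1234def567890"),        # DNS name, not an IP
]

# Assumed inventory: every private and public IP each instance has held.
INSTANCE_IPS = {"i-0abc1234def567890": {"10.0.1.25", "203.0.113.10"}}

def off_instance_use(events, instance_ips):
    """Return (instance_id, role, eventName, source_ip) for API calls made with
    instance-role credentials from an IP not recorded for that instance."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        m = SESSION_RE.search(ident.get("arn", "")) if ident.get("type") == "AssumedRole" else None
        if not m:
            continue
        role, iid = m.groups()
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # simplification: sources given as DNS names are skipped here
        known = {ipaddress.ip_address(a) for a in instance_ips.get(iid, ())}
        if src not in known:
            findings.append((iid, role, ev["eventName"], str(src)))
    return findings

if __name__ == "__main__":
    for finding in off_instance_use(SAMPLE_EVENTS, INSTANCE_IPS):
        print(finding)
```

Instances that reach AWS APIs through a NAT gateway or proxy appear under that egress address, so it needs to be in the inventory for the comparison to hold.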


Source: https://www.hecfblog.com/2025/02/daily-blog-751-sunday-funday-21625.html