Amazon Web Services (AWS) and other cloud services are billed as an amazingly secure and resilient cloud services provider, but what is the reality? Once you look past that pristine environment and the manicured forests and start to build on top of it you’ll find yourself very quickly in a dark jungle of your own creation.
With concrete examples this presentation will explore “full stack” vulnerabilities and their effect on security and how they create new pitfalls when migrating to and operating in a Cloud world. From the simple (checking in your Cloud credentials to github or embedding them in your app) the unexpected (XXE injection to expose Cloud metadata), to the unintended (data leakage and service exposure and 3rd party cloud management services). Many examples will be shared along side new techniques showing how easy it is to expose your applications and infrastructure to attack through misunderstanding, ignorance or bad actors.
To address these challenges this presentation will also demonstrate a free tool we have designed to assess full stack AWS applications, map out the interactions between infrastructure and code and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.