
Forum: AWS Certified Security – Specialty

  • Rogue exfiltrates sensitive data from an S3

  • Антон

    Member
    November 11, 2023 at 8:26 pm

    The question: A company is hosting an application on an EC2 instance that runs within a Virtual Private Cloud (VPC). The application is connected to a proxy server, granting it internet access while blocking requests to known malicious sites. The application and proxy are located in the same availability zone but reside in separate subnets.

    During a threat assessment, a security analyst discovered that a rogue employee with access to the application’s server could exfiltrate sensitive data from an S3 bucket and forward it to their own AWS account.

    How can the security analyst mitigate the threat without affecting other workloads that might be running in the VPC?

    1) Wrong answer one: Configure a Network Access Control List (ACL) on the proxy’s subnet to block outgoing traffic to S3 endpoints is incorrect. While this solution is possible, it might disrupt any workload running on the subnet where the proxy is hosted.

    Why??? How can applying an NACL impact the workload?


    2) How can the right answers restrict the rogue? We changed the access method from “public” S3 endpoints to a “private” gateway endpoint; that’s OK. But the rogue can use this “gateway endpoint” the same way, getting the data from one bucket and putting it into another one within the “private AWS network”.

  • Carlo-TutorialsDojo

    Member
    November 15, 2023 at 12:56 am

    Hello Антон,

    Thanks for your feedback.

    1.) How can applying an NACL impact the workload?

    >> If other applications within the same subnet as the proxy server require access to S3, configuring an NACL on the said subnet that blocks outbound traffic to S3 endpoints would inadvertently block these applications as well.

    2) How can the right answers restrict the rogue? We changed the access method from “public” S3 endpoints to a “private” gateway endpoint; that’s OK. But the rogue can use this “gateway endpoint” the same way, getting the data from one bucket and putting it into another one within the “private AWS network”.

    >> There are many possible ways one might try to exfiltrate data. A VPC gateway endpoint, of course, is not an end-all, be-all solution; rather, it’s just one of the options you can use to mitigate the kind of threat mentioned in the scenario. Using a VPC gateway endpoint allows you to connect privately to an S3 bucket, and it lets you configure endpoint policies to restrict who and which bucket can be accessed through that endpoint. This is one of the ways to cut down, or at least put a leash on, a user’s access to the bucket. With the right endpoint policies, a user cannot just transfer data between the S3 bucket and a private AWS network. I understand that the answer could be better worded by mentioning the use of endpoint policies. We’ll review this item and make the necessary revisions to improve it.

    Let me know if you have further questions.

    Regards,
    Carlo @ Tutorials Dojo
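The endpoint policy the reply mentions, as an added example (this is not code from the thread or from Tutorials Dojo, and it is not the exam item's own answer). The policy pins the S3 gateway endpoint to one bucket ("which bucket") and to credentials from one account ("who"), and a small, deliberately simplified evaluator shows why the rogue's copy into a bucket in another account is denied whichever credentials are used on the server. Every identifier is hypothetical: account 111122223333 owns the bucket corp-sensitive-data, and the rogue controls account 999999999999 and the bucket rogue-dropbox.

```python
"""Added example: an S3 gateway endpoint policy plus a simplified evaluator.

Hypothetical names throughout: company account 111122223333 owns the bucket
'corp-sensitive-data'; the rogue owns account 999999999999 and 'rogue-dropbox'.
The evaluator models only explicit Deny, matching Allow, implicit deny and
the StringEquals condition operator, which is all this policy needs.
"""
import fnmatch
import json

COMPANY_ACCOUNT = "111122223333"        # hypothetical company account
COMPANY_BUCKET = "corp-sensitive-data"  # hypothetical application bucket
ROGUE_ACCOUNT = "999999999999"          # hypothetical attacker-owned account
ROGUE_BUCKET = "rogue-dropbox"          # hypothetical attacker-owned bucket

# Policy document attached to the S3 gateway endpoint. It is evaluated for every
# request that leaves the VPC through this endpoint, on top of the caller's IAM
# policy and the bucket policy, so it can only narrow access, never widen it.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyCompanyPrincipalsToCompanyBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            # "which bucket": the company bucket and its objects, nothing else
            "Resource": [
                f"arn:aws:s3:::{COMPANY_BUCKET}",
                f"arn:aws:s3:::{COMPANY_BUCKET}/*",
            ],
            # "who": only requests signed by credentials from the company
            # account, so the rogue's own access keys get nothing through here
            "Condition": {"StringEquals": {"aws:PrincipalAccount": COMPANY_ACCOUNT}},
        }
    ],
}


def endpoint_policy_json() -> str:
    """Document to hand to 'aws ec2 modify-vpc-endpoint --policy-document'."""
    return json.dumps(ENDPOINT_POLICY, indent=2)


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for Action and Resource elements."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(stmt: dict, context: dict) -> bool:
    """Only StringEquals is modelled; every listed key must equal its value."""
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise at least one
    matching Allow is required, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def exfiltration_attempts() -> dict:
    """Verdicts for the requests a rogue on the app server might send via the endpoint."""
    company_creds = {"aws:PrincipalAccount": COMPANY_ACCOUNT}  # the app's instance role
    rogue_creds = {"aws:PrincipalAccount": ROGUE_ACCOUNT}      # keys the rogue brought along
    corp_obj = f"arn:aws:s3:::{COMPANY_BUCKET}/customers.csv"
    rogue_obj = f"arn:aws:s3:::{ROGUE_BUCKET}/customers.csv"
    return {
        # the application's normal read keeps working
        "app role reads company bucket": evaluate(ENDPOINT_POLICY, "s3:GetObject", corp_obj, company_creds),
        # forwarding to a bucket in another account fails the Resource match,
        # even though the request was signed by the company account
        "app role writes to rogue bucket": evaluate(ENDPOINT_POLICY, "s3:PutObject", rogue_obj, company_creds),
        # the rogue's own keys fail aws:PrincipalAccount, so nothing is allowed
        "rogue keys write to rogue bucket": evaluate(ENDPOINT_POLICY, "s3:PutObject", rogue_obj, rogue_creds),
        "rogue keys read company bucket": evaluate(ENDPOINT_POLICY, "s3:GetObject", corp_obj, rogue_creds),
    }


if __name__ == "__main__":
    print(endpoint_policy_json())
    for attempt, verdict in exfiltration_attempts().items():
        print(f"{verdict:5}  {attempt}")
```

Two caveats a practitioner would check before relying on this. A gateway endpoint carries one policy and is associated with route tables, so to honour the question's "without affecting other workloads" constraint, give the application subnet's route table its own endpoint rather than editing one shared by the whole VPC. And the policy only governs requests that actually take the endpoint route: a request the rogue sends through the proxy to the public S3 hostname never sees it, so the proxy must refuse S3 hostnames (or the subnet must have no other path to S3) for the restriction to bite. The endpoint policy also does nothing about the rogue reading the company bucket with the app's own role; that is the instance role's and bucket policy's job, which is why the reply calls the endpoint one option rather than a complete fix.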
