Article by Eduard Schwarzkopf

Discover secrets in public AMIs

Original Research

AWS CloudQuarry: Digging for Secrets in Public AMIs by Eduard Agavriloae and Matei Josephs.

For EC2 instances, Amazon Machine Images (AMIs) are crucial as they contain the essential information required to launch instances, including the operating system, configuration files, software, and relevant data. A significant security consideration of these AMIs is that they can be (either accidentally or intentionally) made public, thus accessible for anyone to utilize and potentially exploit.

Finding Exposed AMIs¶

Many instances of resource exposure (and subsequent exploitation) in AWS necessitate knowing the AMI ID. This offers some level of security-by-obscurity as an attacker needs the AMI ID to exploit the resource.

However, if AMIs are marked public, the list of available public AMIs is accessible through the AWS API. If you know the account ID, you can easily run through all regions to see if any public AMIs are available:

aws ec2 describe-images --owners <account_id> --include-deprecated --region <region>

Using Public AMIs and Scanning for Credentials¶

Once you've identified public AMIs, you can use them to launch instances and manually scan for sensitive information, including credentials.

Launching an Instance from a Public AMI¶

To launch an instance from a public AMI, follow these steps:

Launch an Instance:
Using the AWS CLI, launch an instance using the desired AMI:

aws ec2 run-instances --image-id <image_id> --instance-type t2.micro --key-name <key-pair>

Access the Instance:
Once the instance is running, connect to it using Session Manager or SSH:
```
ssh -i <your-key-pair>.pem ec2-user@<public-dns-of-instance>
```

Manually Scanning for Credentials¶

Manual scanning involves checking common locations where credentials may be stored. Here are some typical command-line operations that can help:

Search for AWS Credentials:
```
find / -name "credentials" -type f
```
Search for SSH Keys:
```
find / -name "id_rsa" -type f
```
Look for Configuration Files Containing Sensitive Information: Use grep to locate keywords such as 'password', 'secret', 'key', etc.
```
grep -ri 'password\|secret\|key' /path/to/search
```

Automating the Process¶

While the manual process can be effective for targeted searches, automation provides efficiency and consistency at scale.

You can write scripts or use specialized tools to automate the detection of sensitive information. Here are some approaches:

Using Bash Scripts: Create a script that executes various find and grep commands. Save this as scan.sh:

#!/bin/bash
# Search for AWS credentials
find /home -name "credentials" -print

# Search for SSH keys
find /home -name "id_rsa" -print

# Search for sensitive information in configuration files
grep -ri 'password\|secret\|key' /home

Run the script on each instance:

chmod +x scan.sh
./scan.sh

Using Specialized Tools: Tools like truffleHog and gitleaks can detect sensitive information in codebases and configurations.