Cloud Security , DEF CON , Events

Exposed AMIs: The Hidden Risk in AWS Environments

Matei Josephs and Eduard Agavriloae on Public AMIs and Vulnerabilities
Eduard Agavriloae, AWS offensive security expert, and Matei Josephs, senior security researcher and founder, HiveHack

Public Amazon Machine Images, or AMIs, pose significant risks to enterprises, especially when they contain sensitive information. Developers often make AMIs public to share them across accounts, but this practice can expose critical data. Once public, these images can be accessed by anyone, leading to potential breaches, said Eduard Agavriloae, AWS offensive security expert.

See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware

Matei Josephs, senior security researcher and founder of HiveHack, shared a proof of concept in which researchers discovered a public AMI that contained a supposedly private Git repository. Inside the repository, they found sensitive information, including a Stripe API key linked to an account with $30,000. To demonstrate the vulnerability, they subscribed to a service and processed a refund using the compromised key, showing how easily a threat actor could have stolen the entire amount.

"AMI is like having a virtual machine with a snapshot, and you have access to everything that's inside the AMI. So every file, every source code, every secret that we've put in the AMI, if it's public, anyone on the internet can access it," Agavriloae said.

In this video interview with Information Security Media Group at DEF CON 2024 Agavriloae and Josephs also discussed:

  • Consequences for large enterprises if sensitive data is exposed through public AMIs;
  • Challenges and processes involved in responsible disclosure of vulnerabilities found in public AMIs;
  • Lessons for developers and companies that use cloud services, based on the research findings.

Josephs is a cybersecurity professional with expertise in penetration testing and vulnerability management. As the founder of HiveHack, he helps organizations identify and exploit cybersecurity vulnerabilities within their products.

Agavriloae is a security researcher and ethical hacker. His areas of expertise include penetration testing, cloud security and system architecture. He previously worked as an associate manager at KPMG Romania.


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.asia, you agree to our use of cookies.