Talk

From keyless to careless: Abusing misconfigured OIDC authentication in cloud environments

April 26, 10:30 (CLOUD)

In cloud environments, static and long-lived credentials are discouraged as they often get leaked. To solve this problem, cloud providers such as AWS, Azure and Google Cloud support “keyless authentication” through OpenID Connect (OIDC), allowing you to exchange JSON Web Tokens (JWTs) signed by trusted identity providers for cloud credentials. Keyless authentication is especially popular for CI/CD, and enables pipelines to seamlessly authenticate to a cloud environment.

Keyless authentication is easy to configure — and unfortunately, to misconfigure. In this talk, we demonstrate that AWS IAM roles using keyless authentication are, in many cases, insecurely configured, allowing unauthenticated attackers to retrieve cloud credentials and further compromise the environment. We share our research where we identified dozens of vulnerable roles in the wild; in particular, we were able to compromise AWS credentials of an account belonging to the UK government, and pivot from there to an internal code repository. Finally, we showcase not only how to identify vulnerable roles in your environment, but also how to use higher-level guardrails to ensure that a human mistake doesn’t turn into a data breach.
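As an added illustration of the kind of check the abstract refers to (example code, not the speaker's or Datadog's tooling), the script below audits an AWS IAM role trust policy for OIDC federation statements. It assumes the misconfiguration of interest is a trust policy that pins only the token audience (`aud`) and leaves the subject (`sub`) claim unconstrained, so any token from the identity provider can assume the role; the two trust policies, the account ID and the repository name are constructed.

```python
import json

# Constructed sample trust policies (illustrative, not roles from the talk).
# The weak one pins only the "aud" claim; the hardened one also pins "sub".
GITHUB_OIDC = "token.actions.githubusercontent.com"
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
}
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))  # deep copy, then pin the subject
HARDENED_POLICY["Statement"][0]["Condition"]["StringLike"] = {
    f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:ref:refs/heads/main"
}


def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most positions."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings for Allow statements that grant sts:AssumeRoleWithWebIdentity to a
    Federated (OIDC) principal without a usable ':sub' condition (absent or bare '*')."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not federated:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        conditions = stmt.get("Condition", {})
        sub_values = [v for op in conditions.values() for key, vals in op.items()
                      if key.lower().endswith(":sub") for v in _as_list(vals)]
        if not sub_values:
            findings.append(f"{federated[0]}: no ':sub' condition, any subject from this provider is accepted")
        elif "*" in sub_values:
            findings.append(f"{federated[0]}: ':sub' condition is a bare wildcard")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(policy) or ["ok"])
```

Run it over the output of `aws iam get-role` for each role that trusts an OIDC provider; a role with no findings still needs its `sub` pattern reviewed for being specific to the intended repository and branch.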

Speaker

Christophe Tafani-Dereeper

Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe is the maintainer of several open-source projects such as Stratus Red Team, GuardDog, CloudFlair, Adaz, and the Managed Kubernetes Auditing Toolkit (MKAT).
