1 of 23

AWS Security Masterclass

Riyaz Walikar ● Chief Hacker ● riyaz@kloudle.com

22nd July 2023

Session 9 - AWS RDS Misconfigurations


Riyaz Walikar

  • Building Kloudle for SaaS engineers and infra teams to automate the detection of assets in the cloud, identify misconfigurations in them and provide remediation guidance to save time so that they can continue being productive

  • Over a decade and a half worth of experience in breaking web & mobile apps, networks, wireless environments, cloud infrastructure and more recently container and Kubernetes environments

  • @riyazwalikar / @kloudleinc


Co-founder & Chief Hacker @ Kloudle


KLOUDLE Online - Code of Conduct

Please read and understand the Kloudle Code of Conduct

https://bit.ly/kloudle-online-code-of-conduct


Today’s Agenda

  • AWS RDS

  • Setting up the lab for this session

  • RDS Misconfigurations
    • Public Snapshots
    • Open RDS
      • Discovery via OSINT
    • RDS configuration tweaks via Parameter Groups

  • Undo AWS Changes


AWS RDS (and Aurora)

  • Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud.

  • Amazon RDS
    • MySQL
    • MariaDB
    • PostgreSQL
    • Oracle
    • Microsoft SQL Server

  • Amazon Aurora is a fully managed relational database engine that's built for the cloud and compatible with MySQL and PostgreSQL. Amazon Aurora is part of Amazon RDS.


Set up the lab - Scenario 1 - Public RDS Snapshots

  • Make sure the AWS cli profile “masterclass” exists on your system
    • aws sts get-caller-identity --profile masterclass
    • This was created in Session 1

  • Install the mysql client on your Ubuntu machine (skip if you already have a mysql client)
    • sudo apt-get install mysql-client
    • mysql --version

  • There are no AWS commands to set up the lab; we will be using pre-created resources for this session.


Scenario 1 - Public RDS Snapshots

  • Find a public RDS Snapshot in the us-east-1 region, created by ACME corporation for this masterclass
    • Is the snapshot encrypted?

  • Create a new DB from the snapshot. From the newly created DB instance
    • Can you access the users table in the acmeprod database?


Scenario 1 - Public RDS Snapshot - Finding the Snapshot

Find the snapshot based on the information

  • Created by ACME for this masterclass
  • us-east-1 region

Is the snapshot encrypted?

Using the Console

  1. In the us-east-1 region, go to RDS > Snapshots in the AWS Console
  2. Click on the “Public” tab and search for ‘masterclass acme’
  3. Click on the snapshot and scroll down to find “KMS Key ID” to identify if the snapshot is encrypted.
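The same two checks from the defender's side, as an added example that is not part of the slides: a small Python audit over the JSON that `aws rds describe-db-snapshots` and `aws rds describe-db-snapshot-attributes` print for your own account, flagging any snapshot whose restore attribute contains "all" (public) or that is stored unencrypted. The snapshot identifiers, account IDs and KMS key ARN in the sample documents are constructed.

```python
import json

# Constructed sample of `aws rds describe-db-snapshots --snapshot-type manual` output.
SNAPSHOTS_JSON = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "acme-prod-2023-07-01", "DBInstanceIdentifier": "acme-prod",
     "Engine": "mysql", "Encrypted": False, "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "acme-staging-2023-07-01", "DBInstanceIdentifier": "acme-staging",
     "Engine": "mysql", "Encrypted": True, "SnapshotType": "manual",
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
]})

# Constructed samples of `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>`,
# keyed by snapshot identifier. An AttributeValue of "all" on "restore" means the snapshot is public.
ATTRIBUTES_JSON = {
    "acme-prod-2023-07-01": json.dumps({"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "acme-prod-2023-07-01",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}}),
    "acme-staging-2023-07-01": json.dumps({"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "acme-staging-2023-07-01",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["222222222222"]}]}}),
}


def restore_principals(attributes_doc: str) -> list[str]:
    """Return the account IDs (or 'all') permitted to restore the snapshot."""
    result = json.loads(attributes_doc).get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def audit_snapshots(snapshots_doc: str, attributes_by_id: dict[str, str]) -> list[dict]:
    """Flag snapshots that are public ('all' may restore) or stored unencrypted."""
    findings = []
    for snap in json.loads(snapshots_doc)["DBSnapshots"]:
        sid = snap["DBSnapshotIdentifier"]
        principals = restore_principals(attributes_by_id.get(sid, "{}"))
        finding = {"snapshot": sid, "public": "all" in principals,
                   "shared_with": [p for p in principals if p != "all"],
                   "encrypted": bool(snap.get("Encrypted", False))}
        # Any AWS account can restore a public snapshot and, as in Scenario 1,
        # reset the master password and read every table it contains.
        if finding["public"] or not finding["encrypted"]:
            findings.append(finding)
    return findings
```

Run it against real output by feeding the two documents in from the CLI instead of the constructed strings; the staging snapshot is shared with one explicit account and encrypted, so only the production snapshot is reported.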


Scenario 1 - Public RDS Snapshot - Creating the DB

  • Create a new DB from the snapshot. From the newly created DB instance
    • Can you access the users table in the acmeprod database?

Using the Console

  • Select the snapshot and click “Actions” > “Restore Snapshot”
  • Keep defaults, except the following
    1. Provide a DB instance identifier (name of the instance)
    2. Select “Burstable classes” under “Instance configuration” and select “db.t3.micro”
    3. Under “Connectivity” select “Yes” for “Public access”
  • Click on Restore to start the restore process


The restore process can take some time as a new DB instance is being created.

Let’s look at how we can find RDS instances of other users on the Internet.


Scenario 1 - Public RDS Snapshot - Creating the DB

  • Create a new DB from the snapshot. From the newly created DB instance
    • Can you access the users table in the acmeprod database?

Using the Console

Once the DB instance is created, we need to modify the DB to set a new admin (master) password: the restored instance keeps the master username from the snapshot, but its password is not known to us.

  • Click on Modify and add a new password to the database
  • Click on Continue
  • Select “Apply immediately” and click “Modify DB instance” to start the modification
  • Once the DB state is available, connect to the DB using

mysql -u admin -p -h <RDS_HOSTNAME>


Scenario 1 - Public RDS Snapshot - Accessing the DB

  • Create a new DB from the snapshot. From the newly created DB instance
    • Can you access the users table in the acmeprod database?

Using the CLI

In the mysql session

  1. List databases - show databases;
  2. Switch to the production database - use acmeprod;
  3. List tables within this database - show tables;
  4. List all rows in the users table - select * from users;


Scenario 2 - Finding Public RDS Instances

All RDS endpoint hostnames follow a predictable, DNS-compliant pattern ending in rds.amazonaws.com, for example:

masterclass-acme-prod.cio3jjxaatse.us-east-1.rds.amazonaws.com

Some places where you can find RDS instance hostnames (sometimes along with credentials!!!)

  1. Google search site:pastebin.com | site:gist.github.com “rds.amazonaws.com”
  2. Shodan search for org:Amazon “rds.amazonaws.com”
  3. Censys search
  4. GitHub code search for “rds.amazonaws.com” pass


Scenario 3 - Parameter Group configurations - Demo

RDS parameter groups are configuration profiles for a given DB engine type; a DB instance takes its engine settings from the parameter group attached to it.


Scenario 3 - Parameter Group configurations - Demo

Parameters that are marked as modifiable (‘true’) can be changed to alter the configuration of the DB.

Interestingly (though unsurprisingly), no parameter whose value is a file system path is modifiable, since RDS is a managed service. Examples are shown on the next slide.

The Kloudle Security Research team identified that AWS RDS does not enforce or enable TLS on its endpoints by default. This means clients can connect to the endpoint in plain text, as the following mysql invocation shows:

mysql -u admin -p -h masterclass-acme-prod.cio3jjxaatse.us-east-1.rds.amazonaws.com --ssl-mode=DISABLED

Full research is published on the Kloudle blog, added to references.
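An added example (not from the slides or the Kloudle research) showing how to check a parameter group for that default and what the fix looks like: it reads the JSON that `aws rds describe-db-parameters --db-parameter-group-name <group>` prints (sample document constructed inline), reports whether the engine's TLS-enforcement parameter is on (require_secure_transport for MySQL/MariaDB, rds.force_ssl for PostgreSQL), lists the path-valued parameters RDS keeps locked, and builds the `aws rds modify-db-parameter-group` call that turns enforcement on. The group name acme-prod-mysql8 is assumed.

```python
import json

# Parameter that makes each engine refuse plaintext client connections.
TLS_PARAMETER = {"mysql": "require_secure_transport",
                 "mariadb": "require_secure_transport",
                 "postgres": "rds.force_ssl"}

# Constructed sample of `aws rds describe-db-parameters --db-parameter-group-name <group>`
# for a MySQL group still at the engine default, where TLS is optional.
MYSQL_PARAMS_JSON = json.dumps({"Parameters": [
    {"ParameterName": "max_connections", "ParameterValue": "{DBInstanceClassMemory/12582880}",
     "Source": "system", "IsModifiable": True, "ApplyType": "dynamic"},
    {"ParameterName": "require_secure_transport", "ParameterValue": "0",
     "Source": "engine-default", "IsModifiable": True, "ApplyType": "dynamic"},
    {"ParameterName": "datadir", "ParameterValue": "/rdsdbdata/db/",
     "Source": "system", "IsModifiable": False, "ApplyType": "static"},
]})


def tls_enforced(engine: str, parameters_doc: str) -> bool:
    """True if the group forces TLS for this engine; an absent parameter counts as not enforced."""
    name = TLS_PARAMETER[engine]
    for p in json.loads(parameters_doc)["Parameters"]:
        if p["ParameterName"] == name:
            return p.get("ParameterValue") in ("1", "ON", "on")
    return False


def remediation_command(group_name: str, engine: str) -> str:
    """The CLI call that switches TLS enforcement on for every instance using the group."""
    name = TLS_PARAMETER[engine]
    return (f"aws rds modify-db-parameter-group --db-parameter-group-name {group_name} "
            f"--parameters ParameterName={name},ParameterValue=1,ApplyMethod=immediate")


def unmodifiable_path_parameters(parameters_doc: str) -> list[str]:
    """Parameters whose value is a file system path; RDS keeps these locked (IsModifiable false)."""
    return [p["ParameterName"] for p in json.loads(parameters_doc)["Parameters"]
            if str(p.get("ParameterValue", "")).startswith("/") and not p["IsModifiable"]]


if __name__ == "__main__":
    print("TLS enforced:", tls_enforced("mysql", MYSQL_PARAMS_JSON))
    print("Locked path parameters:", unmodifiable_path_parameters(MYSQL_PARAMS_JSON))
    print("Fix:", remediation_command("acme-prod-mysql8", "mysql"))
```

Once require_secure_transport is 1, the `--ssl-mode=DISABLED` connection from the slide is refused by MySQL with error 3159 (connections using insecure transport are prohibited).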


Undo AWS Changes

  • Manually delete the following resources
    • The RDS instance created
    • Check whether any snapshots were created while deleting the instance and delete them too
    • Any new security groups you may have created


Short Feedback!

  • https://tally.so/r/nPDXYQ


That’s all for today!


Questions?

Sign up for a free trial: https://app.kloudle.com/signup

Academy: https://kloudle.com/academy

Twitter: @kloudleinc and @riyazwalikar

Reach us at: riyaz@kloudle.com


Make Users ❤️ Kloudle