Christophe Tafani-Dereeper

Stop worrying about ‘allowPrivilegeEscalation’

christophetd 14 June 2024 14 June 2024 Leave a Comment

Kubernetes’ ‘allowPrivilegeEscalation’ is a useful but poorly understood security hardening setting. Let’s dive into how it works and debunk some common myths about it.

IMDSv2 enforcement: coming to a region near you!

christophetd 10 April 2024 28 March 2024 Leave a Comment

On March 25, AWS released a new feature that helps enforcing IMDSv2 at the region level by default for newly-launched instances. This represents a long-awaited and feature, that still has some quirks.

A Tribute to Hadrien Milano

christophetd 4 August 2022 4 August 2022 3 Comments

Today’s post is unlike any I ever wrote: a tribute to a dear friend, who, a few months ago, brutally passed away from a heart attack at the age of 28.

MitM at the Edge: Abusing Cloudflare Workers

christophetd 29 June 2022 29 June 2022 Leave a Comment

Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.

Introducing Stratus Red Team, an Adversary Emulation Tool for the Cloud

christophetd 21 March 2022 28 January 2022 Leave a Comment

Today, I’m thrilled to release a new open-source project I’ve been working on in the past few weeks: Stratus Red Team, an adversary emulation and purple teaming tool, focused on emulating common attack techniques in cloud environments.

Implementing a Vulnerable AWS DevOps Environment as a CloudGoat Scenario

christophetd 11 January 2022 11 January 2022 1 Comment

I’m a huge fan of disposable security labs, both for offensive and defensive purposes (see: Automating the provisioning of Active Directory labs in Azure). After writing Cloud Security Breaches and Vulnerabilities: 2021 in Review, I wanted to build a “purposely vulnerable AWS lab” with a typical attack path including static, long-lived credentials and with a supply-chain security element.

Cloud Security Breaches and Vulnerabilities: 2021 in Review

christophetd 14 March 2022 22 December 2021 10 Comments

As 2021 fades away, we look back on cloud data breaches and vulnerabilities that were publicly disclosed this year. Last updated: March 14th, 2022.

Phishing for AWS credentials via AWS SSO device code authentication

christophetd 9 June 2021 9 June 2021 3 Comments

When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts. In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls suchContinue reading… Phishing for AWS credentials via AWS SSO device code authentication

Retrieving AWS security credentials from the AWS console

christophetd 28 August 2023 5 June 2021 3 Comments

In this short blog post, we describe how to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.

Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues (last updated August 2023)

christophetd 23 August 2023 20 December 2020 7 Comments

In cloud environments, companies usually describe their infrastructure as code using tools like Terraform or CloudFormation. In this post, we review the landscape of tools that allow us to perform static analysis of Terraform code in order to identify cloud security issues and misconfigurations even before they pose an actual security risk.