Introduction

Cloud security incidents are becoming increasingly sophisticated, leveraging vulnerabilities within cloud services to gain unauthorized access to sensitive data. This lab walkthrough focuses on an attack scenario where an adversary exploits a Server-Side Request Forgery (SSRF) vulnerability in a web application hosted on an AWS EC2 instance. The breach allowed the attacker to retrieve IAM role credentials from the AWS Instance Metadata Service (IMDSv1), enabling them to perform unauthorized operations within the cloud environment. This incident highlights the risks of misconfigured IAM roles, excessive permissions, and the dangers of using IMDSv1, which lacks request authentication and is vulnerable to exploitation.

Through forensic investigation, we will analyze network traffic and AWS CloudTrail logs to track the attacker's movements, reconstruct the timeline of events, and determine the extent of the breach. Using Wireshark, we will examine packet captures (PCAPs) to identify suspicious HTTP requests that may indicate SSRF exploitation. Additionally, by querying CloudTrail logs with jq, we will uncover unauthorized API calls, including attempts to list, access, and delete sensitive data from Amazon S3 buckets. Our goal is to understand the attack methodology, assess the compromised resources, and identify key indicators of compromise (IOCs) within the AWS environment.
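As an added example (not part of the lab's own material), here is the CloudTrail triage step described above written in Python over a constructed set of records instead of with jq: it picks out S3 list, get and delete calls made with the EC2 instance role's session from an IP address other than the instance's own, which is how credentials lifted from IMDS show up in the trail. The account id, role name, instance id, bucket names and IPs are made up; the `ec2RoleDelivery` field is a real CloudTrail field recording whether the role credentials were issued through IMDSv1 ("1.0") or IMDSv2 ("2.0").

```python
import json

# Constructed sample: account id, role, instance id, buckets and IPs are made up.
ROLE_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc12345def67890"
INSTANCE_IPS = {"10.0.1.15"}  # the EC2 instance's own address(es)

def _rec(time, name, ip, params=None, error=None):
    # Minimal CloudTrail-shaped record; ec2RoleDelivery "1.0" marks IMDSv1-issued creds.
    r = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
         "sourceIPAddress": ip, "requestParameters": params or {},
         "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN,
                          "sessionContext": {"ec2RoleDelivery": "1.0"}}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-01T10:02:11Z", "ListBuckets", "198.51.100.23"),
    _rec("2024-05-01T10:03:40Z", "GetObject", "198.51.100.23",
         {"bucketName": "corp-customer-records", "key": "export.csv"}),
    _rec("2024-05-01T10:04:02Z", "DeleteObject", "198.51.100.23",
         {"bucketName": "corp-customer-records", "key": "export.csv"}, "AccessDenied"),
    _rec("2024-05-01T10:05:00Z", "GetObject", "10.0.1.15",
         {"bucketName": "webapp-static-assets", "key": "logo.png"}),
]})

S3_DATA_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject",
                  "DeleteObject", "DeleteObjects"}

def triage_instance_role_s3_calls(trail_json, instance_ips):
    """S3 list/get/delete calls made with an EC2 instance-role session from an IP that is
    not the instance: stolen IMDS credentials are replayed from the attacker's host."""
    findings = []
    for r in json.loads(trail_json)["Records"]:
        ident = r.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        # ARN tail is <RoleName>/<SessionName>; EC2 uses the instance id as the session name
        role, _, session = ident.get("arn", "").rpartition("assumed-role/")[2].partition("/")
        if not session.startswith("i-"):
            continue
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in S3_DATA_EVENTS:
            continue
        if r.get("sourceIPAddress") in instance_ips:
            continue  # originated from the instance itself: expected application traffic
        params = r.get("requestParameters") or {}
        findings.append({"time": r["eventTime"], "role": role, "instance": session,
                         "ip": r["sourceIPAddress"], "event": r["eventName"],
                         "bucket": params.get("bucketName"), "key": params.get("key"),
                         "imdsv1": ident.get("sessionContext", {}).get("ec2RoleDelivery") == "1.0",
                         "denied": r.get("errorCode") == "AccessDenied"})
    return findings
```

A denied `DeleteObject` is still worth recording: the failed call shows intent and scopes what the role's policy actually allowed.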

This investigation will provide insights into cloud forensics, AWS security best practices, and attacker behavior within cloud environments.
