Be Aware of EBS Direct APIs
Recently, I blogged about a security incident where CloudTrail was not set up to log S3 data events. While S3 is the most common type of data event, there are others, and one of them has really scary implications. The good news: you can protect yourself against that.
Today, I will talk about the EBS Direct API and you will see that I was not using clickbait to get you to read on.
EBS Direct APIs (Read)
At re:Invent 2019, Amazon Web Services introduced a new capability to EBS: Direct access to snapshots. Intended for use cases like third-party backup solutions which work on a block basis, these APIs allow downloading parts of snapshots.
For this, there were originally three new API calls: ListSnapshotBlocks, GetSnapshotBlock and ListChangedBlocks.
With these methods, you can easily find out the differences between EBS snapshots and then download them. You could replicate your AWS data locally for testing or DR-solutions - or use it to archive data long-term.
But this also allows for some sneaky data exfiltration under certain circumstances. Think about it: access to download snapshots means the ability to download your data. And even if you think you do not have anything of critical value on those snapshots - are you sure? And we are talking about data events, just like with S3. Which means they are not logged by default.
The circumstances where you get access to those APIs are very specific though:
- via Root Account
- Administrator privileges ("Action": "*" or "Action": "*:*")
- Explicit permissions ("Action": "ebs:*")
As API keys for the Root Account are hopefully not present in your account, administrative permissions are probably the main attack vector. So this is another case of not following the Least Privilege principle. Apart from the AdministratorAccess and PowerUser permissions, no managed policies include the ebs:* namespace to my knowledge.
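To check your own policy documents against the three circumstances listed above, here is a small offline checker. It is an added example, not code from the original post or from AWS: the function names and the sample policies are constructed, and it evaluates a single policy document with a simplified model (Resource and Condition on Allow statements are ignored, so it errs on the side of reporting exposure).

```python
import re

# Read-side EBS direct API actions named in the post.
EBS_READ_ACTIONS = ("ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock",
                    "ebs:ListChangedBlocks")

def _as_list(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _covers(stmt, action):
    """True if the statement's Action or NotAction element applies to action."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def ebs_read_exposure(policy):
    """Return the EBS read actions one policy document allows, sorted.

    Simplification: an Allow counts regardless of Resource or Condition; a
    Deny cancels it only when unconditional and applied to Resource "*".
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        hits = {a for a in EBS_READ_ACTIONS if _covers(stmt, a)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif (stmt.get("Effect") == "Deny" and "Condition" not in stmt
              and "*" in _as_list(stmt.get("Resource"))):
            denied |= hits
    return sorted(allowed - denied)

# Constructed sample policy documents (not taken from any real account).
SAMPLES = {
    "admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "not_action": {"Statement": {"Effect": "Allow", "Resource": "*",
                                 "NotAction": ["iam:*", "organizations:*"]}},
    "narrow": {"Statement": [{"Effect": "Allow", "Action": "ebs:Get*", "Resource": "*"}]},
    "guarded": {"Statement": [
        {"Effect": "Allow", "Action": "*:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ebs:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    print({name: ebs_read_exposure(doc) for name, doc in SAMPLES.items()})
```

The "not_action" sample shows why policies written with NotAction grant the ebs namespace without ever naming it.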
EBS Direct APIs (Write)
To make Disaster Recovery scenarios possible where on-premises data needs to be transferred to AWS, the EBS Direct APIs got extended to allow creation of snapshots from external data a year later. This allows you to use StartSnapshot, PutSnapshotBlock and CompleteSnapshot for your data replication to AWS.
If you immediately thought of ransomware attacks being able to overwrite your snapshots - good thinking. But luckily, AWS seals their snapshots at completion and makes them read-only after that. So we are in no danger of a new class of ransomware attacks using this API.
Security Tools
I learned about the EBS Direct APIs when preparing for a penetration testing certification - there are already some tools for easily downloading snapshots using these APIs. If you want to play around with these, check out Rhino Security Labs’ DSnap tool. Their GitHub page also includes an animated image showing the whole thing.
The same capability also got integrated into Rhino Security Labs’ Pacu pentesting solution. It is only one of the integrated commands there, but uses the same principle as the standalone dsnap tool.
Logging
Logging of EBS Direct APIs was added in July 2021, but the option is well hidden. If you go to your CloudTrail web console, you will only see “S3”, “DynamoDB” and “Lambda” as targets.
But hidden under the Extended properties are more types:
- S3
- DynamoDB
- Lambda
- Managed Blockchain
- EBS
When enabling data event logging, always be aware of the volume of log entries and associated costs. It does not make much sense to enable this for all services in all your accounts. But for production accounts and sensitive data, that is a different story. A good idea is to enable logging to an S3 bucket/prefix with a shorter retention span - or to add it directly to some sort of SIEM system.
Service Control Policies
If you know for a fact that you are not using third-party solutions which are based on EBS Direct APIs, you can also add an SCP to the account, Organizational Unit, or the whole Organization and deny them completely:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEBSDirectAPI",
      "Effect": "Deny",
      "Action": "ebs:*",
      "Resource": "*"
    }
  ]
}