“Let’s say someone is using these providers and they happen to have a shared identity platform, maybe SailPoint. If SailPoint is passing data flows to AWS, Microsoft, and maybe others, that could allow access to all of that customer’s information in one of these hyperscaler environments. It could allow limited access to data in the cloud. Now let’s say that somehow an attacker targets this AWS API. If that customer is using the same credentials across these cloud platforms, that could provide broad access,” he says.
IMDSv2: What You Don't Know Could Destroy Your Cloud
In March 2024, Amazon quietly rolled out an update to a critical part of the AWS platform: Instance Metadata Service (IMDS). “Some SOCs may not even be aware that they are using IMDS,” says Pluralsight’s Vermont, thus exposing their operations to “a serious security risk related to metadata exposure.”
“AWS uses IMDS to store security credentials used by other applications and services, and makes this information available using a REST API. Attackers can use server-side request forgery (SSRF) to steal credentials from IMDS, allowing them to authenticate as the instance role for lateral movement or data theft,” explains Vermont. “AWS introduced a newer version of IMDS, version 2, to improve security against unauthorized metadata, although many organizations still use the original IMDSv1 by default. To help CISOs close this potential vulnerability, AWS recently announced the ability to default all newly launched Amazon EC2 instances to the more secure IMDSv2.”
“AWS launched IMDSv2 in November 2019, but the ability to set the default for the new version wasn’t introduced until March 2024. As a result, many organizations continued to use the original vulnerable IMDSv1. It’s interesting to note that the default only applies to new instances that were launched, so existing instances with IMDSv1 still need to be reconfigured,” says Vermont.
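Because the new default leaves existing instances untouched, the practical follow-up is an inventory of instances whose metadata endpoint still answers token-less IMDSv1 requests, followed by ModifyInstanceMetadataOptions with HttpTokens=required. The script below is an added example, not code from the article or from AWS: it works on the documented DescribeInstances response shape, the reservations it audits are constructed sample data, and the EC2 client is injected so the remediation step can be exercised offline.

```python
"""Audit EC2 instances still accepting IMDSv1 and enforce IMDSv2 on them."""
from typing import Dict, List

# Constructed sample in the shape of DescribeInstances()["Reservations"]:
# HttpTokens "optional" means unsigned IMDSv1 GETs are still answered,
# "required" means only IMDSv2 session-token requests succeed, and a
# "disabled" endpoint exposes no metadata at all.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbb222",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0ddd444",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    ]},
]


def find_imdsv1_instances(reservations: List[Dict]) -> List[str]:
    """Return IDs of instances whose enabled IMDS endpoint still allows v1.

    A disabled endpoint cannot leak role credentials via SSRF, so it is not
    reported; anything enabled with HttpTokens other than 'required' is.
    """
    flagged = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def remediation_params(instance_id: str) -> Dict[str, str]:
    """Keyword arguments for EC2 modify_instance_metadata_options that force IMDSv2."""
    return {"InstanceId": instance_id, "HttpTokens": "required", "HttpEndpoint": "enabled"}


def enforce_imdsv2(ec2_client, instance_ids: List[str]) -> List[str]:
    """Apply HttpTokens=required to each instance via the injected client.

    With boto3, pass boto3.client("ec2"); the call is synchronous and the
    change takes effect without stopping the instance.
    """
    changed = []
    for iid in instance_ids:
        ec2_client.modify_instance_metadata_options(**remediation_params(iid))
        changed.append(iid)
    return changed
```

With a real client, replace SAMPLE_RESERVATIONS by `ec2.describe_instances()["Reservations"]` (paginated for large accounts) and confirm afterwards that every running workload still obtains credentials through the token-based IMDSv2 flow.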