Misconfigured CloudFormation Vulnerability in AWS

Play AWS Labs on this vulnerability with SecureFlag!

1. Misconfigured CloudFormation Vulnerability in AWS
   1. Description
   2. Impact
   3. Prevention
      1. Data Protection
         1. Dynamic Parameters
         2. Encryption at rest
         3. Internetwork traffic privacy
      2. Access Control
      3. Logging and Monitoring
   4. References

Description

AWS CloudFormation is a service that helps deploy instances and services based on pre-defined templates. This is a service that enables infrastructure as code on AWS by deploying services defined in templates as CloudFormation stacks . Using CloudFormation, solution architects and cloud engineers can easily manage infrastructure, accelerate replication and handle deployments with rapid changes to the infrastructure.

Impact

Since CloudFormation touches most services on AWS and the fact that CloudFormation templates can be tailored to suit a wide variety of requirements, the attack surface is significantly high as compared to other AWS services. A poorly crafted template can lead to a misconfigured stack and cause escalated privileges, exposed services, un-logged events and data loss.

Prevention

Data Protection

Dynamic Parameters

If the utilisation of sensitive information in CloudFormation is unavoidable, use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.

Encryption at rest

To ensure your Cloudformation templates are encrypted when stored on the cloud, enable at-rest encryption for templates stored in S3 buckets or other storage services. Similarly define encryption settings for any data storage systems provisioned by CloudFormation. On S3 this can be done using SSE-S3 or SSE-KMS

Internetwork traffic privacy

AWS CloudFormation service communications are securely encrypted by default between Regions or Availability Zones.

Access Control

AWS Cloudformation requires access controls to be put in place for the resources that are created within the Cloudformation stack as well as for the action that can be taken on Cloudformation itself like viewing stack templates, creating stacks, or deleting stacks. The access controls measures are put in place by IAM and enforced through IAM policies.

In order to allow a user to perform Cloudformation actions, AWS recommends creating an IAM group and adding the users to the group. The group would then need a IAM policy like the one below to allow Cloudformation actions.

{
  "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Action":[
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources"
      ],
      "Resource":"*"
    }]
}

Further control can be established by using ‘Condition’ property within a policy to manage when the policy will be in effect.

"Condition": {
  "ForAllValues:StringEqualsIgnoreCase": {
      "cloudformation:TargetRegion": [
          "us-east-1",
          "eu-west-1"
      ]
  }
}

Users managing Cloudformation stacks would also require access to the resources created within the stacks. Also by default, AWS uses temporary sessions that are generated from user credentials to perform stack operations. Cloudformation and the users using it need not have the same level of permissions.

Therefore it is best to delegate permission to Cloudformation using a service role. But remember if the role includes permissions that the user should not have, you can unintentionally escalate a user’s permissions.

Logging and Monitoring

Enable CloudTrail Logs as CloudTrail provides a record of activities taken place in Cloudformation and will be stored in a S3 bucket.

References