low

GuardDuty bypass via S3 permission modification

Published Thu, May 18th, 2023

Platforms

aws

Summary

Threat actors holding active IAM credentials with permission to update S3 bucket policies could have bypassed GuardDuty’s S3 detections and silently changed permissions on S3 resources, ending in a bucket configuration that allowed anonymous data access. This gap in GuardDuty’s alert coverage existed only when S3 Block Public Access was not enabled on the account or the bucket, and when KMS-based server-side bucket encryption was not in use. To trigger an alert on a bucket being opened to the public, GuardDuty needs to invoke two API calls: GetBucketPublicAccessBlock and GetBucketPolicyStatus. Denying these two calls in the bucket policy effectively blocked GuardDuty’s ability to raise the alerts. Following disclosure, AWS added GuardDuty alerts on the creation of any policy that both allows data access and denies access to the bucket’s configuration information.
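The condition AWS now alerts on (a policy that grants data access while denying reads of bucket configuration) can also be checked offline from a policy document. The following is an added example written for this entry; it is not code from the advisory, from Gem Security or from AWS. It assumes the two configuration reads named above as the indicator, treats a policy as public when the `Principal` is `"*"` or `{"AWS": "*"}`, and does not evaluate `Condition` blocks, so a Deny scoped by a condition is still reported for review. The bucket policies and Block Public Access settings below are constructed sample inputs.

```python
"""Offline check for S3 bucket policies that deny the configuration reads
GuardDuty relies on while also opening data access to anonymous principals.
Added example for this advisory entry; sample policies are constructed."""
import fnmatch
import json

# The two reads the advisory says GuardDuty needs to evaluate public access.
CONFIG_READ_ACTIONS = ("s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus")
# Representative data-plane actions whose anonymous exposure matters.
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject")
# Keys of a PublicAccessBlockConfiguration as returned by the S3 API.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, actions):
    """Return the subset of `actions` that this statement's Action/NotAction covers."""
    if "NotAction" in stmt:
        excluded = _as_list(stmt["NotAction"])
        return [a for a in actions if not any(_action_matches(p, a) for p in excluded)]
    patterns = _as_list(stmt.get("Action"))
    return [a for a in actions if any(_action_matches(p, a) for p in patterns)]


def _is_anonymous(principal):
    """True for the two spellings of 'everyone' in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def analyze_policy(policy):
    """Classify a bucket policy (dict or JSON string) for the evasion pattern."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    denied_config, public_data = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Deny":
            # Any Deny touching the config reads is reported, whatever its
            # Principal or Condition; a human decides whether it is legitimate.
            denied_config.update(_covers(stmt, CONFIG_READ_ACTIONS))
        elif effect == "Allow" and _is_anonymous(stmt.get("Principal")):
            public_data.update(_covers(stmt, DATA_ACTIONS))
    return {
        "denied_config_reads": sorted(denied_config),
        "public_data_actions": sorted(public_data),
        "suspicious": bool(denied_config) and bool(public_data),
    }


def assess_bucket(policy, block_public_access, sse_kms):
    """Combine the policy finding with the two conditions the advisory names.

    block_public_access: PublicAccessBlockConfiguration dict, or None if unset.
    sse_kms: True when default bucket encryption uses KMS.
    """
    finding = analyze_policy(policy)
    bpa = block_public_access or {}
    finding["bpa_enabled"] = all(bool(bpa.get(k)) for k in BPA_KEYS)
    finding["sse_kms"] = bool(sse_kms)
    # The coverage gap only applied with BPA off and no KMS encryption.
    finding["evasion_risk"] = (
        finding["suspicious"] and not finding["bpa_enabled"] and not finding["sse_kms"]
    )
    return finding


# Constructed sample inputs (not real buckets or policies).
SUSPICIOUS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Principal": "*",
         "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}
PUBLIC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:Get*",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SUSPICIOUS_POLICY, BPA_OFF, sse_kms=False), indent=2))
```

In practice the inputs come from the bucket's `GetBucketPolicy`, `GetPublicAccessBlock` and `GetBucketEncryption` responses; a `suspicious` policy is worth reviewing even on an account where Block Public Access is enabled, since that is what closes the gap.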

Affected Services

GuardDuty

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

-

Exploitability Period

Until 2023/04/28

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Gem Security