Breaching AWS Through Shadow Resources
Yakir Kadkoda, Michael Katchinskiy, Ofek Itach
DEF CON 32 · Day 1 · Main Stage
This talk, presented by Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach from Aqua Security, examines a critical but often overlooked aspect of cloud security: **Shadow Resources** within AWS. The researchers demonstrate how automatically generated AWS resources, particularly S3 buckets, can be exploited to achieve severe compromises, up to and including remote AWS account takeover by an external attacker who assumes an admin role. A central theme of the presentation is the long-standing debate over the security implications of AWS account IDs – whether or not they should be treated as secrets. The findings strongly suggest that attackers can leverage publicly available or semi-predictable account IDs to facilitate impactful attacks.
AI review
This research from Aqua Security is a critical deep dive into AWS "shadow resources," demonstrating how seemingly innocuous auto-generated S3 buckets can be weaponized. The team ingeniously combined bucket pre-registration, an OSINT-driven bypass for randomized naming, and a TOCTOU vulnerability in CloudFormation to achieve full AWS account takeover. It fundamentally challenges the perception of AWS account IDs and exposes a sophisticated attack chain that every cloud security professional needs to understand and defend against.