More Keys Than A Piano: Finding Secrets In Publicly Exposed EBS Volumes

Conference: DEF CON 27

The presentation discusses the findings of a research project on publicly exposed, unencrypted AWS EBS disks and the importance of remediation.
  • Publicly exposed, unencrypted AWS disks can be read by anyone, resulting in the theft of sensitive information such as source code, private keys, and API tokens.
  • Remediation involves searching for your own public disks, taking down the snapshot, rotating any credentials it contained, and conducting a post-mortem to understand how the exposure occurred.
  • Anecdotes include finding source code for government contractors and large tech companies, private keys, SQL files containing personal information, WordPress backups, and VPN credentials.
  • The presentation emphasizes the importance of designing for multi-region up front, having tests for code, and understanding the AWS butterfly effect.
  • The speaker delayed the release of their tool to coordinate with Amazon and responsibly disclose the findings.

The speaker found SQL files containing thousands of people's personal information, including usernames, hashed passwords, email addresses, and phone numbers. These files were often left on disks by developers who had copied data from production environments for debugging and then failed to secure the disks. This highlights the need for proper hygiene around SQL dumps and the risk of leaving sensitive information on unencrypted disks.
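The first remediation step above, "search for your own public disks and take the snapshot down", as an added example that is not the speaker's tool or Amazon's code: it lists snapshots owned by the calling account, flags those whose createVolumePermission includes the `all` group, and can revoke that group. It assumes boto3 and valid AWS credentials for the live run; the EC2 client is injected so the logic can be exercised against a fake client, and it covers one region per call.

```python
"""Audit EBS snapshots owned by this account for public sharing ('all' group)."""
from typing import Any, Dict, Iterable, List

PUBLIC_GROUP = "all"  # the EC2 group name that means "every AWS account"


def _iter_snapshots(ec2: Any) -> Iterable[Dict[str, Any]]:
    """Page through every snapshot owned by the calling account."""
    kwargs: Dict[str, Any] = {"OwnerIds": ["self"]}
    while True:
        page = ec2.describe_snapshots(**kwargs)
        yield from page.get("Snapshots", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def is_public(ec2: Any, snapshot_id: str) -> bool:
    """A snapshot is public when createVolumePermission grants the 'all' group."""
    attr = ec2.describe_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission")
    perms = attr.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def find_public_snapshots(ec2: Any) -> List[Dict[str, Any]]:
    """Return the owned snapshots that any AWS account could restore a volume from."""
    return [s for s in _iter_snapshots(ec2) if is_public(ec2, s["SnapshotId"])]


def make_private(ec2: Any, snapshot_id: str) -> None:
    """Revoke the 'all' group; credential rotation and a post-mortem still follow."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=[PUBLIC_GROUP])


def audit_region(region: str, fix: bool = False) -> List[str]:
    """Live run for one region (assumes boto3 and AWS credentials); repeat per region."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    found = find_public_snapshots(ec2)
    for snap in found:
        print(f"PUBLIC: {snap['SnapshotId']} encrypted={snap.get('Encrypted')}")
        if fix:
            make_private(ec2, snap["SnapshotId"])
    return [s["SnapshotId"] for s in found]


if __name__ == "__main__":
    import sys
    audit_region(sys.argv[1] if len(sys.argv) > 1 else "us-east-1", fix="--fix" in sys.argv)
```

Snapshots are regional, so run the audit in every region the account uses, not only the one you normally work in.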


Did you know that Elastic Block Storage (Amazon EBS) has a "public" mode that makes your virtual hard disk available to anyone on the internet? Apparently hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see. I tore apart the petabytes of data for you and have some dirty laundry to air: encryption keys, passwords, authentication tokens, PII, you name it and it's here. Whole (virtual) hard drives to live sites and apps, just sitting there for anyone to read. So much data in fact that I had to invent a custom system to process it all. There's a massive Wall of Sheep out there on the internet, and you might not have even noticed that you're on it. Actually, you should stop reading and go check that out right now.