
AWS Security Edition
About this event
Sponsor: MSG Romania
Agenda:
18:00 - 18:20 - Intro - Lucian Revnic, Andrei Stefanie, Andreea Misaras
18:20 - 18:50 - AWS Eventual Persistence: Performing Actions with Deleted Identities - Eduard Agavriloae
Every AWS IAM action has a ~4-second delay before it takes effect, while the data plane is updated instantly. Attackers can weaponize this discrepancy to ensure persistence.
In this talk we'll explore how this consistency window can be abused, why the standard incident response playbooks fail (including AWS's own recommended approach), and what actually works. We'll also look at how this extends across multiple IAM resources and actions including detaching policies, using deleted identities and keys, and what CloudTrail actually logs when this happens. Finally, we'll take a look at how the vulnerability affects the other big cloud providers.
This vulnerability exposed a gap in every identity-based incident response containment procedure. Learn about this unpatched vulnerability and how to protect against it.
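The abstract notes that the propagation delay shows up in what CloudTrail records: an identity or key can keep performing actions after the event that deleted it. The following detection script is an added example for defenders, not code from the talk or the event page. It walks a batch of CloudTrail records, remembers when each DeleteAccessKey / DeleteUser call was logged, and flags any later event attributed to that key or user, together with the lag in seconds so an analyst can compare it against the propagation window the talk describes. The records below are constructed; field names (eventTime, eventName, userIdentity.accessKeyId, userIdentity.userName, requestParameters) follow the documented CloudTrail record format, and the access key IDs and user names are made up.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style records (subset of fields), not real log data.
# Key IDs and user names are invented for the example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T12:00:05Z", "eventName": "DeleteAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "sec-responder",
                      "accessKeyId": "AKIAEXAMPLEKEY000099"},
     "requestParameters": {"userName": "ci-deploy",
                           "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T12:00:07Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T12:00:10Z", "eventName": "DeleteUser",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "sec-responder",
                      "accessKeyId": "AKIAEXAMPLEKEY000099"},
     "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2024-05-01T12:01:30Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T12:02:00Z", "eventName": "ListUsers",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "sec-responder",
                      "accessKeyId": "AKIAEXAMPLEKEY000099"}},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_deletion_activity(events):
    """Return events attributed to an access key or IAM user after the
    DeleteAccessKey / DeleteUser event for it was recorded.

    Each finding carries the lag in seconds since the relevant deletion so
    the analyst can compare it with the expected propagation window.
    """
    deleted_keys = {}   # accessKeyId -> time the DeleteAccessKey call was logged
    deleted_users = {}  # userName    -> time the DeleteUser call was logged
    findings = []

    for event in sorted(events, key=lambda e: parse_event_time(e["eventTime"])):
        when = parse_event_time(event["eventTime"])
        identity = event.get("userIdentity") or {}
        key_id = identity.get("accessKeyId")
        user = identity.get("userName")

        # Evaluate the acting identity before recording this event's own
        # deletion, so a DeleteAccessKey call is never flagged against itself.
        key_lag = (when - deleted_keys[key_id]).total_seconds() if key_id in deleted_keys else None
        user_lag = (when - deleted_users[user]).total_seconds() if user in deleted_users else None
        if key_lag is not None or user_lag is not None:
            findings.append({
                "eventTime": event["eventTime"],
                "eventName": event["eventName"],
                "eventSource": event.get("eventSource"),
                "accessKeyId": key_id,
                "userName": user,
                "seconds_after_key_deletion": key_lag,
                "seconds_after_user_deletion": user_lag,
            })

        params = event.get("requestParameters") or {}
        name = event["eventName"]
        if name == "DeleteAccessKey" and "accessKeyId" in params:
            deleted_keys[params["accessKeyId"]] = when
        elif name == "DeleteUser" and "userName" in params:
            deleted_users[params["userName"]] = when
        elif name == "CreateUser" and "userName" in params:
            # A legitimately recreated user with the same name is a new
            # principal; stop treating its name as deleted.
            deleted_users.pop(params["userName"], None)

    return findings


if __name__ == "__main__":
    for finding in find_post_deletion_activity(SAMPLE_EVENTS):
        print(finding)
```

Run against an exported trail (for example the JSON records in a CloudTrail S3 delivery), this reports two hits for the constructed data: a ListBuckets call 2 seconds after the key was deleted, and a GetObject call 85 seconds after the key deletion and 80 seconds after the user itself was deleted. The lag is what makes the finding actionable: it tells the responder whether the deletion they relied on for containment had actually taken effect at the time of the activity.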
Source: meetup