Aqua Security recently reported, in "Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources", a critical vulnerability that could affect six Amazon Web Services (AWS) services. If exploited, the vulnerability could have severe consequences, including remote code execution (RCE), user account takeover, leakage of sensitive data, and denial of service (DoS).

Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources

○Affected AWS services

The AWS services said to be potentially affected by the discovered vulnerability are as follows.

CloudFormation

Glue

EMR

SageMaker

ServiceCatalog

CodeStar

○An attack vector called shadow resources

The discovered vulnerability relies on an attack vector called shadow resources; in particular, a technique against S3 buckets known as "Bucket Monopoly" has been singled out as the problem. Through this technique, an attacker is said to be able to create shadow resources in the victim's account and obtain administrative access.

Specifically, it abuses the fact that the S3 buckets automatically created by services such as CloudFormation are generated under the same naming convention in other regions as well: an attacker who predicts the bucket name and creates a bucket with that name can gain access to the victim's data.
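The defensive counterpart to the mechanism above is to never trust a bucket just because its name matches the expected convention. The following is an added example, not code from the article or from Aqua or AWS: before writing to a predictably named bucket, it verifies that the bucket is owned by the expected account, mirroring S3's real ExpectedBucketOwner request parameter. The bucket names and account IDs are constructed, and the client class is a stand-in for a boto3 S3 client so the example runs offline.

```python
# Added example (not from the article). Demonstrates owner verification before
# using a predictably named S3 bucket. FakeS3Client is a constructed stand-in
# for boto3's S3 client; the real client's head_bucket/put_object accept the
# same Bucket and ExpectedBucketOwner keyword arguments.

class FakeS3Client:
    """Constructed stand-in: maps bucket name -> owning AWS account ID."""

    def __init__(self, owners):
        self.owners = owners   # {bucket_name: account_id}
        self.writes = []       # (bucket, key) pairs actually written

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        owner = self.owners.get(Bucket)
        if owner is None:
            raise FileNotFoundError(Bucket)   # real S3: 404 NoSuchBucket
        if owner != ExpectedBucketOwner:
            raise PermissionError(Bucket)     # real S3: 403 AccessDenied

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner):
        self.head_bucket(Bucket, ExpectedBucketOwner)
        self.writes.append((Bucket, Key))


def predictable_bucket_name(service_tag, account_id, region):
    """Constructed naming convention: same prefix and account tag in every region,
    which is exactly what makes the name guessable across regions."""
    return f"{service_tag}-{account_id[-6:]}-{region}"


def safe_put(client, account_id, bucket, key, body):
    """Write only if `bucket` is owned by `account_id`.
    Returns 'written', 'missing' (bucket does not exist yet) or 'foreign'
    (bucket exists but belongs to someone else: a possible shadow resource)."""
    try:
        client.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "foreign"
    client.put_object(Bucket=bucket, Key=key, Body=body,
                      ExpectedBucketOwner=account_id)
    return "written"


def audit_regions(client, account_id, service_tag, regions):
    """Defender's sweep: for each region, classify the predictable bucket name
    so that 'foreign' ones can be investigated and 'missing' ones claimed."""
    return {r: safe_put(client, account_id,
                        predictable_bucket_name(service_tag, account_id, r),
                        "probe.txt", b"") for r in regions}
```

In production, apply the same check on the read path with ExpectedBucketOwner on GetObject, and back it with an IAM policy condition on s3:ResourceAccount so that a bucket in a foreign account is rejected even if application code forgets the check.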

The discovered vulnerability was reported to AWS and has been promptly fixed. However, Aqua Security points out that this type of attack may also exist in other services, products, and open source projects. AWS users are advised to keep their security measures up to date, to understand the risks associated with shadow resources, and to apply appropriate mitigations.