Pivoting Clouds in AWS Organizations

AWS Organizations is a service offered by AWS that allows a user to logically bind together a large number of AWS accounts under one "organization". While this helps for organizational purposes, it presents several unique pathways for a pentester, allowing one to tunnel through the inherent boundaries that might exist in a single AWS account. Using AWS Organizations, I show how one can turn a single account takeover into a multi-account takeover, drastically increasing the blast radius. The talk hopes to provide both a technical perspective and an abstract-enough overview to be useful to in-the-weeds pentesters and general managers/business owners alike.

The talk covers:
- AWS Organizations overview
- An easy way to pivot to a member account (account creation)
- Trusted access and delegated administration overview
- Using trusted access and delegated administration to indirectly or directly access member accounts
- A new Organizations security feature released in 2022 and its security implications
- An overview of tooling created by the speaker to assist in enumerating organizations, in the open source tool Pacu
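The three pivot paths the abstract names (member accounts created from the management account, trusted access, and delegated administration) can be audited from the defender's side with the Organizations API. The script below is an added example written for this page; it is not code from the talk, from Pacu, or from AWS. It assumes the role name OrganizationAccountAccessRole (AWS's documented default for CreateAccount) was not overridden or removed, and the severity labels are the example's own. The sample snapshot is constructed, so the audit runs offline; fetch_snapshot() builds the same shape from a live organization when boto3 and credentials are available.

```python
"""Audit an AWS Organizations snapshot for cross-account pivot paths: accounts
created from the management account, enabled trusted access, and delegated
administrators. Pure Python over an API-shaped snapshot so it runs offline."""
from dataclasses import dataclass

# AWS's documented default RoleName for organizations:CreateAccount. Assumption:
# the organization did not override or delete it; verify per account.
DEFAULT_ACCESS_ROLE = "OrganizationAccountAccessRole"


@dataclass(frozen=True)
class Finding:
    severity: str    # "high", "medium" or "info" (severities are this example's own)
    account_id: str
    detail: str


def audit_org(snapshot: dict) -> list[Finding]:
    """Return findings describing how a compromised management or delegated-admin
    account could reach other member accounts."""
    findings: list[Finding] = []
    mgmt_id = snapshot["Organization"]["MasterAccountId"]

    # 1. Member accounts created (not invited) from the management account get a
    #    cross-account admin role trusting the management account at creation time.
    created: set[str] = set()
    for acct in snapshot["Accounts"]:
        if acct["Id"] == mgmt_id or acct.get("Status") != "ACTIVE":
            continue
        if acct.get("JoinedMethod") == "CREATED":
            created.add(acct["Id"])
            findings.append(Finding("high", acct["Id"],
                f"created from management account {mgmt_id}; default role "
                f"{DEFAULT_ACCESS_ROLE} likely lets that account assume admin here"))

    # 2. Trusted access: each enabled service principal is a service that the
    #    management account (or a delegated admin) can drive across the org.
    for svc in snapshot.get("EnabledServicePrincipals", []):
        findings.append(Finding("info", mgmt_id,
            f"trusted access enabled for {svc['ServicePrincipal']}"))

    # 3. Delegated administrators: member accounts that manage a service org-wide.
    #    Escalate when that account is itself reachable via finding 1.
    delegated_services = snapshot.get("DelegatedServices", {})
    for admin in snapshot.get("DelegatedAdministrators", []):
        principals = [d["ServicePrincipal"] for d in delegated_services.get(admin["Id"], [])]
        severity = "high" if admin["Id"] in created else "medium"
        findings.append(Finding(severity, admin["Id"],
            f"delegated administrator for {', '.join(principals) or 'unknown services'}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def fetch_snapshot() -> dict:
    """Build the same snapshot shape from a live organization (needs boto3 and
    credentials in the management account or a delegated administrator)."""
    import boto3  # imported lazily so the offline part of this file has no dependency
    org = boto3.client("organizations")
    snap = {"Organization": org.describe_organization()["Organization"],
            "Accounts": [], "EnabledServicePrincipals": [],
            "DelegatedAdministrators": [], "DelegatedServices": {}}
    for page in org.get_paginator("list_accounts").paginate():
        snap["Accounts"].extend(page["Accounts"])
    for page in org.get_paginator("list_aws_service_access_for_organization").paginate():
        snap["EnabledServicePrincipals"].extend(page["EnabledServicePrincipals"])
    for page in org.get_paginator("list_delegated_administrators").paginate():
        snap["DelegatedAdministrators"].extend(page["DelegatedAdministrators"])
    for admin in snap["DelegatedAdministrators"]:
        pages = org.get_paginator("list_delegated_services_for_account").paginate(AccountId=admin["Id"])
        snap["DelegatedServices"][admin["Id"]] = [s for p in pages for s in p["DelegatedServices"]]
    return snap


# Constructed sample snapshot (not real account data) in the shape the
# Organizations API returns, so the audit can be exercised offline.
SAMPLE_SNAPSHOT = {
    "Organization": {"Id": "o-exampleorg", "MasterAccountId": "111111111111"},
    "Accounts": [
        {"Id": "111111111111", "Name": "management", "Status": "ACTIVE", "JoinedMethod": "INVITED"},
        {"Id": "222222222222", "Name": "dev", "Status": "ACTIVE", "JoinedMethod": "CREATED"},
        {"Id": "333333333333", "Name": "security-tooling", "Status": "ACTIVE", "JoinedMethod": "INVITED"},
        {"Id": "444444444444", "Name": "prod", "Status": "ACTIVE", "JoinedMethod": "CREATED"},
        {"Id": "555555555555", "Name": "old", "Status": "SUSPENDED", "JoinedMethod": "CREATED"},
    ],
    "EnabledServicePrincipals": [{"ServicePrincipal": "guardduty.amazonaws.com"},
                                 {"ServicePrincipal": "sso.amazonaws.com"}],
    "DelegatedAdministrators": [{"Id": "333333333333", "Name": "security-tooling", "Status": "ACTIVE"}],
    "DelegatedServices": {"333333333333": [{"ServicePrincipal": "guardduty.amazonaws.com"}]},
}

if __name__ == "__main__":
    for f in audit_org(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.account_id}: {f.detail}")
    print(summarize(audit_org(SAMPLE_SNAPSHOT)))
```

On the sample data the two accounts joined by creation are flagged high, the suspended one is skipped, the delegated GuardDuty administrator is flagged medium, and the two enabled service principals are reported as informational. In a real review, each high finding should be confirmed by checking whether the default role still exists in that member account and what its trust policy allows.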

Scott Weston


Scott Weston is a Senior Security Consultant at NetSPI, originally from southern CA and currently based out of Minneapolis, MN. He has 3ish years of experience in information security/pentesting, with his involvement including general web applications, GraphQL, and cloud environments (specifically AWS). He has contributed to the open-source AWS pentesting tool Pacu by adding modules for AWS Organizations. He also created a large AWS deck designed for beginners to present to the San Diego Defcon group, located at https://www.linkedin.com/posts/webbinroot_aws-from-zero-to-pacu-activity-6996999634782994432-q0oy. He has participated in some bug bounties/VDPs and is mentioned in the International Committee of the Red Cross (ICRC) hall of fame at https://www.icrc.org/en/vulnerability-disclosure/hall-of-fame. In his spare time, he enjoys pursuing individual bug bounties and interesting avenues of pentesting.



You'll wish you went sooner!

We proudly present SecretCon, an entirely unparalleled conference for the state of Minnesota, built for our new digital reality. This conference is dedicated to the many specialties of our hacker, cybersecurity, and privacy community. We have taken it upon ourselves to construct a conference that not only embraces our past, but also looks to the future. Join us!