News of yet another company exposing its data to all and sundry on cloud storage is so normal now that you can pre-write the news and insert the name of the company. This time, however, Amazon Web Services Inc. itself allegedly allows hackers to get access to user data through its application programming interfaces.

The claim came Tuesday from security researchers at Unit 42, the cybersecurity research arm of Palo Alto Networks Inc. The researchers have detailed 22 APIs across 16 different AWS services that can be used to leak the AWS Identity and Access Management users and roles in arbitrary accounts.

AWS services that allegedly can be abused by attackers include Amazon Simple Storage, Amazon Key Management Service and Amazon Simple Queue Service. “A malicious actor may obtain the roster of an account, learn the organization’s internal structure and launch targeted attacks against individuals,” the researchers noted.

The cause of the issue is said to be that the AWS backend proactively validates all of the resource-based policies attached to resources such as S3 buckets and customer-managed keys. The researchers say that though this is a convenient feature, it can also be used to check whether an identity exists in an AWS account.

In a recent Red Team exercise, Unit 42 researchers said, they “compromised a customer’s cloud account with thousands of workloads using a misconfigured IAM role identified by this technique.”

Reached by SiliconANGLE, AWS declined to provide a statement on the report.

“APIs are fast becoming the vehicle for customer experience personalization,” Setu Kulkarni, vice president, strategy at application security provider WhiteHat Security Inc., told SiliconANGLE. “These APIs in question dramatically reduce the effort required by organizations to build cloud-based and cloud-native applications. However, APIs are a double-edged sword – when implemented poorly, they provide unprecedented access to core transactional business systems.”

In this case, he said, the implementation of error and exception handling creates an inadvertent opportunity to exploit a combination of the APIs to get access to account information.

“Often, API security is narrowly and wrongly defined to only include API management,” he explained. “API security should include API security testing to make sure that the APIs do not suffer from AppSec vulnerabilities. One may even argue that API security testing should also include ‘business logic assessments.’ They provide organizations the visibility into how a poorly designed API can reveal information that can be used as input into another API to get unprecedented access into not just more customer data but also to executing functionality on behalf of the customer.”

Charles Ragland, security engineer at digital risk software firm Digital Shadows Ltd., noted that appropriately configuring identity and access management policies can be complicated and time-consuming.

“The research performed by Unit 42 demonstrates what is possible when an IAM policy is misconfigured and leaking information,” Ragland said. “An organization’s DevOps team could use one of the available IAM configuration auditing tools to look for potential weaknesses or misconfigurations and mitigate them before they become an issue in an ideal world.”

Image: AWS