15 ideas for cloud security research

Want to break into AWS security research but don’t know where to start? Sometimes finding the right idea is the hardest part. fwd:cloudsec North America CFP closes March 29 and fwd:cloudsec Europe opens April. Here are 15 simple ideas anyone can follow through for submission.

1️⃣ How to make and find malicious cloud formation - There’s a cloud formation registry with re-usable components. Make some of your own. How could an attacker abuse these? How can defenders identify and block malicious cfn?

2️⃣ How I hacked [pick an AWS service] - Take the MITRE ATT&CK framework stages and describe how to do each for the service. No new techniques. Just a nice package anyone can use for a pen test or red team exercise.

3️⃣ Inference: What I deduced about your AWS environment - Look at DNS responses, API error messages, certificates, IAM policies, etc. and see what you can infer about environments and AWS itself.

4️⃣ I read every warning in AWS documentation - AWS threat modelling is really on point. Look through all of their warnings and see what you can find.

5️⃣ I scan the AWS IP space every day - Grab the big JSON file with AWS IPs in it and start do regular non-intrusive scans. What do you notice? Are some services more vulnerable? What can attackers take advantage of? What should defenders know?

6️⃣ Honey account - Make a constrained permission access keys and dump them all over the internet. Which places are actively trawled by attackers? What do they do with the keys they find? Just be careful you don’t get yourself pwned.

7️⃣ Burning $: How an attacker could cost you your wallet - Get creative with the documentation. Look for services and configurations that could escalate costs quickly and that are difficult to reverse. Let everyone know how to protect against them.

8️⃣ Error message mapping - Write some code to trigger errors in API calls one by one. Two pizza teams lead to inconsistent error messages. Figure out what layers they come from. What do they tell you about a target infrastructure?

9️⃣ Endpoint mapping - Pull up the web console and an attack proxy and make a list of all the APIs, beyond the documented ones. There are plenty. Go beyond the console and look at all the registries and satellite apps. Understand how they work and share your insights.

1️⃣0️⃣ Tagging for security - Security automation is limited by metadata. Who should fix the thing? How bad is it? Where are the crown jewels? Come up with a schema and tooling to help keep this stuff up to date and show people how to automate security in the cloud.

1️⃣1️⃣ Zero $ CSPM - Cobble together open source tools and teach folks how they can get a bunch of the technical capability of major cloud security platforms. Discuss the trade offs and help people get their cloud security journey started.

1️⃣2️⃣ Extend someone else’s research - Dive into some of the awesome work others are doing like Gafnit Amiga , Aidan Steele , Scott Piper , Ian Mckay , Ben Bridts and try and take the next step. There’s gold to be found in extending other people’s great work.

1️⃣3️⃣ Improve a compliance framework - Take a cloud security framework and make it better, more complete. There are always gaps. It’s hard to keep up with service releases. What patterns can you apply globally? Submit the updates as open source so everyone can benefit.

1️⃣4️⃣ AWS advice on the internet sux - Look at all the places people post answers to technical questions about AWS. Find the really bad ones and discuss what better advice looks like. Submit the answers back to the source.

1️⃣5️⃣ IaC backdoors - Pick an infrastructure as code framework and be creative with how you would introduce persistence mechanisms covertly. Talk about the commonalities and how you could detect them.

We can’t guarantee your talk will be accepted but we can guarantee you will learn a lot if you have a go. And if you decide to share your findings, we will all be smarter and more secure because of your work.