An undocumented API in AWS’ management console could have allowed attackers an undetectable surveillance channel, a security researcher has said.
AWS quietly fixed the issue in October 2022 after being alerted by Datadog in March 2022.
The Datadog researchers who discovered the API realised it could bypass AWS CloudTrail logging.
The API, documented here, would mean specific identity and access management (IAM) requests would not be logged.
“This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account—without leaving any trace of their actions in CloudTrail”, Datadog’s senior security researcher Nick Frichette wrote.
Datadog discovered the API, called “iamadmin”, by watching connection requests in the browser developers’ tools while browsing the AWS Management Console.
From there, the researchers discovered 13 methods they could invoke with iamadmin, allowing them to list group policies and user counts, list users, and more.
“Being able to bypass CloudTrail logging and getting the results of those calls has serious implications for defenders, because it limits their ability to track what an adversary has done in an environment and what actions they’ve taken”, Frichette’s post states.
“Furthermore, this technique also makes it possible to bypass GuardDuty for findings such as IAMUser/AnomalousBehavior, because GuardDuty uses CloudTrail as a data source, and it can’t alert on something it can’t see.”