CloudFormation Templates: What’s in That Stack?

What would happen if someone provisioned a stack from a blog post that created new identity access management (IAM) roles, disabled logging services or created new security groups? Would you know?

In preparation for a research project I needed to create the AWS infrastructure that would be used to run Docker, Kubernets and our containerized app. I also needed to enable and configure multiple AWS resources, which included EC2 instances, SecurityGroups, Subnets and IAM Roles. With a working knowledge of the basic resources needed for the project I turned to Google in the hope of locating an example. I quickly stumbled upon a few helpful CloudFormation templates (CFTs) from someone who had undertaken a similar project.

CloudFormation templates can be used to spin up individual resources or entire environments. The templates are text files and are commonly formatted in json, yaml or template. Templates define the properties of the resource(s) a user seeks to provision. These templates are managed, updated and deployed as a unit known as a stack. After a formation template is written, it can be used in other AWS environments simply by changing a few resource parameters.

To launch the CloudFormation template I located in my Google search all I had to do was click a button to the blog post, which then pivoted into my AWS management console and began the deployment.

Easy, right? All too easy.

Once the underlying infrastructure of the project was provisioned and working, I went back and took a deeper look at one of the templates and wondered what the file was doing. I provisioned first and asked questions later.

Not the best idea.

Scrolling through the yaml file I saw code that had the EC2 instance installing and executing commands as part of the provisioning process.

My curiosity was piqued. How easy would it be to backdoor a CloudFormation template? I decided to add two commands to the CFT: the first installs nmap-ncat and the second uses netcat to connect to a remote listener.

Upon creation of the stack, I now had a working EC2 instance, but there was already a remote root shell connection.

Great, but somewhat obvious to anyone who took a second to glance at the CFT. How could I hide the malicious commands from the user? AWS CFT allows for nested stacks. The top-level stack is called a root stack. A root stack can have one or more nested stacks beneath it that provision additional resources.

 

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html

 

The image below shows that root stack calls a nested stack for the resource GitlabInstance. The nested stack uses another CFT template located on an open S3 bucket.

As before, the complete stack is deployed using the AWS console and success. The formation template spins up a working EC2 instance that connects back to the listener.

Conclusion: CFTs need to be analyzed first.

This is an example of a basic formation template attack. It’s opportunistic and it would be very hard to target a specific organization in this manner, but it clearly illustrates that CloudFormation templates (CFTs) need to be analyzed prior to deployment.

We suggest prevention tools.

From a security perspective it is critical to understand the actions within the formation template before it is deployed. If there are nested stacks being called, they need to be analyzed as well.

Analyze what resources are being provisioned, what they’re used for and if the resources are labeled. For example, if a security group is created look closely at inbound and outbound rules. Most CFTs I’ve seen only create security groups that lock down incoming connections, leaving outbound wide open. This was the case for the formation template used in the example above.

Make sure users deploying the formation templates don’t have overly permissive permissions. If the formation templates are compromised, then users may not have the appropriate resources to deploy malicious resources.

Several cybersecurity solution providers have the ability to scan formation templates for malicious behavior. Use them.