by ManWith2Plans 1949 days ago
I work with AWS a lot every day and lead a team responsible for building workloads on AWS for some customers with very high security requirements. This tool terrifies me.

The sheer amount of potential for misconfiguration of resources that this tool can exploit with no effort whatsoever is absolutely insane. I feel like every AWS environment I've ever seen is suddenly at risk of some angry employee compromising everything very very quickly.

I'm betting over at AWS they're almost as terrified by this as I am.

6 comments

I can almost guarantee you that attackers focusing on AWS environments have all sorts of similar (if not worse) tools. The fact that this is public hopefully terrifies AWS into improving their security usability and making these kinds of exposures more difficult. What's important to remember is that there isn't actually any _vulnerability_ here (the tool still requires valid authentication to work); it just makes it 100x easier to automate.

The scary part is who has built tools like this before but people didn't know they existed?

At least now we all have access to the same tool. Maybe this one won't have everything the "secret" tools have. But it's a good start!

Initially stuff like this is scary but it leads to good things in the end. Tighter security, opening customers' eyes. Etc. Probably the better black hatters already knew about these and your organization wasn't really worth anything to them so they skipped it. At least tools like these help us security neophytes have a little bit of a fighting chance out there on the Wild Wild Web.

Working currently with a cloud security project, the sheer amount of surface area that AWS exposes combined with the amount of asterisks I see in various types of policies is terrifying. Enumeration is incredibly dangerous when there are so many poor service roles blindly trusting an entire AWS service, not realizing this is trust across accounts.
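The "service role blindly trusting an entire AWS service" pattern in the comment above is the cross-account confused-deputy case: a trust policy whose principal is a service like `s3.amazonaws.com` with no condition pinning which account or resource that service must be acting for. The checker below is an added example, not code from the thread or from the tool being discussed; it audits constructed trust-policy documents (the account id `111111111111` is a placeholder) and flags wildcard principals and service principals that lack an `aws:SourceAccount` / `aws:SourceArn` / `aws:SourceOrgID` condition. The weak and corrected policies sit side by side so the fix is visible.

```python
"""Audit IAM role trust policies for over-broad trust.

Added example (not from the discussion above). Given trust-policy documents
as Python dicts, report (1) wildcard principals and (2) AWS service principals
trusted without a scoping condition, which is the cross-account
confused-deputy exposure the comment describes.
"""

# Condition keys that scope a service-principal trust to a specific caller.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Collect every condition key (lower-cased) across all operators."""
    keys = set()
    for operator_block in (condition or {}).values():
        if isinstance(operator_block, dict):
            keys.update(k.lower() for k in operator_block)
    return keys


def audit_trust_policy(role_name, policy):
    """Return a list of (role, severity, message) findings for one policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        cond_keys = _condition_keys(stmt.get("Condition"))

        # Anyone at all may assume the role.
        if principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        ):
            findings.append((role_name, "HIGH", "wildcard principal may assume role"))
            continue

        if not isinstance(principal, dict):
            continue

        # A service principal with no SourceAccount/SourceArn/SourceOrgID
        # condition trusts that service on behalf of *every* AWS account.
        for svc in _as_list(principal.get("Service", [])):
            if not cond_keys & SCOPING_KEYS:
                findings.append((
                    role_name,
                    "MEDIUM",
                    f"service principal {svc} trusted without "
                    "aws:SourceAccount/aws:SourceArn condition "
                    "(cross-account confused deputy)",
                ))
    return findings


def audit_roles(roles):
    """Audit a {role_name: trust_policy} mapping; return all findings."""
    findings = []
    for name, policy in roles.items():
        findings.extend(audit_trust_policy(name, policy))
    return findings


# --- Constructed sample policies (placeholder account id) -------------------
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sts:AssumeRole",
        # Pins the trust to S3 acting for this account only.
        "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}},
    }],
}

WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
}

SAMPLE_ROLES = {
    "s3-events-weak": WEAK_POLICY,
    "s3-events-fixed": FIXED_POLICY,
    "legacy-open": WILDCARD_POLICY,
}

if __name__ == "__main__":
    for role, severity, msg in audit_roles(SAMPLE_ROLES):
        print(f"[{severity}] {role}: {msg}")
```

Run against real roles by feeding the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) into `audit_roles`; the corrected policy produces no finding because the `aws:SourceAccount` condition restricts which account the S3 service may be acting for when it assumes the role.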

There are a lot of other tools in this space and people that specialize in AWS pentesting. Another popular tool is Pacu: https://rhinosecuritylabs.com/aws/pacu-open-source-aws-explo...

404 on this today so I guess they were terrified.