No keys attached: Exploring GitHub-to-AWS keyless authentication flaws
Datadog Security Labs securitylabs.datadoghq.com
In this post, we discuss the GitHub-to-AWS keyless authentication flow using OpenID Connect (OIDC). We also demonstrate that a number of AWS identity and access management (IAM) roles in the wild were misconfigured, allowing untrusted GitHub Actions to assume them and retrieve AWS credentials. Finally, we discuss a specific misconfiguration we identified in the AWS environment of a UK government entity.
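As an added illustration that is not taken from the post: assuming the misconfiguration class is a role trust policy that checks only the OIDC `aud` claim and omits or wildcards the `sub` claim identifying the calling repository, the checker below flags such statements. The account ID, organisation and repository names in the two sample policies are constructed placeholders.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

def weak_github_trust_findings(trust_policy: dict) -> list[str]:
    """Flag trust-policy statements that let GitHub Actions assume the role
    without pinning the OIDC `sub` claim to a specific repository."""
    findings = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        federated = stmt.get("Principal", {}).get("Federated", "")
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or GITHUB_OIDC not in federated):
            continue  # not a GitHub OIDC assume-role statement
        # Gather every value constrained on the sub claim, under any operator
        subs = []
        for kv in stmt.get("Condition", {}).values():
            val = kv.get(f"{GITHUB_OIDC}:sub")
            if val is not None:
                subs.extend([val] if isinstance(val, str) else val)
        if not subs:
            findings.append(f"Statement {i}: no {GITHUB_OIDC}:sub condition; "
                            "any GitHub repository's workflow can assume this role")
        for s in subs:
            if s == "*" or s.startswith("repo:*"):
                findings.append(f"Statement {i}: sub pattern '{s}' does not pin a repository")
    return findings

# Constructed sample policies (not from the post). The weak one only checks the
# audience claim, which every GitHub-issued token aimed at AWS carries.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}""")

HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}}}]}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, weak_github_trust_findings(policy) or ["ok"])
```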
GitHub-to-AWS keyless authentication
Previous research has shown that long-lived, static credentials such as IAM user access keys are …