by Heidi Porter
Even if you or your clients are not hosting your FileMaker Server in the cloud or using FMCloud, your clients may use one or many services in AWS or another cloud provider. For example, clients might use S3 for external container storage or to store backups. This talk will demonstrate how some common AWS oversights can be exploited using both manual and tool-based penetration testing techniques. We’ll look at how attackers can access AWS keys and S3 file contents, take over subdomains, spin up an S3 backup on an EC2 server to gain access to its contents, use SSRF to log on to a secure website hosted on AWS, attack serverless architectures, and disrupt logging. Best practices for defending against the above will be the primary concern of the talk. If you install the AWS CLI and get a free tier account, you can play/attack alongside me.