Intermediate Business Lab
aws
Exfiltrate Secrets via Amazon SNS Abuse
Messaging services like Amazon SNS are easily overlooked when securing cloud platforms, and can give an attacker a route to exfiltrate sensitive data without triggering alarms!
Overview
This hands-on lab walks students through this attack technique and through implementing defenses against abuse of Amazon SNS for data exfiltration. Built around a realistic scenario, it gives students both the technical knowledge and the practical skills needed to identify and mitigate similar cloud service exploitation techniques.
Scenario
Huge Logistics operates a centralized internal portal where DevOps Engineers manage API secrets via AWS Secrets Manager, providing a single point of control for sensitive credential management across their cloud infrastructure. An attacker compromised a Huge Logistics DevOps Engineer's AWS access keys, found in a public GitHub repository (unfortunately a common oversight), which provided the initial foothold into the organization's cloud environment. Using these legitimate credentials, the attacker then performs systematic reconnaissance across multiple AWS services, including IAM, Secrets Manager, Lambda, and SNS, methodically mapping the organization's cloud architecture and identifying potential attack vectors.
Lab prerequisites
- Good understanding of AWS services (IAM, SNS, Lambda and Secrets Manager)
- An external email address (e.g. Gmail)
- Basic understanding of AWS CLI Commands
- Basic understanding of API endpoints
Learning outcomes
- Understand how attackers can abuse legitimate Amazon SNS topics and automated Lambda workflows for data exfiltration.
- Understand how a compromised AWS access key with broad permissions enables data exfiltration.
- Learn defensive strategies to prevent SNS-based exfiltration.
Real-world context
This lab mirrors real-world cloud security incidents where attackers exploit overlooked AWS services such as SNS to exfiltrate sensitive data without triggering alarms. Many applications rely on SNS for sending notifications, and when developers do not review what goes into those messages, they risk delivering sensitive data to endpoints that nobody in the organization has vetted: an SNS subscription is confirmed by whoever controls the receiving mailbox or URL, which says nothing about whether that recipient belongs to the company. In environments with over-permissive IAM policies and little monitoring of notification services, SNS becomes an attractive target for threat actors who recognize its potential as a covert channel.
Attackers leverage SNS's deep integration into automated workflows, and the broad IAM permissions often granted to publish to and subscribe to topics, to silently deliver confidential information outside the organization. The service's legitimate business purpose provides cover for malicious activity: data exfiltration disguised as routine notifications rarely raises suspicion among security teams focused on traditional vectors like direct database access or bulk file transfers. The technique is effective because most organizations monitor their databases and storage systems closely while neglecting to scrutinize the content and recipients of their notification streams, creating a blind spot that experienced adversaries are quick to exploit.
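The blind spot described above is closable with a small amount of log review: a new SNS subscription whose endpoint lies outside the organization, especially one created by a principal that has just been reading Secrets Manager, is exactly the signal the lab's attacker produces. The script below is an added example written for this page, not part of the lab or of Pwned Labs' material. It sweeps CloudTrail-style records (the field layout of eventSource, eventName, userIdentity and requestParameters is assumed to follow CloudTrail) for sns:Subscribe calls that deliver to external endpoints, and for principals that read secrets and then subscribe shortly afterwards. The records, the allowed domain and the account ID are constructed for the example; HugeLogistics.example and account 111111111111 are hypothetical.

```python
"""Flag SNS subscriptions that can carry data out of the account (added example).

Two checks run over CloudTrail-style records:
  1. sns:Subscribe calls whose endpoint is outside the organization.
  2. principals that read Secrets Manager and then called sns:Subscribe
     within a short window (reconnaissance followed by channel setup).
The records below are constructed for this example, not real logs.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical organization settings (assumptions for the example)
ALLOWED_DOMAINS = {"hugelogistics.example"}
ALLOWED_ACCOUNTS = {"111111111111"}

SECRET_READS = {("secretsmanager.amazonaws.com", "GetSecretValue"),
                ("secretsmanager.amazonaws.com", "ListSecrets")}

# Constructed CloudTrail-style events, oldest first
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/devops-engineer"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "requestParameters": {"secretId": "prod/api-key"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/devops-engineer"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Subscribe",
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:111111111111:secrets-rotation-alerts",
                           "protocol": "email", "endpoint": "attacker@gmail.com"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/devops-engineer"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Subscribe",
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:111111111111:deploy-events",
                           "protocol": "https", "endpoint": "https://hooks.hugelogistics.example/alerts"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deployer"}},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Subscribe",
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:111111111111:deploy-events",
                           "protocol": "sqs", "endpoint": "arn:aws:sqs:us-east-1:111111111111:notify-queue"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deployer"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish",
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:111111111111:secrets-rotation-alerts"},
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/rotation-lambda/rotate"}},
]


def _domain_of(protocol, endpoint):
    """Domain an email/HTTP endpoint delivers to, or None for other protocols."""
    if protocol in ("email", "email-json"):
        return endpoint.rsplit("@", 1)[-1].lower()
    if protocol in ("http", "https"):
        return (urlparse(endpoint).hostname or "").lower()
    return None


def endpoint_is_external(protocol, endpoint,
                         allowed_domains=ALLOWED_DOMAINS, allowed_accounts=ALLOWED_ACCOUNTS):
    """True when a subscription endpoint would deliver outside the organization."""
    if protocol == "sms":
        return True  # a phone number is never inside the AWS account
    if protocol in ("sqs", "lambda", "application", "firehose"):
        # ARN layout: arn:partition:service:region:account:resource
        parts = endpoint.split(":")
        return len(parts) < 6 or parts[4] not in allowed_accounts
    domain = _domain_of(protocol, endpoint)
    if domain is None:
        return True  # unknown protocol: treat as external until reviewed
    return not any(domain == d or domain.endswith("." + d) for d in allowed_domains)


def find_suspicious_subscriptions(events, **kwargs):
    """Return sns:Subscribe events whose endpoint is external to the org."""
    hits = []
    for ev in events:
        if (ev["eventSource"], ev["eventName"]) != ("sns.amazonaws.com", "Subscribe"):
            continue
        params = ev.get("requestParameters") or {}
        protocol, endpoint = params.get("protocol", ""), params.get("endpoint", "")
        if endpoint_is_external(protocol, endpoint, **kwargs):
            hits.append({"time": ev["eventTime"], "principal": ev["userIdentity"]["arn"],
                         "topic": params.get("topicArn"), "protocol": protocol,
                         "endpoint": endpoint})
    return hits


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_recon_then_subscribe(events, window=timedelta(minutes=30)):
    """Principals that read secrets and then called sns:Subscribe within `window`."""
    last_secret_read, flagged = {}, set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts as text
        principal = ev["userIdentity"]["arn"]
        key = (ev["eventSource"], ev["eventName"])
        if key in SECRET_READS:
            last_secret_read[principal] = _ts(ev["eventTime"])
        elif key == ("sns.amazonaws.com", "Subscribe"):
            seen = last_secret_read.get(principal)
            if seen is not None and _ts(ev["eventTime"]) - seen <= window:
                flagged.add(principal)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_suspicious_subscriptions(SAMPLE_EVENTS):
        print("external subscription:", hit)
    print("recon then subscribe:", find_recon_then_subscribe(SAMPLE_EVENTS))
```

On the constructed input only the gmail.com email subscription created by the devops-engineer user is flagged by both checks; the HTTPS webhook on the company domain and the SQS queue in the company account pass. In a real deployment the same logic would be fed from CloudTrail via EventBridge or an Athena query, and the allowed-domain and account lists would come from configuration rather than constants. A complementary preventive control is an SNS topic policy that restricts sns:Subscribe to approved principals, so that a compromised engineer key cannot add recipients at all.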
Cloud Security Training To Protect Your Business
Pwned Labs for Business gives your team access to dedicated business content, including labs and cyber ranges.
We also offer in-person or remote workshops, and our cloud penetration testing services are helping businesses become more secure!