

People tend to think of ChatOps as “a conversation-driven means of running software.” But that, my friends, is an oversimplification that misses a crucial point. ChatOps is “the novel operational practice of expanding your security perimeter to anyone who has access to the right Slack channel or to Slack’s production infrastructure.” This is obviously my own definition, and people tend not to talk about it this way. I’m afraid that’s going to be a big problem. You see, there seems to be a large-scale aversion to discussing the risks of ChatOps in public, and I can’t shake the feeling that this is going to bite all of us in the end.

Unless you’ve been living in a hole for the last decade, you’ve encountered Slack. Yes, some people use Microsoft Teams for work instead. I do not understand nor endorse this behavior and neither should you, because Teams is trash.

Slack, a Salesforce company, is also the single organization I would attempt to breach if I were looking to do some real damage. Why? While people store code and databases and naughty videos in their AWS accounts, they talk about things ranging from lunch plans to mergers and acquisitions to their passwords to their extramarital affairs to their insider trading crimes within Slack.

People treat chat as if it were ephemeral, with messages gone soon after they’re sent, but this isn’t Snapchat we’re talking about here. All of your Slack messages live not in some ephemeral database like an early version of MongoDB, but rather as rows in MySQL. This is largely considered a boon for regulators looking to simplify their e-discovery. Slack’s security team is excellent, because it pretty darn well has to be. If it isn’t, your deepest chat secrets are but a SQL query away.

Anyway, some enterprising folks eventually instrumented Slack a bit, because “Jimothy, do you want to go to lunch?” isn’t that far removed from “AWS, deploy to production.” The sound effect Slack plays when that message arrives is the creeeeak of Pandora’s Docker Container opening. Never one to spy an ill-defined buzzword without enthusiastically launching a service into the category, AWS created a full-on service called, of course, AWS Chatbot. It’s roughly here that, as they say, our troubles begin.

The AWS Chatbot documentation has a deep dive into how to configure Chatbot permissions, which approximately nobody reads or implements. With the magic of ChatOps, I fear that among the profound secrets Slack holds is full root access to your company’s AWS accounts.

Folks are rarely as diligent as we (and, belatedly, they) wish they were when it comes to security. I mean, look at this terrifying thing! Users can be assigned roles, they can change roles, they can assume roles, and at least some of these roles we’re talking about are IAM roles.

There’s a whole mess of fiddly-to-troubleshoot bits in Chatbot setup that people often override, saying, “The hell with it, I trust the team, we’ll just grant them admin-level access and fix it later.” “Later” never comes, leaving Slack users with access to do truly terrible things in sensitive environments due to the rise of the ChatOps phenomenon. In the event of a company inviting the wrong user to the wrong channel, a Slack security lapse, or an inside threat at Slack itself, there’s now an entirely new attack vector against a company’s AWS environment.
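One way to catch the “grant them admin-level access and fix it later” channel role before it ships, as an added example that is not code from the post or from AWS: a small Python audit over an AWS Chatbot Slack channel configuration and the IAM policies attached to its channel role. The dict keys (`ConfigurationName`, `IamRoleArn`, `GuardrailPolicies`, `UserRoleRequired`) follow the shape of the Chatbot API as I understand it and are an assumption; the channel names, role ARNs, account id and policy documents are constructed; and the list of high-risk actions is my own choice for illustration, not an AWS-published list.

```python
"""Audit AWS Chatbot channel roles for admin-equivalent grants.

Added example, not from the post or from AWS. Channel config dicts mimic one
entry of boto3's chatbot.describe_slack_channel_configurations() output and
policy dicts mimic an IAM policy document (assumed shapes); all data below is
constructed.
"""
import fnmatch

# Constructed: the "the hell with it, just give them admin" channel role.
LAZY_CHANNEL_ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingEverywhere", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}]

# Constructed: a role scoped to what a chat channel actually needs (reading
# alarms and logs), with no write or identity actions.
SCOPED_CHANNEL_ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOnlyOps", "Effect": "Allow",
                   "Action": ["cloudwatch:Describe*", "cloudwatch:Get*",
                              "logs:FilterLogEvents", "lambda:ListFunctions"],
                   "Resource": "*"}],
}]

# Concrete actions that let a channel member change who can do what, or take
# over compute or logging. Illustrative selection, not an AWS list.
HIGH_RISK_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole", "lambda:UpdateFunctionCode",
    "ec2:TerminateInstances", "cloudtrail:StopLogging",
]


def _as_list(value):
    """IAM lets Statement/Action be a single string or dict, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_grants(policy_doc):
    """Return (sid, granted_pattern, covered_high_risk_action) for every Allow
    whose action pattern (wildcards included) covers a high-risk action.
    NotAction grants are flagged wholesale: they allow everything not listed."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "*"))
            continue
        for granted in _as_list(stmt.get("Action")):
            for risky in HIGH_RISK_ACTIONS:
                # IAM action matching is case-insensitive; '*' is a glob.
                if fnmatch.fnmatchcase(risky.lower(), granted.lower()):
                    findings.append((sid, granted, risky))
    return findings


def audit_channel(config, role_policies):
    """Audit one channel configuration. role_policies maps the channel role ARN
    to its policy documents (constructed here; in practice fetched from IAM).
    Returns human-readable findings; an empty list means nothing was flagged."""
    name = config["ConfigurationName"]
    findings = []
    for doc in role_policies.get(config.get("IamRoleArn", ""), []):
        for sid, granted, risky in risky_grants(doc):
            findings.append(f"{name}: statement {sid} grants {granted!r}, "
                            f"which covers {risky}")
    # Guardrail policies cap what the channel can do; AdministratorAccess as
    # the guardrail caps nothing. (AWS-managed policy ARN suffix assumed.)
    if any(arn.endswith("policy/AdministratorAccess")
           for arn in config.get("GuardrailPolicies", [])):
        findings.append(f"{name}: guardrail is AdministratorAccess, so the "
                        "channel role is the only limit")
    # Without a per-user role requirement, every channel member acts with the
    # channel role. (UserRoleRequired semantics assumed from the API.)
    if findings and not config.get("UserRoleRequired", False):
        findings.append(f"{name}: UserRoleRequired is off, so anyone in the "
                        "channel gets the grants above")
    return findings


# Constructed sample configurations: the same channel, lazy and scoped.
# 111111111111 is a placeholder account id.
LAZY_CHANNEL = {
    "ConfigurationName": "prod-ops-lazy",
    "IamRoleArn": "arn:aws:iam::111111111111:role/chatbot-admin",
    "GuardrailPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "UserRoleRequired": False,
}
SCOPED_CHANNEL = {
    "ConfigurationName": "prod-ops-scoped",
    "IamRoleArn": "arn:aws:iam::111111111111:role/chatbot-readonly",
    "GuardrailPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "UserRoleRequired": True,
}
ROLE_POLICIES = {
    LAZY_CHANNEL["IamRoleArn"]: LAZY_CHANNEL_ROLE_POLICIES,
    SCOPED_CHANNEL["IamRoleArn"]: SCOPED_CHANNEL_ROLE_POLICIES,
}

if __name__ == "__main__":
    for cfg in (LAZY_CHANNEL, SCOPED_CHANNEL):
        lines = audit_channel(cfg, ROLE_POLICIES)
        print("\n".join(lines or [f"{cfg['ConfigurationName']}: no findings"]))
```

Run as-is it flags the lazy channel on every high-risk action plus the guardrail and user-role settings, and passes the scoped one; to use it for real, feed it the channel entries from `describe_slack_channel_configurations` and the policy documents attached to each `IamRoleArn`. The check is deliberately pattern-based (`iam:*`, `*`, `NotAction`) because those wildcards are exactly what the “fix it later” role tends to contain.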
