Dictionary Attack on Aws
How Dictionary Attack Manifests in Aws
Dictionary attacks in AWS environments typically target authentication endpoints, API keys, and service access controls. The most common manifestation occurs when AWS services expose authentication endpoints without proper rate limiting or lockout mechanisms. For example, AWS Cognito User Pools without configured password policies or rate limiting can be brute-forced using common password dictionaries.
Another critical vector is AWS API Gateway endpoints that lack authentication or use weak API key management. Attackers can systematically test common API keys or attempt to guess valid tokens. Lambda functions invoked via API Gateway without proper IAM role restrictions can also be vulnerable to authentication bypass attempts.
AWS Secrets Manager and Parameter Store can be targeted if IAM policies are overly permissive. An attacker with limited IAM access might attempt to enumerate secrets by trying common secret names or paths. Similarly, S3 bucket enumeration attacks use dictionary techniques to discover publicly accessible or misconfigured buckets.
The following code snippet shows a vulnerable Cognito setup:
const AWS = require('aws-sdk');
const cognito = new AWS.CognitoIdentityServiceProvider();
// Vulnerable: No rate limiting, no lockout policy
async function login(username, password) {
const params = {
AuthFlow: 'USER_PASSWORD_AUTH',
ClientId: process.env.COGNITO_CLIENT_ID,
AuthParameters: {
USERNAME: username,
PASSWORD: password
}
};
return await cognito.initiateAuth(params).promise();
}
// Attacker could call this repeatedly without restrictions
This code allows unlimited authentication attempts, making it susceptible to dictionary attacks. The absence of AWS WAF integration or API Gateway throttling creates an ideal environment for credential stuffing attacks.
AWS-Specific Detection
Detecting dictionary attacks in AWS requires monitoring specific CloudWatch metrics and implementing AWS-native security tools. AWS WAF with rate-based rules can detect and block excessive authentication attempts. CloudTrail logs provide visibility into API calls, allowing you to identify suspicious patterns like repeated failed login attempts from the same IP address.
Amazon GuardDuty can detect reconnaissance activities and brute-force attempts across your AWS environment. The service analyzes VPC flow logs, DNS logs, and CloudTrail data to identify anomalous behavior patterns that indicate dictionary attacks.
middleBrick's AWS-specific scanning identifies dictionary attack vulnerabilities by testing authentication endpoints without credentials. The scanner attempts common authentication patterns and evaluates whether rate limiting is properly implemented. For API Gateway endpoints, middleBrick checks if API keys are properly validated and if throttling rules exist.
Here's how to monitor for dictionary attacks using AWS services:
import boto3
from datetime import datetime, timedelta
def detect_brute_force_attempts():
cloudtrail = boto3.client('cloudtrail')
# Look for repeated failed authentication attempts
end_time = datetime.utcnow()
start_time = end_time - timedelta(minutes=60)
events = cloudtrail.lookup_events(
LookupAttributes=[{
'AttributeKey': 'EventName',
'AttributeValue': 'InitiateAuth'
}],
StartTime=start_time,
EndTime=end_time
)
# Analyze events for patterns
failed_attempts = {}
for event in events['Events']:
user = event['Username']
if 'errorMessage' in event['CloudTrailEvent']:
failed_attempts[user] = failed_attempts.get(user, 0) + 1
# Flag users with excessive failed attempts
for user, count in failed_attempts.items():
if count > 10: # Threshold
print(f'Potential brute force: {user} ({count} attempts)')
middleBrick provides AWS-specific findings that map to OWASP API Top 10 categories like Broken Authentication and Excessive Data Exposure. The scanner tests whether your AWS services properly implement authentication controls and rate limiting mechanisms.
AWS-Specific Remediation
Remediating dictionary attack vulnerabilities in AWS requires implementing multiple security controls across your services. For Cognito User Pools, configure password policies with minimum length, complexity requirements, and account lockout thresholds. Enable AWS WAF rate limiting on API Gateway endpoints to prevent excessive authentication attempts.
Implement IAM policies with the principle of least privilege and use temporary credentials through AWS STS rather than long-lived access keys. For S3 buckets, enable bucket policies that restrict access and use VPC endpoints to limit exposure.
Here's a secure Cognito configuration:
const AWS = require('aws-sdk');
const cognito = new AWS.CognitoIdentityServiceProvider();
// Secure: Configured with rate limiting and lockout
async function secureLogin(username, password) {
const params = {
AuthFlow: 'USER_PASSWORD_AUTH',
ClientId: process.env.COGNITO_CLIENT_ID,
AuthParameters: {
USERNAME: username,
PASSWORD: password
}
};
try {
// Rate limiting implemented at API Gateway level
return await cognito.initiateAuth(params).promise();
} catch (error) {
if (error.code === 'NotAuthorizedException') {
// Log and monitor failed attempts
console.warn(`Failed login attempt for ${username}`);
throw error;
}
throw error;
}
}
// API Gateway throttling configuration
const throttling = {
throttle: [
{
type: 'TOKEN',
burstLimit: 100,
rateLimit: 50
},
{
type: 'IP',
burstLimit: 50,
rateLimit: 25
}
]
};
For API Gateway, implement usage plans with throttling limits:
{
"type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": {"Ref": "MyApi"},
"Stage": "prod"
}
],
"Throttle": {
"BurstLimit": 100,
"RateLimit": 50
},
"Quota": {
"Limit": 1000,
"Period": "MONTH"
}
}
}
Enable AWS Shield Advanced for DDoS protection and use CloudFront with geo-restriction to limit access to your API endpoints. Implement CloudWatch alarms to alert on suspicious authentication patterns and integrate with AWS Security Hub for centralized security monitoring.