When Ben Morris presented his findings in “More Keys than a Piano: Finding Secrets in Publicly Exposed EBS Volumes” back at DEF CON 27, he found all sorts of secrets and associated data—passwords, SSH private keys, TLS certificates, application source code, API keys, and anything else that might be stored on a server hard disk. Even more surprising, some of this sensitive information was found on “internal-only” resources that are hosted on AWS. So by searching exposed EBS volumes, an attacker can steal secrets from a server that isn’t even exposed to the internet!
To help identify these exposed EBS volumes and allow individuals and businesses to secure their secrets, the Bishop Fox team developed Dufflebag, an open source tool now available on GitHub. We waited until now to release this tool, to give affected parties time to secure their secrets.
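The defender-side counterpart to this finding is to check that none of your own account's snapshots carry the public `createVolumePermission` grant that lets any AWS account copy or mount them. The script below is an added example, not Dufflebag's code; the snapshot IDs and account ID are constructed placeholders, and the live `audit_account` path assumes `boto3` and read-only EC2 credentials.

```python
"""Audit helper: flag EBS snapshots whose createVolumePermission grants the
'all' group, i.e. snapshots anyone with an AWS account can mount as a volume."""


def is_public(attr_response):
    """True if a describe_snapshot_attribute(Attribute="createVolumePermission")
    response contains a Group grant of 'all' (AWS's 'public' setting)."""
    for perm in attr_response.get("CreateVolumePermissions", []):
        if perm.get("Group") == "all":
            return True
    return False


def audit(snapshots, attrs):
    """snapshots: DescribeSnapshots entries; attrs: SnapshotId -> attribute response.
    Returns a list of (SnapshotId, reason) findings for public snapshots."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        if is_public(attrs.get(sid, {})):
            findings.append((sid, "public createVolumePermission"))
    return findings


# Constructed sample data in the shape EC2 DescribeSnapshots and
# DescribeSnapshotAttribute return; IDs are placeholders, not real snapshots.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0PUBLIC000000001", "Description": "web-01 root volume"},
    {"SnapshotId": "snap-0PRIVATE00000002", "Description": "db nightly backup"},
    {"SnapshotId": "snap-0SHARED000000003", "Description": "shared with one account"},
]
SAMPLE_ATTRS = {
    "snap-0PUBLIC000000001": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0PRIVATE00000002": {"CreateVolumePermissions": []},
    # Sharing with a specific account ID is not public (placeholder account ID).
    "snap-0SHARED000000003": {"CreateVolumePermissions": [{"UserId": "111122223333"}]},
}


def audit_account(region="us-east-1"):
    """Live variant: run the same check against the caller's own snapshots."""
    import boto3  # assumed available; only needed for the live path
    ec2 = boto3.client("ec2", region_name=region)
    snaps = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])
    attrs = {s["SnapshotId"]: ec2.describe_snapshot_attribute(
        SnapshotId=s["SnapshotId"], Attribute="createVolumePermission") for s in snaps}
    return audit(snaps, attrs)


if __name__ == "__main__":
    for sid, reason in audit(SAMPLE_SNAPSHOTS, SAMPLE_ATTRS):
        print(sid, reason)
```

Run it per region, since snapshots are regional; any finding should be fixed with `modify_snapshot_attribute` (remove the `all` group) and the volume treated as compromised, with its secrets rotated.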