Overview
Explore the security risks associated with misconfigured OpenID Connect (OIDC) authentication in cloud environments in this 17-minute conference talk from BSidesLV. Delve into the concept of "keyless authentication" supported by major cloud providers like AWS, Azure, and Google Cloud, and understand its popularity in CI/CD pipelines. Discover how easily misconfigured AWS IAM roles using keyless authentication can be exploited by unauthenticated attackers to retrieve cloud credentials and compromise entire environments. Learn from real-world examples, including a case study involving the UK government's AWS account. Gain insights on identifying vulnerable roles in your own environment and implementing higher-level guardrails to prevent human errors from escalating into data breaches. Presented by Christophe Tafani-Dereeper, this talk offers valuable knowledge for cloud security professionals and developers working with OIDC authentication.
Syllabus
Breaking Ground, Wed, Aug 7, 20:00 - Wed, Aug 7, CDT
Taught by
BSidesLV