Overview

One large cooperative bank is tackling modern cloud security challenges head-on through a comprehensive digital transformation, migrating workloads from on-premises data centers to AWS. The bank is reinventing its digital and customer experiences through innovative new services, while enabling its remote workforce to securely and efficiently access private applications.

During this transition, the bank experienced a security incident involving a Server-Side Request Forgery (SSRF) attack in its AWS environment. The breach highlighted the risks of cloud-native architectures when combined with misconfigurations and legacy service settings. To contain the incident and strengthen their security posture, the bank engaged the Fortinet Incident Response (IR) Team, which conducted a full investigation using the Fortinet FortiCNAPP platform and delivered a comprehensive cloud security remediation plan.

Incident Summary

• Attack Vector: SSRF vulnerability in a public-facing web application
• Impact: Exposure of AWS IAM role credentials
• Initial Entry Point: Application accessed via public IP
• Detection: Unusual activity captured via AWS CloudTrail and anomaly detection alerts from FortiCNAPP

Key Findings

Through the integrated capabilities of Fortinet Lacework FortiCNAPP and AWS CloudTrail, the Fortinet IR team identified several misconfigurations that had contributed to the attack’s success:

1. Lack of IMDSv2 Enforcement

The EC2 instances running the compromised application were configured to use the legacy Instance Metadata Service v1 (IMDSv1), which lacks protections against SSRF attacks. This allowed the attacker to retrieve credentials from the metadata endpoint.

2. Over-permissive IAM Role

The compromised IAM role assigned to the affected service had broad permissions, violating the principle of least privilege. FortiCNAPP’s behavioral analytics and audit trail correlation helped pinpoint risky activity performed using the stolen credentials.

3. Public Exposure of Applications and APIs

The flawed application was publicly accessible via an AWS Application Load Balancer, but no Web Application Firewall (WAF) was enabled at the time of the incident. This lack of protection left the application vulnerable to SSRF attacks.

Response and Remediation

The Fortinet IR team coordinated a multi-phased incident response:

1. Enabled WAF Protection:
• Fortinet IR team engaged and enabled WAF with managed Fortinet rules enables to protect customer application against OWAST top 10 vulnerabilities.
• Ensured all public APIs were accessed through the Application LoadBalancer with Fortinet WAF rules for deeper inspection and protection.
2. IMDSv2 Enforcement
• Updated EC2 launch templates to enforce IMDSv2, blocking metadata exposure to SSRF.
3. Visibility & Monitoring
• Activated Lacework FortiCNAPP continuous monitoring to track lateral movement, anomalous behavior, and misconfiguration drift.
4. Security Posture Review
• Delivered a comprehensive posture assessment report highlighting gaps, attack chain reconstruction, and long-term recommendations for AWS security hardening.

The Fortinet Difference

Fortinet’s rapid response, powered by its integrated cloud security solutions and FortiGuard Threat Intelligence, played a decisive role in helping the customer contain and recover from the SSRF attack. The unique combination of real-time threat detection, deep cloud-native visibility, and automated response allowed the customer to:

• Contain the breach quickly and prevent further credential misuse
• Leverage Lacework FortiCNAPP and FortiGuard Threat Intelligence to identify and block malicious activity in AWS.
• Assurance of AWS environment configuration by enforcing best practices such as IMDSv2 and least privilege access

• Improve cloud governance and threat detection through continuous monitoring with Lacework FortiCNAPP platform.
• Develop robust playbooks and response strategies, reducing the time to detect and respond to future threats.