> it's possible a WAF issue allowed the remote attacker to query the internal endpoint from an external source
But then it's literally a configuration issue, right? WAF is just Rule -> Block/Allow. It doesn't proxy traffic or anything, it just attaches to a load balancer, API Gateway or CloudFront.
More puzzling, what is the WAF-Role they're talking about? WAF doesn't use IAM roles, so is this just a role they used to configure the WAF (and also had S3 permissions?)
Yeah, that part is confusing. Since I posted the above a few more details came out, but it seems like the WAF may have been involved because it wasn't configured to block requests to the IAM instance metadata endpoint, which would have allowed the attacker to operate in the scope of the instance, which seems to have had the S3 permissions. But again, entirely conjecture on my part at this point.
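As an added illustration (not code from the thread or from AWS), here is a Python sketch of the kind of Rule -> Block/Allow check the comments describe: it percent-decodes the request fields a WAF would inspect and blocks any that reference the instance metadata endpoint. The request dict shape and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Well-known IPv4 address of the EC2 instance metadata service (IMDS).
IMDS_IPV4 = "169.254.169.254"
# Path prefix every IMDS lookup goes through.
IMDS_PATH = "/latest/meta-data"

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def percent_decode(value: str, rounds: int = 3) -> str:
    """Peel up to `rounds` layers of percent-encoding; stop once stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def references_imds(text: str) -> bool:
    """True if the decoded text names the IMDS address or its path."""
    decoded = percent_decode(text).lower()
    if IMDS_PATH in decoded:
        return True
    return any(ip == IMDS_IPV4 for ip in _IPV4.findall(decoded))


def waf_rule(request: dict) -> str:
    """Mimic a Rule -> Block/Allow decision over the parts a WAF inspects.

    `request` is a constructed dict with a path, a query string and
    selected headers; any inspected field referencing IMDS gives BLOCK.
    """
    inspected = [request.get("path", ""), request.get("query", "")]
    inspected += request.get("headers", {}).values()
    return "BLOCK" if any(references_imds(f) for f in inspected) else "ALLOW"


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    {"path": "/api/fetch", "query": "url=https://example.com/report"},
    {"path": "/api/fetch", "query": "url=http://169.254.169.254/latest/meta-data/"},
    {"path": "/api/fetch", "query": "url=http%3A%2F%2F169%252E254%252E169%252E254%2F"},
    {"path": "/healthz", "query": "", "headers": {"Referer": "http://169.254.169.254/latest/"}},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(waf_rule(s), s["path"], s.get("query", ""))
```

A rule like this only narrows one SSRF path at the edge; limiting the instance role's permissions and requiring IMDSv2 session tokens are the more robust controls.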