Next, we will want to check out the values under "Outputs" when we described the CloudFormation stacks earlier. We are looking at something essentially the same as what was in "Parameters", but these values are ones that were generated during the creation of the stack. Again, we want to look for sensitive information. There may not be any output values for some stacks, so there won't be anything to look at for this part of the demo if that is the case you have run into. In our demo, this is what showed up under the Outputs section of our stack when describing it:
"Outputs": [
{
"OutputKey": "WebsiteURL",
"OutputValue": "http://ec2-34-221-86-204.us-west-2.compute.amazonaws.com",
"Description": "URL for newly created LAMP stack"
}
]
As we can see, there isn't anything too sensitive in here, but it does give us the public endpoint of an EC2 instance that was likely created during the creation of the stack. Given the "SSHLocation" parameter being set to 0.0.0.0/0, we should likely find an open SSH port (22) on this server. We can use nmap to run a service scan to (-sV) verify this:
We have verified that there is an open SSH port on that server, like we expected. Just by looking at the output values of this CloudFormation stack, we were able to identify the public endpoint of this EC2 instance, which has port 22 open, running an SSH server.
It is possible for the output values to include sensitive information, such as credentials or API keys. An example of this might be when a template needs to create a new IAM user along with a set of access keys for that user. Those access keys would then likely be shown in the output values of the stack, as there needs to be some way for a user to access them after creating the stack (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-accesskey). Those keys might be able to grant us further access to the environment in hopes of escalating privileges higher than we already have.