Exploiting the Cloud Control Plane for Fun and Profit

TL;DR

This paper demonstrates how the AWS Lambda control plane can be exploited to implement stateful services at little to no cost, challenging the assumption that management interfaces are free and highlighting potential provider losses.

Contribution

It reveals vulnerabilities in cloud control plane management interfaces, showing how they can be exploited to reduce costs or cause provider losses, and discusses the implications for cloud service economics.

Findings

Stateful services can be implemented for free using AWS Lambda control plane.

Exploitation can lead to significant monetary loss for cloud providers.

The paper analyzes the consistency model of AWS Lambda.

Abstract

Cloud providers typically charge for their services. There are diverse pricing models which often follow a pay-per-use paradigm. The consumers' payments are expected to cover all cost which incurs to the provider for processing, storage, bandwidth, data centre operation and engineering efforts, among others. In contrast, the consumer management interfaces are free of charge as they are expected to cause only a minority of the load compared to the actual computing services. With new service models and more complex and powerful management abilities, it is time to rethink this decision. The paper shows how to exploit the control plane of AWS Lambda to implement stateful services practically for free and under some circumstances even guaranteed for free which if widely deployed would cause a monetary loss for the provider. It also elaborates on the consistency model for AWS Lambda.