diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 6a99bb5..76f3a33 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -2,15 +2,17 @@ ## Regions -[A list of services by region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) is maintained by AWS +[A list of services by +region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) +is maintained by AWS There are global and regional services. Watch out for the global and regional __Security Token Service__ (STS) which provides temporary access to third party identities, since regional STS are also valid in other regions. Global STS are only valid in default regions. -In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region` - +In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) got +the cli argument `--region` ## Identity Access Management (IAM) @@ -27,14 +29,14 @@ aws iam list-users Users can be put into groups instead of direct role assignment, to specify permissions for a collection of users. - ```sh aws iam list-groups ``` Roles can be assumed by other trusted users through policies. Assumed roles are -needed, so that aws support has access to some resources or external identity Provider (idP) is -connected to AWS SSO as a part of federated access. E.g. the Role for support is `AWSServiceRoleForSupport`. +needed, so that aws support has access to some resources or external identity +Provider (idP) is connected to AWS SSO as a part of federated access. E.g. the +Role for support is `AWSServiceRoleForSupport`. ```sh aws iam list-roles 
@@ -121,7 +123,9 @@ Policy enforcement is done via the `Effect` keys and either has `allow` or `deny` keys set in the JSON object. Deny is default. The `Action` keyword contains a Service and an API keyword on on that service -in the scheme `:`. +in the scheme `:`, e.g. +`"Action":["ec2:Get*","ec2:Describe*", "s3:*"]`. See the [Service Authorization +Docs](https://docs.aws.amazon.com/service-authorization/latest/reference/) The Resource key contains the ARN of the resource the policy is set for. @@ -129,7 +133,10 @@ The `Principal` key is only set for resource policies and contains the principal who is able to act on the resource. For example a `*` value allows public access. -[Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) can be used to set conditions [using key value pairs inside policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) +[Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) +can be used to set conditions [using key value pairs inside +policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) + ```json "Condition": { "IPAddressIfExists": {"aws:SourceIp": ["xxx"] }, @@ -137,7 +144,8 @@ public access. } ``` -Principals, resources and actions can also be excluded specifically through `NotPrincipal`, `NotResource` and `NotAction`. +Principals, resources and actions can also be excluded specifically through +`NotPrincipal`, `NotResource` and `NotAction`. The following graph is taken from the documentation, it shows the evaluation logic inside an account 
@@ -149,8 +157,8 @@ A principal can have multiple policies attached. Policies like `assume-role` and `switch-role` can lead to the gain of roles with higher permissions -A `*` inside a "Principal" value represents every principal. Set the `*` to make an instance of a service -public through the Internet like this +A `*` inside a "Principal" value represents every principal. Set the `*` to +make an instance of a service public through the Internet like this following rule. ```json "Principal": { @@ -165,6 +173,21 @@ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1 ``` +The `AdministratorAccess` policy looks like this + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] +} +``` + ### AWS Organizations An organization is a tree structure, made out of a single root account and @@ -310,6 +333,12 @@ You can get the username of an account through the STS service using the access- aws sts get-access-key-info --access-key-id ``` +The session token can be found via the cloudshell through the use of curl. + +```sh +curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI +``` + ### Secrets Use the secrets manager via 
@@ -337,6 +366,17 @@ An [action on an API](https://docs.aws.amazon.com/service-authorization-/latest/reference/reference_policies_actions-resources-contextkeys.html) of a service is structured like `:`. +Session tokens can also be created for services for temporary access of +resources. This can be done through metadata service on an EC2 instance. The +session token and AK/SK are also visible in the environment variables of AWS +Lambda. + +The session token can be found via the cloudshell through the use of curl. + +```sh +curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI +``` + ### Virtual Private Cloud (VPC) Is a logic network segementation method using its own IP address range. @@ -362,10 +402,16 @@ and 169.254.169.251. The instance (Openstack) Metadata service can be found under 169.254.169.254. It can be used to gain information about the EC2 via a GET request to -http://169.254.169.254/latest/meta-data . +`http://169.254.169.254/latest/meta-data`. The task metadata service can be found at 169.254.170.2 and is used for the -Elastic Container Service (ECS). +[Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) + +From inside a container curl can be used to get the credentials + +```sh +curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI +``` The instance metadata service has been used for information disclosure of security credentials before. @@ -452,6 +498,7 @@ aws s3 cp s3:///foo_public.xml . --no-sign-request #### S3 Policies Check which policies are set + ```sh aws s3api get-bucket-policy-status --bucket aws s3api get-bucket-ownership-controls --bucket 
@@ -466,15 +513,19 @@ If the ACL is set to ### Lambda - -Execute a lambda function +Execute a lambda function via aws cli. ```sh -aws lambda invoke --function-name arn:aws:lambda:::function: +aws lambda invoke \ +--function-name arn:aws:lambda:::function: ``` List policies ```sh -aws lambda get-policy --function-name arn:aws:lambda:::function: --query Policy --output text | jq . +aws lambda get-policy \ +--function-name arn:aws:lambda:::function: \ +--query Policy \ +--output text \ +| jq . ```
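Review bot: in the `@@ -2,15 +2,17 @@` hunk the rewrapped sentence still does not parse: `In aws cli, [Regions](...) got the cli argument `--region``. Suggest `In the aws cli the region is selected with the `--region` argument`. The link anchor `#concepts-available-segions` in that line also looks misspelled (`segions`); check that it resolves.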
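Review bot: in the `@@ -27,14 +29,14 @@` hunk the reflowed sentence keeps inconsistent casing: `aws support` and `external identity Provider (idP)`. Suggest `AWS Support` and `external identity provider (IdP)`, and `so that AWS Support has access to some resources or an external identity provider (IdP) is connected` to fix the missing article.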
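Review bot: in the `@@ -121,7 +123,9 @@` hunk the new example mixes spacing (`"ec2:Get*","ec2:Describe*", "s3:*"`) and the sentence ending at `Docs](...)` has no period. Since this is a reference page, it is worth saying in the same sentence that `ec2:Describe*` and `s3:*` are wildcards that expand to every matching API action, which is exactly what a least-privilege review of a policy looks for; `s3:*` in particular grants every S3 action.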
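Review bot: in the `@@ -129,7 +133,10 @@` hunk the condition block directly below the new link uses `IPAddressIfExists`, while the linked operator reference documents the operator as `IpAddressIfExists`. Matching the documented spelling avoids readers copying a name that does not appear in the docs they are sent to.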
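Review bot: in the `@@ -149,8 +157,8 @@` hunk the rewrapped sentence now ends `public through the Internet like this following rule.`; suggest `like the following rule`. It would also help to say that a `*` principal is almost never what a resource policy should contain and is the first thing to look for when reviewing bucket or queue policies, which is consistent with the `public access` remark a few lines earlier.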
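Review bot: in the `@@ -310,6 +333,12 @@` hunk the curl command sends the token in `X-aws-ec2-metadata-token`, which is the IMDSv2 header for the instance metadata service at 169.254.169.254. The endpoint in `$AWS_CONTAINER_CREDENTIALS_FULL_URI` is the container credentials provider, and the SDKs pass `AWS_CONTAINER_AUTHORIZATION_TOKEN` to it in the `Authorization` header, so the command as written mixes two different mechanisms; suggest `curl -H "Authorization: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI`. Also `cloudshell` should be `CloudShell`.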
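Review bot: in the `@@ -337,6 +366,17 @@` hunk the paragraph `The session token can be found via the cloudshell through the use of curl.` and the curl block are a verbatim copy of the ones added in the `@@ -310,6 +333,12 @@` hunk; keep a single copy (this location, right after the explanation of session tokens, is the natural one) and drop the other. Grammar in the new paragraph: `temporary access to resources` and `through the metadata service on an EC2 instance`.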
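Review bot: in the `@@ -362,10 +402,16 @@` hunk the sentence ending at `(ECS)](...)` and the lead-in `From inside a container curl can be used to get the credentials` both lack a closing period. More importantly, the unauthenticated GET to `http://169.254.169.254/latest/meta-data` two lines above only works while IMDSv1 is permitted; with IMDSv2 enforced a session token has to be requested first and sent in `X-aws-ec2-metadata-token`, which is the mitigation for the information disclosure the paragraph below refers to and deserves a sentence here.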
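Review bot: in the `@@ -466,15 +513,19 @@` hunk `aws lambda invoke` requires the positional `outfile` argument for the response payload, so the command fails as written; suggest `aws lambda invoke \` / `  --function-name arn:aws:lambda:::function: \` / `  response.json`. Style: the backslash continuation lines in both blocks should be indented so the reader can see they belong to the preceding command.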