From 45f98dc1d95d63c8a069dea9cbe899ae625a7910 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Tue, 13 Feb 2024 23:20:07 +0100 Subject: [PATCH] added details --- Enumeration/AWS.md | 146 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 134 insertions(+), 12 deletions(-) diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 1d40409..6a99bb5 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -49,14 +49,19 @@ roles to gain permissions. A `*` represents every principal. Set the `*` to make an instance of a service public through the Internet. +Identify an unknown accountname by using an access key + +```sh +aws sts get-access-key-info --access-key +``` The IAM is not necessarily used by S3. AK/SK is sufficient for authentication and authorization. * An AWS unqiue Account ID has a length of 12 digits. -* Access key ID, starts with `AKIA` + 20 chars +* Longterm Access key ID, starts with `AKIA` + 20 chars * Secret access key (SK) -* Session token, `ASIA` + sessionToken +* Shortterm Session token, `ASIA` + sessionToken * AWS Organizations control accounts who joined * Third party identity providers are supported * IAM identity center of an organization allows provision of accounts from third parties through the AWS SSO 
@@ -83,11 +88,15 @@ the account the vulnerable root belongs to is part of an AWS Organization. If the email address is also linked to an Amazon retail account and it is shared between people, everyone has full root access. -### (User) Policies +### Principal, Resource & Service Policies Policies are an authorization measurement. After authentication of a user (or principal) policies of the account are checked if the request is allowed. -A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). There are resource and identity based policies. +A policy may also be attached to a resource or (in an organization) a service. +Policy evaluation can be found in +the [AWS +docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). +There are resource and identity based policies. ```sh aws iam get-policy --policy-arn 
@@ -108,13 +117,27 @@ aws iam get-policy --policy-arn } ``` -Policy enforcement is done via the `Effect` keys and either has `allow` or `deny` keys set in the JSON object. Deny is default. +Policy enforcement is done via the `Effect` keys and either has `allow` or +`deny` keys set in the JSON object. Deny is default. -The `Action` keyword contains a Service and an API keyword on on that service in the scheme `:`. +The `Action` keyword contains a Service and an API keyword on on that service +in the scheme `:`. The Resource key contains the ARN of the resource the policy is set for. -The `Principal` key is only set for resource policies and contains the principal who is able to act on the resource. For example a `*` value allows public access. +The `Principal` key is only set for resource policies and contains the +principal who is able to act on the resource. For example a `*` value allows +public access. + +[Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) can be used to set conditions [using key value pairs inside policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) +```json +"Condition": { + "IPAddressIfExists": {"aws:SourceIp": ["xxx"] }, + "StringEqualsIfExists": {"aws:sourceVpc": ["yyy"]} + } +``` + +Principals, resources and actions can also be excluded specifically through `NotPrincipal`, `NotResource` and `NotAction`. The following graph is taken from the documentation, it shows the evaluation logic inside an account 
@@ -126,8 +149,14 @@ A principal can have multiple policies attached. Policies like `assume-role` and `switch-role` can lead to the gain of roles with higher permissions -A `*` inside a policy represents every principal. Set the `*` to make an instance of a service -public through the Internet. +A `*` inside a "Principal" value represents every principal. Set the `*` to make an instance of a service +public through the Internet like this + +```json +"Principal": { + "AWS": "*" +} +``` Administrator access policies can be queried to see who has elevated permissions. @@ -195,7 +224,7 @@ Find username to an access key aws sts get-caller-identity --profile PROFILENAME ``` -Listing EC2 instances of an account +List EC2 instances of an account ```sh aws ec2 describe-instances --output text --profile PROFILENAME 
@@ -207,12 +236,88 @@ In another region aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME ``` +### Credentials + +User credentials are called profiles on the webUI and console +Password is used by the aws cli tool and queried APIs. + +Create a user password via aws cli + +```sh +aws iam create-login-profile --user --password +``` + +Change the password using the aws cli + +```sh +aws iam update-login-profile --user --password +``` + +Take a look at the password policy via aws cli + +```sh +aws iam get-account-password-policy +``` + +### API Access Keys + +Longterm, non-expiring Access key ID start with `AKIA` + 20 chars + +List the access keys via aws cli. + +```sh +aws iam list-access-keys +``` + +Create an access key via the aws cli. + +```sh +aws iam create-access-key --user-name +``` + +Disable, enable or delete an access key via the aws cli + +```sh +aws iam update-access-key --access-key-id +aws iam update-access-key --access-key-id +aws iam delete-access-key --access-key-id +``` + +Session keys are short term, they expire. A session key start +with `ASIA`. + +These are generated by the Security Token Service. + +Use aws cli to create a session token through STS. + +```sh +aws sts get-session-token +``` + +Token can be applied to a user as a second factor. If the user is provided by another +federated entity through idP the MFA needs to be provided +through this solution. + +List users with MFA enabled via aws cli. + +```sh +aws iam list-virtual-mfa-devices +``` + +You can get the username of an account through the STS service using the access-key + +```sh +aws sts get-access-key-info --access-key-id +``` + ### Secrets +Use the secrets manager via + ```sh aws secretsmanager help aws secretsmanager list-secrets -ws secretsmanager get-secret-value --secret-id --region +aws secretsmanager get-secret-value --secret-id --region ``` ### Amazon Resource Name (ARN) 
@@ -346,8 +451,10 @@ aws s3 cp s3:///foo_public.xml . --no-sign-request #### S3 Policies +Check which policies are set ```sh -aws s3api get-bucket-policy --bucket --query Policy --output text +aws s3api get-bucket-policy-status --bucket +aws s3api get-bucket-ownership-controls --bucket ``` #### ACL @@ -356,3 +463,18 @@ If the ACL is set to * `Anyone`, just `curl` * `AuthenticatedUsers`, `s3` cli with aws key + +### Lambda + + +Execute a lambda function + +```sh +aws lambda invoke --function-name arn:aws:lambda:::function: +``` + +List policies + +```sh +aws lambda get-policy --function-name arn:aws:lambda:::function: --query Policy --output text | jq . +```
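Review bot: in the hunk at `@@ -49,14`, the added command `aws sts get-access-key-info --access-key` uses a parameter that does not match the same command as added later in this patch (`--access-key-id` under `### API Access Keys`); the parameter is `--access-key-id`, and since the command is now added twice, drop this copy and keep the later one. The same hunk also relabels `ASIA` as "Shortterm Session token": `ASIA` is the prefix of a temporary access key ID issued by STS, while the session token is a separate opaque value that travels alongside it, so suggest `Shortterm (STS) access key ID, starts with ASIA, used together with a session token`. While this list is being edited, the unchanged context line still reads `unqiue`.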
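Review bot: in the hunk at `@@ -83,11`, the new heading `### Principal, Resource & Service Policies` and the sentence "attached to a resource or (in an organization) a service" are misleading: service control policies are AWS Organizations policies attached to the organization root, an OU or a member account, not to a service. Suggest "or, within an AWS Organization, a service control policy attached to the root, an OU or an account". The kept sentence "There are resource and identity based policies" then lists two categories under a heading that names three; either mention SCPs there too or fold the remark into that sentence.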
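Review bot: in the hunk at `@@ -108,13`, the reflowed sentence "done via the `Effect` keys and either has `allow` or `deny` keys set" mislabels values as keys: `Effect` is the key and its value is `Allow` or `Deny` (capitalised in policy JSON). The new `Condition` example would be clearer with one sentence on why `...IfExists` is used: the test passes when the key is absent from the request, which is what lets `aws:SourceIp` (absent for requests arriving via a VPC endpoint) and `aws:sourceVpc` (absent for requests from the Internet) sit in the same block without locking everyone out. Also replace the `"xxx"` placeholder with a CIDR-shaped value such as `203.0.113.0/24`, since `IpAddress` operators expect one.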
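Review bot: in the hunk at `@@ -126,8`, "public through the Internet like this" followed only by `"Principal": {"AWS": "*"}` overstates the fragment: a resource becomes public only when the statement also carries `"Effect": "Allow"` and the `Action` and `Resource` elements described in the previous hunk. Either show the complete statement or reword to "the `Principal` element of such a statement looks like this". The unchanged context line "Policies like `assume-role` and `switch-role`" names actions (`sts:AssumeRole`), not policies; worth correcting while this paragraph is being touched.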
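Review bot: in the hunk at `@@ -207,12`, the opening of `### Credentials` has the two credential types inverted: a password (the login profile that `create-login-profile` creates) is the console sign-in credential, while the CLI and the APIs use access keys, and "profile" in `--profile PROFILENAME` (used in the context lines above) is a named credential set in the CLI config, not a web UI term. Further points in the same hunk: `create-login-profile --user` and `update-login-profile --user` should be `--user-name`, as the hunk itself uses for `create-access-key`; the three `update-access-key` lines are identical although the prose promises disable and enable, so add `--status Inactive` and `--status Active` to the first two, and note that `list-access-keys` lists the caller's own keys unless `--user-name` is given; "A session key start with `ASIA`" should say that `get-session-token` returns a temporary access key ID starting with `ASIA` plus a separate `SessionToken`; "Token can be applied to a user as a second factor" conflates the session token with an MFA code, the MFA code is passed to `get-session-token` via `--serial-number` and `--token-code`; `list-virtual-mfa-devices` lists virtual MFA devices (add `--assignment-status Assigned`), not users, and does not show hardware tokens; and the closing `get-access-key-info` paragraph duplicates the hunk at `@@ -49` and, contrary to its text, returns the account ID, not a username, whereas `get-caller-identity` in the context lines returns the caller's ARN.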
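Review bot: in the hunk at `@@ -346,8`, the removed line `aws s3api get-bucket-policy --bucket --query Policy --output text` was the command that actually prints the bucket policy; the two replacements only report whether the policy makes the bucket public (`get-bucket-policy-status`, field `PolicyStatus.IsPublic`) and the object ownership setting (`get-bucket-ownership-controls`), so the new lead-in "Check which policies are set" no longer matches the commands. Keep `get-bucket-policy` and add the two new commands under their own sentence, for example "Check whether the policy makes the bucket public and whether ACLs are still in effect". Both calls require bucket-level permissions, so unlike the `--no-sign-request` download in the context line above they will not work anonymously; a short remark would save readers a confusing `AccessDenied`.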
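Review bot: in the hunk at `@@ -356,3`, `aws lambda invoke --function-name ...` is missing the required positional `outfile` argument (for example `/dev/stdout` or `out.json`) and the CLI rejects the command as written; `--payload` is also worth mentioning for functions that expect input. The heading sentence "List policies" above `get-policy` is inaccurate: `get-policy` returns the function's single resource-based policy, i.e. which principals may invoke it, so "Show the resource policy of a function" would describe the command.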