added more details

Enumeration/AWS.md

@@ -60,6 +60,7 @@ aws sts get-access-key-info --access-key <AKIAkey>
 The IAM is not necessarily used by S3. AK/SK is sufficient for authentication
 and authorization.
 
+* AWS got [unique ID prefixes](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes)
 * An AWS unqiue Account ID has a length of 12 digits.
 * Longterm Access key ID, starts with `AKIA` + 20 chars
 * Secret access key (SK)
@@ -241,6 +242,13 @@ Find account ID to an access key
 aws sts get-access-key-info --access-key-id AKIAEXAMPLE
 ```
 
+List the (current) user details
+
+```sh
+aws sts get-caller-identity
+aws sts --profile <username> get-caller-identity
+```
+
 Find username to an access key
 
 ```sh
@@ -259,6 +267,24 @@ In another region
 aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
 ```
 
+Create a user via cloudshell.
+
+```sh
+aws iam create-user --user-name <username>
+```
+
+Add a user to a group via cloudshell.
+
+```sh
+aws iam add-user-to-group --user-name <username> --group-name <groupname>
+```
+
+List groups for a user using aws cli. GroupIds begin with `AGPA`.
+
+```sh
+aws iam list-groups-for-user --user-name padawan
+```
+
 ### Credentials
 
 User credentials are called profiles on the webUI and console
@@ -306,6 +332,8 @@ aws iam update-access-key --access-key-id <AKIAkey>
 aws iam delete-access-key --access-key-id <AKIAkey>
 ```
 
+### Shortterm Session Keys (STS)
+
 Session keys are short term, they expire. A session key start
 with `ASIA`.
 
@@ -339,6 +367,38 @@ The session token can be found via the cloudshell through the use of curl.
 curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI
 ```
 
+#### Assume Roles through STS
+
+A an attack vector, a user can assume a role of higher privileges through the STS. This might happen through a policy bound to a group the user is a member of. 
+
+You need an ARN of the role you want to assume
+
+```sh
+arn:aws:iam::<ACCOUNT_ID>:role/<rolename>
+```
+
+A role session name from the CloudTrail logs is needed, somone who has got the role we want to assume.
+
+Use aws cli to assume the role.
+
+```sh
+aws --profile <lowprivuser> sts assume-role --role-arn arn:aws:iam::<ACCOUNT_ID>:role/<rolename> --role-session-name <highprivuserthathastherole>
+```
+
+This result of this is to get the `AccessKeyId`, `SecretAccessKey` and `SessionToken` of the user to complete the three needed variables for aquiring the high privilege.
+
+```sh
+export AWS_SECRET_ACCESS_KEY=<HighPrivUserSK>
+export AWS_ACCESS_KEY_ID=<HighPrivUserAK>
+export AWS_SESSION_TOKEN=<SessionToken>
+```
+
+Check the current identity after setting the variables via aws cli.
+
+```sh
+aws sts get-caller-identity
+```
+
 ### Secrets
 
 Use the secrets manager via
@@ -456,14 +516,71 @@ aws_session_token = TQijaZw==
 ### Simple Storage Service (S3)
 
 [S3](https://aws.amazon.com/s3/) is an object storage without volume limits.
-The names of buckets are unique and the namespace of buckets is global but they
+
-are stored regionally.
+A nested directory structure in a bucket is possible,
+but pseudo file system for organizing files.
+
+The names of buckets are unique and the namespace of
+buckets is global but they are stored regionally.
+
+Versioning of files is possible. Files will not be
+overwritten by updated versions. Files are enrypted by
+default.
 
  Methods of access control are as follows
 1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
 2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
 
-The aws cli scheme is
+#### S3 Policies
+
+Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`.
+
+There are identity based and resource based policies for s3 buckets.
+If global access or read is set, a resource based
+policy access to the objects is available in general of everyone, unauthenticated.
+
+```json
+{
+  [...]
+  "Effect": "Allow",
+  "Principal": "*",
+  "Action": [
+    "s3:GetObject",
+    "s3:PutObject"
+    ],
+  [...]
+}
+```
+
+Check which policies are set
+
+```sh
+aws s3api get-bucket-policy-status --bucket <bucketname>
+aws s3api get-bucket-ownership-controls --bucket <bucketname>
+```
+
+#### ACL
+
+Existed since before AWS IAM. The ACL is generated for
+every bucket created. Resource owner gets full
+permissions. ACL can be extended through principals'
+[canonical
+userID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html)
+and services which are allowed or forbidden to access
+the bucket.
+
+__Attack vector__: The group `Any Authenticated AWS
+User` can be set as permissions for a group of every
+authenticated AWS user.
+
+If the ACL is set to
+
+* `Anyone`, just `curl`
+* `AuthenticatedUsers`, `s3` cli with aws key
+
+#### Scheme
+
+The aws cli scheme for s3 is the following.
 
 ```sh
 http://<bucketname>.s3.amazonaws.com/file.name
@@ -477,10 +594,9 @@ http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
 
 #### Check Permissions of a bucket
 
-Do a `PUT` method to see if the bucket may be writeable to upload a file via
+Use a `PUT` method to see if the bucket may be writeable to upload a file via
 
-```sh
+```sh curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
-curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
 ```
 
 #### List content of public bucket via
@@ -495,21 +611,6 @@ Download via `curl`, `wget` or `s3` cli via
 aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
 ```
 
-#### S3 Policies
-
-Check which policies are set
-
-```sh
-aws s3api get-bucket-policy-status --bucket <bucketname>
-aws s3api get-bucket-ownership-controls --bucket <bucketname>
-```
-
-#### ACL
-
-If the ACL is set to
-
-* `Anyone`, just `curl`
-* `AuthenticatedUsers`, `s3` cli with aws key
 
 ### Lambda
 
@@ -529,3 +630,39 @@ aws lambda get-policy \
 --output text \
 | jq .
 ```
+
+### CloudFront
+
+CloudFront is a Content Delivery Network(CDN), which stores static data on Edge
+Locations, closer to the customer for performance improvements.
+
+Geo-fences can be placed to access the content. Can also use authorization
+based requests,encryption of data is possible.
+
+A Web Application Firewall (WAF) as well as Distributed Denial of Service
+(DDoS) prevention can be configured for CloudFront instances.
+
+#### CloudFront Hosts
+
+An "origin" of a CloudFront instance can be resources like EC2, ELBs or S3 buckets.
+Origin Access Identities (OAIs), which are resourced based policies for the
+resources or "origins" of a CloudFront instance, need to be set the owner.
+For an attack to take place, information about the DNS records of a domain is
+needed, to find probable CloudFront resources.
+
+Use dig or drill or nslookup to list IP addresses of a (sub-)domain where
+assets are hosted, potentially. Do A reverse lookup to get the aws domains of
+the resources behind the IP addresses.
+
+```sh
+drill assets.example.com
+drill <$IP_ADDRESS> -x
+
+```
+
+How to find a potentially interesting CloudFront assets domain
+
+* Enumerate subdomains of a website
+* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian
+* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder)
+* Search for certificate details