From 7f942bbffdf2baa007eae61947bc74004aa89c1d Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Fri, 23 Feb 2024 23:34:21 +0100 Subject: [PATCH] added details for KMS, ACM and Route53 --- Enumeration/AWS.md | 101 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 6af5d8a..0f0906b 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -833,6 +833,11 @@ aws s3 cp s3:///foo_public.xml . --no-sign-request ### Lambda +Lambda is a serverless, event-driven compute service offered by AWS. Means, you +don't need a backend to a function you want to provider. A Lambda function +has its own container deployed. +A Lambda function can for 15 minutes at max. + Execute a lambda function via aws cli. ```sh 
@@ -1187,9 +1192,105 @@ aws elbv2 describe-load-balancers --query Loadbalancers[].DNSName --output text Create encryption keys to be used on AWS services through their API. Encryption of storage can also be done through KMS keys. +A KMS key created in one account can be used in a second account as well. +This means an attacker with sufficient privileges is able to (theoretically) +lock you out of data encrypted with a key from another account. This can be +mitigated through e.g. Object Versioning of an S3 bucket or MFA Delete. + +Every KMS key has a (resource based) key policy attached to it. Therein is the +`Prinicpal` key-value set to permit access to the key. If +`arn:aws:iam:::root` is set as Principal, every principal inside the +account is able to use the key. + +An identity based policy can also be set, where the KMS key is mentioned in the +`Resource` list. + +##### Create a KMS Key + +Create a KMS key using aws cli. + +```sh +aws kms create-key +``` + +##### Create a Data Key + +Use the created KMS key to create a data key via aws cli. + +```sh +aws kms generate-data-key --key-id --number-of-bytes 32 +``` + #### Amazon Certificate Manger (ACM) Manage certificate so 2e2 encryption through TLS which are then used for other AWS services. +##### Create an ACM TLS Certificate + +Request a TLS certificate for a (sub-)domain via aws cli. + +```sh +aws acm request-certificate --domain-name .example.org --validation-method DNS +``` + +##### Describe a Certificate + +Details about a certificate can be queried via aws cli. + +```sh +aws acm desribe-certificate --certificate-arn +``` + #### DNS & Route53 + +List hosted DNS zone in an account via aws cli. + +```sh +aws route53 list-hosted-zones +``` + +##### Register a Domain via Certificate through Route53 + +A subdomain can be useful for regular users and an attacker alike. + +Create a file named `create_record.json` containing certificate details from the aws acm desription. 
+ +```json +{ + "Comment": "subdomain.example.com record" + "Changes": [ + { + "Action": "CREATE", + "ResourceRecordSet": + { + "Name": "", + "Type": "CNAME", + "TTL": 300, + "ResourceRecords": [ + { + "Value": " --change-batch file://create_record.json +``` + +Check the status of the created record using the `ChangeInfo` ID from the last +step via aws cli. The final status needs to be "INSYNC" + +```sh +aws route53 get-change --id +``` + +Describe the certificate to see the details via aws cli, like mentioned in the +ACM chapter above. +
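Review bot: The Lambda paragraph added in the first hunk (`@@ -833,6 +833,11 @@`) has a dropped word and two garbled sentences that a reader of the enumeration notes will trip over: "Means, you don't need a backend to a function you want to provider" reads better as "This means you do not need to manage a backend for a function you want to provide", and "A Lambda function can for 15 minutes at max." is missing its verb and should say "A Lambda function can run for 15 minutes at most." The surrounding existing text ("Execute a lambda function via aws cli.") is fine as is.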
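Review bot: The Route53 change batch at the end of the second hunk (`@@ -1187,9 +1192,105 @@`) is not valid JSON and is truncated: the line `"Comment": "subdomain.example.com record"` needs a trailing comma before `"Changes"`, and the `"Value": "` entry runs straight into `--change-batch file://create_record.json`, so the closing braces of the record set and the beginning of the command that consumes the file (in the AWS CLI that is `aws route53 change-resource-record-sets --hosted-zone-id <zone-id>`) are missing; please restore them so the snippet can be copied. The same truncation shows up wherever an angle-bracket placeholder was used: `arn:aws:iam:::root` has lost the account id, and `--key-id `, `--certificate-arn `, `.example.org` and `"Name": ""` are left empty, which suggests the placeholders were stripped as HTML tags; use a form that survives rendering, e.g. `ACCOUNT_ID` or `<account-id>` inside a code span. Several identifiers are also misspelled and one is a non-existent subcommand: `Prinicpal` should be `Principal`, `aws acm desribe-certificate` should be `aws acm describe-certificate` (the wrong name fails with "argument command: Invalid choice"), the heading "Amazon Certificate Manger (ACM)" should read "Manager", "2e2 encryption" should be "e2e encryption", and "aws acm desription" should be "description". Finally, the claim that setting `arn:aws:iam::<account-id>:root` as Principal means "every principal inside the account is able to use the key" overstates it: that statement delegates permission decisions to IAM in the account, so a principal still needs an identity-based policy that allows the relevant `kms:*` actions, which is exactly what the following paragraph about the `Resource` list describes; suggest rewording to "enables IAM policies in the account to grant use of the key", and, since the section warns about cross-account lockout, adding that reviewing key policies for foreign-account principals is the control to pair with S3 Object Versioning and MFA Delete.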