diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 921e386..1a9b03e 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -1,21 +1,34 @@ # AWS S3 Enumeration -## Usage +## Regions -* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) - * `--region` +[A list of services by region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) is maintained by AWS +There are global and regional services. -### Simple Storage Service (S3) -* [S3](https://aws.amazon.com/s3/) -* Methods of access control are as follows - * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) - * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) +Watch out for the global and regional __Security Token Service__ (STS) which +provides temporary access to third party identities, since regional STS are +also valid in other regions. Global STS are only valid in default regions. + +In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region` + +## Simple Storage Service (S3) + +[S3](https://aws.amazon.com/s3/) is an object storage without volume limits. +The names of buckets are unique and the namespace of buckets is global but they +are stored regionally. + + Methods of access control are as follows +1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) +2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) + +The aws cli scheme is -* Scheme is ```sh http://.s3.amazonaws.com/file.name ``` + or + ```sh http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext ``` 
@@ -24,55 +37,107 @@ http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext ```sh aws s3 ls s3:/// --no-sign-request ``` -* Download via `curl`, `wget` or `s3` cli via + +Download via `curl`, `wget` or `s3` cli via + ```sh aws s3 cp s3:///foo_public.xml . --no-sign-request ``` -#### ACL +### ACL + +If the ACL is set to * `Anyone`, just `curl` * `AuthenticatedUsers`, `s3` cli with aws key ## IAM -* Not necessarily used by s3 -* Access key ID, starts with `AKIA` + 20 chars -* Secret access key -* Session token, `ASIA` + sessionToken +Permissions are granted directly through user accounts or indirectly through +roles the user has joined. +![users and groups](./include/iam-intro-users-and-groups.diagram.png) + +Gaining access to important roles like maintenance opens the door to higher permissions. +An always unique AWS Account ID has a length of 12 digits. + +The IAM is not necessarily used by S3. AK/SK is sufficient for authentication +and authorization. + +* Access key ID, starts with `AKIA` + 20 chars +* Secret access key (SK) +* Session token, `ASIA` + sessionToken +* AWS Organizations control accounts who joined +* Third party identity providers are supported +* IAM identity center of an organization allows provision of accounts from third parties through the AWS SSO + +### Root Accounts + +Every AWS account has a single root account bound to an email address. This +account has got the all privileges over the account. A root account has MFA +disabled by default. + +The account is susceptible to an attack if the mail address is accessible but +MFA is not activated. + +If the MFA is not set, it is an opportunity for a password reset attack when +the account the vulnerable root belongs to is part of an AWS Organization. + +### User Policies + +After authentication of a user (or principal) policies of the account are +checked if the request is allowed. 
+Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). +The following graph is taken from the documentation, it shows the evaluation +logic inside an account +![policy evaluation](./include/PolicyEvaluationHorizontal111621.pnhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-login.htmlg) + +Policies like `assume-role` and `switch-role` can lead to the gain of roles +with higher permissions + +### User Provisioning + +When using the cli command, the aws configuration and credentials are stored at `~/.aws` + +Add credentials to profile via -* Add credentials to profile via ```sh aws configure --profile PROFILENAME ``` -* Config and credentials is stored at `~/.aws` -* Sanity test profile via + +Sanity test a profile through checking its existance via + ```sh aws s3 ls --profile PROFILENAME ``` -* Find account ID to an access key + +Find account ID to an access key + ```sh aws sts get-access-key-info --access-key-id AKIAEXAMPLE ``` -* Find username to an access key + +Find username to an access key + ```sh aws sts get-caller-identity --profile PROFILENAME ``` -* Listing EC2 instances of an account + +Listing EC2 instances of an account + ```sh aws ec2 describe-instances --output text --profile PROFILENAME ``` -* aws ec2 describe-instances --output text --profile PROFILENAME -```sh -aws ec2 describe-instances --output text --profile PROFILENAME -``` - * In another region + +In another region + ```sh aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME ``` ### AWS ARN -* Unique ID is create via the following scheme + +Unique ID is create through the following scheme + ```sh arn:aws::::/ ``` 
@@ -87,8 +152,8 @@ ws secretsmanager get-secret-value --secret-id --region ## Check Permissions on S3 Bucket -* Do a `PUT` method to see if the bucket may be writeable to upload a file via +Do a `PUT` method to see if the bucket may be writeable to upload a file via + ```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" ``` - diff --git a/Enumeration/include/PolicyEvaluationHorizontal111621.png b/Enumeration/include/PolicyEvaluationHorizontal111621.png new file mode 100644 index 0000000..12ce586 Binary files /dev/null and b/Enumeration/include/PolicyEvaluationHorizontal111621.png differ diff --git a/Enumeration/include/iam-intro-users-and-groups.diagram.png b/Enumeration/include/iam-intro-users-and-groups.diagram.png new file mode 100644 index 0000000..19b0969 Binary files /dev/null and b/Enumeration/include/iam-intro-users-and-groups.diagram.png differ
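Review bot: in the first hunk (Regions / S3) the Regions link anchor `#concepts-available-segions` misspells "regions" (it was already wrong in the removed line), so the link opens the page top rather than the section; and "Regions go the cli argument `--region`" should read "Regions are selected with the cli argument `--region`". The sentence "[A list of services by region](...) is maintained by AWS" is missing its full stop before "There are global and regional services." The STS paragraph is the security-relevant bit and should be stated the way the AWS docs do: a session token from a regional STS endpoint is valid in all regions, while a token from the global endpoint is valid only in regions enabled by default, which matters when a credential is unexpectedly rejected in one region and not another; "temporary access to third party identities" is also ambiguous, since STS issues temporary credentials to principals, including federated third-party identities. Finally the first scheme block `http://.s3.amazonaws.com/file.name` has lost its bucket placeholder; to match the second form it should be `http://BUCKETNAME.s3.amazonaws.com/FILENAME.ext`.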
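Review bot: in the second hunk (ACL / IAM / Root Accounts) the credential list mixes up two identifiers: `ASIA` is the prefix of a temporary access key ID (the short-lived counterpart of `AKIA`), not of the session token, which is a separate long opaque string that must be sent alongside it; suggest "Temporary access key ID, starts with `ASIA`, always paired with a session token". Likewise "`AKIA` + 20 chars" should be "20 chars starting with `AKIA`", since the whole ID is 20 characters. "roles the user has joined" should be "groups the user is a member of" (the diagram linked is users-and-groups; roles are assumed, not joined). "The IAM is not necessarily used by S3. AK/SK is sufficient for authentication and authorization" is misleading, because access keys are IAM credentials; the intended point seems to be that S3 can also be reached without any IAM principal when a bucket policy or ACL allows anonymous access, which is what the `--no-sign-request` examples above rely on. Grammar: "has got the all privileges" should be "has all privileges", and the two root-account paragraphs ("susceptible to an attack if the mail address is accessible" and "opportunity for a password reset attack") say the same thing twice and should be merged into one statement of the condition (mailbox reachable, MFA not enabled).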
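Review bot: in the third hunk (User Policies / User Provisioning / ARN) the policy-evaluation image link is broken: the documentation URL was pasted into the middle of the filename, producing `./include/PolicyEvaluationHorizontal111621.pnhttps://docs.aws.amazon.com/...reference_policies_evaluation-login.htmlg`; it should be `![policy evaluation](./include/PolicyEvaluationHorizontal111621.png)`, the file this commit adds, and the docs link is already given in the sentence above (which correctly says `evaluation-logic.html`, not `evaluation-login.html`). "Policies like `assume-role` and `switch-role`" mislabels them: `assume-role` is an STS API call (`aws sts assume-role`) and switching roles is its console equivalent; what permits either is an `sts:AssumeRole` allow in the caller's policy together with the target role's trust policy, so suggest "Permission to call `sts:AssumeRole` (or to switch role in the console) can lead to roles with higher permissions". Also "existance" should be "existence", "Unique ID is create" should be "is created", and the ARN scheme block has lost its placeholders (`arn:aws::::/`); the documented general form is `arn:partition:service:region:account-id:resource`, with the partition `aws` in the commercial regions.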
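Review bot: in the fourth hunk (Check Permissions on S3 Bucket) `curl -vvv -X PUT $BUCKET_URL --data "..."` sends the PUT to the bucket itself rather than to an object key, so it does not actually test object upload; the check needs a key in the path, for example `$BUCKET_URL/write-test.txt`, and the text should say what to look for in the `-vvv` output (S3 answers a stored object with `200 OK` and a refused write with `403` and an `AccessDenied` body) and that a test object created by a successful check has to be removed again. Minor: "writeable" is normally spelled "writable".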