diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md index bc3b27f47b..1bd3d9a88a 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md @@ -79,30 +79,6 @@ aws iam update-login-profile --user-name target_user --no-password-reset-require **Impact:** Direct privilege escalation by logging in as "any" user. -### **`iam:GetFederationToken`** - -With this permission it's possible to generate credentials to impersonate any user: - -```bash -aws sts get-federation-token --name -``` - -This is how this permission can be given securely without giving access to impersonate other users: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "sts:GetFederationToken", - "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" - } - ] -} -``` - ### **`iam:UpdateAccessKey`** Allows enabling a disabled access key, potentially leading to unauthorized access if the attacker possesses the disabled key. diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md index d12e01eee6..ffd370a99f 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -50,6 +50,30 @@ Note that in this case the permission `sts:AssumeRole` needs to be **indicated i With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. {% endhint %} +### **`sts:GetFederationToken`** + +With this permission it's possible to generate credentials to impersonate any user: + +```bash +aws sts get-federation-token --name +``` + +This is how this permission can be given securely without giving access to impersonate other users: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "sts:GetFederationToken", + "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" + } + ] +} +``` + ### `sts:AssumeRoleWithSAML` A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** 
@@ -121,7 +145,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
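Review bot: on the first hunk (aws-iam-privesc.md), dropping the `iam:GetFederationToken` section is the right call, since the policy example inside it already names the action as `sts:GetFederationToken`, so the section was filed under the wrong service prefix; but the IAM page now has no trace of it, and a reader scanning the IAM privesc list will not know to look on the STS page. Consider leaving a one-line pointer such as "See `sts:GetFederationToken` in aws-sts-privesc.md" between the `iam:UpdateLoginProfile` impact line and `### **`iam:UpdateAccessKey`**`.

Review bot: on the second hunk (the sponsor block at line 9 of aws-sts-privesc.md), escaping the underscore inside the link target is a bug: `[**@hacktricks\_live**](https://twitter.com/hacktricks\_live)` puts a literal backslash into the URL, which most Markdown renderers will either leave in the href or percent-encode, breaking the link. The escape is only needed in the link text; the target should stay `https://twitter.com/hacktricks_live`.

Review bot: on the third hunk (the new `### **`sts:GetFederationToken`**` section), the command example is incomplete: `aws sts get-federation-token --name` is missing the value for `--name`, which is the federated user name that the policy below then matches via `federated-user/${aws:username}`; the section should show that value so the policy example and the command line up. Two further points on the same hunk: the resource ARN embeds a concrete account id (`947247140022`) where the rest of the page uses placeholders, so replace it with something like `<account-id>`; and, unlike the neighbouring sections on the IAM page (see the `**Impact:**` context line in the first hunk), this section carries no `**Impact:**` line, so add one to keep the format consistent.

Review bot: on the fourth hunk (the footer at line 121 of aws-sts-privesc.md), the same `\_` escape inside the URL target applies as in the second hunk; keep `hacktricks_live` unescaped in the parenthesised link target and only escape it in the bracketed text if the renderer needs it.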