Cheatsheet - AWS - Scenario - Unauthenticated IAM principal enumeration - S3 bucket and Lambda
Overview
Utilise resource-based policies on S3 buckets (and Lambda functions) to enumerate IAM principals in another account
Service/Tool: awscli, S3, Lambda
Use Case: Discover IAM principals in another AWS account that can be used for further attacks such as phishing or brute-forcing.
Prerequisites: A valid AWS account ID of the target, and an AWS account to launch the attack from.
Attack Workflow
1. Step 1 (Discovery/Access) - Manual
Objective: Use a resource based policy on an S3 bucket to enumerate IAM principals in another account.
Command/Method:
Nice short one!
Create an S3 bucket and set the following resource-based policy on it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAM Enum",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::104506445608:role/batch"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::iam-enum/*"
    }
  ]
}
In this policy we have:
- The principal we are attempting to enumerate: role/batch in the account 104506445608
- The resource that we own, i.e. the S3 bucket: iam-enum
AWS validates the principal when the policy is saved: if the specified principal does not exist, the console reports an error (the API returns an error for the same reason), whereas a policy naming an existing principal is accepted. Note that the Effect is Deny, so an existing principal is never actually granted access to the bucket.
We can also run this from the command line for automation. First we create a policy file, s3_policy.json, whose contents are the aforementioned policy document. Then we execute the following command:
aws s3api put-bucket-policy --bucket iam-enum --policy file://s3_policy.json
We can also do a similar enumeration via Lambda. In the Lambda case, we attempt to grant the lambda:GetFunction permission on a function we own to the target principal we want to enumerate; as with S3, the call fails if the principal does not exist.
We can complete this via the AWS console, or via the CLI:
aws lambda add-permission --function-name IAMEnum --action lambda:GetFunction --statement-id IAMEnum --principal "arn:aws:iam::104506445608:role/admin"
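Because the principal validation happens entirely in the account that owns the bucket or function, the target account sees no CloudTrail event for these checks, so the practical defence is to make principal names hard to guess rather than to rely on detection. The following self-assessment is an added example (not part of the original cheatsheet or the PwnedLabs lab): it lists the IAM roles and users in your own account with boto3 and flags names that appear in a small, constructed wordlist of common guesses such as "batch" and "admin" from the examples above. The wordlist, the placeholder account ID 111122223333 and the helper names are assumptions for illustration.

```python
"""Self-assessment: which IAM principal names in your own account are easy to guess?

Added example, not part of the original cheatsheet. The wordlist below is a
constructed sample; extend it with your organisation's own naming conventions.
"""
import re

# Constructed wordlist of principal names an attacker would try first.
GUESSABLE_NAMES = {
    "admin", "administrator", "batch", "lambda", "deploy",
    "ci", "backup", "readonly", "developer", "test",
}

# Matches an optional separator followed by trailing digits, e.g. "admin-01" -> "admin".
_TRAILING_DIGITS = re.compile(r"[-_ .]*\d+$")


def is_guessable(name: str) -> bool:
    """True if the name (case-insensitive) is in the wordlist, possibly with a numeric suffix."""
    lowered = name.lower()
    base = _TRAILING_DIGITS.sub("", lowered)
    return lowered in GUESSABLE_NAMES or base in GUESSABLE_NAMES


def principal_name(arn: str) -> str:
    """Extract the principal name from an IAM ARN such as arn:aws:iam::111122223333:role/path/name."""
    # Roles and users may carry a path; the name is always the last path element.
    return arn.rsplit("/", 1)[-1]


def assess(principal_arns):
    """Return the subset of ARNs whose principal name is guessable."""
    return [arn for arn in principal_arns if is_guessable(principal_name(arn))]


def list_principal_arns(session=None):
    """Fetch role and user ARNs from the current account (needs iam:ListRoles and iam:ListUsers).

    boto3 is imported lazily so the pure functions above can be used without AWS credentials.
    """
    import boto3

    iam = (session or boto3.Session()).client("iam")
    arns = []
    for operation, key in (("list_roles", "Roles"), ("list_users", "Users")):
        for page in iam.get_paginator(operation).paginate():
            arns.extend(item["Arn"] for item in page[key])
    return arns


if __name__ == "__main__":
    # Constructed sample ARNs using the AWS documentation placeholder account ID.
    sample = [
        "arn:aws:iam::111122223333:role/batch",
        "arn:aws:iam::111122223333:role/service-role/x7q-ingest-prod-4f2a",
        "arn:aws:iam::111122223333:user/admin-01",
    ]
    for arn in assess(sample):
        print("guessable:", arn)
    # Replace `sample` with list_principal_arns() to assess a real account.
```

Run it with credentials that allow iam:ListRoles and iam:ListUsers to assess a real account; every flagged ARN is a principal whose existence could be confirmed by the technique above with a short wordlist. The numeric-suffix handling matters because names like admin-01 are no harder to guess than admin.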
Notes and References
Links:
PwnedLabs - Unauthenticated AWS IAM Principals Enumeration