Skip to content

README.md

Latest commit

 

History

History
53 lines (35 loc) · 1.34 KB

README.md

File metadata and controls

53 lines (35 loc) · 1.34 KB

AWS - IAM Persistence

{{#include ../../../../banners/hacktricks-training.md}}

IAM

For more information access:

{{#ref}} ../../aws-services/aws-iam-enum.md {{#endref}}

Common IAM Persistence

  • Create a user
  • Add a controlled user to a privileged group
  • Create access keys (of the new user or of all users)
  • Grant extra permissions to controlled users/groups (attached policies or inline policies)
  • Disable MFA / Add you own MFA device
  • Create a Role Chain Juggling situation (more on this below in STS persistence)

Backdoor Role Trust Policies

You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["*", "arn:aws:iam::123213123123:root"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Backdoor Policy Version

Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.

Backdoor / Create Identity Provider

If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.

{{#include ../../../../banners/hacktricks-training.md}}