AWS Privilege Escalation Techniques

AWS Identity and Access Management (IAM) is a critical component of AWS. It allows you to control who has access to your AWS resources and what they can do with those resources. There are many different ways that IAM can be abused for account access and privilege escalation. Some of the most common ways include the techniques below:

• Utilizing Stolen Keys: If an attacker can steal your IAM access keys, they can use them to authenticate to your AWS account and assume the permissions of your account.
• IAM enumeration: An attacker can use tools like boto3 to enumerate the IAM users, groups, and roles in your account. This information can be used to identify accounts with elevated privileges that the attacker can target.
• Updating IAM policy versions: An attacker with the iam:CreatePolicyVersion permission can update the default policy version for an IAM policy. This can give them access to resources that they would not otherwise have access to.
• Setting the default policy version for an existing policy: An attacker with the iam:SetDefaultPolicyVersion permission can set the default policy version for an IAM policy. This can give them access to resources that they would not otherwise have access to.
• Creating EC2 instances with existing instance profiles: An attacker with the iam:PassRole and ec2:RunInstances permissions can create EC2 instances with existing instance profiles. This can give them access to resources that are running on those instances.
• Creating new user access keys: An attacker with the iam:CreateAccessKey permission can create new user access keys. This can give them a way to authenticate to your AWS account and assume the permissions of the user.
• Creating new login profiles: An attacker with the iam:CreateLoginProfile permission can create new login profiles. This can give them a way to authenticate to your AWS account without having to create a new user.
• Updating login profiles: An attacker with the iam:UpdateLoginProfile permission can update existing login profiles. This can give them a way to change the password for a login profile, which can give them access to your AWS account.
• Attaching policies to users: An attacker with the iam:AttachUserPolicy permission can attach policies to users. This can give them the permissions of the policies that are attached to the user.
• Attaching policies to groups: An attacker with the iam:AttachGroupPolicy permission can attach policies to groups. This can give them the permissions of the policies that are attached to the group.
• Attaching policies to roles: An attacker with the iam:AttachRolePolicy permission can attach policies to roles. This can give them the permissions of the policies that are attached to the role.
• Creating/updating inline policies for users: An attacker with the iam:PutUserPolicy permission can create or update inline policies for users. This can give them the permissions of the policies that are created or updated.
• Creating/updating inline policies for groups: An attacker with the iam:PutGroupPolicy permission can create or update inline policies for groups. This can give them the permissions of the policies that are created or updated.
• Creating/updating inline policies for roles: An attacker with the iam:PutRolePolicy permission can create or update inline policies for roles. This can give them the permissions of the policies that are created or updated.
• Adding users to groups: An attacker with the iam:AddUserToGroup permission can add users to groups. This can give them the permissions of the groups that they are added to.
• Updating the AssumeRolePolicyDocument permissions of a role: An attacker with the iam:UpdateAssumeRolePolicy and sts:AssumeRole permissions can update the AssumeRolePolicyDocument of a role. This can give them the permissions of the role that they are updating.
• Passing a role to Lambda and invoking the role: An attacker with the iam:PassRole and lambda:CreateFunction and lambda:InvokeFunction permissions can pass a role to a Lambda function and then invoke the function. This can give them the permissions of the role that they passed to the function.
• Passing a role to Lambda and triggering the role with DynamoDB: An attacker with the iam:PassRole and lambda:CreateFunction and lambda:CreateEventSourceMapping permissions can pass a role to a Lambda function and then trigger the function with a DynamoDB event. This can give them the permissions of the role that they passed to the function.
• Updating existing Lambda code: An attacker with the lambda:UpdateFunctionCode permission can update the code for an existing Lambda function. This can give them the ability to inject malicious code that elevates the attacker’s permissions into the function, which can then be executed when the function is invoked.
• Passing role to Glue Dev Endpoint: An attacker with the iam:PassRole and glue:CreateDevEndpoint permissions can pass a role to a Glue Dev Endpoint. This can give them the permissions of the role that they passed to the endpoint, which can then be used to access resources in your AWS account.
• Updating existing Glue Dev Endpoint: An attacker with the glue:UpdateDevEndpoint permission can update an existing Glue Dev Endpoint. This can give them the ability to change the role that is associated with the endpoint, which can then be used to access resources in your AWS account.
• Pass role to CloudFormation: An attacker with the iam:PassRole and cloudformation:CreateStack permissions can pass a role to a CloudFormation stack. This can give them the permissions of the role that they passed to the stack, which can then be used to create and manage resources in your AWS account.
• Pass role to Data Pipeline: An attacker with the iam:PassRole and datapipeline:CreatePipeline and datapipeline:PutPipelineDefinition permissions can pass a role to a Data Pipeline. This can give them the permissions of the role that they passed to the pipeline, which can then be used to create and manage resources in your AWS account.
• Abuse iam:PassRole in Sagemaker Jupyter Notebooks: An attacker with the sagemaker:CreateNotebookInstance and sagemaker:CreatePresignedNotebookInstanceUrl and iam:PassRole permissions can create a Sagemaker Jupyter Notebook instance and then pass a role to the instance. This can give them the permissions of the role that they passed to the instance, which can then be used to access resources in your AWS account.
• Get access to existing Sagemaker Jupyter Notebooks: An attacker with the sagemaker:CreateNotebookInstance and sagemaker:CreatePresignedNotebookInstanceUrl and sagemaker:ListNotebookInstances permissions can list all of the Sagemaker Jupyter Notebook instances in your account. This can give them the information they need to access an existing notebook instance and escalate their privileges.

Persistence Techniques: Once an attacker has escalated their privileges, they may want to establish persistence so that they can maintain access to your AWS account even if you revoke their access. Some common persistence techniques include:

• Creating a cron job: An attacker can create a cron job that runs a script that gives them access to your AWS account.
• Hijacking an IAM role: An attacker can hijack an IAM role that has permissions to access your AWS account.
• Leaving a backdoor: An attacker can leave a backdoor in your AWS account that they can use to regain access.

Conclusion:

AWS privilege escalation is a serious threat that can have a significant impact on your AWS environment. It is important to be aware of the different techniques that attackers can use to escalate their privileges and to take steps to mitigate these risks. Some of the key steps you can take include:

• Using strong IAM permissions: Only grant users and roles the permissions they need to do their jobs.
• Rotating IAM credentials: Rotate IAM access keys and passwords on a regular basis.
• Monitoring IAM activity: Monitor IAM activity for suspicious patterns.
• Using IAM roles for cross-account access: Use IAM roles to grant cross-account access instead of sharing access keys and passwords.
• Keeping your software up to date: Keep your AWS software up to date with the latest security patches.

By taking these steps, you can help to protect your AWS environment from privilege escalation attacks.

Resources

To learn more about the techniques mentioned in this article, please visit https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ and https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/. Many of these techniques were originally documented by RhinoSecurityLabs, so be sure to check out their work too!

Check out the program I created to test these techniques, including all of the latest and greatest IAM PrivEsc techniques: https://github.com/cyberqueenmeg/aws_iam_privesc

About the Author:

Megan Howell (CyberQueenMeg) is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter, has been featured in Forbes Magazine for her work in AI Bias hunting, open source contributor to programs like BeeF and BlackArch Linux, former DefCon speaker, SkillsUSA Cybersecurity national competitor, National Cyber Scholar, and Cyber Patriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.

DISCLAIMER

The information presented above can be used for both beneficial and malicious purposes. I do not condone or endorse the use of this information for malicious purposes and will fully support the prosecution of those who use the information presented above in a manner that violates the law. You are only authorized to utilize this information on your own systems or on systems you are explicitly authorized to penetration test or perform bug bounties on. If you use this exploit in a malicious manner, you will be charged and prosecuted to the full extent of the laws surrounding unethical hacking and cyber crime.