Tech with Tyler
LinkedInGitHubYouTube
  • 👋Welcome!
    • whoami
    • !!! Disclaimer !!!
  • 🎓Academy
    • AWS Security Cookbook
      • AWS Control Tower
        • Lab: Deploying AWS Control Tower via Terraform
        • Lab: Blocking Regions with AWS Control Tower
      • AWS CloudTrail
      • AWS GuardDuty
        • Lab: Deploying AWS GuardDuty via Terraform
        • Lab: Logging GuardDuty Findings to S3
        • Lab: Adversary Simulation Detection with Stratus Red Team and GuardDuty
      • AWS Organizations
        • Lab: Deploying AWS Organizations via Terraform
      • AWS Root Account Management
        • Lab: Deploying AWS Root Account Management via Terraform
      • AWS Service Control Policies (SCPs)
        • Lab: Deploying AWS Service Control Policies (SCPs) via Terraform
      • TBD - Coming Soon!
        • [TBD] AWS Account Factory
        • [TBD] AWS Identity Center
    • My content on Cybr
      • Course - Terraform on AWS: From Zero to Cloud Infrastructure
      • Lab - Create Static AWS S3 Website with Terraform
      • Lab - Secure EC2 Access with SSM Session Manager and KMS
      • Lab - Encrypt and Decrypt Data with KMS and Data Encryption Keys
    • My content on PwnedLabs
      • Cyber Range - Electra
      • Lab - Abusing Identity Providers in AWS
      • Lab - Prowler and AWS Security Hub
      • Blog - Abusing Identity Providers in AWS
      • Blog - Building Security Guardrails with AWS Resource Control Policies
      • Blog - Defending Against the whoAMI Attack with AWS Declarative Policies
    • My content on YouTube
      • AWS Security Engineering
      • Linux in 60 Seconds!
  • ☁️Cloud Security
    • AWS Attacks and Techniques
      • Enumerate AWS Account IDs
      • Enumerate AWS IAM Users
      • Enumerate (Unauthenticated) IAM Users and Roles
      • Enumerate AWS Public Resources
      • Enumerate Secrets in AWS
      • Generate AWS Console Session
      • Generate IAM Access Keys from CloudShell
      • Password Spraying AWS IAM Users
      • Subdomain Takeovers
    • AWS Privilege Escalation
      • Identity Access Management (IAM)
      • IAM Trust Policies
      • Key Management Service (KMS)
      • Lightsail
      • OpenID Connect (OIDC)
      • S3
      • Secrets Manager
      • Security Token Service (STS)
    • AWS General Info
      • Amazon Bedrock
      • EC2
      • KMS
      • S3
      • SNS Topic
    • AWS CLI Cheat Sheet
    • Capture the Flags (CTFs)
      • Flaws.Cloud
        • Level 1
        • Level 2
        • Level 3
        • Level 4
        • Level 5
        • Level 6
      • PwnedLabs
        • Escalate Privileges by IAM Policy Rollback
        • Exploiting Weak S3 Bucket Policies
        • Leveraging S3 Bucket Versioning
        • S3 Enumeration Basics
        • Pillage Exposed RDS Instances
        • EC2 SSRF Attack
        • Hunt for Secrets in Git Repos
      • Cybr
        • Challenge - Secrets Unleashed
    • Tools
      • Tooling Index
      • dsnap
      • Pacu
      • s3-account-search
      • GoAWSConsoleSpray
      • aws_consoler
      • cloudenum
  • 📦Containers & Orchestration
    • Kubernetes
  • 👨‍💻Coding & CLI Tooling
    • CLI Tools
      • AWS CLI
      • Git
      • GitHub Copilot (CLI)
      • Homebrew
      • jq
      • ngrok
      • ssh
    • Coding and Scripting
      • Bash
      • Python
    • Terminal Customization
  • ⚙️DevSecOps
    • CI/CD
      • GitLab
    • Hashicorp Terraform
    • Hashicorp Vault
    • IAC Scanning
      • tfsec
    • Secrets Scanning
      • Trufflehog
  • 🎁Miscellaneous
    • Jenkins
  • 💻Operating Systems
    • Linux
      • APT Package Manager
      • CLI Tools Cheat Sheet
      • Man Pages
      • Services
      • Users and Groups
  • 🏗️Projects
    • Active Directory Homelab Automation
    • AWS Cloud Resume Challenge
    • Proxmox Homelab as Code
  • 📌Other
    • Useful Resources
Powered by GitBook
On this page
  • Abusing Vulnerable Trust Policies
  • AWS Service Trust Policy
  • Bad policy
  • Better policy
  • Resources

Was this helpful?

  1. Cloud Security
  2. AWS Privilege Escalation

IAM Trust Policies

Abusable AWS IAM Trust Policies that can lead to compromise or privilege escalation

Abusing Vulnerable Trust Policies

  • Poorly written IAM Trust Policies can lead to compromise


AWS Service Trust Policy

Bad policy

  • This policy allows the Lambda service in any AWS account to assume the role. An attacker only needs to know the ARN of the role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
	  "AWS": "*",
	  "Service": "lambda.amazonaws.com"
	},
      "Action": "sts:AssumeRole"
    }
  ]
}

Better policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:lambda:<Region>:<AwsAccountId>:function:<LambdaFunction>"
        }
      }
    }
  ]
}

Resources

PreviousIdentity Access Management (IAM)NextKey Management Service (KMS)

Last updated 4 months ago

Was this helpful?

The role assumption is restricted to a particular lambda function within a particular AWS account but can be specified too

☁️
other conditions
AWS global condition context keys - AWS Identity and Access ManagementAWS Identity and Access Management
Logo
IAM and AWS STS condition context keys - AWS Identity and Access ManagementAWS Identity and Access Management
Logo
IAM JSON policy elements reference - AWS Identity and Access ManagementAWS Identity and Access Management
Logo