🎯Attacks, Techniques, and Tools

Tools and techniques for attacking, exploiting, and enumerating AWS IAM

Abusing Vulnerable Trust Policies

Poorly written IAM role trust policies let principals the author never intended to trust assume the role, which can lead to account compromise.

AWS Service Trust Policy

Bad policy

This policy allows the Lambda service in any AWS account to assume the role, and because the principal also contains "AWS": "*", any other AWS principal can assume it as well. An attacker only needs to know the ARN of the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*",
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Better policy

The role assumption is restricted to a particular Lambda function within a particular AWS account: the aws:SourceArn condition only matches when the Lambda service is acting on behalf of that function, so the same service invoked from another account's function is denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:lambda:<Region>:<AwsAccountId>:function:<LambdaFunction>"
        }
      }
    }
  ]
}

AWS Identity Federation Trust Policy

Bad policy

This policy allows any project on gitlab.com to assume the role, because the only condition checks the audience claim, which every GitLab ID token issued for this audience carries. An attacker only needs to know the ARN of the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}

Better policy

The role assumption is restricted to a particular GitLab project path and branch by matching the sub claim of the GitLab ID token. The condition key must use the same hostname as the OIDC provider in the Principal (gitlab.com here); a key for a different host never appears in the request context, so the condition would always fail.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitlabToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"
        }
      }
    }
  ]
}
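The checks behind both sections above (a wildcard AWS principal, a service principal with no aws:SourceArn or aws:SourceAccount scoping, and an OIDC federated principal with no, or a mis-hosted, <provider>:sub condition) can be run as an offline audit over trust policy documents. The following script is an added example written for this page, not code from the page's author or from AWS. It embeds constructed sample policies (the page's four, plus two hypothetical GitLab variants) so it runs with no AWS credentials; in practice you would feed it the AssumeRolePolicyDocument of each role returned by iam:ListRoles.

```python
"""Offline audit of IAM role trust policies for the weaknesses discussed above.

Added example: flags wildcard AWS principals, service principals with no
aws:SourceArn / aws:SourceAccount condition, and OIDC federated principals
whose statement lacks (or mis-spells) a <provider-host>:sub condition.
"""
import json
from typing import Any, Dict, List, Optional, Set


def _as_list(value: Any) -> List[Any]:
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy(principal: Dict[str, str], action: str,
            condition: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build a one-statement trust policy (helper for the constructed samples)."""
    stmt: Dict[str, Any] = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed samples: account id, function name and project path are placeholders.
GITLAB_PROVIDER = "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
PROJECT_SUB = "project_path:mygroup/myproject:ref_type:branch:ref:main"
WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"

SAMPLE_TRUST_POLICIES: Dict[str, Dict[str, Any]] = {
    "lambda-bad": _policy({"AWS": "*", "Service": "lambda.amazonaws.com"}, "sts:AssumeRole"),
    "lambda-better": _policy({"Service": "lambda.amazonaws.com"}, "sts:AssumeRole",
        {"ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}}),
    "gitlab-bad": _policy({"Federated": GITLAB_PROVIDER}, WEB_IDENTITY,
        {"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}}),
    "gitlab-better": _policy({"Federated": GITLAB_PROVIDER}, WEB_IDENTITY,
        {"StringEquals": {"gitlab.com:sub": PROJECT_SUB}}),
    # Hypothetical: condition key names a host other than the provider's, so it never matches.
    "gitlab-wrong-host": _policy({"Federated": GITLAB_PROVIDER}, WEB_IDENTITY,
        {"StringEquals": {"gitlab.example.com:sub": PROJECT_SUB}}),
    # Hypothetical: sub is present but a wildcard widens it to every project in the group.
    "gitlab-wildcard-sub": _policy({"Federated": GITLAB_PROVIDER}, WEB_IDENTITY,
        {"StringLike": {"gitlab.com:sub": "project_path:mygroup/*"}}),
}


def _condition_keys(stmt: Dict[str, Any]) -> Set[str]:
    """All condition keys in a statement, lower-cased (IAM compares key names case-insensitively)."""
    keys: Set[str] = set()
    for key_values in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in key_values)
    return keys


def audit_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one trust policy; an empty list means none detected."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # "Principal": "*" is shorthand for any AWS principal
            principal = {"AWS": "*"}
        cond_keys = _condition_keys(stmt)

        # 1. Wildcard AWS principal: every IAM principal in every account may call sts:AssumeRole.
        if "*" in _as_list(principal.get("AWS")):
            findings.append('"AWS": "*" principal lets any AWS account assume the role')

        # 2. Service principal with no source scoping: the service acting for another
        #    account's resource (confused deputy) can assume the role.
        if _as_list(principal.get("Service")) and not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append("service principal has no aws:SourceArn / aws:SourceAccount condition")

        # 3. OIDC federated principal (one provider per statement assumed): without a
        #    <host>:sub condition, any identity the provider issues a token to satisfies the policy.
        for fed in _as_list(principal.get("Federated")):
            if ":oidc-provider/" not in fed:
                continue
            host = fed.split(":oidc-provider/", 1)[1]
            expected_sub_key = f"{host}:sub".lower()
            if expected_sub_key not in cond_keys:
                findings.append(f"federated principal {host} has no {expected_sub_key} condition")
            for key in cond_keys:
                # A :sub key for a different host is never in the request context (copy/paste error).
                if key.endswith(":sub") and key != expected_sub_key:
                    findings.append(f"condition key {key} does not match provider host {host}")
            for operator, key_values in stmt.get("Condition", {}).items():
                for key, values in key_values.items():
                    if (key.lower() == expected_sub_key and operator.startswith("StringLike")
                            and any("*" in v for v in _as_list(values))):
                        findings.append(f"{key} uses a wildcard pattern; scope it to one project and ref")
    return findings


def audit_all(policies: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Audit a name -> policy mapping, returning name -> findings."""
    return {name: audit_trust_policy(p) for name, p in policies.items()}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_TRUST_POLICIES), indent=2))
```

Running the script reports two findings for the wildcard Lambda policy, one for the audience-only GitLab policy and none for either of the scoped versions. The wildcard-sub check is deliberately a judgment call: a group-wide pattern may be acceptable for some roles, so the finding says what to tighten rather than treating it as a hard failure.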
