AWS - DynamoDB Post Exploitation
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information check:
AWS - DynamoDB Enumdynamodb:BatchGetItem
An attacker with this permissions will be able to get items from tables by the primary key (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (describe-table
).
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:GetItem
Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
With this permission it's also possible to use the transact-get-items
method like:
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:Query
Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a subset of comparisons, but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:Scan
You can use this permission to dump the entire table easily.
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:PartiQLSelect
You can use this permission to dump the entire table easily.
This permission also allow to perform batch-execute-statement
like:
but you need to specify the primary key with a value, so it isn't that useful.
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)
This permission will allow an attacker to export the whole table to a S3 bucket of his election:
Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
If it isn't enabled, you will need to enable it and for that you need the dynamodb:ExportTableToPointInTime
permission:
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:CreateTable
, dynamodb:RestoreTableFromBackup
, (dynamodb:CreateBackup)
With these permissions, an attacker would be able to create a new table from a backup (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check information from the backups that could not be any more in the production table.
Potential Impact: Indirect privesc by locating sensitive information in the table backup
dynamodb:PutItem
This permission allows users to add a new item to the table or replace an existing item with a new item. If an item with the same primary key already exists, the entire item will be replaced with the new item. If the primary key does not exist, a new item with the specified primary key will be created.
Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
dynamodb:UpdateItem
This permission allows users to modify the existing attributes of an item or add new attributes to an item. It does not replace the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will create a new item with the specified primary key and set the attributes specified in the update expression.
Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
dynamodb:DeleteTable
An attacker with this permission can delete a DynamoDB table, causing data loss.
Potential impact: Data loss and disruption of services relying on the deleted table.
dynamodb:DeleteBackup
An attacker with this permission can delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario.
Potential impact: Data loss and inability to recover from a backup during a disaster recovery scenario.
dynamodb:StreamSpecification
, dynamodb:UpdateTable
, dynamodb:DescribeStream
, dynamodb:GetShardIterator
, dynamodb:GetRecords
TODO: Test if this actually works
An attacker with these permissions can enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
Enable a stream on a DynamoDB table:
Describe the stream to obtain the ARN and other details:
Get the shard iterator using the stream ARN:
Use the shard iterator to access and exfiltrate data from the stream:
Potential impact: Real-time monitoring and data leakage of the DynamoDB table's changes.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)