Comment on page
AWS - Privilege Escalation

Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS Privilege Escalation
The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization.
AWS has hundreds (if not thousands) of permissions that an entity can be granted. In this book you can find all the permissions that I know that you can abuse to escalate privileges, but if you know some path not mentioned here, please share it.
If an IAM policy has "Effect": "Allow" and "NotAction": "Someaction" indicating a resource... that means that the allowed principal has permission to do ANYTHING but that specified action.
So remember that this is another way to grant privileged permissions to a principal.
You can find all the privesc paths divided by services:
​Apigateway Privesc​
​Codebuild Privesc​
​Codepipeline Privesc​
​Codestar Privesc​
​Cloudformation Privesc​
​Cognito Privesc​
​Datapipeline Privesc​
​DynamoDB Privesc​
​EBS Privesc​
​EC2 Privesc​
​ECR Privesc​
​ECS Privesc​
​EFS Privesc​
​EMR Privesc​
​Glue Privesc​
​IAM Privesc​
​KMS Privesc​
​Lambda Privesc​
​Lightsail Privesc​
​MQ Privesc​
​MSK Privesc​
​RDS Privesc​
​Redshift Privesc​
​S3 Privesc​
​Sagemaker Privesc​
​Secrets Privesc​
​SSM Privesc​
​STS Privesc​
​Misc (Other Techniques) Privesc​
Tools
​https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py​
​Pacu​
References
​https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/​
​https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/​
​https://bishopfox.com/blog/privilege-escalation-in-aws​
​https://hackingthe.cloud/aws/exploitation/local-priv-esc-user-data-s3/​
Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS - STS Post Exploitation
AWS - Apigateway Privesc
Last modified 1yr ago