AWS - EMR Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
More info about EMR in:
iam:PassRole
, elasticmapreduce:RunJobFlow
An attacker with these permissions can run a new EMR cluster attaching EC2 roles and try to steal its credentials.
Note that in order to do this you would need to know some ssh priv key imported in the account or to import one, and be able to open port 22 in the master node (you might be able to do this with the attributes EmrManagedMasterSecurityGroup
and/or ServiceAccessSecurityGroup
inside --ec2-attributes
).
Note how an EMR role is specified in --service-role
and a ec2 role is specified in --ec2-attributes
inside InstanceProfile
. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.
Potential Impact: Privesc to the EC2 service role specified.
elasticmapreduce:CreateEditor
, iam:ListRoles
, elasticmapreduce:ListClusters
, iam:PassRole
, elasticmapreduce:DescribeEditor
, elasticmapreduce:OpenEditorInConsole
With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.
Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
elasticmapreduce:OpenEditorInConsole
Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it.
The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/
Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)