AWS - MSK Privesc
MSK
For more information about MSK (Kafka) check:
pageAWS - MSK Enummsk:ListClusters
, msk:UpdateSecurity
msk:ListClusters
, msk:UpdateSecurity
With these privileges and access to the VPC where the kafka brokers are, you could add the None authentication to access them.
You need access to the VPC because you cannot enable None authentication with Kafka publicly exposed. If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret to access (you will need additional privileges to read the secret). If IAM role-based authentication is used and kafka is publicly exposed you could still abuse these privileges to give you permissions to access it.
Last updated