AWS - RDS Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about RDS check:
AWS - Relational Database (RDS) Enumrds:ModifyDBInstance
With that permission an attacker can modify the password of the master user, and the login inside the database:
You will need to be able to contact to the database (they are usually only accessible from inside networks).
Potential Impact: Find sensitive info inside the databases.
According to the docs a user with this permission could connect to the DB instance.
If running SELECT datname FROM pg_database;
you find a database called rdsadmin
you know you are inside an AWS postgresql database.
First you can check if this database has been used to access any other AWS service. You could check this looking at the installed extensions:
If you find something like aws_s3
you can assume this database has some kind of access over S3 (there are other extensions such as aws_ml
and aws_lambda
).
Also, if you have permissions to run aws rds describe-db-clusters
you can see there if the cluster has any IAM Role attached in the field AssociatedRoles
. If any, you can assume that the database was prepared to access other AWS services. Based on the name of the role (or if you can get the permissions of the role) you could guess what extra access the database has.
Now, to read a file inside a bucket you need to know the full path. You can read it with:
If you had raw AWS credentials you could also use them to access S3 data with:
Postgresql doesn't need to change any parameter group variable to be able to access S3.
Inside a mysql, if you run the query SELECT User, Host FROM mysql.user;
and there is a user called rdsadmin
, you can assume you are inside an AWS RDS mysql db.
Inside the mysql run show variables;
and if the variables such as aws_default_s3_role
, aurora_load_from_s3_role
, aurora_select_into_s3_role
, have values, you can assume the database is prepared to access S3 data.
Also, if you have permissions to run aws rds describe-db-clusters
you can check if the cluster has any associated role, which usually means access to AWS services).
Now, to read a file inside a bucket you need to know the full path. You can read it with:
rds:AddRoleToDBCluster
, iam:PassRole
An attacker with the permissions rds:AddRoleToDBCluster
and iam:PassRole
can add a specified role to an existing RDS instance. This could allow the attacker to access sensitive data or modify the data within the instance.
Potential Impact: Access to sensitive data or unauthorized modifications to the data in the RDS instance. Note that some DBs require additional configs such as Mysql, which needs to specify the role ARN in the aprameter groups also.
rds:CreateDBInstance
Just with this permission an attacker could create a new instance inside a cluster that already exists and has an IAM role attached. He won't be able to change the master user password, but he might be able to expose the new database instance to the internet:
rds:CreateDBInstance
, iam:PassRole
TODO: Test
An attacker with the permissions rds:CreateDBInstance
and iam:PassRole
can create a new RDS instance with a specified role attached. The attacker can then potentially access sensitive data or modify the data within the instance.
Some requirements of the role/instance-profile to attach (from here):
The profile must exist in your account.
The profile must have an IAM role that Amazon EC2 has permissions to assume.
The instance profile name and the associated IAM role name must start with the prefix AWSRDSCustom
.
Potential Impact: Access to sensitive data or unauthorized modifications to the data in the RDS instance.
rds:AddRoleToDBInstance
, iam:PassRole
An attacker with the permissions rds:AddRoleToDBInstance
and iam:PassRole
can add a specified role to an existing RDS instance. This could allow the attacker to access sensitive data or modify the data within the instance.
The DB instance must be outside of a cluster for this
Potential Impact: Access to sensitive data or unauthorized modifications to the data in the RDS instance.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)