Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
AWS Directory Service for Microsoft Active Directory is a managed service that makes it easy to set up, operate, and scale a directory in the AWS Cloud. It is built on actual Microsoft Active Directory and integrates tightly with other AWS services, making it easy to manage your directory-aware workloads and AWS resources. With AWS Managed Microsoft AD, you can use your existing Active Directory users, groups, and policies to manage access to your AWS resources. This can help simplify your identity management and reduce the need for additional identity solutions. AWS Managed Microsoft AD also provides automatic backups and disaster recovery capabilities, helping to ensure the availability and durability of your directory. Overall, AWS Directory Service for Microsoft Active Directory can help you save time and resources by providing a managed, highly available, and scalable Active Directory service in the AWS Cloud.
Directory Services allows to create 5 types of directories:
AWS Managed Microsoft AD: Which will run a new Microsoft AD in AWS. You will be able to set the admin password and access the DCs in a VPC.
Simple AD: Which will be a Linux-Samba Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC.
AD Connector: A proxy for redirecting directory requests to your existing Microsoft Active Directory without caching any information in the cloud. It will be listening in a VPC and you need to give credentials to access the existing AD.
Amazon Cognito User Pools: This is the same as Cognito User Pools.
Cloud Directory: This is the simplest one. A serverless directory where you indicate the schema to use and are billed according to the usage.
AWS Directory services allows to synchronise with your existing on-premises Microsoft AD, run your own one in AWS or synchronize with other directory types.
Here you can find a nice tutorial to create you own Microsoft AD in AWS: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html
Note that if the description of the directory contained a domain in the field AccessUrl it's because a user can probably login with its AD credentials in some AWS services:
<name>.awsapps.com/connect (Amazon Connect)
<name>.awsapps.com/workdocs (Amazon WorkDocs)
<name>.awsapps.com/workmail (Amazon WorkMail)
<name>.awsapps.com/console (Amazon Management Console)
<name>.awsapps.com/start (IAM Identity Center)
An AD user can be given access over the AWS management console via a Role to assume. The default username is Admin and it's possible to change its password from AWS console.
Therefore, it's possible to change the password of Admin, create a new user or change the password of a user and grant that user a Role to maintain access. It's also possible to add a user to a group inside AD and give that AD group access to a Role (to make this persistence more stealth).
It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env. However, this implies sharing the managed AD and also creating an VPC peering connection.
You can find a guide here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html
It doesn't look like possible to grant AWS access to users from a different AD env to one AWS account.
Amazon Web Services (AWS) WorkDocs is a cloud-based file storage and sharing service. It is part of the AWS suite of cloud computing services and is designed to provide a secure and scalable solution for organizations to store, share, and collaborate on files and documents.
AWS WorkDocs provides a web-based interface for users to upload, access, and manage their files and documents. It also offers features such as version control, real-time collaboration, and integration with other AWS services and third-party tools.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
