Kinesis Data Firehose

Amazon Kinesis Data Firehose is a fully managed service that facilitates the delivery of real-time streaming data. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints.

The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the automatic delivery of data to the specified destination. Additionally, Kinesis Data Firehose provides the option to transform the data prior to its delivery, enhancing its flexibility and applicability to various use cases.

Enumeration

# Get delivery streams
aws firehose list-delivery-streams

# Get stream info
aws firehose describe-delivery-stream --delivery-stream-name <name>
## Get roles
aws firehose describe-delivery-stream --delivery-stream-name <name> | grep -i RoleARN

Post-exploitation / Defense Bypass

In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly.

firehose:DeleteDeliveryStream

aws firehose delete-delivery-stream --delivery-stream-name <value> --allow-force-delete

firehose:UpdateDestination

aws firehose update-destination --delivery-stream-name <value> --current-delivery-stream-version-id <value> --destination-id <value>

firehose:PutRecord | firehose:PutRecordBatch

aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}'

aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json

References

• https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html