AWS - Firewall Manager Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Firewall Manager

AWS Firewall Manager streamlines the management and maintenance of AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall across multiple accounts and resources. It enables you to configure your firewall rules, Shield Advanced protections, VPC security groups, and Network Firewall settings just once, with the service automatically enforcing these rules and protections across your accounts and resources, including newly added ones.
The service offers the capability to group and safeguard specific resources together, like those sharing a common tag or all your CloudFront distributions. A significant advantage of Firewall Manager is its ability to automatically extend protection to newly added resources in your account.
Prerequisites include setting up a Firewall Manager Master Account, establishing an AWS organization with member accounts, and enabling AWS Config.
A rule group (a collection of WAF rules) can be incorporated into an AWS Firewall Manager Policy, which is then linked to specific AWS resources such as CloudFront distributions or application load balancers.
Firewall Manager policies permit only "Block" or "Count" actions for a rule group; there is no "Allow" option.

Enumeration

# Get admin account
aws fms get-admin-account
# Get member accounts
aws fms list-member-accounts
# Get policies
aws fms list-policies
# Get App list
aws fms list-apps-lists --max-results 10
# Get notification channel (if any)
aws fms get-notification-channel
# Get resource sets
aws fms list-resource-sets
# Get admin scope: Get resources Firewall Manager can manage
aws fms get-admin-scope --admin-account <acc-id> # ReadOnly policy is not enough for this
# Get Firewall Manager administrators within the organization that are onboarded to Firewall Manager by AssociateAdminAccount
aws fms list-admin-accounts-for-organization # ReadOnly policy is not enough for this
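Seen from the defender's side, the calls above show up in CloudTrail as a burst of read-only `fms.amazonaws.com` events from one principal. The following is an added example, not part of the original page: the event names (taken from the API operation names), the thresholds, the `AccessDenied` error prefix and the sample records are all assumptions or constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values for the aws fms calls above (assumed to match API names).
FMS_READ_EVENTS = {
    "GetAdminAccount", "ListMemberAccounts", "ListPolicies", "ListAppsLists",
    "GetNotificationChannel", "ListResourceSets", "GetAdminScope",
    "ListAdminAccountsForOrganization",
}

def find_fms_enumeration(records, min_distinct=4, window=timedelta(minutes=10)):
    """Flag principals calling >= min_distinct FMS read APIs in one window."""
    calls = defaultdict(list)
    for r in records:
        if (r.get("eventSource") != "fms.amazonaws.com"
                or r.get("eventName") not in FMS_READ_EVENTS):
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        calls[arn].append((ts, r["eventName"], r.get("errorCode") or ""))
    findings = {}
    for arn, seen in calls.items():
        seen.sort()
        for start, _, _ in seen:
            burst = [c for c in seen if timedelta(0) <= c[0] - start <= window]
            apis = {c[1] for c in burst}
            if len(apis) >= min_distinct:
                # Denied calls show the principal probing past its permissions.
                denied = {c[1] for c in burst if c[2].startswith("AccessDenied")}
                findings[arn] = {"apis": sorted(apis), "denied": sorted(denied)}
                break
    return findings

def _rec(arn, name, when, error="", source="fms.amazonaws.com"):
    return {"eventSource": source, "eventName": name, "eventTime": when,
            "errorCode": error, "userIdentity": {"arn": arn}}

# Constructed sample records, not real CloudTrail data.
ANALYST = "arn:aws:iam::111122223333:user/constructed-analyst"
AUDIT = "arn:aws:iam::111122223333:role/constructed-audit"
SAMPLE = [
    _rec(ANALYST, "GetAdminAccount", "2024-01-01T10:00:00Z"),
    _rec(ANALYST, "ListPolicies", "2024-01-01T10:00:40Z"),
    _rec(ANALYST, "GetAdminScope", "2024-01-01T10:01:10Z", "AccessDeniedException"),
    _rec(ANALYST, "ListResourceSets", "2024-01-01T10:01:30Z"),
    _rec(AUDIT, "ListPolicies", "2024-01-01T09:00:00Z"),
    _rec(AUDIT, "DescribeInstances", "2024-01-01T09:05:00Z", source="ec2.amazonaws.com"),
]
print(find_fms_enumeration(SAMPLE))
```

Tune `min_distinct` and `window` against the account's normal Firewall Manager administration traffic before alerting on the result.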

Bypass Detection

TODO, PRs accepted
