iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
iam:ListRoles
iam:ListUsers
iam:ListGroups
iam:ListGroupsForUser
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:ListUserPolicies and iam:GetUserPolicy
iam:ListGroupPolicies and iam:GetGroupPolicy
iam:ListRolePolicies and iam:GetRolePolicy
```bash
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your account.
aws iam get-account-authorization-details

# List users
aws iam list-users
aws iam list-ssh-public-keys # User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH # Get public key with metadata
aws iam list-service-specific-credentials # Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> # Get metadata of user, including permissions boundaries
aws iam list-access-keys # List created access keys
## inline policies
aws iam list-user-policies --user-name <username> # Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> # Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> # Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups # Get groups
aws iam list-groups-for-user --user-name <username> # Get groups of a user
aws iam get-group --group-name <name> # Get group name info
## inline policies
aws iam list-group-policies --group-name <group-name> # Get inline policies of the group
aws iam get-group-policy --group-name <group-name> --policy-name <policyname> # Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> # Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles # Get roles
aws iam get-role --role-name <role-name> # Get role
## inline policies
aws iam list-role-policies --role-name <name> # Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> # Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> # Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
```
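As an added example (not part of the original page or of any tool it names), the following Python audit takes the JSON that `aws iam get-account-authorization-details` returns and resolves, per user, the Allow actions coming from inline policies, attached managed policies (default version only, since only that version is in force) and group membership, which is the relationship view a reviewer wants from that snapshot. The sample snapshot is constructed and trimmed to the fields used; Deny statements, Resource and Condition are deliberately not evaluated.

```python
# Constructed sample in the shape of get-account-authorization-details output, trimmed to the fields used here
SNAPSHOT = {
  "UserDetailList": [
    {"UserName": "alice", "GroupList": ["devs"], "AttachedManagedPolicies": [], "UserPolicyList": [
       {"PolicyName": "s3read", "PolicyDocument": {"Statement": [
          {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}}]},
    {"UserName": "bob", "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": [
       {"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}],
  "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": [], "AttachedManagedPolicies": [
       {"PolicyArn": "arn:aws:iam::123456789012:policy/deploy"}]}],
  "Policies": [
    {"Arn": "arn:aws:iam::123456789012:policy/deploy", "PolicyVersionList": [
       {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Statement": [
          {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}},
       {"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Statement": [
          {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}]}}]},
    {"Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", "PolicyVersionList": [
       {"VersionId": "v1", "IsDefaultVersion": True, "Document": {"Statement": [
          {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}}]}]}

def _as_list(x):  # IAM accepts either a string or a list for Statement and Action
    return x if isinstance(x, list) else [x]

def allowed_actions(document):
    """Actions named in Allow statements (Deny, Resource and Condition are not evaluated)."""
    acts = set()
    for st in _as_list(document.get("Statement", [])):
        if st.get("Effect") == "Allow":
            acts.update(_as_list(st.get("Action", [])))
    return acts

def default_policy_docs(snapshot):
    """Policy ARN -> document of its default version, the only version actually in force."""
    return {p["Arn"]: v["Document"] for p in snapshot.get("Policies", [])
            for v in p.get("PolicyVersionList", []) if v.get("IsDefaultVersion")}

def effective_allows(snapshot):
    """Per user: Allow actions from inline and attached policies, both direct and via groups."""
    docs = default_policy_docs(snapshot)
    groups = {g["GroupName"]: g for g in snapshot.get("GroupDetailList", [])}
    out = {}
    for user in snapshot.get("UserDetailList", []):
        acts = set()
        for h in [user] + [groups[g] for g in user.get("GroupList", []) if g in groups]:
            for inline in h.get("UserPolicyList", []) + h.get("GroupPolicyList", []):
                acts |= allowed_actions(inline["PolicyDocument"])
            for att in h.get("AttachedManagedPolicies", []):
                acts |= allowed_actions(docs.get(att["PolicyArn"], {}))
        out[user["UserName"]] = sorted(acts)
    return out
```

Run it on real output by loading the JSON file with `json.load` and passing it to `effective_allows`; a user listed with `iam:PassRole` and `lambda:*` through a group is exactly the kind of indirect grant that per-user listing alone would miss.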
Brute-forcing permissions
If you are interested in your own permissions but you don't have access to query IAM, you can always brute-force them.
bf-aws-permissions
The tool bf-aws-permissions is a bash script that, using the indicated profile, runs every list*, describe* and get* action it can find in the aws cli help messages and returns the ones that execute successfully.
The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the iam:SimulatePrincipalPolicy permission.
```bash
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
```
Perms2ManagedPolicies
If you have found some permissions your user has and you think they are granted by an AWS managed policy (and not a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed policies that grant the permissions you found you have.
```bash
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
```
It is possible to "tell" that the permissions you have are granted by an AWS managed policy when, for example, you see that you have permissions over services that are not used.
Cloudtrail2IAM
CloudTrail2IAM is a Python tool that analyzes AWS CloudTrail logs to extract and summarize the actions performed by everyone, or only by a specific user or role. The tool parses every cloudtrail log from the indicated bucket.
If you find .tfstate files (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find the aws configuration and learn which permissions have been granted to whom.
enumerate-iam
To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints; from those endpoints the script generate_bruteforce_tests.py collects all the "list_", "describe_" and "get_" endpoints. Finally, it tries to access them with the given credentials and reports whether it worked.
(In my experience the tool gets stuck at some point; check this fix to try to correct that.)
In my experience this tool is like the previous one but works worse and checks fewer permissions.
You can also use the tool weirdAAL. This tool checks several common operations on several common services (it checks enumeration permissions and also some privesc permissions). But it only runs the checks that are coded in (the only way to check more things is to write more tests).
```bash
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insertkeyid>
aws_secret_access_key = <insertsecretkey>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions

# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
```
```bash
# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json

# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so check it in the dashboard
steampipe dashboard
```
<YourTool>
None of the previous tools is able to check anywhere near all permissions, so if you know a better tool send a PR!
```bash
# Connect with sso via CLI aws configure sso
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1
```
Enumeration
The main elements of Identity Center are:
Users and groups
Permission Sets: have policies attached
AWS accounts
Then, relationships are created so that users/groups hold Permission Sets over AWS accounts.
Note that there are 3 ways to attach policies to a Permission Set: attaching AWS managed policies, customer managed policies (these policies need to exist in every account the Permission Set affects), and inline policies (defined in the Permission Set itself).
```bash
# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
```
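The assignment model described above (users/groups holding Permission Sets over accounts) is easiest to review once group assignments are expanded to the actual people. The following Python is an added example, not code from the page or from AWS: it joins constructed samples shaped like the `list-account-assignments`, `describe-permission-set`, `list-users` and `list-group-memberships` outputs into an account -> permission set -> users map, so a reviewer can answer "who is AdministratorAccess where" across the organization.

```python
# Constructed samples shaped like the sso-admin / identitystore outputs above (IDs and names made up)
ASSIGNMENTS = [  # list-account-assignments -> AccountAssignments
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-admin",
     "PrincipalType": "GROUP", "PrincipalId": "g-ops"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-ro",
     "PrincipalType": "USER", "PrincipalId": "u-carol"},
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-admin",
     "PrincipalType": "USER", "PrincipalId": "u-dave"}]
PERMISSION_SETS = {  # describe-permission-set -> PermissionSet.Name, keyed by ARN
    "arn:aws:sso:::permissionSet/ssoins-1/ps-admin": "AdministratorAccess",
    "arn:aws:sso:::permissionSet/ssoins-1/ps-ro": "ReadOnly"}
USERS = {"u-carol": "carol", "u-dave": "dave", "u-erin": "erin"}  # identitystore list-users
MEMBERSHIPS = [  # identitystore list-group-memberships --group-id g-ops -> GroupMemberships
    {"GroupId": "g-ops", "MemberId": {"UserId": "u-dave"}},
    {"GroupId": "g-ops", "MemberId": {"UserId": "u-erin"}}]

def group_members(memberships, group_id):
    """User IDs that are direct members of a group."""
    return {m["MemberId"]["UserId"] for m in memberships if m["GroupId"] == group_id}

def effective_assignments(assignments, permission_sets, users, memberships):
    """account -> permission set name -> sorted user names, with groups expanded to their members."""
    out = {}
    for a in assignments:
        ps = permission_sets.get(a["PermissionSetArn"], a["PermissionSetArn"])
        if a["PrincipalType"] == "GROUP":
            ids = group_members(memberships, a["PrincipalId"])
        else:
            ids = {a["PrincipalId"]}
        names = out.setdefault(a["AccountId"], {}).setdefault(ps, set())
        names.update(users.get(i, i) for i in ids)  # unknown IDs are kept as-is for follow-up
    return {acct: {ps: sorted(n) for ps, n in sets.items()} for acct, sets in out.items()}

def holders_of(assignments, permission_sets, users, memberships, ps_name):
    """Every (account, user) pair holding a permission set, e.g. to review who is admin where."""
    eff = effective_assignments(assignments, permission_sets, users, memberships)
    return sorted((acct, u) for acct, sets in eff.items() for u in sets.get(ps_name, []))
```

With real data, feed the `AccountAssignments`, `GroupMemberships` and `Users` lists from the CLI JSON into these functions; nested groups are not expanded here because the identity store memberships above are direct only.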
Local Enumeration
It is possible to create a config file inside the $HOME/.aws folder to configure profiles that are accessible via SSO, for example:
```bash
# Login in my-sso-profile
aws sso login --profile my-sso-profile

# Use dependent-profile
aws s3 ls --profile dependent-profile
```
When a profile from SSO is used to access some information, the credentials are cached in a file inside the $HOME/.aws/sso/cache folder. They can therefore be read and used from there.
Moreover, further credentials may be stored in the $HOME/.aws/cli/cache folder. This cache directory is primarily used when you are working with AWS CLI profiles that use IAM user credentials or assume roles through IAM (without SSO). Config example:
```bash
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
```
Create a group, grant it permissions and put the controlled user in it
Grant extra permissions to the controlled user or group
By default, only users with permissions in the Management Account are able to access and control IAM Identity Center.
However, through a Delegated Administrator it is possible to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.