Priv Esc

• It's assumed that we have gain access to the AWS Credentials
• We can see if we have permissions using Amazon's policy simulator
• Always look for policies and roles with the * symbol.
• See which user do not have MFA enabled
• User enumeration in IAM Panel and group enumeration
• We can also enumerate roles from the same interface
• Root user is super admin

Listing IAM access Keys

aws iam list-access-keys

1. Enumerating IAM users

Checking credentials for the user

aws sts get-caller-identity

Listing IAM Users

aws iam list-users

Listing the IAM groups that the specified IAM user belongs to

aws iam list-groups-for-user --user-name user-name

Listing all managed policies that are attached to the specified IAM user

aws iam list-attached-user-policies --user-name user-name

Listing the names of the inline policies embedded in the specified IAM user

aws iam list-user-policies --user-name user-name

2. Enumeration Groups IAM

Listing IAM Groups

aws iam list-groups

Listing all managed policies that are attached to the specified IAM Group

aws iam list-attached-group-policies --group-name group-name

Listing the names of the inline policies embedded in the specified IAM Group

aws iam list-group-policies --group-name group name

3. Enumerating Roles

Listing IAM Roles

aws iam list-roles

Listing all managed policies that are attached to the specified IAM role

aws iam list-attached-role-policies --role-name role-name

Listing the names of the inline policies embedded in the specified IAM role

aws iam list-role-policies --role-name role-name
	

4. Enumerating Policies

Listing of IAM Policies

aws iam list-policies

Retrieving information about the specified managed policy

aws iam get-policy --policy-arn policy-arn

Listing information about the versions of the specified managed policy

aws iam list-policy-versions --policy-arn policy-arn

Retrieving information about the specific version of the specified managed policy

aws iam get-policy-version --policy-arn policy-arn --version-id version-id

Retrieving the specified inline policy document that is embedded on the specified IAM user / group / role

aws iam get-user-policy --user-name user-name --policy-name policy-name

aws iam get-group-policy --group-name group-name --policy-name policy-name

aws iam get-role-policy --role-name role-name --policy-name policy-name

Pruebas de Firewall y Configuración de Security Groups

Los Security Groups de EC2 deben restringir el tráfico. Para probar configuraciones incorrectas:

📌 Escanear reglas con AWS CLI:

bash
CopiarEditar
aws ec2 describe-security-groups