# Misconfigurations with AWS IAM ## Introduction AWS Identity and Access Management enables fine grained access control to AWS resources. AWS IAM is a completely free to use service and a fundamental service to have security for everything in AWS. * `AWS services` need to be managed * This requires access to these services * These services allow us to work with `AWS resources` * IAM allows us to **manage access securely** ## What are we going to cover? This chapter covers misconfigurations in AWS IAM policies & how that can be used for malicious purpose. ### Misconfigured IAM policies AWS IAM policy mis-configurations can occur in various ways. This could be due to a broad Action or broad Resource or a combination of both, resulting in overly permissive policies. Alternatively, since AWS allows you to have upto 5 versions of a policy, only one of which is active at any given moment, there could be a policy that has a vulnerable older version that can be activated instead. `aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2` The first example that we saw with common mis-configurations was a policy that was not bound to a particular Action or Resource. * usage of wildcard\* not bound to action/resource. Here we have a policy that when evaluated by AWS, effectively gives the user or the role Administrative Access to the AWS account. This is one of the most dangerous policy definitions and must never be used unless absolutely required within AWS. ```json { "Version": "2012-10-17", "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*" } ] } ``` * Using "Action" that could lead to impersonation of another user. ```json { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*" } ] } ``` * Here we have is that of the presence of sts:AssumeRole. This operation allows the user or the role to assume the privileges of a role in AWS. For example, if we had access to a user with the sts:AssumeRole operation allowed, and a role with an ARN of arn:aws:iam::123456789123:role/adminrole exists on AWS for the account then the following command would generate an AWS\_ACCESS\_KEY\_ID, a AWS\_SECRET\_ACCESS\_KEY, and a AWS\_SESSION\_TOKEN which could then be used to impersonate the role with all of its privileges. `aws sts assume-role --role-arn arn:aws:iam::123456789123:role/adminrole --role-session-name impersonatingrole` ## Additional references * [Getting started](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) * [Lambda functions made easy](https://codeburst.io/aws-lambda-functions-made-easy-1fae0feeab27) * [Lambhack](https://github.com/wickett/lambhack) * [AWS vulnerable lambda](https://github.com/torque59/AWS-Vulnerable-Lambda) * [Hacking Serverless runtimes](https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) * [Gone in 60 milliseconds](https://www.youtube.com/watch?v=YZ058hmLuv0) * [Build and deploy a serverless REST API using chalice](https://aws.amazon.com/blogs/developer/build-and-deploy-a-serverless-rest-api-in-minutes-using-chalice/) * [OWASP Top 10 Serverless](https://owasp.org/www-pdf-archive/OWASP-Top-10-Serverless-Interpretation-en.pdf) * [Client-Side Keys, IAM Policies and a Vulnerable Lambda](https://speakerdeck.com/riyazwalikar/raining-shells-in-aws-by-chaining-vulnerabilities?slide=38) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xcriminal.gitbook.io/about-me/cloudsec/aws-identity-and-access-management/iam/misconfigurations-with-aws-iam.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.