Cloud technologies are great for making it easy to set up infrastructure for apps and services. Increasingly, companies and independent developers are moving their projects to AWS, Azure, or others. In this article, we'll get familiar with the basics of cloud technologies, find out what services we can use, and analyze how hackers can gain access. We will conduct reconnaissance and gather important information.
Cloud is a technology that provides Internet users access to computer resources of the server and use of software as an online service. This means that even from a smartphone that has an Internet connection, you can perform complex calculations and process your data using the power of a remote server.
What services can we get?
SaaS (software as a service) - providing software and services.
IaaS (infrastructure as a service) - is a representation of computer infrastructure in the form of virtualization.
PaaS (platform as a service) - allows you to rent a virtual server (instance).
FaaS (Function as a Service) - also known as serverless computing, enables developers to deploy individual functions or units of code in response to events.
DaaS (Desktop as a Service) - provides a virtual desktop infrastructure.
DBaaS (Database as a Service) - offers database management and maintenance as a cloud service.
DRaaS (Disaster Recovery as a Service) - provides a cloud-based solution for disaster recovery, ensuring data backup and business continuity in case of emergencies.
IAM
Identity and access management (IAM) is one of the foundational services of Amazon's cloud infrastructure. It allows you to manage access to AWS resources. Users, groups, roles, and their access are administered here. The structure of this service is shown in the following illustration:
Policy
The policy contains information about what the user can and cannot do and what his/her rights are. Policies can be applied to groups, users, or roles. For example, if a policy allows the action GetUser, then a user with the policy can get information about other users.
Within the policy are three important components:
1. Effect - used to grant or deny access.
2. Action - includes a list of actions that the policy allows or prohibits.
3. Resource - lists the resources to which the policy applies.
User
An IAM user is an entity that is created in AWS to represent the person or application using it. Users have a so-called User ARN (Amazon resource name), which looks like the following:
arn:partition:service:region:account:resource
where
- arn is the string identifier;
- partition identifies the partition for the resource. For standard AWS regions, the aws partition is used.
- service identifies the AWS product. IAM resources always use “iam”;
- region identifies the region of the resource. For IAM resources, this field is always left blank;
- account specifies the AWS account ID without hyphens;
- resource identifies a specific resource by name.
Here are some examples of ARNs:
arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:role/my-role
arn:aws:iam::123456789012:user/JohnDoe
arn:aws:iam::123456789012:group/Developers
Group
An IAM group is a collection of users. Groups make it easier to manage
them. A group can contain multiple users, and a user can belong to multiple groups.
Role
An IAM role is an entity that defines a set of permissions for making requests to AWS services. Using roles is a secure way to grant permissions to specific entities. For example, a hacker can try to take on a certain role, if he has the permissions to do so, and gain the privileges of that role. Roles are created so that you don't have to register an additional account for some automated tasks. A role is often tied to a service.
EC2
Also known as Elastic Compute Cloud. It is a virtual server (instance) on which the user can run any application to solve his own tasks. The instance consists of the following components:
1. Operating system - almost any operating system can be installed on the EC2.
2. Access - how you can access EC2 over the Internet.
3. Address - the IP address to which the instance responds.
4. Storage - the location where the instance's data is stored.
5. Security Groups - a set of rules that apply to EC2, they allow you to control incoming and outgoing traffic.
6. VPC (virtual private cloud) - an isolated cloud network where our instance can reside.
Initial Access
There are different methods to get into the clouds. We'll be going through the AWS CLI, which is the command line interface for working with AWS. We will need a special secret key identifier and the secret key itself, once provided we will be able to work with the cloud. We will use IAM as the entry point.
Reconnaissance
On computers that interact with Amazon Cloud Services, there is usually a credentials file that contains the secret access key ID and the key itself. The standard file location paths are as follows. In Linux:
/root/.aws/credentials
/home/user/.aws/credentials
Windows:
%userprofile%\.aws\credentials
These credentials can be found in public repositories. In addition, you should not forget about environment variables. We are interested in the following values:
aws_access_key
aws_secret_key
aws_access_key_id
aws_secret_access_key
S3_BUCKET
S3_ACCESS_KEY_ID
S3_SECRET_ACCESS_KEY
Connection
After receiving the ID and key, we can install AWS CLI with the following command.
kali> sudo apt install awscli -y
To connect, run the following command:
kali> aws configure
To find out under which account you are connected to the system, Linux uses the “whoami” command, but AWS does not have it. To find out your username, enter the following command:
kali> aws sts get-caller-identity
I AM Users
Users are the most popular entry point into the AWS cloud. It is the user account that can be found in the “.aws/credentials” file as well as in public repositories.
The first step is to find all registered users in the cloud:
kali> aws iam list-users
Users can be members of groups, and these groups can have misconfigured policies attached to them. The next command will determine which groups each user is a member of:
kali> aws iam list-groups-for-user --user-name <username>
In addition to groups, policies can also be bound directly to a user. Let's check if there is such a binding in our case:
kali> aws iam list-attached-user-policies --user-name <username>
kali> aws iam list-user-policies --user-name <username>
Groups
Groups can also have policies attached to them that can help us during the privilege escalation phase. To see all IAM groups, type the following:
kali> aws iam list-groups
The following commands help you find the policies that apply to a group.
For the managed policies:
kali> aws iam list-group-policies --group-name <group-name>
And for the attached policies:
kali> aws iam list-attached-group-policies --group-name <group-name>
Roles
Roles interest us for the same reasons we are interested in groups. We can use roles to our advantage if we have the “iam:PassRole” privilege.
You can see all IAM roles using the following command:
kali> aws iam list-roles
Policies
Policies within AWS contain information about the privileges granted to users. There's a very useful site, “policysim.aws.amazon.com”, where you can upload the obtained policy and work with it conveniently, applying filters.
At the same time, policies can be either inline or managed. They serve the same functions: granting or denying permissions. The difference with inline policies is that they are actually embedded in the group, user, or role to which they are applied. This creates a strict link: one policy to one object. When a user, group, or role is deleted, this policy will also be deleted. Inline policies are often applied to guarantee that privileges are not accidentally granted to any other object. However, Amazon recommends using managed policies instead of inline ones.
Managed policies are slightly more convenient. The most important thing is that they can be attached to multiple objects at once. Managed policies are divided into two types: managed policy and customer-managed policy. The first type eliminates the need to write the policy yourself, as AWS has taken care of this and provided some options for the most common cases, such as “AmazonDynamoDBFullAccess”, “AWSCodeCommitPowerUser”, and similar ones. The standard-managed policy cannot be edited. The second type - customer-managed policy - is used if more fine-tuning of privileges is required. In this case, you will have to create the policy yourself.
You can see the list of IAM policies with the following command:
kali> aws iam list-policies
To get information about a particular policy, use the following syntax:
kali> aws iam get-policy --policy-arn <policy-arn>
Several different versions of the same policy can exist simultaneously in AWS. For example, let's say that the first version of the policy gave us full access to all resources, and the second version of the policy already restricted us in some way. We need to know in order to escalate privileges in the future.
To get the version information of the specified policy, use the following command:
kali> aws iam list-policy-versions --policy-arn <policy-arn>
Summary
In this article, we have reviewed the basics of cloud technologies and their application. We accessed the cloud and looked around, gaining important information for escalating privileges in the future.
To be continued...
Olexander