kbroughton / aws-labs Goto Github PK
View Code? Open in Web Editor NEWsecurity focused labs for AWS
aws-labs's People
Contributors
Stargazers
Watchers
Forkers
juan-guemberenaaws-labs's Issues
New Lab Idea: sts:AssumeRole
sts:AssumeRole has some interesting properties
If the role being assumed has the sts:AssumeRole permission then the role can assume itself NO MATTER WHAT THE CONDITION BLOCK SAYS. The condition block is ignored when the temp creds for a role are used to assume the same role.
Build a lab to explore this. This is very relevant to externalID attacks.
Also, assume-role has a max 12 hr time limit, but again, with the ability to assume itself, this can be extended indefinitely.
https://www.cyberark.com/resources/threat-research-blog/wild-temporary-tokens-and-where-to-find-them-aws-edition
Also explore assume-role across aws accounts and see if there is any difference in rules.
config rule PassRole experiment
setup:
NotAction policy restricting iam:, sts:
Can we use ConfigRule or other ServiceLinked role to modify existing Config task?
I can change Config Rules
Config triggers lambda and associates role because it has PassRole:* Condition passedToService: Config or soemthing.
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html
Deployment option - lambda container
This describes having a jupyter notebook hosted on Lambda
https://towardsdatascience.com/how-to-build-an-aws-lambda-for-data-science-cec62deaf0e9
add iam:PassedToService lab
Elaborate on this question to make a new passrole lab
From Cloud Security Form Slack
I have a question with regards to below. Its from below article. It states “If there is no condition field, the principal can pass a role to any service.” (point #3). But my question is, lets say the “DevOpsEC2-*” role has trust relationship with only EC2…. why would i be able to pass this to any service other than EC2 ?? I hope i am making sense
https://unit42.paloaltonetworks.com/iam-roles-compromised-workloads/
you are correct, it wouldn't work if the trust policy didn't list it as a service however, the main difference is that by adding thee passedtoservice, your prevention of passing that role to a service is done so in the sense that the person who is doing the operation might have accesss to modify the trust policy on the role being passed.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.