Unauthenticated AWS IAM Principals Enumeration | Cloud Misconfiguration and Countermeasures.

Tanmay Bhattacharjee
Mar 13, 2024


Context:

Enumerating IAM resources is an important part of mapping the attack surface of a cloud environment and can provide insight into the services a company may be using and the defences that may be in place. IAM misconfigurations can give attackers an opportunity to gain a foothold in an AWS environment. This could be due to missing MFA that allows brute-force attacks, improperly configured trust policies that allow a role to be assumed, or excessive privileges that allow access to be extended further into the environment. It is important for defense- and attack-oriented professionals alike to map out all available IAM resources, because they can often be leveraged in unintended ways: privileges on other objects and resources produce attack chains that make lateral or vertical movement within a cloud environment possible.

Cloud Provider: AWS

Services: S3 and IAM

Tools: Pacu

Lab: https://pwnedlabs.io/labs/unauthenticated-aws-iam-principals-enumeration

Free/Paid: Paid

Learning Outcome:

  • Cross-account IAM principal enumeration via IAM role trust policy
  • Cross-account IAM principal enumeration via S3 bucket policy
  • Cross-account IAM principal enumeration via Lambda function
  • IAM principal enumeration via AWS console
  • Understanding of how to assume IAM roles
  • Familiarity with Pacu
  • S3 bucket enumeration

Scenario:

As a top-tier cybersecurity specialist, you’ve been covertly contracted to probe their AWS defenses. With just an AWS account ID to go on, your mission is to carry out comprehensive IAM enumeration and uncover potential vulnerabilities. Time to dive in.

Starting Point:

An AWS access key and secret key are provided.

Configure:

Enumeration via IAM Role Trust Policy

A trust policy is effectively a document that says which people or services (the “principal entities”) are allowed to assume a certain role, and therefore any permissions assigned to it. It is possible to specify principals in other AWS accounts as long as you know the account ID. What makes this method (and all methods shown in this lab) possible is that AWS returns different output depending on whether an IAM principal exists or not. We can use this behavior to guess different principal names and verify a true or false condition for each one.

The trust policy is a JSON document. The policy used here denies the principal admin in AWS account 104506445608 from assuming the role the policy is attached to.

If you check the screenshot above, my account ID is 107513503799, but I want to enumerate cross-account IAM principals with the help of role names. Yes, for sure I am using Pacu for this activity, which is a popular Python scripting tool by Rhino Security. The other AWS account is 104506445608.

https://cybr.com/courses/pentesting-aws-environments-with-pacu-cloudgoat-and-chatgpt

I tried the CLI command below, with policy.json included, but it wouldn’t work for me.

aws iam update-assume-role-policy --role-name IAMEnum --policy-document file://policy.json

Now we run the Pacu module iam__enum_roles.

The module returns an access key, secret key and session token.

Now we configure the AWS profile with the new access key, secret key and session token, which belong to the Administrator assumed-role user.

aws iam get-role --role-name Administrator

We see that it can manage the S3 bucket it-admin-hl. Issue the following commands to access it and get the flag.

Enumeration via S3 Bucket Policy

We can similarly enumerate IAM users and roles using S3 bucket policies.

Enumeration via Lambda Function

You can follow along and replicate this technique in your own AWS account.

Enumeration via AWS Console

Another IAM user enumeration method uses the AWS console login screen. In the AWS Console, make sure to choose the ‘Root user’ radio button and input an email address you believe is associated with an AWS account. On entering a valid AWS email address you’re prompted to enter the password.

It is worth noting a false-positive case, where an Amazon account exists but has not signed up for AWS. In this case you will still be prompted to enter a password, but there is a clear difference in the form layout for Amazon-only accounts versus AWS accounts.

Countermeasures:

Mitigating the risk associated with unauthenticated AWS IAM (Identity and Access Management) principals enumeration involves several strategic and technical measures. Enumeration attacks typically aim to discover valid user names, roles, or policies in an AWS environment, which can then be used for further attacks. Here’s how you can mitigate this risk effectively:

1. Limit Verbose Error Messages

  • Customize Error Responses: Ensure that your applications and AWS configurations do not return detailed error messages that could help attackers guess user names, roles, or policy names. Generic messages prevent attackers from learning whether their guesses are correct.

2. Implement Strong Naming Conventions

  • Use Non-Descriptive Names: Avoid using easily guessable names for IAM users, roles, or policies. For instance, instead of naming an admin role as admin, use a non-descriptive, unique identifier that does not reveal the role's purpose or level of access.

3. Enable CloudTrail Logging

  • Monitor and Alert: Ensure that AWS CloudTrail is enabled for all regions and that you monitor logs for unusual patterns of access attempts or policy queries. Use Amazon CloudWatch or AWS Lambda to set up real-time alerts based on suspicious activity patterns, such as a high rate of failed authentication attempts or API calls that list or describe IAM resources.

4. Use Multi-Factor Authentication (MFA)

  • Require MFA: Enforce Multi-Factor Authentication for all IAM users, especially those with elevated permissions. MFA adds an extra layer of security, making it more difficult for attackers to gain unauthorized access even if they manage to enumerate IAM principals.

5. Apply the Principle of Least Privilege

  • Restrict Permissions: Ensure IAM policies are strictly scoped to allow only the necessary permissions for a user or role to perform its tasks. Minimize the use of wildcards in IAM policies and regularly review and tighten permissions.

6. Regularly Audit IAM Configurations

  • Use IAM Access Analyzer: Utilize tools like the IAM Access Analyzer to identify and remediate policies that grant public or external access to your resources. Regularly auditing your IAM configurations helps ensure that unintended permissions are not granted.
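As an added example (not from the original post or from Pacu) that serves both the trust-policy discussion in the “Enumeration via IAM Role Trust Policy” section and countermeasures 5 and 6, the Python script below audits role definitions in the shape returned by aws iam get-role and get-role-policy. It lists which external accounts an Allow statement in a trust policy lets assume the role (a Deny statement never grants access, so it is ignored), flags accounts outside an allowlist, and flags permission statements that grant wildcard actions on all resources. All role definitions, account IDs and the allowlist are constructed placeholders.

```python
"""Audit IAM role trust policies and permission policies for cross-account and wildcard grants.

Added example, not the post's or Pacu's code. The roles below are constructed
sample data; the account IDs are placeholders.
"""

OWN_ACCOUNT = "111122223333"         # account being audited (placeholder)
TRUSTED_ACCOUNTS = {"444455556666"}  # external accounts allowed to assume roles here (placeholder)


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """'arn:aws:iam::123456789012:user/x' -> '123456789012'; bare IDs and '*' pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def external_principals(trust_policy, own_account=OWN_ACCOUNT):
    """Accounts (or '*') outside `own_account` that an Allow statement lets assume the role."""
    found = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            acct = _account_of(p)
            if acct != own_account:
                found.add(acct)
    return found


def wildcard_statements(policy):
    """Indices of Allow statements granting Action '*' (or 'service:*') on Resource '*'."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            hits.append(i)
    return hits


def audit_role(role, own_account=OWN_ACCOUNT, trusted=TRUSTED_ACCOUNTS):
    """Return human-readable findings for one role definition."""
    name = role["RoleName"]
    findings = []
    for acct in sorted(external_principals(role["AssumeRolePolicyDocument"], own_account)):
        if acct == "*":
            findings.append(f"{name}: trust policy allows ANY AWS principal to assume the role")
        elif acct not in trusted:
            findings.append(f"{name}: trust policy allows untrusted account {acct}")
    for policy_name, doc in role.get("InlinePolicies", {}).items():
        for idx in wildcard_statements(doc):
            findings.append(f"{name}: inline policy {policy_name} statement {idx} "
                            "grants wildcard actions on all resources")
    return findings


# Constructed sample roles (not real accounts or policies).
ADMIN_ROLE = {
    "RoleName": "Administrator",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "InlinePolicies": {"AdminAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
}
DEPLOY_ROLE = {
    "RoleName": "DeployRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "sts:AssumeRole"}]},
    "InlinePolicies": {"ReadArtifacts": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"}]}},
}
VENDOR_ROLE = {
    "RoleName": "VendorSupport",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                                  "arn:aws:iam::999999999999:user/contractor"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::777777777777:root"},
         "Action": "sts:AssumeRole"}]},
}

if __name__ == "__main__":
    for role in (ADMIN_ROLE, DEPLOY_ROLE, VENDOR_ROLE):
        for finding in audit_role(role) or [f"{role['RoleName']}: no findings"]:
            print(finding)
```

The same checks can be run over the output of aws iam list-roles together with list-role-policies/get-role-policy for every role in an account; IAM Access Analyzer covers the cross-account trust case as a managed service, and this script shows the logic it applies.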

7. Implement Account Segregation

  • Use Multiple Accounts: Segregate your AWS resources across multiple accounts to limit the impact of an enumeration attack. Utilizing AWS Organizations can help manage and apply consistent policies across accounts.

8. Enable GuardDuty and Security Hub

  • Leverage AWS Security Services: Use Amazon GuardDuty for intelligent threat detection and continuous monitoring. Enable AWS Security Hub for a comprehensive view of your security posture and automated compliance checks against AWS best practices.

How CSPM (Cloud Security Posture Management) helps mitigate misconfiguration:

Continuous Configuration Auditing

CSPM tools continuously scan cloud environments to detect misconfigurations or non-compliant setups that could potentially expose sensitive information about IAM principals. By identifying overly permissive settings or unintended public exposures, CSPM helps prevent attackers from gaining the insights needed to perform enumeration attacks.

Automated Compliance Checks

Many CSPM solutions come pre-configured with benchmarks and compliance frameworks (such as CIS AWS Foundations Benchmark, PCI DSS, HIPAA, etc.) that include specific controls related to IAM policies and practices. These automated checks ensure that IAM configurations adhere to industry best practices, significantly reducing the risk of enumeration by ensuring that access policies are tightly controlled and do not inadvertently reveal user or role information.

Anomaly Detection and Alerting

CSPM platforms often include behavior monitoring and anomaly detection capabilities. They can alert security teams to unusual activity that may indicate an enumeration attempt, such as spikes in failed login attempts or abnormal API call patterns. Early detection allows teams to respond quickly to potential threats before attackers can exploit any discovered information.

Visualization and Risk Assessment

By providing a clear visualization of the cloud environment’s security posture, CSPM tools help organizations understand their attack surface, including potential IAM vulnerabilities. They assess the overall risk environment, highlighting critical vulnerabilities (like those that could lead to IAM enumeration) and offering prioritized recommendations for mitigation.

Access and Identity Insights

CSPM solutions can offer insights into IAM roles, policies, and configurations, helping organizations to implement the principle of least privilege effectively. They identify excessive permissions and unused IAM roles or credentials that could be exploited by attackers, thereby reducing the opportunities for successful enumeration.

Automated Remediation and Enforcement

Beyond identification, many CSPM tools support automated remediation of identified issues or integration with infrastructure as code (IaC) tools to enforce secure configurations programmatically. This capability ensures that IAM policies are promptly corrected to prevent enumeration, without relying solely on manual intervention.

Enhanced Reporting

CSPM tools provide detailed reporting features that can be used to track compliance, security posture improvements, and the handling of identified risks over time. These reports can be invaluable for security teams to understand their progress and for auditing purposes.

In summary, CSPM tools bolster cloud security strategies by ensuring IAM configurations are continuously monitored, compliant, and securely managed. By leveraging CSPM, organizations can significantly reduce the likelihood and impact of unauthenticated AWS IAM principals enumeration, alongside a broad spectrum of other cloud security risks.

Further reading

Daniel Grzelak’s original research / talk: https://www.youtube.com/watch?v=8ZXRw4Ry3mQ

Remastered talk by Scott Piper: https://www.youtube.com/watch?v=8ZXRw4Ry3mQ

https://github.com/righteousgambitresearch/quiet-riot

Pacu wordlists for IAM users and roles
