AWS - MSK Privesc


MSK

For more information about MSK (Kafka) check:

AWS - MSK Enum

msk:ListClusters, msk:UpdateSecurity

With these privileges and access to the VPC where the Kafka brokers are, you could add None authentication to the cluster in order to access them.

```bash
# UpdateSecurity call; the AWS CLI exposes MSK under the `kafka` command
aws kafka update-security --client-authentication <value> --cluster-arn <value> --current-version <value>
```

You need access to the VPC because None authentication cannot be enabled while Kafka is publicly exposed. If the cluster is publicly exposed and SASL/SCRAM authentication is used, you could read the secret to gain access (you will need additional privileges to read the secret).
If IAM role-based authentication is used and Kafka is publicly exposed, you could still abuse these privileges to grant yourself permissions to access it.
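
To spot this change from the defender's side, the following added example (not part of the original page) scans CloudTrail records for `UpdateSecurity` calls that touch client authentication and rates those enabling None authentication as HIGH. The sample records are constructed, and the `requestParameters` field layout is an assumption based on the UpdateSecurity request body.

```python
import json

# Constructed CloudTrail records (not real logs). The requestParameters layout
# follows the UpdateSecurity request body and is an assumption of this example.
SAMPLE = json.loads("""[
 {"eventSource": "kafka.amazonaws.com", "eventName": "UpdateSecurity",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/constructed-a"},
  "requestParameters": {"clusterArn": "arn:constructed:cluster-1",
   "clientAuthentication": {"unauthenticated": {"enabled": true}}}},
 {"eventSource": "kafka.amazonaws.com", "eventName": "UpdateSecurity",
  "errorCode": "BadRequestException",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/constructed-a"},
  "requestParameters": {"clusterArn": "arn:constructed:cluster-2",
   "clientAuthentication": {"unauthenticated": {"enabled": true}}}},
 {"eventSource": "kafka.amazonaws.com", "eventName": "UpdateSecurity",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/constructed-ops"},
  "requestParameters": {"clusterArn": "arn:constructed:cluster-3",
   "clientAuthentication": {"sasl": {"iam": {"enabled": true}}}}},
 {"eventSource": "kafka.amazonaws.com", "eventName": "ListClusters",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/constructed-a"}}
]""")

def _get(node, *path):
    """Nested lookup, case-insensitive on keys; None if any key is missing."""
    for key in path:
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == key.lower()), None)
    return node

def findings(events):
    """Return (severity, actor, cluster, outcome) for each UpdateSecurity call
    that touches client authentication."""
    out = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("kafka.amazonaws.com", "UpdateSecurity"):
            continue
        auth = _get(ev, "requestParameters", "clientAuthentication")
        if auth is None:  # e.g. an encryption-only change
            continue
        # Enabling None authentication is the change described above.
        opens = _get(auth, "unauthenticated", "enabled") is True
        # A rejected call is still a signal: someone tried to change auth.
        outcome = "failed:" + ev["errorCode"] if ev.get("errorCode") else "applied"
        out.append(("HIGH" if opens else "REVIEW", _get(ev, "userIdentity", "arn"),
                    _get(ev, "requestParameters", "clusterArn"), outcome))
    return out

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(*row, sep="  ")
```

Rejected calls are reported as well, since None authentication cannot be enabled on a publicly exposed cluster and a failed attempt is still worth triaging.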
