AWS - Step Functions Enum

Reading time: 11 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Step Functions

AWS Step Functions ni huduma ya mchakato inayokuwezesha kuratibu na kuandaa huduma nyingi za AWS katika michakato isiyo na seva. Kwa kutumia AWS Step Functions, unaweza kubuni na kuendesha michakato inayounganisha huduma mbalimbali za AWS kama AWS Lambda, Amazon S3, Amazon DynamoDB, na nyingine nyingi, katika mfululizo wa hatua. Huduma hii ya uratibu inatoa kiolesura cha mchakato wa kuona na inatoa uwezo wa mashine ya hali, ikikuruhusu kufafanua kila hatua ya mchakato kwa njia ya kutangaza kwa kutumia lugha ya Amazon States Language (ASL) inayotegemea JSON.

Key concepts

Standard vs. Express Workflows

AWS Step Functions inatoa aina mbili za michakato ya mashine ya hali: Standard na Express.

  • Standard Workflow: Aina hii ya mchakato wa kawaida imeundwa kwa ajili ya michakato ya muda mrefu, ya kudumu, na inayoweza kukaguliwa. Inasaidia utendaji wa mara moja tu, kuhakikisha kazi zinafanyika mara moja tu isipokuwa ikiwa kurudiwa kumetajwa. Ni bora kwa michakato inayohitaji historia ya kina ya utendaji na inaweza kuendesha kwa muda wa hadi mwaka mmoja.
  • Express Workflow: Aina hii ni bora kwa kazi zenye kiasi kikubwa, za muda mfupi, zinazoendesha hadi dakika tano. Zinasaidia utendaji wa angalau mara moja, zinazofaa kwa kazi zisizobadilika kama usindikaji wa data. Michakato hii imeboreshwa kwa gharama na utendaji, ikitoza kulingana na utendaji, muda, na matumizi ya kumbukumbu.

States

Hali ni vitengo muhimu vya mashine za hali. Zinafafanua hatua za kibinafsi ndani ya mchakato, zikiwa na uwezo wa kutekeleza kazi mbalimbali kulingana na aina yake:

  • Task: Inatekeleza kazi, mara nyingi ikitumia huduma ya AWS kama Lambda.
  • Choice: Inafanya maamuzi kulingana na ingizo.
  • Fail/Succeed: Inamaliza utendaji kwa kushindwa au kufanikiwa.
  • Pass: Inapitisha ingizo kwa pato au kuingiza data.
  • Wait: Inachelewesha utendaji kwa muda uliowekwa.
  • Parallel: Inaanzisha matawi ya sambamba.
  • Map: Inarudia hatua kwa vitu kwa njia ya dinamik.

Task

Hali ya Task inawakilisha kitengo kimoja cha kazi kinachotekelezwa na mashine ya hali. Tasks zinaweza kuita rasilimali mbalimbali, ikiwa ni pamoja na shughuli, kazi za Lambda, huduma za AWS, au APIs za wahusika wengine.

  • Activities: Wafanyakazi maalum unayoshughulikia, wanaofaa kwa michakato ya muda mrefu.
  • Rasilimali: arn:aws:states:region:account:activity:name.
  • Lambda Functions: Inatekeleza kazi za AWS Lambda.
  • Rasilimali: arn:aws:lambda:region:account:function:function-name.
  • AWS Services: Inajumuisha moja kwa moja na huduma nyingine za AWS, kama DynamoDB au S3.
  • Rasilimali: arn:partition:states:region:account:servicename:APIname.
  • HTTP Task: Inaita APIs za wahusika wengine.
  • Uwanja wa rasilimali: arn:aws:states:::http:invoke. Kisha, unapaswa kutoa maelezo ya usanidi wa mwisho wa API, kama vile URL ya API, njia, na maelezo ya uthibitishaji.

Mfano ufuatao unaonyesha ufafanuzi wa hali ya Task inayokita kazi ya Lambda inayoitwa HelloWorld:

json
"HelloWorld": {
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"Parameters": {
"Payload.$": "$",
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:HelloWorld"
},
"End": true
}

Choice

A Choice state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results.

  • Comparison: Kila sheria ya uchaguzi inajumuisha opereta wa kulinganisha (e.g., NumericEquals, StringEquals) inayolinganisha kigezo cha ingizo na thamani iliyotolewa au kigezo kingine.
  • Next Field: Mstates za uchaguzi hazisaidii uwanja wa End, badala yake, zin定义 Next state ya kuhamia ikiwa kulinganisha ni kweli.

Example of Choice state:

json
{
"Variable": "$.timeStamp",
"TimestampEquals": "2000-01-01T00:00:00Z",
"Next": "TimeState"
}

Fail/Succeed

A Fail state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow.

A Succeed state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a Next field.

json
"FailState": {
"Type": "Fail",
"Error": "ErrorName",
"Cause": "Error details"
}

Pass

A Pass state inapitisha ingizo lake kwa pato lake bila kufanya kazi yoyote au kubadilisha ingizo la hali ya JSON kwa kutumia filters, kisha inapitisha data iliyobadilishwa kwa hali inayofuata. Ni muhimu kwa kupima na kujenga mashine za hali, ikiruhusu kuingiza data ya kudumu au kuibadilisha.

json
"PassState": {
"Type": "Pass",
"Result": {"key": "value"},
"ResultPath": "$.newField",
"Next": "NextState"
}

Wait

A Wait state inachelewesha utekelezaji wa mashine ya hali kwa muda ulioainishwa. Kuna mbinu tatu kuu za kuunda muda wa kusubiri:

  • X Seconds: Nambari thabiti ya sekunde za kusubiri.
json
"WaitState": {
"Type": "Wait",
"Seconds": 10,
"Next": "NextState"
}
  • Absolute Timestamp: Wakati sahihi wa kusubiri hadi.
json
"WaitState": {
"Type": "Wait",
"Timestamp": "2024-03-14T01:59:00Z",
"Next": "NextState"
}
  • Dynamic Wait: Kulingana na input kwa kutumia SecondsPath au TimestampPath.
json
jsonCopiar código
"WaitState": {
"Type": "Wait",
"TimestampPath": "$.expirydate",
"Next": "NextState"
}

Parallel

A Parallel state inaruhusu kutekeleza matawi mengi ya kazi kwa wakati mmoja ndani ya mtiririko wako wa kazi. Kila tawi linafanya kazi kwa uhuru na linafanya mchakato wa hali zake mwenyewe. Utekelezaji unasubiri hadi matawi yote yakamilike kabla ya kuendelea na hali inayofuata. Sehemu zake kuu ni:

  • Branches: Array inayofafanua njia za utekelezaji wa sambamba. Kila tawi ni mashine tofauti ya hali.
  • ResultPath: Inafafanua wapi (katika input) kuweka matokeo yaliyojumuishwa ya matawi.
  • Retry and Catch: Mipangilio ya kushughulikia makosa kwa hali ya sambamba.
json
"ParallelState": {
"Type": "Parallel",
"Branches": [
{
"StartAt": "Task1",
"States": { ... }
},
{
"StartAt": "Task2",
"States": { ... }
}
],
"Next": "NextState"
}

Ramani

Hali ya Ramani inaruhusu utekelezaji wa seti ya hatua kwa kila kipengee katika dataset. Inatumika kwa usindikaji wa data kwa wakati mmoja. Kulingana na jinsi unavyotaka kusindika vipengee vya dataset, Step Functions inatoa njia zifuatazo:

  • Njia ya Ndani: Inatekeleza subset ya hali kwa kila kipengee cha JSON array. Inafaa kwa kazi ndogo zenye iterations zisizozidi 40, ikikimbia kila moja katika muktadha wa workflow inayojumuisha hali ya Ramani.
json
"MapState": {
"Type": "Map",
"ItemsPath": "$.arrayItems",
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "INLINE"
},
"StartAt": "AddState",
"States": {
"AddState": {
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"OutputPath": "$.Payload",
"Parameters": {
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:add-function"
},
"End": true
}
}
},
"End": true
"ResultPath": "$.detail.added",
"ItemsPath": "$.added"
}
  • Njia Iliyosambazwa: Imeundwa kwa ajili ya usindikaji wa wakati mmoja kwa kiwango kikubwa na concurrency ya juu. Inasaidia usindikaji wa datasets kubwa, kama zile zilizohifadhiwa katika Amazon S3, ikiruhusu concurrency ya juu ya hadi 10,000 ya utekelezaji wa workflow wa watoto, ikikimbia watoto hawa kama utekelezaji wa mtoto tofauti.
json
"DistributedMapState": {
"Type": "Map",
"ItemReader": {
"Resource": "arn:aws:states:::s3:getObject",
"Parameters": {
"Bucket": "my-bucket",
"Key": "data.csv"
}
},
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "DISTRIBUTED",
"ExecutionType": "EXPRESS"
},
"StartAt": "ProcessItem",
"States": {
"ProcessItem": {
"Type": "Task",
"Resource": "arn:aws:lambda:region:account-id:function:my-function",
"End": true
}
}
},
"End": true
"ResultWriter": {
"Resource": "arn:aws:states:::s3:putObject",
"Parameters": {
"Bucket": "myOutputBucket",
"Prefix": "csvProcessJobs"
}
}
}

Matoleo na majina

Step Functions pia inakuwezesha kudhibiti utekelezaji wa workflow kupitia matoleo na majina ya mashine za hali. Toleo linawakilisha picha ya mashine ya hali ambayo inaweza kutekelezwa. Majina hutumikia kama viashiria vya matoleo mawili ya mashine ya hali.

  • Matoleo: Picha hizi zisizobadilika za mashine ya hali zinaundwa kutoka kwa toleo la hivi karibuni la mashine hiyo ya hali. Kila toleo linatambulishwa na ARN ya kipekee inayounganisha ARN ya mashine ya hali na nambari ya toleo, iliyotenganishwa na koloni (arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number). Matoleo hayawezi kubadilishwa, lakini unaweza kuboresha mashine ya hali na kuchapisha toleo jipya, au kutumia toleo la mashine ya hali unalotaka.
  • Majina: Viashiria hivi vinaweza kurejelea hadi matoleo mawili ya mashine moja ya hali. Majina mengi yanaweza kuundwa kwa mashine moja ya hali, kila moja ikitambulishwa na ARN ya kipekee iliyoundwa kwa kuunganisha ARN ya mashine ya hali na jina la jina, iliyotenganishwa na koloni (arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName). Majina yanaruhusu kuelekeza trafiki kati ya moja ya matoleo mawili ya mashine ya hali. Vinginevyo, jina linaweza kuelekeza kwenye toleo moja maalum la mashine ya hali, lakini si kwenye majina mengine. Yanweza kuboreshwa ili kuelekeza kwenye toleo tofauti la mashine ya hali kadri inavyohitajika, kurahisisha utekelezaji wa kudhibitiwa na usimamizi wa workflow.

Kwa maelezo zaidi kuhusu ASL, angalia: Amazon States Language.

Majukumu ya IAM kwa Mashine za Hali

AWS Step Functions inatumia majukumu ya AWS Identity and Access Management (IAM) kudhibiti ufikiaji wa rasilimali na vitendo ndani ya mashine za hali. Hapa kuna vipengele muhimu vinavyohusiana na usalama na majukumu ya IAM katika AWS Step Functions:

  • Jukumu la Utekelezaji: Kila mashine ya hali katika AWS Step Functions inahusishwa na jukumu la IAM la utekelezaji. Jukumu hili linaeleza vitendo gani mashine ya hali inaweza kutekeleza kwa niaba yako. Wakati mashine ya hali inahamia kati ya hali zinazoshirikiana na huduma za AWS (kama vile kuita kazi za Lambda, kufikia DynamoDB, nk), inachukua jukumu hili la utekelezaji ili kutekeleza vitendo hivyo.
  • Ruhusa: Jukumu la utekelezaji la IAM lazima liwe limeundwa na ruhusa zinazoruhusu vitendo vinavyohitajika kwenye huduma nyingine za AWS. Kwa mfano, ikiwa mashine yako ya hali inahitaji kuita kazi za AWS Lambda, jukumu la IAM lazima liwe na ruhusa za lambda:InvokeFunction. Vivyo hivyo, ikiwa inahitaji kuandika kwenye DynamoDB, ruhusa zinazofaa (dynamodb:PutItem, dynamodb:UpdateItem, nk.) lazima zipewe.

Uhesabu

Sera ya ReadOnlyAccess inatosha kwa vitendo vyote vya uhesabu vifuatavyo.

bash
# State machines #

## List state machines
aws stepfunctions list-state-machines
## Retrieve informatio about the specified state machine
aws stepfunctions describe-state-machine --state-machine-arn <value>

## List versions for the specified state machine
aws stepfunctions list-state-machine-versions --state-machine-arn <value>
## List aliases for the specified state machine
aws stepfunctions list-state-machine-aliases --state-machine-arn <value>
## Retrieve information about the specified state machine alias
aws stepfunctions describe-state-machine-alias --state-machine-alias-arn <value>

## List executions of a state machine
aws stepfunctions list-executions --state-machine-arn <value> [--status-filter <RUNNING | SUCCEEDED | FAILED | TIMED_OUT | ABORTED | PENDING_REDRIVE>] [--redrive-filter <REDRIVEN | NOT_REDRIVEN>]
## Retrieve information and relevant metadata about a state machine execution (output included)
aws stepfunctions describe-execution --execution-arn <value>
## Retrieve information about the state machine associated to the specified execution
aws stepfunctions describe-state-machine-for-execution --execution-arn <value>
## Retrieve the history of the specified execution as a list of events
aws stepfunctions get-execution-history --execution-arn <value> [--reverse-order | --no-reverse-order] [--include-execution-data | --no-include-execution-data]

## List tags for the specified step Functions resource
aws stepfunctions list-tags-for-resource --resource-arn <value>

## Validate the definition of a state machine without creating the resource
aws stepfunctions validate-state-machine-definition --definition <value> [--type <STANDARD | EXPRESS>]

# Activities #

## List existing activities
aws stepfunctions list-activities
## Retrieve information about the specified activity
aws stepfunctions describe-activity --activity-arn <value>

# Map Runs #

## List map runs of an execution
aws stepfunctions list-map-runs --execution-arn <value>
## Provide information about the configuration, progress and results of a Map Run
aws stepfunctions describe-map-run --map-run-arn <value>
## Lists executions of a Map Run
aws stepfunctions list-executions --map-run-arn <value> [--status-filter <RUNNING | SUCCEEDED | FAILED | TIMED_OUT | ABORTED | PENDING_REDRIVE>] [--redrive-filter <REDRIVEN | NOT_REDRIVEN>]

Privesc

Katika ukurasa ufuatao, unaweza kuangalia jinsi ya kudhulumu ruhusa za Step Functions ili kupandisha mamlaka:

AWS - Step Functions Privesc

Post Exploitation

AWS - Step Functions Post Exploitation

Persistence

AWS - Step Functions Persistence

References

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks