
Exercise 24: Privilege Escalation via Misconfigured IAM Roles

May 23, 2025

Objective:

Understand how misconfigured IAM roles and policies can allow attackers to escalate privileges. Simulate an attack where a user with limited permissions exploits IAM role misconfigurations to gain higher privileges.


Scenario:

An organization has an IAM user with limited permissions and an IAM role with broader permissions. Due to improper trust policies or permissions, the user can assume the role and gain unauthorized access to higher privileges. Your goal is to demonstrate privilege escalation and recommend strategies to secure IAM roles and policies.


Lab Setup:

Prerequisites:

  1. Access to an AWS account.
  2. Installed tools:
    • aws-cli (configured with credentials for the account).

Steps to Set Up the Lab:

  1. Create a Limited IAM User:
    • Navigate to IAM > Users > Add users.
    • Configure:
      • User Name: limited-user.
      • Access Type: Programmatic access (to generate Access and Secret keys).
    • Attach a policy with limited permissions:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["sts:AssumeRole"],
              "Resource": "arn:aws:iam::<account-id>:role/escalation-role"
            }
          ]
        }
    • Save the Access Key and Secret Key.
  2. Create an IAM Role with Broader Permissions:
    • Navigate to IAM > Roles > Create Role.
    • Configure:
      • Trusted Entity: Another AWS account or the same account (allowing the user to assume the role).
      • Role Name: escalation-role.
      • Attach a policy with broader permissions:
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
              }
            ]
          }
    • Save the Role ARN.
  3. Verify Role Trust Policy:
    • Edit the trust relationship of the escalation-role to allow the limited-user to assume it:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::<account-id>:user/limited-user"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }

Exercise: Exploiting Misconfigured IAM Roles

Objective:

Simulate an attacker using the limited IAM user credentials to assume the privileged IAM role and perform unauthorized actions.

  1. Configure the Limited IAM User in aws-cli:
    • Set up the user profile:
        aws configure --profile limited-user
    • Enter the Access Key, Secret Key, and default region.
  2. Assume the Privileged Role:
    • Use the sts:AssumeRole API to assume the escalation-role:
        aws sts assume-role \
          --role-arn arn:aws:iam::<account-id>:role/escalation-role \
          --role-session-name privilege-escalation \
          --profile limited-user
    • Note the AccessKeyId, SecretAccessKey, and SessionToken in the output.
  3. Use the Escalated Privileges:
    • Configure a new profile for the assumed role:
        aws configure --profile escalated-role
      • Use the AccessKeyId, SecretAccessKey, and SessionToken from the previous step. Note that aws configure prompts only for the key pair, region, and output format; the temporary credentials are rejected without the session token, so add it separately:
          aws configure set aws_session_token <SessionToken> --profile escalated-role
    • Perform privileged actions:
      • List all S3 buckets:
          aws s3 ls --profile escalated-role
      • Create a new IAM user:
          aws iam create-user --user-name attacker-user --profile escalated-role
  4. Analyze the Exploit:
    • Demonstrate how the limited user escalated privileges to perform unauthorized actions.

Tools Required:

  1. AWS IAM Console: For creating users, roles, and policies.
  2. aws-cli: For simulating the attack and managing credentials.

Deliverables:

  1. Exploit Report:
    • Evidence of assuming the role and performing privileged actions.
    • Logs or screenshots showing unauthorized access using escalated privileges.
  2. Recommendations for Mitigating Privilege Escalation Risks:
    • Steps to secure IAM roles and implement the principle of least privilege.

Solution:

  1. Identified Vulnerabilities:
    • Overly Permissive Role Permissions: The escalation-role had excessive permissions (Action: "*").
    • Improper Trust Policy: Allowed the limited-user to assume a high-privilege role.
    • Lack of Monitoring: No alerts or logs for role assumption activities.
  2. Consequences:
    • Unauthorized Access: The limited user gained access to sensitive resources and actions.
    • Privilege Escalation: The user created new IAM users and manipulated resources.
    • Compliance Violations: Violations of least privilege policies may result in non-compliance with security standards.
  3. Prevention Techniques:
    • Enforce the Principle of Least Privilege:
      • Grant users only the permissions required for their roles.
      • Example policy for the escalation-role:
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": "arn:aws:s3:::specific-bucket-name"
              }
            ]
          }
    • Restrict Trust Policies:
      • Allow only trusted principals to assume roles (trust policy statement):
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<account-id>:user/secure-user"
            },
            "Action": "sts:AssumeRole"
          }
    • Enable Monitoring:
      • Use AWS CloudTrail to log and monitor sts:AssumeRole events.
      • Set up alerts for unauthorized role assumptions.
    • Regularly Audit IAM Policies:
      • Use AWS IAM Access Analyzer to detect overly permissive roles or trust policies.
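As an added example (not part of this exercise or of any AWS tooling), the following Python auditor applies the least-privilege and trust-policy checks above to the lab's own policy documents. The account id 123456789012 is a constructed stand-in for <account-id>, and the allow-list of principals expected to assume the role is an assumption the caller supplies.

```python
WILDCARD = "*"

def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if WILDCARD in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard in {actions}")
        if WILDCARD in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' is not scoped")
    return findings

def audit_trust(trust_policy, allowed_principals):
    """Findings for AssumeRole principals outside the allow-list (AWS principals only;
    Service and Federated principals are ignored here)."""
    findings = []
    for i, st in enumerate(_as_list(trust_policy["Statement"])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = st.get("Principal", {})
        arns = [WILDCARD] if principal == WILDCARD else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == WILDCARD:
                findings.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
            elif arn.endswith(":root"):
                findings.append(f"statement {i}: {arn} lets any identity in that account assume the role")
            elif arn not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {arn}")
    return findings

# Constructed copies of the lab's documents; 123456789012 stands in for <account-id>.
ESCALATION_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::specific-bucket-name"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/limited-user"}}]}
```

Running audit_permissions on the lab's escalation-role policy reports both the wildcard action and the wildcard resource, while the least-privilege replacement policy reports nothing; audit_trust flags limited-user whenever it is not on the supplied allow-list.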

Conclusion:

This exercise demonstrates how misconfigured IAM roles allow privilege escalation, enabling attackers to gain unauthorized access to cloud resources. By enforcing least privilege, securing trust policies, and enabling monitoring, organizations can mitigate the risk of privilege escalation in cloud environments.
