Day 23: AWS Security – S3cret Santa

Continuing the investigation into Wareville's digital infrastructure, Day 23 is titled "AWS Security: S3cret Santa". This mission shifts focus to the cloud, where an infiltrator elf discovered a bundle of credentials belonging to Sir Carrot Bane. The challenge involves navigating the complexities of Identity and Access Management (IAM) and Simple Storage Service (S3) to reclaim access to the TBFC cloud network.
1. The Starting Point: Identity Verification

The investigation begins with a set of compromised AWS Access Keys. To understand the reach of these credentials, the first step is to perform a "sanity check" using the AWS Command Line Interface (CLI).
• Command: aws sts get-caller-identity.
• Result: This reveals the User ID, the Account ID, and the Amazon Resource Name (ARN), confirming which user the credentials belong to and which account they are operating within.
2. Understanding IAM: The Gatekeeper of the Cloud
The core of this challenge lies in IAM, which AWS uses to manage who can access what. The challenge material defines four core components of IAM:
• Users: Single identities with specific credentials.
• Groups: Collections of users that share the same permissions to simplify management.
• Roles: Temporary identities that can be assumed by users or services to gain specific permissions for a limited time.
• Policies: JSON documents that define exactly what actions are allowed on which resources.
3. Privilege Enumeration and The "Assume Role" Attack
Enumerating the permissions of the initial user shows that, while Sir Carrot Bane has only limited read-only access (such as listing users), he holds one highly consequential permission: sts:AssumeRole.
• Finding the Target: Listing the available roles reveals a role named "bucket-master".
• The Transition: Using the command aws sts assume-role, the attacker requests temporary credentials (an Access Key ID, a Secret Access Key, and a Session Token) in order to "become" the bucket-master.
• Escalation: Once these temporary credentials are exported into the environment, the user inherits the permissions of that role, which includes the ability to list buckets and retrieve objects.
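The assumption step above works only because two documents line up: the user's identity policy grants sts:AssumeRole, and the role's trust policy names that user (or the whole account) as a principal. Tightening either side closes the path. The Python below is an added example, not part of the challenge or of any TryHackMe material: it lints both kinds of policy for the broad settings that enable this transition and places each beside a scoped version. The four policy documents, the account id 123456789012, and the names reporting-reader and reporting-bot are constructed placeholders.

```python
"""Lint IAM policy documents for an over-broad role-assumption path.
Added example, not from the challenge. All policies, the account id and
the role/user names below are constructed placeholders."""
from fnmatch import fnmatch

ACCOUNT_ID = "123456789012"  # placeholder account id

# Constructed: identity policy like the one the compromised user held.
# Read-only IAM listing plus sts:AssumeRole on every role in the account.
WEAK_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:ListRoles"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

# Constructed: the same user, with AssumeRole limited to one named role.
SCOPED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:ListRoles"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/reporting-reader"},
    ],
}

# Constructed: role trust policy that lets any principal in the account assume it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}}],
}

# Constructed: trust policy that names one principal and requires MFA.
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/reporting-bot"},
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_assume_role(action):
    """True if an Action entry matches sts:AssumeRole, including wildcards such as sts:*."""
    return fnmatch("sts:assumerole", action.lower())


def find_assume_role_risks(policy):
    """Findings for an identity policy: Allow statements that grant
    sts:AssumeRole on Resource "*" or on a wildcard role ARN."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*" or res.endswith("role/*"):
                findings.append(f"statement {i}: sts:AssumeRole allowed on broad resource {res!r}")
    return findings


def find_trust_policy_risks(trust_policy):
    """Findings for a role trust policy: account-wide (:root) or wildcard
    principals, and the absence of an MFA condition on the assumption."""
    findings = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: assumable by broad principal {p!r}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: no MFA condition on AssumeRole")
    return findings


if __name__ == "__main__":
    for name, check, doc in [("weak user", find_assume_role_risks, WEAK_USER_POLICY),
                             ("scoped user", find_assume_role_risks, SCOPED_USER_POLICY),
                             ("weak trust", find_trust_policy_risks, WEAK_TRUST_POLICY),
                             ("scoped trust", find_trust_policy_risks, SCOPED_TRUST_POLICY)]:
        print(f"{name}: {check(doc) or 'no findings'}")
```

The two checks are deliberately separate because the fix lives in two places: scoping the Resource in the user's policy limits which roles that user can request, while narrowing the Principal and adding an MFA condition in the trust policy limits who the role will accept, even if some other identity policy is later written too loosely.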
4. S3 Investigation: Exfiltrating the Secrets
With the bucket-master role active, the focus moves to Amazon S3, an object storage service where data is stored in buckets.
• Discovery: Listing the S3 buckets reveals one titled "Easter Secrets".
• Extraction: Inside the bucket, a file named cloud-password.txt is found. By using the aws s3 cp command, the file is downloaded to the local machine, exposing sensitive data that was meant to be protected.
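Seen from the defender's side, the whole chain leaves a trail in CloudTrail: the IAM user's AssumeRole call, then ListBuckets and GetObject made by the resulting role session, whose ARN appears in the AssumeRole response. The Python below is an added example, not part of the challenge, that correlates those records into one alert per session that went on to read S3. The events are constructed to follow CloudTrail's field layout (eventTime, eventSource, eventName, userIdentity, requestParameters, responseElements); the account id, the user names carrot-bane and scheduler, the session names and the timestamps are placeholders. Note that GetObject is an S3 data event, which CloudTrail records only when data event logging is enabled for the trail or bucket.

```python
"""Correlate CloudTrail-style records into one alert per AssumeRole session
that went on to read S3. Added example, not part of the challenge; the
records are constructed with placeholder account id, names and times."""
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account id
FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format
S3_READ_ACTIONS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

USER = {"type": "IAMUser", "userName": "carrot-bane",
        "arn": f"arn:aws:iam::{ACCOUNT}:user/carrot-bane"}
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/bucket-master/cli-session"
JOB_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/nightly-report/scheduler"

# Constructed records following the CloudTrail field layout.
SAMPLE_EVENTS = [
    {"eventTime": "2024-12-23T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": USER},
    {"eventTime": "2024-12-23T10:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "userIdentity": USER},
    # A denied attempt: no responseElements, so no session is created.
    {"eventTime": "2024-12-23T10:01:50Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": USER, "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/admin"}},
    {"eventTime": "2024-12-23T10:02:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": USER,
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/bucket-master",
                           "roleSessionName": "cli-session"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION_ARN}}},
    {"eventTime": "2024-12-23T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN}},
    # GetObject is an S3 data event; it is logged only when data event logging is on.
    {"eventTime": "2024-12-23T10:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
     "requestParameters": {"bucketName": "easter-secrets", "key": "cloud-password.txt"}},
    # A scheduled job assuming its own role and touching only EC2: no alert expected.
    {"eventTime": "2024-12-23T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "scheduler",
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/scheduler"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/nightly-report",
                           "roleSessionName": "scheduler"},
     "responseElements": {"assumedRoleUser": {"arn": JOB_SESSION}}},
    {"eventTime": "2024-12-23T10:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "arn": JOB_SESSION}},
]


def _when(event):
    """Parse the record's eventTime into a datetime."""
    return datetime.strptime(event["eventTime"], FMT)


def detect_role_chain(events, window_minutes=60):
    """For every successful AssumeRole, collect S3 read calls made by the resulting
    session within the window and return one alert per session that read S3."""
    events = sorted(events, key=_when)
    alerts = []
    for e in events:
        if e["eventSource"] != "sts.amazonaws.com" or e["eventName"] != "AssumeRole":
            continue
        session_arn = e.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")
        if not session_arn:
            continue  # failed call (errorCode set): no session to follow
        start, end = _when(e), _when(e) + timedelta(minutes=window_minutes)
        s3_calls = [f for f in events
                    if f["eventSource"] == "s3.amazonaws.com"
                    and f["eventName"] in S3_READ_ACTIONS
                    and f["userIdentity"].get("arn") == session_arn
                    and start <= _when(f) <= end]
        if not s3_calls:
            continue
        alerts.append({
            "user": e["userIdentity"]["arn"],
            "role": e["requestParameters"]["roleArn"],
            "session": session_arn,
            "s3_actions": [f["eventName"] for f in s3_calls],
            "objects_read": [(f["requestParameters"]["bucketName"], f["requestParameters"]["key"])
                             for f in s3_calls if f["eventName"] == "GetObject"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_role_chain(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} assumed {alert['role']} and ran {alert['s3_actions']}; "
              f"objects read: {alert['objects_read']}")
```

Keying on the assumed-role session ARN from responseElements is what ties the later S3 calls back to the human user who started them; the denied AssumeRole has no responseElements and is skipped, and the job that assumes a different role without touching S3 produces no alert, which keeps the rule quiet for routine automation.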
-----------------------------------------------------------------------------------------
Analogy for IAM Roles: Think of an IAM Role like a high-security uniform kept in a locker. A regular employee (the User) might have the key to the locker (AssumeRole permission), but they don't have high-level access themselves. When they put on the uniform (Assume the Role), the security guards (the Policies) allow them into restricted areas like the vault (S3 Buckets) until they take the uniform off again.