Today I am releasing Quiet Riot, an “unauthenticated” tool for enumeration of services, roles, and users in an AWS account or in every AWS account in existence.
Update: I’ve also written a follow-up post describing additional capabilities, overall tool impacts, and relevant mitigations.
AWS IAM and Resource-Based Policies Background
AWS services that work with IAM include a number of services that support “resource-based policies”. These resource-based policies allow direct access to AWS service-level resources and are evaluated prior to Identity-based policies when determining whether a given user (unauthenticated user, any authenticated AWS principal, or a specific AWS IAM principal) has access to the specified resource. You can see the approximate policy evaluation logic of AWS IAM below:
Furthermore, AWS defines an IAM Principal as the following:
AWS account and root user
Federated users (using web identity or SAML federation)
Why it matters
To determine the validity of a particular resource-based policy, the AWS IAM engine validates the form of a particular policy and, critically, the validity of included AWS principals, at the time the policy is attached to the relevant resource. Many services that support such resource-based policies will throw an error for an invalid AWS principal in the policy. This means that a policy containing a single AWS principal can be used as a proxy to validate whether that principal exists or not... EVEN FOR ACCOUNTS THAT YOU DON'T OWN.
Originally identified by Daniel Grzelak and subsequently re-discovered a number of times, this technique can help attackers with a key capability — enumerating attack targets (Account IDs) and the associated footprint (root account e-mail, roles, users).
While AWS considers this capability a “feature”, I am curious to see what scale of featureploitation might change the perspective. To this end, I have developed an Offensive Security Tool (OST) to exploit this AWS feature for the maximum possible impact. Even this idea is not new. Will Bengston has previously suggested a similar technique. Seeing as how I haven’t found a tool that implements Will’s suggestion and I have limited software development experience, I decided to take the opportunity to hone my Python chops further.
Quiet Riot Capabilities
To use Quiet Riot, clone the repository and run main.py as the entry point (with sufficient credentials available to the aws cli). It performs automated deployment of the scanning infrastructure (an SNS topic, an ECR Public repository, and an ECR Private repository) and initiates dictionary-attack scanning for Account IDs, roles, and users across AWS. On completion, the tool writes its results to the results/ directory and deletes the infrastructure it created.
Footprinting, Account IDs, and future state
I have included the beginnings of a wordlists directory, but would invite pull requests geared towards including better wordlists. In particular, static vendor users and roles and AWS “service-linked” roles give strong insights into the services and platforms/applications that a particular AWS account has configured.
I have included a list of AWS Account IDs identified so far by the tool. Given that there are 1 trillion potential Account IDs, it is unlikely I will ever enumerate all of them, but that won't stop me from trying. Progress on this front is tracked in wordlists/provided_account_ids.txt.
Finally, I have included a wordlist (wordlists/service-roles.txt) that can be used specifically to identify which services are, or have been, used in a given account. Often the hardest place for attackers to start is determining the footprint of a given cloud environment, and AWS resource-based policy validation is here to help. Use of the following AWS services should be identifiable from the presence of their associated "service-linked" roles:
EC2 Image Builder
Elastic Load Balancer (ELB)
and more …
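As an added example (not part of Quiet Riot or of this post), here is the defender's counterpart to the footprinting described above: an offline audit of which of an account's own principal names a wordlist of this kind would confirm from outside, and which service-linked roles disclose service usage. The IAM output and the wordlist are constructed sample data; the `/aws-service-role/<service-principal>/` path convention is AWS's own.

```python
import json

# AWS places every service-linked role under this path, with the owning service
# principal as the next segment: /aws-service-role/<service-principal>/<RoleName>
SERVICE_LINKED_PREFIX = "/aws-service-role/"


def service_from_path(path):
    """Return the service principal encoded in a service-linked role path, else None."""
    if not path.startswith(SERVICE_LINKED_PREFIX):
        return None
    return path[len(SERVICE_LINKED_PREFIX):].strip("/").split("/")[0] or None


def load_wordlist(lines):
    """Mirror a wordlists/*.txt file: one candidate per line, '#' comments ignored."""
    return {w.strip() for w in lines if w.strip() and not w.lstrip().startswith("#")}


def audit(list_roles_json, list_users_json, wordlist_lines):
    """Classify `aws iam list-roles` / `list-users` output against a wordlist:
    guessable = names an outsider's wordlist would confirm, service_linked = role
    name -> service principal (AWS fixes these names, so a hit discloses that the
    service is configured), opaque = names the wordlist would miss."""
    words = load_wordlist(wordlist_lines)
    report = {"guessable": [], "service_linked": {}, "opaque": []}
    principals = json.loads(list_roles_json)["Roles"] + json.loads(list_users_json)["Users"]
    for item in principals:
        name = item.get("RoleName") or item["UserName"]
        service = service_from_path(item.get("Path", "/"))
        if service:
            report["service_linked"][name] = service
        if name in words:
            report["guessable"].append(name)
        elif not service:
            report["opaque"].append(name)
    return report


# Constructed sample output in the shape of the two IAM list calls; not a real account.
SAMPLE_ROLES = json.dumps({"Roles": [
    {"RoleName": "AWSServiceRoleForElasticLoadBalancing",
     "Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/"},
    {"RoleName": "OrganizationAccountAccessRole", "Path": "/"},
    {"RoleName": "prj-7f3a-deploy", "Path": "/"}]})
SAMPLE_USERS = json.dumps({"Users": [
    {"UserName": "admin", "Path": "/"}, {"UserName": "svc-x9q2-ci", "Path": "/"},
    {"UserName": "terraform", "Path": "/"}]})
SAMPLE_WORDLIST = ["# constructed wordlist", "admin", "terraform",
                   "OrganizationAccountAccessRole", "AWSServiceRoleForElasticLoadBalancing"]
SAMPLE_REPORT = audit(SAMPLE_ROLES, SAMPLE_USERS, SAMPLE_WORDLIST)
```

Feed it the real output of the two list calls and the repository's wordlists to see how much of your own footprint a dictionary attack would recover; only the opaque bucket stays hidden from an unauthenticated scanner.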
Author’s Note: While limited testing has been performed without incurring costs, the author takes no responsibility for costs incurred by running the tool.