AWS IAM Privilege Escalation Learning Path
So you want to learn about AWS IAM privilege escalations…where should you start, and what should you learn?
We launched a course specifically for this purpose called “AWS IAM Privilege Escalation Labs” with the following learning path:
Let’s break down this learning path.
Fundamentals
First things first, we need to cover fundamentals. If you already have some AWS experience, then you might be able to skip this section, but I’d still recommend doing a quick run through because this section covers:
- Useful IAM tips and security tools you can use
- Getting started with the AWS CLI
- Introduction to AWS IAM Enumeration
- IAM Enumeration CLI commands
- Introduction to Secrets Manager Enumeration
- Secrets Manager Enumeration CLI commands
- Introduction to Amazon S3 Enumeration
We include enumeration tips and tricks for S3, Secrets Manager, and IAM, because those are the 3 services we focus on in this course, but the skills you learn going after those 3 services will apply to all other AWS services that could be exploited by a threat actor.
Attack Paths
Once you’ve covered fundamentals, it’s time to learn about IAM-specific attack paths. This course covers quite a few of them, but for a full list, refer to this page.
This course covers:
- iam:CreateAccessKey
- iam:CreateLoginProfile
- iam:UpdateLoginProfile
- iam:SetDefaultPolicyVersion
- iam:AddUserToGroup
- iam:AttachUserPolicy
- iam:AttachGroupPolicy
- iam:PutUserPolicy
- iam:PutGroupPolicy
- iam:AttachRolePolicy
- iam:PutRolePolicy
Not only will you learn about each of these IAM actions, but you will also learn how they can be exploited by threat actors if they’ve been misconfigured — which is very easy to do given how complex IAM is.
Once you’ve learned how they can be exploited, you’ll actually do the exploitation yourself in our 1-Click deploy Hands-On Labs environments. This course is 100% made up of Hands-On Labs which means you jump in and get your hands dirty. You’re not just watching me do it. You’re doing it yourself!
Challenges
After you’ve learned about all of these attack paths, we’ll challenge your new skills with our Challenge Labs. We’ve got 2 challenges in this course:
- Challenge #1 – Secrets Unleashed
- Challenge #2 – IAM Escape Room
Challenge #1 – Secrets Unleashed
In this Challenge Lab, you’ve been hired by a client to find vulnerabilities in their AWS environments. You’ll need to find IAM PrivEsc vulnerabilities that enable you to access a secret API key stored in Secrets Manager from a lower privileged user to prove to your client that there are serious vulnerabilities in their environments that need to be addressed.
Challenge #2 – IAM Escape Room
In this Challenge Lab, you need to find IAM PrivEsc vulnerabilities that will enable you to access proprietary and secret military fighter jet schematics stored in an Amazon S3 bucket so that you can exfiltrate them to your local device.
Course Testimonials
Since launching our course, it’s gotten great reviews and testimonials:
“This course not only taught me how to think like an attacker, but also how easy it is to escalate privileges if excessive IAM permissions are present in the cloud. I honestly loved it and recommend it 100%!” – Mariana Arce Aguilar (Cybersecurity Engineer)
“I thoroughly enjoyed every aspect of this course. The content was engaging and well-structured, and I particularly appreciated the approach it took. Both challenges provided were not only interesting but also highly stimulating. I would strongly recommend this course to anyone interested in AWS Pentesting.” – Revanth (Security Engineer II)
If you’re interested, you can access the course for free here, and some of the Hands-On Labs are also available at no cost.
AWS Security Cheat Sheets
If you’re interested in AWS security, Cybr has the largest collection of high-quality AWS security cheat sheets available for free.
Responses