AWS

Assessments

aws_escalate (setup under "Check for privilege escalation" below)

# -p selects the AWS CLI profile to scan
./aws_escalate.py -p default

CloudMapper

git clone https://github.com/duo-labs/cloudmapper.git
brew install autoconf automake libtool jq awscli python3 pipenv
cd cloudmapper/
pipenv install --skip-lock
pipenv shell
# Adjust your config.json (add the account name and ID you want to collect)
python cloudmapper.py collect --config config.json --account spaceteam
python cloudmapper.py weboftrust --account spaceteam
python cloudmapper.py iam_report --accounts spaceteam

Prowler

git clone https://github.com/toniblyx/prowler
cd prowler
./prowler -sn | aha > prowler-report.htm

PMapper

git clone https://github.com/nccgroup/PMapper.git
cd PMapper
pip install -r requirements.txt
# Use my automated PMapper script
# Create graph only
aws_privilege_audit.py graph
# Create graph and visualize
aws_privilege_audit.py start
# Identify privilege escalation opportunities
aws_privilege_audit.py escalate
# Create pretty graph (render the PMapper SVG to a PNG)
brew install librsvg
rsvg-convert -h 4096 pmapper-viz-acct-12345678910.svg > pmapper-viz-this-acct.png

Misc

Get container-instance ID in ECS

# The ECS agent's introspection endpoint is only reachable from the container instance itself.
# Keep everything after the last "container-instance/" in the ARN.
curl -s http://localhost:51678/v1/metadata | jq -r '.ContainerInstanceArn | sub(".*container-instance/"; "")'

Bash script:

container_instance_id=$(curl -s http://localhost:51678/v1/metadata | jq -r '.ContainerInstanceArn | sub(".*container-instance/"; "")')
echo "$container_instance_id"
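The one-liners above keep whatever follows "container-instance/" in the ARN, which is the bare ID in the legacy ARN format but "cluster-name/id" in the newer one. The following is an added example, not code from the original page: two small functions that extract the ARN from the agent's JSON without jq and reduce either ARN format to the ID. The metadata document is constructed here; on a real instance it comes from http://localhost:51678/v1/metadata.

```shell
# Constructed sample of the ECS agent metadata document (newer ARN format, which
# carries the cluster name between "container-instance/" and the ID).
SAMPLE_METADATA='{"Cluster":"default","ContainerInstanceArn":"arn:aws:ecs:us-east-1:123456789012:container-instance/default/1f3f2bc4d8a44e2c8e2d1f0a1b2c3d4e","Version":"Amazon ECS Agent - v1.0.0 (example)"}'

# Read the metadata JSON on stdin and print the ContainerInstanceArn value.
# Works on both the compact and the pretty-printed agent output, since the key
# and its value are on one line either way.
container_instance_arn() {
  sed -n 's/.*"ContainerInstanceArn" *: *"\([^"]*\)".*/\1/p'
}

# Reduce a container-instance ARN to the bare instance ID.
# Handles both .../container-instance/<id> (legacy) and
# .../container-instance/<cluster>/<id> (current) and refuses anything else.
container_instance_id() {
  arn=$1
  case $arn in
    *container-instance/*) printf '%s\n' "${arn##*/}" ;;
    *) printf 'container_instance_id: not a container-instance ARN: %s\n' "$arn" >&2; return 1 ;;
  esac
}

# On a real container instance:
#   arn=$(curl -s http://localhost:51678/v1/metadata | container_instance_arn)
#   container_instance_id "$arn"
```

Validating the ARN prefix before taking the last path segment is what keeps this from silently returning a wrong value if the endpoint ever answers with a different document.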

Delete untagged images from AWS ECR

# Select repository names explicitly rather than by text column, since the column
# layout of describe-repositories changes as fields are added.
aws ecr describe-repositories --query 'repositories[].repositoryName' --output text | tr '\t' '\n' | while read -r repo; do
  aws ecr list-images --repository-name "$repo" --filter tagStatus=UNTAGGED --query 'imageIds[].imageDigest' --output text | tr '\t' '\n' | while read -r digest; do
    [ -n "$digest" ] && [ "$digest" != "None" ] && aws ecr batch-delete-image --repository-name "$repo" --image-ids imageDigest="$digest"
  done
done

AssumeRole

aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/xaccounts3access \
--role-session-name s3-access-example
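assume-role prints a Credentials object, and the usual next step is to move those temporary keys into the environment. The following is an added example, not code from the original page: a wrapper that asks the CLI for the four credential fields as one tab-separated line, and a filter that turns such a line into export statements and fails rather than emitting partial credentials. The role ARN and session name are the page's placeholders; the credential values in the test are constructed.

```shell
# Fetch temporary credentials for a role as one tab-separated line:
#   AccessKeyId  SecretAccessKey  SessionToken  Expiration
assume_role_creds() {
  aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "$2" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text
}

# Read one such line on stdin and print the matching export statements.
# Returns non-zero and prints nothing if any of the three credential fields is
# missing, so a failed assume-role never leaves the caller with half-set keys
# silently falling back to the previous identity.
creds_to_exports() {
  tab=$(printf '\t')
  IFS=$tab read -r key secret token expiry || return 1
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "creds_to_exports: incomplete credentials on stdin" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
  printf '# session expires at %s\n' "$expiry"
}

# Usage in an interactive shell (ARN and session name are the page's placeholders):
#   eval "$(assume_role_creds arn:aws:iam::123456789012:role/xaccounts3access s3-access-example | creds_to_exports)"
#   aws sts get-caller-identity   # should now report the assumed-role ARN
```

Because the CLI's credential precedence puts the environment variables first, exporting all three is enough for every later call in that shell to use the role; unset them (or open a new shell) to drop back to the original identity.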

Check for privilege escalation

git clone https://github.com/RhinoSecurityLabs/Cloud-Security-Research.git
cd Cloud-Security-Research/AWS/aws_escalate/
chmod +x aws_escalate.py
./aws_escalate.py --all-users

List AWS SSM parameters by type and pick out the SecureString ones

aws ssm describe-parameters --region us-west-2 --query 'Parameters[*].{Name: Name, Type: Type}' | jq '.[] | select(.Type=="SecureString")'
# describe-parameters returns names and types only, never values; reading a SecureString
# additionally needs ssm:GetParameter with decryption and kms:Decrypt on the key it was encrypted with.