关于Red-Shadow
Red-Shadow是一款功能强大的AWS IAM漏洞扫描工具,该工具可以帮助你扫描AWS IAM中的错误配置与安全漏洞。
该工具支持检测下列IAM对象中的错误配置:
管理策略(Managed Policies)
用户内联策略(Users Inline Policies)
组内联策略(Groups Inline Policies)
角色内联策略(Groups Inline Policies)
运行机制
针对应用于组的决绝策略,AWS IAM评估逻辑的工作方式与大多数安全工程师用于其他授权机制的工作方式不同。假设具有组资源的策略为显式拒绝,在这种情况下,这只会影响组操作,而不会影响用户操作。
下面给出的是存在漏洞的JSON策略样例:
{"Version": "2012-10-17","Statement": [{"Sid": "ProtectManagersByDeny","Effect": "Deny","Action": "*","Resource": "arn:aws:iam::123456789999:group/managers"}]}在上面这个例子中,这个策略将会拒绝用户、组或策略绑定的任何角色执行任意IAM活动。但实际上,类似iam:ChangePassword这种简单的IAM操作是可以正常执行的,因此上述的拒绝策略将失效。
安全检测
AWS IAM在用户对象操作和组对象操作之间有明确的区分。
以下列表包括工具正在扫描的影响组的拒绝策略上的用户对象操作(除通配符外):
AWS_USER_ACTIONS = ["iam:CreateUser","iam:GetUser","iam:UpdateUser","iam:DeleteUser","iam:GetUserPolicy","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:ListUserPolicies","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:ListAttachedUserPolicies","iam:SimulatePrincipalPolicy","iam:GetContextKeysForPrincipalPolicy","iam:TagUser","iam:UpdateSSHPublicKey","iam:UntagUser","iam:GetSSHPublicKey","iam:ListUserTags","iam:DeleteSSHPublicKey","iam:GetLoginProfile","iam:GetAccessKeyLastUsed","iam:UpdateLoginProfile","iam:UploadSigningCertificate","iam:DeleteLoginProfile","iam:ListSigningCertificates","iam:CreateLoginProfile","iam:UpdateSigningCertificate","iam:EnableMFADevice","iam:DeleteSigningCertificate","iam:ResyncMFADevice","iam:ListServiceSpecificCredentials","iam:ListMFADevices","iam:ResetServiceSpecificCredential","iam:DeactivateMFADevice","iam:CreateServiceSpecificCredential","iam:ChangePassword","iam:UpdateServiceSpecificCredential","iam:CreateAccessKey","iam:DeleteServiceSpecificCredential","iam:ListAccessKeys","iam:PutUserPermissionsBoundary","iam:UpdateAccessKey","iam:DeleteUserPermissionsBoundary","iam:DeleteAccessKey","iam:ListGroupsForUser","iam:ListSSHPublicKeys","iam:UploadSSHPublicKey"]工具要求
Red-Shadow基于Python 3和Boto3开发,并且需要以下依赖组件:
操作系统环境变量中需配置IAM用户访问密钥。
IAM用户需有足够的权限运行扫描工具。
Python3和pip3。
工具安装
sudo git clone https://github.com/lightspin-tech/red-shadow.gitcd red-shadowpip3 install -r requirements.txt工具使用
python3 red-shadow.py分析结果
++ Starting Red-Shadow ++++ AWS IAM Vulnerability Scanner++ Red Shadow scans for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groupsStep 1: Searching for IAM Group misconfigurations in managed policiesFound potential misconfiguration at arn:aws:iam::123456789999:policy/ProtectManagersProgress: |██████████████████████████████████████████████████| 100.0% CompleteStep 2: Searching for IAM Group misconfigurations in Users inline policiesProgress: |██████████████████████████████████████████████████| 100.0% CompleteStep 3: Searching for IAM Group misconfigurations in Groups inline policiesProgress: |██████████████████████████████████████████████████| 100.0% CompleteStep 4: Searching for IAM Group misconfigurations in Roles inline policiesProgress: |██████████████████████████████████████████████████| 100.0% CompleteDone上述终端输出中,我们可以看到ProtectManagers拒绝策略已失效,并且可能受到提权攻击等威胁。
许可证协议
本项目的开发与发布遵循Apache License 2.0开源许可证协议。
项目地址
Red-Shadow:【点击文末阅读原文】
参考资料
-
https://blog.lightspin.io/aws-iam-groups-authorization-bypass
精彩推荐
本文始发于微信公众号(FreeBuf):使用Red-Shadow扫描AWS IAM中的安全漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论