diff --git a/content/aws/exploitation/iam_privilege_escalation.md b/content/aws/exploitation/iam_privilege_escalation.md index 6d51bef4c..7d717fa91 100644 --- a/content/aws/exploitation/iam_privilege_escalation.md +++ b/content/aws/exploitation/iam_privilege_escalation.md 
@@ -79,6 +79,12 @@ Another (stealthier) example would be to perform all your API operations at once ## iam:PassRole, glue:CreateDevEndpoint With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:CreateDevEndpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/create-dev-endpoint.html) permissions, an adversary can create a new Glue development endpoint and pass in a more privileged role. It is worth noting that to do this the AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls. +## iam:PassRole, glue:CreateJob +With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:CreateJob](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/create-job.html) permissions, an adversary can create a new Glue job and pass in a more privileged role. The AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls. The [glue:StartJobRun](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/start-job-run.html) privilege would allow for the job to be run. + +## iam:PassRole, glue:UpdateJob +With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:UpdateJob](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/update-job.html) permissions, an adversary can update the role and command associated with a Glue job. 
The AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls. The [glue:StartJobRun](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/start-job-run.html) privilege or some pre-existing trigger could cause the job to run. + ## iam:PassRole, lambda:AddPermission, lambda:CreateFunction With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [lambda:AddPermission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html), and [lambda:CreateFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) permissions, an adversary can create a Lambda function with an existing role. This function could then by updated with lambda:AddPermission to allow another principal in another AWS account the permission to invoke it. It is worth noting that the AWS account must already contain a role that can be assumed by Lambda.
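Review bot: the new glue:CreateJob and glue:UpdateJob entries rely on glue:StartJobRun (or an existing trigger) as the step that actually executes the job, yet their headings list only iam:PassRole plus the create/update permission; for consistency with the lambda entry below, which names every permission it depends on, either add glue:StartJobRun to the headings or open each entry by stating that the escalation only completes once the job is run via glue:StartJobRun or a pre-existing trigger. Minor style point: the sentence "The AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls." now appears verbatim in three consecutive Glue sections, while the existing glue:CreateDevEndpoint entry phrases it as "It is worth noting that ..."; match that wording or hoist the caveat into a single note shared by the Glue entries.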