[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
IAM policies can have versioning enabled with up to 5 policy versions at a time (more info). Instead of overwriting an existing IAM policy, versioning will create a new version, set it as the default, and keep the prior policy as another version.
This is a useful feature for tracking changes over time and rolling back if you’ve made a mistake, but it can also lead to vulnerabilities. For that reason, you should limit which users have access to
iam:SetDefaultPolicyVersion as otherwise they can use this to grant themselves higher privilege permissions.
This lab has been misconfigured, so exploit it with
iam:SetDefaultPolicyVersion to grant yourself S3 permissions.
You’ve successfully completed this lab once you’ve accessed and downloaded sensitive files containing customer PII in Amazon S3. (The next lab will switch it up from S3 to keep it interesting, don’t worry!)
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Revert back to a prior policy version that gives permissions to S3
- Using your new permissions, access the S3 bucket containing sensitive data
- Download those files and make sure they contain PII.