Monday, February 24, 2020

AWS Role Assumption


Perpetual Self Role Assumption

The script below shows how to daisy-chain role assumption starting from a single role. I run it from an environment with ADFS enabled, so the initial role assumption happens with my network credential via SAML. It works because a role whose permissions policy allows sts:AssumeRole (AdministratorAccess grants all actions, so it does) can call AssumeRole on its own ARN; at the time of writing IAM permitted this even though the role's trust policy names only the SAML provider, not the role itself. (AWS removed that implicit self-trust in June 2023; a role now has to be listed as a principal in its own trust policy before it can assume itself.) If you don't want this to be possible, add an explicit Deny on sts:AssumeRole for the role's own ARN to the role's permissions policy: an explicit Deny overrides the Allow in AdministratorAccess.

1. Create a role with the AdministratorAccess AWS managed policy attached.
2. Set the Trust Relationship to trust your SAML provider ARN, e.g. arn:aws:iam::999999999999:saml-provider/my_adfs
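The two setup steps above, plus the Deny the paragraph recommends, as an added example written for this page (it is not the original post's code). It assumes the AWS Tools for PowerShell IAM and STS cmdlets, the same placeholder account number, provider name and role name as the rest of the page, and, for the final check, that the SAML role profile "999999999999:role/STS-Administrator" has already been stored as shown further down.

```powershell
# Added example (not the original post's code): create the STS-Administrator role with a
# SAML-only trust policy, attach AdministratorAccess, and add an explicit Deny so a session
# of the role cannot chain into the same role. Account, provider and role names are placeholders.
$accountNum  = "999999999999"
$roleName    = "STS-Administrator"
$providerArn = "arn:aws:iam::${accountNum}:saml-provider/my_adfs"
$roleArn     = "arn:aws:iam::${accountNum}:role/${roleName}"

# Trust policy: only federated users from the ADFS provider may assume the role, and only
# via AssumeRoleWithSAML. The role itself is deliberately NOT a trusted principal.
$trustPolicy = [ordered]@{
    Version   = "2012-10-17"
    Statement = @(
        [ordered]@{
            Effect    = "Allow"
            Principal = @{ Federated = $providerArn }
            Action    = "sts:AssumeRoleWithSAML"
            Condition = @{ StringEquals = @{ "SAML:aud" = "https://signin.aws.amazon.com/saml" } }
        }
    )
} | ConvertTo-Json -Depth 10

# Inline permissions policy: explicit Deny on sts:AssumeRole against the role's own ARN.
# An explicit Deny beats the Allow in AdministratorAccess, so a session of this role can no
# longer call AssumeRole on itself, which is exactly the hop the daisy chain relies on.
$denySelfAssume = [ordered]@{
    Version   = "2012-10-17"
    Statement = @(
        [ordered]@{
            Sid      = "DenySelfAssumption"
            Effect   = "Deny"
            Action   = "sts:AssumeRole"
            Resource = $roleArn
        }
    )
} | ConvertTo-Json -Depth 10

New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trustPolicy
Register-IAMRolePolicy -RoleName $roleName -PolicyArn "arn:aws:iam::aws:policy/AdministratorAccess"
Write-IAMRolePolicy -RoleName $roleName -PolicyName "DenySelfAssumption" -PolicyDocument $denySelfAssume

# Check: obtain a session of the role through the stored SAML profile, then try to use that
# session to assume the same role again. With the Deny in place the second call must fail.
$session = Use-STSRole -RoleArn $roleArn -RoleSessionName "check" `
                       -ProfileName "${accountNum}:role/${roleName}" -ErrorAction Stop
try {
    Use-STSRole -RoleArn $roleArn -RoleSessionName "chain" `
        -AccessKey    $session.Credentials.AccessKeyId `
        -SecretKey    $session.Credentials.SecretAccessKey `
        -SessionToken $session.Credentials.SessionToken `
        -ErrorAction Stop | Out-Null
    Write-Warning "Self-assumption still allowed; check the DenySelfAssumption statement."
} catch {
    Write-Host "Self-assumption blocked: $($_.Exception.Message)"
}
```

The Deny is placed in the role's permissions policy rather than the trust policy because the trust policy is only evaluated for the principal named in it (the SAML provider); it is the role session's own permissions that decide whether it may call sts:AssumeRole.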

Setup: register the ADFS endpoint and store every role the SAML assertion offers as a profile

$endPoint = "https://sts.mynet.net/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices"
$storeAs = "ADFS"
$region = "us-east-1"
$accountNum = "999999999999"
$roleName = "STS-Administrator"
$LongprofileName = $accountNum + ":role/" + $roleName
$roleArn = "arn:aws:iam::" + $LongprofileName
$mysessionName = "itsme"
## provide my network credential (the ADFS user, not an AWS access key)
$Cred = Get-Credential -Message "AWS Session credentials (do not include domain)"
## register the ADFS endpoint ##
Set-AWSSamlEndpoint -Endpoint $endPoint -StoreAs $storeAs -AuthenticationType Negotiate
## retrieve ALL roles the SAML assertion allows me and store each one as a profile in the .NET SDK credentials file ##
Set-AWSSamlRoleProfile -EndpointName $storeAs -StoreAllRoles -NetworkCredential $Cred
## view the stored profile list; the profile for our role is named "<account>:role/<role>" ##
Get-AWSCredential -ListProfileDetail

Get keys for the role by assuming itself with "Use-STSRole": the SAML profile yields a session of STS-Administrator, and Use-STSRole then calls AssumeRole on that same role with it

$tempadmin = Use-STSRole `
               -RoleArn $roleArn `
               -ProfileName $LongprofileName `
               -RoleSessionName $mysessionName `
               -Region $region `
               -DurationInSeconds 900

## store the first hop as a named profile in the shared credentials file
Set-AWSCredential -StoreAs $mysessionName `
                  -AccessKey $tempadmin.Credentials.AccessKeyId `
                  -SecretKey $tempadmin.Credentials.SecretAccessKey `
                  -SessionToken $tempadmin.Credentials.SessionToken `
                  -ProfileLocation "$env:USERPROFILE\.aws\credentials"

Using the $tempadmin credential from above, we loop and keep generating more temporary credentials; each hop is requested with the keys from the previous hop, never with the SAML profile again

for ($i = 0; $i -lt 59; $i++) {
    ## the previous hop's session keys become the caller for the next hop
    $skey   = $tempadmin.Credentials.SecretAccessKey
    $akey   = $tempadmin.Credentials.AccessKeyId
    $stoken = $tempadmin.Credentials.SessionToken
    $sessionName = "${mysessionName}_$i"
    $tempadmin = Use-STSRole `
                   -RoleArn $roleArn `
                   -RoleSessionName $sessionName `
                   -Region $region `
                   -AccessKey $akey `
                   -SecretKey $skey `
                   -SessionToken $stoken `
                   -DurationInSeconds 900
    Write-Host "$sessionName will expire at $($tempadmin.Credentials.Expiration)"
    Set-AWSCredential -StoreAs $sessionName `
                      -AccessKey $tempadmin.Credentials.AccessKeyId `
                      -SecretKey $tempadmin.Credentials.SecretAccessKey `
                      -SessionToken $tempadmin.Credentials.SessionToken `
                      -ProfileLocation "$env:USERPROFILE\.aws\credentials"

    ## sleep 1 minute; the 900-second session is renewed long before it expires
    Start-Sleep -Seconds 60
}

In theory, the "for" loop above could run indefinitely and keep minting temporary credentials: each hop is a fresh 900-second session requested with the previous hop's still-valid keys, so after the first hop nothing in the chain depends on the ADFS login again. Two caveats: role chaining caps every hop at one hour (-DurationInSeconds above 3600 is rejected when the caller is itself an assumed-role session), and every hop is a separate sts:AssumeRole call recorded in CloudTrail under the previous hop's session name. The chain breaks the moment the role can no longer call AssumeRole on itself (an explicit Deny, or revoking the role's active sessions), because the next hop has to be requested with the previous hop's credentials.
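The CloudTrail footprint of the chain, turned into a check, as an added example written for this page (not the original post's code). Each hop is an AssumeRole event whose caller is an AssumedRole session issued by the very role named in requestParameters.roleArn; the four records below are constructed for the example and trimmed to the fields the check reads, and the role and session names follow the placeholders used on this page.

```powershell
# Added example (not the original post's code): flag CloudTrail AssumeRole events in which a
# role session assumes the same role it was issued from, i.e. one hop of the daisy chain.
# The records are constructed for this example (first SAML login, two self-hops, one normal hop).
$records = @'
[
  { "eventTime": "2020-02-24T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
    "userIdentity": { "type": "SAMLUser", "userName": "itsme" },
    "requestParameters": { "roleArn": "arn:aws:iam::999999999999:role/STS-Administrator",
                           "principalArn": "arn:aws:iam::999999999999:saml-provider/my_adfs" } },
  { "eventTime": "2020-02-24T10:01:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
    "userIdentity": { "type": "AssumedRole", "arn": "arn:aws:sts::999999999999:assumed-role/STS-Administrator/itsme",
                      "sessionContext": { "sessionIssuer": { "type": "Role", "arn": "arn:aws:iam::999999999999:role/STS-Administrator" } } },
    "requestParameters": { "roleArn": "arn:aws:iam::999999999999:role/STS-Administrator", "roleSessionName": "itsme_0", "durationSeconds": 900 } },
  { "eventTime": "2020-02-24T10:02:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
    "userIdentity": { "type": "AssumedRole", "arn": "arn:aws:sts::999999999999:assumed-role/STS-Administrator/itsme_0",
                      "sessionContext": { "sessionIssuer": { "type": "Role", "arn": "arn:aws:iam::999999999999:role/STS-Administrator" } } },
    "requestParameters": { "roleArn": "arn:aws:iam::999999999999:role/STS-Administrator", "roleSessionName": "itsme_1", "durationSeconds": 900 } },
  { "eventTime": "2020-02-24T10:03:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
    "userIdentity": { "type": "AssumedRole", "arn": "arn:aws:sts::999999999999:assumed-role/STS-Administrator/itsme_1",
                      "sessionContext": { "sessionIssuer": { "type": "Role", "arn": "arn:aws:iam::999999999999:role/STS-Administrator" } } },
    "requestParameters": { "roleArn": "arn:aws:iam::999999999999:role/Deploy", "roleSessionName": "deploy", "durationSeconds": 900 } }
]
'@ | ConvertFrom-Json

function Find-SelfAssumption {
    param([object[]]$Events)
    $Events |
        Where-Object {
            # self-hop: an assumed-role session asking STS for the role that issued it
            $_.eventSource -eq "sts.amazonaws.com" -and
            $_.eventName -eq "AssumeRole" -and
            $_.userIdentity.type -eq "AssumedRole" -and
            $_.userIdentity.sessionContext.sessionIssuer.arn -eq $_.requestParameters.roleArn
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.eventTime
                Role        = $_.requestParameters.roleArn
                FromSession = ($_.userIdentity.arn -split '/')[-1]   # session that made the call
                ToSession   = $_.requestParameters.roleSessionName  # session it minted
                Duration    = $_.requestParameters.durationSeconds
            }
        }
}

$hits = Find-SelfAssumption -Events $records
$hits | Format-Table -AutoSize
# Two hits are expected from the constructed records: itsme -> itsme_0 and itsme_0 -> itsme_1.
# The hop into role/Deploy is ordinary role chaining and is not flagged.
# Chain length per role, i.e. how many times the role re-minted itself:
$hits | Group-Object Role | Select-Object Name, Count
```

Because FromSession of each hit equals ToSession of the previous one, the hits can be joined into the full chain and traced back to the AssumeRoleWithSAML event, which is the only place the human user name appears; that is the event to pivot on when deciding whose session to revoke.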
