Add table of contents to each of the risk descriptions. This will work for private beta until we can move to ReadTheDocs

Author: kmcquade

docs/risks/acm-pca.md

@@ -1,5 +1,10 @@
 # ACM Private Certificate Authority (PCA)
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * ‼️ If you are using the Terraform demo infrastructure, you must take some follow-up steps after provisioning the resources in order to be able to expose the demo resource. This is due to how ACM PCA works. For instructions, see the [Appendix on ACM PCA Activation](../appendices/acm-pca-activation.md)
@@ -59,13 +64,13 @@ TODO
 * **Trusted Accounts Only**: Ensure that AWS PCA Certificates are only shared with trusted accounts, and that the trusted accounts truly need access to the Certificates.
 * **Ensure access is necessary**: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
 * **Restrict access to IAM permissions that could lead to exposing usage of your private CAs**: Tightly control access to the following IAM actions:
-  - [acm-pca:GetPolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html): _Description_
-  - [acm-pca:PutPolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html): _Description_
-  - [acm-pca:DeletePolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html): _Description_
+  - [acm-pca:GetPolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html): Retrieves the policy on an ACM Private CA._
+  - [acm-pca:PutPolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html): _Puts a policy on an ACM Private CA._
+  - [acm-pca:DeletePolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html): _Deletes the policy for an ACM Private CA._
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
-## Resources
+## References
 
 * [Attaching a Resource-based Policy for Cross Account Access in ACM PCA](https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html)
 * [GetPolicy](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html)

docs/risks/amis.md

@@ -1,5 +1,11 @@
 # EC2 AMIs (Machine Images)
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/ebs.md

@@ -1,5 +1,11 @@
 # EBS Snapshot Exposure
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/ecr.md

@@ -1,5 +1,11 @@
 # Elastic Container Registries (ECR)
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/efs.md

@@ -1,5 +1,11 @@
 # Elastic File Systems (EFS)
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 > Note: The Terraform demo infrastructure will output the EFS File System ID. If you are using the Terraform demo infrastructure, you must leverage the file system ID in the `--name` parameter.

docs/risks/es.md

@@ -1,11 +1,33 @@
 # ElasticSearch Domains
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 > Note: The **Network Configuration** settings in ElasticSearch clusters offer two options - **VPC Access** or **Public access**. If VPC access is used, modification of the resource-based policy - whether using `endgame` or the CLI exploitation method - will not result in access to the internet. `endgame` only modifies the resource-based policy for the ElasticSearch cluster, so this will only expose ElasticSearch clusters that are set to **Public access*.
 
 ## Steps to Reproduce
 
+* To expose the resource using `endgame`, run the following from the victim account:
+
+```bash
+export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
+
+endgame expose --service elasticsearch --name test-resource-exposure
+```
+
+* To get the content of the resource-based policy for ElasticSearch domain config, run the following command from the victim account:
+
+```bash
+aws es describe-elasticsearch-domain-config --domain-name test-resource-exposure
+```
+
 ## Example
 
+The response will contain a field titled `AccessPolicies`. AccessPolicies will contain content that resembles the below. Observe that the victim resource (`arn:aws:es:us-east-1:999988887777:domain/test-resource-exposure`) allows access to `*` principals, indicating a successful compromise.
+
 ```json
 {
   "Version": "2012-10-17",
@@ -24,6 +46,10 @@
 
 ## Exploitation
 
+```
+TODO
+```
+
 ## Remediation
 
 > ‼️ **Note**: At the time of this writing, AWS Access Analyzer does **NOT** support auditing of this resource type to prevent resource exposure. **We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool**. 😊

docs/risks/glacier.md

@@ -1,5 +1,11 @@
 # Glacier Vault
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/iam-roles.md

@@ -1,5 +1,11 @@
 # IAM Roles (via AssumeRole)
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/kms.md

@@ -1,5 +1,11 @@
 # KMS Keys
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/lambda-functions.md

@@ -1,5 +1,11 @@
 # Lambda Function Cross-Account Access
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 AWS Lambda Permission Policies (aka resource-based policies) can allow functions to be invoked from AWS accounts other than the one it is running in.
 
 Compromised Lambda functions are a known attack path for [Privilege Escalation](https://resources.infosecinstitute.com/topic/cloudgoat-walkthrough-lambda-privilege-escalation/) and other nefarious use cases. While the impact often depends on the context of the Lambdas itself, Lambda functions often modify AWS infrastructure or have data plane access. Abusing these capabilities could compromise the confidentiality and integrity of the resources in the account.

docs/risks/lambda-layers.md

@@ -1,5 +1,10 @@
 # Lambda Layers
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/logs.md

@@ -2,6 +2,11 @@
 
 CloudWatch Resource Policies allow other AWS services or IAM Principals to put log events into the account.
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/rds-snapshots.md

@@ -1,5 +1,11 @@
 # RDS Snapshots
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/s3.md

@@ -1,5 +1,11 @@
 # S3 Buckets
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/secretsmanager.md

@@ -1,5 +1,11 @@
 # Secrets Manager
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * **Option 1**: To expose the resource using `endgame`, run the following from the victim account:

docs/risks/ses.md

@@ -1,5 +1,11 @@
 # SES Sender Authorization Policies
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 SES Sending Authorization Policies can be used to add a rogue IAM user as a [Delegate sender](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-delegate-sender-tasks.html). This can result in a malicous user sending an email on behalf of your organization, which could lead to phishing attacks against customers or employees, as well as a loss of consumer trust and reputation loss.
 
 ### How it works

docs/risks/sns.md

@@ -1,5 +1,11 @@
 # SNS
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:

docs/risks/sqs.md

@@ -1,5 +1,11 @@
 # SQS
 
+* [Steps to Reproduce](#steps-to-reproduce)
+* [Exploitation](#exploitation)
+* [Remediation](#remediation)
+* [Basic Detection](#basic-detection)
+* [References](#references)
+
 ## Steps to Reproduce
 
 * To expose the resource using `endgame`, run the following from the victim account:
@@ -46,8 +52,8 @@ TODO
 * **Ensure access is necessary**: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
 * **AWS Access Analyzer**: Leverage AWS Access Analyzer to report on external access to  SQS Queues. See [the AWS Access Analyzer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html) for more details.
 * **Restrict access to IAM permissions that could lead to exposure of your SQS Queues**: Tightly control access to the following IAM actions:
-  - [sqs:AddPermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html): _Description_
-  - [sqs:RemovePermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_RemovePermission.html): _Description_
+  - [sqs:AddPermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html): _Adds a permission to a queue for a specific principal._
+  - [sqs:RemovePermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_RemovePermission.html): _Revokes any permissions in the queue policy that matches the specified Label parameter._
   - [sqs:GetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.html): _Gets attributes for the specified queue. This includes retrieving the list of principals who are authorized to access the queue._
   - [sqs:GetQueueUrl](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueUrl.html): _Returns the URL of an existing queue._
   - [sqs:ListQueues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueues.html): _Returns a list of your queues._