mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-06-12 19:11:44 -07:00
Translated ['', 'src/pentesting-cloud/aws-security/aws-services/aws-s3-a
This commit is contained in:
Translator
+3
-13
@@ -1,4 +1,4 @@
|
||||
# AWS - VPC & Networking Basic Information
|
||||
# AWS - VPC & Maelezo Msingi ya Mtandao
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -10,7 +10,7 @@ This VPC network is divided in **subnetworks**, so a **subnetwork** is directly
|
||||
|
||||
Then, **Network Interface**s attached to services (like EC2 instances) are **connected** to the **subnetworks** with **security group(s)**.
|
||||
|
||||
Therefore, a **security group** will limit the exposed ports of the network **interfaces using it**, **independently of the subnetwork**. And a **network ACL** will **limit** the exposed ports to the **whole network**.
|
||||
Therefore, a **security group** will limit the exposed ports of the network **interfaces using it**, **independently of the subnetwork**. And a **network ACL** will **limit** the exposed ports to to the **whole network**.
|
||||
|
||||
Moreover, in order to **access Internet**, there are some interesting configurations to check:
|
||||
|
||||
@@ -33,13 +33,9 @@ Subnets helps to enforce a greater level of security. **Logical grouping of simi
|
||||
|
||||
- Valid CIDR are from a /16 netmask to a /28 netmask.
|
||||
- A subnet cannot be in different availability zones at the same time.
|
||||
- **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.
|
||||
- **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: the first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.
|
||||
- It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.**
|
||||
|
||||
<figure><img src="https://lh5.googleusercontent.com/N_WTrTrDAHwN61FMKJvLSHVua2EM0IazHH1fSTg8JQfTChm-dLN9mn7wkjz2MlpD-uOUqtWdMZpqKOp4VxaHy5-5X66GD1K8y1UGc27r-GbHdFty9ImpXdcjEsC7u4vjxKme_B_HwDOUnG6camxENYECTw=s2048" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="https://lh3.googleusercontent.com/MmjfVzGmV4jM7tO8lVoTKONoeqbq6E40DGeKUoo4kN-lmMDKnEiGNB-gGVx3EvjK9UV844im225CA8aAjomHf1Modt3MramHrHZdEGbeSZncWhVuT9R8f7tQZ2pXjdSJxeNfErmJ-0mmcUaV6dcU0TAd2A=s2048" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Route Tables
|
||||
|
||||
Route tables determine the traffic routing for a subnet within a VPC. They determine which network traffic is forwarded to the internet or to a VPN connection. You will usually find access to the:
|
||||
@@ -50,12 +46,6 @@ Route tables determine the traffic routing for a subnet within a VPC. They deter
|
||||
- In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC.
|
||||
- VPC endpoints (to access S3 from private networks)
|
||||
|
||||
In the following images you can check the differences in a default public network and a private one:
|
||||
|
||||
<figure><img src="https://lh3.googleusercontent.com/q4ASpcLAYqijdNMLhMLl8EoowDtTMU5I_7YCVfk7-5hxDyeQOik9ImHnD2SYy32XUA2qXjEbXTAxA1lP--znJASdhYOdBveDcrD42f9XBKZ3EmjJCazN3YPLC6oS0xtRMmfORuwCszmMt-KrAkH07_izwg=s2048" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="https://lh5.googleusercontent.com/30psylXAI0gRN6_LK-reP00aGIlMma64E1qafCVPunn6nS-y5jAO6Y2JiempKcf6-LFi7ScicYcOh7BbHEya2VWtksnFX_8SPXQf97tKkg2tNZzrArWbiDCCn2m2LP1QUq6MZ_KayH3yir7t8zpO7CEQOw=s2048" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### ACLs
|
||||
|
||||
**Network Access Control Lists (ACLs)**: Network ACLs are firewall rules that control incoming and outgoing network traffic to a subnet. They can be used to allow or deny traffic to specific IP addresses or ranges.
|
||||
|
||||
@@ -6,34 +6,34 @@
|
||||
|
||||
Amazon S3 ni huduma inayokuruhusu **kuhifadhi kiasi kikubwa cha data**.
|
||||
|
||||
Amazon S3 inatoa chaguzi mbalimbali za kufikia **ulinzi** wa data at REST. Chaguzi hizi ni pamoja na **idhinishaji** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** na **MFA based delete**. Mtumiaji anaweza kuwezesha yoyote ya chaguzi hizi ili kupata ulinzi wa data. **Data replication** ni kipengele cha ndani cha AWS ambapo **S3 automatically replicates each object across all the Availability Zones** na shirika halihitaji kuizime katika kesi hii.
|
||||
Amazon S3 inatoa chaguzi mbalimbali za kupata **ulinzi** wa data wakati wa kusimama (at REST). Chaguzi hizi ni pamoja na **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** na **MFA** **based delete**. **Mtumiaji anaweza kuwezesha** yoyote ya chaguzi hizi ili kupata ulinzi wa data. **Data replication** ni huduma ya ndani ya AWS ambapo **S3 huiga kila object kiotomatiki katika Availability Zones zote** na shirika halihitaji kuiwezesha katika kesi hii.
|
||||
|
||||
Kwa resource-based permissions, unaweza kufafanua ruhusa kwa sub-directories za bucket yako kando.
|
||||
Kwa resource-based permissions, unaweza kufafanua ruhusa kwa sub-directories za bucket yako kwa njia tofauti.
|
||||
|
||||
### Bucket Versioning and MFA based delete
|
||||
|
||||
Wakati Bucket Versioning imewezeshwa, kitendo chochote kinachojaribu kubadilisha faili ndani ya bucket kitatengeneza version mpya ya faili hiyo, na kuhifadhi pia yaliyokuwa hapo awali. Kwa hiyo, haitabana au kuandika juu ya yaliyomo yake ya awali.
|
||||
Wakati Bucket Versioning imewezeshwa, kitendo chochote kinachojaribu kubadilisha faili kitatengeneza toleo jipya la faili hiyo, huku kikibakisha pia yaliyokuwapo awali. Kwa hivyo, haitaandika juu ya yaliyomo yake.
|
||||
|
||||
Zaidi ya hayo, MFA based delete itazuia matoleo ya faili ndani ya S3 bucket kufutwa na pia kuzuia Bucket Versioning kuzimwa, hivyo mshambuliaji hatawezi kubadilisha faili hizi.
|
||||
Zaidi ya hayo, MFA based delete itazuia matoleo ya faili ndani ya bucket ya S3 kutolewa na pia itazuia Bucket Versioning kuzimwa, kwa hivyo mshambuliaji hataweza kubadilisha faili hizi.
|
||||
|
||||
### S3 Access logs
|
||||
|
||||
Inawezekana **kuwezesha S3 access logging** (ambayo kwa default imezimwa) kwa bucket fulani na kuhifadhi logi katika bucket tofauti ili kujua nani anayeitumia bucket (bucket zote mbili lazima ziwe katika region moja).
|
||||
Inawezekana **kuwezesha S3 access login** (ambayo kwa chaguo-msingi imezimwa) kwa bucket fulani na kuhifadhi logs katika bucket tofauti ili kujua nani anayeingilia bucket (buckets zote mbili lazima ziwe katika region moja).
|
||||
|
||||
### S3 Presigned URLs
|
||||
|
||||
Inawezekana kuzalisha presigned URL ambayo kawaida inaweza kutumika **kupata faili iliyotajwa** katika bucket. A **presigned URL looks like this**:
|
||||
Inawezekana kuzalisha presigned URL ambayo kawaida inaweza kutumika ili **kupata faili iliyotajwa** katika bucket. A **presigned URL inafanana na hii**:
|
||||
```
|
||||
https://<bucket-name>.s3.us-east-1.amazonaws.com/asd.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUUE8GZC4S5L3TY3P%2F20230227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjELf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIBhQpdETJO3HKKDk2hjNIrPWwBE8gZaQccZFV3kCpPCWAiEAid3ueDtFFU%2FOQfUpvxYTGO%2BHoS4SWDMUrQAE0pIaB40qggMIYBAAGgwzMTgxNDIxMzg1NTMiDJLI5t7gr2EGxG1Y5CrfAioW0foHIQ074y4gvk0c%2B%2Fmqc7cNWb1njQslQkeePHkseJ3owzc%2FCwkgE0EuZTd4mw0aJciA2XIbJRCLPWTb%2FCBKPnIMJ5aBzIiA2ltsiUNQTTUxYmEgXZoJ6rFYgcodnmWW0Et4Xw59UlHnCDB2bLImxPprriyCzDDCD6nLyp3J8pFF1S8h3ZTJE7XguA8joMs4%2B2B1%2FeOZfuxXKyXPYSKQOOSbQiHUQc%2BFnOfwxleRL16prWk1t7TamvHR%2Bt3UgMn5QWzB3p8FgWwpJ6GjHLkYMJZ379tkimL1tJ7o%2BIod%2FMYrS7LDCifP9d%2FuYOhKWGhaakPuJKJh9fl%2B0vGl7kmApXigROxEWon6ms75laXebltsWwKcKuYca%2BUWu4jVJx%2BWUfI4ofoaGiCSaKALTqwu4QNBRT%2BMoK6h%2BQa7gN7JFGg322lkxRY53x27WMbUE4unn5EmI54T4dWt1%2Bg8ljDS%2BvKfBjqmAWRwuqyfwXa5YC3xxttOr3YVvR6%2BaXpzWtvNJQNnb6v0uI3%2BTtTexZkJpLQYqFcgZLQSxsXWSnf988qvASCIUhAzp2UnS1uqy7QjtD5T73zksYN2aesll7rvB80qIuujG6NOdHnRJ2M5%2FKXXNo1Yd15MtzPuSjRoSB9RSMon5jFu31OrQnA9eCUoawxbB0nHqwK8a43CKBZHhA8RoUAJW%2B48EuFsp3U%3D&X-Amz-Signature=3436e4139e84dbcf5e2e6086c0ebc92f4e1e9332b6fda24697bc339acbf2cdfa
|
||||
```
|
||||
Presigned URL inaweza **kuundwa kutoka kwa cli kwa kutumia credentials za principal mwenye upatikanaji wa object** (kama account unayotumia haina upatikanaji, presigned URL fupi itaundwa lakini haitakuwa na matumizi)
|
||||
Presigned URL inaweza **kutengenezwa kutoka kwa cli kwa kutumia credentials za principal mwenye access kwa object** (ikiwa account unayotumia haina access, presigned URL fupi itaundwa lakini haitakuwa na manufaa)
|
||||
```bash
|
||||
aws s3 presign --region <bucket-region> 's3://<bucket-name>/<file-name>'
|
||||
```
|
||||
> [!NOTE]
|
||||
> Ruhusa pekee inayohitajika kuunda presigned URL ni ruhusa inayotolewa, hivyo kwa amri iliyotangulia ruhusa pekee inayohitajika kwa principal ni `s3:GetObject`
|
||||
|
||||
Pia inawezekana kuunda presigned URLs kwa **ruhusa nyingine**:
|
||||
> Ruhusa pekee inayohitajika kuunda presigned URL ni ruhusa inayotolewa; kwa hivyo kwa amri iliyotangulia, ruhusa pekee inayohitajika kwa principal ni `s3:GetObject`
|
||||
>
|
||||
> Pia inawezekana kuunda presigned URLs kwa **ruhusa nyingine**:
|
||||
```python
|
||||
import boto3
|
||||
url = boto3.client('s3').generate_presigned_url(
|
||||
@@ -42,38 +42,38 @@ Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'},
|
||||
ExpiresIn=3600
|
||||
)
|
||||
```
|
||||
### Mbinu za Usimbaji za S3
|
||||
### Mekanizimu za Usimbaji za S3
|
||||
|
||||
**DEK inamaanisha Ufunguo wa Usimbaji wa Data** na ni ufunguo unaoundwa kila wakati na kutumika kusimba data.
|
||||
**DEK inamaanisha Data Encryption Key** na ni funguo inayozalishwa kila wakati na kutumika encrypt data.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Usimbaji upande wa server kwa ufunguo zinazosimamiwa na S3, SSE-S3</strong></summary>
|
||||
<summary><strong>Server-side encryption with S3 managed keys, SSE-S3</strong></summary>
|
||||
|
||||
Chaguo hili linahitaji usanidi mdogo na usimamizi wote wa ufunguo wa usimbaji unafanywa na AWS. Unachotakiwa kufanya ni **kupakia data yako na S3 itashughulikia mengine yote**. Kila bucket katika akaunti ya S3 hupatiwa bucket key.
|
||||
Chaguo hili linahitaji usanidi mdogo na usimamizi wote wa encryption keys unafanywa na AWS. Unachohitaji kufanya ni **kupakia data yako na S3 itashughulikia mambo mengine yote**. Kila bucket katika akaunti ya S3 inapewa bucket key.
|
||||
|
||||
- Encryption:
|
||||
- Usimbaji:
|
||||
- Object Data + created plaintext DEK --> Encrypted data (stored inside S3)
|
||||
- Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory
|
||||
- Decryption:
|
||||
- Dekripsi:
|
||||
- Encrypted DEK + S3 Master Key --> Plaintext DEK
|
||||
- Plaintext DEK + Encrypted data --> Object Data
|
||||
|
||||
Tafadhali kumbuka kwamba katika kesi hii **ufunguo unasimamiwa na AWS** (rotation kila miaka 3 tu). Ukitumia ufunguo wako mwenyewe utaweza kufanya rotation, ku-disable na kuweka udhibiti wa upatikanaji.
|
||||
Tafadhali kumbuka kwamba katika kesi hii **funguo inasimamiwa na AWS** (rotation tu kila miaka 3). Ikiwa utatumia funguo yako mwenyewe utaweza ku-rotate, kuzima na kutumia udhibiti wa upatikanaji.
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Usimbaji upande wa server kwa ufunguo zinazosimamiwa na KMS, SSE-KMS</strong></summary>
|
||||
<summary><strong>Server-side encryption with KMS managed keys, SSE-KMS</strong></summary>
|
||||
|
||||
Njia hii inaruhusu S3 kutumia key management service ili kuunda data encryption keys zako. KMS inakupa unyumbufu mkubwa zaidi jinsi ufunguo zako zinavyosimamiwa. Kwa mfano, utaweza ku-disable, ku-rotate, na kuweka udhibiti wa upatikanaji kwa CMK, na pia kufuatilia matumizi yao kwa kutumia AWS Cloud Trail.
|
||||
Njia hii inaruhusu S3 kutumia key management service kuunda data encryption keys zako. KMS inakupa urahisi mkubwa kuhusu jinsi funguo zako zinavyosimamiwa. Kwa mfano, unaweza kuzima, ku-rotate, na kutumia udhibiti wa upatikanaji kwa CMK, na kupiga oda dhidi ya matumizi yao kwa kutumia AWS Cloud Trail.
|
||||
|
||||
- Encryption:
|
||||
- Usimbaji:
|
||||
- S3 request data keys from KMS CMK
|
||||
- KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S3
|
||||
- S3 uses the plaintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key
|
||||
- Decryption:
|
||||
- KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£
|
||||
- S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key
|
||||
- Dekripsi:
|
||||
- S3 ask to KMS to decrypt the encrypted data key of the object
|
||||
- KMS decrypt the data key with the CMK and send it back to S3
|
||||
- S3 decrypts the object data
|
||||
@@ -82,16 +82,16 @@ Njia hii inaruhusu S3 kutumia key management service ili kuunda data encryption
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Usimbaji upande wa server kupitia ufunguo zilizotolewa na mteja, SSE-C</strong></summary>
|
||||
<summary><strong>Server-side encryption with customer provided keys, SSE-C</strong></summary>
|
||||
|
||||
Chaguo hili linakupa fursa ya kutoa master key yako ambayo unaweza kuwa unaitumia nje ya AWS. Ufunguo uliotolewa na mteja utakapotumwa pamoja na data yako kwa S3, S3 itafanya usimbaji kwa niaba yako.
|
||||
Chaguo hili linakupa nafasi ya kutoa master key yako ambayo unaweza kuwa unaitumia nje ya AWS. Customer-provided key yako itatumwa pamoja na data yako kwa S3, ambapo S3 itafanya encryption kwa niaba yako.
|
||||
|
||||
- Encryption:
|
||||
- Usimbaji:
|
||||
- The user sends the object data + Customer key to S3
|
||||
- The customer key is used to encrypt the data and the encrypted data is stored
|
||||
- a salted HMAC value of the customer key is stored also for future key validation
|
||||
- the customer key is deleted from memory
|
||||
- Decryption:
|
||||
- Dekripsi:
|
||||
- The user send the customer key
|
||||
- The key is validated against the HMAC value stored
|
||||
- The customer provided key is then used to decrypt the data
|
||||
@@ -100,16 +100,16 @@ Chaguo hili linakupa fursa ya kutoa master key yako ambayo unaweza kuwa unaitumi
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Usimbaji upande wa mteja kwa KMS, CSE-KMS</strong></summary>
|
||||
<summary><strong>Client-side encryption with KMS, CSE-KMS</strong></summary>
|
||||
|
||||
Kama SSE-KMS, pia hutumia key management service kuunda data encryption keys zako. Tofauti ni kwamba sasa KMS inaitwa kupitia client badala ya S3. Usimbaji hufanyika upande wa client na data iliyosimbwa kisha inatumwa kwa S3 kuhifadhiwa.
|
||||
Kwa njia iliyo fanana na SSE-KMS, hili pia hutumia key management service kuunda data encryption keys zako. Hata hivyo, wakati huu KMS inaitwa kupitia client, sio S3. Encryption hutokea upande wa client na data iliyosimbwa kisha inatumwa kwa S3 kuhifadhiwa.
|
||||
|
||||
- Encryption:
|
||||
- Usimbaji:
|
||||
- Client request for a data key to KMS
|
||||
- KMS returns the plaintext DEK and the encrypted DEK with the CMK
|
||||
- Both keys are sent back
|
||||
- The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3)
|
||||
- Decryption:
|
||||
- Dekripsi:
|
||||
- The encrypted data with the encrypted DEK is sent to the client
|
||||
- The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK
|
||||
- The client can now decrypt the encrypted data
|
||||
@@ -118,15 +118,15 @@ Kama SSE-KMS, pia hutumia key management service kuunda data encryption keys zak
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Usimbaji upande wa mteja kwa ufunguo zilizotolewa na mteja, CSE-C</strong></summary>
|
||||
<summary><strong>Client-side encryption with customer provided keys, CSE-C</strong></summary>
|
||||
|
||||
Kwa kutumia mfumo huu, unaweza kutumia ufunguo uliopewa na wewe mwenyewe na kutumia AWS-SDK client kusimba data yako kabla ya kuituma kwa S3 kwa ajili ya uhifadhi.
|
||||
Kwa kutumia mekanizimu hii, unaweza kutumia funguo zako mwenyewe na kutumia AWS-SDK client kusimba/encrypt data yako kabla ya kuituma kwa S3 kwa ajili ya kuhifadhiwa.
|
||||
|
||||
- Encryption:
|
||||
- Usimbaji:
|
||||
- The client generates a DEK and encrypts the plaintext data
|
||||
- Then, using it's own custom CMK it encrypts the DEK
|
||||
- submit the encrypted data + encrypted DEK to S3 where it's stored
|
||||
- Decryption:
|
||||
- Dekripsi:
|
||||
- S3 sends the encrypted data and DEK
|
||||
- As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data
|
||||
|
||||
@@ -134,7 +134,7 @@ Kwa kutumia mfumo huu, unaweza kutumia ufunguo uliopewa na wewe mwenyewe na kutu
|
||||
|
||||
### **Enumeration**
|
||||
|
||||
Moja ya njia za jadi za ku-compromise organizations za AWS huanza kwa ku-compromise buckets zinazonekana hadharani. **You can find** [**public buckets enumerators in this page**](../aws-unauthenticated-enum-access/index.html#s3-buckets)**.**
|
||||
Moja ya njia za jadi za ku-compromise AWS orgs huanza kwa ku-compromise buckets zinazopatikana kwa umma. **Unaweza kupata** [**public buckets enumerators in this page**](../aws-unauthenticated-enum-access/index.html#s3-buckets)**.**
|
||||
```bash
|
||||
# Get buckets ACLs
|
||||
aws s3api get-bucket-acl --bucket <bucket-name>
|
||||
@@ -150,7 +150,7 @@ aws s3api list-buckets
|
||||
|
||||
# list content of bucket (no creds)
|
||||
aws s3 ls s3://bucket-name --no-sign-request
|
||||
aws s3 ls s3://bucket-name --recursive
|
||||
aws s3 ls s3://bucket-name --recursive --no-sign-request
|
||||
|
||||
# list content of bucket (with creds)
|
||||
aws s3 ls s3://bucket-name
|
||||
@@ -231,14 +231,14 @@ aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-poli
|
||||
|
||||
Unaweza kufikia S3 bucket kupitia dual-stack endpoint kwa kutumia virtual hosted-style au path-style endpoint name. Hizi ni muhimu kufikia S3 kupitia IPv6.
|
||||
|
||||
Dual-stack endpoints zinatumia sintaksia ifuatayo:
|
||||
Dual-stack endpoints zinatumia sintaksifuu ifuatayo:
|
||||
|
||||
- `bucketname.s3.dualstack.aws-region.amazonaws.com`
|
||||
- `s3.dualstack.aws-region.amazonaws.com/bucketname`
|
||||
|
||||
### Privesc
|
||||
|
||||
Kwenye ukurasa ufuatao unaweza kuona jinsi ya **abuse S3 permissions to escalate privileges**:
|
||||
Katika ukurasa unaofuata unaweza kuona jinsi ya **kulaumiwa ruhusa za S3 ili kupandisha privileges**:
|
||||
|
||||
{{#ref}}
|
||||
../aws-privilege-escalation/aws-s3-privesc/README.md
|
||||
@@ -266,19 +266,21 @@ Kwenye ukurasa ufuatao unaweza kuona jinsi ya **abuse S3 permissions to escalate
|
||||
|
||||
### S3 HTTP Cache Poisoning Issue <a href="#heading-s3-http-desync-cache-poisoning-issue" id="heading-s3-http-desync-cache-poisoning-issue"></a>
|
||||
|
||||
[**According to this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) ilichangia kuwezekana kuweka kwenye cache majibu ya bucket yoyote kana kwamba ilihusiana na bucket tofauti. Hii inaweza kutumiwa kubadilisha, kwa mfano, majibu ya faili za javascript na kuathiri kurasa yoyote zinazotumia S3 kuhifadhi static code.
|
||||
[**According to this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) ilikuwa inawezekana kuweka response ya bucket yoyote kwenye cache kana kwamba ilikuwa ya bucket nyingine. Hii ingeweza kutumika kubadilisha, kwa mfano, majibu ya faili za javascript na kuathiri ukurasa wowote unaotumia S3 kuhifadhi code za static.
|
||||
|
||||
## Amazon Athena
|
||||
|
||||
Amazon Athena ni huduma ya interactive query inayofanya iwe rahisi **kuchambua data** moja kwa moja katika Amazon Simple Storage Service (Amazon **S3**) **kwa kutumia** standard **SQL**.
|
||||
Amazon Athena ni huduma ya kuuliza maswali ya mwingiliano ambayo inafanya iwe rahisi **kuchambua data** moja kwa moja katika Amazon Simple Storage Service (Amazon **S3**) **kwa kutumia** standard **SQL**.
|
||||
|
||||
Unahitaji **kuandaa relational DB table** lenye muundo wa yaliyomo yatakayojitokeza katika buckets za S3 zinazofuatiliwa. Kisha, Amazon Athena itaweza kujaza DB kutoka kwa logs, hivyo unaweza kuyafanya query.
|
||||
Unahitaji **kuandaa jedwali la DB la uhusiano** lenye muundo wa yaliyomo yatakayojitokeza katika buckets za S3 zinazofuatiliwa. Kisha, Amazon Athena itaweza kujaza DB kutoka kwa logs, ili uweze kuiuliza.
|
||||
|
||||
Amazon Athena inaunga mkono **uwezo wa kufanya query kwa S3 data ambayo tayari imeencrypted** na ikiwa imewezeshwa kufanya hivyo, **Athena pia inaweza encrypt matokeo ya query ambayo yanaweza kisha kuhifadhiwa katika S3**.
|
||||
Amazon Athena inaunga mkono **uwezo wa kuuliza data ya S3 ambayo tayari imefichwa (encrypted)** na ikiwa imewekwa kufanya hivyo, **Athena pia inaweza kuchomeka (encrypt) matokeo ya query ambayo kisha yanaweza kuhifadhiwa kwenye S3**.
|
||||
|
||||
**This encryption of results is independent of the underlying queried S3 data**, ikimaanisha kwamba hata kama data ya S3 haijaencrypted, matokeo yaliyofutwa yanaweza kuwa encrypted. Pointi chache za kuzingatia ni kwamba Amazon Athena inaunga mkono data iliyokuwa **encrypted** kwa kutumia **S3 encryption methods** zifuatazo: **SSE-S3, SSE-KMS, and CSE-KMS**.
|
||||
**Ufungaji huu wa matokeo ni tofauti na data ya msingi ya S3 inayoulizwa**, ikimaanisha kwamba hata kama data ya S3 haijachomekwa, matokeo ya kuulizwa yanaweza kuchomekwa. Mambo kadhaa ya kuzingatia ni kwamba Amazon Athena inaunga mkono data ambayo imechomekwa kwa **mbinu zifuatazo za S3 encryption**, **SSE-S3, SSE-KMS, na CSE-KMS**.
|
||||
|
||||
SSE-C na CSE-C hazitumiwi. Zaidi ya hayo, ni muhimu kuelewa kwamba Amazon Athena itafanya queries tu dhidi ya **encrypted objects that are in the same region as the query itself**. Ikiwa unahitaji kufanya query kwa S3 data ambayo imeencrypted kwa kutumia KMS, basi idhini maalum zinahitajika kwa Athena user ili kumruhusu kufanya query.
|
||||
SSE-C na CSE-C hazitegemelewi. Mbali na haya, ni muhimu kuelewa kwamba Amazon Athena itafanya queries tu dhidi ya **vitu vilivyochomekwa ambavyo viko katika region ile ile kama query yenyewe**. Ikiwa unahitaji kuuliza data ya S3 iliyochomekwa kwa kutumia KMS, basi ruhusa maalum zinahitajika kwa mtumiaji wa Athena ili kumuwezesha kufanya query.
|
||||
|
||||
### Enumeration
|
||||
```bash
|
||||
# Get catalogs
|
||||
aws athena list-data-catalogs
|
||||
@@ -300,7 +302,7 @@ aws athena get-prepared-statement --statement-name <name> --work-group <wg-name>
|
||||
# Run query
|
||||
aws athena start-query-execution --query-string <query>
|
||||
```
|
||||
## Marejeleo
|
||||
## Marejeo
|
||||
|
||||
- [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3)
|
||||
- [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html)
|
||||
|
||||
Reference in New Issue
Block a user