From 1077cf6f891efaba4b8052fd809fdfd3d356ab8a Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Tue, 7 Oct 2025 11:02:01 +0200 Subject: [PATCH] Update AWS KMS post-exploitation documentation Clarified KMS policy restrictions and updated ransomware sections. --- .../aws-kms-post-exploitation.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md index 0168837b0..acf70ffa6 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md @@ -98,23 +98,22 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ ``` > [!CAUTION] -> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be perfoemed from a cross account**. +> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be performed from a cross account**.
### Generic KMS Ransomware -#### Global KMS Ransomware - There is another way to perform a global KMS Ransomware, which would involve the following steps: - Create a new **key with a key material** imported by the attacker -- **Re-encrypt older data** encrypted with the previous version with the new one. +- **Re-encrypt older data** of the victim encrypted with the previous version with the new one. - **Delete the KMS key** - Now only the attacker, who has the original key material could be able to decrypt the encrypted data -#### Ransomware via kms:DeleteImportedKeyMaterial -With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with Origin=EXTERNAL, making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible. +### Delete Keys via kms:DeleteImportedKeyMaterial + +With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible. ```bash aws kms delete-imported-key-material --key-id @@ -123,10 +122,9 @@ aws kms delete-imported-key-material --key-id ### Destroy keys -```bash -# Destoy they key material previously imported making the key useless -aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab +Destroying keys it's possible to perform a DoS. +```bash # Schedule the destoy of a key (min wait time is 7 days) aws kms schedule-key-deletion \ --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
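Review bot: in the `@@ -98,23 +98,22 @@` hunk the rewritten CAUTION line is still misspelled and ungrammatical: `Polocy` stays, `you won't be able cause` lacks its verb, and since this hunk already touches the line it should be fixed fully, e.g. `you won't be able to, because the PutKeyPolicy action cannot be performed cross-account`. The same hunk introduces `imperted` for `imported` in the new `kms:DeleteImportedKeyMaterial` paragraph, and the renamed heading `### Delete Keys via kms:DeleteImportedKeyMaterial` misdescribes the action: as the paragraph itself says (`unless compatible material is re-imported`), only the imported key material is removed and the CMK remains, so `### Delete imported key material via kms:DeleteImportedKeyMaterial` would match the body. The retained example `aws kms delete-imported-key-material --key-id` is also missing its `--key-id` value; the placeholder ID used in the `### Destroy keys` section (`1234abcd-12ab-34cd-56ef-1234567890ab`) would make it a runnable example.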
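Review bot: in the `@@ -123,10 +122,9 @@` hunk the new lead sentence `Destroying keys it's possible to perform a DoS.` is ungrammatical; `Destroying keys makes it possible to cause a DoS.` reads correctly. Moving the `delete-imported-key-material` example out of this section is fine now that it has its own section, but the surviving context comment `# Schedule the destoy of a key (min wait time is 7 days)` still carries the `destoy` typo and could be corrected in the same change.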