gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-11 20:45:21 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

360
src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
View File

@@ -4,266 +4,253 @@
## Step Functions
AWS Step Functions is a workflow service that enables you to coordinate and orchestrate multiple AWS services into serverless workflows. By using AWS Step Functions, you can design and run workflows that connect various AWS services such as AWS Lambda, Amazon S3, Amazon DynamoDB, and many more, in a sequence of steps. This orchestration service provides a visual workflow interface and offers **state machine** capabilities, allowing you to define each step of the workflow in a declarative manner using JSON-based **Amazon States Language** (ASL).
AWS Step Functions is 'n werksvloei-diens wat jou in staat stel om verskeie AWS-dienste in serverless werksvloeie te koördineer en te orkestreer. Deur AWS Step Functions te gebruik, kan jy werksvloeie ontwerp en uitvoer wat verskillende AWS-dienste soos AWS Lambda, Amazon S3, Amazon DynamoDB, en vele meer, in 'n reeks stappe verbind. Hierdie orkestrasiediens bied 'n visuele werksvloei-koppelvlak en bied **state machine** vermoëns, wat jou toelaat om elke stap van die werksvloei op 'n deklaratiewe manier te definieer met behulp van JSON-gebaseerde **Amazon States Language** (ASL).
## Key concepts
### Standard vs. Express Workflows
AWS Step Functions offers two types of **state machine workflows**: Standard and Express.
AWS Step Functions bied twee tipes **state machine workflows**: Standaard en Uitdrukking.
- **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year.
- **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage.
- **Standard Workflow**: Hierdie standaard werksvloei tipe is ontwerp vir langlopende, duursame, en auditeerbare prosesse. Dit ondersteun **exactly-once execution**, wat verseker dat take slegs een keer uitgevoer word tensy herhalings gespesifiseer word. Dit is ideaal vir werksvloeie wat gedetailleerde uitvoeringsgeskiedenis benodig en kan tot een jaar lank loop.
- **Express Workflow**: Hierdie tipe is ideaal vir h-volume, kortduur take, wat tot vyf minute duur. Hulle ondersteun **at-least-once execution**, geskik vir idempotente take soos data verwerking. Hierdie werksvloeie is geoptimaliseer vir koste en prestasie, en hef koste gebaseer op uitvoerings, duur, en geheuegebruik.
### States
States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type:
States is die essensiële eenhede van state machines. Hulle definieer die individuele stappe binne 'n werksvloei, en kan 'n verskeidenheid funksies uitvoer, afhangende van sy tipe:
- **Task:** Executes a job, often using an AWS service like Lambda.
- **Choice:** Makes decisions based on input.
- **Fail/Succeed:** Ends the execution with a failure or success.
- **Pass:** Passes input to output or injects data.
- **Wait:** Delays execution for a set time.
- **Parallel:** Initiates parallel branches.
- **Map:** Dynamically iterates steps over items.
- **Task:** Voer 'n werk uit, dikwels met 'n AWS-diens soos Lambda.
- **Choice:** Neem besluite gebaseer op invoer.
- **Fail/Succeed:** Eindig die uitvoering met 'n mislukking of sukses.
- **Pass:** Gee invoer aan uitvoer of voeg data in.
- **Wait:** Vertraag uitvoering vir 'n bepaalde tyd.
- **Parallel:** Begin parallelle takke.
- **Map:** Dinamies herhaal stappe oor items.
### Task
A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs.
'n **Task** state verteenwoordig 'n enkele eenheid van werk wat deur 'n state machine uitgevoer word. Take kan verskeie hulpbronne aanroep, insluitend aktiwiteite, Lambda funksies, AWS dienste, of derdeparty API's.
- **Activities**: Custom workers you manage, suitable for long-running processes.
- Resource: **`arn:aws:states:region:account:activity:name`**.
- **Lambda Functions**: Executes AWS Lambda functions.
- Resource: **`arn:aws:lambda:region:account:function:function-name`**.
- **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3.
- Resource: **`arn:partition:states:region:account:servicename:APIname`**.
- **HTTP Task**: Calls third-party APIs.
- Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details.
The following example shows a Task state definition that invokes a Lambda function called HelloWorld:
- **Activities**: Pasgemaakte werkers wat jy bestuur, geskik vir langlopende prosesse.
- Hulpbron: **`arn:aws:states:region:account:activity:name`**.
- **Lambda Functions**: Voer AWS Lambda funksies uit.
- Hulpbron: **`arn:aws:lambda:region:account:function:function-name`**.
- **AWS Services**: Integreer direk met ander AWS dienste, soos DynamoDB of S3.
- Hulpbron: **`arn:partition:states:region:account:servicename:APIname`**.
- **HTTP Task**: Roep derdeparty API's aan.
- Hulpbron veld: **`arn:aws:states:::http:invoke`**. Dan moet jy die API eindpunt konfigurasie besonderhede verskaf, soos die API URL, metode, en outentikasie besonderhede.
Die volgende voorbeeld toon 'n Task state definisie wat 'n Lambda funksie genaamd HelloWorld aanroep:
```json
"HelloWorld": {
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"Parameters": {
"Payload.$": "$",
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:HelloWorld"
},
"End": true
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"Parameters": {
"Payload.$": "$",
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:HelloWorld"
},
"End": true
}
```
### Keuse
### Choice
'n **Keuse** toestand voeg voorwaardelike logika by 'n werksvloei, wat besluite op grond van invoerdata moontlik maak. Dit evalueer die gespesifiseerde voorwaardes en oorweeg na die ooreenstemmende toestand op grond van die resultate.
A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results.
- **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable.
- **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true.
Example of **Choice** state:
- **Vergelyking**: Elke keuse-reël sluit 'n vergelykingsoperateur in (bv. **`NumericEquals`**, **`StringEquals`**) wat 'n invoer veranderlike met 'n gespesifiseerde waarde of 'n ander veranderlike vergelyk.
- **Volgende Veld**: Keuse toestande ondersteun nie die **`End`** veld nie, eerder definieer hulle die **`Next`** toestand om na oor te skakel as die vergelyking waar is.
Voorbeeld van **Keuse** toestand:
```json
{
"Variable": "$.timeStamp",
"TimestampEquals": "2000-01-01T00:00:00Z",
"Next": "TimeState"
"Variable": "$.timeStamp",
"TimestampEquals": "2000-01-01T00:00:00Z",
"Next": "TimeState"
}
```
### Fail/Succeed
A **`Fail`** state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow.
'n **`Fail`** toestand stop die uitvoering van 'n toestandmasjien en merk dit as 'n mislukking. Dit word gebruik om 'n foutnaam en 'n oorsaak te spesifiseer, wat besonderhede oor die mislukking verskaf. Hierdie toestand is terminal, wat beteken dit beëindig die uitvoeringsvloei.
A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field.
'n **`Succeed`** toestand stop die uitvoering suksesvol. Dit word tipies gebruik om die werksvloei te beëindig wanneer dit suksesvol voltooi is. Hierdie toestand vereis nie 'n **`Next`** veld nie.
{{#tabs }}
{{#tab name="Fail example" }}
```json
"FailState": {
"Type": "Fail",
"Error": "ErrorName",
"Cause": "Error details"
"Type": "Fail",
"Error": "ErrorName",
"Cause": "Error details"
}
```
{{#endtab }}
{{#tab name="Succeed example" }}
{{#tab name="Sukses voorbeeld" }}
```json
"SuccessState": {
"Type": "Succeed"
"Type": "Succeed"
}
```
{{#endtab }}
{{#endtabs }}
### Pass
A **Pass** state passes its input to its output either without performing any work or transformin JSON state input using filters, and then passing the transformed data to the next state. It is useful for testing and constructing state machines, allowing you to inject static data or transform it.
'n **Pass** toestand gee sy invoer aan sy uitvoer oor, hetsy sonder om enige werk te verrig of deur JSON toestand invoer te transformeer met behulp van filters, en dan die getransformeerde data aan die volgende toestand oor te dra. Dit is nuttig vir toetsing en die konstruksie van toestandmasjiene, wat jou toelaat om statiese data in te voeg of dit te transformeer.
```json
"PassState": {
"Type": "Pass",
"Result": {"key": "value"},
"ResultPath": "$.newField",
"Next": "NextState"
"Type": "Pass",
"Result": {"key": "value"},
"ResultPath": "$.newField",
"Next": "NextState"
}
```
### Wag
'n **Wag** toestand vertraag die uitvoering van die toestandmasjien vir 'n spesifieke duur. Daar is drie primêre metodes om die wagtyd te konfigureer:
- **X Sekondes**: 'n Vasgestelde aantal sekondes om te wag.
```json
"WaitState": {
"Type": "Wait",
"Seconds": 10,
"Next": "NextState"
}
```
### Wait
- **Absoluut Tydstempel**: 'n Presiese tyd om te wag tot.
A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time:
```json
"WaitState": {
"Type": "Wait",
"Timestamp": "2024-03-14T01:59:00Z",
"Next": "NextState"
}
```
- **X Seconds**: A fixed number of seconds to wait.
- **Dinamiese Wag**: Gebaseer op invoer met behulp van **`SecondsPath`** of **`TimestampPath`**.
```json
"WaitState": {
"Type": "Wait",
"Seconds": 10,
"Next": "NextState"
}
```
- **Absolute Timestamp**: An exact time to wait until.
```json
"WaitState": {
"Type": "Wait",
"Timestamp": "2024-03-14T01:59:00Z",
"Next": "NextState"
}
```
- **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**.
```json
jsonCopiar código
"WaitState": {
"Type": "Wait",
"TimestampPath": "$.expirydate",
"Next": "NextState"
}
```
```json
jsonCopiar código
"WaitState": {
"Type": "Wait",
"TimestampPath": "$.expirydate",
"Next": "NextState"
}
```
### Parallel
A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are:
- **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine.
- **ResultPath**: Defines where (in the input) to place the combined output of the branches.
- **Retry and Catch**: Error handling configurations for the parallel state.
'n **Parallel** toestand laat jou toe om verskeie takke van take gelyktydig binne jou werksvloei uit te voer. Elke tak loop onafhanklik en verwerk sy eie volgorde van toestande. Die uitvoering wag totdat al die takke voltooi is voordat dit na die volgende toestand gaan. Sy sleutelvelde is:
- **Takke**: 'n Array wat die parallelle uitvoeringspaaie definieer. Elke tak is 'n aparte toestandmasjien.
- **ResultPath**: Definieer waar (in die invoer) om die saamgevoegde uitvoer van die takke te plaas.
- **Herhaal en Vang**: Fouthanteringskonfigurasies vir die parallelle toestand.
```json
"ParallelState": {
"Type": "Parallel",
"Branches": [
{
"StartAt": "Task1",
"States": { ... }
},
{
"StartAt": "Task2",
"States": { ... }
}
],
"Next": "NextState"
"Type": "Parallel",
"Branches": [
{
"StartAt": "Task1",
"States": { ... }
},
{
"StartAt": "Task2",
"States": { ... }
}
],
"Next": "NextState"
}
```
### Map
'n **Map** toestand stel die uitvoering van 'n stel stappe vir elke item in 'n dataset in staat. Dit word gebruik vir parallelle verwerking van data. Afhangende van hoe jy die items van die dataset wil verwerk, bied Step Functions die volgende modi aan:
- **Inline Mode**: Voer 'n substel van toestande uit vir elke JSON-array item. Geschik vir klein skaal take met minder as 40 parallelle iterasies, wat elkeen in die konteks van die werksvloei wat die **`Map`** toestand bevat, loop.
```json
"MapState": {
"Type": "Map",
"ItemsPath": "$.arrayItems",
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "INLINE"
},
"StartAt": "AddState",
"States": {
"AddState": {
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"OutputPath": "$.Payload",
"Parameters": {
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:add-function"
},
"End": true
}
}
},
"End": true
"ResultPath": "$.detail.added",
"ItemsPath": "$.added"
}
```
### Map
- **Distributed Mode**: Ontwerp vir groot skaal parallelle verwerking met hoë mededinging. Ondersteun die verwerking van groot datasets, soos dié wat in Amazon S3 gestoor is, wat 'n hoë mededinging van tot 10,000 parallelle kind werksvloei-uitvoerings moontlik maak, wat hierdie kinders as 'n aparte kind uitvoering loop.
A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes:
- **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state.
```json
"MapState": {
"Type": "Map",
"ItemsPath": "$.arrayItems",
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "INLINE"
},
"StartAt": "AddState",
"States": {
"AddState": {
"Type": "Task",
"Resource": "arn:aws:states:::lambda:invoke",
"OutputPath": "$.Payload",
"Parameters": {
"FunctionName": "arn:aws:lambda:<region>:<account-id>:function:add-function"
},
"End": true
}
}
},
"End": true
"ResultPath": "$.detail.added",
"ItemsPath": "$.added"
}
```
- **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution.
```json
"DistributedMapState": {
"Type": "Map",
"ItemReader": {
"Resource": "arn:aws:states:::s3:getObject",
"Parameters": {
"Bucket": "my-bucket",
"Key": "data.csv"
}
},
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "DISTRIBUTED",
"ExecutionType": "EXPRESS"
},
"StartAt": "ProcessItem",
"States": {
"ProcessItem": {
"Type": "Task",
"Resource": "arn:aws:lambda:region:account-id:function:my-function",
"End": true
}
}
},
"End": true
"ResultWriter": {
"Resource": "arn:aws:states:::s3:putObject",
"Parameters": {
"Bucket": "myOutputBucket",
"Prefix": "csvProcessJobs"
}
}
}
```
```json
"DistributedMapState": {
"Type": "Map",
"ItemReader": {
"Resource": "arn:aws:states:::s3:getObject",
"Parameters": {
"Bucket": "my-bucket",
"Key": "data.csv"
}
},
"ItemProcessor": {
"ProcessorConfig": {
"Mode": "DISTRIBUTED",
"ExecutionType": "EXPRESS"
},
"StartAt": "ProcessItem",
"States": {
"ProcessItem": {
"Type": "Task",
"Resource": "arn:aws:lambda:region:account-id:function:my-function",
"End": true
}
}
},
"End": true
"ResultWriter": {
"Resource": "arn:aws:states:::s3:putObject",
"Parameters": {
"Bucket": "myOutputBucket",
"Prefix": "csvProcessJobs"
}
}
}
```
### Versions and aliases
Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine.
Step Functions laat jou ook toe om werksvloei-implementasies te bestuur deur middel van **versies** en **aliases** van toestand masjiene. 'n Weergawe verteenwoordig 'n snapshot van 'n toestand masjien wat uitgevoer kan word. Aliases dien as wysers na tot twee weergawes van 'n toestand masjien.
- **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version.
- **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management.
- **Versies**: Hierdie onveranderlike snapshots van 'n toestand masjien word geskep vanaf die mees onlangse hersiening van daardie toestand masjien. Elke weergawe word geïdentifiseer deur 'n unieke ARN wat die toestand masjien ARN met die weergawe nommer kombineer, geskei deur 'n dubbelepunt (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Weergawes kan nie ge-edit word nie, maar jy kan die toestand masjien opdateer en 'n nuwe weergawe publiseer, of die gewenste toestand masjien weergawe gebruik.
- **Aliases**: Hierdie wysers kan na tot twee weergawes van dieselfde toestand masjien verwys. Meerdere aliases kan geskep word vir 'n enkele toestand masjien, elkeen geïdentifiseer deur 'n unieke ARN wat die toestand masjien ARN met die alias naam kombineer, geskei deur 'n dubbelepunt (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases stel die roetering van verkeer tussen een van die twee weergawes van 'n toestand masjien in staat. Alternatiewelik kan 'n alias na 'n enkele spesifieke weergawe van die toestand masjien wys, maar nie na ander aliases nie. Hulle kan opdateer word om na 'n ander weergawe van die toestand masjien te herlei soos nodig, wat beheerde implementasies en werksvloei bestuur fasiliteer.
For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html).
Vir meer gedetailleerde inligting oor **ASL**, kyk: [**Amazon States Language**](https://states-language.net/spec.html).
## IAM Roles for State machines
AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions:
AWS Step Functions gebruik AWS Identity and Access Management (IAM) rolle om toegang tot hulpbronne en aksies binne toestand masjiene te beheer. Hier is die sleutel aspekte wat verband hou met sekuriteit en IAM rolle in AWS Step Functions:
- **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions.
- **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted.
- **Execution Role**: Elke toestand masjien in AWS Step Functions is geassosieer met 'n IAM uitvoering rol. Hierdie rol definieer watter aksies die toestand masjien namens jou kan uitvoer. Wanneer 'n toestand masjien tussen toestande oorgaan wat met AWS dienste interaksie het (soos die aanroep van Lambda funksies, toegang tot DynamoDB, ens.), neem dit hierdie uitvoering rol aan om daardie aksies uit te voer.
- **Permissions**: Die IAM uitvoering rol moet geconfigureer word met toestemmings wat die nodige aksies op ander AWS dienste toelaat. Byvoorbeeld, as jou toestand masjien AWS Lambda funksies moet aanroep, moet die IAM rol **`lambda:InvokeFunction`** toestemmings hê. Op soortgelyke wyse, as dit na DynamoDB moet skryf, moet toepaslike toestemmings (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, ens.) toegestaan word.
## Enumeration
ReadOnlyAccess policy is enough for all the following enumeration actions.
ReadOnlyAccess beleid is genoeg vir al die volgende enumerasie aksies.
```bash
# State machines #
@@ -310,10 +297,9 @@ aws stepfunctions describe-map-run --map-run-arn <value>
## Lists executions of a Map Run
aws stepfunctions list-executions --map-run-arn <value> [--status-filter <RUNNING | SUCCEEDED | FAILED | TIMED_OUT | ABORTED | PENDING_REDRIVE>] [--redrive-filter <REDRIVEN | NOT_REDRIVEN>]
```
## Privesc
In the following page, you can check how to **abuse Step Functions permissions to escalate privileges**:
In die volgende bladsy kan jy kyk hoe om **Step Functions toestemming te misbruik om voorregte te verhoog**:
{{#ref}}
../aws-privilege-escalation/aws-stepfunctions-privesc.md
@@ -338,7 +324,3 @@ In the following page, you can check how to **abuse Step Functions permissions t
- [https://states-language.net/spec.html](https://states-language.net/spec.html)
{{#include ../../../banners/hacktricks-training.md}}