fix macie

This commit is contained in:
Carlos Polop
2025-02-13 11:00:27 +01:00
parent abbd0a816b
commit 615a959bb6
4 changed files with 135 additions and 150 deletions


@@ -1,4 +1,16 @@
# Amazon Macie - Bypass `Reveal Sample` Integrity Check
# AWS - Macie Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Macie
For more information about Macie check:
{{#ref}}
../aws-services/aws-macie-enum.md
{{#endref}}
### Amazon Macie - Bypass `Reveal Sample` Integrity Check
AWS Macie is a security service that automatically detects sensitive data within AWS environments, such as credentials, personally identifiable information (PII), and other confidential data. When Macie identifies a sensitive credential, such as an AWS secret key stored in an S3 bucket, it generates a finding that allows the owner to view a "sample" of the detected data. Typically, once the sensitive file is removed from the S3 bucket, it is expected that the secret can no longer be retrieved.
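Review bot: the new `{{#ref}}` block points at `../aws-services/aws-macie-enum.md`, a path relative to this file's location; since this commit touches 4 files, confirm the target still resolves from wherever the page now lives, otherwise the rendered link breaks. Also, with `## Macie` now introducing the section, the demoted `### Amazon Macie - Bypass \`Reveal Sample\` Integrity Check` repeats the service name; `### Bypass \`Reveal Sample\` Integrity Check` reads cleaner under the new parent heading.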
@@ -6,7 +18,7 @@ However, a **bypass** has been identified where an attacker with sufficient perm
<img src="https://github.com/user-attachments/assets/c44228ae-12cd-41bd-9a04-57f503a63281" height="800" width="auto"/>
## Steps To Reproduce:
**Steps To Reproduce:**
1. Upload a file (e.g., `test-secret.txt`) to an S3 bucket with sensitive data, such as an AWS secret key. Wait for AWS Macie to scan and generate a finding.
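Review bot: demoting `## Steps To Reproduce:` to the bold label `**Steps To Reproduce:**` drops the section from the generated outline; now that the page has a `## Macie` / `###` hierarchy, `#### Steps To Reproduce` keeps the heading levels consistent and navigable while still sitting below the `###` subsection. Separately, the `<img>` above this hunk uses a fixed `height="800"` with `width="auto"`, which does not scale down on narrow viewports; a width-only or max-width constraint is the usual choice in this repo's pages.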
@@ -20,6 +32,6 @@ However, a **bypass** has been identified where an attacker with sufficient perm
6. Observe that Macie still reveals the original secret, despite the file being deleted and replaced with different content **from different accounts, in our case it will be the attacker's account**.
## Summary:
**Summary:**
This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
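Review bot: same heading-to-bold demotion as for Steps To Reproduce; `#### Summary` would keep it in the outline. More substantively, the summary says the attacker needs "sufficient AWS IAM permissions" but never states which Macie actions are required, which is exactly what a page now titled `# AWS - Macie Privesc` should lead with; name the permission(s) here or in the steps above. The closing claim of "service disruptions" is not supported by the described behaviour, which is recovery of an already-detected secret; either drop it or tie the impact to what the recovered credential actually grants.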