# AWS - Elastic Beanstalk Post Exploitation

{{#include ../../../../banners/hacktricks-training.md}}

## Elastic Beanstalk

For more information:

{{#ref}}
../../aws-services/aws-elastic-beanstalk-enum.md
{{#endref}}

### `elasticbeanstalk:DeleteApplicationVersion`

> [!NOTE]
> TODO: Test if more permissions are required for this

An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up.

```bash
aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version
```

**Potential Impact**: Disruption of application deployment and potential loss of application versions.

### `elasticbeanstalk:TerminateEnvironment`

> [!NOTE]
> TODO: Test if more permissions are required for this

An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups.

```bash
aws elasticbeanstalk terminate-environment --environment-name my-existing-env
```

**Potential Impact**: Downtime of the application, potential data loss, and disruption of services.

### `elasticbeanstalk:DeleteApplication`

> [!NOTE]
> TODO: Test if more permissions are required for this

An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up.

```bash
aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force
```

**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss.

### `elasticbeanstalk:SwapEnvironmentCNAMEs`

> [!NOTE]
> TODO: Test if more permissions are required for this

An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior.

```bash
aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2
```

**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments.

### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags`

> [!NOTE]
> TODO: Test if more permissions are required for this

An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management.

```bash
# Tag changes go through the UpdateTagsForResource API, which is authorized by
# the AddTags/RemoveTags permissions; the AWS CLI has no add-tags/remove-tags subcommands.
aws elasticbeanstalk update-tags-for-resource --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags-to-add Key=MaliciousTag,Value=1

aws elasticbeanstalk update-tags-for-resource --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags-to-remove MaliciousTag
```

**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags.
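
For detection, the calls on this page are recorded by CloudTrail under the event source `elasticbeanstalk.amazonaws.com`. The following is an added example, not part of the original page: it filters CloudTrail records for those calls and groups them by caller. The `allowed_arns` parameter, the sample records and the ARNs and IP addresses in them are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# CloudTrail eventName -> impact described on this page. Tag changes are made
# through the UpdateTagsForResource API, so that is the name CloudTrail records.
WATCHED = {
    "DeleteApplicationVersion": "application version deleted",
    "TerminateEnvironment": "environment terminated",
    "DeleteApplication": "application deleted",
    "SwapEnvironmentCNAMEs": "environment CNAMEs swapped",
    "UpdateTagsForResource": "tags added or removed",
}

def find_eb_changes(records, allowed_arns=frozenset()):
    """Return watched Elastic Beanstalk calls grouped by caller ARN."""
    findings = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "elasticbeanstalk.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in WATCHED:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        if arn in allowed_arns:  # hypothetical allow-list, e.g. a deployment role
            continue
        findings[arn].append({
            "time": rec.get("eventTime"),
            "action": name,
            "impact": WATCHED[name],
            # errorCode is present only when the call failed (e.g. AccessDenied)
            "outcome": rec.get("errorCode", "Success"),
            "source_ip": rec.get("sourceIPAddress"),
            "params": rec.get("requestParameters") or {},
        })
    return dict(findings)

# Constructed sample records (not real log data); ARNs and IPs are placeholders.
SAMPLE = json.loads("""[
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"elasticbeanstalk.amazonaws.com","eventName":"TerminateEnvironment","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"environmentName":"my-existing-env"}},
 {"eventTime":"2024-01-01T10:01:00Z","eventSource":"elasticbeanstalk.amazonaws.com","eventName":"DeleteApplication","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"errorCode":"AccessDenied","requestParameters":null},
 {"eventTime":"2024-01-01T10:02:00Z","eventSource":"elasticbeanstalk.amazonaws.com","eventName":"SwapEnvironmentCNAMEs","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/deploy/ci"},"requestParameters":{}},
 {"eventTime":"2024-01-01T10:03:00Z","eventSource":"elasticbeanstalk.amazonaws.com","eventName":"DescribeEnvironments","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}},
 {"eventTime":"2024-01-01T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
]""")

if __name__ == "__main__":
    for arn, items in find_eb_changes(SAMPLE, {"arn:aws:sts::123456789012:assumed-role/deploy/ci"}).items():
        for f in items:
            print(arn, f["time"], f["action"], f["outcome"], f["params"])
```

Failed attempts are kept in the output with their `errorCode`, since a denied `DeleteApplication` from an unexpected principal is as relevant to triage as a successful one.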