hacktricks-cloud/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
Carlos Polop 716aa06779 translate 2
2025-01-01 23:55:27 +01:00

AWS - KMS Persistence

{{#include ../../../banners/hacktricks-training.md}}

KMS

For more information check:

{{#ref}} ../aws-services/aws-kms-enum.md {{#endref}}

Grant access via KMS policies

An attacker could use the permission kms:PutKeyPolicy to give access to a key to a user under his control or even to an external account. Check the KMS Privesc page for more information.

Eternal Grant

Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grants (even identical ones) over the same key.

Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly, and if at some point 1 grant is removed, another 10 should be generated.

(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant)

```bash
# To generate grants, generate 10 like this one
aws kms create-grant \
    --key-id <key-id> \
    --grantee-principal <user_arn> \
    --operations "CreateGrant" "Decrypt"

# To monitor grants
aws kms list-grants --key-id <key-id>
```

Note

A grant can only give permissions from this list of grant operations: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
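From the defender's side, the pattern described above is visible in `aws kms list-grants` output: grants whose operations include `CreateGrant`, and several identical grants held by one principal. The following Python audit is an added example, not part of the original page; the sample grants, principal names and the `audit_grants` helper are constructed for illustration, and the input is assumed to be the complete (already paginated) `list-grants` JSON for one key.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `aws kms list-grants` output (not real data).
SAMPLE = json.dumps({"Grants": [
    {"GrantId": "g-0001", "GranteePrincipal": "arn:aws:iam::111122223333:user/app-service",
     "Operations": ["Decrypt"]},
    {"GrantId": "g-0002", "GranteePrincipal": "arn:aws:iam::111122223333:user/svc-backup",
     "Operations": ["CreateGrant", "Decrypt"]},
    {"GrantId": "g-0003", "GranteePrincipal": "arn:aws:iam::111122223333:user/svc-backup",
     "Operations": ["Decrypt", "CreateGrant"]},  # same set, different order
    {"GrantId": "g-0004", "GranteePrincipal": "arn:aws:iam::111122223333:user/svc-backup",
     "Operations": ["CreateGrant", "Decrypt"]},
    {"GrantId": "g-0005", "GranteePrincipal": "arn:aws:iam::111122223333:role/reporting",
     "Operations": ["Decrypt"]},
    {"GrantId": "g-0006", "GranteePrincipal": "arn:aws:iam::111122223333:role/reporting",
     "Operations": ["Decrypt"]},
]})


def audit_grants(list_grants_json):
    """Flag grants that let the grantee mint more grants, and identical duplicates."""
    grants = json.loads(list_grants_json).get("Grants", [])
    # Group by (principal, operation set) so operation order does not hide duplicates.
    groups = defaultdict(list)
    for grant in grants:
        key = (grant.get("GranteePrincipal"), frozenset(grant.get("Operations", [])))
        groups[key].append(grant["GrantId"])

    findings = []
    for (principal, ops), ids in sorted(groups.items(), key=lambda kv: kv[1]):
        reasons = []
        if "CreateGrant" in ops:
            reasons.append("grantee-can-create-grants")
        if len(ids) > 1:
            reasons.append("duplicate-grants")
        if reasons:
            findings.append({"principal": principal, "operations": sorted(ops),
                             "grant_ids": sorted(ids), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE), indent=2))
```

Because a grantee holding `CreateGrant` can recreate grants that are removed one at a time, every grant ID in a flagged group should be revoked in the same pass (`aws kms revoke-grant --key-id <key-id> --grant-id <grant-id>`), after the principal's other access to the key has been cut off.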
