safety: add permissions boundary that neutralizes the role

DataDog · Feb 9, 2024 · c3fcba6 · c3fcba6
1 parent c8263f6
commit c3fcba6
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	_ "embed"
 	"errors"
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
 	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
@@ -37,6 +38,8 @@ Detonation:
 
 - Attach the 'AdministratorAccess' managed IAM policy to it. 
 
+*Note: For safety reasons, the detonation code makes sure that this role has no real effective permissions, by attaching it an empty permissions boundary..*
+
 References:
 
 - https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
@@ -75,14 +78,15 @@ func detonate(_ map[string]string, providers stratus.CloudProviders) error {
 	input := &iam.CreateRoleInput{
 		RoleName:                 &roleName,
 		AssumeRolePolicyDocument: &maliciousTrustPolicy,
+		PermissionsBoundary:      aws.String("arn:aws:iam::aws:policy/AWSDenyAll"),
 	}
 
 	_, err := iamClient.CreateRole(context.Background(), input)
 	if err != nil {
 		return errors.New("Unable to create IAM role: " + err.Error())
 	}
 
-	log.Println("IAM role created: " + roleName)
+	log.Println("Backdoor IAM role created: " + roleName)
 
 	attachPolicyInput := &iam.AttachRolePolicyInput{
 		RoleName:  &roleName,