Skip to content

Mwaa post exploitation #226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Oct 23, 2025
Merged

Mwaa post exploitation #226

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6fc8a81
Add AWS MWAA post-exploitation documentation
AI-redteam Oct 21, 2025
0d4fb44
Add README for AWS MWAA post-exploitation
AI-redteam Oct 23, 2025
65a1490
Update README to clarify policy tightening process
AI-redteam Oct 23, 2025
8c472fb
Revise README for AWS MWAA execution role vulnerability
AI-redteam Oct 23, 2025
3f8aa12
Update README to specify Airflow DAG permissions
AI-redteam Oct 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions ...g-cloud/aws-security/aws-post-exploitation/aws-mwaa-post-exploitation/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# AWS MWAA Execution Role Account Wildcard Vulnerability

## The Vulnerability

MWAA's execution role (the IAM role that Airflow workers use to access AWS resources) requires this mandatory policy to function:

```json
{
"Effect": "Allow",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:us-east-1:*:airflow-celery-*"
}
```

The wildcard (`*`) in the account ID position allows the role to interact with **any SQS queue in any AWS account** that starts with `airflow-celery-`. This is required because AWS provisions MWAA's internal queues in a separate AWS-managed account. There is no restriction on making queues with the `airflow-celery-` prefix.

**Cannot be fixed:** Removing the wildcard pre-deployment breaks MWAA completely - the scheduler can't queue tasks for workers.

Documentation Verifying Vuln and Acknowledging Vectorr: [AWS Documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html)

## Exploitation

All Airflow DAGs run with the execution role's permissions. DAGs are Python scripts that can execute arbitrary code - they can use `yum` or `curl` to install tools, download malicious scripts, or import any Python library. DAGs are pulled from an assigned S3 folder and run on schedule automatically, all an attacker needs is ability to PUT to that bucket path.

Anyone who can write DAGs (typically most users in MWAA environments) can abuse this permission:

1. **Data Exfiltration**: Create a queue named `airflow-celery-exfil` in an external account, write a DAG that sends sensitive data to it via `boto3`

2. **Command & Control**: Poll commands from an external queue, execute them, return results - creating a persistent backdoor through SQS APIs

3. **Cross-Account Attacks**: Inject malicious messages into other organizations' queues if they follow the naming pattern

All attacks bypass network controls since they use AWS APIs, not direct internet connections.

## Impact

This is an architectural flaw in MWAA with no IAM-based mitigation. Every MWAA deployment following AWS documentation has this vulnerability.

**Network Control Bypass:** These attacks work even in private VPCs with no internet access. The SQS API calls use AWS's internal network and VPC endpoints, completely bypassing traditional network security controls, firewalls, and egress monitoring. Organizations cannot detect or block this data exfiltration path through network-level controls.