
SSM edge, false positive ? #58

Closed
rommate opened this issue Feb 26, 2020 · 5 comments

Comments

rommate commented Feb 26, 2020

First, thanks for this great tool. It really helps me understand AWS role dependencies.

However, I tried the privesc module on my environment, and obtained:

user/external-admin can escalate privileges by accessing the administrative principal role/admin-role
   user/external-admin can call ssm:SendCommand to access an EC2 instance with access to role/admin-role

According to PMapper, as SSM is an edge, the following user can privesc:

Account arn:aws:iam::XXX544221596:user/external-admin Permission Policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:DescribeDirectories",
                "ec2:DescribeInstanceStatus",
                "ssm:SendCommand",
                "ec2messages:*"
            ],
            "Resource": "*"
        }
    ]
}

Administrative principal role detected as obtainable: arn:aws:iam::XXX544221596:role/admin-role
role/admin-role Permission Policy (AdministratorAccess):

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Trust policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

However, I don't see how SSM can be an edge in this case. Is this a false positive?

As no EC2 instance has the role/admin-role, and as far as I know, an EC2 instance can't get a role from a principal service (ec2.amazonaws.com), can it?
I tried connecting to an EC2 instance and assuming the role admin-role, without success.

Regards.

ncc-erik-steringer (Collaborator) commented:
Hi there,

The SSM-related edges are about using actions such as ssm:SendCommand or ssm:StartSession. These basically let you reach into a running EC2 instance and execute commands (through the SSM Agent), which is all you need to get creds for that EC2 instance's IAM Role.

PMapper makes the determination that if there's an IAM Role with an EC2 instance profile that has access to call ssmmessages:CreateControlChannel, and a principal can call the ssm:SendCommand or ssm:StartSession actions, the principal can hit a running EC2 instance for its creds for its IAM Role. That's what we're tracking with an Edge object.

Looking at what you're describing, you've got an IAM Role named admin-role that I assume has an instance profile. This means you can toss it onto an EC2 instance. Assuming that the EC2 instance is running ssm-agent (Amazon Linux has it by default), the permissions of the role have everything that ssm-agent needs to activate. Then, you can use SSM to execute commands on the instance to get creds. Your IAM User named external-admin has permission to call ssm:SendCommand, so it'll be able to hit up an instance with that admin-role for creds, which is why it's tracked using an Edge.

kmcquade commented:

Yeah it's basically RCE over the AWS API :)

rommate (Author) commented Mar 3, 2020

There is indeed an "admin-role" instance-profile, however it is not assigned to any EC2 instance, might be a future check to do ;)

I thought for some reason it was possible to assume such role through the trust policy with the principal service "ssm.amazonaws.com".

Thanks for the clarification!

rommate closed this as completed Mar 3, 2020

rommate (Author) commented Mar 3, 2020

In fact that should be possible through ssm:StartAutomationExecution; you can assume a role not assigned on an EC2 instance I think.

I will try that asap, if you don't already have the answer ;)

ncc-erik-steringer (Collaborator) commented:

I think you may be right, and the output would probably be accessed through ssm:DescribeAutomationExecutions. If I added an edge check there, both of those permissions would be necessary.

I'm going to avoid scanning EC2 instances for a matching instance profile for the SSM-related findings for now. We'd either end up with a false positive (at the present moment the graph was created, since someone could spin up an instance at a later time) or a false negative, and I think the downside of the false positive is massively outweighed by the downside of the false negative.
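As an added example, not PMapper's own code: the edge logic Erik describes above (instance profile plus ssmmessages:CreateControlChannel on the role, ssm:SendCommand or ssm:StartSession on the principal) and the automation check proposed in the last two comments, re-implemented as a small stand-alone Python script over constructed in-memory policies modelled on the ones pasted in this issue. The account id is a placeholder, and user/automation-runner, user/read-only, role/web-role and the instance id are hypothetical. It goes one step beyond the thread in two ways: the SendCommand edge is annotated with whether a running instance actually carries the role instead of being suppressed (the trade-off discussed in the last comment), and the automation edge also requires iam:PassRole, which SSM needs before it will assume an AutomationAssumeRole on the caller's behalf.

```python
import fnmatch

# --- constructed sample graph modelled on the policies pasted in this issue ---
ACCOUNT_ID = "123456789012"  # placeholder, not the issue's account


def arn(name):
    """Build an IAM ARN for a principal name such as 'user/external-admin'."""
    return f"arn:aws:iam::{ACCOUNT_ID}:{name}"


PERMISSION_POLICIES = {
    "user/external-admin": [  # the user from the issue
        {"Effect": "Allow",
         "Action": ["ds:DescribeDirectories", "ec2:DescribeInstanceStatus",
                    "ssm:SendCommand", "ec2messages:*"],
         "Resource": "*"},
    ],
    "user/automation-runner": [  # hypothetical principal for the automation edge
        {"Effect": "Allow",
         "Action": ["ssm:StartAutomationExecution",
                    "ssm:DescribeAutomationExecutions", "iam:PassRole"],
         "Resource": "*"},
    ],
    "user/read-only": [  # hypothetical principal with no SSM rights at all
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
    "role/admin-role": [  # AdministratorAccess, as in the issue
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
    "role/web-role": [  # hypothetical role whose policy cannot activate ssm-agent
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    ],
}

# role -> services allowed to sts:AssumeRole it (from each role's trust policy)
TRUST_POLICIES = {
    "role/admin-role": {"ssm.amazonaws.com", "ec2.amazonaws.com"},
    "role/web-role": {"ec2.amazonaws.com"},
}

INSTANCE_PROFILES = {"role/admin-role", "role/web-role"}  # roles with an instance profile

# constructed: only web-role is on a running instance; admin-role is unused, as in the issue
RUNNING_INSTANCES = {"i-0123456789abcdef0": "role/web-role"}


def is_allowed(principal, action):
    """Simplified IAM evaluation: true if any Allow statement's Action pattern
    matches. Deny statements, Resource and Condition are ignored, so this
    over-approximates, which is the right direction for a reachability check."""
    for stmt in PERMISSION_POLICIES.get(principal, []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and patterns may use '*' and '?'
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def ssm_edges(principal):
    """Return SSM-related escalation edges from `principal` as
    (target_role, via, note) tuples, following the reasoning in this thread."""
    edges = []
    for role in (p for p in PERMISSION_POLICIES if p.startswith("role/")):
        # Edge 1: run commands on an EC2 instance that carries the role.
        can_reach = (is_allowed(principal, "ssm:SendCommand")
                     or is_allowed(principal, "ssm:StartSession"))
        agent_ok = (role in INSTANCE_PROFILES
                    and is_allowed(role, "ssmmessages:CreateControlChannel"))
        if can_reach and agent_ok:
            in_use = role in RUNNING_INSTANCES.values()
            note = ("instance currently running" if in_use
                    else "no running instance observed; edge is potential")
            edges.append((role, "ssm:SendCommand/StartSession", note))
        # Edge 2: SSM Automation assumes the role on the caller's behalf.
        automation_ok = (
            "ssm.amazonaws.com" in TRUST_POLICIES.get(role, set())
            and is_allowed(principal, "ssm:StartAutomationExecution")
            and is_allowed(principal, "ssm:DescribeAutomationExecutions")
            and is_allowed(principal, "iam:PassRole")  # needed to pass AutomationAssumeRole
        )
        if automation_ok:
            edges.append((role, "ssm:StartAutomationExecution",
                          "role trusts ssm.amazonaws.com"))
    return edges


if __name__ == "__main__":
    for user in (p for p in PERMISSION_POLICIES if p.startswith("user/")):
        for role, via, note in ssm_edges(user):
            print(f"{arn(user)} -> {arn(role)} via {via} ({note})")
```

Run as a script it prints one line per edge; for user/external-admin that is the admin-role edge, flagged as potential because no running instance uses that instance profile, which is exactly the situation reported in the issue.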

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
…n_details

Added information on how to contribute