SSM edge, false positive? #58
Comments
Hi there, The SSM-related edges are about using actions such as PMapper makes the determination that if there's an IAM Role with an EC2 instance profile that has access to call Looking at what you're describing, you've got an IAM Role named
Yeah it's basically RCE over the AWS API :)
There is indeed an "admin-role" instance-profile, however it is not assigned to any EC2 instance, might be a future check to do ;) I thought for some reason it was possible to assume such a role through the trust policy with the principal service "ssm.amazonaws.com". Thanks for the clarification!
In fact that should be possible through ssm:StartAutomationExecution; you can assume a role not assigned on an EC2 instance I think. I will try that asap, if you don't already have the answer ;)
I think you may be right, and the output would probably be accessed through I'm going to avoid scanning EC2 instances for a matching instance profile for the SSM-related findings for now. We'd either end up with a false positive (at the present moment the graph was created, since someone could spin up an instance at a later time) or a false negative, and I think the downside of the false positive is massively outweighed by the downside of the false negative.
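The trade-off in the comment above can be surfaced at triage time rather than inside the graph. The following is an added example, not PMapper's code and not part of the original thread: it labels the role targeted by an SSM finding as `live`, `latent` or `not-applicable` from constructed IAM and EC2 data. The dictionary field names, the `classify` and `trusts_service` helpers and the account ID are assumptions, and trust-policy `Condition` blocks are ignored.

```python
# Added example (not PMapper code): triage one SSM-edge target role against
# the EC2 instances that exist right now. All data here is constructed.

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_service(trust_policy, service):
    """True if an Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and service in _as_list(principal.get("Service")):
            return True
    return False

def classify(role, instances):
    """Return 'live', 'latent' or 'not-applicable' for the target role."""
    profiles = set(role.get("InstanceProfileArns", []))
    if not profiles or not trusts_service(role["TrustPolicy"], "ec2.amazonaws.com"):
        return "not-applicable"
    attached = [i["InstanceId"] for i in instances
                if i.get("IamInstanceProfileArn") in profiles
                and i.get("State") in ("pending", "running")]
    return "live" if attached else "latent"

ACCOUNT = "111122223333"  # constructed placeholder account ID
PROFILE = f"arn:aws:iam::{ACCOUNT}:instance-profile/admin-role"
ADMIN_ROLE = {  # constructed: the profile exists, as in the thread
    "Arn": f"arn:aws:iam::{ACCOUNT}:role/admin-role",
    "InstanceProfileArns": [PROFILE],
    "TrustPolicy": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]}}},
}
INSTANCES = [  # constructed: no running instance carries the admin-role profile
    {"InstanceId": "i-constructed0001", "State": "running",
     "IamInstanceProfileArn": f"arn:aws:iam::{ACCOUNT}:instance-profile/web"},
    {"InstanceId": "i-constructed0002", "State": "stopped",
     "IamInstanceProfileArn": PROFILE},
]

print(ADMIN_ROLE["Arn"], "->", classify(ADMIN_ROLE, INSTANCES))
```

A `latent` result is still a finding under the reasoning above, since an instance with that profile could be launched or started later.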
First, thanks for this great tool, it really helps me understand AWS role dependencies.
However, I tried the privesc module on my environment, and obtained:
According to PMapper, as SSM is an edge, the following user can privesc:
Account arn:aws:iam::XXX544221596:user/external-admin Permission Policy:
Administrative principal role detected as obtainable: arn:aws:iam::XXX544221596:role/admin-role
role/admin-role Permission Policy (AdministratorAccess):
Trust policy
However, I don't see how SSM can be an edge in this case, is this a false positive?
As no EC2 instance got the role/admin-role, and as far as I know, an EC2 instance can't get a role from a Principal service (ec2.amazonaws.com), isn't it?
I tried connecting to an EC2 instance and assuming the role admin-role, without success.
Regards.