Endgame: Creating Backdoors in AWS
An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire Internet 😈
Endgame abuses AWS's resource permission model to grant rogue users (or the Internet) access to an AWS account's resources with a single command. It does this through one of three methods:
- Modifying resource-based policies (such as S3 Bucket policies or Lambda Function policies)
- Resources that can be made public through sharing APIs (such as Amazon Machine Images (AMIs), EBS disk snapshots, and RDS database snapshots)
- Sharing resources via AWS Resource Access Manager (RAM)
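As an added example (not code from Endgame or its authors), here is the check a defender would run against the first method above: parse an S3 bucket policy and report every Allow statement whose principal is public or belongs to an account outside a trusted set. The policy and the account IDs are constructed for illustration.

```python
"""Added example (not part of Endgame): flag Allow statements in a bucket
policy whose principal is public or from an account outside a trusted set."""
import json
import re

# Constructed sample policy: one legitimate grant, one that adds a rogue
# account (hypothetical ID 999999999999), one public grant and one Deny.
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Sid": "Ok", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "Rogue", "Effect": "Allow", "Action": "s3:*",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app",
                           "arn:aws:iam::999999999999:root"]}},
    {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "s3:PutObject",
     "Principal": "*"},
]})

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_account(value):
    """Account id behind a principal, '*' if public, None for unmodelled forms."""
    if value == "*" or re.fullmatch(r"\d{12}", value):
        return value
    m = _ARN_ACCOUNT.match(value)
    return m.group(1) if m else None

def _principals(stmt):
    """Flatten the Principal element ('*', {'AWS': str} or {'AWS': [..]})."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]

def find_untrusted_grants(policy_json, trusted_accounts):
    """(Sid, principal) pairs for Allow statements that reach the public or an
    account outside trusted_accounts. Deny statements cannot expose anything."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for prin in _principals(stmt):
            if principal_account(prin) not in trusted_accounts:
                findings.append((stmt.get("Sid", "<no Sid>"), prin))
    return findings
```

Running `find_untrusted_grants(SAMPLE_POLICY, {"111111111111"})` reports the Rogue and Public statements and nothing else; the same logic applies to any resource-based policy document with a Principal element.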
Endgame was created to:
- Push AWS to improve coverage of AWS Access Analyzer so AWS users can protect themselves.
- Show blue teams and developers what kind of damage can be done by overprivileged/leaked accounts.
- Help red teams demonstrate the impact of their access.
Endgame demonstrates (with a bit of shock and awe) how simple human errors in excessive permissions (such as granting `s3:*` access instead of `s3:GetObject`) can be abused by attackers. These are not new attacks, but AWS's ability to detect and prevent these attacks falls short of what customers need to protect themselves. This is what inspired us to write this tool. Follow the Tutorial and observe how you can expose resources across 17 different AWS services to the Internet in a matter of seconds.
The resource types that can be exposed are of high value to attackers. This can include:
- Privileged compute access (by exposing who can invoke
- Database snapshots (`rds`), storage buckets (`s3`), file systems (`elasticfilesystem`), storage backups (`glacier`), disk snapshots (
- Encryption keys (`kms`), secrets (`secretsmanager`), and private certificate authorities (
- Messaging and notification services (
- Compute artifacts (
- Logging endpoints (
- Search and analytics engines (
Endgame is an attack tool, but it was written with a specific purpose. We wrote this tool with desired outcomes for the following audiences:
- AWS: We want AWS to empower their customers with the capabilities to fight these attacks. Our recommendations are outlined in the Recommendations to AWS section.
- AWS Customers and their customers: It is better to have risks be more easily understood and know how to mitigate those risks than to force people to fight something novel. By increasing awareness about Resource Exposure and excessive permissions, we can protect ourselves against attacks where the attackers previously held the advantage and AWS customers were previously left blind.
- Blue Teams: Defense teams can leverage the guidance around user-agent detection, API call detection, and behavioral detection outlined in the Recommendations to Blue Teams section.
- Red Teams: This will make for some very eventful red team exercises. Make sure you give the Blue Team kudos when they catch you!
Endgame can create backdoors for resources in any of the services listed in the table below.
Note: At the time of this writing, AWS Access Analyzer does NOT support auditing 11 out of the 18 services that Endgame attacks. Given that Access Analyzer is intended to detect this exact kind of violation, we kindly suggest to the AWS Team that they support all resources that can be attacked using Endgame. 😊
| Backdoor Resource Type | Endgame | AWS Access Analyzer Support |
|---|---|---|
| ACM Private CAs | ✅ | ❌ |
| CloudWatch Resource Policies | ✅ | ❌ |
| EBS Volume Snapshots | ✅ | ❌ |
| ECR Container Repositories | ✅ | ❌ |
| EFS File Systems | ✅ | ❌ |
| Glacier Vault Access Policies | ✅ | ❌ |
| Secrets Manager Secrets | ✅ | ✅ |
| SES Sender Authorization Policies | ✅ | ❌ |