@kmcquade
Last active May 2, 2024 14:39
AWS API calls that return credentials

kmcquade commented Dec 24, 2020

This one is really interesting. I was reading about how to link up AWS Chatbot to Slack and thought about the potential for using Slack as an attack vector. Seems like AWS has anticipated this; the AWS Chatbot documentation says here that they do not support commands denied by the following IAM Policy:

```json
{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",
        "cognito-identity:*",
        "connect:GetFederationToken",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "ec2:GetPasswordData",
        "ecr:GetAuthorizationToken",
        "ecr:GetLogin",
        "gamelift:RequestUploadCredentials",
        "gamelift:GetInstanceAccess",
        "lightsail:DownloadDefaultKeyPair",
        "lightsail:GetInstanceAccessDetail",
        "lightsail:GetKeyPair",
        "lightsail:GetKeyPairs",
        "iam:*",
        "kms:*",
        "redshift:GetClusterCredentials",
        "sdb:*",
        "secretsmanager:*",
        "sso:*",
        "sso-admin:*",
        "sso-oidc:*",
        "storagegateway:DescribeChapCredentials",
        "sts:*",
        "s3:GetObject",
        "s3:HeadObject",
        "snowball:GetJobUnlockCode"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```

There is a strong overlap between that list and the ones provided on my list above.

If you are looking to prevent Data Exfiltration and Credential Exposure, I would suggest blocking the combination of both of these.

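One defensive use of the deny list quoted above, as an added example that is not part of the gist: take the action patterns out of the policy and run them over CloudTrail records to surface credential-returning API calls. The policy here is trimmed to a few of its actions and the CloudTrail records are constructed samples.

```python
import fnmatch
import json

# Deny statement quoted in the comment above, trimmed to a few of its actions.
DENY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Deny", "Resource": "*",
  "Action": ["ec2:GetPasswordData", "iam:*", "sts:*", "s3:GetObject",
             "secretsmanager:*", "redshift:GetClusterCredentials"]}]}""")

# Constructed CloudTrail records, reduced to the three fields used here.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/chatbot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/chatbot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/chatbot"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def denied_actions(policy):
    """Action patterns from every Deny statement (Action may be str or list)."""
    acts = [s["Action"] for s in policy["Statement"] if s.get("Effect") == "Deny"]
    return [p for a in acts for p in ([a] if isinstance(a, str) else a)]


def action_matches(action, patterns):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def event_action(event):
    """CloudTrail record -> 'service:Action'. For the services in this list the
    eventSource prefix equals the IAM service prefix (not true of every service)."""
    return event["eventSource"].split(".")[0] + ":" + event["eventName"]


def flag_credential_calls(events, policy=DENY_POLICY):
    """Return (principal ARN, action) for each call the deny list would block."""
    patterns = denied_actions(policy)
    return [(e["userIdentity"]["arn"], event_action(e))
            for e in events if action_matches(event_action(e), patterns)]


if __name__ == "__main__":
    for arn, action in flag_credential_calls(SAMPLE_EVENTS):
        print(f"credential-returning call: {action} by {arn}")
```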

kmcquade commented Jan 3, 2021

Note: I reflected this in a recent blog post: https://kmcquade.com/2020/12/sensitive-aws-api-calls/.
