kmcquade
/ AWS API calls that return credentials.md
Last active
April 30, 2025 02:52
AWS API calls that return credentials
kmcquade
/ PreventMarketplaceImages.json
Last active
October 27, 2021 14:19
Testing this out with AWS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "VisualEditor0", | |
| "Effect": "Deny", | |
| "Action": "ec2:RunInstances", | |
| "Resource": "arn:aws:ec2:*::image/ami-*", | |
| "Condition": { | |
| "StringNotEquals": { |
kmcquade
/ brick-aws.sh
Last active
September 26, 2023 22:52
One-liner to brick AWS accounts from the Master Payer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws organizations attach-policy \ | |
| --policy-id $(aws organizations create-policy --name pwn \ | |
| --type SERVICE_CONTROL_POLICY \ | |
| --description "pwn" | |
| --content '{"Version": "2012-10-17","Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}' \ | |
| | jq ".Policy.PolicySummary.Id"\ | |
| ) \ | |
| --target-id $(aws organizations list-roots | jq ".Roots | .[0].Id") |
noamsdahan
/ passrole_actions_and_parameters.csv
Last active
April 19, 2024 05:54
A list of IAM actions which require iam:PassRole as of December 2020. Nested parameters are written with dot ('.') notation. Where there are multiple relevant parameters, they are separated by the pipe character ('|'). consult the AWS documentation on special cases - noted with an asterisk (most of them are "array of documents" type parameters).…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IAM Permission | Params | |
|---|---|---|
| amplify:CreateApp | iamServiceRoleArn | |
| amplify:UpdateApp | iamServiceRoleArn | |
| appconfig:CreateConfigurationProfile | RetrievalRoleArn | |
| appconfig:UpdateConfigurationProfile | RetrievalRoleArn | |
| appflow:CreateConnectorProfile | connectorProfileConfig.connectorProfileProperties.Redshift.roleArn | |
| appflow:UpdateConnectorProfile | connectorProfileConfig.connectorProfileProperties.Redshift.roleArn | |
| application-autoscaling:RegisterScalableTarget | RoleARN | |
| apprunner:CreateService | SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn | |
| apprunner:UpdateService | SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn |
iann0036
/ gist:b473bbb3097c5f4c656ed3d07b4d2222
Last active
May 12, 2025 22:39
List of expensive / long-term effect AWS IAM actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| acm-pca:CreateCertificateAuthority | |
| aws-marketplace:AcceptAgreementApprovalRequest | |
| aws-marketplace:Subscribe | |
| backup:PutBackupVaultLockConfiguration | |
| bedrock:CreateProvisionedModelThroughput | |
| bedrock:UpdateProvisionedModelThroughput | |
| devicefarm:PurchaseOffering | |
| dynamodb:PurchaseReservedCapacityOfferings | |
| ec2:ModifyReservedInstances | |
| ec2:PurchaseCapacityBlock |
z0ph
/ sso_assumer.sh
Created
June 3, 2022 13:46
Bash script to run an AWS CLI command across all your AWS Accounts (AWS SSO wide)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # From Victor (zoph) Grenu from zoph.io - https://zoph.io | |
| # Twitter: @zoph | |
| TARGET_ROLE_NAME="AdministratorAccess" | |
| ## Get list of AWS accounts using SSO | |
| AWS_ACCESS_TOKEN=$(cat $(ls -1d ~/.aws/sso/cache/* | grep -v botocore) | jq -r "{accessToken} | .[]") | |
| ACCOUNTS_IDS=($(aws sso list-accounts --access-token $AWS_ACCESS_TOKEN | jq -r '.accountList[] | .accountId')) |
hashbrowncipher
/ contracts_do_not_bind.md
Last active
August 15, 2022 16:21
Why contracts within engineering organizations don't work.
One time at work, my team was upgrading an open source search-engine-cum-database that had an unfortunate predilection for breaking its external API. We had already deployed the new version of the database with its breaking changes, and now it was time to herd our customers off of the old version and onto the new version. Our customers were naturally reticent: for most of them it was just a bunch of work for very little reward. The migration would require careful testing, and just generally it didn't sound like a fun time. To top the situation off, some of these customers' services hadn't been touched in years, and the original authors had long since left.
I'm proud to say that my team was significantly more interested in accommodating our customers' needs than some other DBA teams I've worked with or around. During the migration we spent a fair bit of time chewing on ways to lessen the burden we placed on our customers. At one point the possibility of simply "handing off" the outdated search engines was dis
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Talks and blog posts that all newcomers should check out when interested in Cloud Security | |
| Bringing a machete to the amazon (Peterson) | |
| https://youtu.be/y8nftRzbiXk | |
| Flying a false flag: (Landers) | |
| https://youtu.be/2BEwqbCbQuM | |
| Another day another billion packets (Brandwine) | |
| https://youtu.be/3qln2u1Vr2E |
jchrisfarris
/ disable_security_hub_standards.sh
Last active
July 8, 2023 17:51
Disable All Security Controls in Security Hub
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ROLENAME=$1 | |
| if [ -z $ROLENAME ] ; then | |
| echo "usage $0 <ROLENAME>" | |
| exit 1 | |
| fi | |
| while read line ; do |
badideasforsale
/ create_gha_oidc_in_aws.sh
Last active
March 24, 2024 04:08
Create OIDC connection for GitHub Actions to use in AWS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Get role name, git org or user, and git repo | |
| # If not set, error out later | |
| # @TODO: add help text | |
| # @TODO: verify org/repo are not wildcards | |
| while getopts ":r:o:g:h" opt; do | |
| case $opt in | |
| r) ROLE_NAME="$OPTARG" |