gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Update AWS KMS post-exploitation documentation

Browse Source 
Clarified KMS policy restrictions and updated ransomware sections.
This commit is contained in:
SirBroccoli
2025-10-07 11:02:01 +02:00
committed by GitHub
parent 29e379d07d
commit 1077cf6f89
1 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
View File

@@ -98,23 +98,22 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
```
> [!CAUTION]
> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be perfoemed from a cross account**.
> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be performed from a cross account**.
<figure><img src="../../../images/image (77).png" alt=""><figcaption></figcaption></figure>
### Generic KMS Ransomware
#### Global KMS Ransomware
There is another way to perform a global KMS Ransomware, which would involve the following steps:
- Create a new **key with a key material** imported by the attacker
- **Re-encrypt older data** encrypted with the previous version with the new one.
- **Re-encrypt older data** of the victim encrypted with the previous version with the new one.
- **Delete the KMS key**
- Now only the attacker, who has the original key material could be able to decrypt the encrypted data
#### Ransomware via kms:DeleteImportedKeyMaterial
With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with Origin=EXTERNAL, making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
### Delete Keys via kms:DeleteImportedKeyMaterial
With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
```bash
aws kms delete-imported-key-material --key-id <Key_ID>
@@ -123,10 +122,9 @@ aws kms delete-imported-key-material --key-id <Key_ID>
### Destroy keys
```bash
# Destoy they key material previously imported making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Destroying keys it's possible to perform a DoS.
```bash
# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \