Update README to specify Airflow DAG permissions

Clarified that all Airflow DAGs run with the execution role's permissions.
Ben
2025-10-23 16:26:48 -05:00
committed by GitHub
parent 8c472fbf01
commit 3f8aa12ce9


@@ -27,7 +27,7 @@ Documentation Verifying Vuln and Acknowledging Vectorr: [AWS Documentation](http
## Exploitation
All DAGs run with the execution role's permissions. DAGs are Python scripts that can execute arbitrary code - they can use `yum` or `curl` to install tools, download malicious scripts, or import any Python library. DAGs are pulled from an assigned S3 folder and run on schedule automatically, all an attacker needs is ability to PUT to that bucket path.
All Airflow DAGs run with the execution role's permissions. DAGs are Python scripts that can execute arbitrary code - they can use `yum` or `curl` to install tools, download malicious scripts, or import any Python library. DAGs are pulled from an assigned S3 folder and run on schedule automatically, all an attacker needs is ability to PUT to that bucket path.
Anyone who can write DAGs (typically most users in MWAA environments) can abuse this permission:
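Review bot: the replacement line carries over the comma splice and missing article from the line it replaces; "run on schedule automatically, all an attacker needs is ability to PUT to that bucket path" should read "run on schedule automatically; all an attacker needs is the ability to PUT to that bucket path." While touching this paragraph, the hunk header context also shows "Verifying Vuln and Acknowledging Vectorr", where "Vectorr" looks like a typo for "Vector" and "Vuln" could be spelled out, so consider fixing those in the same pass.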