diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation/README.md index 178cee584d..5cf1d1a16c 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation/README.md @@ -80,7 +80,9 @@ users: The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**. -The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**. +#### Abusing configmap + +The traditional way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**. > [!WARNING] > Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**. 
@@ -89,6 +91,30 @@ For more information about how to **grant extra privileges to IAM roles & users* Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**. +#### Abusing Access Entries + +AWS implementes an additional way to grant IAM users access to the Kubernetes cluster through access entries. If you have the `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` permissions, you may also be able to assign a Kubernetes administrator role to either your user or a specific rol. + +First, **create an access entry for your user or role**: + +``` +aws eks create-access-entry --cluster-name --region --principal-arn --type STANDARD +``` + +With that entry created, you may now be able to assign a policy directly to it. There is a built-in AWS policy called *AmazonEKSClusterAdminPolicy* that may be used directly. Keep in mind that if your environment has some other custom policies that also grant elevated privileges in EKS, you may change the `--policy-arn` to any of those: + +``` +aws eks associate-access-policy --cluster-name --region --principal-arn --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster +``` + +You can search for this policy in AWS official documentation [**here**](https://docs.aws.amazon.com/eks/latest/userguide/access-policy-permissions.html#access-policy-permissions-amazoneksclusteradminpolicy) + +From this point on, you may now be able to request a *k8s* token and interact with the cluster as an administrator: + +``` +aws eks get-token --cluster-name --output json | jq -r '.status.token' +``` + ### From Kubernetes to AWS It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. 
Learn how [**this work in this page**](../../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).
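Review bot: the sentence added under the new `#### Abusing configmap` heading carries over the pre-existing grammar slip "grant **access to over K8s to more AWS IAM users or roles**"; since this line is being rewritten anyway, make it "grant **access over K8s to more AWS IAM users or roles**" (or "access to K8s"). The heading is fine as a sibling of the new `#### Abusing Access Entries`, but `#### Abusing the aws-auth configmap` would make the two subsections read consistently and name the configmap from the heading alone.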
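Review bot: all three command blocks in the Access Entries subsection have flags with no values (`--cluster-name --region --principal-arn`), which is not valid CLI input as written; use explicit placeholders such as `--cluster-name <cluster-name> --region <region> --principal-arn <principal-arn>` in each, and tag the fences with a language (e.g. ```bash) so they render with highlighting. Spelling in the new paragraph: "implementes" -> "implements" and "a specific rol" -> "a specific role"; the sentence ending "[**here**](...)" is also missing its full stop. Since the surrounding text already points readers to CloudTrail to find who created the cluster, a matching one-line pointer that `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` are the calls to look for in CloudTrail would give defenders the corresponding detection point for this path.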