DataDog / stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0

Incorrect IAM permissions causing Stratus to error on detonation of aws.defense-evasion.organizations-leave #462

Closed christofort closed 8 months ago

christofort commented 9 months ago

What is not working? When detonating the technique aws.defense-evasion.organizations-leave, the role created by Stratus does not have the sts:TagSession permission set in its Trust Relationship policy. This causes the following error:

2024/01/04 10:49:17 go run cmd/stratus/*.go detonate aws.defense-evasion.organizations-leave
2024/01/04 10:50:17 Checking your authentication against AWS
Authentication Succeeded!
Authentication Succeeded!
2024/01/04 10:51:20 Error while detonating attack technique aws.defense-evasion.organizations-leave: unable to assume role arn:aws:iam::0000:role/stratus-red-team-leave-org-role: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: xxxxxxx-xx-xx-xx-xx, api error AccessDenied: User: arn:aws:sts::0000:assumed-role/role-name/user@aws-account is not authorized to perform: sts:TagSession on resource: arn:aws:iam::0000:role/stratus-red-team-leave-org-role
exit status 1

The Terraform for the stratus-red-team-leave-org-role has the below definition:

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "role" {
  name = "${local.resource_prefix}-role"
  # Trust policy: only sts:AssumeRole and sts:SetSourceIdentity are granted,
  # so a caller whose session carries tags is refused sts:TagSession.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = ["sts:AssumeRole", "sts:SetSourceIdentity"]
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = data.aws_caller_identity.current.account_id
        }
      },
    ]
  })
}

If I add sts:TagSession to the permission set, the detonation works without error. The working IAM definition:

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "role" {
  name = "${local.resource_prefix}-role"
  # Trust policy with sts:TagSession added so tagged sessions can assume the role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"]
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = data.aws_caller_identity.current.account_id
        }
      },
    ]
  })
}

Output of success after editing the permission set:

2024/01/04 10:54:31 go run cmd/stratus/*.go detonate aws.defense-evasion.organizations-leave
2024/01/04 10:55:10 Checking your authentication against AWS
Authentication Succeeded!
2024/01/04 10:55:15 Warming up aws.defense-evasion.organizations-leave
2024/01/04 10:55:15 Initializing Terraform to spin up technique prerequisites
2024/01/04 10:55:30 Applying Terraform to spin up technique prerequisites
Authentication Succeeded!
Authentication Succeeded!
Authentication Succeeded!
2024/01/04 10:56:00 Attempting to leave the AWS organization (will trigger an Access Denied error)
2024/01/04 10:56:01 Got an access denied error as expected

What OS are you using? Mac OS X

What is your Stratus Red Team version? stratus version 2.12.1

Full output?

2024/01/04 10:50:17 go run cmd/stratus/*.go detonate aws.defense-evasion.organizations-leave
2024/01/04 10:50:17 Checking your authentication against AWS
Authentication Succeeded!
Authentication Succeeded!
2024/01/04 10:51:20 Error while detonating attack technique aws.defense-evasion.organizations-leave: unable to assume role arn:aws:iam::0000:role/stratus-red-team-leave-org-role: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: xxxxxxx-xx-xx-xx-xx, api error AccessDenied: User: arn:aws:sts::0000:assumed-role/role-name/user@aws-account is not authorized to perform: sts:TagSession on resource: arn:aws:iam::0000:role/stratus-red-team-leave-org-role
exit status 1

Files in $HOME/.stratus-red-team? ls -lahR

total 140232
drwxr--r--@  4 user  staff   128B  4 Jan 11:00 .
drwx------+ 44 user  staff   1.4K  4 Jan 11:15 ..
drwxr--r--   2 user  staff    64B  4 Jan 11:00 aws.defense-evasion.organizations-leave
-rwx------@  1 user  staff    68M  2 Jan 10:15 terraform

./aws.defense-evasion.organizations-leave:
total 0
drwxr--r--  2 user  staff    64B  4 Jan 11:00 .
drwxr--r--@ 4 user  staff   128B  4 Jan 11:00 ..
christofort commented 9 months ago

PR raised here :)

christophetd commented 9 months ago

Thanks for reporting! I can't seem to reproduce this in my AWS account:

$ stratus detonate aws.defense-evasion.organizations-leave
2024/01/04 13:54:07 Checking your authentication against AWS
2024/01/04 13:54:07 Warming up aws.defense-evasion.organizations-leave
2024/01/04 13:54:07 Applying Terraform to spin up technique prerequisites
2024/01/04 13:54:22 Attempting to leave the AWS organization (will trigger an Access Denied error)
2024/01/04 13:54:23 Got an access denied error as expected

Any idea what could be causing your issue? There's no harm adding that permission, but I'd like to understand the underlying cause if possible.

christofort commented 8 months ago

I think this is because we assume our own role which contains session tags, then with this role we try to assume the stratus role. When you do that in AWS, the session tags are propagated from one session to the other: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining. So it will only work for us with that extra permission, unfortunately.
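
The failure mode described in the original report and in the comment above (a caller session that carries session tags chaining into a role whose trust policy grants sts:AssumeRole and sts:SetSourceIdentity but not sts:TagSession) can be checked offline from the trust policy document itself. The Python below is an added example, not code from stratus-red-team or from either commenter. It embeds the issue's trust policy as a constructed dict with a placeholder account id, works out which sts actions a chained AssumeRole call will exercise, and reports the ones the trust policy does not grant to the caller's account. It assumes any policy conditions are satisfied and does not handle NotAction or NotPrincipal; those are simplifications of the real IAM evaluation.

```python
"""Offline trust-policy check for chained AssumeRole calls.

Added example, not stratus-red-team code. Given a role trust policy and what
the calling session carries (explicit session tags, transitive tags inherited
from its own session, a source identity), report which sts actions the call
needs that the trust policy does not grant to the caller's account.
"""
import re

STS_ASSUME = "sts:AssumeRole"
STS_TAG = "sts:TagSession"
STS_SOURCE_ID = "sts:SetSourceIdentity"

# Placeholder account id (constructed); the issue redacts the real one as 0000.
ACCOUNT = "000000000000"

# Equivalent of the issue's original assume_role_policy after jsonencode.
STRATUS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT},
        "Action": [STS_ASSUME, STS_SOURCE_ID],
    }],
}

# Equivalent of the fixed policy from the issue, with sts:TagSession added.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT},
        "Action": [STS_ASSUME, STS_SOURCE_ID, STS_TAG],
    }],
}


def required_sts_actions(session_tags=None, transitive_caller_tags=None,
                         source_identity=None):
    """Actions an AssumeRole call exercises against the target trust policy.

    sts:TagSession is needed both when tags are passed explicitly and when the
    caller's own session has transitive tags, because AWS propagates those
    into the new session during role chaining (the situation in this issue).
    """
    needed = {STS_ASSUME}
    if session_tags or transitive_caller_tags:
        needed.add(STS_TAG)
    if source_identity:
        needed.add(STS_SOURCE_ID)
    return needed


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _principal_matches(principal, caller_account):
    """True if the statement's Principal covers any identity in caller_account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for entry in _as_list(principal.get("AWS")):
        if entry in ("*", caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
        if entry.startswith((f"arn:aws:iam::{caller_account}:",
                             f"arn:aws:sts::{caller_account}:")):
            return True
    return False


def granted_sts_actions(trust_policy, caller_account, candidates):
    """Subset of `candidates` the trust policy allows for the caller.

    An explicit Deny beats any Allow, as in IAM. Conditions are assumed to be
    satisfied (simplification).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(trust_policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_account):
            continue
        bucket = allowed if effect == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in candidates if _action_matches(pattern, a))
    return allowed - denied


def missing_trust_permissions(trust_policy, caller_account, **session_kwargs):
    """Sorted list of sts actions the call needs but the trust policy withholds."""
    needed = required_sts_actions(**session_kwargs)
    return sorted(needed - granted_sts_actions(trust_policy, caller_account, needed))


def demo():
    """Untagged session succeeds; a tagged (chained) session is missing TagSession."""
    plain = missing_trust_permissions(STRATUS_TRUST_POLICY, ACCOUNT)
    chained = missing_trust_permissions(STRATUS_TRUST_POLICY, ACCOUNT,
                                        transitive_caller_tags={"team": "sec"})
    return plain, chained


if __name__ == "__main__":
    print(demo())  # ([], ['sts:TagSession'])
```

Run against trust policies fetched with `aws iam get-role`, the check points at roles that will refuse callers whose sessions carry transitive tags, which is exactly what the AccessDenied in the report says; read the other way, it also lists which roles accept sts:TagSession from a given account, useful when auditing ABAC-style trust relationships.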

christophetd commented 8 months ago

Merged #463, will be available shortly under v2.12.2