Closed christofort closed 8 months ago
PR raised here :)
Thanks for reporting! I can't seem to reproduce this in my AWS account:
$ stratus detonate aws.defense-evasion.organizations-leave
2024/01/04 13:54:07 Checking your authentication against AWS
2024/01/04 13:54:07 Warming up aws.defense-evasion.organizations-leave
2024/01/04 13:54:07 Applying Terraform to spin up technique prerequisites
2024/01/04 13:54:22 Attempting to leave the AWS organization (will trigger an Access Denied error)
2024/01/04 13:54:23 Got an access denied error as expected
Any idea what could be causing your issue? There's no harm adding that permission, but I'd like to understand the underlying cause if possible
I think this is because we assume our own role which contains session tags, then with this role we try to assume the stratus role. When you do that in AWS, the session tags are propagated from one session to the other: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining. So it will only work for us with that extra permission unfortunately.
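The trust-policy requirement described in this thread (a caller whose session carries tags, for example via role chaining, needs the target role to allow sts:TagSession as well as sts:AssumeRole) can be checked offline before detonation. The following is an added example, not Stratus Red Team code; the two trust policies are constructed to mirror the issue rather than copied from the project's Terraform, and the account id is a placeholder.

```python
"""Check whether an IAM role trust policy lets a tagged session assume it.

Added example, not part of Stratus Red Team. A caller carrying session tags
(e.g. after role chaining) needs the target role's trust policy to allow
sts:TagSession in addition to sts:AssumeRole."""

import fnmatch

# Actions a tagged caller needs the trust policy to allow.
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:TagSession")


def allowed_actions(trust_policy: dict) -> list:
    """Collect Action patterns from Allow statements. Deny statements and
    Condition blocks are deliberately not evaluated by this simple check."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_for_tagged_session(trust_policy: dict) -> set:
    """Return the required actions that no Allow pattern covers.
    IAM action names are case-insensitive and may use '*' wildcards."""
    patterns = [p.lower() for p in allowed_actions(trust_policy)]
    return {
        action for action in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    }


# Constructed trust policies (placeholder account id, not from the project).
FAILING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole"}],
}

WORKING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": ["sts:AssumeRole", "sts:TagSession"]}],
}
```

Running the check on the failing policy reports sts:TagSession as missing, while the working policy reports nothing missing.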
Merged #463, will be available shortly under v2.12.2
What is not working? When detonating the technique aws.defense-evasion.organizations-leave, the role created by Stratus does not have the sts:TagSession permission set in its Trust Relationship policy. This causes the following error:
The Terraform for the stratus-red-team-leave-org-role has the below definition:
If I add sts:TagSession to the permission set, the detonation works without error. The working IAM definition:
Output of success after editing the permission set:
What OS are you using? Mac OS X
What is your Stratus Red Team version?
stratus version
2.12.1
Full output?
Files in $HOME/.stratus-red-team?
ls -lahR