DataDog / stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0
1.78k stars, 208 forks

[AWS] Add boundary support #508

Closed Renizmy closed 1 month ago

Renizmy commented 5 months ago

Hello. In corporate environments, it is common to have boundary policies implemented. It could be interesting to be able to import them to be more "realistic".

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

christophetd commented 5 months ago

Thanks for the suggestion!

To make sure I understand this properly, are you suggesting that we add a new attack technique related to permissions boundaries, or something else?

Renizmy commented 5 months ago

Something else. For example, this scenario needs to create a new role. In corporate environments, a common scenario is to restrict the creation of new roles by importing a boundary.

The main idea is to add an optional parameter to be able to import a boundary when creating this type of resource.

christophetd commented 5 months ago

What do you mean by "import a boundary"?

Renizmy commented 5 months ago

Something like it: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#permissions_boundary
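
An added example (not code from the stratus-red-team project) of the optional parameter described above: a Terraform variable that, when set, attaches a permissions boundary to the role a technique creates, alongside the kind of policy a corporate account uses to require one. The variable name, role name and the boundary ARN are assumptions.

```hcl
# Added example, not stratus-red-team code. Shows how a technique's
# Terraform could accept an optional permissions boundary for the roles
# it creates. Variable and resource names are assumptions.

variable "permissions_boundary_arn" {
  description = "ARN of the boundary policy to attach to created roles (null = none)"
  type        = string
  default     = null
}

resource "aws_iam_role" "technique_role" {
  name = "stratus-red-team-example-role"

  # Terraform treats null as "argument not set", so the boundary is only
  # attached when the operator supplies one.
  permissions_boundary = var.permissions_boundary_arn

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# The corporate control this accommodates: an identity policy (or SCP)
# that only allows iam:CreateRole when the approved boundary is attached.
# Rendered only when a boundary ARN was given.
data "aws_iam_policy_document" "require_boundary" {
  count = var.permissions_boundary_arn == null ? 0 : 1

  statement {
    effect    = "Allow"
    actions   = ["iam:CreateRole"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [var.permissions_boundary_arn]
    }
  }
}
```

Running `terraform apply -var permissions_boundary_arn=arn:aws:iam::123456789012:policy/CorpBoundary` (placeholder account and policy) creates the role with the boundary attached; omitting the variable creates it without one, as today.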

christophetd commented 1 month ago

The current prerequisites for Stratus Red Team indicate that you should run it as admin, in a sandbox. Documenting each and every permission required for each technique might be a valuable item; I'm going to track this in #555.