Additional Edges: Developer Tools Services

[ncc-erik-steringer]

Need to look at the various AWS Code* services to look for ways to gain access to other roles/services.

• AWS CodeStar - end to end software development service
• AWS CodePipeline - continuous delivery service
• AWS CodeDeploy - automated app deployment
• AWS CodeCommit - source code storage/versioning
• AWS CodeBuild - build service, run's user-defined code
• AWS CodeArtifact - artifact repository

A bunch of these services have overlaps/etc.

[ncc-erik-steringer]

AWS CodeBuild:

• Let's me run arbitrary commands through a buildspec (inline with a param to codebuild:CreateProject/codebuild:UpdateProject/codebuild:StartProject)
• Running aws sts get-caller-identity from the build environment via buildspec returns the "service role" assigned to a build "project".
• I need iam:PassRole to set the service role
• I think I need iam:CreateRole to create the service role (that was in the error I got instead of iam:CreateServiceLinkedRole).
• I think I need iam:Update/AttachManagedPolicy for the "update role" checkbox, should probably ignore this
• The service role needs to allow codebuild.amazonaws.com in the trust-doc
• Artifact outputs (where we pull creds for the service role) can be overridden when calling codebuild:StartBuild and pointed at any S3 bucket we want (we assume attacker creates a public S3 bucket to point to so we don't have to check S3 perms).
• Buildspec can be overridden when calling codebuild:StartBuild.

Since the "allow CodeBuild to create a service role and modify permissions" scenario ends up requiring the caller to be an admin, we can just do the following:

Existing CodeBuild Projects:

• Gather existing projects and note existing service roles for them
• See who can call codebuild:Startbuild on said projects (no iam:PassRole check here)

New CodeBuild Projects:

• See who can call codebuild:CreateProject, iam:PassRole, and codebuild:StartBuild

EDIT: Done in 59d7c9a4 (v1.1.2-dev)