Closed — ncc-erik-steringer closed 3 years ago

AWS CodeBuild:

- (`codebuild:CreateProject` / `codebuild:UpdateProject` / `codebuild:StartProject`) `aws sts get-caller-identity` from the build environment via buildspec returns the "service role" assigned to a build "project".
- `iam:PassRole` to set the service role
- `iam:CreateRole` to create the service role (that was in the error I got instead of `iam:CreateServiceLinkedRole`).
- `iam:Update/AttachManagedPolicy` for the "update role" checkbox, should probably ignore this
- `codebuild.amazonaws.com` in the trust-doc
- `codebuild:StartBuild` and pointed at any S3 bucket we want (we assume attacker creates a public S3 bucket to point to so we don't have to check S3 perms).
- `codebuild:StartBuild`.
Since the "allow CodeBuild to create a service role and modify permissions" scenario ends up requiring the caller to be an admin, we can just do the following:

Existing CodeBuild Projects:

- `codebuild:StartBuild` on said projects (no `iam:PassRole` check here)

New CodeBuild Projects:

- `codebuild:CreateProject`, `iam:PassRole`, and `codebuild:StartBuild`

EDIT: Done in 59d7c9a4 (`v1.1.2-dev`)
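The two conditions above, written out as a standalone policy-audit check (an added example, not PMapper's graph code and not from this issue). It evaluates simplified IAM identity-policy statements on `Action`/`NotAction` only, honouring wildcard matching and explicit `Deny` precedence; `Resource` and `Condition` elements are ignored, so it over-approximates (flags more paths, never fewer). The three sample policies are constructed for the example.

```python
"""Audit a simplified IAM policy for the two CodeBuild conditions from the
comment above:

  * existing projects: codebuild:StartBuild alone
  * new projects:      codebuild:CreateProject + iam:PassRole + codebuild:StartBuild

Standalone illustration; Resource and Condition elements are ignored, which
over-approximates (reports more paths, never fewer).
"""
import fnmatch
from typing import Any, Dict, List

Policy = Dict[str, Any]

# Constructed sample policies (not taken from the issue or from any real account).
NEW_PROJECT_POLICY: Policy = {
    "Statement": [
        {"Effect": "Allow", "Action": "codebuild:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ]
}
START_ONLY_POLICY: Policy = {
    "Statement": {"Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": "*"}
}
DENIED_PASSROLE_POLICY: Policy = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ]
}


def _as_list(value: Any) -> List[str]:
    """IAM accepts a single string or a list for Action/NotAction; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy: Policy, action: str) -> bool:
    """True if some Allow statement matches `action` and no Deny statement does."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]

    allowed = False
    for stmt in statements:
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        hit = any(_matches(p, action) for p in patterns) or (
            bool(not_patterns) and not any(_matches(p, action) for p in not_patterns)
        )
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def codebuild_escalation_paths(policy: Policy) -> Dict[str, bool]:
    """Report which of the two CodeBuild conditions the policy satisfies."""
    start = action_allowed(policy, "codebuild:StartBuild")
    return {
        "existing_projects": start,
        "new_projects": start
        and action_allowed(policy, "codebuild:CreateProject")
        and action_allowed(policy, "iam:PassRole"),
    }


if __name__ == "__main__":
    for name, pol in [
        ("NEW_PROJECT_POLICY", NEW_PROJECT_POLICY),
        ("START_ONLY_POLICY", START_ONLY_POLICY),
        ("DENIED_PASSROLE_POLICY", DENIED_PASSROLE_POLICY),
    ]:
        print(name, codebuild_escalation_paths(pol))
```

The "existing projects" result is only meaningful for principals that can reach a project whose service role is already attached; the script cannot see that, which is why a graph-based tool like PMapper resolves the edge per project rather than per policy.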
Need to look at the various AWS Code* services to look for ways to gain access to other roles/services. A bunch of these services have overlaps/etc.