@SpenGietz I've read https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ and also the different escalation methods listed in aws-pentest-tools/aws_escalate.py.
IMHO in the blog post, "13. Updating the code of an existing Lambda function" could allow admin privilege escalation only if the function does run as admin, because lambda:UpdateFunctionCode does not allow you to change the role with which the function runs. This means that maybe you want to remove that from the script, or make the output look different? For example: "Partial privilege escalation"?
On the other hand, neither the blog post nor the code references lambda:UpdateFunctionConfiguration, which does allow you to set the role the function will run as.
What do you think about adding these to escalation_methods:
'UpdateExistingLambdaFunctionConfigurationWithRole': {
'lambda:UpdateFunctionConfiguration': True,
'lambda:InvokeFunction': True
}
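The following is an added example, not code from aws_escalate.py or from the commenter: it evaluates a principal's IAM actions against Lambda-based escalation methods written in the same `{permission: True}` shape the comment proposes, and reports the UpdateFunctionCode path as "partial" (it inherits whatever role the target function already has) versus the UpdateFunctionConfiguration path as "full". The method name `UpdateExistingLambdaFunctionCode`, the `partial` flag, the wildcard/deny handling and the sample policies are this example's own assumptions; `iam:PassRole` is added here because attaching a different execution role to a function requires it.

```python
"""Added example (not part of aws_escalate.py): match a principal's IAM
actions against Lambda escalation methods and distinguish full from
partial escalation, as the issue suggests."""
import fnmatch

# Required actions per method, in the {action: True} shape used in the issue.
# 'partial' marks a method that only grants the privileges of the target
# function's existing role: UpdateFunctionCode cannot change that role.
# Method names and the 'partial' flag are assumptions of this example.
ESCALATION_METHODS = {
    "UpdateExistingLambdaFunctionCode": {
        "permissions": {
            "lambda:UpdateFunctionCode": True,
            "lambda:InvokeFunction": True,
        },
        "partial": True,
    },
    "UpdateExistingLambdaFunctionConfigurationWithRole": {
        "permissions": {
            "lambda:UpdateFunctionConfiguration": True,
            "lambda:InvokeFunction": True,
            # Added here beyond the issue's proposal: setting a new Role on the
            # function requires iam:PassRole for that role.
            "iam:PassRole": True,
        },
        "partial": False,
    },
}


def _matches(action, pattern):
    """IAM action matching is case-insensitive and supports '*' wildcards
    (e.g. 'lambda:*' or 'lambda:Update*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(action, allowed, denied=()):
    """Miniature IAM evaluation: an explicit Deny wins over any Allow."""
    if any(_matches(action, d) for d in denied):
        return False
    return any(_matches(action, a) for a in allowed)


def find_escalation_methods(allowed, denied=()):
    """Return {method_name: 'full' | 'partial'} for every method whose
    required actions are all effectively allowed."""
    found = {}
    for name, spec in ESCALATION_METHODS.items():
        if all(action_allowed(p, allowed, denied) for p in spec["permissions"]):
            found[name] = "partial" if spec["partial"] else "full"
    return found


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real account.
    samples = {
        "code-only": ({"lambda:UpdateFunctionCode", "lambda:InvokeFunction"}, ()),
        "lambda-wildcard+passrole": ({"lambda:*", "iam:PassRole"}, ()),
        "wildcard-with-deny": ({"lambda:*", "iam:PassRole"},
                               {"lambda:UpdateFunctionConfiguration"}),
    }
    for label, (allowed, denied) in samples.items():
        print(label, "->", find_escalation_methods(allowed, denied))
```

Each reported method is prefixed with its level, so a reader of the script output can tell that code replacement alone is bounded by the target function's current role, while a configuration change (given PassRole) escalates to any role the caller can pass.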