Attack Goals

An attack goal is a defined objective an attacker wants to reach within the AWS account. CodeShield defines more than a dozen attack goals. Example attack goals are: gaining read or write access to databases, modifying the cloud infrastructure, or gaining administrator access on the account.

Within CodeShield, an attack goal is defined by the AWS IAM actions an attacker obtains after performing one of the pre-defined escalation methods within the account.

CodeShield currently defines a total of 22 attack goals. Every attack goal is classified and labeled with techniques and tactics from the official MITRE ATT&CK Cloud Matrix.

The table below gives an overview of all pre-defined attack goals and their mapping to the IAM actions within CodeShield.

| Goal ID | Title | Description | MITRE ATT&CK Tactics |
|---|---|---|---|
| ADMIN_ACCESS | Gain Administrator Access on AWS Account | An attacker was able to gain access to the 'AdministratorAccess' policy, effectively compromising the whole account! | Privilege Escalation |
| BLOCK_USER_ACCESS | Block legitimate account access | An attacker can use the gained privileges to block legitimate users' access to your cloud environment. | Impact |
| DATA_STORAGE_READ | Gain read access on data storages | An attacker can use the gained privileges to exfiltrate data from one of the data storages in your environment. For S3 data exfiltration, the attacker needs to invoke: `aws s3api get-object --bucket <BUCKET_NAME> --key <SOURCE_FILE_PATH> <TARGET_FILE>` | Exfiltration, Collection |
| DATA_STORAGE_WRITE | Gain write access on data storages | An attacker can use the gained privileges to modify data in the data storages of your cloud environment. | Impact |
| DISABLE_CLOUDTRAIL | Disable Logs to CloudTrail | An attacker can use the gained privileges to disable the CloudTrail logs that record activities from the AWS CLI, console or API within your AWS account. This further allows an attacker to navigate in your account without leaving traces. | Defense Evasion |
| DISABLE_CLOUDWATCH | Disable Logs to CloudWatch | An attacker can use the gained privileges to disable the CloudWatch logs of your cloud application. This further allows the attacker to attack the underlying cloud application without leaving traces. | Defense Evasion |
| ESCALATION_NO_IMPACT | Critical actions without impact/newly-gained-privileges found | Actions necessary for a privilege escalation were found, but no new permissions could be acquired by the attacker. The attacker would be able to escalate privileges if the cloud setup allowed it, e.g., passRole is possible but no role to pass exists. This will turn into a security vulnerability as soon as the cloud setup changes accordingly! | Privilege Escalation |
| ESCALATION_UNCLASSIFIED_IMPACT | Privilege escalation allowed the attacker to gain new unclassified permissions | The attacker was able to gain new permissions and potentially access new resources. The gained permissions are not classified by a more concrete attack goal. | Privilege Escalation |
| ESCALATION_WITHOUT_TARGET | Privilege escalation without detected target of escalation action | A possibility for privilege escalation was found for which we could not compute any target resources. This should not be ignored, as it might become possible to escalate at a later point once a fitting resource has been created in the account. E.g., we found that the attacker got access to iam:passRole, but no role was found that was passable by the user. It is highly recommended to still fix this issue, as creating a too open role later might render this scenario exploitable! | Privilege Escalation |
| GAIN_CREDENTIALS_ACCESS | Gain Access to Credentials | An attacker can use the gained privileges to steal sensitive credentials from your cloud account. The credentials can then be used to access other services, such as databases, AWS user accounts or cloud application accounts (Cognito). | Credential Access |
| GAIN_IAM_PRIVILEGES | Gain additional IAM Permissions / IAM Privilege Escalation | An attacker can use the gained privileges to attach further roles to resources or identities and gain access to even more cloud resources. | Privilege Escalation |
| GAIN_USER_ACCESS | Gain access over an AWS user's account | An attacker can use the gained privileges to obtain access to an AWS user's account and then use the newly gained account to modify the infrastructure or exfiltrate data. | Initial Access, Privilege Escalation |
| KMS_DECRYPT | Decrypt data using AWS KMS | An attacker can use the gained privileges to decrypt sensitive data within your account. Using KMS, the attacker can decrypt any data that has been encrypted with the same keys. | N/A |
| KMS_ENCRYPT | Encrypt data using AWS KMS | An attacker can use the gained privileges to encrypt data within the account. If the attacker can access an arbitrary KMS key in a different AWS account and some data storage, this allows a ransomware attack that encrypts all data. https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | Impact |
| MODIFY_EC2_NETWORK | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to modify the EC2 instance hosts, volumes or VPC endpoints. | Lateral Movement |
| MODIFY_EC2_SECURITY | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to open a new port (for instance SSH, port 22) on an EC2 instance. | Lateral Movement |
| SPAWN_COSTLY_SERVICE | Spawn cost-intensive AWS services | An attacker can use the gained privileges to spawn cost-intensive services and increase your cloud bill. Make sure to enable billing alarms on AWS: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html | Impact |
| TAKEOVER_AMPLIFY | Takeover of Amplify | An attacker can use the gained privileges to update your Amplify application with arbitrary new logic. | Impact |
| TAKEOVER_CLOUDFRONT | Takeover of CloudFront Distributions | An attacker can use the gained privileges to replace the origin bucket of your CloudFront distribution. The attacker can attach their own bucket, and an arbitrary website can be served. | Impact |
| TAKEOVER_CODECOMMIT | Takeover of CodeCommit Environment | An attacker can use the gained privileges to steal your application's source code or any other sensitive data within the git repositories. | Collection |
| TAKEOVER_COGNITO | Takeover of Cognito User Pools | An attacker can use the gained privileges to gain access to a user's account on your cloud application served by Cognito. | Credential Access |
| TAKEOVER_EC2 | Takeover of EC2 Instances | An attacker can use the gained privileges to gain root access on an EC2 instance. https://hackingthe.cloud/aws/exploitation/local-priv-esc-mod-instance-att/ | Credential Access |
| TAKEOVER_LAMBDA | Takeover over Lambda | An attacker can use the gained privileges to make an internal Lambda function publicly reachable via a Lambda Function URL. | Impact |
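The paragraphs above define an attack goal by the IAM actions a principal ends up with, and the table maps goals to MITRE ATT&CK tactics. The following added example (not CodeShield's code; the goal-to-action mapping is an assumption chosen from actions the table hints at, not CodeShield's real definitions) evaluates an identity policy document offline and reports which goals its allowed actions reach, honouring IAM wildcards and explicit Deny.

```python
import fnmatch
import json

# ASSUMED illustrative goal definitions, not CodeShield's own mapping:
# goal ID -> (MITRE ATT&CK tactics from the table, representative IAM actions)
GOALS = {
    "DATA_STORAGE_READ":   (["Exfiltration", "Collection"], ["s3:GetObject"]),
    "DATA_STORAGE_WRITE":  (["Impact"], ["s3:PutObject"]),
    "DISABLE_CLOUDTRAIL":  (["Defense Evasion"], ["cloudtrail:StopLogging"]),
    "DISABLE_CLOUDWATCH":  (["Defense Evasion"], ["logs:DeleteLogGroup"]),
    "GAIN_IAM_PRIVILEGES": (["Privilege Escalation"], ["iam:AttachRolePolicy"]),
    "KMS_DECRYPT":         (["N/A"], ["kms:Decrypt"]),
    "KMS_ENCRYPT":         (["Impact"], ["kms:Encrypt"]),
    "MODIFY_EC2_SECURITY": (["Lateral Movement"], ["ec2:AuthorizeSecurityGroupIngress"]),
    "TAKEOVER_LAMBDA":     (["Impact"], ["lambda:CreateFunctionUrlConfig"]),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept "*" and "?" wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """Evaluate one action against an identity policy: an explicit Deny wins.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action", [])))
    return _matches(action, allow) and not _matches(action, deny)

def reachable_goals(policy):
    """Return {goal_id: tactics} for goals with at least one allowed action."""
    return {gid: tactics for gid, (tactics, actions) in GOALS.items()
            if any(is_allowed(policy, a) for a in actions)}

# Constructed sample policy: broad S3 access plus KMS decrypt, writes denied
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for goal, tactics in reachable_goals(SAMPLE_POLICY).items():
        print(f"{goal}: {', '.join(tactics)}")
```

Feeding the output of `aws iam get-policy-version` into `reachable_goals` gives a quick first triage of which rows of the table a given managed policy already grants before any escalation step.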
Last modified September 23, 2022