CloudPrivs: Determine privileges from cloud credentials
CloudPrivs
CloudPrivs is a tool that leverages the existing power of SDKs such as Boto3 to brute-force the privileges of a given set of cloud credentials across every cloud service, determining which operations those credentials are allowed to perform.
This tool is useful for pentesters, red teamers, and other security professionals. Cloud services typically offer no way to determine what permissions a given set of credentials has, and the sheer number of services and operations makes confirming them manually a daunting task. This can mean privilege escalation is possible from a set of credentials but nobody ever knows it, because they simply don't know that the AWS credentials they found can execute Lambda.
How it works
Unlike other tools such as WeirdAAL that hand-write each test case, CloudPrivs directly queries the Boto3 SDK to dynamically generate a list of all available services and all available regions for each service.
Once a full list is generated, each function is called without arguments by default, although the option to add custom arguments per operation is supported (more info at #Customizing).
Note: some AWS functions can incur costs when called. To mitigate accidental costs I have only allowed operations starting with `get_`, `list_`, and `describe_`, which appears to be safe in my own testing, but please use this with caution. The same approach appears to be safe in other tools like enumerate-iam, but I don't guarantee you won't accidentally incur costs when calling all these functions (even if it's without arguments).
Customizing
CloudPrivs supports easy extension/customizing in two areas:
- Providers
- Custom tests
Providers
Implementing a new provider (e.g. GCP) is simple:
- Write the logic to do the tests; naming convention and structure do not matter
- Under the `CloudPrivs/providers` folder, create a new folder for your provider (e.g. `gcp`)
- In the `CloudPrivs/providers/__init__.py` file, add your provider to the `__all__` variable; it must match the name of the folder
- Create a file called `cli.py` in your provider folder
- Use Click to create a CLI for your provider and name your CLI entry function `cli` (see the AWS provider for reference)
- Done! Running `cloudprivs <provider>` should now show your CLI
Custom Tests
The AWS provider supports the injection of arguments when calling AWS functions. This feature exists because an AWS function often requires arguments in order to be called, and in some cases these arguments can be fixed values. This means that if we can provide dummy values we can increase our testing coverage. In other cases we can inject arguments like `dryrun=true` to make calls go faster.
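The enumeration loop from the How it works section, combined with the argument injection just described, as an added example that is not CloudPrivs' own code: it filters a client's methods to the safe `get_`/`list_`/`describe_` prefixes, injects per-operation kwargs from a mapping in the (assumed) shape of the loaded CustomTests file, and classifies each call's outcome from the AWS error code. The `FakeEC2` client and `FakeClientError` class are constructed stand-ins so it runs without credentials; against real AWS you would pass `boto3.client("ec2", region_name=...)` instead.

```python
"""Added example (not CloudPrivs' code): the README's enumeration loop, duck-typed
so it runs offline; real use passes a boto3 client object as `client`."""
from typing import Any, Dict, List

SAFE_PREFIXES = ("get_", "list_", "describe_")
NON_API = {"get_paginator", "get_waiter"}  # boto3 helpers, not AWS operations
# Codes AWS returns when IAM refuses a call (S3/IAM style, Lambda style, EC2).
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
# Assumed layout of CustomTests.yaml once loaded: {service: {operation: kwargs}}.
CUSTOM_TESTS = {"ec2": {"describe_instances": {"DryRun": True}}}

def select_operations(client: Any) -> List[str]:
    """Keep only get_/list_/describe_ methods (boto3 exposes snake_case names)."""
    return sorted(n for n in dir(client) if n.startswith(SAFE_PREFIXES)
                  and n not in NON_API and callable(getattr(client, n)))

def classify(exc: Exception) -> str:
    """Map the exception from a probe call to allowed / denied / unknown."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    if code in DENIED_CODES:
        return "denied"
    if code == "DryRunOperation":  # EC2 reports a permitted dry run as an error
        return "allowed"
    return "unknown"  # e.g. ParamValidationError: rejected locally, no IAM decision

def probe(service: str, client: Any, custom=CUSTOM_TESTS) -> Dict[str, str]:
    """Call every safe operation, injecting custom kwargs where configured."""
    results: Dict[str, str] = {}
    for op in select_operations(client):
        kwargs = custom.get(service, {}).get(op, {})
        try:
            getattr(client, op)(**kwargs)
            results[op] = "allowed"
        except Exception as exc:  # classify and keep sweeping, never abort
            results[op] = classify(exc)
    return results

class FakeClientError(Exception):
    """Constructed stand-in mimicking botocore ClientError's .response layout."""
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeEC2:
    """Constructed client: describe_instances allowed (via DryRun), volumes denied."""
    def describe_instances(self, **kw):
        if kw.get("DryRun"):
            raise FakeClientError("DryRunOperation")
        return {"Reservations": []}
    def describe_volumes(self, **kw):
        raise FakeClientError("UnauthorizedOperation")
    def run_instances(self, **kw):  # mutating, must never be selected
        raise RuntimeError("unsafe operation was called")
```

Calls that fail for reasons other than an IAM denial land in `unknown`, which is where a custom test supplying the missing arguments turns an inconclusive probe into a real answer.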
Custom tests are stored in a YAML file at cloudprivs/providers/aws/CustomTests.yaml.
The structure of the YAML is as follows: