
Attack Goals

An attack goal in CodeShield is defined by the AWS IAM action(s) an attacker obtains after performing one of the pre-defined escalation methods within the account.

CodeShield currently defines the 23 attack goals listed below. Every attack goal is labeled with the tactic(s) it corresponds to in the official MITRE ATT&CK Cloud Matrix.

The table below lists all pre-defined attack goals and their mapping to the IAM actions within CodeShield.

| Goal ID | Title | Description | MITRE ATT&CK Tactics |
|---|---|---|---|
| ADMIN_ACCESS | Gain Administrator Access on AWS Account | An attacker was able to gain access to the `AdministratorAccess` policy (or an equivalent one), effectively compromising the whole account. | Privilege Escalation |
| BLOCK_USER_ACCESS | Block legitimate account access | An attacker can use the gained privileges to block legitimate users' access to your cloud environment. | Impact |
| DATA_STORAGE_READ | Gain read access on data storages | An attacker can use the gained privileges to exfiltrate data from one of the data storages in your environment. For S3 data exfiltration the attacker needs to invoke `aws s3api get-object --bucket <BUCKET_NAME> --key <SOURCE_FILE_PATH> <TARGET_FILE>`. | Exfiltration, Collection |
| DATA_STORAGE_WRITE | Gain write access on data storages | An attacker can use the gained privileges to modify data in the data storages of your cloud environment. | Impact |
| DISABLE_CLOUDTRAIL | Disable Logs to CloudTrail | An attacker can use the gained privileges to disable the CloudTrail logs that record activity from the AWS CLI, console or API within your AWS account. This allows the attacker to move through your account without leaving traces. | Defense Evasion |
| DISABLE_CLOUDWATCH | Disable Logs to CloudWatch | An attacker can use the gained privileges to disable the CloudWatch logs of your cloud application. This allows the attacker to attack the underlying cloud application without leaving traces. | Defense Evasion |
| ESCALATION_NO_IMPACT | Critical actions without impact/newly-gained-privileges found | Actions necessary for a privilege escalation were found, but the attacker could not acquire any new permissions. The attacker would be able to escalate privileges if the cloud setup allowed it, e.g. `iam:PassRole` is possible but no role to pass exists. This turns into a security vulnerability as soon as the cloud setup changes accordingly. | Privilege Escalation |
| ESCALATION_WITHOUT_TARGET | Privilege escalation without detected target of escalation action | A possibility for privilege escalation was found for which no target resources could be computed. This should not be ignored: escalation may become possible later, once a fitting resource has been created in the account. E.g. the attacker gained access to `iam:PassRole`, but no role that the user could pass was found. It is highly recommended to still fix this issue, as creating a too permissive role later might render the scenario exploitable. | Privilege Escalation |
| GAIN_CREDENTIALS_ACCESS | Gain Access to Credentials | An attacker can use the gained privileges to steal sensitive credentials from your cloud account. The credentials can then be used to access other services, such as databases, AWS user accounts or cloud application accounts (Cognito). | Credential Access |
| GAIN_IAM_PRIVILEGES | Gain additional IAM Permissions / IAM Privilege Escalation | An attacker can use the gained privileges to attach additional roles or policies to resources or identities and gain access to even more cloud resources. | Privilege Escalation |
| GAIN_USER_ACCESS | Gain access over an AWS user's account | An attacker can use the gained privileges to obtain access to an AWS user's account and use that account to modify the infrastructure or exfiltrate data. | Initial Access, Privilege Escalation |
| KMS_DECRYPT | Decrypt data using AWS KMS | An attacker can use the gained privileges to decrypt sensitive data within your account. Using KMS, the attacker can decrypt any data that was encrypted with the same keys. | N/A |
| KMS_ENCRYPT | Encrypt data using AWS KMS | An attacker can use the gained privileges to encrypt data within the account. If the attacker can use a KMS key from a different AWS account (one the attacker controls) together with write access to some data storage, this enables a ransomware attack that re-encrypts all data with a key the victim does not control. See https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | Impact |
| MODIFY_EC2_NETWORK | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to modify EC2 instance hosts, volumes or VPC endpoints. | Lateral Movement |
| MODIFY_EC2_SECURITY | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to open an additional inbound port (for instance SSH on port 22) on an EC2 instance's security group. | Lateral Movement |
| SPAWN_COSTLY_SERVICE | Spawn cost-intensive AWS services | An attacker can use the gained privileges to spawn cost-intensive services and increase your cloud bill. Make sure billing alarms are enabled on AWS: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html | Impact |
| TAKEOVER_AMPLIFY | Takeover of Amplify | An attacker can use the gained privileges to update your Amplify application with arbitrary new logic. | Impact |
| TAKEOVER_CLOUDFRONT | Takeover of CloudFront Distributions | An attacker can use the gained privileges to replace the origin bucket of your CloudFront distribution. The attacker can attach an attacker-controlled bucket so that an arbitrary website is served under your distribution. | Impact |
| TAKEOVER_CODECOMMIT | Takeover of CodeCommit Environment | An attacker can use the gained privileges to steal your application's source code or any other sensitive data within the git repositories. | Collection |
| TAKEOVER_COGNITO | Takeover of Cognito User Pools | An attacker can use the gained privileges to gain access to a user's account on your cloud application served by Cognito. | Credential Access |
| TAKEOVER_EC2 | Takeover of EC2 Instances | An attacker can use the gained privileges to gain root access on an EC2 instance. See https://hackingthe.cloud/aws/exploitation/local-priv-esc-mod-instance-att/ | Credential Access |
| TAKEOVER_LAMBDA | Takeover of Lambda | An attacker can use the gained privileges to make an internal Lambda function publicly reachable via a Lambda Function URL. | Impact |
| UNCLASSIFIED_IMPACT | Privilege escalation allowed the attacker to gain new unclassified permissions | The attacker was able to gain new permissions and potentially access new resources. The gained permissions are not classified under a more specific attack goal. | Privilege Escalation |
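To make concrete what "an attack goal is defined by the IAM action the attacker obtains" means, and how the ESCALATION_WITHOUT_TARGET case differs from a usable `iam:PassRole` grant, here is an added example that is not CodeShield's code. It evaluates a principal's policies with simplified IAM semantics (explicit Deny beats Allow, default deny, `*`/`?` wildcards on actions and ARNs), checks which resources in a constructed account inventory each action actually reaches, and labels the result with goal IDs from the table. The `GOAL_ACTIONS` mapping is a hypothetical subset chosen for illustration, not CodeShield's real mapping; the policies and inventory are constructed sample input.

```python
"""Illustrative attack-goal classifier for IAM policies.

Added example, not CodeShield code. GOAL_ACTIONS is a hypothetical
subset of representative actions per goal; CodeShield's real mapping is
not published on this page. NotAction/NotResource, Conditions, SCPs,
permission boundaries and resource policies are deliberately not modelled.
"""
import fnmatch
from typing import Dict, Iterable, List, Tuple

# Assumption: representative actions per goal, chosen for this example only.
GOAL_ACTIONS: Dict[str, List[str]] = {
    "ADMIN_ACCESS": ["*"],
    "DATA_STORAGE_READ": ["s3:GetObject"],
    "DISABLE_CLOUDTRAIL": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "GAIN_IAM_PRIVILEGES": ["iam:AttachUserPolicy", "iam:PutUserPolicy"],
    "TAKEOVER_LAMBDA": ["lambda:CreateFunctionUrlConfig"],
}
PASS_ROLE = "iam:PassRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    # IAM matches action names and ARN patterns case-insensitively, with * and ?.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statements(policies: Iterable[dict], effect: str):
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt["Effect"] == effect:
                yield stmt


def _covers(stmt: dict, action: str, resource: str) -> bool:
    return any(_match(a, action) for a in _as_list(stmt.get("Action", []))) and any(
        _match(r, resource) for r in _as_list(stmt.get("Resource", []))
    )


def is_allowed(policies: Iterable[dict], action: str, resource: str) -> bool:
    """Simplified IAM evaluation: any matching Deny wins, otherwise need a matching Allow."""
    policies = list(policies)
    if any(_covers(s, action, resource) for s in _statements(policies, "Deny")):
        return False
    return any(_covers(s, action, resource) for s in _statements(policies, "Allow"))


def allowed_targets(policies: List[dict], action: str, inventory: List[str]) -> List[str]:
    """Inventory ARNs of the action's service on which the action is allowed."""
    service = action.split(":")[0]
    return [
        arn for arn in inventory
        if (service == "*" or arn.split(":")[2] == service) and is_allowed(policies, action, arn)
    ]


def classify(policies: List[dict], inventory: List[str]) -> Dict[str, List[str]]:
    """Map goal IDs to the concrete resources the principal could reach for them."""
    hits: Dict[str, List[str]] = {}
    for goal, actions in GOAL_ACTIONS.items():
        targets = sorted({t for a in actions for t in allowed_targets(policies, a, inventory)})
        if targets:
            hits[goal] = targets
    return hits


def pass_role_status(policies: List[dict], inventory: List[str]) -> Tuple[str, List[str]]:
    """Distinguish a PassRole grant with a passable role from ESCALATION_WITHOUT_TARGET."""
    roles = [arn for arn in inventory if ":role/" in arn]
    passable = allowed_targets(policies, PASS_ROLE, roles)
    if passable:
        return "PASSROLE_WITH_TARGET", passable
    granted = any(
        any(_match(a, PASS_ROLE) for a in _as_list(s.get("Action", [])))
        for s in _statements(policies, "Allow")
    )
    return ("ESCALATION_WITHOUT_TARGET" if granted else "NONE"), []


# Constructed sample input: two policies attached to one principal, plus a tiny inventory.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/deploy-*"},
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"},
    ]},
]
INVENTORY = [
    "arn:aws:s3:::app-data/backup.sql",
    "arn:aws:iam::123456789012:role/admin",  # no deploy-* role exists yet
    "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main",
]

if __name__ == "__main__":
    print(classify(POLICIES, INVENTORY))
    print(pass_role_status(POLICIES, INVENTORY))
```

With the sample input the principal is classified as DATA_STORAGE_READ (the backup object) and DISABLE_CLOUDTRAIL (StopLogging is still allowed even though DeleteTrail is explicitly denied), while the `iam:PassRole` grant is reported as ESCALATION_WITHOUT_TARGET because the only existing role does not match `role/deploy-*`; creating a `deploy-admin` role later would silently turn that finding into a real escalation path.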