Building and Automating Penetration Testing Labs in the Cloud

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781837632398
Pages: 562 pages
Edition: 1st Edition
Author: Joshua Arvin Lat

Table of Contents (15 chapters)

Preface
1. Part 1: A Gentle Introduction to Vulnerable-by-Design Environments
2. Chapter 1: Getting Started with Penetration Testing Labs in the Cloud
3. Chapter 2: Preparing Our First Vulnerable Cloud Lab Environment
4. Chapter 3: Succeeding with Infrastructure as Code Tools and Strategies
5. Part 2: Setting Up Isolated Penetration Testing Lab Environments in the Cloud
6. Chapter 4: Setting Up Isolated Penetration Testing Lab Environments on GCP
7. Chapter 5: Setting Up Isolated Penetration Testing Lab Environments on Azure
8. Chapter 6: Setting Up Isolated Penetration Testing Lab Environments on AWS
9. Part 3: Exploring Advanced Strategies and Best Practices in Lab Environment Design
10. Chapter 7: Setting Up an IAM Privilege Escalation Lab
11. Chapter 8: Designing and Building a Vulnerable Active Directory Lab
12. Chapter 9: Recommended Strategies and Best Practices
13. Index
14. Other Books You May Enjoy

Setting Up an IAM Privilege Escalation Lab

Imagine yourself setting up a shared cloud environment for a machine learning (ML) workshop for 100 participants. After preparing the cloud resources needed for the workshop session, you then proceed with the creation of Identity and Access Management (IAM) user accounts for accessing the resources running inside the cloud account. During the workshop session, you find out that all resources inside your cloud account have been deleted! It seems that the shared cloud account used by the workshop participants has been completely compromised. Upon investigation, you find out that one of the workshop participants was able to successfully escalate privileges by exploiting an IAM misconfiguration to gain unauthorized access and delete all resources inside the account.

In this chapter, we will set up an IAM privilege escalation lab that mimics the ML workshop environment we just talked about! Inside this realistic workshop environment, lab participants...

Technical requirements

Before we start, we must have the following ready:

  • An Amazon Web Services (AWS) account—feel free to use any of the existing accounts you’ve used in the previous chapters of this book
  • A ChatGPT account—sign up for a free account using the following link: https://chat.openai.com/auth/login
  • Any text editor (such as Notepad++, Visual Studio Code, or Sublime Text) where we can temporarily store specific values (for example, your local machine’s IP address) used in the hands-on solutions in this chapter

You may proceed with the next steps once these are ready.

Important note

You might be wondering why we need a ChatGPT account! In this chapter, we will use this generative AI solution to generate code automatically for us. If this is your first time using ChatGPT, don’t worry, as we will have a step-by-step guide later on how to use it to generate working code for our penetration testing simulation...

Preparing the Cloud9 environment

In this section, we will set up an AWS Cloud9 environment to help us speed up the preparation of the Terraform code for our vulnerable IAM lab. If you are wondering what AWS Cloud9 is, it is simply an integrated development environment (IDE) that allows developers and engineers to manage and run code using a browser. If you have used other IDEs before, such as Visual Studio Code and Eclipse, you can think of Cloud9 as a cloud-based solution provided by AWS that offers a collaborative and flexible environment for software development.

With AWS Cloud9, our code is stored and runs inside an Amazon Elastic Compute Cloud (EC2) instance, giving us a similar level of control and familiarity as if we were working on a local machine. For example, if we encounter disk space issues while using AWS Cloud9, we can simply expand the storage capacity of the underlying EC2 instance that hosts our Cloud9 environment. We can do this by resizing the instance’...

Setting up cloud resources and flags manually

In this section, we will set up several lab resources using the AWS Management Console. While these can easily be created automatically with Terraform, we will prepare these manually and use the opportunity to discuss how these resources have been configured and dive deeper into the concepts, terminologies, and services as well.

Similar to what we have in Figure 7.11, we will set up a Quantum Ledger Database (QLDB) database resource along with a Simple Storage Service (S3) bucket:

Figure 7.11 – What we will set up and prepare in this section

We will then set up flags inside these resources—one flag inside the QLDB database resource and another flag stored inside the S3 bucket. If you are wondering what these flags look like, these are simply string values containing the word FLAG stored somewhere inside the resources and components of the lab environment. Of course, we are simplifying things...

Leveraging Terraform to automatically set up target resources

At this point, we should already have a few resources (such as the QLDB ledger database and the S3 bucket where we stored our flags) created in our account. In this section, we will use Terraform to set up a few more resources to complete the IAM privilege escalation lab.

Here’s an overview of the resources we’ll create and configure in this section:

Figure 7.23 – The resources we will create and configure using Terraform

Given that our lab environment should mimic an ML workshop environment, we will create and configure (1) an IAM user for accessing the workshop environment and (2) a SageMaker notebook instance with the relevant workshop files, including the Jupyter Notebook .ipynb file already downloaded inside the instance. Here, the workshop IAM user should only have the permissions to list and access the SageMaker notebook instances available. In addition to...
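One way to check that a workshop user's policy stays within the "list and access notebook instances" intent stated above, as an added example that is not code from the book. The allowlist of three SageMaker actions and both sample policies are assumptions constructed for illustration.

```python
import json

# Assumption: these three SageMaker actions are what "list and access" requires.
ALLOWED_ACTIONS = {
    "sagemaker:listnotebookinstances",
    "sagemaker:describenotebookinstance",
    "sagemaker:createpresignednotebookinstanceurl",
}

def _as_list(value):
    """IAM lets Statement and Action be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_workshop_policy(policy_json):
    """Return (statement index, action, reason) for each grant beyond the allowlist."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows everything except the listed actions"))
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append((idx, action, "wildcard reaches past the allowlist"))
            elif action.lower() not in ALLOWED_ACTIONS:  # action names are case-insensitive
                findings.append((idx, action, "not needed to list or open a notebook"))
    return findings

# Constructed sample policies (not taken from the book's lab).
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["sagemaker:ListNotebookInstances",
               "sagemaker:DescribeNotebookInstance",
               "sagemaker:CreatePresignedNotebookInstanceUrl"],
    "Resource": "*"}})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sagemaker:ListNotebookInstances", "s3:GetObject"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, audit_workshop_policy(policy))
```

Running the same check against the policy document in a Terraform plan before applying it catches a participant policy that drifts wider than intended.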

Using generative AI tools for exploit code generation

Generative AI has taken the world by storm and has revolutionized various industries and creative fields. From generating images and videos to even simulating natural language conversations, generative AI has pushed the boundaries further on what’s possible in the realm of AI. Its ability to generate new and innovative content has sparked innovation across diverse fields and applications.

Note

Since this is not a book on AI and ML, we will limit our scope to the main topic and focus on practical applications and examples instead. If you are interested in learning more about AI and ML, there are tons of available resources online to help you get started. I have also written two books on ML (which is a subset of AI)—Machine Learning with Amazon SageMaker Cookbook and Machine Learning Engineering on AWS by Packt Publishing. Feel free to check these out if you want to learn more about how to build and deploy ML models...

Simulating penetration testing in the lab environment

In the previous section, we used ChatGPT (a generative AI solution) to help us generate exploit code. If you are wondering where we will use the generated code, we will use it in our penetration testing simulation in this section.

In our simulation, we will start with a set of credentials for a workshop user account with a limited set of permissions. The workshop user account should allow the lab user to access a SageMaker notebook instance along with files stored inside the instance. In addition to this, the lab user should be able to run the code inside the .ipynb files stored inside the notebook instance (with the help of the permissions from the IAM role attached to the notebook instance).

Let’s look at an overview of what we’ll do in this section:

Figure 7.35 – High-level diagram of what we’ll do in this section

Since the role attached to the SageMaker notebook...

Cleaning up

Cleaning up the cloud resources we created or deployed is a crucial step when working with vulnerable cloud applications and environments. If we don’t clean up and delete the resources we created right away, we might end up paying for unused cloud resources. In addition to this, these cloud resources may end up being attacked by malicious users as well. At a minimum, we will pay for the time the following resources are running:

  • 1 x ml.t3.medium SageMaker notebook instance
  • 1 x t2.micro EC2 instance of the Cloud9 environment
  • 1 x QLDB ledger database

Note that there are other costs we should consider as well—including data transfer fees, storage costs for any persistent data used by the instances, potential charges for additional AWS services utilized in the lab environment (for example, monitoring logs), and any applicable taxes or fees associated with the AWS usage.

Important note

It is important to note that this lab allows for...

Summary

In this chapter, we were able to successfully set up an IAM privilege escalation lab environment on AWS. We started by setting up a Cloud9 environment, which we utilized to prepare and run our Terraform configuration code. After that, we proceeded with setting up the flags along with various cloud resources using the AWS Management Console. We then used Terraform to automatically generate the rest of the IAM privilege escalation lab. After completing the lab setup, we performed a penetration testing simulation to verify that our IAM privilege escalation lab had been configured correctly.

In the next chapter, we will design and build a vulnerable Active Directory lab inside an isolated network environment in Microsoft Azure. We will deliberately introduce various security misconfigurations to mimic common security issues present in real-world Active Directory implementations. If you are interested in learning how to build (and exploit) an Active Directory lab, then the next...

Further reading

For additional information on the topics covered in this chapter, you may find the following resources helpful:
