Challenge 11 ☆☆☆☆

Welcome to challenge 11. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

AWS SSM Parameter Store

We’ve now used Parameter Store directly from within the app, but there’s an IAM problem…

Assume the role cant-read-secrets and try some IAM privilege escalation. Don’t cheat using your own roles :)

This is where tools like ScoutSuite can really help in detecting issues with your IAM setup. An IAM configuration may contain paths towards privilege escalation: permissions that let a principal create and/or assume other, more powerful roles, which in turn may allow it to (among other things) read the secret.

If you’re stuck, try spotting the error in Terraform.
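To make the hint concrete, here is an added example (not part of the WrongSecrets challenge or its Terraform): a small static checker, in Python, that reads an IAM policy document and reports the well-documented action combinations that give a principal a path to more privilege, the kind of finding ScoutSuite raises. The two policy documents and the `ESCALATION_PATHS` table are constructed for illustration and are not the challenge's real policies.

```python
"""Added example: static check of an IAM policy for privilege-escalation paths.
The sample policies below are constructed for illustration; they are not the
policies used by the WrongSecrets challenge."""
import fnmatch

# Action combinations that are well documented as IAM privilege-escalation
# paths. Every action in a tuple must be granted for the path to be reported.
ESCALATION_PATHS = {
    "CreateRole + AttachRolePolicy": ("iam:CreateRole", "iam:AttachRolePolicy"),
    "CreateRole + PutRolePolicy": ("iam:CreateRole", "iam:PutRolePolicy"),
    "AttachRolePolicy on an existing role": ("iam:AttachRolePolicy",),
    "AttachUserPolicy": ("iam:AttachUserPolicy",),
    "PutUserPolicy": ("iam:PutUserPolicy",),
    "UpdateAssumeRolePolicy + AssumeRole": ("iam:UpdateAssumeRolePolicy", "sts:AssumeRole"),
    "CreatePolicyVersion": ("iam:CreatePolicyVersion",),
    "SetDefaultPolicyVersion": ("iam:SetDefaultPolicyVersion",),
    "PassRole + Lambda": ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` this policy grants.

    An explicit Deny wins over any Allow. Resource scope, Condition blocks and
    NotAction statements are not evaluated: a conditional or narrowly scoped
    grant still counts, which errs on the side of reporting, so review those
    findings by hand.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in candidates:
            if any(_matches(p, action) for p in patterns):
                target.add(action)
    return allowed - denied


def find_escalation_paths(policy):
    """Names of the escalation paths this policy fully grants, sorted."""
    needed = {a for actions in ESCALATION_PATHS.values() for a in actions}
    granted = allowed_actions(policy, needed)
    return sorted(name for name, actions in ESCALATION_PATHS.items()
                  if all(a in granted for a in actions))


# Constructed sample 1: reading the parameter is denied, but iam:* is wide
# open, so the role can simply build itself a better role.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:GetParameter*", "Resource": "*"},
    ],
}

# Constructed sample 2: the same policy with the IAM write actions removed.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:DescribeParameters", "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:GetParameter*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(label, "->", find_escalation_paths(policy) or "no escalation path found")
```

The point of the two samples is that a Deny on `ssm:GetParameter*` buys nothing while `iam:*` is allowed next to it: the role cannot read the parameter directly, but it can create or modify a role that can. Run the checker over the policy documents your Terraform produces (for example from `aws iam get-policy-version` output) rather than over the HCL, so that what you check is what the account actually enforces.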

Answer to solution:

Secrets management is more than secure storage:

As you can tell by now, there are many ways to get to a secret: it may be hardcoded, stored in a misconfigured third-party solution, or stored correctly but reachable through wrong IAM access rights in the accounts and roles next to it. You will by now see why we say that "your security maturity reflects in your secrets management".

In this specific case, this kind of role assumption should be impossible given the proper configuration, but it’s a good idea to monitor for these events and flag them as suspicious.
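What monitoring for these events can look like, as an added example (not code from the WrongSecrets project): a small rule set in Python run over newline-delimited CloudTrail records. It flags any `AssumeRole` call made from a session of a watched application role, role chaining in general, and IAM-mutating calls by principals outside a change-management allowlist, and it reports denied attempts as well as successful ones. The five log records, the account id `111122223333` (an AWS documentation placeholder), the `secret-reader` role and the `terraform-deployer` user are all constructed for illustration.

```python
"""Added example: detection rules over CloudTrail records for role assumption
and IAM changes by an application role. The log lines are constructed for
illustration (account 111122223333 is a documentation placeholder); they are
not real CloudTrail output from the challenge environment."""
import json

# IAM calls that change who may do what. An application role such as
# cant-read-secrets has no business making any of them.
IAM_MUTATIONS = {
    "CreateRole", "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
    "AttachUserPolicy", "PutUserPolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}


def issuer_arn(event):
    """The principal behind a call: the role ARN for an assumed-role session,
    otherwise the caller's own ARN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return ident.get("arn", "")


def classify(event, watched_roles, admin_principals):
    """Return a finding string for a suspicious record, or None.

    Denied calls are reported too: AccessDenied on AssumeRole or CreateRole is
    exactly what a principal probing for an escalation path produces.
    """
    name, source = event.get("eventName"), event.get("eventSource")
    issuer = issuer_arn(event)
    role_name = issuer.rsplit("/", 1)[-1]
    outcome = event.get("errorCode", "Success")
    if source == "sts.amazonaws.com" and name == "AssumeRole":
        target = event.get("requestParameters", {}).get("roleArn", "")
        if role_name in watched_roles:
            return f"{role_name} tried to assume {target}: {outcome}"
        if event.get("userIdentity", {}).get("type") == "AssumedRole":
            return f"role chaining {issuer} -> {target}: {outcome}"
    if source == "iam.amazonaws.com" and name in IAM_MUTATIONS and issuer not in admin_principals:
        return f"IAM change {name} by non-admin {issuer}: {outcome}"
    return None


def scan(log_text, watched_roles, admin_principals):
    """Run classify() over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event, watched_roles, admin_principals)
        if reason:
            findings.append((event.get("eventTime"), reason))
    return findings


# Constructed identities and records (not real CloudTrail data).
ACCOUNT = "111122223333"
ADMINS = {f"arn:aws:iam::{ACCOUNT}:user/terraform-deployer"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
DEPLOYER = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/terraform-deployer"}
CRS_SESSION = {  # a session of the cant-read-secrets role
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/cant-read-secrets/alice",
    "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/cant-read-secrets"}},
}


def _record(time, source, name, identity, **extra):
    return json.dumps({"eventTime": time, "eventSource": source, "eventName": name,
                       "userIdentity": identity, **extra})


SAMPLE_LOG = "\n".join([
    # 1. alice assumes cant-read-secrets: the intended first step, not flagged
    _record("2024-05-01T10:00:00Z", "sts.amazonaws.com", "AssumeRole", ALICE,
            requestParameters={"roleArn": f"arn:aws:iam::{ACCOUNT}:role/cant-read-secrets"}),
    # 2. the app role lists parameters: normal application behaviour
    _record("2024-05-01T10:00:05Z", "ssm.amazonaws.com", "DescribeParameters", CRS_SESSION),
    # 3. the app role probes for a stronger role and is denied: flagged
    _record("2024-05-01T10:01:00Z", "sts.amazonaws.com", "AssumeRole", CRS_SESSION,
            requestParameters={"roleArn": f"arn:aws:iam::{ACCOUNT}:role/secret-reader"},
            errorCode="AccessDenied"),
    # 4. the app role creates a role of its own: flagged
    _record("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateRole", CRS_SESSION,
            requestParameters={"roleName": "escalated"}),
    # 5. the deployer attaching a policy is expected change management
    _record("2024-05-01T11:00:00Z", "iam.amazonaws.com", "AttachRolePolicy", DEPLOYER,
            requestParameters={"roleName": "cant-read-secrets"}),
])

if __name__ == "__main__":
    for when, why in scan(SAMPLE_LOG, {"cant-read-secrets"}, ADMINS):
        print(when, why)
```

Records 3 and 4 are the ones to alert on: a role that exists only to read application configuration should never call `sts:AssumeRole` or any IAM write API, and a denied attempt is an earlier signal than a successful one. The allowlist for IAM changes should contain only the identity that applies your Terraform, so that any other source of IAM mutations stands out.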