aws-stepfunctions-post-exploitation v1.1
m4dn3g4t1v3 authored Jul 12, 2024
1 parent d96c15a commit 3a75646
Showing 1 changed file with 49 additions and 2 deletions.
@@ -22,13 +22,60 @@ For more information about this AWS service, check:
[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md)
{% endcontent-ref %}

### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias`

An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations.

{% hint style="info" %}

- Deleting a state machine you also delete all its associated versions and aliases.
- Deleting a state machine alias you do not delete the state machine versions referecing this alias.
- It is not possible to delete a state machine version currently referenced by one o more aliases.

{% endhint %}

```bash
# Delete state machine
aws stepfunctions delete-state-machine --state-machine-arn <value>
# Delete state machine version
aws stepfunctions delete-state-machine-version --state-machine-version-arn <value>
# Delete state machine alias
aws stepfunctions delete-state-machine-alias --state-machine-alias-arn <value>
```

- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime.

### `states:UpdateMapRun`

An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows.

```bash
aws stepfunctions update-map-run --map-run-arn <value> [--max-concurrency <value>] [--tolerated-failure-percentage <value>] [--tolerated-failure-count <value>]
```

- **Potential Impact**: Performance degradation, and disruption of critical workflows.

### `states:StopExecution`

An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption.

{% hint style="warning" %}
This action is not supported by **express state machines**.
{% endhint %}

```bash
aws stepfunctions stop-execution --execution-arn <value> [--error <value>] [--cause <value>]
```

- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption.

### `states:TagResource`, `states:UntagResource`

An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.

```bash
aws states tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws states untag-resource --resource-arn <value> --tag-keys <key>
aws stepfunctions tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
```

**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
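Review bot: the first two commands in the `states:TagResource` block use a CLI namespace that does not exist; the AWS CLI exposes Step Functions as `aws stepfunctions`, so `aws states tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>` and `aws states untag-resource --resource-arn <value> --tag-keys <key>` will fail with an invalid-choice error and merely duplicate the two correct `aws stepfunctions` lines that follow them; drop the two `aws states` lines. Smaller points in the same hunk: the info hint under `states:DeleteStateMachine` has two typos ("referecing" should be "referencing", "one o more" should be "one or more"), and its first bullet reads better as "When you delete a state machine, you also delete all its associated versions and aliases"; the `states:UpdateMapRun` paragraph has "affecting directly and performance of the service" and "affecting directly to the state machine execution", which should read "directly affecting the performance of the service" and "directly affecting the state machine execution"; "could be able to stop" under `states:StopExecution` should be "would be able to stop" to match the wording of the other sections; and the final "**Potential Impact**" line is missing the leading "- " that every other section uses for that bullet, so it renders as a paragraph instead of a list item.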