Defender Track

Objective 2: Access the Target account

A common AWS setup, and a best practice, is to have a separate Security account that receives the CloudTrail logs from all other AWS accounts and also has some form of access into those accounts so it can inspect them. For this objective, we need to access the Target account through the IAM role that grants the Security account access. In your ~/.aws/config file, you should already have a profile for your security account that looks like:

[profile security]
region=us-east-1
output=json

Now, we'll add a profile for the target to that file:

[profile target_security]
region=us-east-1
output=json
source_profile = security
role_arn = arn:aws:iam::653711331788:role/security

You should now be able to run:

aws --profile target_security sts get-caller-identity

You should get results like this:

{
    "Account": "653711331788",
    "UserId": "AROAIKRY5GULQLYOGRMNS:botocore-session-1544126021",
    "Arn": "arn:aws:sts::653711331788:assumed-role/security/botocore-session-1544126021"
}

The important thing to notice is the account ID: when it is 322079859186, you are running in the security account, and when it is 653711331788, you are running in the context of the target account.
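To make that account check mechanical rather than eyeballed, here is an added example (not code from the original page) that parses the profile chain from the config above, derives the expected account from role_arn, and compares it with the output of sts get-caller-identity; the embedded config and identity JSON are copies of the page's samples, and the ARN regex and cycle check are my own assumptions about the format.

```python
import configparser
import json
import re

# Constructed sample: the ~/.aws/config from the page, embedded so this runs offline.
SAMPLE_CONFIG = """[profile security]
region=us-east-1
output=json

[profile target_security]
region=us-east-1
output=json
source_profile = security
role_arn = arn:aws:iam::653711331788:role/security
"""
# Constructed sample: the get-caller-identity output from the page.
SAMPLE_IDENTITY = """{"Account": "653711331788", "UserId": "AROAIKRY5GULQLYOGRMNS:botocore-session-1544126021",
 "Arn": "arn:aws:sts::653711331788:assumed-role/security/botocore-session-1544126021"}"""

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")  # assumed ARN shape

def load_profiles(text):
    """Parse AWS CLI config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s): dict(cp[s]) for s in cp.sections()}

def resolve_chain(profiles, name):
    """Follow source_profile links back to the credential source; reject cycles/missing."""
    chain = []
    while name:
        if name in chain or name not in profiles:
            raise ValueError(f"bad source_profile chain at {name!r}")
        chain.append(name)
        name = profiles[name].get("source_profile")
    return chain

def expected_account(profiles, name):
    """Account a profile lands in, taken from its role_arn; None if no role is assumed."""
    m = ACCOUNT_IN_ARN.match(profiles[name].get("role_arn", ""))
    return m.group(1) if m else None

def check_identity(identity_json, expected):
    """Compare get-caller-identity output with the expected account; returns (ok, account)."""
    ident = json.loads(identity_json)
    acct = ident["Account"]
    m = ACCOUNT_IN_ARN.match(ident["Arn"])
    # The Account field and the ARN must agree, and both must match the target.
    return (m is not None and m.group(1) == acct == expected, acct)
```

Feed it the real output of `aws --profile target_security sts get-caller-identity` to confirm you are in 653711331788 before running anything against the target.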

Run aws --profile target_security s3 ls and you'll see the S3 buckets for the levels of the Attacker path.
