Awesome

AWS Exposable Resources

The goal of this repo is to maintain a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts (that section is still in development and not included here yet).

The following concepts are applied in this list:

• Resources that could be indirectly exposed through another resource are not included. For example, CloudTrail logs can be sent to an S3 bucket that is public, but it is the S3 bucket that is misconfigured, so CloudTrail is not listed as a resource that can be made public.
• Some resources may require multiple things configured a certain way to be considered public. For example, a Secrets Manager secret that is encrypted with a KMS, would need both the Secret and KMS key to be public for access to the Secret. For the purposes of this list, I consider the Secret resource policy only. Similarly, for Managed ElasticSearch clusters, you need both the resource policy to allow public access, and for it to have a non-VPC IP. I consider only the resource policy. For an EC2, you could create an EC2 with a public IP, but associate a restricted Security Group to it that perhaps later is opened up to allow public access. I view the creation of the EC2 with a public IP, and not the modification of the Securtiy Group to be the action of interest.

Roadmap

I would like this repo to eventually contain the following:

• Sample CLI commands for creating both a private and public resource
• Associated CloudTrail logs for these two events so you can build and test monitoring solutions. For example, you can see sample CloudTrail events for StreamAlert here
• Associated Describe calls on the resources to show what it looks like when these resources are public. For example, you can see sample json responses in CloudMapper's test data here.

Resources that can be made public through resource policies

ECR Repository

Actions:

• ecr set-repository-policy

Lambda

Allows invoking the function

Actions:

• lambda add-permission

Lambda layer

Actions:

• lambda add-layer-version-permission

Serverless Application Repository

Actions:

• serverlessrepo put-application-policy

Backup

Docs

Actions:

• backup put-backup-vault-access-policy

EFS

TODO: Need to confirm this can actually be shared with other accounts. Some of the doc wording leads me to think this might only be shareable to principals within an account.

Actions:

• efs put-file-system-policy

Glacier

Actions:

• glacier set-vault-access-policy

S3

S3 buckets can be public via policies and ACL. S3 objects can be public via ACL. ACLs can be set at bucket or object creation.

Actions:

• s3api create-bucket
• s3api put-bucket-policy
• s3api put-bucket-acl
• s3api put-object
• s3api put-object-acl

IAM Role

Actions:

• iam create-role
• iam update-assume-role-policy

KMS Keys

Actions:

• kms create-key
• kms create-grant
• kms put-key-policy

Secrets Managers

Actions:

• secretsmanager put-resource-policy

CloudWatch Logs

Actions:

• logs put-resource-policy
• logs put-destination-policy

EventBridge

Only allows sending data into an account

Actions:

• events put-permission

MediaStore

Docs

Actions:

• mediastore put-container-policy

ElasticSearch

Actions:

• es create-elasticsearch-domain
• es update-elasticsearch-domain-config

Glue

Actions:

• glue put-resource-policy

SNS

Actions:

• sns create-topic
• sns add-permission

SQS

Actions:

• sqs create-queue
• sqs add-permission

SES

Docs

Actions:

• ses put-identity-policy

Resource that can be made public through sharing APIs

AMI

Actions:

• ec2 modify-image-attribute

FPGA image

Actions:

• ec2 modify-fpga-image-attribute

EBS snapshot

Actions:

• ec2 modify-snapshot-attribute

RDS snapshot

Actions:

• rds modify-db-snapshot

RDS DB Cluster snapshot

Actions:

• rds modify-db-cluster-snapshot-attribute

Resources that can be made public through network access

API Gateway

There are associated resource policies (see here) that may make this something that should be in multiple categories?

Actions:

• apigateway create-rest-api
• apigateway update-rest-api
• apigateway create-api

CloudFront

Actions:

• cloudfront create-distribution
• cloudfront create-distribution-with-tags

Redshift

Actions:

• redshift create-cluster
• redshift modify-cluster

RDS

Actions:

• rds create-db-instance
• rds modify-db-instance

EC2

Actions:

• ec2 run-instances
• ec2 run-scheduled-instances

Elastic IP

Actions:

• ec2 allocate-address

ECS

Actions:

• ecs create-service
• ecs update-service
• ecs create-task-set
• ecs update-task-set

Global Accelerator

Actions:

• globalaccelerator create-accelerator

ELB

Actions:

• elb create-load-balancer
• elbv2 create-load-balancer

Lightsail

Actions:

• lightsail allocate-static-ip
• lightsail create-distribution
• lightsail create-relational-database
• lightsail update-relational-database
• lightsail create-load-balancer
• lightsail create-instances

Neptune

Actions:

• neptune create-db-instance

ElasticCache

Actions:

• elasticcache create-cache-cluster

EMR

Actions:

• emr create-cluster