From 8f802b5fbd3da47aa8d5953dcf79c0dc14c6ecd5 Mon Sep 17 00:00:00 2001 From: WebbinRoot <74038921+WebbinRoot@users.noreply.github.com> Date: Sat, 18 Mar 2023 20:42:21 -0700 Subject: [PATCH 1/7] Update aws_organizations_defaults.md with new AWS Organizations research I wrote 2 large blog posts on how to pivot within AWS Organizations, added support for it to Pacu, and built a Pacu enumeration module. Added to this page to help other pentesters. --- .../aws_organizations_defaults.md | 42 +++++++++++++++---- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index a5a75abb..582a4eae 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md @@ -1,7 +1,7 @@ --- -author_name: Nick Frichette -title: AWS Organizations Defaults -description: AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers. +author_name: Nick Frichette & Scott +title: AWS Organizations Defaults & Pivoting +description: AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers, and it offers numerous routes to pivot beyond the default behavior. --- Almost all mid-to-large sized AWS environments make use of [multi-account](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) architecture. Using multiple AWS accounts offers a number of [benefits](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-multiple-aws-accounts.html) and is considered a best practice. To help organize and manage those accounts, AWS offers a service called [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). 
@@ -10,9 +10,9 @@ Due to the ubiquity of AWS Organizations, it is important for Penetration Tester When an account creates an organization it becomes the management account of that organization. Each organization has one management account, and this account effectively "owns" the organization. -## Member Accounts and the OrganizationAccountAccessRole +## Creating Member Accounts: Default OrganizationAccountAccessRole -When an account is created with AWS Organizations it is considered a member of the organization (hence, member account). As a part of this account creation process, AWS Organizations will create a role in the member account called `OrganizationAccountAccessRole`. This role is created in [each member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html). +When an account is created through AWS Organizations, it is considered a member of the organization (hence, member account). As a part of this account creation process, AWS Organizations will create a role in the member account called `OrganizationAccountAccessRole`. This role is created in [each member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html). By default, the `OrganizationAccountAccessRole` has the `AdministratorAccess` policy attached to it, giving the role complete control over the member account. In addition, the default trust policy on the role is as shown below where `000000000000` is the account ID of the management account. 
@@ -31,6 +31,34 @@ By default, the `OrganizationAccountAccessRole` has the `AdministratorAccess` po } ``` -These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. **For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.** +These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator **assuming that the member account was created through AWS organizations (as opposed to invited)**. **For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.** -For defensive security teams, it would be a good idea to ensure no infrastructure is deployed into the management account to reduce attack surface. Additionally, carefully controlling who has access to it and monitoring that access would also help to reduce risk. \ No newline at end of file +For defensive security teams, it would be a good idea to ensure no infrastructure is deployed into the management account to reduce attack surface. Additionally, carefully controlling who has access to it and monitoring that access would also help to reduce risk. + +## Inviting a Pre-Existing AWS Account: Trusted Access, Delegated Administration, IAM Access Analyzer, IAM Identity Center + +Scott ([@WebbinRoot](https://twitter.com/WebbinRoot)) at [NetSPI](https://www.netspi.com/) has performed research on how to pivot within AWS accounts if the OrganizationAccountAccessRole is not present as listed above. 
He covers: +- AWS Organizations basics +- the OrganizationAccountAccessRole role covered above +- trusted access & delegated administration fundamentals +- Leveraging IAM Access Analyzer to indirectly access member accounts +- Leveraging IAM Identity Center to directly sign into member accounts as admin +- A new security feature added to AWS Orgs in late 2022. + +His resarch is encapsulated in the following two blog articles: +- https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-1/ +- https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/ + +## Pacu Support + +[@WebbinRoot](https://twitter.com/WebbinRoot) added AWS Organizations support to [Pacu](https://github.com/RhinoSecurityLabs/pacu) and created an enumeration module for AWS Organizations specifically. See the following pulls that have been merged into the official Pacu repository: +- https://github.com/RhinoSecurityLabs/pacu/pull/326 +- https://github.com/RhinoSecurityLabs/pacu/pull/335 + +``` +# Run Module +Pacu (Session: Keys) > run organizations__enum + +# See Data Collected/Enumerated +Pacu (Session: Keys) > data organizations +``` From 1777ce17fccddec995e2725a8e2daa6b9261f535 Mon Sep 17 00:00:00 2001 From: WebbinRoot <74038921+WebbinRoot@users.noreply.github.com> Date: Sun, 3 Dec 2023 20:21:52 -0600 Subject: [PATCH 2/7] Update aws_organizations_defaults.md Added more direct content, added some pictures, added references, first draft will check syntax/etc this week --- .../aws_organizations_defaults.md | 67 ++++++++++++++----- 1 file changed, 51 insertions(+), 16 deletions(-) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index 582a4eae..26372699 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md 
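Review bot: the added `description:` line in the first hunk of PATCH 1/7 carries over the possessive typo from the original line it replaces; `It's default behavior can make it a target` should read `Its default behavior`, and since the line is being rewritten anyway this is the place to fix it. The new `author_name: Nick Frichette & Scott` also gives only a first name for the second author; use the full name so the byline matches how the author is credited in the body.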
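Review bot: `His resarch is encapsulated` in the last hunk of PATCH 1/7 is a typo (`research`), and `created through AWS organizations (as opposed to invited)` should capitalize the service name as the rest of the page does. The same sentence wraps two adjacent bold spans (`**assuming ... invited)**. **For offensive ...**`), which renders as one long shouted block; the invited-versus-created qualifier reads better unbolded, leaving only the original emphasis. The new section `## Inviting a Pre-Existing AWS Account: ...` promises six topics in its bullet list but delivers only links; either summarize each bullet in a sentence or shorten the heading to match what the section actually contains.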
@@ -1,5 +1,5 @@ --- -author_name: Nick Frichette & Scott +author_name: Nick Frichette & Scott Weston title: AWS Organizations Defaults & Pivoting description: AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers, and it offers numerous routes to pivot beyond the default behavior. --- 
@@ -35,26 +35,52 @@ These things combined mean that, should an attacker compromise the management ac For defensive security teams, it would be a good idea to ensure no infrastructure is deployed into the management account to reduce attack surface. Additionally, carefully controlling who has access to it and monitoring that access would also help to reduce risk. -## Inviting a Pre-Existing AWS Account: Trusted Access, Delegated Administration, IAM Access Analyzer, IAM Identity Center +Note Scott Weston (See References) has added a module to Pacu to brute force this role name or a list of role names. So if a management account is compromised, and the user wants to attempt to assume one to many role names on all accounts, they can run the following Pacu Module +``` +Pacu (role:ManagementAccount) > run organizations__assume_role +[ Review the results to see if any of the following roles are assumed] +``` -Scott ([@WebbinRoot](https://twitter.com/WebbinRoot)) at [NetSPI](https://www.netspi.com/) has performed research on how to pivot within AWS accounts if the OrganizationAccountAccessRole is not present as listed above. He covers: -- AWS Organizations basics -- the OrganizationAccountAccessRole role covered above -- trusted access & delegated administration fundamentals -- Leveraging IAM Access Analyzer to indirectly access member accounts -- Leveraging IAM Identity Center to directly sign into member accounts as admin -- A new security feature added to AWS Orgs in late 2022. 
+## Inviting Pre-Existing Member Accounts: Trusted Access & Delegated Administration -His resarch is encapsulated in the following two blog articles: -- https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-1/ -- https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/ +When a pre-existing AWS account is **invited** to join an organization, it does not auto-generate a default role with AdministratorAccess like the account creation workflow. As a pentester, one can look into trusted access and delegated administration to see if there are any more avenues to pivot such that you can move from the compromised management account/delegated admin to another member account in the organization. -## Pacu Support +### Organization-Integrated Features -[@WebbinRoot](https://twitter.com/WebbinRoot) added AWS Organizations support to [Pacu](https://github.com/RhinoSecurityLabs/pacu) and created an enumeration module for AWS Organizations specifically. See the following pulls that have been merged into the official Pacu repository: -- https://github.com/RhinoSecurityLabs/pacu/pull/326 -- https://github.com/RhinoSecurityLabs/pacu/pull/335 +Many AWS services include specific features that have the capability to scope to the entire organization. For example, IAM Access Analyzer is a feature within the overall IAM service. Normally a user would just run Access Analyzer on their own AWS account to find roles with trust policies that reference outside AWS account sources. Because IAM Access Analyzer is an organization-integrated feature, if the target AWS account is part of an organization, a user can choose to scope Access Analyzer from their single account **to the organization** meaning Access Analyzer will check all AWS account roles in the organization and consider "untrusted" sources as any resource outside of the organization (as opposed to the single AWS account). 
IAM Access Analyzer is just one example, but there are a multitude of features that can do a similar scope increase to the organization that all behave differently. This might sound complicated, but from a UI perspective, this basically just means there is another option in the dropdown or radio buttons when kicking off the service that lets you choose "organization" instead of the specifc account you are in. A list of all these can be found [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) + +### Helpful Diagram + +![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/e5edf877-5175-4d7d-895c-6aa8389c9207) +Trusted Access & Delegated Administration + +### Trusted Access + +These organization integrated features are in an "off" state by default. Trusted access is the act of the management account turning "on" the organization integrated features. For example, even if a member account is part of an organization, they will not be able to increase the scope of IAM Access Analyzer to the organization until the management account enables trusted access for IAM Access Analyzer for the organization. On a technical level, the act of turning "on" an organization-integrated feature via trusted access allows the feature to make roles in member accounts to carry out its tasks. There is an AWS CLI command the management account can run to enable one of these organization-integrated features and list those that are present as seen below: +![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/66525d6d-a365-4603-ac9e-04124ff7ebfb). + +Note trusted access is enabled via the management account and allows IAM Access Analyzer to reach into all member accounts to achieve its objective. + +### Delegated Administration + +Delegated Administration is pretty much like trusted access, but is from the perspective of a member account. 
In delegated administration, the user allows one of the member accounts to execute an organization-integrated feature on the AWS organization, essentially "delegating" the "administration" of that feature to that member account. We would say that a member account is "a delegated administrator for service ABC (ex. IAM Access Analyzer)." The CLI command to see all delegated administrators in an organization is shown below. If you are a member account, and call this API, and your AWS account is listed in the output, than that is a good way to confirm you are in a delegated admin account. Note again that a delegated admin is **for a specific service** so rather than searching through every single feature to see what you are a delegated admin for, you can call the API shown below to see what specific feature you are a delegated admin for. +![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/3deec4a3-363a-48c0-a075-432d078f68a7) +Besides the ability to run specific organization-integrated features, note that the member account also in general **gains access to numerous read-only APIs**. For example, note how [this](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html) CLI command states that a "delegated administrator" can run it. While a default member account can only see itself and the management account in an organization, a delegated administrator can potentially see all AWS accounts in the organization. + +### IAM Access Analyzer (Indirect Route): + +IAM Access Analyzer allows one to scan all roles in the organization. If an attacker compromises the managament account where trusted access is enabled for IAM Access Analyzer (or the attacker enables it depending on permissions), the attacker could run IAM Access Analyzer on the entire organization and review the results to see if there are any misconfigured roles they can pivot to. 
Note **the attacker NEVER directly got access to the member accounts and was constrained to the management account**. Rather the attacker just ran the organization-integrated feature which accesses the member accounts giving the attacker indirect access to the organization. See the blog post in references for images/walkthrough. + +Now imagine an attacker compromises a member account. If the member account is a delegated administrator for IAM Access Analyzer, the attacker can perform a similar action of launching the feature and reviewing the results without ever directly accessing the member accounts. In addition, if a delegated administrator is compromised, the attacker can also see much more of the organization and what the structure looks like due to their read-only rights. See the blog post in references for images/walkthrough. + +### IAM Identity Center (Direct Route) + +IAM Identity center supports trusted access, and allows one to create a user entity, a permission set, and attach the user and permission set to an account in the organization. So, if an attacker compromises a management account, the attacker could enable trusted access for IAM Identity Center (assuming it is not already enabled). Then the attacker (if they have the necessary permissions), can create a user entity with a username/password and the attacker email, and create a permission set entity that is the equivalent of AdministratorAccess. The attacker can then attach the user and permissions to a member account in the organization through IAM Identity Center in the management account, and navigate to the IAM Identity Center login link. The attacker then can enter the users username/password and get access to the member account directly as Administrator Access. See the references section for the blog post with images/walkthrough/etc. 
+ +### Automated Tools + +To enumerate an organization for all the info discussed above, you can use the Pacu module shown below: ``` # Run Module Pacu (Session: Keys) > run organizations__enum @@ -62,3 +88,12 @@ Pacu (Session: Keys) > run organizations__enum # See Data Collected/Enumerated Pacu (Session: Keys) > data organizations ``` +See the relevant pull requests here: +- https://github.com/RhinoSecurityLabs/pacu/pull/326 +- https://github.com/RhinoSecurityLabs/pacu/pull/335 + +## References +- Author: Scott ([@WebbinRoot](https://twitter.com/WebbinRoot)) or ([in/webbinroot/](https://www.linkedin.com/in/webbinroot/)) at [NetSPI](https://www.netspi.com/) +- Blog Posts: + - https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-1/ + - https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/ From 2f7e000ff6960827433a2383d6b22088f4a8a2e8 Mon Sep 17 00:00:00 2001 From: WebbinRoot <74038921+WebbinRoot@users.noreply.github.com> Date: Sat, 9 Dec 2023 19:35:53 -0600 Subject: [PATCH 3/7] Update aws_organizations_defaults.md final updates --- content/aws/general-knowledge/aws_organizations_defaults.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index 26372699..3cdc461c 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md 
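Review bot: the CLI commands this hunk (`@@ -35,26 +35,52 @@` in PATCH 2/7) promises in prose (`There is an AWS CLI command the management account can run ... as seen below` and `The CLI command to see all delegated administrators in an organization is shown below`) appear only as screenshots; put the commands in a fenced block as text so readers can copy and search them (the `aws organizations` CLI exposes `list-aws-service-access-for-organization`, `enable-aws-service-access`, `list-delegated-administrators` and `list-delegated-services-for-account` for exactly these checks). The trailing `.` after the first image link will render as literal text, and `### IAM Access Analyzer (Indirect Route):` ends with a colon unlike its sibling headings. Typos in the added text: `specifc`, `managament`, `than that is a good way to confirm` (`then`), `the users username/password` (`user's`), `IAM Identity center` (`Identity Center`), and `can run the following Pacu Module` needs a colon before the fence. Inside the `organizations__assume_role` block, `[ Review the results to see if any of the following roles are assumed]` reads as a placeholder rather than tool output; show representative output or move that instruction to prose. Since the page addresses defenders as well, the Identity Center section would benefit from one sentence pointing at the management-account CloudTrail events for the steps it describes (enabling trusted access, creating the user, the permission set and the account assignment), which is the detection opportunity for this route.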
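Review bot: the new `## References` block in the `@@ -62,3 +88,12 @@` hunk lists two blog posts, but the body above points readers to `the blog post in references for images/walkthrough` without saying which part covers which walkthrough; label the part 1 and part 2 links with what each covers so the inline pointers resolve. `Author: Scott ([@WebbinRoot](...)) or ([in/webbinroot/](...))` reads as "Scott or LinkedIn"; `Scott Weston (Twitter, LinkedIn) at NetSPI` is clearer and matches the frontmatter.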
@@ -35,7 +35,7 @@ These things combined mean that, should an attacker compromise the management ac For defensive security teams, it would be a good idea to ensure no infrastructure is deployed into the management account to reduce attack surface. Additionally, carefully controlling who has access to it and monitoring that access would also help to reduce risk. -Note Scott Weston (See References) has added a module to Pacu to brute force this role name or a list of role names. So if a management account is compromised, and the user wants to attempt to assume one to many role names on all accounts, they can run the following Pacu Module +Scott Weston (See References) has added a module to Pacu to brute force this role name or a list of role names. So if a management account is compromised, and the user wants to attempt to assume one to many role names on all accounts, they can run the following Pacu Module ``` Pacu (role:ManagementAccount) > run organizations__assume_role [ Review the results to see if any of the following roles are assumed] 
@@ -43,7 +43,7 @@ Pacu (role:ManagementAccount) > run organizations__assume_role ## Inviting Pre-Existing Member Accounts: Trusted Access & Delegated Administration -When a pre-existing AWS account is **invited** to join an organization, it does not auto-generate a default role with AdministratorAccess like the account creation workflow. As a pentester, one can look into trusted access and delegated administration to see if there are any more avenues to pivot such that you can move from the compromised management account/delegated admin to another member account in the organization. +When a pre-existing AWS account is **invited** to join an organization, it does not auto-generate a default role with AdministratorAccess like the account creation workflow. As a pentester, one can look into trusted access and delegated administration to see if there are any more avenues to pivot such that you can move from the compromised management account/delegated admin to another member account in the organization. Depending on the features available, this might allow for indirect access to other member accounts (ex. IAM Access Analyzer), or direct access with some setup (IAM Identity Center). ### Organization-Integrated Features From dd4624dbe1240b0a67a99678e088ae0cd5849e1e Mon Sep 17 00:00:00 2001 From: WebbinRoot <74038921+WebbinRoot@users.noreply.github.com> Date: Sat, 9 Dec 2023 19:37:01 -0600 Subject: [PATCH 4/7] Update aws_organizations_defaults.md Mention SCPs --- content/aws/general-knowledge/aws_organizations_defaults.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index 3cdc461c..eb17f3a1 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md 
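Review bot: the first hunk of PATCH 3/7 drops the leading `Note` but leaves the sentence ending `they can run the following Pacu Module` with no punctuation before the code fence; end it with a colon.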
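Review bot: the sentence added in the second hunk of PATCH 3/7 uses `(ex. IAM Access Analyzer)`; `e.g.` is the conventional abbreviation and is what the rest of the page should use too. Otherwise the addition is a good summary line, since it tells the reader up front that the two routes differ (indirect via Access Analyzer, direct with setup via Identity Center) before the long sections that follow.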
@@ -68,6 +68,8 @@ Delegated Administration is pretty much like trusted access, but is from the per Besides the ability to run specific organization-integrated features, note that the member account also in general **gains access to numerous read-only APIs**. For example, note how [this](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html) CLI command states that a "delegated administrator" can run it. While a default member account can only see itself and the management account in an organization, a delegated administrator can potentially see all AWS accounts in the organization. +As of late 2022, delegated administrators also potentially have the ability to manipulate SCPs (which are basically IAM policy filters at the organization level). See the attached blog article for a review of this avenue. + ### IAM Access Analyzer (Indirect Route): IAM Access Analyzer allows one to scan all roles in the organization. If an attacker compromises the managament account where trusted access is enabled for IAM Access Analyzer (or the attacker enables it depending on permissions), the attacker could run IAM Access Analyzer on the entire organization and review the results to see if there are any misconfigured roles they can pivot to. Note **the attacker NEVER directly got access to the member accounts and was constrained to the management account**. Rather the attacker just ran the organization-integrated feature which accesses the member accounts giving the attacker indirect access to the organization. See the blog post in references for images/walkthrough. From 62b2e2f8233d786d9d0f9a648e66b0e71a9ae656 Mon Sep 17 00:00:00 2001 From: WebbinRoot <74038921+WebbinRoot@users.noreply.github.com> Date: Sat, 9 Dec 2023 19:44:18 -0600 Subject: [PATCH 5/7] Update aws_organizations_defaults.md Added title card --- .../aws_organizations_defaults.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
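Review bot: `See the attached blog article` in the sentence added by PATCH 4/7 points at nothing in the file; reference the part 2 link in the References section instead. Spell out `SCPs` as Service Control Policies on first use, and tighten `basically IAM policy filters at the organization level`: an SCP sets the maximum permissions available to the accounts under it and grants nothing by itself, which is exactly why a delegated administrator that can edit SCPs matters to the defender reading this, since loosening one relaxes the guardrails on every account beneath it. `As of late 2022, delegated administrators also potentially have the ability` is vague on both date and capability; link the AWS announcement the sentence refers to so the date is verifiable, and say plainly whether the capability is conditional on a specific delegation.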
diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index eb17f3a1..6c3d9272 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md @@ -4,6 +4,20 @@ title: AWS Organizations Defaults & Pivoting description: AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers, and it offers numerous routes to pivot beyond the default behavior. --- +
+ +- :material-account:{ .lg .middle } __Original Research__ + + --- + + + +- :material-book:{ .lg .middle } __Additional Resources__ +
+ Almost all mid-to-large sized AWS environments make use of [multi-account](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) architecture. Using multiple AWS accounts offers a number of [benefits](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-multiple-aws-accounts.html) and is considered a best practice. To help organize and manage those accounts, AWS offers a service called [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). Due to the ubiquity of AWS Organizations, it is important for Penetration Testers and Red Teamers to familiarize themselves with its default configuration. @@ -94,8 +108,4 @@ See the relevant pull requests here: - https://github.com/RhinoSecurityLabs/pacu/pull/326 - https://github.com/RhinoSecurityLabs/pacu/pull/335 -## References -- Author: Scott ([@WebbinRoot](https://twitter.com/WebbinRoot)) or ([in/webbinroot/](https://www.linkedin.com/in/webbinroot/)) at [NetSPI](https://www.netspi.com/) -- Blog Posts: - - https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-1/ - - https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/ + From ad0dc1eb79e8253462fb039996a8bfdfb40fd0fe Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Sat, 9 Dec 2023 23:14:41 -0600 Subject: [PATCH 6/7] Minor formatting things --- .../aws_organizations_defaults.md | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index 6c3d9272..37ea72a4 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md 
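Review bot: the card block added in the first hunk of PATCH 5/7 has two headings (`__Original Research__` and `__Additional Resources__`) each followed by `---` and blank `+` lines, but no link entries under either, so it renders as two empty cards; either the link lines were lost in this commit or the entries from the removed References section were meant to go here and are missing.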
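Review bot: the second hunk of PATCH 5/7 deletes the whole `## References` section, but the body still tells readers to `See the blog post in references for images/walkthrough` (twice in the Access Analyzer section) and `See the references section for the blog post` (Identity Center section); update those pointers to wherever the blog links now live, or keep a References heading that the title card links to.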
@@ -12,10 +12,9 @@ description: AWS Organizations is a common service to run into in AWS environmen -- :material-book:{ .lg .middle } __Additional Resources__ Almost all mid-to-large sized AWS environments make use of [multi-account](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) architecture. Using multiple AWS accounts offers a number of [benefits](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-multiple-aws-accounts.html) and is considered a best practice. To help organize and manage those accounts, AWS offers a service called [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). 
@@ -45,11 +44,12 @@ By default, the `OrganizationAccountAccessRole` has the `AdministratorAccess` po } ``` -These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator **assuming that the member account was created through AWS organizations (as opposed to invited)**. **For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.** +These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator, assuming that the member account was created through AWS organizations (as opposed to invited). **For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.** For defensive security teams, it would be a good idea to ensure no infrastructure is deployed into the management account to reduce attack surface. Additionally, carefully controlling who has access to it and monitoring that access would also help to reduce risk. -Scott Weston (See References) has added a module to Pacu to brute force this role name or a list of role names. So if a management account is compromised, and the user wants to attempt to assume one to many role names on all accounts, they can run the following Pacu Module +[Scott Weston](https://www.linkedin.com/in/webbinroot/) has added a module to Pacu to brute force this role name or a list of role names. 
So if a management account is compromised, and the user wants to attempt to assume one to many role names on all accounts, they can run the following Pacu Module + ``` Pacu (role:ManagementAccount) > run organizations__assume_role [ Review the results to see if any of the following roles are assumed] 
@@ -59,44 +59,48 @@ Pacu (role:ManagementAccount) > run organizations__assume_role When a pre-existing AWS account is **invited** to join an organization, it does not auto-generate a default role with AdministratorAccess like the account creation workflow. As a pentester, one can look into trusted access and delegated administration to see if there are any more avenues to pivot such that you can move from the compromised management account/delegated admin to another member account in the organization. Depending on the features available, this might allow for indirect access to other member accounts (ex. IAM Access Analyzer), or direct access with some setup (IAM Identity Center). -### Organization-Integrated Features +## Organization-Integrated Features Many AWS services include specific features that have the capability to scope to the entire organization. For example, IAM Access Analyzer is a feature within the overall IAM service. Normally a user would just run Access Analyzer on their own AWS account to find roles with trust policies that reference outside AWS account sources. Because IAM Access Analyzer is an organization-integrated feature, if the target AWS account is part of an organization, a user can choose to scope Access Analyzer from their single account **to the organization** meaning Access Analyzer will check all AWS account roles in the organization and consider "untrusted" sources as any resource outside of the organization (as opposed to the single AWS account). IAM Access Analyzer is just one example, but there are a multitude of features that can do a similar scope increase to the organization that all behave differently. This might sound complicated, but from a UI perspective, this basically just means there is another option in the dropdown or radio buttons when kicking off the service that lets you choose "organization" instead of the specifc account you are in. 
A list of all these can be found [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) -### Helpful Diagram +## Helpful Diagram ![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/e5edf877-5175-4d7d-895c-6aa8389c9207) Trusted Access & Delegated Administration -### Trusted Access +## Trusted Access These organization integrated features are in an "off" state by default. Trusted access is the act of the management account turning "on" the organization integrated features. For example, even if a member account is part of an organization, they will not be able to increase the scope of IAM Access Analyzer to the organization until the management account enables trusted access for IAM Access Analyzer for the organization. On a technical level, the act of turning "on" an organization-integrated feature via trusted access allows the feature to make roles in member accounts to carry out its tasks. There is an AWS CLI command the management account can run to enable one of these organization-integrated features and list those that are present as seen below: -![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/66525d6d-a365-4603-ac9e-04124ff7ebfb). -Note trusted access is enabled via the management account and allows IAM Access Analyzer to reach into all member accounts to achieve its objective. +![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/66525d6d-a365-4603-ac9e-04124ff7ebfb) + +!!! Note + Trusted access is enabled via the management account and allows IAM Access Analyzer to reach into all member accounts to achieve its objective. -### Delegated Administration +## Delegated Administration Delegated Administration is pretty much like trusted access, but is from the perspective of a member account. 
In delegated administration, the user allows one of the member accounts to execute an organization-integrated feature on the AWS organization, essentially "delegating" the "administration" of that feature to that member account. We would say that a member account is "a delegated administrator for service ABC (ex. IAM Access Analyzer)." The CLI command to see all delegated administrators in an organization is shown below. If you are a member account, and call this API, and your AWS account is listed in the output, than that is a good way to confirm you are in a delegated admin account. Note again that a delegated admin is **for a specific service** so rather than searching through every single feature to see what you are a delegated admin for, you can call the API shown below to see what specific feature you are a delegated admin for. + ![image](https://github.com/WebbinRoot/hackingthe.cloud/assets/74038921/3deec4a3-363a-48c0-a075-432d078f68a7) Besides the ability to run specific organization-integrated features, note that the member account also in general **gains access to numerous read-only APIs**. For example, note how [this](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html) CLI command states that a "delegated administrator" can run it. While a default member account can only see itself and the management account in an organization, a delegated administrator can potentially see all AWS accounts in the organization. As of late 2022, delegated administrators also potentially have the ability to manipulate SCPs (which are basically IAM policy filters at the organization level). See the attached blog article for a review of this avenue. -### IAM Access Analyzer (Indirect Route): +## IAM Access Analyzer (Indirect Route): IAM Access Analyzer allows one to scan all roles in the organization. 
If an attacker compromises the managament account where trusted access is enabled for IAM Access Analyzer (or the attacker enables it depending on permissions), the attacker could run IAM Access Analyzer on the entire organization and review the results to see if there are any misconfigured roles they can pivot to. Note **the attacker NEVER directly got access to the member accounts and was constrained to the management account**. Rather the attacker just ran the organization-integrated feature which accesses the member accounts giving the attacker indirect access to the organization. See the blog post in references for images/walkthrough. Now imagine an attacker compromises a member account. If the member account is a delegated administrator for IAM Access Analyzer, the attacker can perform a similar action of launching the feature and reviewing the results without ever directly accessing the member accounts. In addition, if a delegated administrator is compromised, the attacker can also see much more of the organization and what the structure looks like due to their read-only rights. See the blog post in references for images/walkthrough. -### IAM Identity Center (Direct Route) +## IAM Identity Center (Direct Route) IAM Identity center supports trusted access, and allows one to create a user entity, a permission set, and attach the user and permission set to an account in the organization. So, if an attacker compromises a management account, the attacker could enable trusted access for IAM Identity Center (assuming it is not already enabled). Then the attacker (if they have the necessary permissions), can create a user entity with a username/password and the attacker email, and create a permission set entity that is the equivalent of AdministratorAccess. The attacker can then attach the user and permissions to a member account in the organization through IAM Identity Center in the management account, and navigate to the IAM Identity Center login link. 
The attacker then can enter the users username/password and get access to the member account directly as Administrator Access. See the references section for the blog post with images/walkthrough/etc. -### Automated Tools +## Automated Tools To enumerate an organization for all the info discussed above, you can use the Pacu module shown below: + ``` # Run Module Pacu (Session: Keys) > run organizations__enum @@ -104,8 +108,5 @@ Pacu (Session: Keys) > run organizations__enum # See Data Collected/Enumerated Pacu (Session: Keys) > data organizations ``` -See the relevant pull requests here: -- https://github.com/RhinoSecurityLabs/pacu/pull/326 -- https://github.com/RhinoSecurityLabs/pacu/pull/335 - +Relevant pull requests can be found [here](https://github.com/RhinoSecurityLabs/pacu/pull/326) and [here](https://github.com/RhinoSecurityLabs/pacu/pull/335). From 83b3af963f1979a2b7391031d0bf97ce7052264f Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Sat, 9 Dec 2023 23:31:13 -0600 Subject: [PATCH 7/7] Changed aws_organizations_defaults description --- content/aws/general-knowledge/aws_organizations_defaults.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/aws/general-knowledge/aws_organizations_defaults.md b/content/aws/general-knowledge/aws_organizations_defaults.md index 37ea72a4..3b2715ba 100644 --- a/content/aws/general-knowledge/aws_organizations_defaults.md +++ b/content/aws/general-knowledge/aws_organizations_defaults.md @@ -1,7 +1,7 @@ --- -author_name: Nick Frichette & Scott Weston +author_name: Scott Weston & Nick Frichette title: AWS Organizations Defaults & Pivoting -description: AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers, and it offers numerous routes to pivot beyond the default behavior. +description: How to abuse AWS Organizations' default behavior and lateral movement capabilities. ---
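Review bot: the CLI commands this hunk's Trusted Access and Delegated Administration sections point at ("There is an AWS CLI command the management account can run ... as seen below", "The CLI command to see all delegated administrators in an organization is shown below") are still only screenshots (the `![image](...66525d6d...)` and `![image](...3deec4a3...)` lines), so readers cannot copy or search them; add the text form in a fenced block beside each image (the `aws organizations list-aws-service-access-for-organization`, `enable-aws-service-access` and `list-delegated-administrators` subcommands exist in the AWS CLI). Two smaller points while the section is being touched: the promoted heading `## IAM Access Analyzer (Indirect Route):` keeps a trailing colon that its sibling `## IAM Identity Center (Direct Route)` does not, and the unchanged context lines carry typos that could be fixed in the same change ("specifc", "managament", "than that is a good way" should be "then", "the users username/password" should be "the user's").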
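Review bot: the replacement line `+Relevant pull requests can be found [here](...) and [here](...)` uses two identical "here" link texts, which is less useful than the bullet list it removes (the raw URLs were readable and searchable in the rendered page). Suggest descriptive link text, for example `[pacu#326](https://github.com/RhinoSecurityLabs/pacu/pull/326)` and `[pacu#335](https://github.com/RhinoSecurityLabs/pacu/pull/335)`, or keeping the list form.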
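Review bot: this hunk changes two front-matter fields but the commit message ("Changed aws_organizations_defaults description") records only one: `-author_name: Nick Frichette & Scott Weston` / `+author_name: Scott Weston & Nick Frichette` reorders the authors as well as rewriting `description`. Either mention the attribution reorder in the commit message or split it into its own commit so the history explains why the order changed. The new description line itself is fine as a summary, and it drops the `It's`/`Its` error in the text it replaces.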