Cloudfoxable - The topic is exposure

What does it mean when we say something is “public” in the cloud? Do you need an IP address to be public? What if a resource is accessible to anyone in the world, provided they have an AWS account (any AWS account)? That seems close enough to public to scare me! (Note: FWIW, there is a policy on the resource in question that will only allow you to exploit it from your IP address to prevent misuse) ...

March 12, 2026 · 2 min · 348 words

Cloudfoxable - It's another secret

TL;DR: You’ve just gained access to the role Ertz. Can you find and access the its-another-secret flag? A lot of the challenges in the category Assumed Breach: Principal will have you assume into a role to simulate a new starting point. You’ll technically start as ctf-starting-user, but your first action will be to assume the role Ertz listed above. This is to simulate a scenario where you’ve just gained access to the role Ertz. ...

March 11, 2026 · 3 min · 448 words

Cloudfoxable - It's a secret

For this CTF, your starting CTF user has the following policies: SecurityAudit (AWS Managed), CloudFox (Customer Managed), and its-a-secret (Customer Managed). The first two policies allow you to run CloudFox. The third policy allows this starting user to get the flag for this challenge. If you followed the setup steps in the First Flag challenge (if you are doing this in a workshop, the setup in First Flag has been done for you), you’ll have a profile called cloudfoxable which is tied to the user/ctf-starting-user. ...

March 10, 2026 · 2 min · 382 words