0x251e

AWS Pentesting Basics: A Comprehensive Guide

Overview

Amazon Web Services (AWS) is a comprehensive cloud computing platform provided by Amazon. Understanding its security implications is crucial for modern security professionals. This blog post covers the basics of AWS penetration testing based on workshop learnings.

Key AWS Services

• S3 (Simple Storage Service)
• EC2 (Elastic Compute Cloud)
• RDS (Relational Database Service)
• Lambda (Serverless Computing)
• Polly (Text-to-Speech)
• SNS (Simple Notification Service)
• SQS (Simple Queue Service)
• And many more…

AWS Geographic Structure

Regions and Availability Zones

• Each AWS region consists of multiple, isolated locations known as Availability Zones (AZs)
• Regions are geographically distributed (e.g., us-east-1, eu-west-1)
• Each region operates independently
• Security configurations and policies can vary by region

Accessing AWS Services

Access Methods

1. AWS Management Console (Web Interface)
   • Browser-based interface
   • Requires username/password
   • Supports MFA
2. AWS CLI (Command Line Interface)
   • Command-line tool
   • Requires access keys
   • Useful for automation and scripting
3. AWS SDKs
   • Programming language-specific libraries
   • Enables programmatic access
   • Available for multiple languages (Python, Java, JavaScript, etc.)

Service Models

Understanding Different Service Layers

1. Infrastructure as a Service (IaaS)
   • Provides virtual machines, storage, networks
   • Example: EC2, S3
   • Highest level of control
   • Requires most management
2. Platform as a Service (PaaS)
   • Provides runtime environment
   • Example: Elastic Beanstalk, RDS
   • Reduced management overhead
   • Focus on application development
3. Software as a Service (SaaS)
   • Fully managed applications
   • Example: Amazon WorkMail
   • Minimal management required
   • Limited customization

AWS Services Classification

Main Categories

1. Networking
   • VPC
   • Route 53
   • CloudFront
2. Access Management
   • IAM
   • AWS Organizations
   • AWS SSO
3. Compute
   • EC2
   • Lambda
   • ECS
4. Storage
   • S3
   • EBS
   • EFS
5. Security Services
   • AWS Shield
   • WAF
   • GuardDuty

Note: Each service has its own attack surface and security considerations.

Identity and Access Management (IAM) Deep Dive

IAM is crucial for AWS security and is often a primary target during penetration testing.

Key Components

1. User Management
   • Create/modify/delete users
   • Assign direct permissions
   • Manage access keys
2. Roles
   • Used by services and applications
   • Temporary credentials
   • Cross-account access
3. Policies
   • JSON documents defining permissions
   • Attached to users, roles, or groups
   • Both AWS-managed and custom policies
4. Multi-Factor Authentication (MFA)
   • Additional security layer
   • Various MFA options available
   • Recommended for all IAM users

Enumeration Techniques

1. User Enumeration

# List all users
aws iam list-users

# List groups for specific user
aws iam list-groups-for-user --user-name TARGET_USER

# List user policies
aws iam list-attached-user-policies --user-name TARGET_USER
aws iam list-user-policies --user-name TARGET_USER

2. Role Enumeration

• Identify roles with elevated privileges
• Focus on roles like:
  • ec2FullAccess
  • AdminRole
  • DevRole
  • Custom roles with broad permissions

3. Policy Enumeration

Key attributes to check:

• PolicyName
• PolicyArn
• Policy Version
• Policy Document content

4. Group Enumeration

Important attributes:

• GroupName
• GroupId
• Path
• Attached policies

Privilege Escalation

Assume Role Vulnerabilities

• Watch for wildcards (*) in trust relationships
• These often indicate potential privilege escalation paths
• Check for overly permissive resource policies

Recommended Practice Labs

1. PwnedLabs.io
   • Realistic AWS scenarios
   • Guided learning paths
   • Hands-on experience
2. AWSGoat
   • Open-source vulnerable AWS environment
   • GitHub: https://github.com/ine-labs/AWSGoat
   • Great for learning AWS security

Automation Tools

Popular Tools for AWS Pentesting

1. Pacu
   • Comprehensive AWS exploitation framework
   • GitHub: https://github.com/RhinoSecurityLabs/pacu
   • Features:
     • Reconnaissance
     • Privilege escalation
     • Data exfiltration
     • Persistence
2. Scout Suite
   • Multi-cloud security auditing tool
   • Comprehensive security reports
   • Easy-to-use web interface
3. CloudMapper
   • Creates visual diagrams of AWS environments
   • Helps identify security risks
   • Useful for attack path mapping

Additional Resources

1. https://hackingthe.cloud
   • Comprehensive cloud hacking techniques
   • Updated regularly with new attack methods
   • Community-driven content
2. AWS Security Documentation
   • Official AWS security best practices
   • Service-specific security guides
   • Regular updates with new features

Best Practices for AWS Pentesting

1. Always obtain proper authorization
2. Follow AWS acceptable use policy
3. Use dedicated testing accounts
4. Monitor and log all testing activities
5. Clean up resources after testing
6. Report findings responsibly

Conclusion

AWS penetration testing requires understanding of both cloud concepts and security principles. Regular practice, hands-on labs, and staying updated with new services and features are essential for effective AWS security testing.

This site is open source. Improve this page.