0x251e

Basic AWS Pentest - Part 01

10 Oct 2024


In today’s digital landscape, more and more organizations are adopting AWS services for their cloud infrastructure, which makes penetration testing within this environment increasingly important. For those who haven’t heard of it, AWS is a comprehensive cloud computing platform provided by Amazon, and understanding its security implications is crucial for modern security professionals. This blog post covers the basics of AWS penetration testing.

Before performing penetration testing on AWS cloud services, we have to understand its core concepts and services.

Key AWS Services:

  • S3 (Simple Storage Service)
  • EC2 (Elastic Compute Cloud)
  • RDS (Relational Database Service)
  • Lambda (Serverless Computing)
  • Polly (Text-to-Speech)
  • SNS (Simple Notification Service)
  • SQS (Simple Queue Service)
  • And many more…

AWS Geographic Structure:

Regions and Availability Zones

  • Each AWS region consists of multiple, isolated locations known as Availability Zones (AZs)
  • Regions are geographically distributed (example: us-east-1, eu-west-1)
  • Each region operates independently
  • Security configurations and policies can vary by region

Accessing AWS Services

  1. AWS Management Console (Web Interface)
    • Browser-based interface
    • Requires username/password
    • Supports MFA
  2. AWS CLI (Command-Line Interface)
    • Command-line tool
    • Requires access keys
    • Useful for automation and scripting
  3. AWS SDKs
    • Programming language-specific libraries
    • Enables programmatic access
    • Available for multiple languages (Python, Java, JavaScript, etc)

Understanding Different Service Layers

Note: Each service has its own attack surface and security considerations

  1. Networking
    • VPC
    • Route 53
    • CloudFront
  2. Access Management
    • IAM
    • AWS Organizations
    • AWS SSO
  3. Compute
    • EC2
    • Lambda
    • ECS
  4. Storage
    • S3
    • EBS
    • EFS
  5. Security Services
    • AWS Shield
    • WAF
    • GuardDuty

AWS Identity and Access Management (IAM) Deep Dive

IAM is crucial for AWS security and is often a primary target during penetration testing as it is the main service for controlling privileges and enables safe access control across all Amazon services.

Key Components of IAM:

  1. Identity: Represents entities like IAM users, groups, or roles that can interact with AWS resources, used for authentication and authorization.

  2. IAM User: An entity within AWS that represents a person or an application, with unique credentials and permissions for AWS service interaction.

  3. IAM Group: A collection of IAM users that simplifies permission management by allowing you to assign the same permissions to multiple users at once.

  4. IAM Role: An entity similar to a user but not tied to a specific individual, granting temporary access to AWS services for instances, applications, or other AWS resources.

  5. Policy: A JSON document that defines permissions, controlling what actions an identity (IAM user, group, or role) can perform on specific AWS resources.

  6. Access Key ID / Secret Access Key: Credential pairs used to authenticate programmatic access to AWS services, consisting of an Access Key ID (public identifier) and a Secret Access Key (confidential key).

  7. Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring users to provide a second authentication factor in addition to their password, enhancing account protection.

  8. Identity Provider (IdP): An external system used for authentication that can integrate with AWS to provide identity information about users, enabling features like Single Sign-On (SSO).

  9. Role-based Access Control (RBAC): A method of managing permissions based on roles, allowing a structured way to grant and revoke access to AWS resources.

  10. Assume Role: A process where users or services temporarily gain permissions by assuming a role that provides the necessary credentials.

  11. Temporary Credentials: Credentials granted for a limited time when a role is assumed, consisting of an Access Key ID, Secret Access Key, and Session Token.

  12. Access Control: The process of granting or denying permissions to AWS resources using IAM policies, defining specific actions and resources that identities can access.

  13. Security Token Service (STS): A service that provides temporary security credentials for users or services to assume roles and access AWS resources.

  14. Identity Federation: The integration of external identity systems with AWS to enable users to access AWS resources using their existing credentials from systems like Active Directory or other IdPs.

IAM Policy Example:

This policy grants read-only access to a single S3 bucket but full access to EC2 instances (describe, start, stop, reboot) across every resource in the account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "*"
        }
    ]
}

For a deeper understanding of AWS IAM, this YouTube video helps.

Enumeration Techniques

1. User Enumeration

# List all users
aws iam list-users

# List groups for specific user
aws iam list-groups-for-user --user-name TARGET_USER

# List user policies
aws iam list-attached-user-policies --user-name TARGET_USER
aws iam list-user-policies --user-name TARGET_USER
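The same four lookups done programmatically with boto3, followed by a review pass over the results. This is an added example written for this post, not the author's tooling or part of boto3: the function names (fetch_user_inventory, find_privileged_users) and the sample inventory are constructed here. It uses paginators because the raw IAM API truncates long result sets (the CLI pages for you, boto3 does not), and it flags inline policies separately since they never appear in list-attached-user-policies.

```python
"""User enumeration via boto3, mirroring the CLI commands above, plus a pure
review step. fetch_user_inventory() and find_privileged_users() are
hypothetical helper names written for this post, not boto3 or AWS CLI APIs."""
import os
import re

try:
    import boto3  # needed only for the live fetch; the review step runs offline
except ImportError:
    boto3 = None

# Real AWS-managed policy ARNs that confer admin-level or very broad power.
ADMIN_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
# Any AWS-managed "<Service>FullAccess" policy, e.g. AmazonEC2FullAccess.
FULL_ACCESS_RE = re.compile(r"^arn:aws:iam::aws:policy/[A-Za-z0-9]+FullAccess$")


def fetch_user_inventory(iam):
    """Equivalent of list-users, list-groups-for-user, list-attached-user-policies
    and list-user-policies. Paginators are used because the API truncates long
    result sets (IsTruncated/Marker), which the CLI hides but boto3 does not."""
    inventory = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            groups = [g["GroupName"]
                      for p in iam.get_paginator("list_groups_for_user").paginate(UserName=name)
                      for g in p["Groups"]]
            attached = [a["PolicyArn"]
                        for p in iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
                        for a in p["AttachedPolicies"]]
            inline = [n
                      for p in iam.get_paginator("list_user_policies").paginate(UserName=name)
                      for n in p["PolicyNames"]]
            inventory.append({"UserName": name, "Groups": groups,
                              "AttachedPolicies": attached, "InlinePolicies": inline})
    return inventory


def find_privileged_users(inventory):
    """Return {user_name: [reasons]} for users that deserve a closer look:
    admin-level or *FullAccess managed policies attached directly, or inline
    policies, which are easy to miss because list-attached-user-policies
    never shows them."""
    flagged = {}
    for user in inventory:
        reasons = []
        for arn in user["AttachedPolicies"]:
            short = arn.rsplit("/", 1)[-1]
            if arn in ADMIN_MANAGED_POLICIES:
                reasons.append(f"admin-level managed policy attached: {short}")
            elif FULL_ACCESS_RE.match(arn):
                reasons.append(f"service-wide FullAccess policy attached: {short}")
        if user["InlinePolicies"]:
            reasons.append("inline policies need manual review: " + ", ".join(user["InlinePolicies"]))
        if reasons:
            flagged[user["UserName"]] = reasons
    return flagged


# Constructed sample inventory, shaped like fetch_user_inventory() output.
SAMPLE_INVENTORY = [
    {"UserName": "alice", "Groups": ["developers"],
     "AttachedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "InlinePolicies": []},
    {"UserName": "ci-deploy", "Groups": [],
     "AttachedPolicies": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"],
     "InlinePolicies": ["s3-deploy-inline"]},
    {"UserName": "breakglass", "Groups": ["admins"],
     "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"], "InlinePolicies": []},
]

if __name__ == "__main__":
    # Set LIVE_IAM_SCAN=1 (with credentials, e.g. AWS_PROFILE) to query a real account;
    # otherwise the constructed sample is reviewed.
    if boto3 and os.environ.get("LIVE_IAM_SCAN"):
        inventory = fetch_user_inventory(boto3.client("iam"))
    else:
        inventory = SAMPLE_INVENTORY
    for name, reasons in find_privileged_users(inventory).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Group membership is collected but not scored here on purpose: group policies need the same attached/inline lookup per group (list-attached-group-policies, list-group-policies) before you can say what a member can actually do.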

2. Role Enumeration

  • Identify roles with elevated privileges
  • Focus on roles like:
    • ec2FullAccess
    • AdminRole
    • DevRole
    • Custom roles with broad permissions

3. Policy Enumeration

Key attributes to check:

  • PolicyName
  • PolicyArn
  • Policy Version
  • Policy Document content

4. Group Enumeration

Important attributes:

  • GroupName
  • GroupId
  • Path
  • Attached policies

Privilege Escalation

Assume Role Vulnerabilities

  • Watch for wildcards (*) in trust relationships
  • These often indicate potential privilege escalation paths
  • Check for overly permissive resource policies
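A static check for the patterns described in this section and in the policy example earlier (wildcard actions, non-read actions on Resource "*", and wildcard or account-wide principals in a role's trust policy). This is an added example, not code from the post: review_policy() and its helpers are hypothetical names, and the two sample documents are constructed here (the first is the post's own example policy, the second a trust policy with a wildcard principal).

```python
"""Static review of IAM policy documents, both identity policies and role trust
policies, for wildcard patterns. review_policy() and the helpers are hypothetical
names written for this post, not an AWS API."""
import json

# Constructed sample: the identity policy shown earlier in the post.
IDENTITY_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": "*"}
    ]
}""")

# Constructed sample: a role trust policy that lets any AWS principal assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": [...], "Service": ...}) to strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return []


def _is_read_only(action):
    """'ec2:DescribeInstances' -> True; 'ec2:StartInstances' -> False; '*' -> False."""
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def review_policy(doc):
    """Return findings as [{'statement': index, 'issue': str, 'detail': str}, ...]."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principals = _principals(stmt)
        # A Condition block may narrow the grant (e.g. ExternalId, source ARN); flag it for review.
        conditioned = " (has Condition, check it)" if "Condition" in stmt else ""

        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append({"statement": idx, "issue": "wildcard action",
                             "detail": ", ".join(actions) + conditioned})
        writes = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and writes:
            findings.append({"statement": idx, "issue": "wildcard resource",
                             "detail": "non-read actions on Resource '*': " + ", ".join(writes) + conditioned})
        if principals and any(a.lower().startswith("sts:assumerole") for a in actions):
            if "*" in principals:
                findings.append({"statement": idx, "issue": "wildcard principal",
                                 "detail": "any AWS principal may assume this role" + conditioned})
            for p in principals:
                if p.endswith(":root"):  # arn:aws:iam::<account>:root trusts the whole account
                    findings.append({"statement": idx, "issue": "account-wide principal",
                                     "detail": f"every identity in {p} holding sts:AssumeRole may assume this role" + conditioned})
    return findings


if __name__ == "__main__":
    for label, doc in (("identity policy", IDENTITY_POLICY), ("trust policy", TRUST_POLICY)):
        print(label)
        for f in review_policy(doc):
            print(f"  statement {f['statement']}: {f['issue']} - {f['detail']}")
```

Against the post's example policy only the EC2 statement is reported (start/stop/reboot on every instance); the S3 statement is scoped to one bucket and read-only, so it passes. The same function applied to a trust policy pulled from get-role answers the question this section asks: who is allowed to assume it.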

Practice Labs

  1. PwnedLabs.io
    • Realistic AWS scenarios
    • Guided learning paths
    • Hands-on experience
  2. AWSGoat
    • Open-source vulnerable AWS environment
    • GitHub: https://github.com/ine-labs/AWSGoat
    • Great for learning AWS security

Automation Tools

  1. Pacu
    • Open-source AWS exploitation framework (by Rhino Security Labs)
  2. Scout Suite
    • Multi-cloud security auditing tool
    • Comprehensive security reports
    • Easy-to-use web interface
  3. CloudMapper
    • Creates visual diagrams of AWS environments
    • Helps identify security risks
    • Useful for attack path mapping

Additional Resources

  1. https://hackingthe.cloud
    • Comprehensive cloud hacking techniques
    • Updated regularly with new attack methods
    • Community-driven content

References:

  1. https://alparslanakyildiz.medium.com/cloud-aws-pentest-series-iam-enumeration-b2ed922e7cab

  2. https://medium.com/@osamaavvan/aws-cross-account-enumeration-c98d4808ac37

  3. AWS IAM Cheatsheet: https://medium.com/@reach2shristi.81/aws-iam-cheatsheet-d3fe97a933f5