Deep-Dive into AWS Pentesting Cloud Security Workshop
The presentation provides an overview of Amazon Web Services (AWS) and how to pentest AWS services. It covers various AWS services like EC2, S3, Lambda, RDS, IAM and tools that can be used for pentesting. It demonstrates how to find and exploit vulnerabilities in S3 buckets and discusses common attack vectors for services like EC2 and ways to escalate privileges in IAM. The presentation aims to help security professionals learn how to securely test cloud environments hosted on AWS.
In these slides we introduce real-time examples and architectures built using AWS Serverless components like AWS Lambda, AWS Fargate, AWS SNS, AWS SQS, AWS DynamoDB, AWS Kinesis, AWS API GW.
Github Repo: https://github.com/arconsis/aws-microservices-terraform-warmup
The document outlines the agenda for a user group meeting on AWS VPC topics. The agenda includes reviewing default and custom VPCs, NAT instances and gateways, VPC peering, flow logs, endpoints, VPN connections, Direct Connect, limits and pricing, and exam tips. It also lists past topics such as storage, compute, databases, and networking services, as well as upcoming topics such as Lambda, cost optimization, and machine learning.
Introduction to AWS Serverless. In these slides we introduce AWS Serverless, we define what is serverless, we explore Amazon services which can be used to create serverless flows like Lambda, SQS, SNS, Api Gateway, DynamoDB and finally we use Terraform to deploy a serverless API in AWS.
Introduction to AWS and Terraform. In these slides we introduce AWS, cloud networking and cloud native workflows using infrastructure as code via Terraform.
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec... (Amazon Web Services)
In this talk, we’ll take well known architectural patterns such as 3-tier web application, stream processing, scheduled jobs and show how they can be realized without needing to manage servers.
Reducing Latency and Increasing Performance while Cutting Infrastructure Costs (Amazon Web Services)
Discussion of Datadog’s experiences, both successes and challenges, as they built their monitoring solutions on top of AWS Lambda and Amazon API Gateway with the goal of reducing latency and increasing performance while cutting infrastructure costs.
Speaker spoke about features and benefits of the AWS Lambda service and explained how to increase system performance by using AWS services.
This presentation by Mykhailo Brodskyi (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv), was delivered at GlobalLogic Kharkiv Java Conference 2018 on June 10, 2018.
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ... (Amazon Web Services)
AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on.
This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources.
Learning Objectives:
Learn how to receive email notifications for specific API activity
Learn how to troubleshoot operational and security incidents in your AWS account
Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify
Increasingly, developers are breaking their applications apart into smaller components and distributing them across a pool of compute resources. Docker is fast becoming a core component of these architectures, but going from a single or a small number of containers to a distributed application is not trivial. In this session we will talk about some of the core architectural principles underlying the Amazon EC2 Container Service (ECS) and how they are designed to help you scale your applications and run them in production. We will talk about how containers can be used as the foundation for new computing primitives and how these are being used by our customers for increased agility and productivity.
by Ron Cully, Product Management Manager,
AWS Active Directory (AD) is essential for Windows workloads in the cloud. AWS offers customers multiple ways to integrate AD with cloud workloads like EC2, RDS, and AWS Enterprise Applications: AWS Directory Service for Microsoft Active Directory (Enterprise Edition) as a managed service and Active Directory running on AWS EC2 Windows instances. Which option is right for you? This session will discuss the key deployment considerations for each option to help you identify which best meets your project goals, and the effort involved. The session will cover options for integrating with your on-premises directory, port and security considerations, application considerations, and best practices. Level 200
With AWS, you can choose the right storage service, including Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Storage (Amazon EBS), for the right use case. This session shows the range of AWS choices, from object storage to block storage, that are available to you. The session will also include specifics about real-world deployments from customers who are using Amazon S3, Amazon EBS, Amazon Glacier, and AWS Storage Gateway.
Convert and Migrate Your NoSQL Database or Data Warehouse to AWS - July 2017 (Amazon Web Services)
Learning Objectives:
- Understand the use cases for migrating or replicating databases to the cloud
- Learn about the benefits of cloud-native databases for performance and cost reduction
- See how AWS Database Migration Service helps with your migration and how AWS Schema Conversion Tool makes conversions simple and quick
Moving or replicating your databases to the cloud should be simple and inexpensive. AWS has recently enhanced the AWS Database Migration Service and the AWS Schema Conversion Tool with new data sources to increase your migration options. You can now export from MongoDB databases and Greenplum, IBM Netezza, HPE Vertica, Teradata, Oracle DW and Microsoft SQL Server data warehouses to AWS. Learn how to export and migrate your data and procedural code with minimal downtime to the cloud database of your choice, including cloud-native offerings such as Amazon Aurora, Amazon DynamoDB and Amazon Redshift.
(SEC406) NEW LAUNCH: Building Secure Applications with AWS Key Management Ser... (Amazon Web Services)
Learn how you can use the AWS Key Management Service to protect data in your applications. This talk shows you how to use the encryption features of AWS Key Management Service within your applications and provides an in-depth walk-through of applying policy control to keys to control access.
AWS Lambda is a new compute service that runs your code in response to events and automatically manages compute resources for you. In this session, you learn what you need to get started quickly, including a review of key features, a live demonstration, how to use AWS Lambda with Amazon S3 event notifications and Amazon DynamoDB streams, and tips on getting the most out of Lambda functions.
AWS January 2016 Webinar Series - Introduction to Docker on AWS (Amazon Web Services)
Using Docker on your local development machine is simple, but running Docker applications at scale in production can be difficult.
In this webinar, we will discuss the difficulties of running Docker in production and how Amazon EC2 Container Service (ECS) can be used to reduce the operational burdens, and we will give an overview of the architecture powering Amazon ECS. We will also demo how to define multi-container applications with Docker Compose and deploy and scale them seamlessly to a cluster with Amazon ECS.
Learning Objectives:
Understand the benefits and architecture of Amazon ECS
Learn how to deploy and scale Docker containers on Amazon ECS
Who Should Attend:
Developers
(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014 (Amazon Web Services)
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
AWS April Webinar Series - AWS Lambda: Event-driven Code for Devices and the ... (Amazon Web Services)
AWS Lambda is a new compute service that runs your code in response to events and automatically manages compute resources for you. In this webinar you’ll learn what you need to quickly begin building mobile, tablet, or IoT applications that use AWS Lambda as a serverless back-end. You’ll also hear about Amazon Web Service’s Event-Driven Compute strategy and see demonstrations that use Lambda to respond to events from Amazon S3 notifications and Amazon DynamoDB streams. We’ll cover key Lambda features, its programming model, and tips on getting the most out of Lambda functions.
Learning Objectives:
• Understand key AWS Lambda features
• Learn the AWS Lambda programming model
• Get tips on getting the most out of AWS Lambda
Who Should Attend:
• Developers, Dev-ops Engineers, IT Operations Professionals
The document discusses serverless architectures using AWS Lambda and Amazon API Gateway. It provides background on moving from monolithic to microservices architectures. It then covers AWS Lambda functions, event sources, and networking environments. Amazon API Gateway is presented as a way to build multi-tier serverless applications. Common serverless architecture patterns and best practices for AWS Lambda, API Gateway, and general serverless development are outlined. The document concludes with a demonstration of a simple CRUD backend using Lambda and DynamoDB with API Gateway.
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS (Amazon Web Services)
With hundreds of new and sometimes disparate tools, it’s hard to keep pace. Amazon Web Services provides a broad and fully integrated portfolio of cloud computing services to help you build, secure and deploy your big data applications.
Attend this webinar to get an overview of the different big data options available in the AWS Cloud – including popular big data frameworks such as Hadoop, Spark, NoSQL databases, and more. Learn about ideal use cases, cases to avoid, performance, interfaces, and more. Finally, learn how you can build valuable applications with a real-life example.
Learning Objectives:
Learn about big data tools available at AWS
Understand ideal use cases
Learn some of the key considerations such as performance, scalability, elasticity and availability, when selecting big data tools
Who Should Attend:
Data Architects, Data Scientists, Developers
Microservices is a software architectural method where you decompose complex applications into smaller, independent services. Containers are great for running small decoupled services, but how do you coordinate running microservices in production at scale and what AWS services do you use?
In this session, we will explore the reasoning and concepts behind microservices and how containers simplify building microservices based applications. We will also demonstrate how you can easily launch microservices on Amazon EC2 Container Service and how you can use ELB and Route 53 to easily do service discovery between microservices.
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
This document summarizes an upcoming MuleSoft meetup in NYC on integrating with AWS S3. The meetup will be hosted by Neeraj Kumar and feature a presentation by Tirthankar Kundu on using the MuleSoft connector for AWS S3. The agenda will include an introduction to AWS and S3, a demonstration of the S3 connector in MuleSoft, and a Q&A session with trivia questions about AWS S3. Upcoming meetups will focus on continuous integration/delivery and caching strategies with MuleSoft.
This document provides an overview of AWS Lambda and serverless computing. It discusses why AWS Lambda is useful by avoiding the need to manage servers. It then explains how AWS Lambda works by allowing users to run code in response to events without provisioning servers. The document outlines several common use cases for AWS Lambda like web applications, data processing, and chatbots. It also provides examples of serverless architectures and best practices for using AWS Lambda including limiting function size, externalizing configuration, and engaging AWS support for assistance with scaling.
Developing in the cloud should not be different from on-premises development, and AWS services aim to support developers and reduce costs. The main AWS developer services that a developer should know include IAM for managing users and credentials, CloudWatch for monitoring and alarms, EC2 for renting compute resources, VPC for network management, S3 for object storage, DynamoDB for NoSQL databases, RDS for relational databases, Elastic Beanstalk for deploying applications, and CloudFront for low-latency content delivery. Additional services are CloudFormation for provisioning via templates and ElastiCache for caching.
Walk through this hands-on workshop to expand your AWS technical skills. Gain credibility for your experience working with AWS by building proficiency with services and solutions in the areas of AWS Architecture Fundamentals.
This document discusses using AWS services for the Aufzugswächter project, which sends push notifications about broken elevators. It describes how AWS Elastic Beanstalk was used to easily host the backend API, and how AWS S3 and IAM were used to securely store application secrets. It also discusses how AWS SNS was used to send email notifications, though it was not optimal for end-user messaging. The document provides examples of using the AWS Java SDK to easily integrate these services.
Learn the basics of getting started with AWS and migrating your data to AWS. This session will also cover core AWS services, such as Amazon EC2 and Amazon S3, and provide demonstrations of how to set up and utilize those services to launch virtual machines in the cloud.
Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services, now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster.
Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.
AWS (Amazon Web Services) is a subsidiary of Amazon that provides on-demand cloud computing platforms and services including computing power, database storage, content delivery and other functionality via web services on a paid subscription basis. Some key AWS services discussed are S3 for cloud storage, EC2 for virtual computing instances, Route 53 for cloud-based DNS, RDS for database hosting, and identity and access management.
This document provides an overview of Amazon Elastic Compute Cloud (EC2), a cloud computing service that allows users to launch server instances in Amazon's data centers. EC2 provides templates called Amazon Machine Images (AMIs) that contain pre-configured software. Users can launch instances of AMIs to replicate configurations across multiple servers. EC2 instances can be deployed and terminated on demand, while physical servers require regular maintenance. EC2 offers scalable, on-demand resources that users pay for based on usage, unlike physical servers which incur costs whether used or not. The document also briefly discusses other Amazon cloud services like S3, DynamoDB, and Elastic Beanstalk.
A comprehensive list of all the announcements made during AWS re:Invent 2019.
Also sharing the details of what the services are meant for and the planned GA for each.
Feel free to reach out over LinkedIn: https://www.linkedin.com/in/kaushikmohanraj/
#AWS #Cloud #reINvent
AWS Security Hub was announced, which provides a single pane of glass to view and manage security alerts and automate compliance checks across multiple AWS accounts. It aggregates findings from AWS services and partners. Compliance can be improved through automated configuration and compliance checks. Customers can prioritize issues, track unique security issues in their environments, and define response and remediation actions. The tool is available now in preview at no additional cost beyond AWS Config.
Getting Started with AWS Lambda & Serverless Cloud (Ian Massingham)
This document provides an overview of serverless computing using AWS Lambda. It defines serverless computing as running code without servers by paying only for the compute time consumed. AWS Lambda allows triggering functions from events or APIs which makes it easy to build scalable back-ends, perform data processing, and integrate systems. Recent updates include support for Python, scheduled functions, VPC access, and versioning. The document demonstrates using Lambda for building serverless web apps and microservices.
AWS provides a global infrastructure with 11 regions and 52 edge locations to host computing, storage, database, analytics, and application services. It offers virtual servers (EC2), load balancing, virtual desktops, and auto-scaling for compute. Storage options include S3 object storage, EBS block storage, and archival storage (Glacier). Relational databases include RDS for SQL and NoSQL includes DynamoDB. Analytics services include Redshift data warehousing, Kinesis real-time processing, and EMR for big data. Application services include SQS for messaging, SWF for workflows, SNS for notifications, and SES for email. Management tools include IAM for security, CloudWatch for monitoring, Ops
This document provides an overview of architecting applications for the Amazon Web Services (AWS) cloud platform. It discusses key cloud computing attributes like abstract resources, on-demand provisioning, scalability, and lack of upfront costs. It then describes various AWS services for compute, storage, messaging, payments, distribution, analytics and more. It provides examples of how to design applications to be scalable and fault-tolerant on AWS. Finally, it discusses best practices for migrating existing web applications to take advantage of AWS capabilities.
Amazon Web Services provides a set of cloud computing services including Amazon EC2 for computing power, Amazon S3 for object storage, and Amazon EBS for block-level storage. The document discusses these services as well as Amazon VPC which allows users to provision a virtual private cloud within AWS. It provides flexibility to customize the network configuration and control the virtual networking environment.
1. IAM manages identities and access control for AWS resources by controlling authentication and authorization. It uses users, groups, roles, and access policies.
2. EC2 allows users to launch virtual servers and configure security, networking, and storage. Elastic Block Store provides block-level storage volumes for applications. Elastic Load Balancing distributes traffic across targets. Auto Scaling automatically adjusts capacity based on performance.
3. Database services include RDS for relational databases, DynamoDB for NoSQL, S3 for object storage, and Aurora which is compatible with MySQL and PostgreSQL.
Deep dive into cloud security - Jaimin Gohel & Virendra Rathore
2. # Who am I ?
• Manager - Professional Services @ Net Square
• Chapter Lead @ null Ahmedabad
• Speaker
• CTF Player
jaimin_gohel
3. # Who am I ?
• Security Analyst @ Net Square
• Speaker
• Bug Hunter
• Infosec Trainer
VEERSAA1
7. Agenda
● Intro to AWS services
● Intro to AWS CLI
● Attack Vectors for AWS
● Tools to pentest the AWS services
● Pentesting Most Used Services
● DEMO
12. EC2
Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizable compute capacity in the AWS cloud. It gives developers complete control over their compute resources and lets them scale capacity up and down as needed.
13. Lambda
AWS Lambda is an event-driven, serverless computing platform. It runs code in response to events and automatically manages the compute resources that code needs.
● Not a replacement for EC2: there is no server or OS to manage, and you pay per invocation
● Not meant to host a long-running application; each invocation is a short-lived task with a maximum duration
● Triggers are set up and Lambda executes the code when they fire
● Eg: processing a file right after it is uploaded to S3
14. Elastic Load Balancer
Amazon ELB makes your applications highly available by running health checks and distributing traffic across a number of instances.
15. AutoScaling
Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application.
18. S3
Amazon Simple Storage Service (Amazon S3) is a scalable, high-speed, web-based cloud storage service designed for online backup and archiving of data and applications on Amazon Web Services.
● It is an object store, not a file system.
● Every file uploaded to S3 is stored as an object.
● Objects are stored in buckets.
● A bucket is the top-level container; "folders" inside it are only key prefixes, not real directories.
19. Cloudfront
It is a Content Delivery Network (CDN).
● Basically it is a caching service.
● It delivers the data through a network of data centers called edge locations.
● The main purpose of Cloudfront is providing a good user experience (low latency).
20. Elastic Block Storage
Amazon Elastic Block Store (EBS) provides raw block-level storage that can be attached to Amazon EC2 instances and is also used by Amazon Relational Database Service (RDS).
● It is basically the hard drive of an EC2 instance
● It cannot be used independently; a volume has to be attached to an instance
21. Amazon Glacier
Amazon Glacier is an online file storage web service that provides storage for data archiving and backup.
● Low price storage
● The trade-off for the price is retrieval time: archives are restored in minutes to hours rather than being readable immediately
22. Snowball
It is an AWS service for transferring data physically to the AWS infrastructure.
● Snowball is a physical device (50-80 TB) which is shipped to you, filled, and shipped back to AWS.
23. Snowmobile
● Can be used to transfer data from your datacenter to AWS.
● 100 petabytes of data per Snowmobile
25. Relational Database Service
Amazon Relational Database Service (Amazon RDS) is a managed SQL database service provided by Amazon Web Services (AWS).
● Updates to the DB engine
● Patching automation
26. Aurora
Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL.
● Basically it is a custom engine built by Amazon
● It speaks the MySQL (and PostgreSQL) wire protocol, so existing drivers and tools work against it
● AWS claims up to 5x the throughput of standard MySQL
27. DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that allows you to create database tables that can store and retrieve any amount of data. It automatically spreads the data and traffic of a table over multiple servers and maintains performance.
● It is a NoSQL (key-value and document) store only, not a relational database
● Updating and patching is done automatically
● Auto-scaling
Note: DynamoDB is a fully managed proprietary NoSQL database service
28. ElastiCache
Amazon ElastiCache is a fully managed caching service.
● It is protocol-compliant with Memcached (and Redis)
● It is used to set up, manage and scale a distributed cache environment in the cloud.
30. VPC, Direct Connect, Route 53
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined.
● Simulates an environment similar to a private data center
● Provides scalability in the virtual environment
AWS Direct Connect is a network service that allows a customer to establish a dedicated network connection between AWS and the customer's data center.
● It's a leased line to the AWS infrastructure
Amazon Route 53 is a scalable domain name system (DNS) service intended to give businesses and developers a reliable way to direct end users to applications.
32. CloudWatch, CloudFormation, CloudTrail
CloudWatch is a component of Amazon Web Services (AWS) that provides monitoring for AWS resources and the customer applications running on the AWS infrastructure.
CloudFormation is a service that provides customers with the tools they need to create and manage infrastructure as code.
● It lets you describe the infrastructure in a template and then replicate it into another stack
● Like taking a snapshot of the current infra and standing up another copy of it
● Helps with version control, since the template is a text file
CloudTrail is a service that records the API calls made in your AWS account and enables governance, compliance, operational auditing and risk auditing of your AWS infrastructure.
● Simplifies security analysis, resource change tracking and troubleshooting
● Provides an event history of your AWS account activity
33. CloudFormation workflow (diagram): create or reuse a template, save the template in an S3 bucket, then use CloudFormation to create a stack from the template, which constructs the stack's resources.
34. AWS CLI
The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.
● Control multiple AWS services
● Automation using scripts
● A command-line counterpart to the AWS console: the same APIs, but scriptable
35. IAM - Identity and Access Management
IAM enables you to securely control access to AWS services and resources for your users. Create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
36. IAM - Components
Policies
To assign permissions to a user, group, role or resource, you create a policy, which is a JSON document that explicitly lists permissions.
Users
Using IAM, you can create and manage users, and use permissions to allow and deny their access to AWS resources.
Groups
The users created can also be divided among groups, and the rules and policies that apply to the group then apply at the user level as well.
Roles
An IAM role is an entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications or AWS services such as EC2.
39. Incidents that happen
● Uber - AWS access key committed to a GitHub repository, which attackers used to reach the data stored in S3
● Accenture and a lot of others - misconfigured, publicly readable S3 buckets
● Tesla - Kubernetes admin console exposed without a password; it contained AWS credentials
40. Test cases
● What if we only need to pentest the cloud environment
● What if we find AWS keys
○ GitHub commits
○ Social engineering/phishing
○ Password reuse
○ Web application vulnerabilities
■ SSRF (for example, reading the EC2 instance metadata service)
■ Local file read (for example, ~/.aws/credentials)
41. S3 Agenda
● S3 bucket policies and ACLs
● S3 common misconfigurations
● S3 bucket pentesting
○ Demo
42. Find S3 buckets
● Google the domain and see if any history of it exposes the bucket name.
● Look at the web interface of the target: HTML comments, script sources, links to *.s3.amazonaws.com etc.
● Brute-force names at $bucket.s3.amazonaws.com (a 404 NoSuchBucket means the name is free, a 403 means it exists but listing is denied, a 200 listing means it is public).
Keep in mind anyone can create a bucket with "Company Name", so a bucket that exists is not proof that the target owns it.
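The bucket-guessing step above, as an added example that is not part of the slides: it generates name permutations for a target and classifies what an anonymous GET on `https://<bucket>.s3.amazonaws.com/` reveals. The affix list is an assumption to extend per target; only `probe()` touches the network, the rest runs offline.

```python
# Added example (not part of the slides): guess bucket names for a target and
# classify what an anonymous GET on https://<bucket>.s3.amazonaws.com/ reveals.
# Only probe() touches the network; the rest runs offline.
from __future__ import annotations
import itertools
import urllib.error
import urllib.request

# Affixes commonly seen in bucket names; an assumption, extend for your target.
AFFIXES = ["dev", "prod", "staging", "backup", "assets", "static", "logs", "data"]
SEPARATORS = ["", "-", "."]

def candidate_names(company: str) -> list[str]:
    """Return unique S3-valid (lowercase, 3-63 chars) bucket name guesses."""
    base = company.lower().strip()
    names = [base]
    for affix, sep in itertools.product(AFFIXES, SEPARATORS):
        names.append(f"{base}{sep}{affix}")   # e.g. acme-backup
        names.append(f"{affix}{sep}{base}")   # e.g. backup-acme
    seen, out = set(), []
    for n in names:
        if 3 <= len(n) <= 63 and n not in seen:
            seen.add(n)
            out.append(n)
    return out

def classify(status: int, body: str) -> str:
    """Translate the HTTP response of an anonymous bucket GET.

    nonexistent          404 with NoSuchBucket: nobody owns the name (you could)
    exists-private       403: the bucket exists, anonymous listing is denied
    exists-listable      200 with a ListBucketResult: anyone can list objects
    exists-other-region  301/307: exists, S3 wants the regional endpoint
    """
    if status == 404 and "NoSuchBucket" in body:
        return "nonexistent"
    if status == 403:
        return "exists-private"
    if status == 200 and "ListBucketResult" in body:
        return "exists-listable"
    if status in (301, 307):
        return "exists-other-region"
    return "unknown"

def probe(bucket: str, timeout: float = 5.0) -> str:
    """Network probe: GET the bucket root without any credentials."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    req = urllib.request.Request(url, headers={"User-Agent": "s3-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))

if __name__ == "__main__":
    import sys
    for name in candidate_names(sys.argv[1] if len(sys.argv) > 1 else "acme"):
        result = probe(name)
        if result != "nonexistent":
            print(f"{result:20} {name}")
```

An `exists-private` hit still deserves a second look with credentials, since a bucket that denies anonymous listing may still grant `AuthenticatedUsers` (the semi-public case covered later in the deck).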
43. Ways to give permissions to users (ACL grantees)
● A specific AWS account, identified by canonical ID or e-mail address
● AuthenticatedUsers: anyone with a valid set of AWS credentials, in any account
● AllUsers: anyone, including anonymous (unauthenticated) requests
● Depending on the grant, such a grantee can PUT objects, GET objects, or both
44. S3 Bucket policies
● S3 bucket policies are similar to IAM policies in that they grant access to resources via a JSON document.
● However, bucket policies are attached to buckets in S3, whereas IAM policies are assigned to users/groups/roles and govern access to any AWS resource through the IAM service.
● When a bucket policy is applied, the permissions assigned apply to the bucket and, through the policy's Resource element, to the objects within it. The policy specifies which principals (users, accounts, or "*" for everyone) are allowed to perform which actions on which resources.
46-48. S3 Bucket ACLs
READ
● At the bucket level, this allows the grantee to list the objects in a bucket. At the object level, this allows the grantee to read the contents as well as the metadata of an object.
READ_ACP
● At the bucket level, this allows the grantee to read the bucket's access control list. At the object level, this allows the grantee to read the object's access control list.
WRITE
● At the bucket level, this allows the grantee to create, overwrite, and delete objects in a bucket.
WRITE_ACP
● At the bucket level, this allows the grantee to set an ACL for a bucket. At the object level, this allows the grantee to set an ACL for an object.
FULL_CONTROL
● At the bucket level, this is equivalent to granting the "READ", "WRITE", "READ_ACP", and "WRITE_ACP" permissions to a grantee.
49. Scenario
● You have access to AWS credentials of a low-privilege user with S3 permissions (e.g. a user for analytics whose credentials are hard-coded in JavaScript)
● Public access is set for any of the below
○ List objects
○ Write objects
○ Read bucket permissions (ACL)
○ Write bucket permissions (ACL)
50. Amazon S3 REST API
● Requests to Amazon S3 can be authenticated or anonymous.
● Authenticated access requires credentials that AWS can use to authenticate your requests; anonymous requests are served only where the bucket or object grants access to AllUsers.
52. S3 Bucket Common Vulnerabilities
Improper ACL permissions
The ACL of the bucket is often found to be world readable. This does not necessarily imply a misconfiguration of the bucket's data itself, but it reveals which users have what type of access and is the starting point for the next two checks.
Unauthenticated bucket access
As the name implies, an S3 bucket can be configured to allow anonymous users to list, read and/or write to the bucket.
Semi-public bucket access
An S3 bucket is configured to allow access to "authenticated users". This, unfortunately, means anyone authenticated to AWS, in any account. A valid AWS access key and secret is required to test for this condition.
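The three conditions above, checked in code. This is an added example, not tooling from the slides: it takes a bucket ACL and bucket policy in the dict shapes that boto3's `get_bucket_acl()` and `json.loads(get_bucket_policy()["Policy"])` return, and reports grants to AllUsers (unauthenticated), AuthenticatedUsers (semi-public) and policy statements whose principal is everyone. The sample ACL and policy are constructed, and the account ID in them is the AWS documentation placeholder.

```python
# Added example (not part of the slides): flag anonymous and semi-public
# access in an S3 bucket ACL and bucket policy. Inputs are constructed to
# match what boto3 returns; no AWS call is made here.
from __future__ import annotations
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def public_acl_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (who, permission) for every grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user / e-mail grants are scoped to one account
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            findings.append(("AllUsers (anonymous)", grant["Permission"]))
        elif uri == AUTH_USERS:
            findings.append(("AuthenticatedUsers (any AWS account)", grant["Permission"]))
    return findings

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_everyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_policy_statements(policy: dict) -> list[dict]:
    """Allow statements whose principal is everyone.

    A Condition (aws:SourceIp, aws:Referer, ...) may narrow the grant, so such
    statements are marked conditional for manual review rather than dropped.
    """
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        findings.append({
            "Sid": st.get("Sid", ""),
            "Action": _as_list(st.get("Action", [])),
            "Resource": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,
        })
    return findings

def audit(acl: dict, policy: dict) -> dict:
    """Summarise one bucket's exposure from its ACL and policy."""
    return {"acl": public_acl_grants(acl), "policy": public_policy_statements(policy)}

# Constructed sample inputs (shapes mirror boto3 output).
SAMPLE_ACL = {
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "Owner", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

One caveat when reading the output: an enabled S3 Block Public Access setting on the bucket or the account overrides both a public ACL and a public policy, so a finding here still has to be confirmed with an actual anonymous (or foreign-account) request before it goes in the report.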
53. S3 Bucket Pentesting
1. AWS Account
2. AWS CLI on the host computer
3. Vulnerable S3 buckets
4. Tools
a. Pacu
b. S3Scanner
60. Possible Vulnerabilities
● Stored & reflected cross site scripting (e.g. an uploaded HTML or SVG file served from the bucket, or a script the site loads from the bucket being replaced)
● Causing availability issues (deleting or overwriting objects the application depends on)
● Sensitive information disclosure
● Code execution through hosted content (replacing scripts, installers or other files that clients download and run; the bucket itself never executes anything)
61. Pentesting EC2
● Why everyone needs to pentest their cloud
● Intro to AWS EC2
● Tools to pentest the EC2
● Attack Vectors
● Demo: SSRF to RCE
62. Cloudgoat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios.
● Focused, curated, high-quality learning experiences
● Created and maintained by Rhino Security Labs
● Provides modularity and expandability
63. AWS attack vectors for EC2
● Enumerating Instances, Security Groups, and AMIs to stage EC2
attacks
● Abusing Simple Systems Manager for remote access to instances
● Analyzing EC2 User Data for secrets or system credentials
● Identifying routes between VPCs for lateral movement and escalation
64. Tools you'll need to pentest EC2
1. Vulnerable EC2 instance
2. Tools
2.1 AWS CLI
2.2 PACU
65. PACU
Pacu is an open source AWS exploitation framework,
designed for offensive security testing against cloud
environments.
● Pacu is an open source AWS exploitation
framework.
● Created and maintained by Rhino Security Labs
● Pacu allows penetration testers to exploit
configuration flaws within an AWS account
● Can perform permissions enumeration, privilege
escalation, enumerating EC2 instances,
establishing backdoor persistence in an account,
and remotely executing code as root/SYSTEM on
EC2
67. Pentesting IAM
● Features of IAM
● Terminology for IAM
● Tools to pentest IAM
● Attack Vectors
● Demo
68. Features of IAM
● Centralized control of your AWS account
● Shared access to your AWS account
● Granular Permissions
● Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
● Multi-factor Authentication
● Provides temporary access for users/devices and services when necessary
● Allows you to set up your own password rotation policy
● Integrates with many different AWS services
● Supports PCI DSS compliance
69. Terminology for IAM
● Users
○ End users such as people, employees of an organization, etc.
● Groups
○ A collection of users; each user in the group inherits the permissions
granted to the group.
● Policies
○ Policies are made up of documents, called policy documents. These
documents are written in JSON and state what a user, group or role is
permitted to do.
● Roles
○ You create roles and then assign them to AWS Resources.
70. Attack Vector
● There are 21 different methods to escalate IAM privileges, including:
○ Creating an access key for another user
○ Creating a new policy version
○ Attaching a policy to a user/group/role
○ Creating/updating an inline policy for a user/group/role
○ Adding a user to a group
72. Create access key for another user
● An attacker holding the IAM permission iam:CreateAccessKey can create a new access key
● This allows them to create an access key for any user
Command:
aws iam create-access-key --user-name target-user
73. Attaching policy to a user
● An attacker can escalate privileges by attaching a policy using iam:AttachUserPolicy
Command:
aws iam attach-user-policy --user-name my_username --policy-arn
arn:aws:iam::aws:policy/AdministratorAccess
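The five escalation paths on slide 70, with slides 72 and 73 as worked instances, all reduce to a handful of iam: actions. The following is an added example, not code from the presentation, that audits an IAM policy document for those actions from the defender's side: it handles the string-or-list forms IAM allows, the case-insensitive `*`/`?` wildcards used in Action patterns (so `iam:Put*` or `*` is caught, not just the literal action name), and explicit Deny statements. Conditions, NotAction and Resource scoping are deliberately ignored, so a hit means "review this statement", not a proven escalation. The sample policy is constructed for this example.

```python
"""Audit an IAM policy document for the privilege-escalation permissions
named on the slides (iam:CreateAccessKey, iam:CreatePolicyVersion,
iam:Attach*Policy, iam:Put*Policy, iam:AddUserToGroup).

`policy` is an IAM policy document as a dict (json.loads of the policy JSON).
SAMPLE_POLICY below is constructed for this example.
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# Escalation paths from slide 70 mapped to the IAM actions each one needs
ESCALATION_ACTIONS = {
    "create access key for another user": ["iam:CreateAccessKey"],
    "create new policy version": ["iam:CreatePolicyVersion"],
    "attach policy to user/group/role": [
        "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
    "create/update inline policy": [
        "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy"],
    "add user to group": ["iam:AddUserToGroup"],
}


def _as_list(value) -> List[str]:
    """IAM accepts either a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(statement: Dict, action: str) -> bool:
    """True if any Action pattern in the statement covers `action`.

    IAM action names are case-insensitive and support '*' and '?' wildcards.
    Simplification: NotAction, Condition and Resource are not evaluated.
    """
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def action_allowed(statements: List[Dict], action: str) -> bool:
    """An action is effectively allowed only if some Allow matches and no Deny does."""
    allowed = any(s.get("Effect") == "Allow" and _statement_matches(s, action) for s in statements)
    denied = any(s.get("Effect") == "Deny" and _statement_matches(s, action) for s in statements)
    return allowed and not denied


def find_escalation_paths(policy: Dict) -> Dict[str, List[str]]:
    """Return {escalation path: [actions the policy allows]} for each path found."""
    statements = _as_list(policy.get("Statement"))
    found = {}
    for path, actions in ESCALATION_ACTIONS.items():
        granted = [a for a in actions if action_allowed(statements, a)]
        if granted:
            found[path] = granted
    return found


# Constructed sample: an "analytics" policy that looks read-only for S3 but
# also carries a wildcard on iam:Put* and an explicit iam:CreateAccessKey grant.
# The Deny on AttachUserPolicy shows that a Deny is honoured over wildcards.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Put*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:createaccesskey", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for path, actions in find_escalation_paths(SAMPLE_POLICY).items():
        print(f"{path}: {', '.join(actions)}")
```

Run over the inline policies and attached managed policies of each user and role (for instance the output of `aws iam get-user-policy` and `aws iam get-policy-version`), the function gives a quick list of principals that would be able to perform the escalations shown on slides 72 and 73; pairing it with CloudTrail alerts on the same API names covers the detection side.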
77. Best Practices for IAM
● Users – Create individual users.
● Groups – Manage permissions with groups.
● Permissions – Grant least privilege.
● Auditing – Turn on AWS CloudTrail.
● Password – Configure a strong password policy.
● MFA – Enable MFA for privileged users.
● Roles – Use IAM roles for Amazon EC2 instances.
● Sharing – Use IAM roles to share access.
● Rotate – Rotate security credentials regularly.
● Conditions – Restrict privileged access further with conditions.
● Root – Reduce or remove use of root.
78. How can a Lambda function be executed?
● Manually in Lambda console
● AWS SDK to call Lambda API
● HTTP request via API Gateway
● Events raised in AWS (S3 operations, Kinesis stream)
79. Use cases
● Data processing
○ Real-time File Processing
○ Real-time Stream Processing
○ Extract, Transform, Load
● Backends
○ IoT Backends
○ Mobile Backends
○ Web Applications
80. Example 1
● An image is uploaded to the S3 bucket
● AWS Lambda is triggered
● Images are processed and converted into thumbnails sized for
the target devices
81. Example 2
● AWS Kinesis gathers hashtag trending data
● AWS Lambda is triggered
● Data is stored in a database and can later be used for
analysis
82. Attack Vectors
● Attacking Lambda function with Read access
● Attacking Lambda functions with read and write
access