The document provides an overview of pentesting AWS environments. It discusses differences from traditional pentesting and covers AWS fundamentals like IAM security issues, S3 misconfigurations, and IMDSv1 vs IMDSv2. Hands-on exercises are demonstrated using tools like Flaws.cloud, CloudGoat scenarios, and the Pacu exploitation framework to find and exploit vulnerabilities. Requirements and best practices for pentesting AWS are also outlined.
2. Who IAM
12+ years of Experience in
â—Ź Application Security
â—‹ Threat Modeling
â—‹ Secure Code Review
â—‹ Secure Code Training
â—Ź Cloud Security
â—Ź Security Automation using
Python3
â—Ź Pentest & OWASP Top 10
Sanjeev Jaiswal (Jassi)
3. What you know
in AWS
Minimal AWS assumptions
â—Ź Can access AWS Console access
â—Ź Good idea of IAM features
â—Ź EC2 related operations
â—Ź How to work with S3 buckets
â—Ź Aware of ELB
â—Ź Security group, NACL
â—Ź API gateway
â—Ź Understanding of Lambda
â—Ź Various topics in VPC
â—Ź Security of|in the cloud
4. What I will cover
Fundamentals
â—Ź IAM pitfalls
â—Ź S3 Security
â—Ź IMDSv1 vs IMDSv2
â—Ź Vulnerable Public IPs, ELBs,
Endpoints
â—Ź Lambda Security (Intermediate)
â—Ź ECS Security (Advanced)
Hands-On
â—Ź Flaws.cloud (1&2)
â—Ź CloudGoat Scenarios
â—Ź Pacu
â—Ź Prowler
Prerequisites: Python3, Terraform,
aws-cli, git
7. Rules for Pentest in AWS
â—Ź Testing AWS Infrastructure
â—Ź No DoS and DDoS without notification
â—Ź No Port flooding
â—Ź No Protocol flooding
â—Ź No Network Stress testing without
Notification
â—Ź Mail if you are unsure:
â—‹ aws-security-simulated-event@amazon.com
Testing Customer Owned Application
Free to use any Pentest Tools
8 permitted Amazon Services
â—Ź Amazon EC2 instances, NAT Gateways, and Elastic
Load Balancers
â—Ź Amazon RDS
â—Ź Amazon CloudFront
â—Ź Amazon Aurora
â—Ź Amazon API Gateways
â—Ź AWS Lambda and Lambda Edge functions
â—Ź Amazon Lightsail resources
â—Ź Amazon Elastic Beanstalk environments
Pacu/CloudGoat Testing environments follow
AWS security Best Practices
https://aws.amazon.com/security/penetration-testing/
8. IAM Security issues
â—Ź Permissive policies
â—‹ Resource policy: No * please
â—‹ IAM policy: put*, attach*, policy versioning, group|user management related policies
â—‹ Service Role Trust Policy
â—Ź Cross-Account Permissions
â—Ź Misconfigured IAM Role combination
â—Ź Poorly written policies
â—Ź Published without proper validation and review
9. S3 Security issues
â—Ź Publicly listed buckets and objects majorly in us-east-1 and eu-west-1 region
â—Ź Authorised to any AWS user
â—Ź Authorised to any AWS user in a specific region
â—Ź Common bucket enumeration
â—Ź No Cloudfront or WAF to avoid direct bucket exposure
â—Ź Default Encryption is not enabled
â—Ź No https enforcement for put objects
â—Ź Permissive bucket policy or bucket policy missing
â—Ź Virtual hosted: https://bucketname.s3.Region.amazonaws
â—Ź Path Style: https://s3.Region.amazonaws.com/bucket-name/
10. IMDSv1 vs IMDSv2
â—Ź IMDS: Instance Metadata Service
● Instance Metadata Service Version 1 (IMDSv1) – a request/response method
● Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
â—Ź By default you can use either IMDSv1 or IMDSv2 or both
â—Ź IMDS makes available metadata about the instance, its network, and its storage.
â—Ź It makes AWS creds available for any IAM role that is attached to the instance.
â—Ź SSRF attack is quite possible
13. flaws.cloud
Get the real heat
â—Ź Url: http://flaws.cloud/
â—Ź It has total 6 levels
â—Ź Covering misconfigurations in
â—‹ S3 (3 scenarios)
â—‹ EC2 snapshot is made public
â—‹ Reverse Proxy with IMDSv1 enabled
â—‹ Lambda with excessive permission
14. Cloudgoat
Exploit the vulnerable settings
â—Ź Cloudgoat
â—‹ By Rhino Security Labs
â—‹ Vulnerable by design
â—‹ Overview and tool walkthrough
â—Ź Demo of some scenarios
â—‹ iam_privsec_by_rollback
â—‹ cloud_breach_s3
â—‹ ec2_ssrf
â—‹ rce_webapp
15. How to use Cloudgoat
1. Once you clone the repo, go to cloudgoat directory
2. run `pip3 install -r ./core/python/requirements.txt`
3. Make sure cloudgoat.py is executable `chmod u+x cloudgoat.py`
4. run ./cloudgoat.py config profile and click y, then give profile name as default
5. whitelist your IP, run this command: `./cloudgoat.py config whitelist --auto` and
type yes to continue
6. List all scenarios: ./cloudgoat.py list all|undeployed|deployed
7. Deploy the scenario: ./cloudgoat.py create scenario_name
16. Pacu - Cloud
Pentesting
Framework
Tool to make attackers job easier
â—Ź Pacu
â—‹ Open-source AWS Exploitation
Framework
â—‹ By Rhino Security Labs
â—‹ Written in Python
â—Ź Exploitation Demo
â—‹ Introduction and setup
â—‹ cloud_breach_s3
â—‹ iam_privsec_by_rollback
â—‹ ec2_ssrf
â—‹ codebuild_secrets
17. How to use Pacu
1. You can use pacu for cloudgoat scenarios
1. First deploy some scenarios to make pacu working easily
2. Once you clone the repo, go to pacu directory
3. Run cli.py as python3 cli.py or ./cli.py
4. Set a new session name or use existing one
5. Import all keys or import only one key `import_keys --all`
6. choose which key you want to import
1. import_keys <profile-name>
2. run whoami
7. Check if pacu settings are working. Run aws sts get-caller-identity --profile
<profile-name>
8. See what modules are available in pacu: `list` (run once import key step is done)
18. What’s Next
â—Ź AWS Security Automation: https://github.com/awslabs/aws-security-automation
â—Ź SANS SEC573: https://www.sans.org/course/automating-information-security-with-python
● Automate event-driven security stuffs using AWS Lambda in Python
â—Ź Automate AWS Services security assessment using Python
â—Ź Automate AWS CIS benchmarks
â—Ź Automate AWS Exploits
â—Ź Automate/Solve AWS Based CTF challenges
â—Ź Use Pacu, Prowler, ScoutSuite for AWS Exploitation and Security Assessment
â—Ź Make command line tool using click module, similar to weirdAAL
â—Ź Breaking and Pwning Apps and Servers on AWS and Azure - Free Training Courseware and Labs
19. Resources
AWS Pentesting By PackT
AWS CLI by Amazon
Boto3 Documentation
https://github.com/RhinoSecurityLabs/cloudgoat
https://github.com/RhinoSecurityLabs/pacu
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
https://sra.io/blog/aws-iam-exploitation/
https://github.com/jassics/awesome-aws-security