This document outlines steps for penetration testing an AWS environment, including: 1. Requesting permission from AWS for testing 2. Testing SSH security like default credentials and open ports 3. Scanning with tools like Nessus, Nmap, and OpenVAS to check vulnerabilities 4. Using tools like Nimbostratus to extract metadata like permissions and users

1. AWS-PT
By
Vengatesh.N

2. AWS & Its Terminologies
1. AWS
2. VPC
3. Emc2 Instances
4. AMI(Amazon Machine Image)

3. AWS-Scenario

4. AWS-Scenario

5. AWS Pen-testing Methodology
1. Testing SSH
2. Scanning with tools
3. Finger Printing or Extracting Meta-Data

6. Caution..!!!!!!
To perform VAPT on AWS, prior permission is needed from AWS
team
https://aws.amazon.com/forms/penetration-testing-request

7. Testing SSH
1. Direct root access allowed or not
2. Default username password changed or not
3. Login using. pem file or password
4. Environment variables are accessible to the user or not
5. Default port 22 is used or not
6. Try to create a new user with password authentication

8. Default SSH
Credentials

9. VPC Firewall-Rules Configuration

10. Scanning with tools
To name few:
 Nessus
 Nmap
 Nexpose
 OpenVAS
 Qualys

11. Nessus Compliance check

12. Nexpose AWS Audit

13. Whole Audit Process Explained
Auditing with Nessus:
https://www.tenable.com/blog/nessus-amazon-aws-auditing-now-
available
Auditing With Nexpose:
http://www.esecforte.com/auditing-your-cloud-infrastructure-with-
nexpose-enterprise/

14. Extracting Metadata
Extracting Juicy information
 Manual
 Using Nimbostratus Tool

15. Manual Method
Use curl to access Metadata
Metadata Information Will be available Here:
curl http://publicIP/
http:// publicIP /latest/

16. Manual Method

17. Using Nimbostratus
Nimbostratus can fingerprint & Exploit AWS Infrastructures
Features:
 Dump permissions
 Dump instance meta-data
 Create new user
More: http://andresriancho.github.io/nimbostratus/

18. Conclusion
Points to Remember while Securing AWS:
Different users for different tasks
Audit users and groups periodically
Security Practices applicable for SSH or service
Security Best Practices:
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

19. References
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-tutorials.html
https://thoughtsandideas.files.wordpress.com/2012/05/step-2-2-amazon-ec2-
instance1.png
https://www.youtube.com/watch?v=CaJCmoGIW24
http://unix.stackexchange.com/questions/82626/why-is-root-login-via-ssh-so-bad-that-
everyone-advises-to-disable-it
https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-
Clouds-WP.pdf