
@refabr1k
Last active July 21, 2023 17:31
AWS Pentesting Playbook

AWS Cloud Pentesting playbook

Learn

IAM

https://aws.amazon.com/architecture/security-identity-compliance/
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Hacking AWS end-to-end - remastered (https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)

Slides and code: https://github.com/dagrz/aws_pwn

Attacking AWS: the full cyber kill chain | SANS Cloud & DevOps Security Summit 2020 (https://www.youtube.com/watch?v=njsNy2bNuT8)

Scoping for Cloud PT engagements

Understanding The Shared Responsibility Model

AWS uses a Shared Responsibility Model, which contains two parts:

Security of the Cloud, which falls under AWS's responsibility
Security in the Cloud, which is the customer's responsibility.

The scope and boundaries are defined in the scoping process of a cloud penetration test assessment in which at least the following questions are asked:

How many non-standard AWS Identity and Access Management (IAM) policies exist?
Which services are used? 
How many IAM Policies are assigned?
How many accounts exist?

In a cloud penetration test we first need to confirm (even though this was already covered during the scoping process) which services are:

Used by the application (e.g., EC2 vs Lambda)
Externally exposed (e.g., S3 bucket with static CSS files vs DynamoDB)
Managed by AWS or by the customer

This also involves enumerating and fingerprinting the cloud infrastructure for used components and further third-party software.

Depending on the information given before the penetration test or identified throughout the assessment, this may also involve stepping into AWS Identity and Access Management (IAM). IAM is the service used to control access to AWS resources by defining policies.
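
To turn the IAM scoping questions above into numbers, here is an added Python example (not part of the gist) that consumes the output shapes of `aws iam list-policies --scope Local` and `aws iam get-policy-version` from constructed sample data and reports how many non-standard policies exist, how many are actually attached, and which ones grant wildcard permissions; the account id, policy names and documents are made up.

```python
# Constructed sample shaped like `aws iam list-policies --scope Local` output:
# customer-managed (non-standard) policies only, AWS-managed ones excluded.
SAMPLE_POLICIES = {"Policies": [
    {"PolicyName": "app-s3-readonly", "AttachmentCount": 2,
     "Arn": "arn:aws:iam::123456789012:policy/app-s3-readonly"},
    {"PolicyName": "legacy-admin", "AttachmentCount": 1,
     "Arn": "arn:aws:iam::123456789012:policy/legacy-admin"},
    {"PolicyName": "unused-ec2", "AttachmentCount": 0,
     "Arn": "arn:aws:iam::123456789012:policy/unused-ec2"},
]}
# Constructed default-version documents keyed by ARN (the `Document` field of
# `aws iam get-policy-version`). IAM allows Statement/Action/Resource as scalar or list.
SAMPLE_DOCUMENTS = {
    "arn:aws:iam::123456789012:policy/app-s3-readonly": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]}]},
    "arn:aws:iam::123456789012:policy/legacy-admin": {"Statement":
        {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "arn:aws:iam::123456789012:policy/unused-ec2": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_overly_permissive(document):
    """Flag Allow statements granting every action, or a whole service on every resource."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            return True
        if "*" in resources and any(a.endswith(":*") for a in actions):
            return True
    return False

def summarize_scope(policies, documents):
    """How many non-standard policies exist, how many are attached, which need review."""
    summary = {"non_standard": 0, "attached": 0, "unattached": [], "overly_permissive": []}
    for policy in policies["Policies"]:
        summary["non_standard"] += 1
        if policy["AttachmentCount"] > 0:
            summary["attached"] += 1
        else:
            summary["unattached"].append(policy["PolicyName"])
        if is_overly_permissive(documents[policy["Arn"]]):
            summary["overly_permissive"].append(policy["PolicyName"])
    return summary
```

Against real output, feed the parsed JSON of the two CLI calls in place of the sample dicts; unattached policies are dead scope, and the flagged ones are where the IAM review should start.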

Typical requirements to conduct Cloud PT

Privilege Escalation

Pivoting

todo

Tooling

pacu - https://github.com/RhinoSecurityLabs/pacu
prowler - https://github.com/prowler-cloud/prowler
scoutsuite - https://github.com/nccgroup/ScoutSuite
steampipe - https://github.com/turbot/steampipe
aws stealth scan - https://github.com/cyberark/SkyArk
iam action hunter - https://github.com/RhinoSecurityLabs/IAMActionHunter
s3 buckets auditing - https://github.com/toniblyx/my-arsenal-of-aws-security-tools#s3-buckets-auditing
s3scanner - https://github.com/sa7mon/S3Scanner
bucketstream - https://github.com/eth0izzle/bucket-stream
redteam scripts - https://github.com/ihamburglar/Redboto
cloudfox - https://github.com/BishopFox/cloudfox
whispers (find secrets) - https://github.com/Skyscanner/whispers
trufflehog (s3 tool) - https://github.com/trufflesecurity/trufflehog
dufflebag (ebs tester) - https://github.com/bishopfox/dufflebag

Practice ground

https://github.com/RhinoSecurityLabs/cloudgoat
https://github.com/BishopFox/iam-vulnerable
https://github.com/ine-labs/AWSGoat
http://flaws.cloud/
http://flaws2.cloud/