AWS

AWS Cloud Pentesting Playbook

This playbook outlines foundational concepts of AWS architecture and provides technical guidance and attack strategies derived from practical labs and real-world exploitation scenarios. Each section includes purpose, context, exploitation techniques, AWS CLI commands, and mitigation strategies to guide red teamers, cloud security engineers, and blue teams.

1. AWS Foundations (for Red Teamers)

1.1 Control plane vs data plane

• Control plane: where API calls are processed (IAM, EC2 start/stop, policy changes). Compromise ⇒ account takeover.

• Data plane: where workloads/data live (EBS blocks, S3 objects, Lambda code). Compromise ⇒ data theft, service abuse.

1.2 Identities & credentials

• IAM principals: users, roles, federated identities (SSO/OIDC/SAML).

• Key types:

  • AKIA… → long-term access keys (avoid in prod).

  • ASIA… → STS temporary creds (role sessions; preferred).

• Session chain: caller → sts:AssumeRole → session in target account.

1.3 AWS CLI & profiles (quick mastery)

• Prefer named profiles; don’t overwrite default.

• Disable pager and pick JSON output; filter with JMESPath --query.

Extra tips (stdin/stdout to/from S3; account id from keys; using endpoint-url for attacker infra) are consolidated later in §13 (sourced from HackingThe.Cloud). hackingthe.cloud+2hackingthe.cloud+2

2. Red Team Methodology in AWS (end-to-end)

1. Information gathering / enumeration → 2) Initial access →

2. Privilege escalation → 4) Post-exploitation & objectives →

3. Lateral movement (often cross-account) → 6) Persistence & cleanup Every section below includes high-value commands and short scenarios.

3. Information Gathering & Enumeration

3.1 Account & caller validation

(Why: confirm who you are, resolve unknown keys, and avoid noisy blind enumeration.) hackingthe.cloud

3.2 Identity (IAM) surface

3.3 Compute, storage, serverless inventory

3.4 Logging, detection & posture

4. Initial Access

4.1 SSRF → IMDS (v1 & v2) credential theft

The target: http://169.254.169.254/latest/meta-data/ (IMDS).

• IMDSv1: simple unauthenticated HTTP GET. SSRF that can make plain GETs can often fetch credentials (high risk).

• IMDSv2: requires a session token (client must PUT to get a token, then GET with header). SSRF often can’t craft PUT + header, reducing risk. Adopt IMDSv2 and disable v1. Amazon Web Services, Inc.+1Datadog Security LabsEngineering at SlackF5, Inc.

4.1.1 Manual IMDS checks (from inside an instance)

4.1.2 SSRF step-by-step (red team path)

1. Discover SSRF param that fetches URLs (e.g., ?url=http://…).

2. Probe IMDSv1 via SSRF: request …/iam/security-credentials/ → role name.

3. Fetch creds: request role path → AccessKeyId, SecretAccessKey, Token.

4. Load into CLI:

1. Enumerate safely with read-only calls (see §3). This mirrors the AWS portion of your CTF flow while redacting all specific names/values.

4.2 Leaked keys & public resource abuse (quick wins)

• Search code repos for AKIA/ASIA patterns, validate with sts get-access-key-info.

• Publicly accessible AWS resources (S3/ECR/Snapshots) can often be interacted with programmatically; see “Exploiting Public AWS Resources – CLI Attack Playbook” for a breadth of targets and tooling references (e.g., coldsnap for EBS snapshots). hackingthe.cloud

5. Privilege Escalation (IAM)

Common privesc patterns to test for once you have any foothold:

6. Post-Exploitation Objectives

6.1 Data discovery & exfiltration

(The --endpoint-url trick is a known TTP used in the wild; see SCARLETEEL notes). hackingthe.cloud

6.2 Serverless & APIs

6.3 EC2 artifacts (user-data, instance profile, disks)

6.4 KMS, Secrets, SSM

7. Lateral Movement

7.1 Cross-account pivots (role chains)

7.2 Service pivots (containers & clusters)

8. Persistence (ethical use in labs only)

(Use of a rogue OIDC Identity Provider for persistence is documented in the wild; treat this as lab-only knowledge.) hackingthe.cloud

9. Detection, Hardening & OPSEC quick wins

9.1 Instance Metadata (IMDS)

• Enforce IMDSv2 only, set hop limit to 1, and audit legacy v1.

• Rollout guidance from AWS shows org-scale inventory and enforcement patterns. Amazon Web Services, Inc.

9.2 GuardDuty & CloudTrail hygiene

• Keep CloudTrail multi-region, S3 log integrity (log file validation) on.

• GuardDuty + Detective for anomaly investigation.

• (Red team OPSEC: be aware that some CLI user-agents can be flagged; research shows ways to alter UA for testing. Use only in authorized labs.) hackingthe.cloud

9.3 SCPs & boundaries

• Organization-level SCPs to restrict risky actions (iam:CreatePolicyVersion, iam:PassRole, kms:*), blast-radius control.

• Permission boundaries for delegated admins.

10. Real-World-Style Scenarios (all specifics redacted)

The flows below are adapted from the AWS portion of the CTF write-up you shared, but scrubbed of any actual names/domains/keys. They demonstrate enumeration → exploitation → post-ex steps you’ll meet in practice.

10.1 SSRF → IMDSv1 → STS creds → S3 data

1. Find SSRF param (e.g., ?url=).

2. Request http://169.254.169.254/latest/meta-data/iam/security-credentials/ → get role.

3. Request role path to obtain AccessKeyId/Secret/Token.

4. Configure profile and verify identity:

1. Enumerate IAM and S3, then read a sensitive object:

(Why this works & defenses: see §4.1 + IMDS references.) Amazon Web Services, Inc.+1

10.2 IAM graph Q&A exploration (groups, inline policies, role trust)

• Use list-groups, list-group-policies, list-attached-group-policies, and get-policy* to answer “who can do what.”

• Example (answering “which group has X user” & “what inline policy is on Y user”):

(This mirrors the investigative steps without revealing any challenge keys or domains.)

10.3 Role-pivot (assumable by devops-role)

• Inspect trust on devops-role to find assumable roles, then sts:AssumeRole:

(CTF asked a similar question about “which role can be assumed by X.”)

11. Service-by-Service Attack & Defend (condensed)

11.1 S3

• Attacks: public buckets, mis-policies, website mode, object ACL confusion.

• Mitigate: Block Public Access, SCP deny on s3:PutBucketPolicy outside pipeline, access logs.

11.2 EC2 & Networking

• Attacks: IMDSv1, permissive SGs, user-data secrets, EBS forensics.

• Mitigate: IMDSv2 only, SG least-privilege, encrypt & tag disks, SSM Session Manager instead of SSH.

11.3 Lambda & API Gateway

• Attacks: over-permissive Lambda role, unauth’d API stages, leaky resource policies.

• Mitigate: Auth (IAM/JWT), per-function KMS keys, env var secrets in Secrets Manager.

11.4 ECR/EKS

• Attacks: pull private images, kubeconfig pivot to cluster.

• Mitigate: scoped repository policies, IR/scan images, IRSA for pods, network policies.

11.5 RDS/DynamoDB

• Attacks: snapshot copy, overly-broad IAM reading tables.

• Mitigate: snapshot sharing controls, VPC-only, IAM condition keys (aws:SourceVpce).

11.6 Secrets/KMS/SSM

• Attacks: decrypt via mis-scoped roles; harvest SSM params.

• Mitigate: resource-level grants, key separation, rotation, access analyzer.

12. Cloud Observability & Response (what to watch)

• CloudTrail: look for iam:CreatePolicyVersion, iam:PassRole, sts:AssumeRole, secretsmanager:GetSecretValue, ssm:GetParameter.

• GuardDuty: findings for UnauthorizedAccess:IAMUser/*, Stealth:IAMUser/PasswordPolicyChange, CredentialAccess patterns.

• Config/Inspector/Security Hub: posture and finding aggregation; ensure they’re enabled and sending to a central account.

13. AWS CLI Power-User Notes (HackingThe.Cloud extracts)

These are field-tested tricks that speed up red team & blue team work alike:

(From the HackingThe.Cloud “AWS CLI Tips & Tricks” and related enumeration articles.) hackingthe.cloud+1

14. Deep Dive: IMDSv1 vs IMDSv2 (don’t skip this)

IMDSv1

• Stateless, unauthenticated GET interface. Any code able to issue HTTP GETs from the instance network namespace can read metadata, including temporary role credentials. This makes SSRF, header injection, or open proxy bugs especially dangerous.

• If a workload exposes any path that can fetch arbitrary URLs (even without custom headers), it can often read IMDSv1. Datadog Security LabsTenable®

IMDSv2

• Session-oriented: client must first PUT to obtain a token (X-aws-ec2-metadata-token), then include that token header for subsequent GETs. Tokens are TTL-bounded and tied to the calling process path + hop limit, reducing abuse by SSRF/proxies.

• Many SSRF sinks can’t make PUT with custom headers, so v2 reduces exploitability substantially.

• Migration guidance exists to discover where v1 is still on and to enforce v2 across fleets. Amazon Web Services, Inc.+1Engineering at Slack

Operator checklist

15. Build-Your-Own Labs (safe practice)

• SSRF/IMDS lab: a tiny Flask app with URL-fetch; deploy on a t3.micro with IMDSv1 enabled, then upgrade to v2 and retest.

• IAM privesc lab: create a role that can CreatePolicyVersion but not PutUserPolicy; show escalation by version switch.

• ECR/EKS lab: push an image with a fake secret, then prove repo policy + IR scanning; lock down and retest.

Appendix A — Quick Command Index (by phase)

A.1 Info-gathering

A.2 Exploitation & privesc

A.3 Post-exploitation

A.4 Lateral movement & persistence