AWS
Amazon Web Services
AWS Cloud Pentesting Playbook
This playbook outlines foundational concepts of AWS architecture and provides technical guidance and attack strategies derived from practical labs and real-world exploitation scenarios. Each section includes purpose, context, exploitation techniques, AWS CLI commands, and mitigation strategies to guide red teamers, cloud security engineers, and blue teams.
1. AWS Foundations (for Red Teamers)
1.1 Control plane vs data plane
Control plane: where API calls are processed (IAM, EC2 start/stop, policy changes). Compromise ⇒ account takeover.
Data plane: where workloads/data live (EBS blocks, S3 objects, Lambda code). Compromise ⇒ data theft, service abuse.
1.2 Identities & credentials
IAM principals: users, roles, federated identities (SSO/OIDC/SAML).
Key types:
AKIA…→ long-term access keys (avoid in prod).ASIA…→ STS temporary creds (role sessions; preferred).
Session chain: caller →
sts:AssumeRole→ session in target account.
1.3 AWS CLI & profiles (quick mastery)
Prefer named profiles; don’t overwrite
default.Disable pager and pick JSON output; filter with JMESPath
--query.
Extra tips (stdin/stdout to/from S3; account id from keys; using endpoint-url for attacker infra) are consolidated later in §13 (sourced from HackingThe.Cloud). hackingthe.cloud+2hackingthe.cloud+2
2. Red Team Methodology in AWS (end-to-end)
Information gathering / enumeration → 2) Initial access →
Privilege escalation → 4) Post-exploitation & objectives →
Lateral movement (often cross-account) → 6) Persistence & cleanup Every section below includes high-value commands and short scenarios.
3. Information Gathering & Enumeration
3.1 Account & caller validation
(Why: confirm who you are, resolve unknown keys, and avoid noisy blind enumeration.) hackingthe.cloud
3.2 Identity (IAM) surface
3.3 Compute, storage, serverless inventory
3.4 Logging, detection & posture
4. Initial Access
4.1 SSRF → IMDS (v1 & v2) credential theft
The target: http://169.254.169.254/latest/meta-data/ (IMDS).
IMDSv1: simple unauthenticated HTTP GET. SSRF that can make plain GETs can often fetch credentials (high risk).
IMDSv2: requires a session token (client must
PUTto get a token, thenGETwith header). SSRF often can’t craftPUT+ header, reducing risk. Adopt IMDSv2 and disable v1. Amazon Web Services, Inc.+1Datadog Security LabsEngineering at SlackF5, Inc.
4.1.1 Manual IMDS checks (from inside an instance)
4.1.2 SSRF step-by-step (red team path)
Discover SSRF param that fetches URLs (e.g.,
?url=http://…).Probe IMDSv1 via SSRF: request
…/iam/security-credentials/→ role name.Fetch creds: request role path →
AccessKeyId,SecretAccessKey,Token.Load into CLI:
Enumerate safely with read-only calls (see §3). This mirrors the AWS portion of your CTF flow while redacting all specific names/values.
4.2 Leaked keys & public resource abuse (quick wins)
Search code repos for
AKIA/ASIApatterns, validate withsts get-access-key-info.Publicly accessible AWS resources (S3/ECR/Snapshots) can often be interacted with programmatically; see “Exploiting Public AWS Resources – CLI Attack Playbook” for a breadth of targets and tooling references (e.g., coldsnap for EBS snapshots). hackingthe.cloud
5. Privilege Escalation (IAM)
Common privesc patterns to test for once you have any foothold:
6. Post-Exploitation Objectives
6.1 Data discovery & exfiltration
(The --endpoint-url trick is a known TTP used in the wild; see SCARLETEEL notes). hackingthe.cloud
6.2 Serverless & APIs
6.3 EC2 artifacts (user-data, instance profile, disks)
6.4 KMS, Secrets, SSM
7. Lateral Movement
7.1 Cross-account pivots (role chains)
7.2 Service pivots (containers & clusters)
8. Persistence (ethical use in labs only)
(Use of a rogue OIDC Identity Provider for persistence is documented in the wild; treat this as lab-only knowledge.) hackingthe.cloud
9. Detection, Hardening & OPSEC quick wins
9.1 Instance Metadata (IMDS)
Enforce IMDSv2 only, set hop limit to 1, and audit legacy v1.
Rollout guidance from AWS shows org-scale inventory and enforcement patterns. Amazon Web Services, Inc.
9.2 GuardDuty & CloudTrail hygiene
Keep CloudTrail multi-region, S3 log integrity (log file validation) on.
GuardDuty + Detective for anomaly investigation.
(Red team OPSEC: be aware that some CLI user-agents can be flagged; research shows ways to alter UA for testing. Use only in authorized labs.) hackingthe.cloud
9.3 SCPs & boundaries
Organization-level SCPs to restrict risky actions (
iam:CreatePolicyVersion,iam:PassRole,kms:*), blast-radius control.Permission boundaries for delegated admins.
10. Real-World-Style Scenarios (all specifics redacted)
The flows below are adapted from the AWS portion of the CTF write-up you shared, but scrubbed of any actual names/domains/keys. They demonstrate enumeration → exploitation → post-ex steps you’ll meet in practice.
10.1 SSRF → IMDSv1 → STS creds → S3 data
Find SSRF param (e.g.,
?url=).Request
http://169.254.169.254/latest/meta-data/iam/security-credentials/→ get role.Request role path to obtain
AccessKeyId/Secret/Token.Configure profile and verify identity:
Enumerate IAM and S3, then read a sensitive object:
(Why this works & defenses: see §4.1 + IMDS references.) Amazon Web Services, Inc.+1
10.2 IAM graph Q&A exploration (groups, inline policies, role trust)
Use
list-groups,list-group-policies,list-attached-group-policies, andget-policy*to answer “who can do what.”Example (answering “which group has X user” & “what inline policy is on Y user”):
(This mirrors the investigative steps without revealing any challenge keys or domains.)
10.3 Role-pivot (assumable by devops-role)
Inspect trust on
devops-roleto find assumable roles, thensts:AssumeRole:
(CTF asked a similar question about “which role can be assumed by X.”)
11. Service-by-Service Attack & Defend (condensed)
11.1 S3
Attacks: public buckets, mis-policies, website mode, object ACL confusion.
Mitigate: Block Public Access, SCP deny on
s3:PutBucketPolicyoutside pipeline, access logs.
11.2 EC2 & Networking
Attacks: IMDSv1, permissive SGs, user-data secrets, EBS forensics.
Mitigate: IMDSv2 only, SG least-privilege, encrypt & tag disks, SSM Session Manager instead of SSH.
11.3 Lambda & API Gateway
Attacks: over-permissive Lambda role, unauth’d API stages, leaky resource policies.
Mitigate: Auth (IAM/JWT), per-function KMS keys, env var secrets in Secrets Manager.
11.4 ECR/EKS
Attacks: pull private images, kubeconfig pivot to cluster.
Mitigate: scoped repository policies, IR/scan images, IRSA for pods, network policies.
11.5 RDS/DynamoDB
Attacks: snapshot copy, overly-broad IAM reading tables.
Mitigate: snapshot sharing controls, VPC-only, IAM condition keys (
aws:SourceVpce).
11.6 Secrets/KMS/SSM
Attacks: decrypt via mis-scoped roles; harvest SSM params.
Mitigate: resource-level grants, key separation, rotation, access analyzer.
12. Cloud Observability & Response (what to watch)
CloudTrail: look for
iam:CreatePolicyVersion,iam:PassRole,sts:AssumeRole,secretsmanager:GetSecretValue,ssm:GetParameter.GuardDuty: findings for
UnauthorizedAccess:IAMUser/*,Stealth:IAMUser/PasswordPolicyChange,CredentialAccesspatterns.Config/Inspector/Security Hub: posture and finding aggregation; ensure they’re enabled and sending to a central account.
13. AWS CLI Power-User Notes (HackingThe.Cloud extracts)
These are field-tested tricks that speed up red team & blue team work alike:
(From the HackingThe.Cloud “AWS CLI Tips & Tricks” and related enumeration articles.) hackingthe.cloud+1
14. Deep Dive: IMDSv1 vs IMDSv2 (don’t skip this)
IMDSv1
Stateless, unauthenticated GET interface. Any code able to issue HTTP GETs from the instance network namespace can read metadata, including temporary role credentials. This makes SSRF, header injection, or open proxy bugs especially dangerous.
If a workload exposes any path that can fetch arbitrary URLs (even without custom headers), it can often read IMDSv1. Datadog Security LabsTenable®
IMDSv2
Session-oriented: client must first
PUTto obtain a token (X-aws-ec2-metadata-token), then include that token header for subsequentGETs. Tokens are TTL-bounded and tied to the calling process path + hop limit, reducing abuse by SSRF/proxies.Many SSRF sinks can’t make
PUTwith custom headers, so v2 reduces exploitability substantially.Migration guidance exists to discover where v1 is still on and to enforce v2 across fleets. Amazon Web Services, Inc.+1Engineering at Slack
Operator checklist
15. Build-Your-Own Labs (safe practice)
SSRF/IMDS lab: a tiny Flask app with URL-fetch; deploy on a t3.micro with IMDSv1 enabled, then upgrade to v2 and retest.
IAM privesc lab: create a role that can
CreatePolicyVersionbut notPutUserPolicy; show escalation by version switch.ECR/EKS lab: push an image with a fake secret, then prove repo policy + IR scanning; lock down and retest.
Appendix A — Quick Command Index (by phase)
A.1 Info-gathering
A.2 Exploitation & privesc
A.3 Post-exploitation
A.4 Lateral movement & persistence
Last updated