
AWS

Amazon Web Services

AWS Cloud Architecture

Cloud Space Overview

Cloud architecture refers to the components and subcomponents required for cloud computing. It typically involves a front-end platform (client or device), back-end platforms (servers, storage), cloud-based delivery, and a network.

  1. GUI: AWS Web Portal

    • Users log into the AWS Web Portal (Management Console) to perform actions like creating resources (EC2 instances, S3 buckets) using a user-friendly interface.

  2. Control Plane: AWS Services

    • The control plane handles the orchestration and management of AWS services. When a user creates an EC2 instance from the GUI, these actions are routed through the control plane, which governs how AWS services are used.

    • Security Point: Unauthorized access to the control plane can lead to attackers gaining control over your resources. Monitoring API calls in the control plane is critical.

  3. Data Plane: Compute and Storage

    • The data plane consists of compute resources (like EC2 instances) and storage resources (like S3, EBS). This is where the actual data resides and where the computation happens.

    • Security Point: Protecting the data plane is essential. Misconfigurations like public S3 buckets or insecure EC2 instances can lead to data leaks or breaches.

  4. End User Interaction

    • Web Client/Browser: Users log in using IAM or Single Sign-On (SSO) credentials. From here, the AWS Web Portal (GUI) is accessed to manage services.

    • AWS CLI or SDK/API: Allows programmatic access to the control plane using long-term credentials (Access Key ID & Secret Key) or short-term credentials (Access Key ID, Secret Key, and Token). These credentials are used to interact with AWS services.

Interaction Flow:

  • AWS Web Portal (GUI) interacts with AWS Services (Control Plane).

  • AWS Services (Control Plane) interact with Compute and Storage (Data Plane).


AWS Cloud Services

AWS offers a wide range of services for compute, storage, identity, and security. Here are some of the key services and how they fit into the cloud pentesting/security context.

Compute Services:

  1. EC2 – Elastic Compute Cloud: Virtual machines hosted in the cloud.

    • Security Point: Misconfigured security groups can expose EC2 instances to attacks.

    • Pentesting Tip: Enumerate open ports and services running on EC2.

  2. Lambda – Serverless compute.

    • Security Point: Function permissions need to be strictly managed to prevent unauthorized access to data or other services.

  3. ECS/EKS – Container orchestration.

    • Security Point: Misconfigurations in containers or incorrect IAM roles in ECS/EKS can lead to privilege escalation.

Identity Services:

  1. IAM – Identity and Access Management: Manages access to AWS resources.

    • Security Point: Least privilege principles should be enforced to limit the blast radius of compromised credentials.

  2. SSO – Single Sign-On: Centralized authentication for AWS and third-party services.

    • Security Point: Ensure SSO configurations do not allow over-permissioning.

Security Services:

  1. CloudWatch – Monitoring and logging for AWS resources.

    • Security Point: Ensure CloudWatch is configured to log critical events (API calls, errors, etc.).

  2. GuardDuty – Threat detection service that continuously monitors AWS accounts and workloads for malicious activity.

    • Security Point: Regularly review findings from GuardDuty to detect potential threats.

  3. CloudTrail – Tracks API calls made in your AWS account.

    • Security Point: Critical for incident response and forensic analysis. Make sure CloudTrail logs are protected and stored securely.

Storage Services:

  1. S3 – Simple Storage Service.

    • Security Point: Publicly accessible S3 buckets are a common source of data leaks. Use Bucket Policies and ACLs carefully.

  2. RDS – Relational Database Service.

    • Security Point: Ensure database snapshots and configurations aren’t publicly accessible.

  3. EBS – Elastic Block Store: Provides block storage for EC2 instances.

    • Security Point: Encrypt EBS volumes and manage snapshots securely to avoid exposure.


Identity and Access Management (IAM)

IAM Overview

AWS IAM allows you to control who has access to your resources and how they can interact with them. In a security/pentesting context, incorrect or overly permissive IAM policies are a significant attack vector.

IAM Identities

  1. Users: Represent an individual with long-term credentials.

  2. Groups: A collection of users with common permissions.

  3. Roles: Used to grant temporary permissions to services or applications.

All of these identities can have policies attached that define their permissions.

Policies in IAM

Policies consist of permissions that allow or deny actions on AWS resources.

  • Effect: Can be set to either Allow or Deny.

  • Action: Specifies what actions (e.g., s3:GetObject, ec2:StartInstances) are allowed or denied.

  • Resource: Defines the AWS resources (e.g., specific S3 buckets or EC2 instances) that the action applies to.

There are two types of policies:

  1. Inline Policies: Embedded directly in an IAM identity (user, group, or role). These are often more prone to errors as administrators may over-provision permissions.

    • Red Teaming Tip: Inline policies are a common weak spot where misconfigurations occur, leading to privilege escalation or data exposure.

  2. Managed Policies:

    • AWS Managed Policies: Pre-built by AWS for common use cases.

    • Customer Managed Policies: Custom policies created by the user.
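A minimal evaluator for the Effect/Action/Resource model described above, added here as an example (it is not AWS's own evaluation engine): an explicit Deny always wins, an Allow is otherwise required, and `*` wildcards are honoured in both Action and Resource, with a helper that flags the kind of over-provisioned inline statement the Red Teaming Tip refers to. The sample policy, account id and instance id are constructed; real IAM also evaluates Conditions, NotAction, resource policies and SCPs, which are out of scope here.

```python
import fnmatch
import json

# Constructed sample: an inline policy of the kind the text warns about.
INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::prod-logs"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"}
  ]
}""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True if the policy allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny overrides any Allow
            allowed = True
    return allowed                    # implicit deny when nothing matched


def over_permissive_statements(policy):
    """Indices of Allow statements that wildcard a whole service or all resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        wide_resource = "*" in _as_list(stmt["Resource"])
        if wide_action or wide_resource:
            findings.append(i)
    return findings
```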

Roles in AWS

Roles are used to delegate permissions to AWS services (e.g., Lambda functions or EC2 instances). These roles allow services to interact with one another securely.

  • Security Tip: Attackers may attempt to exploit misconfigured roles to gain unauthorized access to resources.


Other Notes:

  1. AWS Architecture Security:

    • Shared Responsibility Model: AWS secures the infrastructure, but the customer is responsible for securing what they build (e.g., configuring S3 permissions correctly, encrypting data at rest).

    • Least Privilege Principle: Ensure users and services have the minimum permissions necessary to perform their tasks.

  2. Cloud Pentesting Basics:

    • AWS environments often have many entry points, such as IAM roles, exposed services, or poorly configured security groups.

    • Understanding and enumerating cloud services like S3, EC2, and IAM is critical to identifying potential weaknesses.

    • CloudTrail and GuardDuty logs are essential for tracing attacker behavior post-breach.


AWS Authentication

There are 2 different types of credentials:

  • Long Term Credential

    • GUI -> IAM Username & Password or SSO Username & Password

    • CLI/SDK -> Access Key ID and Secret Access Key

  • Short Term Credential

    • CLI/SDK -> Access Key ID, Secret Access Key, and Session Token

# Access using CLI (Long Term Credential)

aws configure --profile <profile_name>

# Enter Access Key ID and Secret Access Key
# If Access Key ID starts with AKI, it means it is long term credential

aws sts get-caller-identity --profile <profile_name>

# Short Term Credential (12 hrs validity)
# Set the three values as environment variables (Windows cmd shown; on Linux/macOS use `export VAR=value`).
# The variable is AWS_ACCESS_KEY_ID (not AWS_ACCESS_KEY), and there must be no spaces around `=`.
# Environment variables take precedence over the credentials file, so `aws configure` is not needed here.

set AWS_ACCESS_KEY_ID=<access_key_id>
set AWS_SECRET_ACCESS_KEY=<secret_access_key>
set AWS_SESSION_TOKEN=<session_token>

# If Access Key ID starts with ASI, it means it is short term credential

aws sts get-caller-identity

In Windows, these credentials are stored in C:\Users\<UserName>\.aws\credentials

In Linux, /home/<user>/.aws/credentials (i.e., ~/.aws/credentials)
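An added example (not AWS tooling) that parses the INI-formatted credentials file described above and classifies each profile using the key-ID prefixes from the text: AKI for long-term keys, ASI for short-term keys, which are only usable together with their session token. The file content and every key value below are constructed placeholders.

```python
import configparser

# Constructed sample credentials file; the key values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE1

[temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE2
aws_session_token = EXAMPLESESSIONTOKENEXAMPLE

[broken]
aws_access_key_id = ASIAEXAMPLEEXAMPLE03
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE3
"""


def classify_credentials(text):
    """Return {profile: kind} with kind in 'long-term', 'short-term', 'incomplete', 'unknown'."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = {}
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        if key_id.startswith("AKI"):
            result[profile] = "long-term"
        elif key_id.startswith("ASI"):
            # Temporary keys are only valid together with their session token.
            has_token = bool(section.get("aws_session_token", "").strip())
            result[profile] = "short-term" if has_token else "incomplete"
        else:
            result[profile] = "unknown"
    return result


def long_term_profiles(text):
    """Profiles holding long-term keys on disk: the ones to audit and rotate first."""
    return sorted(p for p, k in classify_credentials(text).items() if k == "long-term")
```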

Last updated 8 months ago