AWS

AWS Cloud Architecture

Cloud Space Overview

Cloud architecture refers to the components and subcomponents required for cloud computing. It typically involves a front-end platform (client or device), back-end platforms (servers, storage), cloud-based delivery, and a network.

1. GUI: AWS Web Portal

   • Users log into the AWS Web Portal (Management Console) to perform actions like creating resources (EC2 instances, S3 buckets) using a user-friendly interface.

2. Control Plane: AWS Services

   • The control plane handles the orchestration and management of AWS services. When a user creates an EC2 instance from the GUI, these actions are routed through the control plane, which governs how AWS services are used.

   • Security Point: Unauthorized access to the control plane can lead to attackers gaining control over your resources. Monitoring API calls in the control plane is critical.

3. Data Plane: Compute and Storage

   • The data plane consists of compute resources (like EC2 instances) and storage resources (like S3, EBS). This is where the actual data resides and where the computation happens.

   • Security Point: Protecting the data plane is essential. Misconfigurations like public S3 buckets or insecure EC2 instances can lead to data leaks or breaches.

4. End User Interaction

   • Web Client/Browser: Users log in using IAM or Single Sign-On (SSO) credentials. From here, the AWS Web Portal (GUI) is accessed to manage services.

   • AWS CLI or SDK/API: Allows programmatic access to the control plane using long-term credentials (Access Key ID & Secret Key) or short-term credentials (Access Key ID, Secret Key, and Token). These credentials are used to interact with AWS services.

Interaction Flow:

• AWS Web Portal (GUI) interacts with AWS Services (Control Plane).

• AWS Services (Control Plane) interact with Compute and Storage (Data Plane).

AWS Cloud Services

AWS offers a wide range of services for compute, storage, identity, and security. Here are some of the key services and how they fit into the cloud pentesting/security context.

Compute Services:

1. EC2 – Elastic Compute Cloud: Virtual machines hosted in the cloud.

   • Security Point: Misconfigured security groups can expose EC2 instances to attacks.

   • Pentesting Tip: Enumerate open ports and services running on EC2.

2. Lambda – Serverless compute.

   • Security Point: Function permissions need to be strictly managed to prevent unauthorized access to data or other services.

3. ECS/EKS – Container orchestration.

   • Security Point: Misconfigurations in containers or incorrect IAM roles in ECS/EKS can lead to privilege escalation.

Identity Services:

1. IAM – Identity and Access Management: Manages access to AWS resources.

   • Security Point: Least privilege principles should be enforced to limit the blast radius of compromised credentials.

2. SSO – Single Sign-On: Centralized authentication for AWS and third-party services.

   • Security Point: Ensure SSO configurations do not allow over-permissioning.

Security Services:

1. CloudWatch – Monitoring and logging for AWS resources.

   • Security Point: Ensure CloudWatch is configured to log critical events (API calls, errors, etc.).

2. GuardDuty – Threat detection service that continuously monitors AWS accounts and workloads for malicious activity.

   • Security Point: Regularly review findings from GuardDuty to detect potential threats.

3. CloudTrail – Tracks API calls made in your AWS account.

   • Security Point: Critical for incident response and forensic analysis. Make sure CloudTrail logs are protected and stored securely.

Storage Services:

1. S3 – Simple Storage Service.

   • Security Point: Publicly accessible S3 buckets are a common source of data leaks. Use Bucket Policies and ACLs carefully.

2. RDS – Relational Database Service.

   • Security Point: Ensure database snapshots and configurations aren’t publicly accessible.

3. EBS – Elastic Block Store: Provides block storage for EC2 instances.

   • Security Point: Encrypt EBS volumes and manage snapshots securely to avoid exposure.

Identity and Access Management (IAM)

IAM Overview

AWS IAM allows you to control who has access to your resources and how they can interact with them. In a security/pentesting context, incorrect or overly permissive IAM policies are a significant attack vector.

IAM Identities

1. Users: Represents an individual with long-term credentials.

2. Groups: A collection of users with common permissions.

3. Roles: Used to grant temporary permissions to services or applications.

All of these identities can have policies attached that define their permissions.

Policies in IAM

Policies consist of permissions that allow or deny actions on AWS resources.

• Effect: Can be set to either Allow or Deny.

• Action: Specifies what actions (e.g., s3:GetObject, ec2:StartInstances) are allowed or denied.

• Resource: Defines the AWS resources (e.g., specific S3 buckets or EC2 instances) that the action applies to.

There are two types of policies:

1. Inline Policies: Embedded directly in an IAM identity (user, group, or role). These are often more prone to errors as administrators may over-provision permissions.

   • Red Teaming Tip: Inline policies are a common weak spot where misconfigurations occur, leading to privilege escalation or data exposure.

2. Managed Policies:

   • AWS Managed Policies: Pre-built by AWS for common use cases.

   • Customer Managed Policies: Custom policies created by the user.

Roles in AWS

Roles are used to delegate permissions to AWS services (e.g., Lambda functions or EC2 instances). These roles allow services to interact with one another securely.

• Security Tip: Attackers may attempt to exploit misconfigured roles to gain unauthorized access to resources.

Other Notes:

1. AWS Architecture Security:

   • Shared Responsibility Model: AWS secures the infrastructure, but the customer is responsible for securing what they build (e.g., configuring S3 permissions correctly, encrypting data at rest).

   • Least Privilege Principle: Ensure users and services have the minimum permissions necessary to perform their tasks.

2. Cloud Pentesting Basics:

   • AWS environments often have many entry points, such as IAM roles, exposed services, or poorly configured security groups.

   • Understanding and enumerating cloud services like S3, EC2, and IAM is critical to identifying potential weaknesses.

   • CloudTrail and GuardDuty logs are essential for tracing attacker behavior post-breach.

AWS Authentication

There are 2 different types of credentials:

• Long Term Credential

  • GUI -> IAM Username & Password or SSO Username & Password

  • CLI/SDK -> Access Key ID and Secret Access Key

• Short Term Credential

  • CLI/SDK -> Access Key ID, Secret Access Key, and Session Token

# Access using CLI (Long Term Credential)

aws configure --profile <profile_name>

# Enter Access Key ID and Secret Access Key
# If Access Key ID starts with AKI, it means it is long term credential

# Short Term Credential (12 hrs validity)

set AWS_ACCESS_KEY = <blah>
set AWS_SECRET_ACCESS_KEY = <blahblah>
set AWS_SESSION_TOKEN = <longblah>
aws configure

# If Access Key ID starts with ASI, it means it is short term credential

aws sts get-caller-identity --profile <profile_name>

In Windows, these credentials are stored in C:\UserName\.aws\credentials

In Linux, /home/user/.aws/credentials