Identifying entry points on AWS

Research Articles

• AWS Lambda
  • https://d1.awsstatic.com/whitepapers/Overview-AWS-Lambda-Security.pdf
• AWS Inspector Network Reachability can find some of this as well.
  • https://aws.amazon.com/blogs/aws/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer/
• AWS Penetration Testing with Kali (Boto3 and Pacu)
  • https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/b333e411-e173-4bbd-8954-85f8a1ede9b2.xhtml
  • Using Boto3 and Pacu to Maintain AWS Persistence
  • https://subscription.packtpub.com/book/virtualization_and_cloud/9781789136722/11
  • https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/7ba97c2d-2afb-4b15-9912-b5841ddeb325.xhtml
  • https://subscription.packtpub.com/book/virtualization_and_cloud/9781789136722/10/ch10lvl1sec70/using-the-boto3-library-for-reconnaissance
  • https://medium.com/cloud-security/aws-iam-role-profiles-with-boto3-a1ce1e8c27b3
• AWS Policy evaluation
  • https://policysim.aws.amazon.com/home/index.jsp?#
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
• Hide Kali linux and Boto from AWS GuardDuty
  • https://www.thesubtlety.com/post/patching-boto3-useragent/
• Hacking with AWS Lambda and Python
  • https://www.rackspace.com/en-au/blog/the-devnull-s3-bucket-hacking-with-aws-lambda-and-python
• Bypassing GuardDuty Pentesting
  • https://www.linkedin.com/pulse/bypass-guardduty-pentest-alerts-nick-frichette/
• Enumerating Lambda functions for Pentesting
  • https://riyazwalikar.github.io/pentestawslambda/#/4/2
  • http://blog.blueinfy.com/2018/07/enmerating-lambda-functions-for.html

• CapitalOne – SRE exploits
  • https://www.reddit.com/r/devops/comments/cl50q6/a_technical_analysis_of_the_capital_one_hack/
  • https://www.reddit.com/r/devops/comments/cl50q6/a_technical_analysis_of_the_capital_one_hack/
  • https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea
  • https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
  • https://www.capitalone.com/tech/software-engineering/sres-architecting-with-resiliency-recovery-reliability/
• Playing with CloudGoat part 1: hacking AWS EC2 service for privilege escalation
  • https://rzepsky.medium.com/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da
• Data leaks from AWS EC2 — how can Bob reveal Alice’s secrets
  • https://medium.com/securing/data-leaks-from-aws-ec2-how-can-bob-reveal-alices-secrets-bd6fbe389966
• AWS Digital Forensics / How to Perform a Security Investigation in AWS A SANS Whitepaper
  • https://www.sans.org/reading-room/whitepapers/forensics/paper/39230
  • https://medium.com/@cloudyforensics/how-to-perform-aws-cloud-forensics-309a03a77aee
  • https://cyberforensicator.com/2018/03/28/how-to-perform-aws-cloud-forensics/
  • https://anz-resources.awscloud.com/aws-summit-sydney-2019-secure/automated-forensics-and-incident-response-on-aws-3
  • https://aws.amazon.com/mp/scenarios/security/forensics/
• AWS Penetration testing with Kali Linux
  • https://subscription.packtpub.com/book/virtualization_and_cloud/9781789136722/19/ch19lvl1sec122/privilege-escalation
  • https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/87f050c7-3ad7-4f09-a156-4a0f80182b4c.xhtml
  • https://www.amazon.com.au/Hands-Penetration-Testing-Kali-Linux-ebook/dp/B07C61YYJ4
• Working with open-source tools for Traffic Mirroring
  • https://docs.aws.amazon.com/vpc/latest/mirroring/tm-example-open-source.html
• Playing with CloudGoat part 5: hacking AWS with Pacu
  • https://rzepsky.medium.com/playing-with-cloudgoat-part-5-hacking-aws-with-pacu-6abe1cf5780d
• Privilege Escalation in AWS with PassRole Attacks
  • https://www.praetorian.com/blog/privilege-escalation-in-aws-with-passrole-attacks
• SEC588 Cloud Penetration Testing: What is Cloud Pen Testing and why is it different?
  • https://www.youtube.com/watch?v=lOhvIooWzOg
• Penetration Testing AWS Storage: Kicking the S3 Bucket
  • https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-storage/
• AWS IAM Privilege Escalation – Methods and Mitigation
  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2
• Confused Deputy Attack
  • Example Corp requires access to certain resources in your AWS account. But in addition to you, Example Corp has other customers and needs a way to access each customer’s AWS resources. Instead of asking its customers for their AWS account access keys, which are secrets that should never be shared, Example Corp requests a role ARN from each customer. But another Example Corp customer might be able to guess or obtain your role ARN. That customer could then use your role ARN to gain access to your AWS resources by way of Example Corp. This form of permission escalation is known as the confused deputy problem.
  • https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities
  • https://disruptops.com/advanced-techniques-for-defending-aws-externalids-and-cross-account-assumerole-access/
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
• AWS GuardDuty findings.
  • https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
• AWS Incident Response and Memory capture of EC2 instances;
  • https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/using-hibernation-for-memory-capture.html
  • https://digital-forensics.sans.org/community/papers/gcfe/incident-response-amazon-ec2-first-responders-guide-security-incidents-cloud_1624
  • https://medium.com/@rav3n/capturing-linux-ec2-memory-using-aws-ssm-iam-and-s3-f6c688944967
  • https://medium.com/@rav3n/creating-a-memory-dump-of-a-windows-ec2-instance-with-alexa-and-ssm-58e7dabb16cc?source=follow_footer———0—————————-
  • https://www.linkedin.com/pulse/aws-forensics-ec2-volatile-memory-capture-stephen-mcmaster/?articleId=6654152400082874368
• AWS security audit guidelines
  • https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
• Automatically Rotate AWS Keys
  • https://github.com/miztiik/serverless-iam-key-sentry
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_credentials_console.html
  • http://theodorejsalvo.com/post/2018/08/16/rotate-iam-access-keys/
  • https://github.com/buzzsurfr/aws-utils
  • https://aws.amazon.com/blogs/apn/automating-rotation-of-iam-user-access-and-secret-keys-with-aws-secrets-manager/
  • https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
  • https://medium.com/fluidity/rotating-aws-iam-keys-finally-made-easy-and-automated-4cb4ec8a4e20
  • https://kuharan.medium.com/using-aws-lambda-python-to-rotate-iam-access-keys-automatically-e28a41a28d50
  • https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
  • https://advancedweb.hu/aws-config-notifications-with-cloudwatch-events/
• Lesser Known Techniques for Attacking AWS Environments
  • https://tldrsec.com/blog/lesser-known-aws-attacks/

• https://twitter.com/dagrz/status/1336960817669914624?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1336960817669914624%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftldrsec.com%2Fblog%2Flesser-known-aws-attacks%2F
• Cyberware labs
  • https://cyberwarfare.live/AWSCloudRedTeamLab.php?fbclid=IwAR3-aU-0_lrLTeTkdzTHZbFoAIbYjeyRSksnvFWcnY69hXhpPEQttjDEqjA
  • https://cyberwarfare.live/Study-Material/CARTS/CARTS-Course-Contents.pdf?fbclid=IwAR2im83XHT72zfH0i6f6k89jhFBa5xLhodI_kAjFBpslFwYfdV2uKYDLcN4
• Exploit AWS EC2 metadata service (IMDSv1/IMDSv2)
  • https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/
  • https://github.com/rapid7/metasploit-framework/blob/master//modules/post/multi/gather/aws_ec2_instance_metadata.rb
  • https://medium.com/@anunayb007/ssrf-attack-on-aws-technical-demo-for-stealing-ec2-metadata-4910dafafdee
  • https://rhinosecuritylabs.com/cloud-security/aws-security-vulnerabilities-perspective/
  • https://attackiq.com/2020/04/06/defeating-a-cloud-breach-part-2/
  • https://hackerone.com/reports/53088
  • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a
  • https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
  • https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
  • https://javiergodinez.com/wp/?p=70
  • iptables -A OUTPUT -m owner ! –uid-owner root -d 169.254.169.254 -j DROP
  • aws ec2 modify-instance-metadata-options \ –instance-id i-1234567898abcdef0 \ –http-endpoint disabled
  • https://aws.amazon.com/about-aws/whats-new/2019/11/announcing-updates-amazon-ec2-instance-metadata-service/
  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
    • Limiting instance metadata service access You can consider using local firewall rules to disable access from some or all processes to the instance metadata service.
    • sudo iptables –append OUTPUT –proto tcp –destination 169.254.169.254 –match owner –uid-owner apache –jump REJECT
• Cloud Security Testing
  • https://www.linkedin.com/video/live/urn:li:ugcPost:6753214425890746368/
  • Detect open SQS queues or S3 buckets
• IAM role enumerations
  • https://gist.github.com/kmcquade/4d5788f8592953f5a3a65ec3f87385b4
• How to approach threat modeling
  • https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/
• Escaped Docker in Azure Functions
  • https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
• Cloud MITRE Matrix
  • https://attack.mitre.org/matrices/enterprise/cloud/
• Blind Spots in the Cloud
  • https://www.crowdstrike.com/blog/beware-blind-spots-in-the-cloud/
• RhinoSecurity
  • https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/
• AWS IAM Privilege Escalation – Methods and Mitigation
  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
• FWDCloudSec
  • https://fwdcloudsec.org/index.html#intro
  • https://www.youtube.com/playlist?list=PLCPCP1pNWD7OBQvDY7vLCFhxWxok9DITl

Terraform

• https://github.com/bridgecrewio/checkov
• https://github.com/tfsec/tfsec
• https://github.com/accurics/terrascan
• https://github.com/terraform-linters/tflint

Known AWS breaches

AWS – Easy to get started, changes daily, difficult to secure and harder to know if you are “doing it right’. AWS has 1000s of APIs, are you confident there are all secure? Have a good nights sleep.

AWS innovates really quickly. We send out a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author their permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up to date information, and of course the AWS Security Blog

• Capital One
• Uber
  • GitHub repo misconfig
• Tesla
  • Unsecured IT admin console
• Dow Jones
  • S3 bucket misconfig
• WWE

Tools

• CloudQuery
  • https://mm.netsecfocus.com/signup_email
• Infection Monkey
  • https://github.com/guardicore/monkey
• Git Scaning
  • https://rtyley.github.io/bfg-repo-cleaner/
  • https://github.com/awslabs/git-secrets
  • https://github.com/zricethezav/gitleaks
  • https://github.com/dxa4481/truffleHog
  • https://github.com/eth0izzle/shhgit
  • https://www.cloudjourney.io/articles/security/aws_keys_github_disaster-so/
  • https://geekflare.com/github-credentials-scanner/
• PACU
  • Pacu is an open source AWS exploitation toolkit written by Rhino Security Labs. It was built to aid penetration testers in attacking AWS environments; so, now we will quickly install and set up Pacu to automate these attacks that we have been trying.
• Offensive Terraform – https://offensive-terraform.github.io/offensive-terraform.github.io/
• Checkov
  • https://www.checkov.io/
  • https://github.com/bridgecrewio/checkov
• TerraGoat
  • https://medium.com/bridgecrew/terragoat-vulnerable-by-design-terraform-training-by-bridgecrew-524b50728887
• Boto
  • https://medium.com/cloud-security/aws-iam-role-profiles-with-boto3-a1ce1e8c27b3
  • https://www.tutorialspoint.com/aws_automation_with_boto3_of_python_and_lambda_functions/index.asp
• Flaws
  • http://flaws.cloud/
• Cloud Custodian
  • https://cloudcustodian.io/docs/index.html
• CloudGoat
  • https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/
• CloudMapper
  • https://github.com/duo-labs/cloudmapper
  • Extending BurpSuit shite test S3https://securityonline.info/aws-extender-burpsuite-extension-identify-test-s3-buckets-google-storage/
  • https://summitroute.com/blog/2018/06/13/cloudmapper_public/
  • https://duo.com/blog/continuous-auditing-with-cloudmapper
  • https://duo.com/blog/spotting-misconfigurations-with-cloudmapper
  • https://github.com/swisskyrepo/PayloadsAllTheThings
• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
• https://www.sonarqube.org/
• Prowler AWS Security Tool
  • https://github.com/toniblyx/prowler
• Spider
  • https://github.com/eslam3kl/3klCon
• postman
• Eyewitness
  • https://virtualizationandstorage.wordpress.com/2016/10/09/kali-cheatsheet/
• AWS IR
  • https://aws-ir.readthedocs.io/en/latest/
• Commercial Products
  • https://www.lacework.com/host-intrusion-detection/
  • TrendMico CloudConformity
  • Assetnote
  • https://cloudcustodian.io/
  • https://www.armor.com/aws/
  • Blue Heaxgon NG-NDR https://aws.amazon.com/blogs/apn/automated-cloud-network-threat-detection-and-response-with-blue-hexagon-and-aws/
  • https://cloudsploit.com/
  • https://snyk.io/
• CloudFront
  • https://registry.terraform.io/modules/binbashar/waf-owasp/aws/latest
• A SecureCloud
  • https://asecure.cloud/
• AWS Fault Injection
  • https://aws.amazon.com/fis/
• ChaosToolkit
  • https://chaostoolkit.org/
• AWS GIT
  • https://github.com/aws-samples?q=workshops&type=&language=
• Open Source Security & Monitoring in AWS: Infrastructure-as-Code
  • https://medium.com/@asankha/creating-isolated-aws-accounts-for-testing-and-experimentation-9795a8d2e2de#:~:text=To%20do%20this%2C%20go%20to,then%20select%20%27Invite%20account%27.&text=You%20will%20then%20receive%20an,%2Forganizations%2Fhome%23%2Finvites
  • https://github.com/aws-samples/aws-secure-environment-accelerator?goal=0_f50a9c9026-71deb04591-1284681329&mc_cid=71deb04591&mc_eid=8808aad977
• cloudockit.com
  • https://www.cloudockit.com/
• JQ
  • https://github.com/stedolan/jq
• DumpsterDiver
  • https://github.com/securing/DumpsterDiver
• PMapper
  • https://github.com/nccgroup/PMapper
• Prowler
  • https://github.com/toniblyx/prowler
• GKE Auditor
  • https://github.com/google/gke-auditor
• fkAWS2
  • http://flaws2.cloud/
  • https://medium.com/securing/krkanalytica-challenge-demystified-1c6477839e76
• DFIR TOOLs
  • Volatility
    • https://www.volatilityfoundation.org/
  • Comae
    • https://www.comae.com/
• Scout2
  • https://github.com/nccgroup/Scout2
• CloudSploit
• AWS_PWN
• Nimbostratus
• DumpsterDiver
• https://fwdcloudsec.org/
• http://flaws2.cloud/
• http://flaws.cloud/

AWS Digital Forensic Analysis

• Volatility
  • https://www.linkedin.com/pulse/aws-forensics-ec2-volatile-memory-capture-stephen-mcmaster/?articleId=6654152400082874368
• https://forensicate.cloud/
  • https://github.com/Resistor52/cloud_dfir_demo
• AWS Incident Response and Forensics
  • https://medium.com/@cloudyforensics/how-to-perform-aws-cloud-forensics-309a03a77aee
• Launch Forensic Workstations
  • https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/launch-forensic-workstations.html
• Digital Forensic Analysis of Amazon Linux EC2 Instances
• EC2Rescue / memory-dump
• Using Hibernation for Memory Capture
  • https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/using-hibernation-for-memory-capture.html
• Automating the capture
  • https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
  • One method to invoke the SSM Agent is to target the Run Command through Amazon
  • CloudWatch Events when the instance is tagged with a specific tag. For example, if you
  • apply the Response=Isolate+MemoryCapture tag to an affected instance, you can
  • configure Amazon CloudWatch Events to trigger two actions: 1) a Lambda function that
  • performs the isolation activities, and 2) a Run Command that executes a shell command
  • to export the Linux memory through the SSM Agent. This tag-driven response is
  • another method of event-driven response.
• Amazon EC2 now supports Diagnostic Interrupts
  • https://www.amazonaws.cn/en/new/2019/ec2-now-supports-diagnostic-interrupts/
• Security Incident: Be Prepared – Memory Dumps
  • https://www.cloudar.be/awsblog/security-incident-be-prepared-memory-dumps/
• Capturing Linux EC2 Memory
  • https://rav3n.medium.com/capturing-linux-ec2-memory-using-aws-ssm-iam-and-s3-f6c688944967
  • https://rav3n.medium.com/creating-a-memory-dump-of-a-windows-ec2-instance-with-alexa-and-ssm-58e7dabb16cc
• A free library of 400+ customizable AWS security configurations and best practices
  • https://asecure.cloud/