Deep Dive into AWS Penetration Testing

Getting Started into AWS Penetration Testing: Part 1

Yasser Khan
InfoSec Write-ups


In this blog, we’ll learn about various AWS services, pen-testing tools for AWS services, and how to get started with AWS Pentest.

What is AWS Penetration Testing?
Traditional pen-testing processes differ substantially from AWS pen-testing approaches. The first and most significant factor is ownership of the system: AWS, an Amazon subsidiary, owns the underlying infrastructure. Since the techniques used in regular “ethical hacking” engagements would violate AWS’s acceptable use policy, testers have to follow AWS-specific processes.

Many data breaches have occurred recently, exposing weaknesses such as misconfigured S3 buckets, compromised AWS infrastructure, and others.
To understand attacks against AWS, one needs to be familiar with the various services AWS offers.

AWS service misconfiguration is responsible for a large number of data breaches.

For AWS penetration testing, there are four main areas to concentrate on:

  1. External Infrastructure of your AWS cloud
  2. Applications you are hosting/building on your platform
  3. Internal Infrastructure of your AWS cloud
  4. AWS configuration review

Penetration Testing Methodologies for AWS

An AWS platform’s security testing can be divided into two categories:

  1. Security of the Cloud: It is Amazon’s (AWS) responsibility to ensure that the cloud platform itself is secure against potential vulnerabilities and cyber threats for the businesses that use AWS services. All zero-day and logic defects that could be exploited at any step to interrupt the operation of AWS servers fall under security of the cloud.
  2. Security in the Cloud: It is the user’s or company’s duty to ensure that the applications and assets they deploy on AWS infrastructure are secure against any type of cyberattack. By following the required security procedures, a user or company can improve the security of their apps on the AWS cloud.

We will explore how these services can be exploited if they are not set up properly in this series of blog posts, as well as countermeasures.

Let’s have a look at some of the services provided by AWS.

1. S3 Bucket

S3 stands for Simple Storage Service.

  • A highly scalable storage service with almost unlimited capacity.
  • The bucket, which serves as a container, is the most important part of the service.
  • Objects are the contents of the bucket: files, backups, documents, photos, sensitive files, source code, static websites, and so on.
  • You can store and retrieve any amount of data over the internet using Amazon S3.
  • Access to S3 buckets is controlled by several mechanisms: ACLs (Access Control Lists), bucket policies, and IAM (Identity and Access Management) policies.
  • S3 buckets can be accessed using the AWS CLI or the HTTP interface, via either the path-style or the virtual-hosted-style URL:

http://s3.amazonaws.com/bucket_name

http://bucket_name.s3.amazonaws.com

2. EC2

  • EC2 stands for Elastic Compute Cloud
  • The most widely used service in the cloud, providing secure and resizable compute capacity
  • On a pay-as-you-go basis, it can be used to launch as many virtual servers as you require

Refer to this link to understand EC2 in detail https://aws.amazon.com/ec2/

3. Identity and Access Management (IAM)

  • Manage privileges
  • Assign roles, groups, and policies
  • A web service that works in conjunction with all Amazon services
  • Can be used to connect federated applications/users from different organizations
  • Manage cross-account access from one AWS account to another

Refer to this link to understand IAM in detail. https://aws.amazon.com/iam/

4. AWS Lambda

  • FaaS (Function as a Service)
  • Serverless functions and applications
  • Code is executed in response to events

Refer to this link to understand AWS Lambda in detail. https://aws.amazon.com/lambda/

As more businesses migrate to the cloud, the risk of a data breach is increasing every day, demanding the use of pen-testing to safeguard against it.

What kind of pen-testing can you do in AWS?

For User-Operated services (cloud products that incorporate AWS offerings and are controlled by the customer), AWS allows an enterprise to fully test its AWS EC2 instances, provided the testing does not disrupt service continuity.

For Vendor-Operated services (cloud products that are managed and configured by a single third party), AWS limits pen-testing to the setup and deployment of the cloud environment and excludes the underlying infrastructure.

AWS permits pen-testing of various EC2 (Elastic Compute Cloud) domains, including:

  • Application Programming Interface (API)
  • Your company’s web applications hosted on its servers
  • Programming languages
  • Operating systems and virtual machines

The following are the sections of the AWS cloud that cannot be tested due to legal restrictions:

  • Amazon Web Services (AWS) servers
  • Physical hardware, facilities, or underlying infrastructure belonging to AWS EC2 or to other companies
  • Amazon’s Relational Database Service (RDS)
  • Security appliances managed by other vendors

AWS Controls to be Strictly Tested for Security

1. Governance

  • Define AWS boundaries and identify assets
  • Policies governing access
  • Risks should be identified, reviewed, and evaluated
  • Inventory and documentation
  • AWS should be considered in the risk assessment
  • Information technology (IT) security and program policy
  • Understand AWS usage/implementation

2. Network Management

  • Controls for network security
  • Physical connections
  • Access permissions are granted and revoked
  • Isolation from the environment
  • Inventory and documentation
  • Layered DDoS protection
  • Malicious code controls

3. Encryption Control

  • Access to the AWS Console
  • Access to the AWS API
  • IPsec (Internet Protocol Security) tunnels
  • Management of SSL keys
  • Protection of PINs at rest

4. Logging and Monitoring

  • Centralized log storage
  • Examine policies for their adequacy
  • Examine the credentials report from Identity and Access Management (IAM)
  • Combine data from many sources
  • Detection and response to intrusions

Before performing AWS penetration testing, there are a few things you should do:

  • Define the penetration test’s scope, including the target systems
  • Make your own preliminary tests
  • Decide what kind of security test you’ll run
  • Outline the expectations for stakeholders as well as for the pen-testing business (if outsourced)
  • To handle the technical assessment, create a timeline
  • Define a set of processes to follow if the test finds that security has already been compromised
  • Obtain the connected parties’ signed permission to conduct a pen test

How to Perform Penetration Testing on Amazon Web Services?

1. Identity and Access Management

Identifying the assets, data stores, and applications is the first and most significant phase of the penetration testing procedure. The following are some key considerations to keep in mind when identifying assets:

  1. Remove the root account’s access keys.
  2. Enable two-factor authentication.
  3. Do not automate with or use the root account for daily tasks.
  4. Allow only service accounts to get access.
  5. Each user is only allowed to use one key.
  6. Change your SSH and PGP keys regularly.
  7. Delete any security accounts that are no longer active.
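The checklist above and the “examine the IAM credentials report” control in the Logging and Monitoring section can be checked from one artifact: the IAM credential report CSV. The following is an added example, not code from the original post; it audits a constructed report (hypothetical account id) in that format, applying access-key rotation as the report-visible counterpart of item 6, with the idle and rotation windows as assumed thresholds.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of the IAM credential report (columns trimmed
# to the ones this audit reads; a real report has more). Account id is hypothetical.
REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,2024-03-01T00:00:00+00:00,false,true,2022-01-10T00:00:00+00:00,2024-02-20T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,true,2024-03-02T00:00:00+00:00,true,true,2024-01-15T00:00:00+00:00,2024-03-02T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,2024-02-28T00:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,2023-09-01T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,no_information,false,true,2023-06-01T00:00:00+00:00,2024-03-03T00:00:00+00:00,false,N/A,N/A
"""
NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None

def audit(report_csv, now=NOW, max_key_age=90, max_idle=90):
    """Return (user, finding) pairs; the checks follow the IAM checklist above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":  # items 1 and 2: no root keys, MFA on root
            if active:
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))  # item 2
        if len(active) > 1:  # item 5: one key per user
            findings.append((user, "more than one active access key"))
        for n in active:  # item 6, applied to access keys: rotate regularly
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings.append((user, f"access key {n} not rotated for {age} days"))
        used = [_age_days(row["password_last_used"], now)] + [
            _age_days(row[f"access_key_{n}_last_used_date"], now) for n in active]
        used = [a for a in used if a is not None]
        if not used or min(used) > max_idle:  # item 7: inactive accounts
            findings.append((user, "no credential used within the idle window"))
    return findings
```

A real report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the latter returns it base64-encoded).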

2. Logical Access Control

Following asset identification, the next step is to handle access control in the cloud. It is a method of assigning various permitted actions to a resource. Controlling access to AWS resources, processes, and users is the main task of Logical Access Control. The credentials for AWS accounts must be kept safe and secure.

3. S3 Buckets


  1. Permissions (for HTTP methods such as GET, PUT, DELETE, and LIST) should be restricted to certain users.
  2. The bucket’s logging and versioning should be enabled.
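One way to check item 1 against the bucket-policy mechanism described in the S3 section earlier, as an added example that is not code from the original post: it parses a bucket policy and reports which of the listed HTTP verbs are granted to everyone without a Condition, using a constructed weak policy beside a corrected one (bucket name, account id, and role are hypothetical).

```python
import fnmatch
import json

# HTTP verbs from the checklist mapped to the S3 actions that grant them.
VERB_ACTIONS = {"GET": ("s3:GetObject", "s3:GetObjectVersion"), "LIST": ("s3:ListBucket",),
                "PUT": ("s3:PutObject", "s3:PutObjectAcl"), "DELETE": ("s3:DeleteObject",)}

def _is_public(principal):
    """True for the anonymous principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_grants(policy_json):
    """Return {verb: [Sid, ...]} for Allow statements open to everyone with no Condition."""
    findings = {}
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_public(st.get("Principal")):
            continue
        if st.get("Condition"):  # a Condition narrows the grant; review those by hand
            continue
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        for verb, names in VERB_ACTIONS.items():
            # IAM action wildcards: "s3:*" and "s3:Put*" both cover "s3:PutObject"
            if any(fnmatch.fnmatchcase(n, a) for n in names for a in acts):
                findings.setdefault(verb, []).append(st.get("Sid", "<no Sid>"))
    return findings

# Constructed policies for a hypothetical bucket; account id and role are made up.
WEAK_POLICY = """{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
 {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-app-data/*"},
 {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-app-data/*",
  "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}"""
FIXED_POLICY = """{"Version": "2012-10-17", "Statement": [
 {"Sid": "AppReadOnly", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"},
 {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}"""
```

The policy of a real bucket comes from `aws s3api get-bucket-policy`; ACLs and account-level Block Public Access settings are separate mechanisms and need their own checks.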

4. Database Service

The database is an essential component of almost all web services. It’s also crucial to take the required precautions to secure your application’s database. The following are the essential considerations to keep in mind when conducting a security audit:

  1. Back up your data regularly.
  2. Set the automatic backup retention to no more than a week.
  3. Use the Multi-AZ deployment approach.
  4. Restrict access to specific IP addresses.

AWS Security Testing Tools:

There are many tools you can use to pentest your AWS-integrated services. Different sets of tools are available for different types of tests. Here are some of them.

PMapper

PMapper (Principal Mapper) is a script and library for finding hazards in an AWS account’s AWS Identity and Access Management (IAM) configuration.

Source: https://github.com/nccgroup/PMapper

AWS-inventory

A Python script that finds all AWS resources created in a given account.

Source: https://github.com/nccgroup/aws-inventory

Bucket_finder

A Ruby script that brute-forces S3 bucket names to find buckets that are exposed.

Source: https://github.com/FishermansEnemy/bucket_finder

Prowler

Prowler is a command-line tool for implementing AWS security best practices, auditing, and hardening following the CIS Amazon Web Services Foundations Benchmark.

Source: https://github.com/toniblyx/prowler

Nimbostratus

Tools for fingerprinting and exploiting Amazon cloud infrastructures. These tools are a PoC which I developed for my “Pivoting in Amazon clouds” talk, developed using the great boto library for accessing Amazon’s API.

Source: https://github.com/andresriancho/nimbostratus

CloudSploit

CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.

Source: https://github.com/aquasecurity/cloudsploit

Cloudsplaining

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.

Source: https://github.com/salesforce/cloudsplaining

Pacu

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Source: https://github.com/RhinoSecurityLabs/pacu

That’s all for now. The exploitation of S3 buckets, setting up and pen-testing AWS Aurora RDS, setting up the AWS CLI, assessing and pen-testing Lambda services, assessing AWS API Gateway, knowing your pentest, and the unknowns of AWS pen-testing will be covered in the upcoming blogs.

Thank you for reading my post; please leave a comment below if you have any suggestions :)

Thanks,

Yasser Khan

Here is my Twitter handle: @N3T_hunt3r. Feel free to reach me.

Special Thanks to Jonathan Helmus, For writing an awesome book that has a detailed explanation for performing security assessments of major AWS resources and securing them.

Reference: https://www.packtpub.com/product/aws-penetration-testing/9781839216923
