Getting Started into AWS Penetration Testing
Deep Dive into AWS Penetration Testing
We’ll learn about various AWS services, pen-testing tools for AWS services, and how to get started with AWS Pentest.
What is AWS Penetration Testing?
Traditional pen-testing processes are completely different from AWS pen-testing approaches. The first and most significant factor is ownership of the system. AWS is an Amazon subsidiary that owns the company’s basic infrastructure. Since regular “ethical hacking” utilized in pen testing would violate AWS’s acceptable policies, the security response team uses unique processes.
Many data breaches have occurred recently, exposing various vulnerabilities such as s3 buckets, corrupted AWS infrastructures, and others.
To comprehend AWS attacks, one needs to be familiar with the various services offered by AWS.
AWS service misconfiguration is responsible for a large number of data breaches.
For AWS penetration testing, there are four main areas to concentrate on:
- External Infrastructure of your AWS cloud
- Applications you are hosting/building on your platform
- Internal Infrastructure of your AWS cloud
Penetration Testing Methodologies for AWS
1. Security of Cloud:
The security of the cloud is Amazon’s (AWS) responsibility to ensure that their cloud platform is secure against any potential vulnerabilities and cyber threats for businesses that use AWS services. All zero-day and logic defects that can be exploited at any step to interrupt the performance of an AWS server/s are included in cloud security.
For S3 buckets, a different access control technique is used
- ACLs (Access Control Lists)
- Policies based on buckets
- Policies relating to IAM (Identity and Access Management)
- S3 buckets can be accessed using the AWS CLI and the HTTP interface
- http://s3.amazonaws.com/bucket_name
- http://bucket_name.s3.amazonaws.com
2. EC2
Elastic Cloud Compute is what EC2 stands for The most extensively utilized service in the cloud that provides secure and resizable compute capacity on a pay-as-you-go basis, it can be used to launch as many virtual servers as you require.
Refer to this link to understand EC2 in detail https://aws.amazon.com/ec2/
3. Identity and Access Management (IAM)
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.
Refer to this link to understand IAM in detail. https://aws.amazon.com/iam/
4. AWS Lambda
AWS offers pen-testing of various EC2 (Elastic Cloud Computing) domains, including:
Application Programming Interface (API)
Your company’s web applications are housed on its servers
Programming languages
Operating systems and virtual machines
The following are the sections of the AWS cloud that cannot be tested due to legal restrictions:
Other companies’ physical hardware, facilities, or underlying infrastructure that belongs to AWS EC2
Amazon’s Relational Database Service (RDS)
Other suppliers manage security appliances
AWS Controls to be Strictly Tested for Security
1. Governance
- Policies governing access
- Risks should be identified, reviewed, and evaluated
- Information technology (IT) security and program policy
- Understand AWS usage/implementation
2. Network Management
- Isolation from the environment
- Layered DDoS protection
- Examine policies for their adequacy
- Examine the credentials report from Identity and Access Management (IAM)
- Combine data from many sources
- Detection and response to intrusions
Before performing AWS Penetration Testing, there are a few things you should do.
- Define the penetration test’s scope, including the target systems.
- Make your own preliminary tests.
- Decide what kind of security test you’ll run.
- Outline the expectations for stakeholders as well as pen-testing. business (if outsourced).
- To handle the technical assessment, create a timeline.
- Define a set of processes to follow if the test finds that security has already been compromised
- Obtain the connected parties’ signed permission to conduct a pen test
How to Perform Penetration Testing on Amazon Web Services?
Identity and Access Management
Identifying the assets of data stores and applications is the first and most significant phase in the penetration testing procedure. The following are some key considerations to keep in mind when identifying assets:
- Do not automate or use the root account for daily tasks.
- Allow only service accounts to get access.
- Change your SSH and PGP keys regularly.
- Delete any security accounts that are no longer active.
Logical Access Control
Following the asset identification, the next step is to handle access control in the cloud. It is a method of assigning various actions to a resource. Controlling access to AWS resources, processes, and users is the main process of Logical Access Control. The credentials for AWS accounts must be kept safe and secure S3 Buckets
- Permissions (for HTTP methods such as GET, PUT, DELETE, and LIST) should be restricted to certain users.
- The bucket’s logging and versioning should be enabled.
Database Service
The database is an essential component of almost all web services. It’s also crucial to take the required precautions to secure your application’s database. The following are the essential considerations to keep in mind when conducting a security audit:
AWS Security Testing Tools:
PMapper
Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.PMapper includes a querying mechanism that uses a local simulation of AWS's authorization behavior. When running a query to determine if a principal has access to a certain action/resource, PMapper also checks if the user or role could access other users or roles that have access to that action/resource. This catches scenarios such as when a user doesn't have permission to read an S3 object but could launch an EC2 instance that can read the S3 object.
Source: https://github.com/nccgroup/PMapper
AWS-inventory
This is a tool that tries to discover all AWS resources created in an account. AWS has many products (a.k.a. services) with new ones constantly being added and existing ones expanded with new features. The ecosystem allows users to piece together many different services to form a customized cloud experience. The ability to instantly spin up services at scale comes with a manageability cost. It can quickly become difficult to audit an AWS account for the resources being used. It is not only important for billing purposes, but also for security. Dormant resources and unknown resources are more prone to security configuration weaknesses. Additionally, resources with unexpected dependencies pose availability, access control, and authorization issues.It uses botocore to discover AWS services and what regions they run in. It is also used in invoking the service APIs. The APIs that are invoked are those which should list or describe resources. The results can be printed to stdout in JSON format. They can also be written across several files:
- Raw responses from API endpoints can be written to a file specified on the command line. The file format is Python pickle.
- Exceptions raised during tool execution can be written to a file specified on the command line. The file format is Python pickle.
- gui/aws_inventory_data-<environment_name>.json - JSON format. Parsed responses structured for input to the GUI.
Bucket_finder
Bucket Finder - Trawl Amazon S3 buckets for interesting files. Each group of files on Amazon S3 has to be contained in a bucket and each bucket has to have a unique name across the system. This means that it is possible to brute force names, this script does this, and more.Prowler
A prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response.
It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2, and others.
Read more about CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018
Features
+180 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:
- Identity and Access Management [group1]
- Logging [group2]
- Monitoring [group3]
- Networking [group4]
- CIS Level 1 [cislevel1]
- CIS Level 2 [cislevel2]
- Extras see Extras section [extras]
- Forensics related group of checks [forensics-ready]
- GDPR [gdpr] Read more here
- HIPAA [hipaa] Read more here
- Trust Boundaries [trustboundaries] Read more here
- Secrets
- Internet exposed resources
- EKS-CIS
- Also includes PCI-DSS, ISO-27001, FFIEC, SOC2, ENS (Esquema Nacional de Seguridad of Spain).
CloudSploit
CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
Source: https://cloudsploit.com/
Pacu
Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
For the time being, that’s all for now. The exploitation of S3 buckets, Setting Up and Pen-testing AWS Aurora RDS, Setting up AWS CLI, Assessing and Pen-testing Lambda Services, Assessing AWS API Gateway,
Post a Comment