Nowadays, we have experienced many data breaches exposing different vulnerabilities like s3 buckets, compromised AWS cloud environments, and many more so avoid this it is important to perform AWS Pentesting.
To understand the attacks on AWS, one must be aware of the different services provided by AWS.
In this blog, we will understand the different services provided by AWS, data breaches on AWS cloud services, tools used for Pentesting the AWS services, and how to start with the AWS CLI.
AWS offers many services. Like EC2, S3, AWS Lambda, CloudTrail, CloudWatch, and many more….
Many of the data breaches happen because of the misconfiguration of AWS services.
In this series of blog posts, we will discuss how these services can be exploited if it is not configured properly and countermeasures of course.
Source: https://blog.lawrencemcdaniel.com/integrating-aws-s3-cloudfront-with-wordpress-2/
S3 stands for Simple Storage Service
Refer to the link to understand S3 in detail. https://aws.amazon.com/s3/
Source: https://medium.com/awesome-cloud/aws-amazon-ec2-instance-purchasing-options-d57f9b20dfa7
Refer to this link to understand EC2 in detail https://aws.amazon.com/ec2/
Source: https://medium.com/@niharmishra511/aws-iam-7b48e997ecb9
Refer to this link to understand IAM in detail. https://aws.amazon.com/iam/
Source: https://blog.iron.io/aws-lambda-reviews/
Refer to this link to understand AWS Lambda in detail. https://aws.amazon.com/lambda/
As more and more organizations moving towards the cloud, a data breach is increasing day by day, and to protect this data breach Pentesting requirement has become necessary. Let us discuss about the data breach on the cloud in brief.
A data breach on Cloud
According to Gartner, Gartner analyst Neil MacDonald says that 99 percent of cloud security failures will be the customer’s fault through 2025.
There are many data breaches that happened in the past like the GoDaddy data breach due to s3 cloud bucket misconfiguration, Verizon due to S3 leak, AgentRun leaks customer health information, and many more.
These data breaches can be minimized by performing pen-testing, security audits on different AWS cloud services.
Tools
Python script to discover all AWS resources created in an account.
Source:https://github.com/nccgroup/aws-inventory
Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) in an AWS account.
Source: https://github.com/nccgroup/PMapper
Ruby script to perform brute force attack on s3 bucket
Source: https://github.com/FishermansEnemy/bucket_finder
Prawler is a CLI tool for AWS Security Best Practices, auditing, hardening as per CIS AMAZON Web Services Foundations Benchmark.
Source: https://github.com/toniblyx/prowler
Tools for fingerprinting and exploiting Amazon cloud infrastructures.
Source: https://github.com/andresriancho/nimbostratus
Find out the link for more toolsàhttps://github.com/toniblyx/my-arsenal-of-aws-security-tools
Steps:
Enter access keys and secret keys of your AWS account with AWS CLI.
That’s it for now. In the next blog, we will learn about the s3 bucket exploitation part.
Till then bye-bye!
https://blog.eccouncil.org/all-you-need-to-know-about-pentesting-in-the-aws-cloud/
https://www.lacework.com/top-cloud-breaches-2019/
https://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html
https://www.slideshare.net/ObikaGellineau/capital-one-data-breach
Author,
Bhamini Shah
Attack & Pentest Team
Varutra Consulting Pvt. Ltd.
Introduction In the era of digitalization, data security has become a paramount concern. Every day,…
I.Introduction Bluetooth has become an integral technology for billions of smartphones, computers, wearables, and other…
I. Introduction In today's ever-evolving cybersecurity landscape, staying ahead of adversaries has become a challenge.…
Introduction In an increasingly interconnected world, the financial industry is becoming more vulnerable to cyber…
Introduction In today's interconnected world, where smartphones are an extension of our lives, ensuring the…
Introduction Unseen and unpredictable, zero-day threats loom as a constant menace to modern businesses. Detecting…