![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/03\/AWS-Pentesting-1-1024x573.png\" "\\"AWS")
\nNowadays, we have experienced many data breaches exposing different vulnerabilities like s3 buckets, compromised AWS cloud environments, and many more so avoid this it is important to perform AWS Pentesting.<\/p>\n
\nNowadays, we have experienced many data breaches exposing different vulnerabilities like s3 buckets, compromised AWS cloud environments, and many more so avoid this it is important to perform AWS Pentesting.<\/p>\n
<\/p>\n
To understand the attacks on AWS, one must be aware of the different services provided by AWS.<\/p>\n
In this blog, we will understand the different services provided by AWS, data breaches on AWS cloud services, tools used for Pentesting the AWS services, and how to start with the AWS CLI.<\/p>\n
<\/p>\n AWS offers many services. Like EC2, S3, AWS Lambda, CloudTrail, CloudWatch, and many more\u2026.<\/p>\n Many of the data breaches happen because of the misconfiguration of AWS services.<\/p>\n In this series of blog posts, we will discuss how these services can be exploited if it is not configured properly and countermeasures of course.<\/p>\n <\/p>\n \u00a0<\/strong><\/p>\n Source: https:\/\/blog.lawrencemcdaniel.com\/integrating-aws-s3-cloudfront-with-wordpress-2\/<\/a><\/p>\n <\/p>\n S3 stands for Simple Storage Service<\/p>\n Refer to the link to understand S3 in detail. https:\/\/aws.amazon.com\/s3\/<\/a><\/p>\n <\/p>\n Source: https:\/\/medium.com\/awesome-cloud\/aws-amazon-ec2-instance-purchasing-options-d57f9b20dfa7<\/a><\/p>\n Refer to this link to understand EC2 in detail https:\/\/aws.amazon.com\/ec2\/<\/a><\/p>\n <\/p>\n Source: https:\/\/medium.com\/@niharmishra511\/aws-iam-7b48e997ecb9<\/a><\/p>\n Refer to this link to understand IAM in detail. https:\/\/aws.amazon.com\/iam\/<\/a><\/p>\n <\/p>\n Source: https:\/\/blog.iron.io\/aws-lambda-reviews\/<\/a><\/p>\n Refer to this link to understand AWS Lambda in detail. https:\/\/aws.amazon.com\/lambda\/<\/a><\/p>\n <\/p>\n As more and more organizations moving towards the cloud, a data breach is increasing day by day, and to protect this data breach Pentesting requirement has become necessary. Let us discuss about the data breach on the cloud in brief.<\/p>\n <\/p>\n A data breach on Cloud<\/u><\/strong><\/p>\n According to Gartner, Gartner analyst Neil MacDonald says that 99 percent of cloud security<\/a> failures will be the customer\u2019s fault through 2025.<\/p>\n <\/p>\n <\/p>\n <\/p>\n There are many data breaches that happened in the past like the GoDaddy data breach due to s3 cloud bucket misconfiguration, Verizon due to S3 leak, AgentRun leaks customer health information, and many more.<\/p>\n <\/p>\n These data breaches can be minimized by performing pen-testing, security audits<\/a> on different AWS cloud services.<\/p>\n <\/p>\n <\/p>\n Tools<\/u><\/strong><\/p>\n \u00a0<\/strong>Python script to discover all AWS resources created in an account.<\/p>\n Source:https:\/\/github.com\/nccgroup\/aws-inventory<\/a><\/p>\n <\/p>\n <\/p>\n Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM)<\/a> in an AWS account.<\/p>\n \u00ad\u00ad\u00ad\u00ad\u00adSource: https:\/\/github.com\/nccgroup\/PMapper<\/a><\/p>\n <\/p>\n <\/p>\n Ruby script to perform brute force attack on s3 bucket<\/p>\n <\/p>\n Source: https:\/\/github.com\/FishermansEnemy\/bucket_finder<\/a><\/p>\n <\/p>\n Prawler is a CLI tool for AWS Security Best Practices, auditing, hardening as per CIS AMAZON Web Services Foundations Benchmark.<\/p>\n Source: https:\/\/github.com\/toniblyx\/prowler<\/a><\/p>\n <\/p>\n Tools for fingerprinting and exploiting Amazon cloud infrastructures.<\/p>\n Source: https:\/\/github.com\/andresriancho\/nimbostratus<\/a><\/p>\n Find out the link for more tools\u00e0https:\/\/github.com\/toniblyx\/my-arsenal-of-aws-security-tools<\/a><\/p>\n <\/p>\n Steps:<\/strong><\/p>\n Enter access keys and secret keys of your AWS account with AWS CLI.<\/p>\n <\/p>\n That\u2019s it for now. In the next blog, we will learn about the s3 bucket exploitation part.<\/p>\n Till then bye-bye!<\/strong><\/p>\n <\/p>\n https:\/\/blog.eccouncil.org\/all-you-need-to-know-about-pentesting-in-the-aws-cloud\/<\/a><\/p>\n https:\/\/www.lacework.com\/top-cloud-breaches-2019\/<\/p>\n https:\/\/securityaffairs.co\/wordpress\/64150\/data-breach\/accenture-data-leak.html<\/a><\/p>\n https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2018\/08\/09\/the-one-cloud-security-metric-every-ciso-should-know\/?sh=4a2b44ae5375<\/a><\/p>\n![\"AWS](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/AWS-Pentesting.png\")
<\/strong><\/p>\nLet\u2019s have a look at S3 Bucket Basic Services.<\/u><\/strong><\/h3>\n
\n
![\"S3](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/S3-Bucket.png\")
<\/p>\nNow the question is what is S3?<\/strong><\/h3>\n
\n
\n
\n
\n
![\"Amazon](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Amazon-EC2.png\")
<\/p>\n\n
\n
![\"AWS](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/AWS-IAM.png\")
<\/p>\n\n
\n
![\"AWS](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/AWS-Lambda.png\")
<\/p>\n\n
Now the question is why there is a need for pentesting?<\/strong><\/h3>\n
![\"Data](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Data-Breach-on-Cloud.png\")
<\/p>\n\n
![\"Capital](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Capital-One.png\")
<\/p>\n\n
\n
![\"Accenture\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Accenture.png\")
<\/p>\n\n
Now the question is what are the tools required to start for pentesting AWS cloud?<\/strong><\/h3>\n
![\"Tools\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Tools.png\")
<\/u><\/strong><\/p>\n\n
![\"aws-inventory\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/aws-inventory.png\")
<\/p>\n\n
![\"PMapper\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/PMapper.png\")
<\/p>\n\n
\n
![\"Prawler\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Prawler.png\")
<\/p>\n\n
Now it\u2019s time to set up AWS CLI in kali linux.<\/u><\/strong><\/h3>\n
\n
![\"Go](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Go-to-the-link.png\")
<\/li>\n![\"Save](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Save-the-zip-file.png\")
<\/li>\n![\"Unzip](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Unzip-the-aws-cli.png\")
<\/li>\n![\"Install](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Install-the-aws-cli.png\")
<\/li>\n![\"Verify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Verify-aws-cli-is-installed-or-not-by-using-command.png\")
<\/li>\n![\"Next](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/03\/Next-step-is-to-configure-your-AWS-account.png\")
<\/p>\nReference:<\/strong><\/h3>\n