AWS Penetration Testing Services, Compute, Storage, And Netw


AWS PenTest

AWS Services: Compute Service, Storage Service, Networking & Content Delivery

Create User (logged in as the ROOT user)

  • Click Add User
  • Set Permissions
  • Attach existing policies directly
  • Programmatic Access

It is important that we record the Access Key ID and Secret access key by downloading the CSV file.

Set up two-factor authentication for cbutest

  • Select a user name from Users for which you want to set up two-factor authentication.
  • Go to Security credentials
  • Very Important
  • Select MFA Device
  • Type two consecutive MFA codes from the virtual device for this user account.

Let’s log in with the cbutest user account

  • Login
  • MFA enable
  • Change the password, since we are accessing the account for the first time
  • Successful login
  • Console Home

We have created an account and we have set up a working IAM user to administer it.

There are a few things we should do to protect our accounts. We should set up multi-factor authentication on the root account and delete its programmatic access ID and secret key. We will still be able to use the root user’s interactive access, but the programmatic option will be erased. We now have an AWS account set up and we can start provisioning and using cloud services.

AWS Services

Let’s take a look at one of the latest Amazon services, which makes launching a new cloud server very easy.

This is the Lightsail service. Lightsail is a quick and easy way to launch servers.

Lightsail Service

  • OS Only
  • RDP access
  • Access VM using RDP

Windows Subsystem for Linux

  • Windows 10 includes a Windows Subsystem for Linux (WSL)
  • WSL is command line only
  • Ubuntu, Debian, SUSE, and Kali

Configure the Windows Subsystem for Linux

Settings -> Apps -> Programs and Features -> Turn Windows features on or off

We need to reboot for this to activate.

Search the Microsoft store for Linux.

Installing AWS Tools

The best approach is to install directly from the AWS site.

$ curl -o "awscliv2.zip"

Unpack the awscliv2.zip

Check the version

We have to set up access credentials to log into our cloud account: the access and secret keys we were given when we set up our user accounts in IAM.

$ aws configure

We can now use the AWS CLI to access our cloud account. The command line interface tool can be used for the complete set of AWS services. Let’s explore the ec2 command.

Cloud Infrastructure Automation

When we are dealing with cloud deployments, the Amazon Management Console and Amazon’s command line tool provide everything we need to deploy, configure, and manage our resources. However, especially with larger deployments, this can be quite time-consuming. One of the key performance and reliability options for a business running in the cloud is automation. HashiCorp provides a tool called Terraform which enables cloud automation. The CloudGoat testing environment uses Terraform to deploy its scenarios.

Installation of Terraform

The Downloads page ( ) has the details of the latest Terraform packages.

Pen Testing the Cloud

Hands-on learning

Getting hands-on with tools and creating custom scripts that you can further develop and use when on an engagement is a great way to build your skills. Doing this requires a set of cloud targets that you can use to try out the tools and scripts. For traditional pen testing, we can manually deploy targets on our testing network. We can do the same with cloud, manually provisioning resources through the AWS management console and configuring them with vulnerabilities.

An easier approach for traditional pen testing is to deploy a ready-to-go testing environment, such as the OWASP WebGoat, the Web Security Dojo, or Rapid7’s Metasploitable. Similarly, we have a better way to test cloud than manually provisioning targets. A good starter for learning about AWS cloud testing is to run the cloud flAWS challenge, which takes you through the use of the AWS command line interface to find a number of typical cloud configuration and operational flaws.

This uses a fixed deployment of accessible cloud resources. There is a more advanced capability available from the Rhino Security folks called CloudGoat ( ). This is being actively supported and enhanced, and CloudGoat version two is now available. It’s also supported by an AWS testing framework, Pacu.

CloudGoat and Pacu

CloudGoat and Pacu are both Python applications which can be installed directly onto a Linux system, including the Windows Subsystem for Linux (WSL).

CloudGoat uses Terraform automation to deploy a set of cloud resources automatically, and these can then be used as the target for testing with the Pacu framework. These resources can be provisioned and deprovisioned with simple one-line CloudGoat commands, with no requirement for any further cloud resource management. CloudGoat is designed to work within the permitted AWS testing activities, and so can be used without any requirement for notification or approvals.

Deployment Scenarios

The deployments are provided in the form of scenarios, each having a specific vulnerability in the deployment resources. The resources are deployed into an existing cloud account and are typically designed for exploitation to start at the point where you have found some exposed AWS credentials. In addition, whitelisting is used to limit access to the CloudGoat deployment. Rhino Security advises that the CloudGoat solution does not require much, if any, investment in cloud services.

It should operate within the free tier or, for a charged account, should be limited to a few dollars a day.

Testing Methods

The deployed scenarios are not just limited to testing through Pacu. They can also be used for testing manually with the AWS command line interface or by writing Python scripts using the AWS software development kit library, boto3. Testing CloudGoat deployments is a great way to learn about the CLI commands and to get familiar with boto3 coding.

Installing CloudGoat

CloudGoat is an easy tool to install and use.

We have already loaded what it needs to run: Python, the Terraform cloud building tool, and the AWS command line tool. We are now ready to install CloudGoat. Later in the course we will use an associated cloud testing tool, Pacu, so let’s create a Pacu folder. Unload CloudGoat into it.

Scenarios

So let’s see what scenarios we have available to deploy.

Now we have CloudGoat scenarios, and we can set up an AWS deployment and get started on testing it. We’ll configure the default profile for CloudGoat to use to deploy the scenarios.

Load Scenarios

AWS Profile

As Cloud Goat is designed for running authenticated pen testing.

Let’s see what user policies we have associated with our scenario one credentials.

We will use the AWS command line tool for this.

$ aws iam list-policies --profile scenario1

We can see there are a lot of policies associated with this account. We want to be a bit more selective and look at just the relevant ones. We know from the start.txt file that the username is Raynor, but we could, in any case, find this using the get caller identity request.

$ aws sts get-caller-identity --profile scenario1

Okay, Raynor hasn’t any managed user policies. Let’s try the attached policies.

Gaining Privileges by changing policies

We have determined that we have the authority to set the default policy, but so far we have only seen version one. Let’s see how we list all the versions.

Okay, so now we know there are five policies.

We know what’s in v1. So let’s get each of the other policies in turn, starting with v2, and see what they can offer.

Not Authorized

Destroy the Scenario

This is a 2-hour timed closed book exam.
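A defender-side check for the condition the policy-version walkthrough above relies on, added here as an example (it is not code from the course, CloudGoat or Pacu): given the document of each version of a managed policy, it reports whether the default version allows iam:SetDefaultPolicyVersion and which non-default versions grant actions the default does not. The function names and the sample versions are constructed for illustration; the comparison covers Allow actions only and ignores NotAction, Resource and Condition.

```python
import fnmatch

def _as_list(value):
    # IAM JSON allows a single item or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def allowed_actions(document):
    """Lower-cased Action patterns from every Allow statement in a policy document."""
    actions = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.update(a.lower() for a in _as_list(stmt["Action"]))
    return actions

def permits(patterns, action):
    """True if any pattern (IAM-style '*' and '?' wildcards) covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def audit_policy_versions(versions):
    """Flag a switchable default version and dormant versions broader than it."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    default_actions = allowed_actions(default["Document"])
    findings = {
        "default_version": default["VersionId"],
        "can_switch_default": permits(default_actions, "iam:SetDefaultPolicyVersion"),
        "broader_dormant_versions": [],
    }
    for v in versions:
        if v["IsDefaultVersion"]:
            continue
        # Actions this version allows that the default version does not cover.
        extra = {a for a in allowed_actions(v["Document"]) if not permits(default_actions, a)}
        if extra:
            findings["broader_dormant_versions"].append((v["VersionId"], sorted(extra)))
    return findings

# Constructed sample (three versions), not output captured from the scenario.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {"Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"]}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {"Statement":
        {"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"}}},
]

if __name__ == "__main__":
    print(audit_policy_versions(SAMPLE_VERSIONS))
```

A policy that is flagged on both counts should have its unused versions deleted or the iam:SetDefaultPolicyVersion permission removed from the identities it is attached to.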

Paper For Above instruction

The provided document encompasses the comprehensive process of setting up and managing AWS cloud accounts, focusing on security best practices, cloud automation, penetration testing, and vulnerability assessment. The initial steps include user creation, configuring permissions, enabling multi-factor authentication (MFA), and securing root account access. Proper account security is crucial, especially disabling programmatic access for root users to prevent unauthorized API calls. The setup involves configuring IAM users, setting permissions, and MFA to ensure robust security protocols.

Following account setup, the document introduces AWS services like Lightsail, which simplifies launching cloud servers. It explains the process of using Windows Subsystem for Linux (WSL) to run Linux commands on Windows, and details how to install AWS command-line interface (CLI) tools for efficient cloud management. The AWS CLI allows users to perform comprehensive resource management, including EC2 instance deployment and configuration, enabling scalable and automated cloud operations.

Automation tools like Terraform are discussed as essential for managing complex or large-scale cloud deployments reliably and efficiently. Terraform's infrastructure-as-code approach reduces manual effort and potential errors. The document highlights the importance of automating deployment, configuration, and vulnerability testing with tools like CloudGoat, which uses Terraform to deploy vulnerable scenarios securely within AWS environments, facilitating realistic security assessments.

The use of testing frameworks like Pacu is emphasized for penetration testing activities on cloud environments. These tools support scripting and automation, providing a controlled environment for security testing without risking actual production resources. CloudGoat scenarios are designed to simulate typical vulnerabilities, allowing security practitioners to identify misconfigurations and weaknesses systematically.

Furthermore, the document discusses the process of analyzing existing IAM policies, gaining privileges, and escalating permissions through policy modifications, which are crucial skills for understanding security postures in the cloud. It advocates for continuous monitoring, testing, and improvement of cloud security practices, emphasizing the necessity of keeping environments compliant and protected against unauthorized access and exploits.
