DeepSec2019 Talk: Mastering AWS Pentesting and Methodology — Ankit Giri *
The Cloud (whatever it really is) is the future (of whomever taking advantage of it). This is how information security experts see the outsourcing technologies based on virtualisation and application containment. Ankit Giri explains at DeepSec 2019 what defenders need to be aware of and how you can test your security controls before your adversaries do this.
(Pen)Testing the Cloud
The intent here is to highlight the fact that pentesting cloud environment comes with legal considerations. AWS (Amazon Web Services) has established a policy that requires a customer to raise a permission request to be able to conduct penetration tests and vulnerability scans to or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem. Some of the examples would be targeting and compromising AWS Identity and Access Management (IAM) keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws and covering tracks by obfuscating CloudTrail logs.
The Question we are trying to answer, or the Problem we are trying to solve
The flaws reported in AWS environment have the highest impact. When we talk about vulnerabilities found in a cloud environment there seems to be not much information available, as there is no specific exploit scenario. These bugs vary drastically from one cloud vendor to another. These flaws are much more complex than they appear to be because one can’t completely rely on the AWS security implementation as a cloud environment works on a shared responsibility model. This can lead organisations to underestimate the risk that they are susceptible to. However, this is what makes the configuration of the AWS platform and the traditional application code or assets in the environment even more crucial from the security standpoint of an organizations point of view.
Takeaway for the Audience from the Talk
There is no standard methodology to pentest AWS environments, as it is dependent on the type and size of infrastructure being tested and the varied services of the AWS. Looking at a configuration/feature, it can be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the AWS environment is a value add for the application owners organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner.
The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this as an exhaustive toolset for a comprehensive pentest.
Session Objectives
- Developing an approach towards pentesting a specific cloud environment
- Different tools available for pentesting cloud-specific environments, short demo of a couple of tools.
- Areas to look in an AWS for flaws and misconfigurations, understanding the shared responsibility model.
Looking forward to see you all for Ankit’s presentation!
Speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs. A penetration tester by profession with 4+ years of experience. Part time bug bounty hunter. Featured in Hall of fame of EFF,GM,SONY, HTC, Pagerduty, HTC, AT&T,Mobikwik and multiple other Hall Of Fames. He loves speaking at conferences, has given talks at RSA APAC 2018, BSides Delhi 2017, CSA, Dehradun, Cyber Square Summit, OWASP Jaipur and has been a regular feature at Infosec meetups like Null and OWASP Delhi Chapter. He also leads the show for Peerlyst Delhi-NCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.
Tags: AWS pentesting, AWS policis, Cloud Systems, DeepSec2019, Pen Test
Originally published at https://blog.deepsec.net on August 28, 2019.
