AWS Penetration Testing Review

What is AWS Penetration Testing?

AWS (Amazon Web Service) Penetration Testing can also be considered as one of the areas that pentester will invest in during Red Team Activities. The finding that might catch the eyes of the attacker would be AWS Privilege Access where the attacker can penetrate the system from low until full administrative privileges.

AWS Privileges Escalation penetrate

The vulnerabilities that been identified in AWS escalation penetrate which can be given the potential impact on each AWS system. The potential impact can be found listed below:

  1. Policy version new creation
  2. Default policy version to an updated version setup
  3. Access key for new user creation

Policy version new creation

If an attacker gain permission for an instance called iam: CreatePolicyVersion where the new IAM policy can be created that allow the attacker to configure their own custom permission in the AWS system.

For the attacker to successfully configure the new Policy Version, they will have to require the Default Policy Version permission to be executed. However, they have also configured “-set-as-default” within the new policy version.

Exploit Impact: The attacker will gain full administrator access into the AWS account.

Default policy version to an updated version setup

It can also the considered as the same privileges access as been mentioned above, the only different would that the attacker can able to escalate the privileges from the current policy version that will not currently been used.

When the attacker gains access to the IAM system where it been revealed as default, the attacker able to change the default version to another version that was available.

Exploit Impact: An privileges escalation from zero will change to gaining full administrator access to any AWS account according the policy version been assigned to.

Access key for new user creation

This privileges access can be compromised by the attacker where they can create an access key ID and secret access key which can belong to any exist user that resides within the AWS environment.

Based on the best practice, the administrator shouldn’t configure it as having two sets that been associated with the IAM system itself.

Exploit Impact: An attacker can gains permission for the same level as any available user that exist within the IAM system.

Security Assessment on AWS System

One of the Security Assessment that free to the public to use would be CIS AWS benchmark which can be found here

Another way of doing Security Assessment on the AWS system would use automated scanning which called ScoutSuite. This ScoutSuite is an open-source tool that will run a security audit for a multi-cloud system such as the AWS system.

For those who found ScoutSuite interesting, the user can download using the following command

git clone https://github.com/nccgroup/ScoutSuite.git

Once it completed, the user can set up the tool by running the following command so that it will fully configure in your machine

setup.py

The ScoutSuite will audit the following cloud service

  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Alibaba Cloud (alpha)
  • Oracle Cloud Infrastructure (alpha)

Source: Github ScoutSuite, CIS AWS Benchmarks

Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *