This is a checklist for AWS penetration testing: security testing of AWS environments to find misconfigurations, vulnerabilities and flaws in security policies.
Here are some tools for scanning AWS environments:
- ScoutSuite
- Pacu
- AWS Security Benchmarks
- Prowler
- CloudSploit
Steps for AWS penetration testing:
- Reconnaissance
- Credential Enumeration and Discovery
- IAM Privilege Escalation and Exploitation
- S3 Bucket Enumeration and Data Exfiltration
- Network Reconnaissance and Exploitation
- Exploiting Serverless Applications and APIs
- Misconfigured Service Exploitation
Reconnaissance
- Enumerating the AWS regions:
```
aws ec2 describe-regions --query "Regions[].RegionName"
```
- List active resources:

| Command | Purpose |
| --- | --- |
| `aws ec2 describe-instances` | List EC2 instances |
| `aws s3 ls` | List available S3 buckets |
| `aws lambda list-functions` | List Lambda functions |
| `aws apigateway get-rest-apis` | Enumerate API Gateway REST APIs |

- Metadata enumeration:
From an EC2 instance, query the instance metadata service:
```
curl http://169.254.169.254/latest/meta-data/
```
IAM role credentials attached to the instance profile:
```
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```
Instance identity document:
```
curl http://169.254.169.254/latest/dynamic/instance-identity/document
```
Instances that enforce IMDSv2 reject such token-less requests (HTTP 401); requiring IMDSv2 is the recommended hardening against credential theft through SSRF.
Credential Enumeration and Discovery
- Locate hardcoded secrets:
Check for AWS credentials stored locally:
```
cat ~/.aws/credentials
cat ~/.aws/config
```
- EC2 instance profile exploitation
Leverage the IAM role credentials exposed by the metadata service, then confirm which identity they map to:
```
# Lists the attached role name; appending it to the URL returns the temporary credentials.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# With those credentials exported as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN:
aws sts get-caller-identity
```
IAM Privilege Escalation and Exploitation
- Privilege escalation
Check for permissions allowing privilege escalation:
```
aws iam list-roles
aws iam list-policies
```
- Test IAM privilege escalation
Using Pacu (modules are executed with `run <module>` from the Pacu prompt):
```
pacu
run iam__privesc_scan
```
S3 Bucket Enumeration and Data Exfiltration
- S3 bucket vulnerabilities
List all S3 buckets:
```
aws s3api list-buckets
```
- Check public access (bucket ACL and bucket policy):
```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-bucket-policy --bucket <bucket-name>
```
- Check whether the bucket accepts uploads (write-access test with a harmless file):
```
aws s3 cp test-file.txt s3://<bucket-name>/
```
- EBS snapshots and volumes
Enumerate EBS snapshots owned by the account:
```
aws ec2 describe-snapshots --owner-ids self
```
Network Reconnaissance and Exploitation
- VPC enumeration
List security groups and network ACLs:
```
aws ec2 describe-security-groups
aws ec2 describe-network-acls
```
- Check for ports open to the world (ingress rules allowing 0.0.0.0/0):
```
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]]"
```
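As an added example (not from the original checklist), the following Python script triages the JSON returned by the public-access and open-port checks above (`aws ec2 describe-security-groups --output json` and `aws s3api get-bucket-policy`): it flags ingress rules reachable from 0.0.0.0/0 or ::/0 on anything but an expected port, and bucket-policy statements that grant access to the anonymous principal. The two documents embedded below are constructed samples; the group IDs, bucket name and account ID in them are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (group IDs are placeholders).
SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0f9e8d7c", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}]})

# Constructed sample in the shape of `aws s3api get-bucket-policy`: the Policy
# field is itself a JSON string (bucket name and account ID are placeholders).
SAMPLE_BUCKET_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def world_open_rules(describe_sgs_json, allowed_ports=(80, 443)):
    """(group_id, protocol, from_port, to_port, cidr) for each ingress rule reachable
    from any address, except single ports listed in allowed_ports (e.g. a web tier)."""
    findings = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Protocol "-1" means all traffic; FromPort/ToPort are then absent.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            expected = perm["IpProtocol"] != "-1" and lo == hi and lo in allowed_ports
            for cidr in cidrs:
                if cidr in WORLD_CIDRS and not expected:
                    findings.append((sg["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings

def public_statements(get_bucket_policy_json):
    """(Sid or positional label, Action) for Allow statements granting the anonymous principal."""
    policy = json.loads(json.loads(get_bucket_policy_json)["Policy"])
    public = []
    for i, st in enumerate(policy["Statement"]):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        anonymous = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and anonymous:
            public.append((st.get("Sid", f"statement-{i}"), st.get("Action")))
    return public
```

Feeding real CLI output into these two functions turns the raw JSON dumps into a short list of findings to review, with the expected public web ports filtered out.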
- Route53 misconfigurations
```
aws route53 list-hosted-zones
aws route53 list-resource-record-sets --hosted-zone-id <zone-id>
```
Check for subdomain hijacking potential (dangling records that still point at resources which no longer exist):
```
dig subdomain.example.com
```
Exploiting Serverless Applications and APIs
- AWS Lambda security checks
List all Lambda functions:
```
aws lambda list-functions
```
Analyze the resource-based policy of a Lambda function:
```
aws lambda get-policy --function-name <lambda-name>
```
Extract environment variables (which may contain secrets):
```
aws lambda get-function-configuration --function-name <lambda-name>
```
- API Gateway security testing
List API Gateway REST APIs:
```
aws apigateway get-rest-apis
```
Scan for exposed API endpoints:
```
nmap -p 443 --script http-enum api.example.com
```
Misconfigured Service Exploitation
- DynamoDB misconfigurations
List all DynamoDB tables:
```
aws dynamodb list-tables
```
Check table details and whether its contents can be read:
```
aws dynamodb describe-table --table-name <table-name>
aws dynamodb scan --table-name <table-name> --limit 5
```
- Elastic Beanstalk misconfigurations
```
aws elasticbeanstalk describe-applications
aws elasticbeanstalk describe-environments
```
- EKS (Kubernetes) misconfigurations
```
aws eks list-clusters
aws eks update-kubeconfig --name <cluster-name>
kubectl get pods --all-namespaces
```