AWS Penetration Testing: What You Need to Know

Amazon Web Services (AWS) is the most complete and widely used cloud platform in the world, offering over 200 fully featured services from data centers around the world.


AWS is used by millions of customers, including the fastest-growing startups, corporations, and top government agencies, to reduce costs, improve efficiency, and accelerate innovation.


AWS offers more services and features than any other cloud provider, ranging from traditional infrastructure technologies like compute, storage, and databases to newer technologies like machine learning and AI, data lakes and analytics, and the Internet of Things.


This makes it possible to move your existing applications to the cloud and to build practically anything you can imagine faster, more simply, and more cost-effectively. With all these great features comes the need to consider the security of the cloud that holds our data.


Each pentester can have their own methodology for AWS penetration testing. In this article, we discuss some steps and tips for the activity.

What are the 5 Stages of Penetration Testing?

Before we dive into the AWS pentesting methodology, we need to cover the basics of penetration testing in general. As mentioned, each pentester has their own methodology, built on their experience in the field.


Penetration testing is the activity of testing systems for vulnerabilities, and it is one of the best-known activities in the cybersecurity field.


Usually, a company hires a service provider to carry out the process under a contract with a clearly defined scope. The service provider eventually delivers a report containing the vulnerabilities they have found and suggested mitigations.


The penetration testing process can be divided into 5 main steps:

1- Passive Information Gathering

At this step you collect public information about the target: you may get an idea of the infrastructure you are facing, the operating systems and software the company uses, and other surprising information that can be obtained without interacting with the target at all.


Remember! At this step you do not interact with the target by any means; you may make use of OSINT techniques.


Note: This step is not mandatory for a pentester, but it is important to tell the client if they have sensitive information publicly exposed.

2- Scanning the Target

Now you are interacting with the target. The scanning step is mandatory, as it reveals the state of the ports and therefore the services running. Some tools can also identify service versions based on a fingerprint database.


There are many tools for this, but the most robust and reliable is Nmap. If you are given a large network range, you can start the process with Masscan, as “It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine”.


Then, when you want to focus on a specific host, you can use Nmap, which helps you identify running services, their versions, and vulnerable services. It also has other options that can ease your research.

3- Exploit Vulnerabilities

After you have identified the open ports and running services with the tools mentioned above, or by interacting with the ports directly, and if you have obtained the service versions, you can start searching for whether those services are vulnerable.


You may find public exploits you can make use of; search well-known sites such as Exploit-DB and Packet Storm.


Note: Never run public exploits blindly on your targets.


Before running any code you have found online, read the exploit. You do not have to fully understand the mechanism behind the vulnerability, but you should get an overview of what the code does.


If you are not sure about the code, do not run it. Some online exploits, especially those with hardcoded shellcode, are not safe to run blindly. Also, an exploit that requires root privileges to run is a red flag.


This step determines where to go next. If you were able to get access to the target, you have accomplished this step. If you do not find vulnerable services, you can start analyzing how the services work; maybe there is a misconfiguration or a vulnerable function.


For example, if you find web applications, you can start testing them for well-known vulnerabilities such as the OWASP Top 10.


Exploitation is the core of the penetration testing process, so it is completely fine for it to take the longest time. Keep in mind that exploiting a service and getting low-privilege access does not end this stage.


Do not leave this step without exploiting every exploitable service, even if you already have low-privilege access on the system. Other vulnerable services may give you higher privileges or reveal more sensitive information that can help you later.

4- Get Higher Privileges

Based on the scope agreed between the pentesting team and the company, the activity sometimes ends once you have got access to the system with any privilege level. If that is the case, you move on to the reporting step. Otherwise, you try to get higher privileges on the systems.


Many factors can help you obtain higher privileges, such as:

- Vulnerable services running locally.

- Old operating systems (such as Windows XP and Windows 7) that Microsoft stopped supporting a while ago.

- Vulnerable versions of installed software.

- Misconfigurations.


Note that, as AWS technologies are relatively new, many administrators make misconfigurations.

5- Reporting

The reporting step is the final step in the penetration testing process. You write a detailed report that contains the findings and the steps to reproduce them.


Consider that this report is what the company’s technical team will follow to confirm the findings. Your report should also start with some pages for non-technical readers, such as the CEO and others, that help them understand the risk.


Here are some examples of penetration testing reports.

What is AWS Penetration Testing?

When it comes to AWS penetration testing, you need to know that the infrastructure is owned by Amazon, and you should perform the process according to their rules and terms.


First, let’s discuss some definitions in the AWS environment:

Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that allows enterprises to run application programs on the Amazon Web Services (AWS) public cloud.


A developer may use Amazon EC2 to create virtual machines (VMs) that provide compute capacity for IT projects and cloud workloads running in AWS data centers across the world.

AWS S3 Buckets

S3 stands for Simple Storage Service. The primary distinction between Amazon EC2 and Amazon S3 is that EC2 is a cloud-based service that allows businesses to run servers in the cloud. 


S3, on the other hand, is an object storage service that allows you to save and retrieve data from AWS over the Internet. Objects are the contents of a bucket, such as documents, photos, source code, files, backups, websites, etc.


S3 acts as a virtual hard drive, while EC2 provides CPU and RAM in addition to storage. For their cloud computing needs, most developers use both services. Read more here.

AWS Lambda

AWS Lambda is a serverless event-driven computing service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. 


You can trigger Lambda from over 200 AWS services and software-as-a-service (SaaS) applications. Check here to understand how Lambda processes events from different services.

Identity and Access Management (IAM)

According to the AWS definition of IAM:


“AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure the least privilege permissions”.

How do you do AWS Penetration Testing?

First, you need to know that the security of the cloud is Amazon's responsibility. However, it is the company’s responsibility to make sure they have the right configurations and have deployed their assets in the intended way.


AWS lets an organization fully test its own EC2 instances, excluding activities that would cause service disruption. This means pentesting is limited to the setup and deployment of the cloud environment and does not touch the underlying infrastructure.


The following steps are based on discussions by other security researchers, so in some cases you may have more detailed steps, or fewer.

1- Identity and Access Management

First, you need to make sure the IAM permissions and application configurations are correct. There are very helpful tools that can scan your account, and some of them provide graphs for a better representation:


- CloudMapper: Helps you analyze your Amazon Web Services (AWS) environments. Its original purpose was to generate network diagrams and display them in your browser.

- PMapper: Identifies risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the IAM users and roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.

- Prowler: A command-line tool that helps you with AWS security assessment, auditing, hardening, and incident response. It has many features, such as scanning your account for potential vulnerabilities, IAM permissions, and more.

- Aws-inventory: Tries to discover all AWS resources created in an account.

2-  Logical Access Control

After you have identified the assets, you need to check the permissions on them. This is the main goal of IAM: to provide fine-grained access control across all of AWS and to control access to AWS accounts and services.


Some of the tools mentioned above do this step alongside identification, but here are other tools that can also be helpful:


- Cloud Tracker: Helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

- IAM Finder: Enumerates and finds users and IAM roles in a target AWS account.
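As an added illustration of the check Cloud Tracker performs (example code written for this article, not Cloud Tracker's own), the following Python compares the actions an IAM user's policy allows with the actions CloudTrail shows the user actually called, and lists the allowed permissions that were never used. The policy, the user name "deploy-bot" and the CloudTrail events are constructed for the example; Deny statements and resource scoping are ignored to keep the check short.

```python
import fnmatch

# Constructed IAM policy attached to a hypothetical user "deploy-bot".
DEPLOY_BOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
    ],
}

# Constructed CloudTrail events, reduced to the fields this check needs.
CLOUDTRAIL_EVENTS = [
    {"userIdentity": {"userName": "deploy-bot"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"userName": "deploy-bot"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": {"userName": "alice"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
]

def allowed_actions(policy):
    """Collect the action patterns ('s3:GetObject', 'iam:*', ...) of Allow statements."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def used_actions(events, user):
    """Derive the 'service:Action' names the user actually called from CloudTrail.
    Event names match IAM action names for most services (special cases ignored)."""
    used = set()
    for ev in events:
        if ev["userIdentity"].get("userName") != user:
            continue
        service = ev["eventSource"].split(".")[0]   # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}")
    return used

def unused_permissions(policy, events, user):
    """Allowed action patterns the user never exercised in the log window.
    IAM action matching is case-insensitive and supports "*" wildcards."""
    used = {a.lower() for a in used_actions(events, user)}
    return sorted(p for p in allowed_actions(policy)
                  if not any(fnmatch.fnmatchcase(a, p.lower()) for a in used))
```

Every pattern the function returns is a candidate for removal, or at least for a review of whether the principal still needs it.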

3- S3 Buckets Testing

As mentioned before, an S3 bucket is object storage, so we need to check the permissions on buckets, the request methods (GET, POST, DELETE, PUT, etc.) that can be performed on them, and which users can perform which actions.


It is also recommended to have logging and versioning enabled on the bucket. Versioning, briefly, stores old versions of your objects in case you need them in the future.


S3 Buckets Auditing Tools:

- S3Scanner: Finds open S3 buckets and dumps their contents.

- S3-inspector: Checks AWS S3 bucket permissions.

- Bucket-stream: Finds interesting Amazon S3 buckets by watching certificate transparency logs.

- AWSBucketDump: Quickly enumerates AWS S3 buckets to look for lo.

- Sandcastle: AWS S3 bucket enumeration, formerly known as bucketCrawler.

- Festin: S3 bucket weakness discovery.
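The checks described above for a bucket you own (who can read or write it, and whether versioning and logging are on) can be scripted, as in this added Python example, which is not code from any of the tools listed. The bucket snapshot is constructed here and shaped like the responses boto3's get_bucket_acl, get_bucket_policy, get_bucket_versioning and get_bucket_logging return; in a real audit you would fill it from those calls.

```python
# Constructed bucket snapshot shaped like boto3's get_bucket_acl/policy/versioning/logging responses.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SAMPLE_BUCKET = {
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ]},
    "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"},   # constructed bucket name
    ]},
    "Versioning": {},   # no "Status" key: versioning was never enabled
    "Logging": {},      # no "LoggingEnabled" key: server access logging is off
}

def acl_findings(acl):
    """Flag ACL grants to the two predefined groups that open a bucket to outsiders."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") != "Group":
            continue
        if grantee["URI"] == ALL_USERS:
            findings.append(f"ACL grants {grant['Permission']} to AllUsers (anyone)")
        elif grantee["URI"] == AUTH_USERS:
            findings.append(f"ACL grants {grant['Permission']} to AuthenticatedUsers (any AWS account)")
    return findings

def policy_findings(policy):
    """Flag bucket-policy statements that allow actions to every principal."""
    findings = []
    for stmt in (policy or {}).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone:
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"policy allows {', '.join(actions)} to Principal *")
    return findings

def audit_bucket(bucket):
    findings = acl_findings(bucket["Acl"]) + policy_findings(bucket.get("Policy"))
    if bucket["Versioning"].get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if "LoggingEnabled" not in bucket["Logging"]:
        findings.append("server access logging not enabled")
    return findings
```

The AuthenticatedUsers group means any AWS account in the world, not just accounts in your organization, so a WRITE grant to it is as serious as a public one.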

4- Database Service 

Databases are fundamental to web applications, so they should have appropriate permissions and be well configured.


Developers should follow best practices to avoid attacks such as SQL injection. Here are some other recommendations:

- If the database is not meant to be publicly exposed, restrict access to specific IPs or users.

- Back up your data.

- Use Amazon RDS Multi-AZ.


There are also some tools that can help: 

- Policy-sentry

- Cartography
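The first recommendation above (restrict database access to specific IPs) is usually enforced by the security group attached to the RDS instance. The following added Python example, not code from any of the listed tools, flags ingress rules that reach a database port from the whole Internet. The security group is constructed for the example and shaped like one entry of the EC2 describe_security_groups response; "sg-EXAMPLE" is a placeholder id.

```python
import ipaddress

# Default ports of the engines Amazon RDS offers (MySQL/MariaDB/Aurora, PostgreSQL,
# SQL Server, Oracle); extend the set if your instances use non-default ports.
DB_PORTS = {3306, 5432, 1433, 1521}

# Constructed security group shaped like an EC2 describe_security_groups entry.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",   # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def rule_covers_db_port(rule):
    """True if the ingress rule reaches at least one database port."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rules carry no port range
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return any(rule["FromPort"] <= port <= rule["ToPort"] for port in DB_PORTS)

def world_open_db_rules(group):
    """Return (group id, protocol, cidr) for each DB-port rule open to the whole Internet.
    A /0 prefix (0.0.0.0/0 or ::/0) means no source restriction at all."""
    findings = []
    for rule in group["IpPermissions"]:
        if not rule_covers_db_port(rule):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((group["GroupId"], rule["IpProtocol"], cidr))
    return findings
```

The 10.0.0.0/16 rule is not reported: it restricts PostgreSQL access to one VPC range, which is the configuration the recommendation asks for.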


You can see that most of the tips above are carried out from a valid account on the target; an attacker, however, attacks from outside without legitimate access.


If you want to perform black-box testing, you can test for vulnerabilities that usually arise from misconfigurations, such as:

- Server-Side Request Forgery (SSRF)

- SQL Injection

- Lambda XXE Injection

- S3 Bucket Public 'READ' Access

- S3 Bucket Authenticated Users 'WRITE' Access

- S3 Directory Traversal

- Weak S3 POST Upload Policy


Check some offensive tools here.

AWS Pentesting Resources


- AWS Penetration Testing: Beginner's guide to hacking AWS

- Hands-On AWS Penetration Testing with Kali Linux


- SANS courses


- AWS Penetration Testing: A DIY Guide for Beginners

- Deep Dive Into AWS Penetration Testing

- Amazon S3 Security: master S3 bucket policies and ACLs


- Different AWS tools

- PayloadAllTheThings

- AWS - Pentest Book


- Kontra AWS Top 10


In the end, you should know that AWS is a fairly new technology for many people, and it is not uncommon to see vulnerabilities even in big tech companies.


To protect your assets, you can perform the AWS pentesting process by going through the four steps mentioned above and then performing black-box testing. All these security measures should minimize the chance of being compromised.


CyberTalents provides AWS Penetration Testing for companies to help secure your business. Start Now.