2. ABOUT ME
• Lalit Sharma
• Working with Paytm as Security Engineer
• Reachable via:
https://twitter.com/0xklaue
https://www.linkedin.com/in/0xklaue/
3. CLOUD != AWS
Top service providers:
• Amazon Web Services
• Google Cloud
• Microsoft Azure
• IBM
• Oracle
• Alibaba Cloud
• And many more…
4. AMAZON WEB SERVICES
• Started in 2006
• Currently offers more than 175 services
• Services revolve around computing, storage, database, and much more
• Significant services: EC2, S3, RDS, DynamoDB, AWS Lambda
• Some services are free (to a certain limit). Some are “Pay as you use. Not when you need it.”
• Others bill from the moment of provisioning.
5. TESTING YOUR AWS
• Run basic tools to identify low-hanging fruit:
  • AWS Inspector
  • NMAP
• Identify misconfigured AWS S3 buckets
• Perform VAPT, especially for your publicly exposed web applications / APIs / publicly exposed EC2 instances.
• Secure data storage, especially for situations when PII is involved.
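The S3 bucket review from the slide above, as an added example that is not part of the original deck: an offline check over the three documents that decide whether a bucket is public (bucket policy, bucket ACL, Public Access Block). It assumes you have already fetched those documents for each bucket (for instance with `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`); the sample documents embedded below are constructed.

```python
"""Offline checks for common S3 public-exposure misconfigurations.

Added example (not from the slides). It evaluates bucket policy, ACL and
Public Access Block documents you have already fetched; the sample
documents at the bottom are constructed for illustration.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone on the internet.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Describe Allow statements granted to everyone.

    Statements carrying a Condition block are labelled 'conditional'
    because a condition such as aws:SourceVpce may legitimately restrict
    them; a human still has to read those.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        actions = ",".join(_as_list(stmt.get("Action", [])))
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append(f"{kind}: {label} allows {actions}")
    return findings


def public_acl_grants(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [
        f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def public_access_block_gaps(pab):
    """Public Access Block settings that are not switched on."""
    expected = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in expected if not pab.get(k, False)]


def audit_bucket(policy, acl, pab):
    """Combine the three checks into one list of findings for a bucket."""
    findings = public_policy_statements(policy)
    findings += [f"acl grant: {g}" for g in public_acl_grants(acl)]
    findings += [f"public access block off: {k}"
                 for k in public_access_block_gaps(pab)]
    return findings


# Constructed sample documents (documentation-style account id, not a real account).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_PAB):
        print(line)
```

The three checks are deliberately separate: a bucket can have a clean policy and still be public through a legacy ACL, and a permissive policy is harmless while RestrictPublicBuckets is on, so each document has to be looked at on its own before the findings are combined.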
7. AWS INSPECTOR
• Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
• Helps in:
  • Identifying application security issues
  • Security compliance (checks w.r.t. CIS controls)
  • Checks against security standards
• Inspector != Qualys / Nessus
8. COMPROMISING AWS IAM KEYS
• Many times you would find AWS IAM credentials on GitHub.
• This is typically found when developers want to take their organization’s workbench from their office to home for development.
• This, however, is a security violation.
• Notably, bug bounty programs rate this issue as high to critical when a security researcher submits an issue like this.
9. COMPROMISING AWS IAM KEYS: WEB APPLICATIONS
• Web applications that are running on EC2 instances communicate with back-end resources.
• Sometimes, web applications use native OS commands to communicate with these resources, or call files.
• In case the web application suffers from SSRF, local file reads or, worse, RCE, you can get a dump of AWS credentials.
#508459 SSRF in webhooks leads to AWS private keys disclosure (hackerone.com)
Fig.: Local File Read
10. SECURING YOUR AWS
• To secure your cloud environment / infrastructure, it is recommended to:
  1. Know the services offered by the cloud service provider
  2. Know how the cloud services provided work
  3. Understand the technicalities of each service offered, in order to secure your implementation
  4. Use the cloud services more: you cannot think of ways to secure a service if you don't use it.
• Using a framework to secure your cloud infrastructure has its advantages:
  1. Reduces the burden of satisfying auditors that the infrastructure is compliant
  2. Showcases maturity and improvement
  3. Helps in obtaining support from management for resources and changes
• NIST SP 800-144 points out security considerations for organizations and individuals when outsourcing information to cloud service providers
• Some AWS services are already compliant with certain existing standards.
• CIS Controls can be really helpful for reviewing your AWS EC2 AMIs and instances
• Perform routine audits and VAPT
11. SECURING YOUR AWS
• The following services can become a cornerstone for securing your AWS cloud instances:
• Web Application Firewall (WAF)
• Identity and Access Management (IAM)
  • Segregation of roles, users and their responsibilities
  • Helps in identifying which users are allowed access to which services
• Key Management Service (KMS)
• Security Groups
• Alerting and Monitoring Services (CloudWatch)
• Logging (CloudTrail)
• Billing
• GuardDuty
• Macie (Data Classification)
• Cognito (SSO)
• VPC
• Amazon Organizations
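To show what the CloudTrail logging and CloudWatch alerting items on this slide look like in practice, here is an added example that is not part of the original deck: a handful of detection rules run over CloudTrail records. The rules follow the kind of alarms the CIS AWS Foundations Benchmark recommends building from CloudTrail via CloudWatch metric filters (root account use, console sign-in failures, IAM key or policy changes, bursts of AccessDenied errors); the rule names, thresholds and the sample records are this example's own assumptions, and the records are constructed.

```python
"""Run CIS-style detection rules over CloudTrail records.

Added example (not from the slides). The records below are constructed
with a documentation-style account id and TEST-NET addresses; real ones
come from the CloudTrail log files delivered to S3.
"""
import json
from collections import Counter

IAM_CHANGE_EVENTS = {
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "AttachRolePolicy", "PutRolePolicy", "CreatePolicyVersion",
}


def actor_of(ev):
    return ev.get("userIdentity", {}).get("arn", "<unknown>")


def is_root_usage(ev):
    """Root account API use, excluding calls AWS makes on the account's behalf."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_console_failure(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def is_iam_change(ev):
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in IAM_CHANGE_EVENTS)


def is_unauthorized(ev):
    return ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")


RULES = [
    ("root_account_usage", is_root_usage),
    ("console_login_failure", is_console_failure),
    ("iam_key_or_policy_change", is_iam_change),
    ("unauthorized_api_call", is_unauthorized),
]


def evaluate(records):
    """Return one (rule, eventName, actor, sourceIP) tuple per rule hit."""
    return [(name, ev.get("eventName"), actor_of(ev), ev.get("sourceIPAddress"))
            for ev in records for name, pred in RULES if pred(ev)]


def unauthorized_bursts(records, threshold=3):
    """Actors with at least `threshold` denied calls. One denial is noise; a
    burst usually means a key is being used outside its intended scope."""
    counts = Counter(actor_of(ev) for ev in records if is_unauthorized(ev))
    return {arn: n for arn, n in counts.items() if n >= threshold}


SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "eventType": "AwsApiCall",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "sourceIPAddress": "203.0.113.5"},
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "eventType": "AwsConsoleSignIn", "responseElements": {"ConsoleLogin": "Failure"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.9"},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.9"},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
  "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9"},
 {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
  "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9"},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
  "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9"},
 {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "sourceIPAddress": "192.0.2.10"}
]""")

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RECORDS):
        print("ALERT", *hit)
    for arn, n in unauthorized_bursts(SAMPLE_RECORDS).items():
        print(f"BURST {arn}: {n} denied calls")
```

Each predicate is the logic you would otherwise express as a CloudWatch metric filter pattern; keeping them as plain functions makes it easy to replay a day of CloudTrail files through them and tune the burst threshold before turning the rules into alarms.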
12. SECURING YOUR AWS
• To practice your penetration testing skills for AWS, you can follow these resources:
• CloudGoat
• flaws.cloud
• Blogs from RhinoSecurity Labs
• SANS Book: Practical Guide to Security in Cloud
• AWS YouTube Channel (re:Invent)
• AWS Documentation for services such as KMS, VPC, IAM, etc.
13. REFERENCES
• Top cloud service providers - ZDNET
• Penetration Testing – AWS
• AWS Pre-Compliant Services
• AWS Shared Responsibility Model