diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 3d6c84a..e72dabc 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -28,6 +28,7 @@ - [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) - [DynamoDB](#dynamodb) - [Security checks](#security-checks) + - [AWSome Pentesting Cheatsheet](#awsome-pentesting-cheatsheet) - [References](#references) ## Training @@ -690,7 +691,7 @@ Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://g * Ensure a log metric filter and alarm exist for route table changes * Ensure a log metric filter and alarm exist for VPC changes - +## AWSome Pentesting Cheatsheet ## Searching for open buckets ``` @@ -713,7 +714,7 @@ arn:aws:iam:100:user/admin 4. Field -> User ID 5. Field -> entity identifier -# IAM +## IAM * It's assumed that we have gain access to the AWS Credentials * We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**) * Always look for policies and roles with the * symbol. @@ -1072,7 +1073,7 @@ export AWS_SESSION_TOKEN aws sts get-caller-identity ``` -# S3 - Simple Storage System +## S3 - Simple Storage System * Storage system that allow users to store and retrieve data. * List,Get,Put and Delete operations can be performed on the objects of the bucket @@ -1147,7 +1148,7 @@ aws s3api get-object --bucket name --key object-name download-file-location aws s3 presign s3://bucket-name/object-name --expires-in 605000 ``` -# Lambda & API Gateway +## Lambda & API Gateway * Serverless event driven platform * Runs code in response to events and automatically manages computing resources required by that code * Can trigger from other AWS services or call directly from the API Gateway 
@@ -1445,7 +1446,7 @@ aws lambda invoke --function-name name response.json --region region aws iam list-attached-user-policies --user-name user_name ``` -# AWS Secret Manager +## AWS Secret Manager * AWS Service that encrypts and store secrets * Transparently decrypts and return in plaintext @@ -1579,7 +1580,7 @@ aws kms get-key-policy --policy-name name --key-id ID aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext ``` -# Containers +## Containers Divided into three categories @@ -1785,7 +1786,7 @@ docker tag image_name ecr_addr:Image_Name docker push ecr_addr:Image_Name ``` -# EC2 +## EC2 * AMI, images used to create virtual machines * It's possible to create a malicious image to compromise users @@ -2127,7 +2128,7 @@ TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --usernam mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --password=$TOKEN ``` -# SSO & Other Services +## SSO & Other Services ## Single Sign On (SSO) @@ -2190,7 +2191,7 @@ aws cloudtrail update-trail --name example_trail --no-include-global-service-eve * Threat detection service that monitors for malicious activity and unauthorized behavior * Works by collecting and analyzing logs -# Virtual Private Cloud +## Virtual Private Cloud * Used to create an isolated infrastructure within the cloud, including subnets and so on. * If the VPC has an internet gateway, means its a public subnet
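Review bot: In the table-of-contents hunk (`@@ -28,6 +28,7 @@`), only the new `AWSome Pentesting Cheatsheet` entry is added, but the later hunks promote IAM, S3, Lambda & API Gateway, AWS Secret Manager, Containers, EC2, SSO & Other Services and Virtual Private Cloud to `##`, the same level the TOC already indexes (e.g. `- [DynamoDB](#dynamodb)`). Either add matching `- [IAM](#iam)`-style entries for each, or make those sections `###` so they nest under the cheatsheet and the TOC stays consistent with the heading tree.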
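Review bot: The `@@ -690,7 +691,7 @@` hunk replaces the blank separator line with `## AWSome Pentesting Cheatsheet`, which then sits directly on top of `## Searching for open buckets` with no blank line and no body. The new heading is an empty section at the same level as the first subsection it is meant to introduce. Suggest restoring the blank line before the new heading and either adding a one-line intro (what the cheatsheet covers and its origin) or demoting `## Searching for open buckets` and the following sections to `###`.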
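Review bot: In the IAM hunk (`@@ -713,7 +714,7 @@`), the unchanged context line two below the heading carries a malformed link: `[Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**)` nests a markdown link and bold markers inside the URL part and will not render as a working link. While this heading is being touched, consider fixing it to `[Amazon's policy simulator](https://policysim.aws.amazon.com/)`, and `we have gain access` should read `we have gained access`.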
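Review bot: In the S3 hunk (`@@ -1072,7 +1073,7 @@`), the context line `* Storage system that allow users to store and retrieve data.` has a subject-verb error (`allows`), and `List,Get,Put and Delete` is missing spaces after the commas. Small, but since this line sits in the hunk it is cheap to correct in the same commit.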
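Review bot: The heading changed in `@@ -1445,7 +1446,7 @@` keeps the name `AWS Secret Manager`; the service is called AWS Secrets Manager, which also affects the anchor if a TOC entry is added for it. Suggest `## AWS Secrets Manager`, and while here, `encrypts and store secrets` / `decrypts and return in plaintext` on the following context lines should read `stores` / `returns`.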
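Review bot: In `@@ -2127,7 +2128,7 @@`, changing `# SSO & Other Services` to `## SSO & Other Services` puts it at the same level as the `## Single Sign On (SSO)` heading two lines below, which was previously its child. The group heading now reads as an empty sibling section. Either demote `Single Sign On (SSO)` (and the other service headings under this group) to `###`, or drop the group heading if it no longer carries content of its own.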
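Review bot: In the VPC hunk (`@@ -2190,7 +2191,7 @@`), the context line `* If the VPC has an internet gateway, means its a public subnet` is imprecise as well as ungrammatical: a subnet is public when its route table has a route to the internet gateway, not merely because the VPC has one attached; other subnets in the same VPC can stay private. Suggest `* A subnet is public if its route table routes to the VPC's internet gateway; other subnets in the same VPC may still be private.`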