AWS Cloud

Blogs/Research

• Hacking Serverless Runtimes: Profiling Lambda, Azure, and more
• Bypassing and exploiting Bucket Upload Policies and Signed URLs
• Cloud basics for pen testers, red teamers, (and defenders)
• Many-faced threats to Serverless security – Hacker Noon
• Elevating Permissions in AWS IAM – CloudSploit
• Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’ - Rhino Security Labs
• AWS Privilege Escalation – Methods and Mitigation
• Exploiting SSRF in AWS Elastic Beanstalk
• AWS resource naming patterns
• Internet-Scale analysis of AWS Cognito Security
• Hacking AWS Misconfigurations
• AWS IAM User Enumeration
• AWS IAM User Enumeration-2
• Bypassing IP Based Blocking with AWS API Gateway
• An SSRF, privileged AWS keys and the Capital One breach
• From SSRF To AWS Credentials Disclosure
• Gaining AWS Console Access via API Keys
• Pivoting in Amazon Clouds
• Escalating AWS IAM Privileges with an Undocumented CodeStar API
• CloudGoat AWS Scenario Walkthrough: “EC2_SSRF”
• Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT)
• Pillaging AWS ECS Task Definitions for Hardcoded Secrets
• Phishing Users with MFA on AWS
• S3 Ransomware Part 1: Attack Vector
• S3 Ransomware Part 2: Prevention and Defense
• Abusing VPC Traffic Mirroring in AWS
• Exploiting email address parsing with AWS SES
• Weaponizing AWS ECS Task Definitions to Steal Credentials From Running Containers
• Auditing PassRole: A Problematic Privilege Escalation Permission
• Lesser Known Techniques for Attacking AWS Environments
• Gaining Persistency on Vulnerable Lambdas
• Bypassing and exploiting Bucket Upload Policies and Signed URLs
• S3 Bucket Namesquatting - Abusing predictable S3 bucket names
• Securing your Amazon AWS S3 presigned URLs, tips and tricks
• Dangling DNS: Amazon EC2 IPs
• Hacking the Cloud
• Sensitive AWS API Calls That Return Credentials and Data
• Hackers as Cloud Customers
• Security checklist for cloud workload protection
• Security Logging in Cloud Environments - AWS
• Auditing PassRole: A Problematic Privilege Escalation Permission
• Presenting the Risk: Do You Know About this AWS Authorization Misuse?
• Cloud Storage Security: Attacking & Auditing
• Cloud lateral movement: Breaking in through a vulnerable container
• Kubernetes Multi tenancy with Amazon EKS: Best practices and considerations
• Hacking AWS: HackerOne & AWS CTF 2021 writeup
• Exploiting weak configurations in Amazon Cognito
• Password reset code brute-force vulnerability in AWS Cognito
• Domain Hijacking Via Logic Error - Gandi And Route 53 Vulnerability
• Post Exploitation
  • Post Exploitation in AWS using Nimbostratus - Cloud Security Operations
  • A centralized source of all AWS IAM privilege escalation methods
  • AWS Serverless Security Workshop - In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora.

Tools

S3 Buckets Finder

• S3Scanner: Scan for open AWS S3 buckets and dump the contents
• smiegles/mass3: Quickly enumerate through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading.
• AWS-Scanner: Scans a list of websites for Cloudfront or S3 Buckets
• goGetBucket: A penetration testing tool to enumerate and analyse Amazon S3 Buckets owned by a domain.
• s3-inspector: Tool to check AWS S3 bucket permissions
• buckets.grayhatwarfare.com: Search for open buckets using online service
• AWSBucketDump: Security Tool to Look For Interesting Files in S3 Buckets
• bucket-stream: Find interesting Amazon S3 Buckets by watching certificate transparency logs.
• CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
• kicks3: S3 bucket finder from html,js and bucket misconfiguration testing tool.

DFIR

• aws_ir: Python installable command line utiltity for mitigation of host and key compromises.
• aws-security-automation: Collection of scripts and resources for DevSecOps and Automated Incident Response Security
• GDPatrol: A Lambda-powered Security Orchestration framework for AWS GuardDuty
• awslog: Show the history and changes between configuration versions of AWS resources
• aws_responder: AWS Incident Response Kit (AIRK) - AWS Incident Response

Defensive

• ScoutSuite: Multi-Cloud Security Auditing Tool
• prowler: AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+90).
• scans: AWS security scanning checks
• cloudmapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
• cloudtracker: CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
• aws-security-benchmark: Open source demos, concept and guidance related to the AWS CIS Foundation framework.
• aws_public_ips: Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services
• PMapper: A tool for quickly evaluating IAM permissions in AWS.
• aws-inventory: Discover resources created in an AWS account.
• SkyArk: SkyArk helps to discover, assess and secure the most privileged entities in AWS
• lunar: A UNIX security auditing tool based on several security frameworks
• cloud-reports: Scans your AWS cloud resources and generates reports
• cs-suite: Cloud Security Suite - One stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.
• cloud-service-enum: These script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service.
• Chamber: Tool for managing secrets. It does so by storing secrets in SSM Parameter Store, an AWS service for storing secrets.
• Policy Sentry: IAM Least Privilege Policy Generator by Salesforce
• Antiope: AWS Inventory & Compliance Framework
• rpCheckup: Catch AWS resource policy backdoors
• AWS CloudFormation Guard: AWS CloudFormation Guard is an open-source general-purpose policy-as-code evaluation tool.

Offensive

• DumpsterDiver: Tool to search secrets in various filetypes.
• weirdAAL: WeirdAAL (AWS Attack Library)
• pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
• aws_pwn: A collection of AWS penetration testing junk
• cloudjack: Route53/CloudFront Vulnerability Assessment Utility
• cloudfrunt: A tool for identifying misconfigured CloudFront domains
• mad-king: Proof of Concept Zappa Based AWS Persistence and Attack Platform
• cloud-nuke: A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
• cloud-service-enum: These script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service.
• Cloudsplaining: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
• security-cloud-scout - Cloud Scout is a plugin which works on top of BloodHound, leveraging its visualization capabilities in order to visualize cross platform attack paths.
• Red-Shadow - Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured
• S3 Account Search - This tool lets you find the account id an S3 bucket belongs too.

Continous Monitoring

• streamalert: StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
• security_monkey: Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
• keynuker: 🔐💥 KeyNuker - nuke AWS keys accidentally leaked to Github

Miscellaneous

• kube-hunter: Hunt for security weaknesses in Kubernetes clusters
• Testing IAM Policies with the IAM Policy Simulator
• An AWS IAM Policy Linter: Parliament

Edit me on Github