Today I will share a nice AWS pentest checklist I found at https://guide.offsecnewbie.com/cloud-pentesting.
The site also has plenty of information and notes on other topics such as recon phases, attack types, shells, SQL, password cracking, and more. It is worth checking out.
- Test for unauthenticated bucket access
- Test for semi-public bucket access (improper ACL / access control permissions)
- Target and compromise AWS access keys leaked in git commits
- Test for extracting keys from an EC2 instance
- Exploit AWS security misconfigurations
- Test for exploitable EC2 instances
- Exploit internal AWS services using Lambda backdoors
- Test for subdomain takeover
- Test for AWS IAM privilege escalation
- Test for RCE
- Test for AWS role enumeration (IAM)
- Test the EC2 service for privilege escalation
- Test for AWS IAM enumeration while bypassing CloudTrail logging
- Test Bitbucket Server data for AWS credentials
- DNS rebinding to compromise the cloud environment
- Test for alteration of local Windows / Linux logs
- Test creating jobs or serverless actions that add root certificates and SSH private keys to machines and users (such as AWS Lambda)
- Test creating an additional interface / assigning an IP address in the target network / subnet on a compromised machine (like assigning a secondary private IPv4 address or interface to an AWS EC2 instance)
- Steal virtual machine images from storage accounts and analyze them for passwords, keys and certificates to access live systems (like VM VHD snapshots from storage accounts)
- Test gaining OS-level access to instances / VMs via workload management service privileges (AWS SSM)
- Create systems management commands or abuse instance metadata for scheduled and triggered command and control (AWS Systems Manager, modify EC2 UserData to trigger a reverse shell)
- Test running or deploying a workload with an assigned / passed service role, then export the instance credentials for those privileges (such as an EC2 passed role and metadata credentials)
- Fingerprint server and application versions and frameworks, detect sensitive PII in application logs
- Test for CSV injection in AWS CloudTrail
- Test for AWS secrets accessible via metadata
- Attempt load balancer MITM for session hijacking (ELB) via cloud service configuration or load balancer instance compromise
- Steal credentials from the metadata of proxy or HTTP forwarding servers (credentials in AWS metadata)
- Steal cloud workload credentials (AWS metadata STS credentials or Azure Linux Agent (waagent) folder credentials)
- Steal credentials from, or leverage privilege to operate, a cloud key service (AWS KMS, Azure Key Vault)
- Alter data in the datastore for fraudulent transactions or static website compromise (S3, RDS, Redshift)
- Alter a serverless function, logic app or other business logic implementation for action on objective or escalation (AWS Lambda or Azure Logic Apps)
- Alter data in local SQL or MySQL databases
- Operate in regions where logging is not enabled, or disable global logging (like CloudTrail)
- Alter log files in a non-validated log store, or disable validation (like CloudTrail log file validation)
- Test disabling network traffic analysis / logging (VPC Flow Logs)
- Test disabling cloud alerting to prevent detection and response (like CloudWatch alarms, GuardDuty, Security Hub, or Azure Security Center)
- Test disabling data store access logging to prevent detection and response (CloudTrail data events, S3 access logging, Redshift user activity logging)
- Alter log retention or damage the integrity of logs (S3 lifecycle rules, KMS CMK key deletion / role privilege lockout)
- Process hooking, process injection, Windows access token manipulation, leveraging misconfigured sudo capabilities
- Test creating or resetting a login, access key or temporary credential belonging to a high-privilege user (like iam:CreateAccessKey, STS, or iam:UpdateLoginProfile)
- Test changing the default policy for a user or new users to include additional privileges (like aws iam set-default-policy-version)

Checklist credit: @Tushar Verma
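Many of the items above (passed roles, Lambda backdoors, UserData rewrites, SSM command execution, minting access keys, swapping the default policy version, stopping CloudTrail or Flow Logs) reduce to "does this principal hold a specific IAM action or combination of actions?". The script below is an added example, not part of the checklist or the linked site: it scans an IAM policy document offline for those action primitives. The policy documents are constructed samples, the primitive table is my own mapping of the checklist items to real IAM action names, and the check deliberately ignores the Resource and Condition elements, so every hit is a candidate to verify by hand rather than proof of exploitability.

```python
"""Offline scan of IAM policy documents for the privilege-escalation and
log-tampering action primitives named in the AWS checklist above.
Added example; policy documents below are constructed samples."""
import fnmatch
import json

# Each entry maps a finding label to the set of actions that must ALL be allowed.
# Action names are real IAM actions; the grouping is an assumption of this example.
PRIVESC_PRIMITIVES = {
    # create/reset credentials of a (privileged) user
    "iam:CreateAccessKey": {"iam:CreateAccessKey"},
    "iam:UpdateLoginProfile": {"iam:UpdateLoginProfile"},
    # switch a policy to a more permissive version
    "iam:SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    # run a workload with a passed role and harvest its metadata credentials
    "iam:PassRole+ec2:RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    # Lambda backdoor with a passed role
    "iam:PassRole+lambda:CreateFunction+lambda:InvokeFunction": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    # rewrite EC2 UserData to trigger a reverse shell
    "ec2:ModifyInstanceAttribute": {"ec2:ModifyInstanceAttribute"},
    # OS-level access through Systems Manager
    "ssm:SendCommand": {"ssm:SendCommand"},
}

LOG_TAMPER_PRIMITIVES = {
    "cloudtrail:StopLogging": {"cloudtrail:StopLogging"},
    "cloudtrail:DeleteTrail": {"cloudtrail:DeleteTrail"},
    "cloudtrail:UpdateTrail": {"cloudtrail:UpdateTrail"},
    "ec2:DeleteFlowLogs": {"ec2:DeleteFlowLogs"},
    "guardduty:DeleteDetector": {"guardduty:DeleteDetector"},
    "cloudwatch:DeleteAlarms": {"cloudwatch:DeleteAlarms"},
    "s3:PutBucketLogging": {"s3:PutBucketLogging"},
    "s3:PutLifecycleConfiguration": {"s3:PutLifecycleConfiguration"},
    "kms:ScheduleKeyDeletion": {"kms:ScheduleKeyDeletion"},
}


def _as_list(value):
    """IAM allows Statement/Action/NotAction to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    needle = action.lower()
    return any(fnmatch.fnmatchcase(needle, p.lower()) for p in patterns)


def action_allowed(policy, action):
    """True if the policy's Allow/Deny statements permit `action`.

    Resource and Condition are ignored on purpose: the scan over-approximates,
    and a hit means 'go verify this', not 'this is exploitable'."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = _matches(action, _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            hit = not _matches(action, _as_list(stmt["NotAction"]))
        else:
            continue  # malformed statement, nothing to evaluate
        if stmt.get("Effect") == "Allow":
            allowed = allowed or hit
        elif stmt.get("Effect") == "Deny":
            denied = denied or hit
    return allowed and not denied


def scan_policy(policy):
    """Return the checklist primitives this policy grants, grouped by category."""
    return {
        "privesc": [label for label, needed in PRIVESC_PRIMITIVES.items()
                    if all(action_allowed(policy, a) for a in needed)],
        "log_tampering": [label for label, needed in LOG_TAMPER_PRIMITIVES.items()
                          if all(action_allowed(policy, a) for a in needed)],
    }


# Constructed sample: a "developer" policy that looks routine but grants
# PassRole + RunInstances and a CloudTrail wildcard (with one explicit Deny).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"},
    ],
}

# Constructed sample: genuinely read-only, should produce no findings.
READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"],
                   "Resource": "*"}],
}

# Constructed sample: "power user" style NotAction that excludes only IAM.
POWERUSER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in [("developer", DEVELOPER_POLICY), ("readonly", READONLY_POLICY),
                      ("poweruser", POWERUSER_POLICY)]:
        print(name, json.dumps(scan_policy(pol), indent=2))
```

Point it at the output of `aws iam get-policy-version` (or an inline policy pulled with `get-user-policy` / `get-role-policy`) to triage which principals are worth spending manual effort on; the NotAction sample shows why "everything except IAM" still hands you SSM, UserData rewrites and every logging kill switch.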