AWS Penetration Testing Checklist

Today I will share a nice AWS pentest checklist I found at

The site also has a lot of information and notes on many other topics, such as recon phases, attack types, shells, SQL, password cracking… It is worth checking out.

  1. Test for Unauthenticated Bucket Access
  2. Test for Semi-Public Bucket access – Improper ACL permission
  3. Targeting and compromising AWS Access keys in git commit
  4. Test for Extracting keys from an EC2 instance
  5. Exploiting AWS Security Misconfigurations
  6. Testing to exploit EC2 instance
  7. Exploiting Internal AWS Services using Lambda backdoors
  8. Test for Subdomain Takeover
  9. Testing for AWS IAM Privilege Escalation
  10. Test for RCE attack
  11. Test for AWS Role Enumeration (IAM)
  12. Test for EC2 service to exploit privilege escalation
  13. Test for AWS IAM enumeration: Bypassing CloudTrail Logging
  14. Test for Bitbucket Server data for credentials in AWS
  15. DNS rebinding to compromise the cloud environment
  16. Test for Change of local Windows / Linux logs
  17. Test to Create jobs or serverless actions to add root certificates and ssh private keys to machines and users (such as AWS lambda)
  18. Test to Create an additional interface / assign an IP address in the target network / subnet on a compromised machine (like assigning a secondary private IPv4 address or interface to an AWS EC2 instance)
  19. Steal virtual machine images from storage accounts, analyze them for passwords, keys and certificates to access live systems (like VM VHD snapshots from storage accounts)
  20. Test to Gain OS level access to Instances/VMs via workload management service privileges (AWS SSM)
  21. Create systems management commands or abuse instance metadata for scheduled and triggered command and control (AWS Systems Manager, modify EC2 UserData to trigger a reverse shell)
  22. Test to Run or deploy a workload with an assigned/passed service or role, export instance credentials for those privileges (such as EC2 passed role and meta credentials)
  23. Fingerprint server and application versions and frameworks, detect sensitive PII in application logs
  24. Test for CSV injection in AWS CloudTrail
  25. Tested for AWS secrets accessible via meta-data
  26. Attempt load balancer MiTM for session hijacking (elb) by cloud service configuration or load balancer instance compromise
  27. Steal credentials from metadata of proxy or HTTP forwarding servers (credentials in AWS meta)
  28. Steal cloud workload credentials (AWS metadata STS or Azure Linux Agent (waagent) folder credentials)
  29. Steal credentials from or leverage privilege to the operation of a cloud key service (AWS KMS, Azure Key Vault)
  30. Alter data in the datastore for fraudulent transactions or static website compromise (S3, RDS, Redshift)
  31. Alter a serverless function, logic app or otherwise a business logic implementation for action on objective or escalation (AWS Lambda or Azure Logic Apps)
  32. Alter data in local SQL or MySQL databases
  33. Operate in regions where logging is not enabled or disable global logging (like CloudTrail)
  34. Alter log files in a non-validated log store or disable validation (like CloudTrail log validation)
  35. Test for disabling network traffic analysis/logging (VPC flow logs)
  36. Test for disabling cloud alerting to prevent detection and response (like CloudWatch alerts, GuardDuty, Security Hub, or Azure Security Center)
  37. Test for disabling data store access logging to prevent detection and response (CloudTrail data access, S3 access logging, Redshift user activity)
  38. Alter log retention or damage the integrity of logs (S3 lifecycle, KMS decryption CMK key deletion/role privilege lockout)
  39. Process hooking, process injection, Windows access token manipulation, leveraging misconfigured sudo capabilities
  40. Test to Create or reset a login, access key or temporary credential belonging to a high-privilege user (like iam:CreateAccessKey, sts or iam:UpdateLoginProfile)
  41. Test to Change the default policy for a user or new users to include additional privileges (like set-default-policy-version)

@ Tushar Verma