Putting it All Together - Real-World AWS Pentesting

In this chapter, we will be looking at a real-world AWS pentest from start to finish. This should help tie together many of the chapters in this book and demonstrate the flow of penetration testing an AWS environment. We will skip over many of the technical details of how certain attacks work, because they have already been outlined in their respective chapters in this book.

When pentesting an AWS environment, it is important to be thorough and to investigate every attack possible with the access that you are granted. This ensures that the results you provide the client at the end of the engagement are complete and useful, and gives them confidence that their infrastructure was investigated on a wide scale.

Throughout this chapter, we will be referencing two IAM users at different points. One IAM user will be referred to as PersonalUser. PersonalUser is an IAM user that we have created in our own attacker-controlled AWS account to use for activities such as cross-account enumeration. This user is required to have the iam:UpdateAssumeRolePolicy and s3:ListBucket permissions for the cross-account recon to work correctly. The other IAM user will be referred to as CompromisedUser; this is the user we compromised in this attack scenario and the one we will use throughout the normal process. Our scenario simulates an engagement in which a company that uses AWS, Acme Co., comes to our pentesting company looking for an AWS pentest.

In this chapter, we will cover the following topics:

  • Pentest kickoff
  • Unauthenticated reconnaissance
  • Authenticated reconnaissance plus permissions enumeration
  • Privilege escalation
  • Persistence
  • Post-exploitation
  • Auditing for compliance and best practices