THM - Attacking and Defending AWS

GDB HackerOne
May 21, 2023

Link : Attacking and Defending AWS New Security Training

Introduction to Amazon Web Services
Learn about the unique characteristics associated with cloud technologies and core fundamentals required to use AWS.

Introduction to Identity and Access Management (IAM)
Set a good foundation for attacking and defending this service by understanding how permissions work on AWS.

Attacking and Defending core Services
Explore security misconfiguration on commonly used AWS services including EC2, S3, VPC, KMS and more.

Attacking and Defending Serverless
Work with Serverless components within AWS like Lambda functions, Step functions and more to understand how they can be exploited.

Identity and Access Management (IAM) Privilege Escalation
After understanding how the IAM service works, put this knowledge to practice by covering key concepts required to enumerate, exploit and persist across IAM.

Amazon Web Services is the most popular cloud service provider in the world offering hundreds of services. With a large number of businesses adopting cloud technologies like AWS, cyber practitioners must understand the security implications of moving to the cloud.

This pathway gives you hands-on access to common misconfigurations across AWS environments and teaches the defensive mitigations that prevent these attacks, including:

  • identifying, enumerating and exploiting overly permissive IAM users, roles and policies
  • exploring serverless infrastructure and common attack vectors present within these services
  • exploiting weaknesses in the most common AWS services including S3, EC2, VPC and more
Learn how attackers compromise AWS environments

INDEX

SECTION 1
Introduction to AWS
-AWS: Cloud 101
-AWS Basic Concepts
SECTION 2
Introduction to IAM
-Introduction to AWS IAM
-IAM Principals
-IAM Permissions
-IAM Credentials
-The Quest for Least Privilege
-STS Credentials Lab
SECTION 3
Attacking and Defending Core Services
-AWS S3 — Attack and Defense
-Amazon EC2 — Attack & Defense
-Amazon EC2 — Data Exfiltration
-AWS VPC — Attack and Defense
-AWS VPC — Data Exfiltration
-AWS Encryption Services
SECTION 4
Attacking and Defending Serverless
-AWS Lambda
-Lambda — Data Exfiltration
-AWS API Gateway
SECTION 5
IAM Privilege Escalation
-AWS IAM Initial Access
-AWS IAM Enumeration
Conclusion

SECTION 1
Introduction to AWS
-AWS: Cloud 101
-AWS Basic Concepts

Amazon Web Services (AWS) is a comprehensive cloud computing platform offered by Amazon. It provides a wide range of cloud services that help businesses and individuals build and deploy various types of applications and services.

Cloud Computing: Cloud computing refers to the delivery of computing resources (such as servers, storage, databases, networking, software, analytics, and more) over the internet. Instead of owning and maintaining physical infrastructure, users can access these resources on-demand, pay only for what they use, and scale their resources as needed.

Key Concepts in AWS:

Regions and Availability Zones: AWS operates in multiple geographic regions worldwide. Each region consists of multiple Availability Zones (AZs), which are physically separate data centers within a region. AZs provide fault tolerance and high availability for applications.

Services: AWS offers a vast array of services across different categories. Some popular services include:

  • Compute: EC2 (Elastic Compute Cloud) provides virtual servers, while Lambda offers serverless compute capacity.
  • Storage: S3 (Simple Storage Service) provides object storage, while EBS (Elastic Block Store) offers block-level storage for EC2 instances.
  • Databases: AWS provides various managed database services like RDS (Relational Database Service), DynamoDB, and Aurora.
  • Networking: VPC (Virtual Private Cloud) enables you to create isolated network environments, while CloudFront is a content delivery network (CDN) service.
  • Management and Governance: Services like IAM (Identity and Access Management) manage access to AWS resources, and CloudWatch monitors resources and applications.
  • Security: AWS provides a range of security services like AWS Identity and Access Management (IAM), AWS WAF (Web Application Firewall), and AWS Shield for DDoS protection.

Elasticity and Scalability: One of the key advantages of AWS is its ability to scale resources up or down based on demand. Elasticity refers to the ability to automatically provision and release resources, while scalability refers to the ability to handle increased workload efficiently.

Pay-as-you-go Pricing: AWS follows a pay-as-you-go model, where users are billed for the resources they consume. This pricing model offers flexibility and cost optimization.

Security: AWS has various security measures in place to protect customer data and ensure compliance. However, it’s important for users to understand and configure their resources securely, including managing access control, encryption, and network security.

SECTION 2
Introduction to IAM
-Introduction to AWS IAM
-IAM Principals
-IAM Permissions
-IAM Credentials
-The Quest for Least Privilege
-STS Credentials Lab

Introduction to IAM:

IAM (Identity and Access Management) is a vital service provided by AWS that enables users to manage access to their AWS resources securely. IAM helps organizations maintain control over who can access their AWS infrastructure and what actions they can perform. Let’s delve into the key aspects of IAM.

1. Introduction to AWS IAM:

AWS IAM stands for Amazon Web Services Identity and Access Management. It is a service provided by AWS that allows you to manage access to your AWS resources in a secure manner. With IAM, you can control who has access to your resources and what actions they can perform.

IAM enables you to create and manage users, groups, and roles. Users are individual AWS accounts that can be assigned permissions to access resources. Groups are collections of users that share the same permissions. Roles are sets of permissions that can be assigned to users or groups.

Fine-grained permissions refer to the ability to grant or restrict access to specific resources or actions within a resource. This means that you can define exactly what a user or group can do within a resource, rather than giving them blanket access to everything within that resource.

Overall, AWS IAM provides a comprehensive solution for managing access to your AWS resources, allowing you to maintain security and control over who can access your data and applications.

AWS IAM allows you to manage users, groups, and roles within your AWS account. Users represent individual entities such as employees or administrators, while groups allow you to group users together based on shared permissions. Roles, on the other hand, are used to grant permissions to AWS services or external identities.

IAM provides a centralized approach to manage authentication and authorization for accessing AWS resources. By utilizing IAM, organizations can adhere to the principle of least privilege, ensuring that users only have the necessary permissions required to perform their tasks.

2. IAM Principals:
IAM Principals are entities that can be authenticated and authorized to access AWS resources. They can be AWS accounts, IAM users, or roles assumed by services or federated users. Principals are assigned unique identifiers called ARNs (Amazon Resource Names) to differentiate them.

IAM allows you to assign permissions to principals by defining policies, which are JSON documents that specify the allowed or denied actions on AWS resources. These policies can be attached directly to IAM users, groups, or roles.

IAM (Identity and Access Management) Principals are entities that can access AWS (Amazon Web Services) resources after being authenticated and authorized. These entities can be AWS accounts, IAM users, or roles assumed by services or federated users. Each principal is assigned a unique identifier called an ARN (Amazon Resource Name) to differentiate it from the others. ARNs are used to identify and access AWS resources across different AWS services.

IAM policies are JSON (JavaScript Object Notation) documents that specify the allowed or denied actions on AWS resources. These policies can be attached directly to IAM users, groups, or roles. IAM policies provide a flexible and powerful way to control access to AWS resources.

In summary, IAM allows assigning permissions to IAM Principals by creating policies. These policies are JSON documents that specify the allowed or denied actions on AWS resources. IAM policies can be attached directly to IAM users, groups, or roles, providing a flexible and powerful way to control access to AWS resources.

3. IAM Permissions:
IAM permissions control what actions are allowed or denied on AWS resources. Each AWS service has a set of permissions that can be granted to IAM principals. Permissions are defined using the AWS Identity and Access Management (IAM) policy language.

IAM policies consist of statements that specify the effect (allow or deny), the actions (API calls), the resources (AWS resources to which the actions apply), and optional conditions. By carefully crafting IAM policies, you can ensure that the right users have access to the right resources at the right time.

IAM Permissions determine the actions that a principal (such as a user, group, or role) can perform on AWS resources. These permissions are defined through IAM policies, which are JSON documents that specify the actions allowed or denied on specific resources.

IAM policies consist of a set of statements that define the permissions for a principal. Each statement includes the following elements:

Effect: This specifies whether the statement allows or denies the specified actions. The effect can be either “Allow” or “Deny”.

Action: This specifies the actions that are allowed or denied. Actions can be specific API actions (such as “s3:GetObject” or “ec2:DescribeInstances”) or a wildcard (*) to represent all actions.

Resource: This specifies the AWS resources on which the actions can be performed. Resources can be specific resources (such as an S3 bucket ARN or an EC2 instance ARN) or a wildcard (*) to represent all resources.

4. IAM Credentials:
IAM credentials are used to authenticate and authorize users, applications, or services to access AWS resources. IAM supports two types of credentials: access keys and security tokens. Access keys consist of an access key ID and a secret access key, which are used to make programmatic requests to AWS APIs. Security tokens, known as AWS Security Token Service (STS) tokens, are temporary credentials that can be obtained by assuming roles or federating identities.

IAM provides options to manage and rotate access keys to maintain the security of your AWS resources. It’s important to follow security best practices such as regularly rotating access keys and avoiding the use of root account access keys.

5. The Quest for Least Privilege:
The principle of least privilege is a fundamental concept in security, emphasizing that users should only be granted the minimum level of access necessary to perform their tasks. By following this principle, organizations can minimize the risk of unauthorized access and limit the potential impact of compromised credentials.

IAM allows you to implement least privilege by assigning permissions at a granular level, granting only the necessary actions on specific resources. Regularly reviewing and auditing IAM policies can help ensure that permissions remain aligned with business requirements and that overly permissive policies are avoided.
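As a concrete form of the policy review described above, the following added example (not part of the original post or the course material) walks the Effect, Action and Resource elements of a policy document and reports Allow statements that are broader than least privilege would permit. The sample policy, the rule names and the severity labels are constructed for illustration.

```python
import json

# Constructed sample identity-based policy; Sids and ARNs are made up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "AllS3", "Effect": "Allow",
     "Action": "s3:*", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow",
     "Action": "*", "Resource": "*"},
    {"Sid": "NoDelete", "Effect": "Deny",
     "Action": "s3:DeleteBucket", "Resource": "*"},
    {"Sid": "DescribeOnly", "Effect": "Allow",
     "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Sid": "EverythingButIam", "Effect": "Allow",
     "NotAction": "iam:*", "Resource": "*"}
  ]
}
""")


def as_list(value):
    """IAM JSON accepts a single string/object wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_breadth(action):
    """Classify one Action pattern: 'all' (*), 'service' (svc:*) or 'narrow'."""
    if action == "*":
        return "all"
    _service, _, name = action.partition(":")
    return "service" if name == "*" else "narrow"


def audit_policy(policy):
    """Return (sid, severity, rule) for each over-broad Allow statement."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", f"statement[{index}]")
        every_resource = "*" in as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "MEDIUM", "allow-with-notaction"))
            continue
        breadths = {action_breadth(a) for a in as_list(stmt.get("Action"))}
        if "all" in breadths and every_resource:
            findings.append((sid, "HIGH", "all-actions-all-resources"))
        elif "all" in breadths:
            findings.append((sid, "MEDIUM", "all-actions-scoped-resource"))
        elif "service" in breadths and every_resource:
            findings.append((sid, "MEDIUM", "service-wildcard-all-resources"))
    return findings


if __name__ == "__main__":
    for sid, severity, rule in audit_policy(SAMPLE_POLICY):
        print(f"{severity:6} {sid}: {rule}")
```

A specific action such as `ec2:DescribeInstances` on `Resource: "*"` is deliberately not reported, because the wildcard resource alone does not make a statement over-broad.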

6. STS Credentials Lab:
The AWS Security Token Service (STS) enables you to generate temporary security credentials that can be used to access AWS resources. STS provides different ways to obtain temporary credentials, such as assuming IAM roles, federating identities, or using web identity federation for mobile or web applications.

Through the STS Credentials Lab, you can gain hands-on experience with requesting and using temporary security credentials. This lab allows you to understand how to assume roles, manage session duration, and implement multi-factor authentication (MFA) for added security.

By mastering IAM and understanding its various components, you can effectively manage access to your AWS resources, enforce the principle of least privilege, and strengthen the security posture of your AWS environment.

SECTION 3

Attacking and Defending Core Services
AWS S3 — Attack and Defense
Amazon EC2 — Attack & Defense
Amazon EC2 — Data Exfiltration
AWS VPC — Attack and Defense
AWS VPC — Data Exfiltration
AWS Encryption Services

Securing Your AWS Infrastructure: A Comprehensive Guide to Attacking and Defending Core Services

Introduction:
In today’s digital landscape, securing cloud infrastructure is paramount. AWS (Amazon Web Services) offers a wide range of services that are the backbone of many organizations’ IT infrastructure. However, these services can be vulnerable to security misconfigurations if not properly understood and managed. In this comprehensive guide, we will explore the security aspects of commonly used AWS services such as EC2, S3, VPC, and more. By understanding the attack vectors and implementing effective defense strategies, you can enhance the security posture of your AWS infrastructure.

Section 1: AWS S3 — Attack and Defense :
AWS S3 (Simple Storage Service) is a highly scalable and flexible storage solution. It allows you to store and retrieve data from anywhere on the web. However, misconfigurations in S3 buckets can lead to data leaks and unauthorized access. This section provides an in-depth exploration of the security features offered by S3, such as bucket policies, access control lists (ACLs), and encryption options. It also delves into common attacks, including public access misconfigurations, account compromises, and data exposure. Practical defense strategies will be discussed, covering topics like secure bucket configurations, IAM policies, and S3 access logging. By mastering S3 security, you can protect your data assets and prevent costly breaches.

Section 2: Amazon EC2 — Attack & Defense :
Amazon EC2 (Elastic Compute Cloud) is a fundamental service for deploying and managing virtual servers in the AWS environment. This section focuses on understanding the architecture of EC2 instances and potential attack vectors. It covers common attack techniques such as exploiting misconfigurations, weak authentication, and remote code execution. Additionally, you will learn about defense mechanisms like security groups, network ACLs, and instance hardening techniques. By implementing proper security measures, you can defend against unauthorized access and ensure the integrity of your EC2 infrastructure.

Section 3: Amazon EC2 — Data Exfiltration :
Data exfiltration is a critical concern for organizations, and EC2 instances can be a target for such attacks. This section provides an in-depth exploration of the techniques used to compromise an EC2 instance and exfiltrate sensitive data. It covers topics such as privilege escalation, lateral movement, and data extraction methods. Additionally, it discusses defense strategies such as data encryption, network segmentation, and monitoring/logging. By understanding the tactics employed by attackers and implementing robust security controls, you can mitigate the risk of data exfiltration and protect your valuable information.

Section 4: AWS VPC — Attack and Defense :
AWS VPC (Virtual Private Cloud) allows you to create a logically isolated network within the AWS cloud. This section provides a comprehensive overview of VPC and its security implications. It covers topics such as VPC components, subnets, security groups, and network access control lists (NACLs). You will learn about common attack scenarios, including network sniffing, spoofing, and lateral movement within a VPC. To bolster your defenses, the section explores strategies such as VPC peering, bastion hosts, and flow logs for monitoring network traffic. By implementing robust security controls at the VPC level, you can establish a secure network foundation for your AWS infrastructure.

Section 5: AWS VPC — Data Exfiltration :
Building upon the previous section, this exercise focuses on compromising an existing VPC and exfiltrating data. It provides practical scenarios and techniques to understand the potential vulnerabilities within a VPC. The section covers topics such as compromised instances, unauthorized data access, and covert communication channels. It also discusses defense mechanisms such as network segmentation, intrusion detection systems (IDS), and incident response strategies. By simulating real-world scenarios, you will enhance your understanding of potential vulnerabilities and gain practical knowledge in securing your VPC against data breaches.

Section 6: AWS Encryption Services :
Encryption plays a crucial role in securing sensitive data in the AWS environment. This section focuses on AWS Encryption Services, including Key Management Service (KMS) and Certificate Manager (ACM). It explores attack vectors related to encryption, such as key compromise, unauthorized key usage, and SSL/TLS vulnerabilities. You will learn how to leverage encryption options in various AWS services, implement secure key management practices, and ensure the integrity of your encrypted data. By mastering encryption techniques and implementing robust defense strategies, you can safeguard your data assets from unauthorized access and maintain compliance with regulatory requirements.

Attacking and Defending Serverless: Securing Your AWS Infrastructure in a Serverless Environment

Introduction:
Serverless technologies have revolutionized the way infrastructure is designed and managed. By leveraging AWS Lambda and API Gateway, organizations can build scalable and cost-effective applications without the need for traditional server management. However, it is essential to understand the security aspects of these serverless components and be aware of potential vulnerabilities that could be exploited. In this guide, we will explore the security considerations, attack vectors, and defensive strategies related to AWS Lambda and API Gateway, enabling you to build and protect secure serverless architectures.

Section 1: AWS Lambda — Learn the Security Aspects :
AWS Lambda is a key component of serverless architectures, allowing you to run code without provisioning or managing servers. This section focuses on understanding the security aspects of Lambda functions. You will explore topics such as function isolation, resource allocation, and permissions. Gain insights into securing Lambda by implementing appropriate IAM policies, managing environment variables securely, and leveraging AWS Secrets Manager for sensitive data storage. By understanding Lambda’s security features, you can mitigate risks and build resilient serverless applications.

Section 2: Lambda — Data Exfiltration :
Data exfiltration is a significant concern in serverless environments, and Lambda functions can become a target for attackers. In this section, you will delve into the techniques used to compromise Lambda functions and access secret data. Explore attack vectors such as insecure coding practices, misconfigured permissions, and unauthorized access to environment variables. Implement defensive strategies like encrypting sensitive data, using secure coding practices, and monitoring function behavior for potential anomalies. By gaining hands-on experience in identifying and mitigating data exfiltration risks, you can protect your serverless applications and sensitive information.

Section 3: AWS API Gateway — Overview of Security Features and Common Attacks :
AWS API Gateway is a managed service that enables the creation, deployment, and management of APIs at scale. This section provides an overview of the security features offered by API Gateway and the importance of securing API endpoints. Explore topics such as authentication, authorization, and traffic management. Understand common attacks, including injection attacks, DDoS attacks, and API key compromises. Learn how to implement security measures like JWT authentication, rate limiting, and AWS WAF integration to protect your APIs from unauthorized access and potential abuse.

IAM Privilege Escalation: Mastering Identity and Access Management in AWS

Introduction :
Identity and Access Management (IAM) is a crucial component of securing your AWS environment. Understanding the concepts and techniques related to IAM privilege escalation is essential for maintaining a robust security posture. In this guide, we will delve into the key concepts required to enumerate, exploit, and persist across IAM. By gaining practical knowledge and hands-on experience, you will be equipped to effectively manage IAM access and protect your AWS infrastructure.

Section 1: AWS IAM Initial Access :
Gaining initial access to AWS IAM principals is the first step in the privilege escalation process. This section explores the methods and techniques used to gain initial access to IAM identities. Learn about common attack vectors, such as credential theft, phishing, and social engineering. Discover how attackers exploit weak authentication mechanisms and vulnerabilities in IAM policies to gain unauthorized access. Additionally, understand the importance of multifactor authentication (MFA) and secure credential management practices to prevent initial access compromises. By comprehending the techniques used by attackers, you can proactively secure IAM identities and mitigate the risk of unauthorized access.

Section 2: AWS IAM Enumeration :
IAM enumeration involves identifying and gathering information about IAM principals and the services they have access to. This section focuses on the process of enumerating IAM principals and the services they have permissions for. Learn about techniques like analyzing IAM policies, using IAM APIs, and exploring service-specific permissions. Discover the role of privilege escalation in the enumeration process and the implications of misconfigured policies. Gain insights into defensive strategies such as implementing least privilege, regular policy reviews, and using AWS Config for monitoring and compliance. By understanding IAM enumeration, you can strengthen your IAM implementation and reduce the attack surface of your AWS environment.

Practical Lab Exercises for AWS Security Topics:

  1. Introduction to AWS: Project: Setting up a Basic EC2 Instance

Description:
In this lab exercise, you will learn how to create and configure an EC2 instance in AWS. You will understand the steps involved in launching an instance, selecting the appropriate instance type, configuring security groups, and connecting to the instance via SSH. This exercise will give you hands-on experience with the core fundamentals of AWS and help you gain confidence in using AWS services.

Methods to Complete:

  1. Create an AWS account if you don’t have one already.
  2. Navigate to the EC2 service in the AWS Management Console.
  3. Launch a new EC2 instance and select the desired configuration options.
  4. Configure security groups to allow necessary inbound and outbound traffic.
  5. Connect to the instance using SSH and verify the successful connection.

  2. Introduction to IAM: Project: Creating IAM Users and Assigning Permissions

Description:
In this lab exercise, you will learn how to create IAM users and assign them appropriate permissions in AWS. You will understand the IAM user lifecycle, how to create user accounts, and how to assign permissions using IAM policies. This exercise will provide you with a solid foundation in IAM and enable you to effectively manage user access in AWS.

Methods to Complete:

  1. Navigate to the IAM service in the AWS Management Console.
  2. Create a new IAM user and provide necessary user details.
  3. Assign permissions to the user by creating and attaching an IAM policy.
  4. Test the user’s access by logging in with the newly created IAM user credentials.
  5. Verify that the user has the appropriate permissions by attempting various AWS actions.

  3. Attacking and Defending Core Services: Project: Securing an S3 Bucket

Description:
In this lab exercise, you will focus on the security of AWS S3, a commonly used service for storing and retrieving data. You will understand the importance of securing S3 buckets and implementing best practices to prevent unauthorized access. This exercise will allow you to explore S3 security features and gain hands-on experience in securing S3 buckets against potential attacks.

Methods to Complete:

  1. Create an S3 bucket in the AWS Management Console.
  2. Enable server-side encryption for the S3 bucket.
  3. Configure bucket policies to restrict access to trusted entities.
  4. Set up access logging for the bucket to monitor activity.
  5. Test the security configuration by attempting unauthorized access and verifying access restrictions.

  4. Attacking and Defending Serverless: Project: Building a Serverless Application with AWS Lambda and API Gateway

Description:
In this lab exercise, you will work with AWS Lambda and API Gateway to build a serverless application. You will understand the architecture of serverless applications, how to deploy Lambda functions, and how to secure API Gateway endpoints. This exercise will provide you with hands-on experience in working with serverless technologies and understanding their potential vulnerabilities.

Methods to Complete:

  1. Create an AWS Lambda function to handle a specific functionality (e.g., image resizing, data processing).
  2. Set up an API Gateway endpoint to trigger the Lambda function.
  3. Configure appropriate permissions for the Lambda function to interact with other AWS services if necessary.
  4. Implement security measures for the API Gateway endpoint, such as authentication and rate limiting.
  5. Test the serverless application by invoking the API Gateway endpoint and verifying the expected behavior.

  5. IAM Privilege Escalation: Project: Analyzing and Mitigating IAM Privilege Escalation Risks

Description:
In this lab exercise, you will dive deeper into IAM privilege escalation and learn how to identify and mitigate associated risks. You will explore techniques for enumerating IAM principals, identifying potential vulnerabilities, and implementing defense mechanisms to prevent privilege escalation. This exercise will provide you with practical knowledge in securing IAM and reducing the risk of unauthorized access.

Methods to Complete:

  1. Perform IAM enumeration by analyzing IAM policies, roles, and user configurations.
  2. Identify any overly permissive IAM policies or misconfigured access settings.
  3. Implement the principle of least privilege by adjusting IAM permissions and policies.
  4. Enable multi-factor authentication (MFA) for IAM users to enhance security.
  5. Monitor IAM activity using AWS CloudTrail and implement alerting mechanisms for suspicious events.
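
For steps 4 and 5 of this lab, the following added example (not from the original post or the course) shows detection logic over CloudTrail-style records: console logins without MFA, IAM permission changes, credentials created for another user, and bursts of denied IAM calls of the kind enumeration produces. It assumes the records are already parsed into dictionaries; the rule names, threshold, user names and sample events are constructed.

```python
from collections import Counter

# IAM API calls that change what a principal is allowed to do.
PERMISSION_CHANGES = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "UpdateAssumeRolePolicy", "AddUserToGroup",
}
CREDENTIAL_CREATION = {"CreateAccessKey", "CreateLoginProfile"}
DENIED_THRESHOLD = 3  # assumption for this example; tune per environment
IAM, SIGNIN = "iam.amazonaws.com", "signin.amazonaws.com"


def sample_event(name, source, user, params=None, error=None, extra=None, resp=None):
    """Build a constructed record using CloudTrail's field names."""
    return {
        "eventName": name, "eventSource": source, "errorCode": error,
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": params or {}, "responseElements": resp or {},
        "additionalEventData": extra or {},
    }


SAMPLE_EVENTS = [  # constructed, not real log data
    sample_event("ConsoleLogin", SIGNIN, "alice",
                 extra={"MFAUsed": "Yes"}, resp={"ConsoleLogin": "Success"}),
    sample_event("ConsoleLogin", SIGNIN, "bob",
                 extra={"MFAUsed": "No"}, resp={"ConsoleLogin": "Success"}),
    sample_event("ListUsers", IAM, "bob", error="AccessDenied"),
    sample_event("ListRoles", IAM, "bob", error="AccessDenied"),
    sample_event("GetAccountAuthorizationDetails", IAM, "bob", error="AccessDenied"),
    sample_event("CreateAccessKey", IAM, "bob", params={"userName": "bob"}),
    sample_event("CreateAccessKey", IAM, "bob", params={"userName": "admin-svc"}),
    sample_event("AttachUserPolicy", IAM, "bob", params={
        "userName": "bob",
        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    sample_event("DescribeInstances", "ec2.amazonaws.com", "alice"),
]


def detect(events):
    """Return (rule, acting_user, detail) alerts for the given records."""
    alerts, denied = [], Counter()
    for ev in events:
        identity = ev.get("userIdentity") or {}
        user = identity.get("userName", "unknown")
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        if ev.get("errorCode") == "AccessDenied":
            if ev["eventSource"] == IAM:
                denied[user] += 1  # counted below as a possible enumeration burst
            continue
        if ev.get("errorCode"):
            continue  # other failed calls changed nothing
        if name == "ConsoleLogin":
            # Only IAM users: federated logins do MFA at the identity provider.
            ok = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
            if identity.get("type") == "IAMUser" and ok and mfa != "Yes":
                alerts.append(("console-login-without-mfa", user, ev["sourceIPAddress"]))
        elif ev["eventSource"] != IAM:
            continue
        elif name in PERMISSION_CHANGES:
            alerts.append(("iam-permission-change", user, name))
        elif name in CREDENTIAL_CREATION:
            target = params.get("userName", user)
            if target != user:  # rotating your own key is routine
                alerts.append(("credential-created-for-other-user", user, target))
        elif name == "DeactivateMFADevice":
            alerts.append(("mfa-device-deactivated", user, params.get("userName", user)))
    for user, count in denied.items():
        if count >= DENIED_THRESHOLD:
            alerts.append(("iam-access-denied-burst", user, str(count)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```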

By : 𝓞𝓟 𝓚𝓮𝓿𝓲𝓷 ッ
https://t.me/GDB_hack
