AWS API Security Auditing Cheat Sheet
AWS provides a number of cloud-based services for building out an entire information technology infrastructure. The API provides a scriptable, command-line interface for manipulating these services in all kinds of ways. If you happen to come across AWS API keys in your penetration tests they can be extremely valuable for pivoting into this cloud infrastructure and penetrating your client organization further. So let's jump right into the various services offered by AWS and some of their general vulnerabilities, before diving into the cheat sheet.
Some general AWS API vulnerabilities include:
Using the API with SSL certificate verification explicitly disabled.
Using the root account instead of limited IAM accounts.
Create a config file with the keys:
echo "[default]" >> ~/.aws/config
echo "aws_access_key_id=[YOUR ACCESS KEY]" >> ~/.aws/config
echo "aws_secret_access_key=[YOUR SECRET KEY]" >> ~/.aws/config
It's also easy to spot the difference between a user key and a root key based on the naming convention:
root keys start with: AKIAIUM....
user keys start with: AKIAIKA....
IAM, or Identity and Access Management, is the service you use to manage users and user permissions under your AWS account.
General AWS IAM vulnerabilities include:
Lack of access key rotation
Inactive (unused) access keys not rotated or removed
Lack of Multi-Factor Authentication (on root accounts)
Both a console password and access keys enabled for the same account
Policies attached directly to individual users (rather than to groups)
Root account has active access keys
Root account used recently
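Every item on the IAM list above can be checked from one artifact, the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`, whose Content field is a base64-encoded CSV). The script below is an added example written for this page, not code from the original post or from AWS: it parses a constructed report in that CSV layout and flags each of the listed findings. The account ID, user names and dates in the sample are made up, and the 90-day rotation, 90-day inactivity and 30-day "recent root use" thresholds are assumed policy values, not AWS defaults.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds are assumed policy values, not AWS defaults.
MAX_KEY_AGE_DAYS = 90       # a key older than this should have been rotated
INACTIVE_KEY_DAYS = 90      # a key unused this long is "inactive" and should be removed
ROOT_RECENT_USE_DAYS = 30   # a root sign-in inside this window counts as "used recently"

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the Content field, base64-decoded). Account ID, names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2014-01-01T00:00:00+00:00,not_supported,2016-03-01T08:00:00+00:00,not_supported,not_supported,false,true,2014-01-02T00:00:00+00:00,2016-03-01T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2015-05-05T00:00:00+00:00,true,2016-03-02T09:00:00+00:00,2016-01-10T00:00:00+00:00,2016-04-10T00:00:00+00:00,true,true,2016-02-20T00:00:00+00:00,2016-03-02T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2015-05-05T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2015-05-05T00:00:00+00:00,2015-09-01T00:00:00+00:00,us-west-2,ec2,true,2015-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time so the constructed sample evaluates the same way every run.
SAMPLE_NOW = datetime(2016, 3, 3, tzinfo=timezone.utc)


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) pairs for the IAM weaknesses listed in the cheat sheet."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        active_keys = []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                active_keys.append((n,
                                    parse_ts(row[f"access_key_{n}_last_rotated"]),
                                    parse_ts(row[f"access_key_{n}_last_used_date"])))
        if is_root:
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if active_keys:
                findings.append((user, "root account has active access keys"))
            last_login = parse_ts(row["password_last_used"])   # root console sign-in
            if last_login and now - last_login <= timedelta(days=ROOT_RECENT_USE_DAYS):
                findings.append((user, "root account used recently"))
        elif has_password and active_keys:
            findings.append((user, "both console password and access key enabled"))
        for n, rotated, used in active_keys:
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
            # A key that was never used counts from its creation/rotation date.
            reference = used or rotated
            if reference and now - reference > timedelta(days=INACTIVE_KEY_DAYS):
                findings.append((user, f"access key {n} inactive (unused for {(now - reference).days} days)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user:15} {finding}")
```

On a real account, feed it the decoded Content field (for example `aws iam get-credential-report --query Content --output text | base64 -d`) and leave `now` unset so the current time is used. The one listed item the report cannot show is "policies attached directly to users"; that needs `aws iam list-user-policies --user-name [username]` per user.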
EC2 allows users to launch instances, set network firewall rules (security groups) for instances, attach and move volume storage, and create snapshots of volumes.
General AWS EC2 vulnerabilities include:
Sensitive ports open to the Internet (e.g. SSH, RDP, SQL, ...)
Plaintext-protocol ports open (e.g. FTP, Telnet, ...)
Lack of network firewall rules (Inbound)
Lack of network firewall rules (Outbound)
Permissions to stand up fraudulent servers
Lack of monitoring for fraudulent servers
Unencrypted volumes
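The EC2 items above map directly onto two API calls from the cheat sheet further down, describe-security-groups and describe-volumes. The script below is an added example for this page, not code from the original post or from AWS: it runs over constructed JSON in the shape those two commands return (`--output json`) and flags sensitive and plaintext ports open to the world, groups that allow all traffic inbound, unrestricted outbound rules, and unencrypted volumes. Group IDs, volume IDs and CIDRs in the samples are made up, and the port lists are the ones the cheat sheet names plus a few common database ports.

```python
import json

# Ports the cheat sheet calls out; extend to match the environment being audited.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-11111111", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-22222222", "GroupName": "legacy",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 23, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-33333333", "GroupName": "open",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
SAMPLE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-aaaaaaaa", "Size": 8, "Encrypted": false, "State": "in-use"},
  {"VolumeId": "vol-bbbbbbbb", "Size": 100, "Encrypted": true, "State": "in-use"},
  {"VolumeId": "vol-cccccccc", "Size": 500, "Encrypted": false, "State": "available"}
]}
""")


def world_cidrs(perm):
    """Return the IPv4/IPv6 ranges in a rule that mean 'anyone on the Internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit_security_groups(describe_output):
    """Return (group id, finding) pairs for world-open inbound rules and unrestricted egress."""
    findings = []
    watched = {**SENSITIVE_PORTS, **PLAINTEXT_PORTS}
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            exposed = world_cidrs(perm)
            if not exposed:
                continue   # only private ranges: not an Internet exposure
            if perm["IpProtocol"] == "-1":   # "-1" means every protocol and every port
                findings.append((gid, "all protocols and ports open to the Internet"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, name in sorted(watched.items()):
                if lo <= port <= hi:   # a port range may merely include the watched port
                    kind = "plaintext" if port in PLAINTEXT_PORTS else "sensitive"
                    findings.append((gid, f"{kind} {name} ({port}) open to the Internet via {','.join(exposed)}"))
        if any(p["IpProtocol"] == "-1" and world_cidrs(p) for p in sg.get("IpPermissionsEgress", [])):
            findings.append((gid, "unrestricted outbound traffic"))
    return findings


def unencrypted_volumes(describe_output):
    """Return IDs of EBS volumes whose data at rest is not encrypted."""
    return [v["VolumeId"] for v in describe_output["Volumes"] if not v.get("Encrypted", False)]


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(gid, finding)
    print("unencrypted volumes:", unencrypted_volumes(SAMPLE_VOLUMES))
```

Note that the "legacy" group's 20-23 range trips the SSH check as well as FTP and Telnet, which is the point of comparing against the whole range rather than FromPort alone. Run it per region, since security groups and volumes are regional and the cheat sheet's `--region us-east-1` commands only cover one.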
S3 allows users to store volumes, snapshots, and anything else in cloud-hosted storage.
General AWS S3 vulnerabilities include:
Bucket world-writable
Bucket world-readable
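World-readable and world-writable buckets show up in the bucket ACL as grants to the AllUsers or AuthenticatedUsers groups. The script below is an added example for this page, not code from the original post or from AWS: it classifies constructed ACLs in the shape of `aws s3api get-bucket-acl --bucket [bucket]` output (bucket names and the owner ID are made up) and reports the two findings from the list above. WRITE_ACP is treated as write because a grantee who can rewrite the ACL can grant themselves anything.

```python
import json

# Grantee URIs that make a grant public: anyone at all, or any AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_PERMS = {"READ", "FULL_CONTROL"}
# WRITE_ACP lets the grantee rewrite the ACL and grant themselves anything, so treat it as write.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed samples, one per bucket, in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACLS = json.loads("""
{
 "backups": {"Owner": {"ID": "owner-canonical-id"},
   "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
 "public-site": {"Owner": {"ID": "owner-canonical-id"},
   "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
              {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
 "uploads": {"Owner": {"ID": "owner-canonical-id"},
   "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
              {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
              {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
}
""")


def classify_acl(acl):
    """Return {'readable': [who...], 'writable': [who...]} for the public grants in one bucket ACL."""
    result = {"readable": [], "writable": []}
    for grant in acl["Grants"]:
        grantee = grant["Grantee"]
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue   # a named user or the S3 log-delivery group, not the public
        who = PUBLIC_GROUPS[grantee["URI"]]
        if grant["Permission"] in READ_PERMS:
            result["readable"].append(who)
        if grant["Permission"] in WRITE_PERMS:
            result["writable"].append(who)
    return result


def audit_bucket_acls(acls_by_bucket):
    """Return (bucket, finding) pairs for world-readable and world-writable buckets."""
    findings = []
    for bucket, acl in acls_by_bucket.items():
        c = classify_acl(acl)
        if c["readable"]:
            findings.append((bucket, "world-readable by " + ", ".join(c["readable"])))
        if c["writable"]:
            findings.append((bucket, "world-writable by " + ", ".join(c["writable"])))
    return findings


if __name__ == "__main__":
    for bucket, finding in audit_bucket_acls(SAMPLE_ACLS):
        print(f"{bucket:12} {finding}")
```

Two caveats when using this for real: READ on a bucket ACL grants listing, while reading individual objects is governed by each object's own ACL, and a bucket policy (`aws s3api get-bucket-policy`) can make a bucket public even when the ACL looks clean, so check both.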
CloudTrail allows organizations to create logging and audit trails of AWS API interactions.
General AWS CloudTrail vulnerabilities include:
Ability to access CloudTrail logs
Ability to disable CloudTrail logging
RDS, or Relational Database Service, makes it easy to set up, operate, and scale relational databases in the cloud. Supported engines include MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon's Aurora DB engine.
General AWS RDS Vulnerabilities include:
Database exposed to the Internet
CloudFormation is a template service that describes all the AWS resources that you want to deploy (like EC2 instances or RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you.
General AWS CloudFormation vulnerabilities include:
Templates with database passwords
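Passwords end up in CloudFormation templates in two ways: as a literal property value (an RDS MasterUserPassword, a Beanstalk environment variable) or as a parameter that lacks NoEcho or carries a Default, so the value is visible to anyone who can call describe-stacks. The script below is an added example for this page, not code from the original post or from AWS: it walks a constructed template (resource names and the literal passwords are made up) and reports both cases.

```python
import json

# Constructed CloudFormation template; resource names, parameter values and the
# literal passwords are made up for the demonstration.
SAMPLE_TEMPLATE = json.loads("""
{
 "Parameters": {
   "DBPassword":    {"Type": "String", "Default": "Summer2015!"},
   "AdminPassword": {"Type": "String", "NoEcho": true},
   "InstanceType":  {"Type": "String", "Default": "t2.micro"}
 },
 "Resources": {
   "LegacyDb": {"Type": "AWS::RDS::DBInstance",
     "Properties": {"MasterUsername": "admin", "MasterUserPassword": "hunter2", "Engine": "mysql"}},
   "NewDb": {"Type": "AWS::RDS::DBInstance",
     "Properties": {"MasterUsername": "admin", "MasterUserPassword": {"Ref": "AdminPassword"}, "Engine": "postgres"}},
   "App": {"Type": "AWS::ElasticBeanstalk::Environment",
     "Properties": {"OptionSettings": [{"Namespace": "aws:elasticbeanstalk:application:environment",
                                       "OptionName": "DB_PASSWORD", "Value": "hunter2"}]}}
 }
}
""")

SECRET_WORDS = ("password", "passwd", "secret")


def looks_secret(name):
    """Case-insensitive match of a key or parameter name against the secret-word list."""
    return any(w in name.lower() for w in SECRET_WORDS)


def audit_parameters(template):
    """Secret-looking parameters must be NoEcho and must not ship a default value."""
    findings = []
    for name, spec in template.get("Parameters", {}).items():
        if not looks_secret(name):
            continue
        if spec.get("NoEcho") is not True:
            findings.append(f"parameter {name} lacks NoEcho (value shows in describe-stacks output)")
        if "Default" in spec:
            findings.append(f"parameter {name} carries a default value in the template")
    return findings


def walk(node, path, findings):
    """Recurse through resource properties; a plain string under a secret-looking key is a finding.
    A dict value ({"Ref": ...}, {"Fn::...": ...}) is an intrinsic function, so it is not a literal."""
    if isinstance(node, dict):
        for key, value in node.items():
            if looks_secret(str(key)) and isinstance(value, str):
                findings.append(f"literal secret at {path}.{key}")
            else:
                walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            # Beanstalk-style {"OptionName": "DB_PASSWORD", "Value": "..."} pairs
            if (isinstance(item, dict) and looks_secret(str(item.get("OptionName", "")))
                    and isinstance(item.get("Value"), str)):
                findings.append(f"literal secret at {path}[{i}] ({item['OptionName']})")
            else:
                walk(item, f"{path}[{i}]", findings)


def audit_resources(template):
    findings = []
    for name, res in template.get("Resources", {}).items():
        walk(res.get("Properties", {}), name, findings)
    return findings


def audit_template(template):
    """Return all parameter and resource findings for one parsed template."""
    return audit_parameters(template) + audit_resources(template)


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

For live stacks, `aws cloudformation get-template --stack-name [stackname]` returns the template body to feed in; YAML templates need a YAML parser in place of json.loads, and the NewDb resource shows the clean pattern the others should move to.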
Elastic Beanstalk is a service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
General AWS Elastic Beanstalk vulnerabilities include:
Permissions to stand up fraudulent stacks
Lack of monitoring for fraudulent stacks
Get your current user:
aws iam get-user
List all users of IAM (Identity / Access Management):
aws iam list-users
List a user's access keys for IAM:
aws iam list-access-keys --user-name [username]
List the groups a user belongs to:
aws iam list-groups-for-user --user-name [username]
List policy names applied to a group:
aws iam list-group-policies --group-name [groupname]
Get the contents of a policy:
aws iam get-group-policy --group-name [groupname] --policy-name [policyname]
List CloudTrail trails:
aws --region us-east-1 cloudtrail describe-trails
Get CloudTrail logging status for a trail:
aws --region us-east-1 cloudtrail get-trail-status --name [default]
Stop CloudTrail logging:
aws --region us-east-1 cloudtrail stop-logging --name [default]
List s3 storage buckets:
aws s3 ls
Download files from s3:
aws s3 cp s3://[bucket]/[sub-folder]/[file.txt] ./localfile.txt
List CloudFormation stacks:
aws cloudformation list-stacks
Describe CloudFormation stacks:
aws cloudformation describe-stacks
List the EC2 SSH key pairs registered in the region (key names and fingerprints, not IAM access keys):
aws --region us-east-1 ec2 describe-key-pairs
List information about virtual machines / instances, such as volume IDs:
aws --region us-east-1 ec2 describe-instances
Get the console output of a specific instance:
aws --region us-east-1 ec2 get-console-output --instance-id [id]
Get security group IDs, names and firewall rules:
aws --region us-east-1 ec2 describe-security-groups
To view volumes:
aws --region us-east-1 ec2 describe-volumes
To view snapshots owned by the account, and find snapshot IDs (without --owner-ids self the call also returns every public snapshot):
aws --region us-east-1 ec2 describe-snapshots --owner-ids self #FilterOptions: --filters Name=status,Values=pending Name=tag-value,Values='*db_*'
View a snapshot's attributes, e.g. which accounts it is shared with:
aws --region us-east-1 ec2 describe-snapshot-attribute --snapshot-id [id] --attribute createVolumePermission
Start a new volume from a snapshot with encryption off (the volume must be created in an availability zone of the same region):
aws --region us-east-1 ec2 create-volume --no-encrypted --snapshot-id [id] --availability-zone [az]
Less useful: get-password-data returns the encrypted Windows administrator password blob, not a plaintext password:
aws --region us-east-1 ec2 get-password-data --instance-id [id]
If you are looking at a massive AWS environment, I suggest using iSEC Partners' Scout2 to automate the assessment; it even supports multi-factor authentication. This tool is great for its output! It groups all of the findings by service, which makes grouping, details, seeing specific vulnerabilities and the scope they affect easy to digest. Further, it automates the process across all regions, so you don't miss any services in any region. You can also add custom rule sets to the default findings, allowing the addition of vulnerabilities your organization has determined independently or within the scope of your assessment. To use it, install it and follow the instructions below:
Export your keys as environment variables:
export AWS_ACCESS_KEY_ID=[YOUR ACCESS KEY]
export AWS_SECRET_ACCESS_KEY=[YOUR SECRET KEY]
Or create a CSV file with the API keys:
echo "[YOUR USERNAME],[YOUR ACCESS KEY],[YOUR SECRET KEY]" > ~/.aws/creds.csv
And run scout pointing to your CSV:
python Scout2.py --credentials ~/.aws/creds.csv
Another good tool out there for both auditing and monitoring your AWS environment is Netflix's Security Monkey. Netflix produces a lot of AWS tools, but Security Monkey is perfectly in line with our goals of finding AWS misconfigurations as well as alerting if these misconfigurations pop back up in the future. There's a lot of documentation on Security Monkey, so I'm not going to go into this tool too much now.
Lastly, I want to leave you with a general overview of AWS security, and why this is such a cool platform to mess with: