DTS Solution
DTS Solution

AWS Security Assessment

AWS Security Assessment
What is a AWS?
Amazon Web Services (AWS) is a cloud service from Amazon, which provides services in the form of building blocks, these building blocks can be used to create and deploy any type of application in the cloud. These services or building blocks are designed to work with each other, and result in applications which are sophisticated and highly scalable.
Each type of service in AWS, is categorized under a domain, the few domains which are widely used are:
  1. Compute
  2. Storage
  3. Database
  4. Migration
  5. Network and Content Delivery
  6. Management Tools
  7. Security & Identity Compliance
  8. Messaging

AWS Security Assessment

What is a AWS?
Amazon Web Services (AWS) is a cloud service from Amazon, which provides services in the form of building blocks, these building blocks can be used to create and deploy any type of application in the cloud. These services or building blocks are designed to work with each other, and result in applications which are sophisticated and highly scalable.
Each type of service in AWS, is categorized under a domain, the few domains which are widely used are:
  1. Compute
  2. Storage
  3. Database
  4. Migration
  5. Network and Content Delivery
  6. Management Tools
  7. Security & Identity Compliance
  8. Messaging
Why AWS Security Assessment is different than VAPT Engagement?
The methodologies used to pentest traditional security infrastructure and the AWS Cloud differ in a multitude of ways. Most of these differences refer back to the ownership of the systems. Since Amazon owns the core infrastructure, the methodology used in traditional VAPT would violate the AWS acceptable use policies and potentially invoke incident response procedures by the AWS security team.
Amazon Cloud Penetration Testing Rules
Amazon Cloud Penetration Testing Rules
  1. AWS EC2 instance excluding tactics related to disruption of business continuity such as launching Denial of Service (DOS) attacks
  2. The implementation and configuration of Vendor Operated Services,
  3. AWS services such as Cloudfront and the API Gateway configuration may be pentested but the hosting infrastructure is off limits.
  4. Areas of the AWS Elastic Cloud Computing (EC2) service including:
  • The Application Programming Interface (API) (e.g. HTTP/HTTPS)
  • Various Web and mobile applications that hosted by your organization
  • The application server and associated stack (e.g. programming languages such Python, React)
  • Virtual machines and operating systems
Top 5 Vulnerabilities to Test for in AWS
While there are a number of common AWS-specific vulnerabilities we often see, some are more regular than others. Below are the top 5 vulnerabilities we see when testing against this architecture:
  1. Testing S3 bucket configuration and permissions flaws
  2. Targeting and compromising AWS IAM keys
  3. Cloudfront/WAF Misconfiguration Bypasses
  4. Establishing private-cloud access through Lambda backdoor functions
  5. Cover tracks by obfuscating CloudTrail logs

Why AWS Security Assessment is different than VAPT Engagement?

The methodologies used to pentest traditional security infrastructure and the AWS Cloud differ in a multitude of ways. Most of these differences refer back to the ownership of the systems. Since Amazon owns the core infrastructure, the methodology used in traditional VAPT would violate the AWS acceptable use policies and potentially invoke incident response procedures by the AWS security team.
Amazon Cloud Penetration Testing Rules
AWS permits security testing for User-Operated Services, which includes cloud offerings created and configured by the user. Here are a few examples:
  1. AWS EC2 instance excluding tactics related to disruption of business continuity such as launching Denial of Service (DOS) attacks
  2. The implementation and configuration of Vendor Operated Services,
  3. AWS services such as Cloudfront and the API Gateway configuration may be pentested but the hosting infrastructure is off limits.
  4. Areas of the AWS Elastic Cloud Computing (EC2) service including:
  • The Application Programming Interface (API) (e.g. HTTP/HTTPS)
  • Various Web and mobile applications that hosted by your organization
  • The application server and associated stack (e.g. programming languages such Python, React)
  • Virtual machines and operating systems
Top 5 Vulnerabilities to Test for in AWS
While there are a number of common AWS-specific vulnerabilities we often see, some are more regular than others. Below are the top 5 vulnerabilities we see when testing against this architecture:
  1. Testing S3 bucket configuration and permissions flaws
  2. Targeting and compromising AWS IAM keys
  3. Cloudfront/WAF Misconfiguration Bypasses
  4. Establishing private-cloud access through Lambda backdoor functions
  5. Cover tracks by obfuscating CloudTrail logs
WHAT STEPS SHOULD I TAKE BEFORE THE PENTEST?
Performing a pentest within the cloud requires adequate planning and expert knowledge. General steps and preparation that should be taken before the pentest begins include:
  1. Defining the scope, including the AWS environment and target systems
  2. Run your own preliminary
  3. Determine the type of pentest you would like conducted (e.g. black box, white box, gray box)
  4. Outline expectations for both internal stakeholders and the pentesting company
  5. Establishing a timeline for the technical assessment to occur, receive formal reports, and potential remediation and follow-up testing
  6. Developing the protocol and rules of engagement if the pentest reveals the client may already have been breached or is under an ongoing (live) attack
  7. Obtaining written approval to conduct the test by the client (and other third parties that may be involved)
DevSecOps Pipelines Considerations in AWS
Amazon clouds support multiple services which can be used in a DevOps environment like:
  • Cloud9 SDK which is a cloud-based IDE where you can write, run and debug your code from a browser.
  • AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.
  • AWS CodeBuild is a service where developers can compile their source code , perform integration from multiple SCMs and create build artifacts.
  • AWS S3 buckets are used for storing the final build artifacts and binaries.
  • AWS CodeDeploy is a service that pulls the binary artifacts from S3 buckets and deploys them in pre-provisioned AWS environments like EC2, ElasticBeanstalk and ECS.
  • Finally, we have the AWS CodePipeline which orchestrates the various builds and deploy stages defined in CodeBuild and CodeDeploy giving you a fully managed continuous delivery service.
Hence AWS provides a lot of security tools in native cloud format, however, those tools generally focus more on monitoring and reporting, thus, requiring us to deploy and use and our own tools to address other areas.
Integrating security in an AWS environment will take similar steps as required in an On-prem environment like integrating a code analyzer tool in SAST (static application security testing) or a dependency checker in the SCA (software composition analysis) however The configuration of various tools in AWS environment for execution will be different.
In an on-prem model tools can be downloaded at will and executed in a script or a docker container. However in cloud, as billing is generally on usage, download incurs extra charges and hence the strategy with using these tools in AWS would be to create a tools repository using an S3 bucket and referencing this S3 bucket in each build configuration file. Each stage will have its own build configuration file wherein the tools would be fetched from the internal S3 bucket and executed.

These tools will be needed to be updated regularly for which we can employ a Lambda function which would periodically check for new versions. If the tool is compatible with the AWS Lambda specifications, then converting the tool as a Lambda service would be an exceptionally great task and for vulnerability management. Refer to “Tools” section for suitable tools.

DevSecOps Pipelines Considerations in AWS

Amazon clouds support multiple services which can be used in a DevOps environment like:
  • Cloud9 SDK which is a cloud-based IDE where you can write, run and debug your code from a browser.
  • AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.
  • AWS CodeBuild is a service where developers can compile their source code , perform integration from multiple SCMs and create build artifacts.
  • AWS S3 buckets are used for storing the final build artifacts and binaries.
  • AWS CodeDeploy is a service that pulls the binary artifacts from S3 buckets and deploys them in pre-provisioned AWS environments like EC2, ElasticBeanstalk and ECS.
  • Finally, we have the AWS CodePipeline which orchestrates the various builds and deploy stages defined in CodeBuild and CodeDeploy giving you a fully managed continuous delivery service.
Hence AWS provides a lot of security tools in native cloud format, however, those tools generally focus more on monitoring and reporting, thus, requiring us to deploy and use and our own tools to address other areas.
Integrating security in an AWS environment will take similar steps as required in an On-prem environment like integrating a code analyzer tool in SAST (static application security testing) or a dependency checker in the SCA (software composition analysis) however The configuration of various tools in AWS environment for execution will be different.
In an on-prem model tools can be downloaded at will and executed in a script or a docker container. However in cloud, as billing is generally on usage, download incurs extra charges and hence the strategy with using these tools in AWS would be to create a tools repository using an S3 bucket and referencing this S3 bucket in each build configuration file. Each stage will have its own build configuration file wherein the tools would be fetched from the internal S3 bucket and executed.

These tools will be needed to be updated regularly for which we can employ a Lambda function which would periodically check for new versions. If the tool is compatible with the AWS Lambda specifications, then converting the tool as a Lambda service would be an exceptionally great task and for vulnerability management. Refer to “Tools” section for suitable tools.

Threat Landscape in AWS DevOps Environment
Here are the issues describing the complete AWS threat landscape
Access Control Security Misconfiguration
In AWS, access control is managed through the IAM Policies. A policy is an object in AWS that, when associated with an identity or resources, define their permissions. If an EC2 object needs to access an S3 bucket, specific permissions are needed. An oversight or granting of excessive privileges can lead to various scenarios where S3 buckets have public access leading to a possible leakage of sensitive information.
Network Security Misconfiguration

The diagram on the right shows a typical flow of network traffic and the different places where it can be tapped. Security Groups are like host-based firewalls for individual EC2 instances. Network Access Control Lists (NACL) can be configured for a group of EC2 instances. Route Tables are configured for routing traffic amongst different networks and finally we have VPC’s which are the final overarching network segmentation module connected to an Internet Gateway.

It is very much possible to have misconfiguration in such complex infrastructure.

Below section focuses on various tools offered by AWS as well as some other open source tools that can be utilized.
Tool Category Description
AWS CloudWatch Logging and Monitoring
  • Single point log aggregation utility
  • SDK for application logging
  • Define metrics and configure alerts
  • Example: monitoring CPU utilization across all systems for possible BITCOIN mining
AWS CloudTrail Logging and Auditing
  • Auditing for all API events
  • Users as well as system events are recorded
  • Can feed into CloudWatch for alerts
  • Example: admin user logging in from a different country
AWS Config Compliance and Configuration Management
  • Audit and review changes in AWS infrastructure
  • Assess changes against a set of rules by setting alerts for any deviation
  • Example: new security group added
AWS Inspector Security and Compliance
  • Vulnerability assessment tool for EC2 instances
  • Example: running a vulnerable service or server not setup as per a defined template
Prowler Security Hardening
  • Open source tool for hardening an AWS infrastructure
  • Runs checks against CIS benchmarks for AWS
Security Monkey Configuration Management
  • Checks for changes in configuration and policy changes
  • Assess changes against secure practices and sends alerts for any insecure changes
ScoutSuite Security and Compliance
  • Multi-cloud security auditing tools against the deployed configuration
  • Reads configurations and highlights security gaps
AWS Secrets Manager Secrets Management
  • Manages application credentials to avoid exposure
  • Tokenizes credentials which can be rotated
  • Policy enforcement
AWS WAF Firewall
  • Web application firewall for monitoring of application security issues
AWS IAM Keys Leakage
AWS if an EC2 instance needs to access an S3 bucket, proper IAM roles needs to be configured. IAM roles are permissions between AWS services which are different than user permissions. Hence if a service needs programmatic access to AWS resources then it needs a set of AWS access keys which can be obtained from a metadata URL.
There are two ways in which these keys can be leaked/exposed
  • If an application deployed on an EC2 instance is having an RCE or an SSRF vulnerability then an attacker can request the URL, obtain the AWS Access Keys and gain access to all available AWS resources.
  • Accidentally committing source code containing the AWS Keys, exposed in publicly accessible folders etc.
AWS IAM keys leakage can be prevented by employing pre-commit hooks like Talisman which detect for such information before developers can commit changes into a repo.
Exploiting Billing Caps
If your AWS keys are compromised the very first thing that attackers would do is setup EC2 instances and start BITCOIN mining.
The key point to understand here is that it is not just storage costs, but also “Per Request” costs that need to be considered.
One of the best practices while using AWS is to create billing alerts for your AWS accounts so as to protect yourself from being overcharged.
Tools to help you secure your AWS clouds environment
Keep in mind the following tools are not the industry de facto and are subject to constant change.
  • Archery, Open source vulnerability assessment and management tool which can be utilized in a DevOps CI/CD environment
  • AWS Recipes by NCCGroup, helpful CloudFront and IAM templates and policies to lock down your environment
AWS Security benchmark by AWSLabs, contains benchmark governance rules

Threat Landscape in AWS DevOps Environment

Here are the issues describing the complete AWS threat landscape
Access Control Security Misconfiguration
In AWS, access control is managed through the IAM Policies. A policy is an object in AWS that, when associated with an identity or resources, define their permissions. If an EC2 object needs to access an S3 bucket, specific permissions are needed. An oversight or granting of excessive privileges can lead to various scenarios where S3 buckets have public access leading to a possible leakage of sensitive information.
Network Security Misconfiguration

The diagram on the right shows a typical flow of network traffic and the different places where it can be tapped. Security Groups are like host-based firewalls for individual EC2 instances. Network Access Control Lists (NACL) can be configured for a group of EC2 instances. Route Tables are configured for routing traffic amongst different networks and finally we have VPC’s which are the final overarching network segmentation module connected to an Internet Gateway.

It is very much possible to have misconfiguration in such complex infrastructure.

Below section focuses on various tools offered by AWS as well as some other open source tools that can be utilized.

ToolCategoryDescription
AWS CloudWatchLogging and Monitoring
  • Single point log aggregation utility
  • SDK for application logging
  • Define metrics and configure alerts
  • Example: monitoring CPU utilization across all systems for possible BITCOIN mining
AWS CloudTrailLogging and Auditing
  • Auditing for all API events
  • Users as well as system events are recorded
  • Can feed into CloudWatch for alerts
  • Example: admin user logging in from a different country
AWS ConfigCompliance and Configuration Management
  • Audit and review changes in AWS infrastructure
  • Assess changes against a set of rules by setting alerts for any deviation
  • Example: new security group added
AWS InspectorSecurity and Compliance
  • Vulnerability assessment tool for EC2 instances
  • Example: running a vulnerable service or server not setup as per a defined template
ProwlerSecurity Hardening
  • Open source tool for hardening an AWS infrastructure
  • Runs checks against CIS benchmarks for AWS
Security MonkeyConfiguration Management
  • Checks for changes in configuration and policy changes
  • Assess changes against secure practices and sends alerts for any insecure changes
ScoutSuiteSecurity and Compliance
  • Multi-cloud security auditing tools against the deployed configuration
  • Reads configurations and highlights security gaps
AWS Secrets ManagerSecrets Management
  • Manages application credentials to avoid exposure
  • Tokenizes credentials which can be rotated
  • Policy enforcement
AWS WAFFirewall
  • Web application firewall for monitoring of application security issues
AWS IAM Keys Leakage
AWS if an EC2 instance needs to access an S3 bucket, proper IAM roles needs to be configured. IAM roles are permissions between AWS services which are different than user permissions. Hence if a service needs programmatic access to AWS resources then it needs a set of AWS access keys which can be obtained from a metadata URL.
There are two ways in which these keys can be leaked/exposed
  • If an application deployed on an EC2 instance is having an RCE or an SSRF vulnerability then an attacker can request the URL, obtain the AWS Access Keys and gain access to all available AWS resources.
  • Accidentally committing source code containing the AWS Keys, exposed in publicly accessible folders etc.
AWS IAM keys leakage can be prevented by employing pre-commit hooks like Talisman which detect for such information before developers can commit changes into a repo.
Exploiting Billing Caps
If your AWS keys are compromised the very first thing that attackers would do is setup EC2 instances and start BITCOIN mining.
The key point to understand here is that it is not just storage costs, but also “Per Request” costs that need to be considered.
One of the best practices while using AWS is to create billing alerts for your AWS accounts so as to protect yourself from being overcharged.
Tools to help you secure your AWS clouds environment
Keep in mind the following tools are not the industry de facto and are subject to constant change.
  • Archery, Open source vulnerability assessment and management tool which can be utilized in a DevOps CI/CD environment
  • AWS Recipes by NCCGroup, helpful CloudFront and IAM templates and policies to lock down your environment
    AWS Security benchmark by AWSLabs, contains benchmark governance rules

See also:

API Security Assessment

April 6, 2021

SOAR Features and Use Cases

January 10, 2021

Dark Web and Threat Intelligence

December 31 , 2020

Linkedin X-twitter Facebook Youtube

© Copyrights 2024.
All rights reserved by DTS Solution 
– Cyber Security Redefined

Solutions

Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response

Industry

Critical Infrastructure
Education
Energy and Utilities
Enterprise and Service Providers
Financial Services and FinTech
Government
Healthcare and BioTech
Legal
Manufacturing
Media and Entertainment
Retail and Ecommerce
Technology and Digital

Services
Cyber Strategy
Cyber Secure
Cyber Operations
Cyber Response
Cyber Resilience
Products

COMPLYAN
FYNSEC
HAWKEYE CSOC WIKI
Firewall Policy Builder

Other

About Us
Awards
Board of Directors
Leadership
Careers
Support
Contact
Vendors
Resources
Press Center
Privacy Policy

Accreditations
ISO27001
ISO45001
CREST
Accreditations
ISO27001
ISO45001
CREST

  Dubai

Office 4, Oasis Center
Sheikh Zayed Road
PO Box 128698
Dubai, UAE

+971 4 3383365
[email protected]
   Abu Dhabi

Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE

+971 2 6573566
[email protected]

   Kuwait

Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait


+971 4 3383365
[email protected]

   London

160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574

+44 20 3287 3942
[email protected]

The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.

DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.