Book Image

AWS Penetration Testing

By : Jonathan Helmus
Book Image

AWS Penetration Testing

By: Jonathan Helmus

Overview of this book

Cloud security has always been treated as the highest priority by AWS while designing a robust cloud infrastructure. AWS has now extended its support to allow users and security experts to perform penetration tests on its environment. This has not only revealed a number of loopholes and brought vulnerable points in their existing system to the fore, but has also opened up opportunities for organizations to build a secure cloud environment. This book teaches you how to perform penetration tests in a controlled AWS environment. You'll begin by performing security assessments of major AWS resources such as Amazon EC2 instances, Amazon S3, Amazon API Gateway, and AWS Lambda. Throughout the course of this book, you'll also learn about specific tests such as exploiting applications, testing permissions flaws, and discovering weak policies. Moving on, you'll discover how to establish private-cloud access through backdoor Lambda functions. As you advance, you'll explore the no-go areas where users can’t make changes due to vendor restrictions and find out how you can avoid being flagged to AWS in these cases. Finally, this book will take you through tips and tricks for securing your cloud environment in a professional way. By the end of this penetration testing book, you'll have become well-versed in a variety of ethical hacking techniques for securing your AWS environment against modern cyber threats.

Related Content you might be interested in

Current Title:

Small book image
AWS Penetration Testing
Jonathan Helmus
Dec, 2020 | 330 pages
Small book image
Hands-On AWS Penetration Testing with Kali Linux
Kirit Sankar Gupta | Benjamin Caudill
Apr, 2019 | 508 pages
Small book image
Learn Kali Linux 2019
Glen D Singh
Nov, 2019 | 550 pages
Small book image
The Ultimate Kali Linux Book
Glen D Singh
Feb, 2022 | 742 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Setting Up AWS and Pentesting Environments
Section 1: Setting Up AWS and Pentesting Environments
Free Chapter
2
Chapter 1: Building Your AWS Environment
Chapter 1: Building Your AWS Environment
Technical requirements
Exploring Amazon Web Services (AWS)
Understanding our testing environment
Configuring your environment
Exploring vulnerable services
Attacking vulnerabilities
The AWS Command Line Interface (CLI)
Summary
Further reading
3
Chapter 2: Pentesting and Ethical Hacking
Chapter 2: Pentesting and Ethical Hacking
Technical requirements
What is penetration testing?
Kali Linux
Operating systems
Summary
Further reading
4
Section 2: Pentesting the Cloud – Exploiting AWS
Section 2: Pentesting the Cloud – Exploiting AWS
5
Chapter 3: Exploring Pentesting and AWS
Chapter 3: Exploring Pentesting and AWS
Technical requirements
Exploring reconnaissance
Enumerating and understanding AWS services
Scanning and examining targets for reconnaissance
Knowing the attacker
Creating attack paths
Discovering SSH keys
Scanning and connecting to AWS
Learning from experience
Summary
Further reading
6
Chapter 4: Exploiting S3 Buckets
Chapter 4: Exploiting S3 Buckets
Technical requirements
AWS Regions and Availability Zones
Connecting and manipulating S3 buckets
Bucket policies and ACLs
Public buckets
Scripts to find private buckets
Goal-based pentesting scenarios
Discovering buckets with Grayhat Warfare
S3 Burp Suite extensions
Summary
Further reading
7
Chapter 5: Understanding Vulnerable RDS Services
Chapter 5: Understanding Vulnerable RDS Services
Technical requirements
Understanding RDS
Setting up RDS (MySQL)
Understanding basic SQL syntax
Database maneuvering and exploration
Understanding misconfigurations
Learning about injection points
Summary
Further reading
8
Chapter 6: Setting Up and Pentesting AWS Aurora RDS
Chapter 6: Setting Up and Pentesting AWS Aurora RDS
Technical requirements
Understanding and setting up the Aurora RDS
White box/functional pentesting Aurora
Setting up a lab for SQLi
Fun with SQLi
Avoiding DoS
Summary
Further reading
9
Chapter 7: Assessing and Pentesting Lambda Services
Chapter 7: Assessing and Pentesting Lambda Services
Technical requirements
Understanding and setting up a Lambda service
Digging into Lambda
Understanding misconfigurations
Popping reverse shells with Lambda
Summary
Further reading
10
Chapter 8: Assessing AWS API Gateway
Chapter 8: Assessing AWS API Gateway
Technical requirements
Exploring and configuring AWS APIs
Creating our first API with AWS
Getting started with Burp Suite
Inspecting traffic with Burp Suite
Manipulating API calls
Summary
Further reading
11
Chapter 9: Real-Life Pentesting with Metasploit and More!
Chapter 9: Real-Life Pentesting with Metasploit and More!
Technical requirements
Real pentesting with Metasploit
The pentest pregame
Targeting WordPress for exploitation
Targeting vulnerable service applications
Exploring AWS Metasploit modules
Summary
Further reading
12
Section 3: Lessons Learned – Report Writing, Staying within Scope, and Continued Learning
Section 3: Lessons Learned – Report Writing, Staying within Scope, and Continued Learning
13
Chapter 10: Pentesting Best Practices
Chapter 10: Pentesting Best Practices
Technical requirements
Pentesting methodology for AWS
Knowing your pentest and the unknowns of AWS pentesting
Pre-conditioning for the pentest
Avoiding communication breakdown
Achieving security and not obscurity
Post-pentest – after the pentest
Summary
Further reading
14
Chapter 11: Staying Out of Trouble
Chapter 11: Staying Out of Trouble
Prohibited activities
Avoiding legal issues
Stress testing
Summary
Further reading
15
Chapter 12: Other Projects with AWS
Chapter 12: Other Projects with AWS
Technical requirements
Understanding the MITRE ATT&CK framework
Taking the bait with phishing
Summary
Further reading
16
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Exploring Amazon Web Services (AWS)

AWS is a cloud service provided by Seattle tech company, Amazon. AWS's comprehensive and easy-to-use setup makes it very attractive to small start-ups and large corporations. It works by allowing companies and businesses to set up their infrastructure off-premises and within the physical resources of Amazon. This type of service, called Infrastructure as a Service, delivers cloud computing as a whole service. You will see more of how easy it is to automate and build in AWS as we set up our lab throughout this book. However, you'll also notice some issues that may commonly be overlooked, such as security.

AWS doesn't take full responsibility for companies' data and security. In fact, Amazon has put out a shared responsibility model that ensures that both parties understand their rights and responsibilities in terms of customers' data. After all, Amazon is a company that is known as customer-obsessed.

AWS security and penetration testing

As you read through this book, you'll be exposed to some different concepts that may not have been discussed before. The reason for this is due to AWS pentesting being a relatively new subject that is gaining popularity in the security space of information technology. The good thing about this is it allows subject matter experts to lend a hand in helping to create a pentesting culture around AWS and provides newer ideas for how penetration testing is executed in both AWS and system security.

Next, you're going to dive into AWS and create an account of your very own. After that, we'll get started by creating our own cloud pentest playground where we will set up a vulnerable host that can be tested later on.

Previous Section
End of Section 3
Next Section