AWS AZURE Google Cloud Penetration Testing and Security

Michael Mancuso
Jul 11 · 7 min read

A) Links and Resources for Cloud fundamentals

1) Introduction to Cloud Computing: https://www.gracefulsecurity.com/an-introduction-to-cloud-computing/

2) SANS: https://pen-testing.sans.org/blog/2012/07/05/pen-testing-in-the-cloud

B) AWS Official Guide for Permission and Penetration Testing: https://aws.amazon.com/security/penetration-testing/

C) Links and Resources for AWS Pen testing

1) https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/

2) https://www.provensec.com/penetration-testing-aws-s3-bucket/

3) Rhinosecuritylabs links — https://rhinosecuritylabs.com/blog/?category=aws

Check all the links. This is one of the best resources available on the internet for AWS pen testing. It covers S3 bucket vulnerabilities, IAM, AWS privilege escalation and more.

4) https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/

D) Links and Resources for Azure Pen testing

1) An Introduction to Pen testing Azure: https://www.gracefulsecurity.com/an-introduction-to-pentesting-azure/

E) Write-ups

1) https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/

2) https://hackerone.com/reports/128088

F) Tools

1) https://www.peerlyst.com/posts/a-list-of-tools-you-can-use-to-security-test-your-amazon-aws-services-guurhart

2) SkyArk — https://github.com/cyberark/SkyArk

3) Pacu — https://github.com/RhinoSecurityLabs/pacu

4) Script for checking/testing Privilege Escalation on AWS — https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

5) AWS Exploitation Framework (Pacu): https://github.com/RhinoSecurityLabs/pacu

G) CTF

1) AWS — http://flaws.cloud/

How to harden AWS Architecture? Security Recommendations and Personal Experience.

“Cloud implies someone else’s computer or server connected to a network.” — This was my favorite answer to my audience when I conducted cyber security awareness training.

The current interest in cloud comes from the fact that businesses are going digital and mobile. This drives a transformation, mainly in the form of cloud adoption.

Implementing cloud MUST be aligned with security measures to tackle the associated cyber risks.

Security is an advantage, and a competitive value. I believe that the responsibilities of the security professional handling cloud transformation include architecture review and hardening the configuration of the cloud architecture and subsequent security requirements. Amazon’s shared security model outlines the security responsibility under the customer’s obligations, but does not provide detailed guidance on building secure systems.

The popular cloud service providers are Microsoft and Amazon. Recently, I have been working on AWS and would like to have your feedback and comments on the hardening recommendations that I have been advising and putting in place.

The purpose of this resource is to establish security recommendations of the current AWS platform.

I also read and use the AWS Best Practices Whitepaper on:

https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

AWS Regions and Services

Let’s take the architecture below as an example.

I have used Amazon Virtual Private Cloud. A VPC lets you provision a logically separate unit in which you launch the AWS resources you will use. You can choose your IP address range, create subnets, and configure routing tables and network gateways. AWS supports both IPv4 and IPv6.

Ensure that you read the documentation on the AWS website, and focus on the topics related to your case. There is a lot of information, and it can become overwhelming.

In the VPC, I have hosted Amazon Elastic Compute Cloud (EC2) instances. Amazon EC2 is hosted in multiple locations around the world. AWS organises these locations into regions and availability zones. Each region is a distinct geographic area.

Ensure that you look at the regions and the services available in each. Services that might be critical to you are not available everywhere: WAF, for example, is not available in Singapore directly on a load balancer. To use WAF in this particular region, you need to use CloudFront.

I have also defined a public and a private subnet. Access to the Internet was only available from the public subnet through an Internet Gateway.

The table below can easily be found on the AWS website.

My recommendations in alignment with AWS best practices are:

  • Enable a log metric filter and alarm for VPC changes.
  • Enable VPC flow logging.
  • Ensure that the security group limits all traffic by default.
  • Ensure least access for VPC routing tables.

Implement Security Groups and Network ACL

The first important thing to do is to configure Security Groups and Network ACLs correctly. This supports access restriction and defines the levels of granularity.

In AWS, both Network ACLs and Security Groups are equivalent to firewalls. A Network ACL is equivalent to a “firewall” securing VPCs and subnets. A Security Group is equivalent to a “firewall” securing instances.

Security groups represent the first level of defense and Network ACLs represent the second level of defense.

In Security Groups, you can specify allow rules but not deny rules, and you can specify distinct rules for inbound and outbound traffic. Network ACLs support both allow and deny rules.

My recommendations in alignment with AWS best practices are:

  • Ensure that there are no security groups allowing ingress from 0.0.0.0/0 to port 22.
  • Ensure that there are no security groups allowing ingress from 0.0.0.0/0 to port 3389.
  • Ensure that you enabled a log metric filter and an alarm for security group changes.
  • Ensure that you enabled a log metric filter and alarm for changes to NACL.
  • Ensure that you enabled a log metric filter and alarm for changes to network gateways.
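One way to check the first two points above, as an added example that is not from the article: a Python function that scans the security-group descriptions returned by boto3's ec2.describe_security_groups() for rules exposing port 22 or 3389 to 0.0.0.0/0 or ::/0. It also treats an “all traffic” rule (IpProtocol "-1") and a TCP port range containing the port as exposures, which a check for exact 22/22 rules would miss. The group ids in the sample are constructed.

```python
# Added example (not from the article): audit the output of boto3's
# ec2.describe_security_groups() for ingress from anywhere to SSH/RDP.
from typing import Dict, Iterable, List, Tuple

ADMIN_PORTS = (22, 3389)                 # the two ports the recommendations name
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}      # "anyone on the internet", IPv4 and IPv6

def rule_reaches_port(perm: Dict, port: int) -> bool:
    """True if one IpPermissions entry covers `port` (TCP range, or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                    # "All traffic": every port, every protocol
        return True
    if proto not in ("tcp", "6"):
        return False
    # Ranges such as 0-1024 expose the port just as well as an exact match.
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def world_open_cidrs(perm: Dict) -> List[str]:
    """CIDRs in this rule that are open to the whole internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
    return v4 + v6

def find_world_open_admin_ports(groups: Iterable[Dict]) -> List[Tuple[str, int, str]]:
    """Return (GroupId, port, cidr) for every rule exposing 22 or 3389 to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in world_open_cidrs(perm):
                for port in ADMIN_PORTS:
                    if rule_reaches_port(perm, port):
                        findings.append((sg["GroupId"], port, cidr))
    return findings

# Constructed sample (hypothetical group ids): a bastion open to the world on
# 22, a group with an "all traffic" rule open over IPv6, and a correctly scoped one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ok", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    # Live account: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for gid, port, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: port {port} open to {cidr}")
```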

Create Users using IAM & Enable Password Policy

AWS allows you to control your users’ access to services through AWS Identity and Access Management (IAM).

You need to define the various users for your company and assign them adequate roles through IAM. Think about this step carefully. I also added contact details for support and maintenance.

My recommendations in alignment with AWS best practices are:

  • Ensure that IAM Master and IAM Manager roles are active.

Before addressing the details of the different users’ configurations, a password policy is a must. Ensure that you put the right password policy in place for IAM users.

From AWS best practices and my own approach, I have followed the below:

  • A minimum length of 12 or greater. AWS best practices suggest 14 characters; however, I left it at 12 characters with two-factor authentication, using Google Authenticator.
  • Limit password reuse. I have configured a minimum of 10 old passwords to remember.
  • Set an expiry time for passwords. I have configured passwords to expire within 90 days.

IAM covers all users’ roles, including the root account. The root account is critical, so it is important to apply the right measures. I have applied two-factor authentication and enabled hardware MFA.

Please make sure that when you create a user, you do not set up access keys during the initial user setup for IAM users that have a console password.

Another measure that adds a layer of security is the security questions registered on the AWS account. They should be verified and approved manually.

After setting up your users, ensure that you have put the right permissions in place through IAM policies. A policy allows you to assign permissions to a user, group, role, or resource. It describes which actions you allow, on which resource, and with what effect.

You will need to ensure that IAM policies are attached only to groups or roles.

Enable detailed billing

Considering that AWS services are not available in all regions, you might want to follow your billing in detail. Adding new services might end up being costly. Detailed billing information provides details about your charges, but calculates the individual line items differently than the AWS cost report.

Enable CloudTrail & CloudWatch

CloudTrail and CloudWatch both allow you to monitor your AWS services. However, they are different: CloudTrail’s main function is to monitor the API calls made to a service, while CloudWatch is used for logging events that happen on an AWS service.

My recommendations in alignment with AWS best practices are:

  • Ensure that CloudTrail is enabled in your region. (yes, yes, even if it seems common sense 😊 )
  • Ensure that the CloudTrail log file validation is enabled.
  • Ensure that CloudTrail logs are not publicly available.
  • Ensure that CloudTrail trails are integrated with CloudWatch Logs.
  • Ensure that you enable a log metric filter for unauthorized API calls.
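The last point, worked through as an added example (not from the article): the CIS AWS Foundations Benchmark filter pattern for unauthorized API calls, re-implemented in Python and run over constructed CloudTrail log lines so the matching behaviour can be verified before the filter is deployed to CloudWatch Logs. The account id and user names in the sample are hypothetical.

```python
# Added example (not from the article): the CIS AWS Foundations metric filter for
# unauthorized API calls, applied locally to constructed CloudTrail records so the
# detection logic can be checked before it is deployed to CloudWatch Logs.
import fnmatch
import json
from collections import Counter
from typing import Dict, Iterable, List

# Pattern from the CIS benchmark the article links: an errorCode ending in
# "UnauthorizedOperation" or starting with "AccessDenied".
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
ERROR_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")

def is_unauthorized_call(event: Dict) -> bool:
    """Mirror the filter: CloudWatch '*' is a glob wildcard, compared against errorCode."""
    code = event.get("errorCode")
    return isinstance(code, str) and any(fnmatch.fnmatchcase(code, g) for g in ERROR_GLOBS)

def count_by_principal(records: Iterable[Dict]) -> Counter:
    """Matches per calling identity, the view an alarm on this metric would escalate."""
    hits = Counter()
    for rec in records:
        if is_unauthorized_call(rec):
            who = rec.get("userIdentity", {}).get("arn", "unknown")
            hits[who] += 1
    return hits

def parse_log_lines(lines: Iterable[str]) -> List[Dict]:
    """CloudWatch delivers one JSON CloudTrail record per log line."""
    return [json.loads(line) for line in lines if line.strip()]

# Constructed sample log lines (hypothetical account id and user names).
SAMPLE_LINES = [
    '{"eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation",'
    ' "userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev-jane"}}',
    '{"eventName":"GetObject","errorCode":"AccessDenied",'
    ' "userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev-jane"}}',
    '{"eventName":"ListBuckets",'
    ' "userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops-bob"}}',
    '{"eventName":"CreateUser","errorCode":"EntityAlreadyExists",'
    ' "userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops-bob"}}',
]

if __name__ == "__main__":
    # To deploy for real: boto3.client("logs").put_metric_filter(logGroupName=...,
    # filterName="UnauthorizedAPICalls", filterPattern=FILTER_PATTERN, metricTransformations=[...])
    for who, n in count_by_principal(parse_log_lines(SAMPLE_LINES)).items():
        print(f"{n} unauthorized call(s) from {who}")
```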

I have tried to describe the main essential points to harden the AWS configuration as per my experience and AWS best practices. Please feel free to comment, ask or share your own experience.

The next episode on how to harden AWS configuration is coming soon. Stay tuned.
