Guide to AWS Penetration Testing

Osama Avvan
6 min read · Jun 5, 2024


Cloud security is an ever-evolving domain, and AWS, being a leader in cloud services, is often a target for penetration testers aiming to identify and mitigate security vulnerabilities. There are several tools designed specifically for AWS pentesting that can help security professionals assess the security posture of their AWS environments. This write-up covers four popular AWS pentesting tools: Pacu, ScoutSuite, Enumerate-IAM, and PMapper.

Pacu

Pacu is an open-source AWS exploitation framework designed for offensive security testing. It allows penetration testers to simulate real-world attack scenarios on AWS environments to identify security weaknesses.

Features:

Modular Design: Pacu has a modular architecture, enabling users to load specific modules for various tasks such as enumeration, privilege escalation, and exploitation.
Automation: Automates many of the tedious tasks associated with AWS penetration testing.
Credential Management: Handles multiple AWS credentials, making it easier to switch between different accounts.
Custom Modules: Users can develop and integrate custom modules to extend Pacu’s functionality.

Pacu ships with a large number of modules; some commonly used ones are listed below.

Common Modules:

  1. Enum IAM: Enumerates IAM users, roles, policies, and groups.
  2. S3 Buckets: Identifies misconfigured S3 buckets and attempts to access their contents.
  3. Privilege Escalation: Identifies potential privilege escalation paths within the AWS environment.
  4. Lambda Backdoor: Deploys a backdoor in AWS Lambda functions.

Installation:

pip3 install -U pacu

Usage:

pacu

Figure 1: Pacu initialization.

Create a new session, and you are good to go.

set_keys

Figure 2: Setting AWS credentials.

list

Figure 3: Listing Pacu modules.

run aws__enum_account

Figure 4: Running the enum module.

console

Figure 5: Generating a URL that logs the current user/role into the AWS web console.

ScoutSuite

ScoutSuite is an open-source multi-cloud security auditing tool that works with AWS, Azure, and GCP. It provides a comprehensive view of the security posture of cloud environments by leveraging the APIs of cloud services.

Features:

Cross-Cloud Support: Supports AWS, Azure, and GCP, making it versatile for multi-cloud environments.
Detailed Reports: Generates HTML reports that provide an in-depth analysis of the security configuration.
Agentless: Does not require the installation of agents within the cloud environment.

Key Capabilities:

  1. IAM Analysis: Assesses IAM configurations, identifying overly permissive roles and policies.
  2. Storage Services: Evaluates the security settings of S3 buckets, ensuring they are not publicly accessible.
  3. Network Configuration: Reviews security group rules and VPC configurations to identify potential misconfigurations.
  4. Logging and Monitoring: Checks the configuration of CloudTrail and CloudWatch to ensure proper logging and monitoring.

Installation:

pip3 install scoutsuite

Usage:

Set up an AWS CLI profile if you haven't already, then run ScoutSuite against it.

aws --profile <profile-name> configure
scout aws --profile <profile-name> -f

Once the execution is complete, it generates an HTML report that includes the findings and the cloud account's configuration.

Figure 6: HTML report of the findings.

You can go through each AWS component or service and filter the findings based on severity.

Figure 7: IAM Findings Dashboard.

PMapper

PMapper is a tool for analyzing and visualizing AWS IAM permissions. It helps in understanding the complex relationships between IAM policies and the effective permissions they grant.

Features:

Graph-Based Analysis: Uses a graph-based approach to map IAM entities and their permissions.
Visualizations: Provides visual representations of IAM relationships and permissions, making it easier to identify potential security issues.
Policy Simulation: Simulates IAM policy evaluations to understand the impact of specific policies on permissions.
Query Language: Allows users to query the IAM graph to find specific relationships or misconfigurations.

Key Capabilities:

  1. IAM Graph Construction: Constructs a graph of IAM entities and their relationships based on the AWS account’s IAM policies.
  2. Risk Identification: Identifies high-risk permissions and potential privilege escalation paths.
  3. Interactive Queries: Users can interactively query the IAM graph to explore specific permissions and relationships.
  4. Effective Permissions: Determines the effective permissions of users and roles by simulating policy evaluations.

Installation:

git clone https://github.com/nccgroup/PMapper.git
cd PMapper
pip install .

If you encounter the import error shown below when running pmapper, apply the fix that follows.

Figure 8: Library error when running pmapper.

The error is due to a change in the collections module in Python 3: the abstract base classes (Mapping, MutableMapping) now live in collections.abc, and the old aliases in collections have been removed, while OrderedDict still lives in collections. Open the file highlighted in the traceback in your text editor and change the import statement at the top of the file from this:

from collections import Mapping, MutableMapping, OrderedDict

to this:

from collections.abc import Mapping, MutableMapping
from collections import OrderedDict
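A portable form of the same import, added here as an example (not PMapper's code): editing the installed file is lost on the next pip install, whereas a try/except import resolves correctly on every Python version. The classify helper is a hypothetical function that only exists so the resolved names can be checked.

```python
"""Version-agnostic import of the collections ABCs (added example, not PMapper's code)."""
try:
    # Python >= 3.3: the ABCs live in collections.abc (the only place since 3.10)
    from collections.abc import Mapping, MutableMapping
except ImportError:
    # Older interpreters: the ABCs were only exposed from collections
    from collections import Mapping, MutableMapping
from collections import OrderedDict  # OrderedDict never moved


def classify(obj):
    """Hypothetical helper: report which of the imported ABCs a value satisfies."""
    return {
        "mapping": isinstance(obj, Mapping),
        "mutable": isinstance(obj, MutableMapping),
        "ordered": isinstance(obj, OrderedDict),
    }


if __name__ == "__main__":
    print(classify({}), classify(OrderedDict()), classify([1, 2]))
```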

Usage:

pmapper --profile <profile-name> graph create
Figure 9: Enumerating the account and generating graph.

Note that whichever IAM Role/User you use will need broad read-access to the account. The ReadOnlyAccess managed policy will suffice.

Figure 10: Example Graph.

Run a query to see who can make IAM Users.

pmapper --profile <profile-name> query 'who can do iam:CreateUser'

Run the privilege escalation preset query.

pmapper --profile <profile-name> query "preset privesc *"
Figure 11: Query Output.

We can run queries to see who has access to what. For example, knowing that there’s an object named test.txt in the S3 bucket named writeup-bucket, we can run a query to see who in the account can access that object.

pmapper --account <account-id> query --with-resource-policy --resource-owner <account-id> 'who can do s3:GetObject with arn:aws:s3:::writeup-bucket/test.txt'
Figure 12: Query Output for S3 bucket object.
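To show what the two queries above actually compute, here is a small policy evaluator written for this write-up (it is not PMapper's code): it answers "who can do iam:CreateUser" and "who can do s3:GetObject with <object ARN>" over constructed principals, including a constructed bucket policy for the --with-resource-policy case, and the same logic doubles as the public-bucket check that ScoutSuite reports for S3. The account id, principals, policies and ARNs are all constructed, and the evaluator assumes no Condition blocks, permission boundaries, SCPs or role-assumption paths, and a single account (so an Allow from either the identity policy or the resource policy suffices and any explicit Deny wins).

```python
"""Toy "who can do <action> with <resource>" evaluator (added example, not PMapper's code).

Assumptions: no Conditions, boundaries, SCPs or role-assumption edges; single account.
"""
import fnmatch

ACCOUNT = "123456789012"  # constructed account id

# Constructed principals with their (already flattened) identity-policy statements.
PRINCIPALS = {
    f"arn:aws:iam::{ACCOUNT}:user/alice": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
    f"arn:aws:iam::{ACCOUNT}:user/bob": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    ],
    f"arn:aws:iam::{ACCOUNT}:role/deploy": [
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::writeup-bucket/*"},
    ],
}

OBJECT_ARN = "arn:aws:s3:::writeup-bucket/test.txt"

# Constructed bucket policy: grants bob read access to one object only.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "Action": "s3:GetObject", "Resource": OBJECT_ARN},
]}

# Constructed misconfiguration: every object in the bucket readable by anyone.
PUBLIC_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::writeup-bucket/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs treated alike here
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_match(a, action) for a in actions)
            and any(_match(r, resource) for r in resources))


def _principal_named(stmt, arn):
    """True if a resource-policy statement's Principal covers this ARN."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", arn) for p in aws)


def _decision(statements, action, resource):
    """'deny' if any matching statement denies, 'allow' if any allows, else None."""
    matched = [s for s in statements if _statement_applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return None


def who_can_do(action, resource="*", principals=PRINCIPALS, resource_policy=None):
    """Return the sorted ARNs of principals allowed to perform action on resource."""
    allowed = []
    for arn, identity_statements in principals.items():
        identity = _decision(identity_statements, action, resource)
        named = [s for s in (resource_policy or {}).get("Statement", [])
                 if _principal_named(s, arn)]
        via_resource = _decision(named, action, resource)
        if "deny" in (identity, via_resource):
            continue  # an explicit deny in either policy wins
        if "allow" in (identity, via_resource):
            allowed.append(arn)
    return sorted(allowed)


def is_public(resource_policy, action, resource):
    """Public-access check: can a principal with no identity permissions at all do this?"""
    return bool(who_can_do(action, resource, {"anonymous": []}, resource_policy))


if __name__ == "__main__":
    print("who can do iam:CreateUser:", who_can_do("iam:CreateUser"))
    print("who can read test.txt:", who_can_do("s3:GetObject", OBJECT_ARN))
    print("... with the bucket policy:",
          who_can_do("s3:GetObject", OBJECT_ARN, resource_policy=BUCKET_POLICY))
    print("bucket public?", is_public(PUBLIC_BUCKET_POLICY, "s3:GetObject", OBJECT_ARN))
```

Note that alice is excluded from the iam:CreateUser result despite holding iam:* because her explicit Deny wins, and bob only appears in the s3:GetObject result once the bucket policy is supplied, which is exactly why the --with-resource-policy flag matters. What this toy does not do is what PMapper's graph adds on top: following sts:AssumeRole, iam:PassRole and similar edges to find indirect paths.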

Enumerate-IAM

Enumerate-IAM is a tool designed to perform a detailed enumeration of AWS IAM users, roles, policies, and groups. It helps security professionals understand the permissions structure within an AWS account.

Features:

Detailed Enumeration: Provides comprehensive information about IAM entities and their permissions.
Policy Analysis: Analyzes IAM policies to identify overly permissive or misconfigured policies.
JSON Output: Outputs the results in JSON format, making it easy to integrate with other tools or processes.

Key Capabilities:

  1. User and Role Enumeration: Lists all IAM users and roles within an AWS account.
  2. Policy Extraction: Extracts and analyzes inline and managed policies.
  3. Group Enumeration: Lists all IAM groups and their associated users and policies.
  4. Effective Permissions: Determines the effective permissions of IAM users and roles.

Installation:

git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam
pip install -r requirements.txt

Usage:

python enumerate-iam.py -h
Figure 13: Running Enumerate-iam.
python enumerate-iam.py --access-key <key-here> --secret-key <secret-here>
Figure 14: Brute force all API calls allowed by the IAM policy.
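Seen from the defending side, the brute-force approach above is loud: a single principal generates a burst of access-denied errors across many services within a few minutes. The following detection, added as an example for this write-up (it is not part of enumerate-iam), looks for that pattern in CloudTrail records. The records are constructed and reduced to the fields the check reads, and the thresholds and the set of error codes are assumptions to tune per environment.

```python
"""Spot IAM permission brute-forcing in CloudTrail (added example, not enumerate-iam code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-denied error codes differ by service; extend this set as needed (assumption).
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation",
          "AuthorizationError"}

BOT = "arn:aws:iam::123456789012:user/ci-bot"      # constructed: key being probed
ANALYST = "arn:aws:iam::123456789012:user/analyst"  # constructed: ordinary user

# Constructed probe sequence: (eventSource, eventName, errorCode or None if allowed).
PROBES = [
    ("sts.amazonaws.com", "GetCallerIdentity", None),
    ("ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    ("s3.amazonaws.com", "ListBuckets", "AccessDenied"),
    ("iam.amazonaws.com", "ListUsers", "AccessDenied"),
    ("lambda.amazonaws.com", "ListFunctions20150331", "AccessDeniedException"),
    ("dynamodb.amazonaws.com", "ListTables", "AccessDeniedException"),
    ("kms.amazonaws.com", "ListKeys", "AccessDeniedException"),
    ("rds.amazonaws.com", "DescribeDBInstances", "AccessDenied"),
    ("sqs.amazonaws.com", "ListQueues", "AccessDenied"),
    ("sns.amazonaws.com", "ListTopics", "AuthorizationError"),
    ("ecr.amazonaws.com", "DescribeRepositories", "AccessDeniedException"),
    ("secretsmanager.amazonaws.com", "ListSecrets", "AccessDeniedException"),
    ("cloudtrail.amazonaws.com", "DescribeTrails", "AccessDeniedException"),
]


def _record(event_time, source, name, error, arn):
    rec = {"eventTime": event_time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    if error:  # CloudTrail omits errorCode on successful calls
        rec["errorCode"] = error
    return rec


RECORDS = [_record(f"2024-06-05T10:00:{i:02d}Z", src, name, err, BOT)
           for i, (src, name, err) in enumerate(PROBES)]
RECORDS += [  # two ordinary denials, minutes apart and on one service: no alert
    _record("2024-06-05T10:30:00Z", "s3.amazonaws.com", "GetObject", "AccessDenied", ANALYST),
    _record("2024-06-05T10:41:00Z", "s3.amazonaws.com", "GetObject", "AccessDenied", ANALYST),
]


def find_enumeration_bursts(records, window=timedelta(minutes=5),
                            min_denied=10, min_services=5):
    """Return one alert per principal whose densest window of denied calls reaches
    min_denied calls spread over at least min_services distinct eventSources."""
    denied = defaultdict(list)
    for rec in records:
        if rec.get("errorCode") in DENIED:
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            denied[rec["userIdentity"]["arn"]].append((when, rec["eventSource"]))

    alerts = []
    for arn, events in denied.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding window over time-sorted denials
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            services = {source for _, source in span}
            if len(span) >= min_denied and len(services) >= min_services:
                if best is None or len(span) > best["denied_calls"]:
                    best = {"principal": arn, "window_start": span[0][0].isoformat(),
                            "denied_calls": len(span), "services": sorted(services)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(RECORDS):
        print(f"{alert['principal']}: {alert['denied_calls']} denied calls across "
              f"{len(alert['services'])} services starting {alert['window_start']}")
```

Grouping on userIdentity.arn means an assumed role is keyed by its session ARN, which is what you want when a leaked key is used through a role. The successful sts:GetCallerIdentity call at the start of the constructed sequence is deliberately ignored by the check, but it is a useful pivot when investigating an alert.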

Conclusion

AWS penetration testing is a critical aspect of cloud security, and tools like Pacu, ScoutSuite, Enumerate-IAM, and PMapper provide valuable capabilities to security professionals.

Thank you for reading.
