Penetration Test for AWS Environments

The Penetration Tests services can be delivered for set-ups ranging from simple applications to complex infrastructures, checking the AWS environment against best practices, potential vulnerabilities and misconfigurations, leveraging in-depth expertise, a well attuned tool set and broad experience.

The scope for a Penetration Test for an AWS Environment includes the following test scenarios:

IAM (Identity Access Managament)

• Enumerating IAM users and roles Cross-account AWS roles and user enumeration
• Abusing overly permissive IAM trust policies Escalating privileges by abusing IAM policies and permissions

**API Gateway

• Enumerating API Gateway and API keys
• Understanding stage variables and usage plans
• Bypassing authentication by verb tampering
• Abusing overly permissive resource policies
• Attacking misconfigured private API endpoints
• Bypassing poorly implemented WAF
• Performing Denial of Service attack on API Gateway

AWS Lambda

• Enumerating Lambda functions and layers. Event data injection
• Command injection & Function runtime code injection
• Specific Attacks : XML external entity (XXE), Server-side request forgery (SSRF), Object deserialization attacks, SQL injection, etc
• Abusing overly permissive resource policies & AWS Lambda permissions
• Manipulating function execution flows
• Retrieving application secrets, keys, and credentials
• Retrieving sensitive information from Lambda
• Runtime API Exploiting vulnerable component and custom runtimes
• Abusing temporary and shared file systems Maintaining access on an AWS account (backdoor)

DynamoDB

• NoSQL injection attack on a DynamoDB-based application.
• SQL injection attack through PartiQL support on a DynamoDB-based application
• NoSQL injection attack on a MongoDB-based application. SQL injection attack on an RDS-based application.

Cloud Storage:

• S3 Misconfigurations
• Enumerating public S3 buckets#
• Identifying bucket policy/ACL constraints on an S3 bucket
• Identifying anonymous write operations on an S3 bucket
• Leveraging misconfigured bucket policies and ACPs
• Anonymous/Authorized public read
• Reading policies and identifying object names
• Writing objects to buckets
• Overwriting bucket ACL and object ACL
• Overwriting bucket policies
• Performing denial of service
• Identifying writable buckets without performing a write operations
• Chaining web application attacks through S3 resources
• S3 ransomwares

A typical project timeline for an AWS Environment Penetration requires between 2 (for Simple Environment) and 6 weeks (for very complex environments).

Deliverables

Following each test, a detailed report about the test results is prepared. At the beginning of the report, a management summary outlines the test parameters and findings. The management summary is accompanied by a visual representation of the identified risks and a tabular list of the findings. Furthermore, a system description is given, as well as a description of the test scope and any possible test exclusions. The main part of the document is the description of the actual findings. For each finding, a summary, a detailed technical description and a recommendation for the mitigation is given. Different stakeholders (management and technical staff) are considered in each section.