This article is covering multiple ways to enumerate the resources within an AWS environment. We’ll explain how to perform enumeration, what you should look for, and multiple ways of doing it, both automated and manual.
First, the easiest way to identify attack vectors or misconfigurations is to perform a complete enumeration. This includes all the resources, permissions, and configurations.
However, not everything deserves the same attention. A higher focus should be put on services from which you can exfiltrate access credentials or on IAM resources that can lead to privilege escalation.
Additionally, you must know your goal. If you’re performing a cloud security configuration review, then you should focus on anything that can be improved, like encryption at rest or in transit, proper logging practices, and so on. Whereas, if you’re on a penetration testing/red team engagement, the previously mentioned aspects would not be of interest and the focus should be on practical exploitation.
The ideal way to perform discovery and enumeration is by having read-only access over all the resources within the target account.
For this, there are two options:
From these options, the simpler one for both parties is the role-based approach. For the second option, we would need to receive a set of access keys in order to perform checks from AWS CLI and automated tools.
There’s also the scenario where the client wants to simulate an insider threat and gives us the same level of access as another account, a case in which we might have both read and write permissions.
A good approach, especially when you also want to improve your AWS knowledge, is to enumerate literally everything by using AWS CLI.
How can you do this? Well, an AWS CLI command has the next structure:
aws [options] <command> <subcommand> [parameters]
# For example:
aws --region eu-central-1 ec2 describe-instances --instance-ids $instance_id
Every command and subcommand has good documentation that can be accessed appending help
at the end of the command.
So, if you’re new to AWS and don’t know where to start, just type aws help
and see the list of available services.
Next, choose a service or just take each one at a time and start the enumeration. There are 3 keywords available for every service that are pointing to an enumeration subcommand: describe, list, and get. The exception is the s3 service which uses ls as a subcommand for enumeration.
Nonetheless, just choose a service and hit aws service help
. Now, look for subcommands that contain “describe”, “list” and “get”. Let’s do an example with Lambda Functions.
In the above screenshot, we got a list of the commands that we can use to enumerate the Lambda service. Note that some subcommands will require information already gathered in order to enumerate. For example, by running list-functions
we’ll get the list of lambda functions. Based on this information we can enumerate further with other commands like get-policy
.
One trick to simplify the process is to directly run the subcommand. If you’re missing arguments, the AWS CLI will return an error and specify what mandatory parameters you should feed.
This process is very time-consuming but is helping you to better understand what AWS has to offer, what you should enumerate, and what are the common services that you can prioritize in the next engagement.
The last thing to keep in mind is that some AWS resources are region dependent, meaning that if you configured your AWS CLI on eu-central-1 and that resource is created in us-east-1, then you would not be able to identify it without mentioning the right region.
In part II of this article, we’ll provide a list of the most useful enumeration commands based on the service’s importance and the risk that a misconfiguration can bring there.
You can use the CIS benchmarks to go through some of the most common and of interest services in order to see what the target is using.
Although these resources are better for performing a cloud configuration review if you have limited experience with AWS this would help you to get started. The benchmark is especially useful for learning because it details the risk, but also provides remediation solutions.
References:
The CIS benchmarks can be downloaded from https://downloads.cisecurity.org/ once you made a free account.
At the moment, AWS doesn’t have a central dashboard for viewing all the resources and services used. However, if you have access to the web console, you can use the service AWS Resource Groups & Tag Editor for enumerating all the resources within the account. The next screenshot exemplifies this:
The advantages are:
The disadvantages, however:
To overcome the disadvantages, you should adjust the Resource Types so that you will get only resources of interest and also stay below the 500 results limit. A nice feature is the CSV export which can help you to process and analyze the results more efficiently.
There are multiple tools available for enumeration and each one is good for specific scenarios. I’ll present you 3 tools that make my life easier and a few mentions that I’m sure you’ll like to have them bookmarked.
URL: https://github.com/nccgroup/ScoutSuite
This is my favorite one and it also supports Azure and GCP. The tools enumerate the most important resources like IAM, EC2, Lambda Function, EKS, Secrets, S3, and more.
Besides that, it displays the result on a web page which makes it easy to navigate through the identified resources and check their configuration.
Even better, it marks certain misconfigurations and correlates them with the CIS benchmark. The tool is especially useful when you have to review multiple AWS accounts or services with numerous resources.
URL: https://github.com/RhinoSecurityLabs/pacu
This is an exploitation framework similar to Metasploit. It has multiple modules for enumeration, however, what makes this tool different is the ability to exploit the cloud environment once you have access to it.
It has some cool modules like backdooring an EC2 instance, checking for privilege escalation vectors, and more.
URL: https://github.com/andresriancho/enumerate-iam
This script is useful for determining what permissions you have. Let’s say you managed to exfiltrate a set of access credentials and now you are trying to determine what permissions are associated with them. The tool does exactly that. However, it doesn’t try to write operations, meaning that it will not discover all the permissions.
Pacu also has an IAM enumeration module but is more limited than this script.
URLs: https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation, https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py
I love the research done by Rhino Security (authors of Pacu). Make sure to check their blog for some good quality research on Cloud security. They have two articles on AWS privilege escalation vectors where they explain and exemplifies over 20 vectors of privilege escalation.
Even more, they created a script that will check if any of the known vectors are possible to be executed in the context of your permissions.
URL: https://github.com/nccgroup/PMapper
This is a tool for analyzing IAM resources (roles, users, permissions, etc.). The nice thing is that it can generate a graph that can be analyzed in order to see who can assume what role, what policy is attached to what service, and so on.
Automation:
Manual:
We saw what are the approaches when it comes to performing a cloud configuration review whether you’re doing a manual review, using tools, or both. For the best outcome, it is recommended a combination of manual configuration review and automation enumeration. Use tools to catch some low-hanging fruits, get a feel of the environment, and do the rest manually to cover those complex scenarios that would make a great article or presentation.