AWS Cloud Penetration Testing Test Cases

  • Test for Unauthenticated Bucket Access
  • Test for Semi-Public Bucket Access – Improper ACL permissions
  • Targeting and compromising AWS access keys in git commits
  • Test for extracting keys from an EC2 instance
  • Exploiting AWS security misconfigurations
  • Testing to exploit an EC2 instance
  • Exploiting internal AWS services using Lambda backdoors
  • Test for subdomain takeover
  • Testing for AWS IAM privilege escalation
  • Test for RCE attack
  • Test for AWS role enumeration (IAM)
  • Test for EC2 service to exploit privilege escalation
  • Test for AWS IAM enumeration: bypassing CloudTrail logging
  • Test for Bitbucket Server data for credentials in AWS
  • DNS rebinding to compromise the cloud environment
  • Test for changes to local Windows / Linux logs
  • Test to create jobs or serverless actions to add root certificates and SSH private keys to machines and users (such as AWS Lambda)
  • Test to create an additional interface / assign an IP address in the target network / subnet on a compromised machine (like assigning a secondary private IPv4 address or interface to an AWS EC2 instance)
  • Steal virtual machine images from storage accounts, analyze them for passwords, keys and certificates to access live systems (like VM VHD snapshots from storage accounts)
  • Test to gain OS-level access to instances/VMs via workload management service privileges (AWS SSM)
  • Create systems management commands or abuse instance metadata for scheduled and triggered command and control (AWS Systems Manager, modify EC2 User Data to trigger a reverse shell)
  • Test to run or deploy a workload with an assigned/passed service or role, export instance credentials for those privileges (such as an EC2 passed role and metadata credentials)
  • Fingerprint server and application versions and frameworks, detect sensitive PII in application logs
  • Test for CSV injection in AWS CloudTrail
  • Test for AWS secrets accessible via metadata
  • Attempt load balancer MITM for session hijacking (ELB) by cloud service configuration or load balancer instance compromise
  • Steal credentials from metadata of proxy or HTTP forwarding servers (credentials in AWS metadata)
  • Steal cloud workload credentials (AWS metadata STS or Azure Linux Agent (waagent) folder credentials)
  • Steal credentials from, or leverage privilege to operate, a cloud key service (AWS KMS, Azure Key Vault)
  • Alter data in a datastore for fraudulent transactions or static website compromise (S3, RDS, Redshift)
  • Alter a serverless function, logic app or other business logic implementation for action on objective or escalation (AWS Lambda or Azure Logic Apps)
  • Alter data in local SQL or MySQL databases
  • Operate in regions where logging is not enabled or disable global logging (like CloudTrail)
  • Alter log files in a non-validated log store or disable validation (like CloudTrail log file validation)
  • Test for disabling network traffic analysis / logging (VPC Flow Logs)
  • Test for disabling cloud alerting to prevent detection and response (like CloudWatch alarms, GuardDuty, Security Hub, or Azure Security Center)
  • Test for disabling data store access logging to prevent detection and response (CloudTrail data events, S3 access logging, Redshift user activity logging)
  • Alter log retention or damage the integrity of logs (S3 lifecycle, KMS CMK key deletion / role privilege lockout)
  • Process hooking, process injection, Windows access token manipulation, leveraging misconfigured sudo capabilities
  • Test to create or reset a login, access key or temporary credential belonging to a high-privilege user (like iam:CreateAccessKey, STS or iam:UpdateLoginProfile)
  • Test to change the default policy for a user or new users to include additional privileges (like set-default-policy-version)
