Amazon Web Services (AWS)

External

  • Look for open S3 buckets; you may be able to exfiltrate a large amount of information and/or identify credentials.

    • We are primarily looking for AWS Access Keys and Secret Keys (regexes for both formats are available online)

    • We can sometimes reach the AWS instance metadata service through an SSRF vulnerability

  • Regular application vulnerabilities - SSRF, outdated software, etc.

  • Scour GitHub to identify artifacts related to AWS accounts such as ARNs (Amazon Resource Names)
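A defender-side counterpart to the credential hunting above is a secret-scanning check run over your own repositories and bucket contents before anyone else does. The block below is an added example, not part of the original notes: the regexes follow the documented key formats (long-term access key ids start with AKIA, temporary ones with ASIA; secret keys are 40 characters), while the sample text, account id and function names are constructed for this example and the key values are AWS's published documentation examples.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the shape of a leaked credentials file. The key values are
# AWS's published documentation examples, not live credentials; the account id is a placeholder.
SAMPLE_TEXT = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# role used by the deploy job
role_arn = arn:aws:iam::123456789012:role/DeployRole
bucket = arn:aws:s3:::example-corp-backups
session_key_hint = ASIAEXAMPLE1234567AB
"""

# Long-term access key ids start with AKIA, temporary (STS) ones with ASIA; 20 chars in total.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 chars of base64-like text. On their own they look like any other token,
# so only flag them when a secret-key label sits directly in front of them.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\- ]?secret[_\- ]?access[_\- ]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# arn:partition:service:region:account-id:resource (region and account may be empty, e.g. S3).
ARN_RE = re.compile(r"arn:aws(?:-cn|-us-gov)?:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^\s\"',]+")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str


def redact(value: str) -> str:
    """Keep just enough of a secret to triage the finding without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every access key id, labelled secret key and ARN found, line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding("aws_secret_access_key", line_no, redact(m.group(1))))
        for m in ARN_RE.finditer(line):
            # ARNs are not secrets, but they reveal account ids and role names worth tracking.
            findings.append(Finding("arn", line_no, m.group(0)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no:>3}  {f.kind:<22} {f.redacted}")
```

Run it over a checkout or a synced bucket listing by feeding each file's contents to `scan_text`; the ARN matches are the same artifacts the GitHub search above looks for, so they tell you which accounts and roles are already exposed.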

Initial Access

  1. Use the get-session-token command so that, if the permanent credentials are deleted or disabled, there will still be temporary access to the environment.

  2. Run the list-user-policies, list-attached-user-policies, and list-groups-for-user commands to see what permissions are attached.

  3. Look at the CloudTrail logs to identify whether there is anything interesting.

    1. In some instances you may observe that the user whose credentials you hold has run the 'AssumeRole' command to obtain another role (privilege escalation)
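From the detection side, steps 1 and 3 leave a clear trail in CloudTrail: an IAM user calling GetSessionToken (especially with a long duration) and an IAM user calling AssumeRole, whether it succeeded or was denied. The following added example, which is not part of the original notes, runs that logic over a constructed batch of CloudTrail records; the account id, user and role names and IP addresses are placeholders, and a real deployment would read records from the trail's S3 bucket or CloudTrail Lake rather than from an inline string.

```python
import json
from dataclasses import dataclass

# Constructed CloudTrail records with placeholder account id, names and addresses; not real log data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T09:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
     "requestParameters": {"durationSeconds": 129600},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T09:00:09Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole",
                           "roleSessionName": "deploy-user"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T09:00:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/BillingRole"},
     "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T09:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Ec2InstanceRole"},
     "sourceIPAddress": "ec2.amazonaws.com"},
]})


@dataclass(frozen=True)
class Alert:
    event_time: str
    user: str
    rule: str
    detail: str


def detect_sts_use_by_iam_users(trail_json: str, max_session_seconds: int = 43200) -> list[Alert]:
    """Flag STS calls made directly by IAM users, i.e. with long-term keys.

    Role assumption by a user (successful or denied) is where role chaining shows up, and a
    GetSessionToken call longer than `max_session_seconds` (12h, the IAM-user default) yields
    temporary credentials that outlive deletion of the key that requested them.
    """
    alerts: list[Alert] = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if rec.get("eventSource") != "sts.amazonaws.com" or ident.get("type") != "IAMUser":
            continue  # STS calls by services and by already-assumed roles are normal background noise
        user = ident.get("userName", "<unknown>")
        params = rec.get("requestParameters") or {}
        name = rec.get("eventName")
        if name == "AssumeRole":
            outcome = "denied" if rec.get("errorCode") else "succeeded"
            alerts.append(Alert(rec["eventTime"], user, "iam-user-assume-role",
                                f"{outcome}: {params.get('roleArn')}"))
        elif name == "GetSessionToken":
            duration = int(params.get("durationSeconds", 43200))
            rule = "long-session-token" if duration > max_session_seconds else "session-token"
            alerts.append(Alert(rec["eventTime"], user, rule, f"durationSeconds={duration}"))
    return alerts


if __name__ == "__main__":
    for a in detect_sts_use_by_iam_users(SAMPLE_TRAIL):
        print(f"{a.event_time} {a.user:<12} {a.rule:<22} {a.detail}")
```

Because of step 1, deleting the long-term key does not end a session that was already issued, so the response to one of these alerts also has to cut off the temporary credentials: a deny policy conditioned on aws:TokenIssueTime (what IAM's "revoke active sessions" action attaches for a role) invalidates sessions issued before the revocation.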

AWS Cognito Misconfigurations

  • If AWS Cognito is misconfigured and allows the sign-up of a new user, an attacker can log in and obtain a temporary AWS token for authenticated identities.

Internal

  • After compromising a user's account you can utilize a script such as enumerate-iam.py to brute-force the permissions available to the account.

  • We can also check for quick privilege escalation opportunities using Rhino Security Labs' AWS Escalate.py script.

  • We need to enumerate the buckets that we have read access to; we can sync their contents and review them locally.

  • We can use the Security Token Service (STS) API to identify which user we are running as.
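The defender's counterpart to the permission-enumeration and escalation checks in this section is auditing your own IAM policies for the grants those tools look for. The block below is an added example, not code from the original notes or from either tool named above: it parses an IAM policy document, flags wildcard grants, and flags a small illustrative set of IAM actions that let a principal widen its own permissions; that action set and the sample policy are assumptions made for this example.

```python
import fnmatch
import json
from dataclasses import dataclass

# IAM actions that let a principal widen its own permissions or take over another principal.
# Illustrative subset assumed for this example, not an exhaustive list.
SELF_ESCALATION_ACTIONS = frozenset({
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole",
})

# Constructed sample policy with a placeholder bucket name; not taken from any real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-corp-logs/*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})


@dataclass(frozen=True)
class PolicyFinding:
    statement_index: int
    action_pattern: str   # the Action entry exactly as written in the policy
    matched_action: str   # the concrete action that entry grants
    reason: str


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list[PolicyFinding]:
    """Return the Allow grants in a policy document that deserve a second look."""
    findings: list[PolicyFinding] = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not what this audit flags
        if "NotAction" in stmt:
            findings.append(PolicyFinding(idx, "NotAction", "*",
                                          "Allow with NotAction grants every action not listed; review by hand"))
        scope = "on every resource" if "*" in _as_list(stmt.get("Resource")) else "on a restricted resource set"
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*":
                findings.append(PolicyFinding(idx, pattern, pattern, f"full administrative access {scope}"))
                continue
            if pattern.endswith(":*"):
                findings.append(PolicyFinding(idx, pattern, pattern, f"service-wide wildcard {scope}"))
                continue
            # IAM action matching is case-insensitive and supports * and ? wildcards.
            for action in sorted(SELF_ESCALATION_ACTIONS):
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append(PolicyFinding(idx, pattern, action, f"self-escalation action {scope}"))
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"statement {f.statement_index}: {f.action_pattern!r} grants {f.matched_action} ({f.reason})")
```

The expansion of `iam:Create*` is the point: a pattern that looks narrow grants iam:CreateAccessKey and iam:CreatePolicyVersion, which is what a local escalation check finds after the fact. IAM Access Analyzer's policy validation performs a fuller evaluation; this is a quick triage you can run against a policy pulled with the list-user-policies and list-attached-user-policies commands from the Initial Access steps.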
