AWS Vulnerability Assessment and Penetration Testing Checklist - Part 1

Ravi sharma
7 min read · Jun 24, 2022

In this blog, I am sharing my experience with AWS vulnerabilities that have been identified during AWS security testing. I have seen very few AWS vulnerability tutorials online, so the aim here is to list as many of these findings as possible so that we can give better assurance to our customers.

Tools to perform AWS Penetration Testing-

· AWS CLI

· PACU Framework

· AWS PWN

· SecurityHub

· S3 Browser

· Prowler

· Cloudsploit

· Buckethead

· Bucky

· Sqlite3

To use the above tools you need an AWS access key and secret key.

I am using the CIS Benchmark, Google and the AWS documentation to find the vulnerabilities below.

Let's walk through the vulnerabilities-

1. Default encryption is not implemented on S3 buckets

When using any S3 bucket, ensure that default encryption is enabled.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the properties

2. No Policy is configured on s3 Buckets

No S3 bucket should have a blank bucket policy; a bucket policy should be configured on every bucket.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the Permissions

3. AWS Secure Transport policy not configured on the s3 bucket

An AWS secure transport policy should be configured on S3 buckets. Permissions can be configured through a bucket policy so that the objects are accessible only over HTTPS.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the properties
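The same check can be done offline against the policy document that `aws s3api get-bucket-policy` returns. This is an added example, not code from the original post; the bucket name and account id are placeholders and both policies are constructed. It also covers item 2, since a blank policy cannot enforce anything.

```python
import json

# Constructed sample policies shaped like the output of
# `aws s3api get-bucket-policy`; bucket name and account id are placeholders.
HTTPS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Grants read access but never denies plain-HTTP requests.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_secure_transport(policy_json):
    """True if some Deny statement covering all S3 actions refuses requests
    made with aws:SecureTransport == false (i.e. over plain HTTP)."""
    if not policy_json or not policy_json.strip():
        return False  # a blank policy (item 2) enforces nothing
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if str(flag).lower() == "false" and ("s3:*" in actions or "*" in actions):
            return True
    return False
```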

4. EBS Volume encryption should be enabled

Encrypting data at rest reduces the possibility that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Login to AWS Management Console and open EC2
https://console.aws.amazon.com/ec2/
Review the volumes

5. Multiple Access keys found for a single IAM user

Access keys are long-term credentials for an IAM user or the AWS account ‘root’ user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the most useful ways to defend your account is to not allow users to keep multiple access keys.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Review the users configuration

6. Object-level logging for writing and reading events should be enabled for S3 buckets

S3 bucket access logging generates a log that holds access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Click Permissions and check for server access logging

7. MFA Delete and Bucket Versioning were not enabled

MFA delete and bucket versioning should be enabled on s3 buckets.

Adding MFA Delete to an S3 bucket requires extra authentication when you change the versioning state of your bucket or delete an object version, adding another layer of protection in case your security credentials are compromised or unauthorized access is granted.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the properties

8. Improper Password Policy Management

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure that passwords are at least a given length. It is advised that the password policy require a minimum password length of 14 or 32 characters.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Click on Account Settings

9. Access Keys Rotation Misconfiguration

Rotating access keys reduces the window of opportunity for an access key associated with a compromised or terminated account to be used.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Review the users configuration

Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.

10. IAM Password Policy prevent reuse not configured

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Click on Account Settings

11. Unused Credentials should be disabled/removed

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is suggested that all credentials that have been unused for 90 or greater days be deactivated or terminated.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Review the users configuration
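Items 5, 9 and 11 can all be checked from one IAM credential report instead of clicking through each user. The following is an added example, not the author's code: it parses a constructed, simplified extract of the report (the real `aws iam get-credential-report` output is base64-encoded CSV with more columns) and assumes the audit date shown.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed, simplified extract of an IAM credential report; the real
# `aws iam get-credential-report` output is base64 CSV with more columns.
REPORT_CSV = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2022-06-20T09:12:00+00:00,true,2022-05-01T00:00:00+00:00,2022-06-21T00:00:00+00:00,true,2022-06-01T00:00:00+00:00,N/A
bob,true,2022-01-02T09:12:00+00:00,true,2021-11-15T00:00:00+00:00,2022-01-03T00:00:00+00:00,false,N/A,N/A
carol,false,N/A,true,2022-06-10T00:00:00+00:00,2022-06-22T00:00:00+00:00,false,N/A,N/A
"""

AUDIT_DATE = datetime(2022, 6, 24, tzinfo=timezone.utc)  # assumed "today"


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None when the report has no date."""
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credentials(report_csv, now=AUDIT_DATE, max_age=90):
    """Map each user to findings for checklist items 5, 9 and 11."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        hits = []
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if len(active) > 1:
            hits.append("multiple active access keys")  # item 5
        for n in active:
            created = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if created is not None and created > max_age:
                hits.append(f"access key {n} not rotated in {created} days")  # item 9
            used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            stale = created if used is None else used  # never used: age of the key
            if stale is not None and stale > max_age:
                hits.append(f"access key {n} unused for {max_age}+ days")  # item 11
        if row["password_enabled"] == "true":
            used = _age_days(row["password_last_used"], now)
            if used is None or used > max_age:
                hits.append(f"console password unused for {max_age}+ days")  # item 11
        if hits:
            findings[row["user"]] = hits
    return findings
```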

12. Access Analyzer should be enabled for all regions

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Click on Access Analyzer

This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.

13. Multi-factor authentication (MFA) should be enabled for all IAM users

Multi-Factor Authentication (MFA) adds an extra layer of authentication. MFA should be enabled for all IAM users who have console access.

Login to AWS Management Console and open IAM console
https://console.aws.amazon.com/iam
Review the users configuration

14. CloudTrail Logs Should be encrypted at rest

Configuring CloudTrail to use SSE-KMS provides extra confidentiality controls on log data, as a given user must have S3 read permission on the related log bucket and must also be granted decrypt permission by the CMK policy.

Login to AWS Management Console and open CloudTrail
https://console.aws.amazon.com/cloudtrail
Review the configuration

15. S3 Bucket settings are not configured with “Block Public” Access

S3 Block Public Access controls the accidental or malicious public exposure of data contained within the individual bucket. Block Public Access should be enabled for all S3 buckets.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the permissions

16. CloudTrail Logging should be Enabled

Login to AWS Management Console and open CloudTrail
https://console.aws.amazon.com/cloudtrail
Review the configuration

17. CloudTrail trails should be integrated with CloudWatch Logs

Login to AWS Management Console and open CloudTrail
https://console.aws.amazon.com/cloudtrail
Review the configuration

18. AWS Organization Trusted Access is not enabled

Enable trusted access with AWS Organizations. After trusted access is enabled, StackSets builds the necessary IAM roles in the organization’s management account and target user accounts when you create stack sets with service-managed permissions.

19. NACLs allow unrestricted ingress access to remote server ports

Analyse this in the VPCs-

Open AWS console
Navigate to VPCs and click on Network ACLs
Review the security posture of the NACLs' incoming and outgoing traffic
Check the ingress rules; remote administration ports should not be allowed from unrestricted sources

20. Security groups allow unrestricted ingress access to remote server ports

Open AWS console
Navigate to VPCs and click on Network ACLs
Review the security posture of the security groups' incoming and outgoing traffic
Check the ingress rules; remote administration ports should not be allowed from unrestricted sources

21. Default Security groups allow all traffic

Open AWS console
Navigate to VPCs and click on security groups
Review the security posture of the security groups' incoming and outgoing traffic
Check the ingress rules; remote administration ports should not be allowed from unrestricted sources
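Items 20 and 21 can be checked mechanically over the JSON that `aws ec2 describe-security-groups` returns rather than by reading each group in the console. This is an added example, not part of the original post; the group ids, names and rules are constructed, and SSH and RDP are taken as the remote administration ports.

```python
# Constructed sample shaped like the IpPermissions entries returned by
# `aws ec2 describe-security-groups`; group ids and names are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000admin", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000default", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "-1",  # the default group's "all traffic" rule (item 21)
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the remote administration ports
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def _is_open_to_world(perm):
    """True if any IPv4 or IPv6 source range of the rule is unrestricted."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(s in ANY_SOURCE for s in sources)


def _exposes_admin_port(perm):
    """True if the rule's port range covers an admin port or all ports."""
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == -1:  # ICMP type wildcard, not a TCP/UDP port range
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def find_exposed_admin_ports(groups):
    """Return (group_id, name, protocol, from_port, to_port) for every rule
    that lets an unrestricted source reach an admin port or every port."""
    hits = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if _is_open_to_world(perm) and _exposes_admin_port(perm):
                hits.append((g["GroupId"], g["GroupName"], perm["IpProtocol"],
                             perm.get("FromPort"), perm.get("ToPort")))
    return hits
```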

22. Flow logging is not configured in all VPCs

VPC Flow Logs should be enabled

Open AWS console
Navigate to VPCs and click on VPC and check the configuration

23. Secrets Manager - Key Rotation is not Enabled

To secure the secrets, the Secrets Manager can automatically rotate them at a scheduled time. When it rotates a secret, Secrets Manager updates the credentials in both the secret and the database or service so that you don’t have to change the credentials manually. Secrets Manager uses a Lambda rotation function to communicate with both Secrets Manager and the database or service.

Open AWS console
Navigate to Secrets Manager
Review the security posture of Secrets Manager and check that rotation is enabled for each secret

24. RDS Snapshot Encryption should be enabled

Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted.

25. Amazon ECR Lifecycle Policy should be created/configured

A lifecycle policy allows you to create a set of rules that expire unused repository images. An ECR lifecycle policy should be created.

26. EC2 EBS Snapshots not encrypted

Ensure EBS snapshots are encrypted-

Run Pacu module- unencrypted snapshots
Review the output in the Pacu local directory

27. S3 Object Lock should be enabled

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the properties

28. S3 Transfer Acceleration not enabled

Not using the transfer acceleration component is a misconfiguration.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the properties

29. S3 Buckets Lifecycle Configuration not created

Your Amazon S3 buckets should have lifecycle configuration enabled for security purposes.

Login to AWS Management Console and open s3 Buckets
https://console.aws.amazon.com/s3/
Review the s3 bucket

30. No IAM role is declared for CloudFormation

IAM is an AWS service used to manage users and their permissions within AWS. Within AWS CloudFormation, IAM can define the actions that each user is permitted to perform; such actions include viewing stack templates, creating stacks, or deleting stacks.

Open AWS console
Navigate to CloudFormation
Click on the CloudFormation stack properties and review the security posture.

Navigate to PART 2.

Reference-

CIS Amazon Web Services Foundations Benchmark

https://docs.aws.amazon.com/security/


Ravi sharma

OSCP | CPH | CISC | CPFA | YouTuber | Security Enthusiast | Hall of Fame - Tesla, Bit Defender, Sophos, Skyscanner, Indeed, etc.