AWS Pentest Methodology

Type of Access

White Box Access

  • Read or view permissions to all accounts in scope

  • Console + API Keys

Assumed Breach Access

  • Compromised developer IAM user/role

  • EC2 or Lambda roles

  • Leaked access keys

  • Whatever situation the client is most worried about

Opinion: Black-box cloud penetration testing wastes the client's money on gathering context that white-box access would provide up front

Automated Tools and Resources

Use white-box access for automated tools that visualize resources and API usage in the account.

Low Hanging Fruits

  • Perform an automated configuration review across every account

  • Tools like ScoutSuite, Prowler, CloudFox, Pacu, or the CSPM your client is already using

  • Programmatically identify attack paths

Manual Context Gathering

  • Research and check for publicly known misconfigurations or issues

  • Read AWS documentation for API calls, best practices, and features

  • Note attack paths to try

Dynamic Testing

  • Confirm or disprove assumptions and theories dynamically

  • Write your findings

  • Bonus points for recommending architecture or guardrail changes instead of "whack-a-mole" fixes
