- Documentation on AWS services (Amazon)
- AWS Pentesting (HackTricks)
For S3 buckets, see Amazon Simple Storage Service (Amazon S3). When you already have keys/credentials, use Pacu. See also Prowler.
AWS Account Setup
Create an AWS account
Create an AWS account here. See How do I create and activate a new AWS account? (AWS).
Set a budget limit
See Configuring AWS Budgets actions (AWS).
- Click on Services -> Billing and Cost Management and click on the star to add it to favorites.
- Under Budgets and Planning, click on Budgets.
- Click on Create a budget.
- Under Budget setup, choose Use a template (simplified).
- Under Templates – new, select Monthly cost budget.
- Enter Budget name “Monthly Cost Budget”, enter an amount in dollars and your email address.
- Click Create budget.
vCPU quota
Raising the quota does not by itself cost anything; it only allows you to launch larger (more expensive) instance types, which are charged while they run. The budget and the budget action below are what cap the spend.
Determine the required vCPU quota
- Click on Services -> EC2.
- Under Instances, click on Instance Types.
- Search for the instance type, like “g5.12xlarge”.
- The vCPUs column indicates the quota needed.
Increase vCPU quota
- Increase vCPU quota here.
- Select region and instance type “All G instances”.
- Set the limit (e.g. 48 vCPUs for g5.12xlarge instance type).
Add a budget action to stop EC2 instances
You need to create the EC2 instance first: the budget action targets specific instance IDs, so it cannot be applied to "all instances" in general.
- Click on Budgets, click on your budget name (Monthly Cost Budget).
- Click on Edit.
- Under Alerts, click on Actual cost > 100% | No actions.
- Click on actions.
- Under Alert #3 (Threshold 100%), click on Add action.
- Select the IAM role for the action (AWSServiceRoleForSupport in the course setup). Whatever role you pick must be assumable by budgets.amazonaws.com and allowed to stop the targeted instances, otherwise the action fails silently at the threshold.
- Select Automate instances to stop for EC2 or RDS.
- Select your EC2 region.
- Select your EC2 instance and click Next.
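The console steps above reuse an existing role. The following added example (not from the course) creates a dedicated least-privilege role for the budget action instead: a trust policy that only the AWS Budgets service can assume, and a permission policy that can stop one named instance and nothing else. The role name and instance ARN are placeholders, and the exact permission set the Budgets service requires should be checked against the Budgets actions documentation.

```sh
#!/bin/sh
# Added example (not from the course): least-privilege IAM role for a budget action.
# Role name and instance ARN are placeholders.

budgets_trust_policy() {
    # Only the AWS Budgets service may assume this role
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "budgets.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

budgets_stop_policy() {
    # $1 = instance ARN, e.g. arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0
    # EC2 Describe* actions cannot be scoped to a resource; StopInstances can.
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstanceStatus", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "$1"}
  ]
}
EOF
}

create_budgets_role() {
    # $1 = role name, $2 = instance ARN
    aws iam create-role --role-name "$1" \
        --assume-role-policy-document "$(budgets_trust_policy)" >/dev/null || return 1
    aws iam put-role-policy --role-name "$1" --policy-name StopBudgetInstance \
        --policy-document "$(budgets_stop_policy "$2")"
}

# Usage: create_budgets_role BudgetStopEC2 arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0
```

Pick the resulting role in the "Add action" step instead of a broad pre-existing one; if the budget later has to cover several instances, add their ARNs to the Resource list rather than widening it to "*".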
AWS CLI (awscli)
Installation
# Distribution packages are usually AWS CLI v1; for v2 use the installer from AWS.
sudo apt install awscli
sudo apt upgrade awscli
Setup
Use profiles so you can switch between configurations (and credential sets) for different tests; they are stored in ~/.aws/credentials and ~/.aws/config.
aws configure --profile <profile name>
AWS Access Key ID: <access key ID, or PRESS ENTER to leave unset>
AWS Secret Access Key: <secret access key, or PRESS ENTER to leave unset>
Default region name: <e.g. us-east-1, or PRESS ENTER>
Default output format: <json, text or table; PRESS ENTER for json>
If the credentials are temporary (STS), set the session token for the profile as well; without it the calls are rejected as invalid.
aws configure set aws_session_token <token> --profile <profile name>
Show profiles & configurations
aws configure list-profiles
aws configure list --profile <profile name>
aws configure get aws_session_token --profile <profile name>
Help
aws help
aws ec2 help
aws ec2 describe-instances help
# aws client version
aws --version
# Get the ID of the EC2 instance from its public DNS name
aws configure
press ENTER for all except region: us-east-1
aws ec2 describe-instances --filters "Name=dns-name,Values=<public-dns>" --query 'Reservations[].Instances[].InstanceId' --output text
Amazon Elastic Compute Cloud (EC2)
Create an EC2 instance
Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Stop your AWS instance when it is not needed or you will be charged. YOU WILL STILL BE CHARGED FOR EBS STORAGE. See Amazon EBS pricing (Amazon).
- Log in AWS with your AWS account.
- In the search bar, enter “EC2” and click on the star to add it to favorites.
- IMPORTANT: On the top right corner, select a region close to you, e.g. “us-east-1”.
- On the left, click on Instances -> Instances.
- Click on Launch instances.
- Enter a name.
- Click on Ubuntu and select an Amazon Machine Image (AMI). For example, use Ubuntu Server 20.04 LTS (HVM), SSD Volume Type (free tier eligible).
- Select instance type, like “t2.micro” (free tier eligible, but on-demand $0.0116 USD per hour). See T2 (low cost) and G5 (NVIDIA GPU-based instances).
- Click Create new key pair, choose RSA, choose .ppk and name it “EC2-<instance name>-Putty”. Click on Create key pair. Or choose .pem and name it “EC2-<instance name>-OpenSSH”. KEEP THESE KEYS SECURE. DO NOT LOSE THEM. The private key is downloaded once at creation and cannot be downloaded from the AWS console later; AWS keeps only the public half.
- Leave default network settings.
- Reduce storage to 1x30GB with gp3 (General Purpose SSD). See Amazon EBS pricing (Amazon).
- Leave default advanced details.
- Click on Launch instance.
Access EC2 instances
Prerequisites (Windows & Linux)
- You will need the EC2 key pair (.ppk file for Putty, or .pem for OpenSSH). It was downloaded upon creation.
- Copy public DNS address of the EC2 instance. This can be found in the AWS EC2 dashboard, by clicking Instances.
Windows
Windows with Putty (from Security Course on AWS).
- Start Putty.
- Click on Session:
- Enter hostname <user>@public-dns. The user depends on the AMI: ec2-user for Amazon Linux, ubuntu for Ubuntu (see the default user name list further down).
- Click on Connection:
- Seconds between keepalives: 50
- Check “Enable TCP keepalives” (SO_KEEPALIVE option)
- Click on SSH -> Auth:
- Click Browse and choose the .ppk file of the EC2 key pair
- Click Open
- If prompted, enter the username (for Ubuntu images, “ubuntu”). No password is needed since the key pair is used.
Linux
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
# scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2
# Transfer file from Kali Linux to EC2 instance
# SCP is part of openssh-clients (apt install openssh-clients)
scp -i /path/my-key-pair.pem /path/SampleFile.txt ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com:~
# Transfer file from EC2 instance to Kali Linux
scp -i /path/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com:~/SampleFile.txt ~/SampleFile2.txt
From Linux with ssh (from Security Course on AWS)
# Change permission to key file
cd ~/Downloads
chmod 400 keys.pem
# Connect using key file
ssh -i keys.pem ec2-user@public-dns
ssh -i /path/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
Security Token Service (STS) (from Security Course on AWS)
#-------------------------------------------------------------------------------
# Get token, assume the role your partner prepared for you in their account
#-------------------------------------------------------------------------------
# STS: Security Token Service. The returned credentials are temporary (1 hour by default, tunable with --duration-seconds up to the role's maximum).
aws sts assume-role --role-arn arn:aws:iam::ACCOUNTID:role/RemoteSecurityAudit --role-session-name RemoteSecurityAudit
<returns Credentials: AccessKeyId, SecretAccessKey, SessionToken, Expiration>
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>
# Display the list of EC2 instances in the other account
aws ec2 describe-instances --output table --query 'Reservations[].Instances[].[Tags[?Key==`Name`] | [0].Value,InstanceId,InstanceType]' --region <region>
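Copying the three values out of the JSON by hand is error-prone. The following added example (not from the course) asks STS for exactly the fields it needs as one text line, exports them, and then confirms with get-caller-identity that the shell really acts as the assumed role. The role ARN and session name are placeholders.

```sh
#!/bin/sh
# Added example (not from the course): assume a role, export the temporary
# credentials, and confirm the identity. Role ARN and session name are placeholders.

# Turn one tab-separated line "AccessKeyId SecretAccessKey SessionToken Expiration"
# (what the --query/--output text below produces) into environment variables.
export_sts_creds() {
    set -- $1                       # split the line on whitespace into $1..$4
    [ "$#" -eq 4 ] || { echo "expected 4 credential fields, got $#" >&2; return 1; }
    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
    export AWS_CREDENTIAL_EXPIRATION="$4"   # keep the expiry so you know when to re-assume
}

assume_role() {
    # $1 = role ARN, $2 = session name (it appears in the target account's CloudTrail, so make it meaningful)
    line=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    export_sts_creds "$line" || return 1
    # Verify the shell now acts as the assumed role, not as the original user
    aws sts get-caller-identity
}

# Usage: assume_role arn:aws:iam::ACCOUNTID:role/RemoteSecurityAudit RemoteSecurityAudit
```

Because the variables are exported into the current shell, source the file (`. ./sts.sh`) rather than executing it; once the session expires, every call fails with an expired-token error and assume_role has to be run again.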
Other commands (to cleanup, from AWS course)
#-------------------------------------------------------------------------------
# Information Required
#-------------------------------------------------------------------------------
# Get the ID of the instance
You can get the ID of your instance using the Amazon EC2 console (from the Instance ID column). If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command.
# Get the public DNS name of the instance
You can get the public DNS for your instance using the Amazon EC2 console.
Check the Public DNS (IPv4) column. If this column is hidden, choose the Show/Hide icon and select Public DNS (IPv4). If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command.
# (IPv6 only) Get the IPv6 address of the instance
If you've assigned an IPv6 address to your instance, you can optionally connect to
the instance using its IPv6 address instead of a public IPv4 address or public IPv4 DNS hostname. Your local computer must have an IPv6 address and must be configured to use IPv6. You can get the IPv6 address of your instance using the Amazon EC2 console. Check the IPv6 IPs field. If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command. For more information about IPv6, see IPv6 Addresses.
# Locate the private key and verify permissions
Get the fully-qualified path to the location on your computer of the .pem file
for the key pair that you specified when you launched the instance.
Verify that the .pem file has permissions of 0400, not 0777.
# Get the default user name for the AMI that you used to launch your instance
For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
For a CentOS AMI, the user name is centos.
For a Debian AMI, the user name is admin or root.
For a Fedora AMI, the user name is ec2-user or fedora.
For a RHEL AMI, the user name is ec2-user or root.
For a SUSE AMI, the user name is ec2-user or root.
For an Ubuntu AMI, the user name is ubuntu.
Otherwise, if ec2-user and root don't work, check with the AMI provider.
# Enable inbound SSH traffic from your IP address to your instance
# Ensure that the security group associated with your instance allows
incoming SSH traffic from your IP address. The default security group does
not allow incoming SSH traffic by default. For more information, see
Authorizing Inbound Traffic for Your Linux Instances.
#-------------------------------------------------------------------------------
# .pem file
#-------------------------------------------------------------------------------
# Contains keys to connect to the AWS instance
# .pem file must have permissions 400 (chmod 400 file.pem)
#-------------------------------------------------------------------------------
# Connect to AWS Instance Using SSH
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
#-------------------------------------------------------------------------------
KEY="/root/Documents/key-pair.pem"
USER="ec2-user"
PUBLIC_DNS_NAME="ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com"
IPV6="XXXX:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
# MANDATORY: set permissions on the key pair or you won't be able to connect (ssh rejects a group- or world-readable private key)
chmod 400 $KEY
# Connect
ssh -i $KEY ${USER}@${PUBLIC_DNS_NAME}
# Connect with IP v6
ssh -i $KEY ${USER}@${IPV6}
#-------------------------------------------------------------------------------
# Transfer files between local machine and AWS with SCP
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
#-------------------------------------------------------------------------------
KEY="/root/Documents/key-pair.pem"
USER="ec2-user"
PUBLIC_DNS_NAME="ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com"
IPV6="2001:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
FILE=/root/Documents/file.txt
REMOTE_FILE="~/SampleFile.txt"
# Enable inbound SSH traffic from your IP address to your instance
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
# MANDATORY: set permissions on the key pair or you won't be able to connect
chmod 400 $KEY
# Upload file to AWS instance (only $FILE is copied; never pass the private key as a source file)
scp -i $KEY $FILE ${USER}@${PUBLIC_DNS_NAME}:~
# Upload file to AWS instance using IPv6 (scp needs the address in brackets)
scp -i $KEY $FILE ${USER}@\[${IPV6}\]:~
# Download file from AWS
scp -i $KEY ${USER}@${PUBLIC_DNS_NAME}:${REMOTE_FILE} $FILE
# Download file from AWS using IP v6
scp -i $KEY ${USER}@\[${IPV6}\]:${REMOTE_FILE} $FILE
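The two things that bite in practice here are a key file with the wrong mode and the IPv6 bracket syntax that scp needs but ssh does not. The following added example (not from the course) wraps both: it fixes the key mode before use and builds the scp target for a DNS name, an IPv4 or an IPv6 literal. Key path, user, host and file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the course): key-file permission check and
# address-aware scp targets. Paths, user and host values are placeholders.

key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }   # GNU stat, then BSD stat

# ssh refuses a private key readable by group/others; make it owner-read-only
# and print the resulting mode.
ensure_key_perms() {
    [ -f "$1" ] || { echo "no such key file: $1" >&2; return 1; }
    case "$(key_mode "$1")" in
        400|600) ;;                 # already private to the owner
        *) chmod 400 "$1" ;;
    esac
    key_mode "$1"
}

# scp requires IPv6 literals in brackets (user@[addr]:path); hostnames and IPv4 are used as-is.
scp_target() {
    # $1 = user, $2 = host, $3 = remote path
    case "$2" in
        *:*) printf '%s@[%s]:%s\n' "$1" "$2" "$3" ;;
        *)   printf '%s@%s:%s\n' "$1" "$2" "$3" ;;
    esac
}

upload_file() {
    # $1 = key, $2 = local file, $3 = user, $4 = host, $5 = remote dir
    ensure_key_perms "$1" >/dev/null || return 1
    scp -i "$1" "$2" "$(scp_target "$3" "$4" "$5")"   # only $2 is copied, never the key
}

download_file() {
    # $1 = key, $2 = user, $3 = host, $4 = remote file, $5 = local destination
    ensure_key_perms "$1" >/dev/null || return 1
    scp -i "$1" "$(scp_target "$2" "$3" "$4")" "$5"
}

# Usage: upload_file ~/key-pair.pem ./file.txt ec2-user ec2-198-51-100-1.compute-1.amazonaws.com /home/ec2-user
#        upload_file ~/key-pair.pem ./file.txt ubuntu 2001:db8::1 /home/ubuntu
```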
#-------------------------------------------------------------------------------
# AWS Describe Instance
#-------------------------------------------------------------------------------
# https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html
INST_ID="i-1234567890abcdef0"
# To describe an Amazon EC2 instance
aws ec2 describe-instances --instance-ids "${INST_ID}"
# To describe all instances with the instance type m1.small
aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small"
# To describe all instances with a Owner tag
aws ec2 describe-instances --filters "Name=tag-key,Values=Owner"
# To describe all instances with a Purpose=test tag
aws ec2 describe-instances --filters "Name=tag:Purpose,Values=test"
# To describe an EC2 instance and filter the result to return the AMI ID, and all tags associated with the instance.
aws ec2 describe-instances --instance-id "${INST_ID}" --query "Reservations[*].Instances[*].[ImageId,Tags[*]]"
# To describe all instances, and return all instance IDs and AMI IDs, but only show the tag value where the tag key is "Application".
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,ImageId,Tags[?Key==`Application`].Value]'
# To describe all EC2 instances that have an instance type of m1.small or m1.medium that are also in the us-west-2c Availability Zone
aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small,m1.medium" "Name=availability-zone,Values=us-west-2c"
AWS Inspector agent & scan targets
From Security Course on AWS. These commands use Amazon Inspector Classic (the aws inspector CLI namespace); the current Amazon Inspector service is driven with aws inspector2 instead.
Install the AWS Inspector agent & scan targets
S3BUCKET="qls-xxxxxxx-xxxxxxxxxxxxxxxx-logbucket-xxxxxxxxxxxx"
aws ssm send-command --targets Key=tag:SecurityScan,Values=true --document-name "AmazonInspector-ManageAWSAgent" --output-s3-bucket-name $S3BUCKET --query Command.CommandId
# "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   <- the command ID printed above
CMDID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
aws ssm list-command-invocations --command-id "${CMDID}" --details --query "CommandInvocations[*].[InstanceId,DocumentName,Status]"
# Create a resource group
aws inspector create-resource-group --resource-group-tags key=SecurityScan,value=true
#"resourceGroupArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:resourcegroup/0-xxxxxxxx"
# Create assessment target (targets that will be scanned)
aws inspector create-assessment-target --assessment-target-name GamesDevTargetGroup --resource-group-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:resourcegroup/0-xxxxxxxx"
# "assessmentTargetArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx"
# List rules
aws inspector list-rules-packages
# "rulesPackageArns": [
# "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
# "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
# "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
# "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
# "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx"
# View rule description
aws inspector describe-rules-packages --rules-package-arns "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx" --query rulesPackages[*].[name,description] --output text
aws inspector create-assessment-template --assessment-target-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx" --assessment-template-name CISCommonVulerBestPract-Short --duration-in-seconds 900 --rules-package-arns "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx"
#"assessmentTemplateArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx"
aws inspector preview-agents --preview-agents-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx"
# Start the scan
aws inspector start-assessment-run --assessment-template-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx" --assessment-run-name FirstAssessment
#"assessmentRunArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"
# Check status of the scan
aws inspector describe-assessment-runs --assessment-run-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"
# View agents sending data
aws inspector list-assessment-run-agents --assessment-run-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"
Create and apply a patch baseline
aws ssm describe-document --name "AWS-PatchInstanceWithRollback" --query "Document.[Name,Description,PlatformTypes]"
aws ssm describe-instance-information --query "InstanceInformationList[*]"
#"i-xxxxxxxxxxxxxxxxx"
aws ssm start-automation-execution --document-name "AWS-PatchInstanceWithRollback" --parameters "InstanceId=i-xxxxxxxxxxxxxxxxx,ReportS3Bucket=${S3BUCKET}"
#"AutomationExecutionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
AWS Lambda
Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda natively supports JavaScript (Node.js), Java, Python, Go, C#, F#, PowerShell, and Ruby code.
If the profile uses temporary credentials, set aws_session_token as well. See the Setup section.
Pricing (requests only; compute duration in GB-seconds is billed separately):
Free Tier: 1 million requests per month.
$0.20 (USD) per 1 million requests thereafter, i.e. $0.0000002 per request.
Help
aws lambda help
List Lambda functions
aws lambda list-functions --profile <profile name>
get-function
Returns information about the function or function version, with a link to download the deployment package that’s valid for 10 minutes.
aws lambda get-function --function-name <function name> --profile <profile name>
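The presigned Code.Location URL is the interesting part for an assessment: it hands over the whole deployment package, which is where hard-coded credentials usually live. The following added example (not from the course) fetches the package, unpacks it and greps it for credential-looking strings, and also dumps the function's environment variables, the other common hiding place. Function name, profile and destination directory are placeholders; the scan patterns are a starting set, not a complete secret detector.

```sh
#!/bin/sh
# Added example (not from the course): pull a Lambda deployment package and
# look for hard-coded secrets. Function name, profile and directory are placeholders.

fetch_lambda_package() {
    # $1 = function name, $2 = profile, $3 = destination directory
    url=$(aws lambda get-function --function-name "$1" --profile "$2" \
          --query 'Code.Location' --output text) || return 1
    mkdir -p "$3"
    # The URL is presigned (valid 10 minutes); fetching it needs no AWS credentials
    curl -sSf -o "$3/package.zip" "$url" && unzip -oq "$3/package.zip" -d "$3"
}

lambda_env_vars() {
    # $1 = function name, $2 = profile. Environment variables are readable by anyone
    # allowed lambda:GetFunctionConfiguration (plus kms:Decrypt if a customer KMS key is used)
    aws lambda get-function-configuration --function-name "$1" --profile "$2" \
        --query 'Environment.Variables'
}

# Scan a directory for credential-looking strings. Prints file:line:match for
# every hit and returns 1 if anything was found, 0 if the tree looks clean.
scan_for_secrets() {
    # $1 = directory to scan
    if grep -rEn \
        -e '(AKIA|ASIA)[0-9A-Z]{16}' \
        -e '(aws_secret_access_key|AWS_SECRET_ACCESS_KEY)[[:space:]]*[:=]' \
        -e 'BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY' \
        "$1"; then
        return 1
    fi
    return 0
}

# Usage: fetch_lambda_package my-function pentest /tmp/lambda && scan_for_secrets /tmp/lambda
#        lambda_env_vars my-function pentest
```

A key ID found this way (AKIA... for a long-lived IAM user key) is a finding on its own; anything it grants can then be enumerated with the profile setup described earlier.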
Invoke (execute) a Lambda function
# The trailing argument is the file that receives the function's response; add --payload '<json>' to pass an event
aws lambda invoke --function-name <function name> --profile <profile name> response.json
AWS WAF
- AWS Managed Rules rule groups list (Amazon)
See WAF Bypass