Amazon Web Services (AWS)

• Documentation on AWS services (Amazon)
• AWS Pentesting (HackTricks)

💡 For S3 buckets, see Amazon Simple Storage Service (Amazon S3). When having keys/credentials, use Pacu. See also Prowler.

AWS Account Setup

Create an AWS account

Create an AWS account here. See How do I create and activate a new AWS account? (AWS).

Set a budget limit

See Configuring AWS Budgets actions (AWS).

• Click on Services -> Billing and Cost Management and click on the star to add it to favorites.
• Under Budgets and Planning, click on Budgets.
• Click on Create a budget.
• Under Budget setup, choose Use a template (simplified).
• Under Templates – new, select Monthly cost budget.
• Enter Budget name “Monthly Cost Budget”, enter an amount in dollars and your email address.
• Click Create budget.

vCPU quota

The quota increase does not have any impact on the costs on your policy, but this change allows you to launch the instances with higher cost. Those would be charged while active.

Determine the required vCPU quota

• Click on Services -> EC2.
• Under Instances, click on Instance Types.
• Search for the instance type, like “g5.12xlarge”.
• The vCPUs column indicates the quota needed.

Increase vCPU quota

• Increase vCPU quota here.
• Select region and instance type “All G instances”.
• Set the limit (e.g. 48 vCPUs for g5.12xlarge instance type).

Add a budget action to stop EC2 instances

❗ You need to create the EC2 instance first. It is not possible to specify all instances without a name.

• Click on Budgets, click on your budget name (Monthly Cost Budget).
• Click on Edit.
• Under Alerts, click on Actual cost > 100% | No actions.
• Click on actions.
• Under Alert #3 (Threshold 100%), click on Add action.
• Select IAM role AWSServiceRoleForSupport.
• Select Automate instances to stop for EC2 or RDS.
• Select your EC2 region.
• Select your EC2 instance and click Next.

AWS Client (awscli)

Installation

sudo apt install awscli

sudo apt upgrade awscli

Setup

💡 Use profiles so you can switch between configurations for different tests.

aws configure --profile <profile name>
AWS Access Key ID: PRESS ENTER
AWS Secret Access Key: PRESS ENTER
Default region name: PRESS ENTER
Default output format: PRESS ENTER

If you have the AWS session token, set it for the profile.

aws configure set aws_session_token <token> --profile <profile name>

Show profiles & configurations

aws configure list-profiles

aws configure list --profile <profile name>

aws configure get aws_session_token --profile <profile name>

Help

aws help

aws ec2 help

aws ec2 describe-instances help

# aws client version
aws --version

# Get the ID of the EC2 instance
aws configure
press ENTER for all except region: us-east-1
aws ec2 describe-instances --filters dns-name=public-dns

Amazon Elastic Compute Cloud (EC2)

Create an EC2 instance

❗ Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Stop your AWS instance when it is not needed or you will be charged. YOU WILL STILL BE CHARGED FOR EBS STORAGE. See Amazon EBS pricing (Amazon).

• Log in AWS with your AWS account.
• In the search bar, enter “EC2” and click on the star to add it to favorites.
• IMPORTANT: On the top right corner, select a region close to you, e.g. “us-east-1”.
• On the left, click on Instances -> Instances.
• Click on Launch instances.
• Enter a name.
• Click on Ubuntu and select an Amazon Machine Image (AMI). For example, use Ubuntu Server 20.04 LTS (HVM), SSD Volume Type (free tier eligible).
• Select instance type, like “t2.micro” (free tier eligible, but on-demand $0.0116 USD per hour). See T2 (low cost) and G5 (NVIDIA GPU-based instances).
• Click Create new key pair, choose RSA, choose .ppk and name it “EC2-<instance name>-Putty”. Click on Create key pair. Or choose .pem and name it “EC2-<instance name>-OpenSSH”. KEEP THESE KEYS SECURE. DO NOT LOOSE THEM. They cannot be downloaded from the AWS console later.
• Leave default network settings.
• Reduce storage to 1x30GB with gp3 (General Purpose SSD). See Amazon EBS pricing (Amazon).
• Leave default advanced details.
• Click on Launch instance.

Access EC2 instances

Prerequisites (Windows & Linux)

• You will need the EC2 key pair (.ppk file for Putty, or .pem for OpenSSH). It was downloaded upon creation.
• Copy public DNS address of the EC2 instance. This can be found in the AWS EC2 dashboard, by clicking Instances.

Windows

Windows with Putty (from Security Course on AWS).

• Start Putty.
• Click on Session:
  • Enter hostname ec2-user@public-dns (ec2-user is the default in EC2 instances)
• Click on Connection:
  • Seconds between keepalives: 50
  • Check “Enable TCP keepalives” (SO_KEEPALIVE option)
  • Click on SSH -> Auth:
    • Click Browse and choose the .ppk file of the EC2 key pair
• Click Open
• Enter username. For Ubuntu images, user is “ubuntu”. No password is needed since the keys were used.

Linux

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

# scp [OPTION] [user@]SRC_HOST:]file1 [user@]DEST_HOST:]file2

# Transfer file from Kali Linux to EC2 instance
# SCP is part of openssh-clients (apt install openssh-clients)
scp -i /path/my-key-pair.pem /path/SampleFile.txt ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com:~

# Transfer file from EC2 instance to Kali Linux
scp -i /path/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com:~/SampleFile.txt ~/SampleFile2.txt

From Linux with ssh (from Security Course on AWS)

# Change permission to key file
cd ~/Downloads
chmod 400 keys.pem

# Connect using key file
ssh -i keys.pem ec2-user@public-dns
ssh -i /path/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com

Session Token Service (STS) (from Security Course on AWS)

#-------------------------------------------------------------------------------
# Get token, assume the role your partner prepared for you in their account
#-------------------------------------------------------------------------------
# STS: Session token service
aws sts assume-role --role-arn arn:aws:iam::ACCOUNTID:role/RemoteSecurityAudit --role-session-name RemoteSecurityAudit
<return credentials>

export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>

# Display the list of EC2 instances in the other account
aws ec2 describe-instances --output table --query 'Reservations[].Instances[].[Tags[?Key==`Name`] | [0].Value,InstanceId,InstanceType]' --region <region>

Other commands (to cleanup, from AWS course)

#-------------------------------------------------------------------------------
# Information Required
#-------------------------------------------------------------------------------

# Get the ID of the instance
You can get the ID of your instance using the Amazon EC2 console (from the Instance ID column). If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command. 

# Get the public DNS name of the instance
You can get the public DNS for your instance using the Amazon EC2 console. 
Check the Public DNS (IPv4) column. If this column is hidden, choose the Show/Hide icon and select Public DNS (IPv4). If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command.

# (IPv6 only) Get the IPv6 address of the instance
If you've assigned an IPv6 address to your instance, you can optionally connect to 
the instance using its IPv6 address instead of a public IPv4 address or public IPv4 DNS hostname. Your local computer must have an IPv6 address and must be configured to use IPv6. You can get the IPv6 address of your instance using the Amazon EC2 console. Check the IPv6 IPs field. If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) command. For more information about IPv6, see IPv6 Addresses. 

# Locate the private key and verify permissions
Get the fully-qualified path to the location on your computer of the .pem file 
for the key pair that you specified when you launched the instance. 
Verify that the .pem file has permissions of 0400, not 0777.

# Get the default user name for the AMI that you used to launch your instance
    For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
    For a Centos AMI, the user name is centos.
    For a Debian AMI, the user name is admin or root.
    For a Fedora AMI, the user name is ec2-user or fedora.
    For a RHEL AMI, the user name is ec2-user or root.
    For a SUSE AMI, the user name is ec2-user or root.
    For an Ubuntu AMI, the user name is ubuntu.
    Otherwise, if ec2-user and root don't work, check with the AMI provider.

# Enable inbound SSH traffic from your IP address to your instance
# Ensure that the security group associated with your instance allows 
incoming SSH traffic from your IP address. The default security group does 
not allow incoming SSH traffic by default. For more information, see 
Authorizing Inbound Traffic for Your Linux Instances.

#-------------------------------------------------------------------------------
# .pem file
#-------------------------------------------------------------------------------
# Contains keys to connect to the AWS instance
# .pem file must have permissions 400 (chmod 400 file.pem)

#-------------------------------------------------------------------------------
# Connect to AWS Instance Using SSH
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
#-------------------------------------------------------------------------------
KEY="/root/Documents/key-pair.pem"
USER="ec2-user"
PUBLIC_DNS_NAME="ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com"
IPV6="XXXX:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"

# MANDATORY: set permissions to key pair or you wont be able to connect
chmod 400 $KEY

# Connect
ssh -i $KEY ${USER}@${PUBLIC_DNS_NAME}

# Connect with IP v6
ssh -i $KEY ${USER}@${IPV6}

#-------------------------------------------------------------------------------
# Transfer files between local machine and AWS with SCP
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
#-------------------------------------------------------------------------------
KEY="/root/Documents/key-pair.pem"
USER="ec2-user"
PUBLIC_DNS_NAME="ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com"
IPV6="2001:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
FILE=/root/Documents/file.txt
REMOTE_FILE="~/SampleFile.txt"

# Enable inbound SSH traffic from your IP address to your instance
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

# MANDATORY: set permissions to key pair or you wont be able to connect
chmod 400 $KEY

# Upload file to AWS instance
scp -i $KEY $FILE $KEY ${USER}@${PUBLIC_DNS_NAME}:~

# Upload file to AWS instance using IP v6
scp -i $KEY $FILE $KEY ${USER}@\[${IPV6}\]:~

# Download file from AWS
scp -i $KEY ${USER}@${PUBLIC_DNS_NAME}:${REMOTE_FILE} $FILE

# Download file from AWS using IP v6
scp -i $KEY ${USER}@\[${IPV6}\]:${REMOTE_FILE} $FILE

#-------------------------------------------------------------------------------
# AWS Describe Instance
#-------------------------------------------------------------------------------
# https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html

INST_ID="i-1234567890abcdef0"

# To describe an Amazon EC2 instance
aws ec2 describe-instances --instance-ids "${INST_ID}"

# To describe all instances with the instance type m1.small
aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small"

# To describe all instances with a Owner tag
aws ec2 describe-instances --filters "Name=tag-key,Values=Owner"

# To describe all instances with a Purpose=test tag
aws ec2 describe-instances --filters "Name=tag:Purpose,Values=test"

# To describe an EC2 instance and filter the result to return the AMI ID, and all tags associated with the instance.
aws ec2 describe-instances --instance-id "${INST_ID}" --query "Reservations[*].Instances[*].[ImageId,Tags[*]]"

# To describe all instances, and return all instance IDs and AMI IDs, but only show the tag value where the tag key is "Application".
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,ImageId,Tags[?Key==`Application`].Value]'

# To describe all EC2 instances that have an instance type of m1.small or m1.medium that are also in the us-west-2c Availability Zone
aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small,m1.medium" "Name=availability-zone,Values=us-west-2c"

AWS Inspector agent & scan targets

From Security Course on AWS.

Install the AWS Inspector agent & scan targets

S3BUCKET="qls-xxxxxxx-xxxxxxxxxxxxxxxx-logbucket-xxxxxxxxxxxx"
CMDID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
aws ssm send-command --targets Key=tag:SecurityScan,Values=true --document-name "AmazonInspector-ManageAWSAgent" --output-s3-bucket-name $S3BUCKET --query Command.CommandId
"${CMDID}"

aws ssm list-command-invocations --command-id "${CMDID}" --details --query "CommandInvocations[*].[InstanceId,DocumentName,Status]"

# Create a resource group
aws inspector create-resource-group --resource-group-tags key=SecurityScan,value=true
#"resourceGroupArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:resourcegroup/0-xxxxxxxx"

# Create assessment target (targets that will be scanned)
aws inspector create-assessment-target --assessment-target-name GamesDevTargetGroup --resource-group-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:resourcegroup/0-xxxxxxxx"
# "assessmentTargetArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx"

# List rules
aws inspector list-rules-packages
#    "rulesPackageArns": [
#        "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
#        "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
#        "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
#        "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx",
#        "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx"

# View rule description
aws inspector describe-rules-packages --rules-package-arns "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx" --query  rulesPackages[*].[name,description] --output text

aws inspector create-assessment-template --assessment-target-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx" --assessment-template-name CISCommonVulerBestPract-Short --duration-in-seconds 900 --rules-package-arns "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:rulespackage/0-xxxxxxxx" 

#"assessmentTemplateArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx"

aws inspector preview-agents --preview-agents-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx"

# Start the scan
aws inspector start-assessment-run --assessment-template-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx" --assessment-run-name  FirstAssessment
#"assessmentRunArn": "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"

# Check status of the scan
aws inspector describe-assessment-runs --assessment-run-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"

# View agents sending data
aws inspector list-assessment-run-agents --assessment-run-arn "arn:aws:inspector:us-west-2:xxxxxxxxxxxx:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-xxxxxxxx"

### Create and apply a patch baseline
aws ssm describe-document --name "AWS-PatchInstanceWithRollback" --query "Document.[Name,Description,PlatformTypes]"
aws ssm describe-instance-information  --query "InstanceInformationList[*]"
#"i-xxxxxxxxxxxxxxxxx"

aws ssm start-automation-execution --document-name "AWS-PatchInstanceWithRollback" --parameters "InstanceId=i-xxxxxxxxxxxxxxxxx,ReportS3Bucket=${S3BUCKET}"
#"AutomationExecutionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

AWS Lambda

Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda natively supports JavaScript, Java, Python, Go, C#, F#, PowerShell, and Ruby code.

❗ This may require to set the aws_session_token. See the Setup section.

Help

aws lambda help

List Lambda functions

aws lambda list-functions --profile <profile name>

get-function

Returns information about the function or function version, with a link to download the deployment package that’s valid for 10 minutes.

aws lambda get-function --function-name <function name> --profile <profile name>

Invoke (execute) a Lambda function

aws lambda invoke --function-name <function name> --profile <profile name>

AWS WAF

• AWS Managed Rules rule groups list (Amazon)