AWS

List of best practices for every AWS services: AWS SECURITY DOCS

AWS Security Cheatsheet: Hacktricks

Treat the parent account like root. Long password with hardware base MFA. Don't use the parent account for anything besides required services, create less privileged child accounts for everything else.

Buckets and AWS Console

# List the content of a bucket using aws console.
aws s3 ls s3://<LOCATION> --no-sign-request
# Interact with s3 web api
aws --endpoint=http://s3.domain.com s3 ls
aws --endpoint=http://s3.domain.com s3 ls s3://discoveredbucket


# Download content from a bucket 
curl http://<LOCATION>.s3.amazonaws.com/<ITEM>.xml
aws s3 cp s3://<LOCATION>/<ITEM>.xml . --no-sign-request

# Upload shell non-secure to s3 bucket
aws --endpoint=http://s3.domain.com s3 cp shell.php s3://domain.com

# Sign in with Credentials. Creds stored in .aws/config and .aws/credentials
aws configure --profile <PROFILENAME>
aws s3 ls --profile <PROFILENAME>

# Find account ID belonging to access key
aws sts get-access-key-info --access-key-id <KEYVALUE>

# Get Username access key belongs to
aws sts get-caller-identity --profile <PROFILENAME>

# Get EC2 instances for an account
aws ec2 describe-instances --output text --profile <PROFILENAME>
aws ec2 describe-instances --output text --region us-east-1 --profile <PROFILENAME>

IAM (Identity and Access Management)

Identity Federation.

• Using identity federation allows for access control to be managed by a on prem authentication server... allowing for easier control of authenticated accounts.

• Use groups for allowing access, not accounts.

Access Advisor & Analyzer

• Part of the IAM console that show what assets uses and accesses, allowing you to more finely tune least privilege.

• Access Analyzer allows you to view and manage an assets accessibility based on what it uses.

General Access Control Rules:

• If there is a deny anywhere it is denied.

• If there is no deny and there is an allow anywhere, its allowed.

• If nobody says anything about it, it is denied.

IAM Rule Creation

// This rule states that you are allowed to do anything in a bucket
{
  "Version": "2012-10-17",
  "Statement": {
	// Either allow or deny
    "Effect": "Allow",
    "Action": [
	    // Specifies what you can or cant do
	    "s3:*"
    ],
    // What you can or cant do to the resource. * is a wildcard
    "Resource": "arn:aws:s3:us-east-2:111122223333:bucketname/*"
  }
}

// more specific rule to only allow access to specific commands
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
	    "dynamodb:BatchGetItem",
	    "dynamodb:GetItem",
	    "dynamodb:Query"
    ],
    "Resource": [
	    "arn:aws:dynamodb:us-east-2:111122223333:Tablename",
	    "arn:aws:dynamodb:us-east-2:111122223333:Tablename/index/*"
    ]
  }
}

For kms encrypted assets, You need to specifically allow decryption permissions for assets using a specific key. Decryption permissions are not automatically granted if retrieve permissions are granted.

AWS VPC (Virtual Private Cloud)

Security Groups: They are just statefull firewalls.

• You can allow one security group to allow in another security group.

• You can specify what traffic you expect on what group from what port

Rout tables: Allows you to specify traffic paths. Anything not specified will be black-holed. Also allows you to specify default gateways.

Cloud trail

Used to record all api-calls made by an application.

• Use a second account for logging so an attacker can not delete access logs.

Region Deny

From Aws Docs

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}

Amazon Simple Storage Service (s3)

• Always deny public access to buckets unless explicitly needed. You can deny public bucket access at an account level which overrides individual bucket settings.