Attacking AWS: the full cyber kill chain

Paweł Rzepa 2019.06.08

While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company who puts the same effort for testing the security in their cloud. We have to understand what new threats and risks appeared with the cloud and how should we change our attitude to testing cloud security.

The goal of my presentation is to show how security assessment of cloud infrastructure it is different from testing environments in classic architecture. I’ll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show whole kill chain starting from presenting cloud-applicable reconnaissance techniques. Then I’ll attack the Jenkins server hosted on EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS service to escalate privileges to administrator and then present how to hide fingerprints in CloudTrail service. Finally, I’ll demonstrate various techniques of silent exfiltrating data from AWS environment, setting up persistent access and describe other potential, cloud-specific threats, e.g. cryptojacking.

The presentation shows practical aspects of attacking cloud services and each step of the kill chain will be presented in a form of live demo. On the examples of presented attacks, I’ll show how to use AWS exploitation framework Pacu and other handy scripts.

As a supplement to the presentations we recommend downloading the guide: Seven-Step Guide to SecuRing your AWS Kingdom[LINK] and reading an article about cloud infrastructure pentesting.[LINK]

Paweł Rzepa
Paweł Rzepa Senior IT Security Consultant