Intro to AWS Hacking

New to AWS security? Want to learn more about AWS hacking techniques? You should definitely attend my “Intro to AWS Hacking” training at Ekoparty Los Angeles!

The training was designed for penetration testers, DevOps, SecDevOps, application security specialists, web developers and team leaders. It covers these areas:

  • Shared responsibility model
    • AWS’ responsibility
    • Client’s responsibility
  • Getting your hands on AWS credentials
    • SSRF to instance metadata
    • Hard-coded (GitHub, mobile application, etc.)
    • Amazon Cognito
    • Compromise employee laptop and access ~/.aws/credentials
  • Checking permissions
    • aws sts get-caller-identity
    • nimbostratus
    • Brute-forcing tools
  • S3
    • Open buckets
    • Signed policy vulnerabilities
  • sts:AssumeRole
    • Pivoting between users
    • Pivoting between accounts
  • Escalating IAM privileges
    • Insecure IAM policies
    • Detection
    • Exploitation
  • Inspecting EC2 user-data
  • Inspecting Lambda function source code
    • Hard-coded AWS credentials for a different account
  • Sniffing traffic (ELB debug feature)
  • Snapshot and restore
    • Gain access to EC2 and RDS data