Welcome to the Jungle: Pentesting AWS

Presented at CactusCon 11 (2023), Jan. 28, 2023, 11 p.m. (60 minutes).

As more development environments roll infrastructure into AWS, they are also responsible with implementing the security controls to protect those resources being used. Some organizations create separate AWS accounts for development stages, others leverage a single AWS account with separate VPC's for each business unit. In all scenarios, pentesters are commonly tasked with testing thousands of resources spread across numerous AWS accounts and implemented within all available regions. To remain effective in analyzing security risks, pentesters must adapt to these emerging technology scopes while using techniques that aid in the discovery of vulnerabilities, exploit the technology stacks, and report verified risks to bring value to the organization. In this presentation, I will demonstrate adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources. Next, I will focus on the exploitation, lateral movement, and privilege escalation phases of the engagement to highlight some pentesting methodology for those looking to get their start with AWS penetration tests. Finally, I will release a tool to help extract the discovered vulnerabilities and generate boilerplate language for the report.

Presenters:

  • ustayready - Mike Felch - (@ustayready)
    Mike Felch is a Security Researcher at Black Hills Information Security (BHIS). In his role he identifies and weaponizes security vulnerabilities in emerging technologies. Mike started his career in 1997 as a Linux administrator, which led to numerous offensive security and engineering roles. Outside of work, Mike operates a family ranch where he raises cattle, chickens, goats, and horses. He regularly speaks at security conferences throughout the USA and is an active member of the central Florida infosec community.

Links:

Similar Presentations: