Many people want to know "how do I get started with AWS security?", and this blog post is for them. The pathway in this blog post will help many beginners to get started with learning AWS security. We introduce the prerequisites to know before learning AWS security, hands-on labs to learn the security of key AWS services, some key tools to be familiar with, and also highlight a real-world data breach in the cloud.
Pwned Labs Academy is the place to get real-world experience and kickstart your cloud security career. Whether you're a total beginner or you’re currently studying for an AWS security certification, Pwned Labs has over 40 hours of free hands-on cloud security scenarios providing you with job-ready skills.
In demand skills 📈
Cloud security is a great career choice. There’s increasing demand for and awareness of cybersecurity, and most organizations are on some journey towards hybrid multi-cloud, if they aren’t cloud native already. On-premises isn’t going away, but the accelerating adoption of the cloud and growth of cybersecurity means that the future is bright for aspiring cloud security professionals.
As an aspiring AWS security professional you can use the following pathway as well as the free Cloud Security Engineer roadmap included in the useful resources section to get started with AWS security, whatever your starting point!
Let's get started! 💥
For newcomers to Pwned Labs, welcome!
With Pwned Labs you can get hands-on with realistic scenarios that can be put into practice straight away. Head over to https://pwnedlabs.io you’ll find a range of free and premium content that are suitable for beginners and pros alike. Most of the labs don’t require you to have your own AWS account - just plug and pwn.
This blog post provides a suggested path through the Pwned Labs content library that we would recommend to take, if starting from the beginning. Once you have some labs under your belt, feel free to leave the path and explore on your own! 🚀
Featured content creator: Tyler Ramsbey ▶️
Sometimes we might want to learn by ourselves, but often it’s more fun with others! Tyler Ramsbey from Rhino Security has created a YouTube playlist of AWS security labs from Pwned Labs. Pwn your way through the labs and learn AWS security with Tyler!
Tyler’s content is excellent and if you haven’t yet checked out his friendly discord community Hack Smarter then you definitely should! It’s a great place to get advice and support from industry peers and beginners alike.
What should I know before learning AWS security? 🧐
You need to be familiar with the Linux command-line. We frequently use the Linux command-line to perform tasks in the cloud, due to its customizability and great support for cloud platform, security and DevOps tooling. Ubuntu is a solid choice of Linux distro given its ease of use and large community. Set up and play with Linux, then work your way through the OvertheWire Bandit wargame to get practice with Linux shell commands!
You also need to have a basic familiarity with AWS services. The Cloud Resume Challenge created by Forrest Brazeal is a great way to do this: https://cloudresumechallenge.dev/ . The Cloud Resume Challenge is a hands-on project designed to guide participants through the essentials of cloud computing. It incorporates many of the skills that real Cloud and DevOps engineers use in their daily work.
What is an AWS account ID? ☁️
An AWS Account ID is a unique 12-digit number that identifies an AWS account. This number is used by Amazon Web Services to differentiate each individual account registered on their platform. The AWS Account ID is important for setting permissions, managing access, and segregating resources between accounts when using AWS services. It is also commonly used in constructing ARNs (Amazon Resource Names), which uniquely identify AWS resources.
In our first lab we're presented with the website below of the company Mega Big Tech and learn how we can find the AWS account ID from any public S3 bucket.
FREE hands-on lab:
https://pwnedlabs.io/labs/identify-the-aws-account-id-from-a-public-s3-bucket
Follow along with Tyler:
https://www.youtube.com/watch?v=O1HPnYCzh7g&list=PLMoaZm9nyKaPBtCuAQVbvhJa8a4HTrZgc
Leveraging an AWS account ID to access resources 🎯
If threat actors get their hands on an AWS Account ID, they can try to identify the IAM roles and users tied to that account. They can do this by taking advantage of detailed error messages that AWS services return when inputting an incorrect username or role name. These messages can verify if an IAM user or role exists, which can help threat actors compile a list of possible targets in the AWS account. It's also possible to filter public resource snapshots by the AWS Account ID that owns it.
This chains nicely together to the next lab! We’ll use the AWS account ID to identify sensitive resources that a company seems to have shared publicly. This lab is based on real-world research. In 2018, Duo Security published an article stating that they found 116,386 public EBS (Elastic Block Store) snapshots from 3,213 accounts. At DEFCON 27 (2019) Ben Morris presented some interesting research on publicly exposed EBS volumes, in which he confirmed 50 exposures and estimated a total of 750-1250 exposures across all AWS regions 🙀
FREE hands-on lab:
https://pwnedlabs.io/labs/loot-public-ebs-snapshots
Follow along with Afshan:
https://www.youtube.com/watch?v=Ma9e0AmFpDE
Key service: AWS IAM 🪖
IAM (Identity and Access Management) is central to building, defending and attacking cloud services. Both offensive and defensive security practitioners need a solid understanding of IAM and how to enumerate permissions: attackers look for overly-permissive settings or misconfigurations in a potential attack chain, while defenders ensure need to enforce the principle of least privilege and identify any resources or services that are in the blast radius of a compromised IAM user.
FREE hands-on lab:
https://pwnedlabs.io/labs/intro-to-aws-iam-enumeration
Follow along with Micah:
https://www.youtube.com/watch?v=RvrZ52ngh5Q
Key service: Amazon S3 🪣
Amazon S3 (Simple Storage Service) is a very popular AWS service (and the second oldest!) and is used to store files and backups, and can even be used to serve websites. This multi-use functionality has led some to argue that this service would be more secure if it were split into separate public web hosting and private file storage services. In recent years AWS have introduced more visual warnings when customers are making buckets world-readable, but still, if this setting is available, people will set it! Misconfigurations and overly permissive settings in S3 have resulted in many data breaches over the years.
FREE hands-on lab:
https://pwnedlabs.io/labs/aws-s3-enumeration-basics
Follow along with Tyler:
https://www.youtube.com/watch?v=aBzJeG_fTuY&pp=ygUKcHduZWQgbGFicw%3D%3D
Key service: Amazon EC2 🖥️
EC2 (Elastic Compute Cloud) is one of the most popular AWS services, and until early 2023 the EC2 metadata service didn't require authentication by default. The EC2 instance metadata service (IMDS) is a service that is only accessible from the EC2 instance. This metadata can contain sensitive information such as credentials of IAM roles that are attached to the instance.
In 2019 a threat actor exploited a SSRF (Server-Side Request Forgery) vulnerability in a web application belonging to Capital One, that allowed the threat actor to access instance metadata that should not have been accessible remotely. The threat actor found security credentials for an IAM role in the metadata that was found to have extensive permissions in the internal AWS environment. After assuming the role they were able to access data stored in an AWS S3 bucket that contained sensitive information of Capital One customers.
The data breach resulted in the exposure of personal information of over 100 million people in the United States and 6 million people in Canada. The exposed data included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Also compromised were customer status data, credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data.
Let’s replicate this real-world breach and learn about EC2 instance metadata.
FREE hands-on lab:
https://pwnedlabs.io/labs/ssrf-to-pwned
Follow along with Tadi:
https://www.youtube.com/watch?v=wWdp7N6LgCQ
Key service: AWS CloudTrail 🧢
Blue teamers can use AWS CloudTrail to monitor and track user activities and API usage across AWS infrastructure. IAM brute force attacks are a significant threat to the security of AWS cloud environments, with threat actors attempting to gain unauthorized access to cloud environments by repeatedly guessing IAM user credentials. Common credentials brute force techniques include password spraying, which involves trying to login with a large number of potential users and one or two passwords (e.g. <Season><Year>) , or credential stuffing, where a large number of username and password combinations are attempted. In both cases threat actors use tools to automate the attacks.
AWS CloudTrail’s account logging capability, combined with Amazon Athena's querying capability allows security professionals to rapidly analyze logs for suspicious patterns. Blue teamers can get visibility of repeated failed (and successful) login attempts, helping to identify potential IAM breaches or ongoing brute force attacks. Let's get hands-on with these services and see how we can detect malicious behavior.
FREE hands-on lab:
https://pwnedlabs.io/labs/identify-iam-breaches-with-cloudtrail-and-athena
Key service: Amazon RDS 📒
Amazon Relational Database Service (RDS) is a web service that allows for easy set up, operation, and scaling of relational databases in the cloud. One of the most important steps in defense is knowing your installed base of applications and resources, where they are accessible from, and who has permissions over them. Performing frequent inventories of current assets is a low-tech but impactful exercise. In this exercise we highlight the risks of leaving an RDS database exposed to the internet.
FREE hands-on lab:
https://pwnedlabs.io/labs/pillage-exposed-rds-instances
Follow along with Afshan:
https://www.youtube.com/watch?v=Sbvi-5QqQfQ
Industry tool highlight: Splunk ❇️
Now we’ve explored some of the fundamental AWS services, let’s examine an popular tool that can help us secure and detect threats in our AWS environment. Although AWS has some excellent native security services, CloudTrail logs can also be imported to and examined in third-party solutions such as Splunk. Splunk is a powerful SIEM (Security Information and Event Management) tool that is widely used by organizations globally to detect malicious behavior.
Premium hands-on lab:
https://pwnedlabs.io/labs/hunt-in-the-cloud-with-splunk
Follow along with Afshan:
https://www.youtube.com/watch?v=_-_yqPIywjw
Community tool highlight: Cloudfox 🦊
Getting situational awareness is an important step when assessing the security of unfamiliar cloud environments. While penetration testers and red teamers will do this on engagements, it's also a good exercise for blue and purple teamers to undertake periodically. The shifting permissions environment of the cloud can unintentionally expose secrets and open up unintended paths for resource and data access. Cloudfox (created by Seth Art) can do a lot of the heavy lifting for us when getting situational awareness in AWS!
Premium hands-on lab:
https://pwnedlabs.io/labs/get-situational-awareness-in-aws-with-cloudfox
Follow along with Tyler:
https://www.youtube.com/watch?v=-lMpj5RlJaY&list=PLMoaZm9nyKaPBtCuAQVbvhJa8a4HTrZgc
Real-world data breach case study 🔥
This lab examines a real-world scenario with TeamCity instances exposed on the internet. TeamCity is a very popular continuous integration (CI) and continuous delivery (CD) server developed by JetBrains. It provides automation capabilities for building, testing, and deploying software, ensuring that code changes are automatically tested and ready for production. It provides easy integration with cloud services such as AWS, and can store credentials for accessing cloud resources.
The New York Times reported in 2021 that hackers might have leveraged JetBrains TeamCity to infiltrate both U.S. federal government and private sector networks. Searching on shodan.io reveals that over 4000 TeamCity server login pages are exposed to the entire internet.
Premium hands-on lab:
https://pwnedlabs.io/labs/pwn-teamcity-in-the-cloud
Follow along with Tyler:
https://www.youtube.com/watch?v=_N4TFAkF6zM&list=PLMoaZm9nyKaPBtCuAQVbvhJa8a4HTrZgc&index=5
Hot wash 🧽
At this point you have 10 labs under your belt, and are on your way to becoming an AWS security ninja! There are over 30 hours of free AWS labs at Pwned Labs, and lots of premium labs to help prepare for the AWS Certified Security Speciality certification. While the AWS syllabus is comprehensive and provides a solid theoretical basis, you can supplement this with continuous learning using Pwned Labs and gain a more holistic understanding of security in the real-world.
Once you feel ready for the ultimate cloud challenge, the ThunderDome cyber range and a certificate of completion awaits!
Good luck on your AWS Security journey!
- Ian
Let’s connect! - www.linkedin.com/in/iаn-аustin
Useful resources
Pwned Labs Discord
https://discord.gg/pwnedlabs
Pwned Labs Cloud Security Roadmap
https://pwnedlabs.io/roadmaps/cloud-security-engineer/
