In this post, we covered AWS cloud security enumeration such as bucket and container images enumeration. We used Lab material from TryHackMe Advent of Cyber 3 Day 17 and 18.
Amazon AWS is a public cloud service provider. As of their most recent financial disclosures, AWS accounts for the bulk of Amazon’s profit. Most major enterprises leverage AWS in some form or another for Compute Services, Big Data or Machine Learning, Data Archive, Video Streaming, IoT, etc.
Amazon S3 (Simple Storage Service) is their hosted object storage service. Objects are stored in Buckets. To highly simplify the concept of object storage, Buckets are key-value stores, with the Object Key being a full pathname for a file and the value being the contents of the file. S3 is a publicly hosted service – it doesn’t exist behind a corporate firewall, making it convenient for hosting public content. AWS has an entire feature set around hosting a public website in S3.
In Amazon S3, Object permissions are different from Bucket permissions. Bucket permissions allow you to list the objects in a bucket, while the object’s permissions will enable you to download the object. In the case of the irs-form-990 bucket, both the bucket and all the objects in the bucket are publicly readable. But that doesn’t have to be the case. Objects can be readable while the bucket is not, or the bucket can be publicly readable, but the Objects are not.
Excluding a few older services like Amazon S3, all requests to AWS services must be signed. This is typically done behind the scenes by the AWS CLI or the various Software development Kits that AWS provides. The signing process leverages IAM Access Keys. These access keys are one of the primary ways an AWS account is compromised.
IAM Access Keys
IAM Access Keys consist of an Access Key ID and the Secret Access Key.
Access Key IDs always begin with the letters AKIA and are 20 characters long. These act as a user name for the AWS API. The Secret Access Key is 40 characters long. AWS generates both strings; however, AWS doesn’t make the Secret Access Key available to download after the initial generation.
There is another type of credentials, short-term credentials, where the Access Key ID begins with the letters ASIA and includes an additional string called the Session Token.
Advent of Cyber 3 Day 17 Answers
What is the name of the S3 Bucket used to host the HR Website announcement?
What is the message left in the flag.txt object from that bucket?
It’s easy to get your elves data when you leave it so easy to find!
What other file in that bucket looks interesting to you?
What is the AWS Access Key ID in that file?
What is the AWS Account ID that access-key works for?
What is the Username for that access-key?
There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?
What is the database password stored in Secrets Manager?