[CLOUD] Amazon S3 and IAM Services

<aside> 💡 Shadow IT - use of information technology systems, devices, software, applications, and services without explicit IT department approval

</aside>

<aside> 💡 Public Cloud is an easy way for business units to engage in shadow IT.

</aside>

<aside> 💡 Amazon S3 -

• Used as a simple Hosted object storage service. Stored in Buckets.
• Buckets are key-value stores, with object being a full pathname of a file and the value being the contents of the file.
• Buckets use a global namespace.
• Sometimes data gets mixed up, and data that shouldn't be public gets made public
• Discovering bucket names :-
  • S3 links will be in the form
    • http://BUCKETNAME.s3.amazonaws.com/FILENAME.ext
    • http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
• Listing the contents of Buckets :-
  • aws s3 ls s3://irs-form-990/ --no-sign-request
    • -no-sign-request allows you to request data without being an AWS customer
• Downloading Objects :-
  • aws s3 cp s3://irs-form-990/201101319349101615_public.xml . --no-sign-request
• Object permissions are different from bucket permissions
  • Bucket permissions allow you to list the objects in the bucket
  • Object permissions allow you to download the object </aside>

<aside> 💡 AWS IAM (Identity and Access Management) :-

• All requests to AWS services must be signed, which require IAM access keys
• IAM access keys
  • Consist of an access key id and a secret access key
  • Access Key ID
    • Begin with letters 'AKIA' and are 20 characters long
    • Acts as a username for the AWS API
  • Secret Access Key
    • 40 characters long
• When you find credentials to AWS, you can add them to your AWS profile in the CLI with aws configure --profile PROFILENAME
  • This adds entries to the .aws/config and .aws/credentials files
• Now you can execute a command using these credentials
  • aws s3 ls --profile PROFILENAME
  • Never store a set of access keys in the [default] profile. Doing so forces you always to specify a profile and never accidentally run a command against an account you don't intend to.
• A few other common AWS reconnaissance techniques are:
  • Finding the Account ID belonging to an access key:
    • aws sts get-access-key-info --access-key-id AKIAEXAMPLE
  • Determining the Username the access key you're using belongs to
    • aws sts get-caller-identity --profile PROFILENAME
  • Listing all the EC2 instances running in an account
    • aws ec2 describe-instances --output text --profile PROFILENAME
  • Listing all the EC2 instances running in an account in a different region
    • aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
• AWS ARNs (Amazon Resource Names uniquely identify AWS resources)
  • Generate a unique identifier for all resources in the AWS cloud
  • arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name> </aside>

Questions ➖

1 - URL Inspection

2, 3 - Enumeration in s3 services

4 - unzipand grep -r command. file contains all passwords/keys

5 - configure and add details (generally, not in a profile yet)

6 - configure and add details in a profile

7 - list the ec2 instances

8 - secretsmanager list-secrets, secretsmanager get-secret-value --secret-id <name>, secretsmanager get-secret-value --secret-id <name> --region <name>

Last one’s a little lengthy but if done slowly and understood then could be done easily