Tech with Tyler

Enumerate AWS Public Resources

Public resources like EBS and RDS snapshots or SSM Documents can lead to data and credential leaks.

Dangers of Public Resources

  • Many AWS resources can become public, whether intentionally or not, and these resources may contain sensitive data and/or credentials that may lead to a compromised environment

  • There are legitimate use cases for exposing resources publicly (such as providing customers with easy access), but due diligence should be performed to ensure sensitive data and credentials are not contained in these resources


S3 Buckets

  • Since all S3 buckets have a unique URL, they can be discovered automatically

  • cloudenum works by brute-forcing bucket names and reporting whether each bucket exists based on HTTP status codes. If a bucket is discovered, it attempts to list its contents (s3:ListBucket)

# python3 ./cloud_enum.py -k tylerexposedbucket234 --disable-gcp --disable-azure

[+] Checking for S3 buckets
  OPEN S3 BUCKET: http://tylerexposedbucket234.s3.amazonaws.com/
      FILES:
      ->http://tylerexposedbucket234.s3.amazonaws.com/tylerexposedbucket234
      ->http://tylerexposedbucket234.s3.amazonaws.com/dogs.txt
      ->http://tylerexposedbucket234.s3.amazonaws.com/secrets.txt
  Protected S3 Bucket: http://tyler.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler-1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler2.s3.amazonaws.com/

EBS Snapshots

  • EBS Snapshots are backups of EC2 instances

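# list all public snapshots in the current region
aws ec2 describe-snapshots --restorable-by-user-ids all

# list public snapshots owned by a specific account
aws ec2 describe-snapshots --owner-ids 222222222222 --restorable-by-user-ids all

#!/bin/bash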

# Description: Finds all public ebs snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public EBS snapshots in region: $region"
    
    # check for snapshots in region
    aws ec2 describe-snapshots --owner-ids $account --restorable-by-user-ids all --region "$region" | jq -r '.Snapshots[]'
done

# reset IFS
unset IFS

RDS Snapshots

  • RDS Snapshots are backups of RDS Databases

# list snapshots visible to you, including public ones
aws rds describe-db-snapshots --include-public

# keep only snapshots whose identifier contains the account ID
export account='111111111111'
aws rds describe-db-snapshots --include-public | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'

# list only public snapshots
aws rds describe-db-snapshots --snapshot-type public

#!/bin/bash

# Description: Finds all public rds snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public RDS snapshots in region: $region"
    
    # check for snapshots in region
    aws rds describe-db-snapshots --include-public --region $region | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'
done

# reset IFS
unset IFS
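
The listing commands above only surface snapshots shared with `all`. The following added example (not code from the original page) classifies the per-snapshot sharing attributes so that shares to specific accounts are reviewed too. It assumes responses shaped like `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` and `aws rds describe-db-snapshot-attributes`; the snapshot names, the account `333333333333` and the `TRUSTED_ACCOUNTS` allow-list are constructed for illustration.

```python
# Constructed sample responses (not real resources).
EBS_SAMPLES = [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa",
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb",
     "CreateVolumePermissions": [{"UserId": "333333333333"}]},
    {"SnapshotId": "snap-0cccccccccccccccc", "CreateVolumePermissions": []},
]
RDS_SAMPLES = [
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "db-backup-a",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "db-backup-b",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["222222222222"]}]}},
]
# Assumption: accounts you intentionally share snapshots with.
TRUSTED_ACCOUNTS = {"222222222222"}

def ebs_principals(resp):
    """Principals allowed to create volumes from an EBS snapshot."""
    # Each entry is either {"Group": "all"} or {"UserId": "<account id>"}.
    return [p.get("Group") or p.get("UserId")
            for p in resp.get("CreateVolumePermissions", [])]

def rds_principals(resp):
    """Principals allowed to restore an RDS snapshot."""
    attrs = resp["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
    return [v for a in attrs if a["AttributeName"] == "restore"
            for v in a.get("AttributeValues", [])]

def classify(principals, trusted=TRUSTED_ACCOUNTS):
    """Map a principal list to PUBLIC / SHARED_UNTRUSTED / SHARED_TRUSTED / PRIVATE."""
    if "all" in principals:
        return "PUBLIC"
    if any(p not in trusted for p in principals):
        return "SHARED_UNTRUSTED"
    return "SHARED_TRUSTED" if principals else "PRIVATE"

def audit():
    """Return {snapshot identifier: sharing state} for the sample responses."""
    report = {r["SnapshotId"]: classify(ebs_principals(r)) for r in EBS_SAMPLES}
    for r in RDS_SAMPLES:
        name = r["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
        report[name] = classify(rds_principals(r))
    return report

print(audit())
```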

SSM Documents

  • SSM Documents allow for running commands and automation

  • These may contain sensitive information

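#!/bin/bash

# Description: Reports whether each SSM document owned by the account is shared publicly

# Variables
RED="\033[31m"
RESET="\033[0m"

# names of the SSM documents owned by the account
my_ssm_docs=$(aws ssm list-documents | jq -r '.DocumentIdentifiers[] | select(.Owner | contains("111111111111")) | (.Name)')

for doc in $my_ssm_docs; do
    # account IDs the document is shared with; "all" means public
    status=$(aws ssm describe-document-permission --name "$doc" --permission-type Share | jq -r '.AccountIds[]')

    if [ "$status" != "all" ]; then
        echo "The $doc is not public."
    else
        # -e makes echo interpret the colour escape sequences
        echo -e "${RED}The $doc is PUBLIC.${RESET}"
    fi
done

# view the content of a document
aws ssm get-document --name <documentName> | jq -r '.Content'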
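
Because document content may contain sensitive information, it is worth scanning before a document is shared. The following added example (not code from the original page) checks the JSON returned by the `get-document` command above for hard-coded AWS access key IDs, private key blocks and secret-named parameters that carry a default value. It assumes the document content is JSON; the sample document, pattern set and finding labels are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like `aws ssm get-document ... | jq -r '.Content'`.
# The key ID is the AWS documentation example value, not a live credential.
SAMPLE_CONTENT = json.dumps({
    "schemaVersion": "2.2",
    "parameters": {
        "DbPassword": {"type": "String", "default": "Sup3rS3cret!"},
        "ApiToken": {"type": "String"},  # no default: supplied at run time
        "Region": {"type": "String", "default": "us-east-1"},
    },
    "mainSteps": [{
        "action": "aws:runShellScript", "name": "configure",
        "inputs": {"runCommand": [
            "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        ]},
    }],
})

VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
SECRET_NAME = re.compile(r"pass(?:word)?|secret|token|api[_-]?key", re.I)

def walk(node, path="$"):
    """Yield (json_path, string) for every string value in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_document(content):
    """Return (finding, json_path) pairs; secret values are never echoed."""
    doc = json.loads(content)
    findings = [(label, path) for path, text in walk(doc)
                for label, rx in VALUE_PATTERNS.items() if rx.search(text)]
    for name, spec in doc.get("parameters", {}).items():
        if SECRET_NAME.search(name) and spec.get("default"):
            findings.append(("secret-parameter-default", f"$.parameters.{name}"))
    return findings

for finding, path in scan_document(SAMPLE_CONTENT):
    print(f"{finding}: {path}")
```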
Last updated 4 months ago

  • dsnap is a useful tool for downloading snapshots for local inspection; otherwise you can create an EC2 in your AWS account with the snapshot