This presentation is an overview of available tools and techniques for conducting a reconnaissance phase against AWS services – the first step in a cyber kill chain. Starting with almost no information, e.g. knowing only the company name or an AWS account ID, I’ll go through all potential paths to find any valuable information about the target. First, I’ll present which services can be public and why that is possible. I’ll present different techniques for discovering such public resources and what can be found there. Then, I want to go through “classic” OSINT methods to find misconfigured AWS service configurations, such as misconfigured roles’ trust policies. Furthermore, I’ll show various attack vectors that can be applied based on the reconnaissance results, like enumerating role names. Finally, I’ll release the Cloud Custodian scripts, which can easily be applied to protect anyone from such public leaks.
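As an added illustration of the kind of trust-policy misconfiguration the abstract refers to (this is example code written for this page, not the speaker’s Cloud Custodian scripts), the script below audits IAM role trust-policy documents from a defender’s side. It flags statements that let any AWS principal assume the role, statements that trust an account outside an allow-list, and cross-account trusts that lack an `sts:ExternalId` condition. The account IDs, the `ALLOWED_ACCOUNTS` set and the four sample policies are constructed for the example.

```python
"""Audit IAM role trust policies for overly permissive principals.

Added example for this page, not the talk's own tooling. It walks the
statements of a trust-policy document (the JSON you get back from
`aws iam get-role` under AssumeRolePolicyDocument) and reports the
conditions that commonly let anyone, or an unexpected account, assume
the role. ALLOWED_ACCOUNTS and the sample policies are constructed.
"""

# Constructed: accounts that are legitimately allowed to assume our roles.
ALLOWED_ACCOUNTS = {"111111111111"}

# Actions that grant the right to assume a role.
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithWebIdentity",
                  "sts:AssumeRoleWithSAML", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account id from an ARN or a bare account id."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None


def find_trust_issues(policy, allowed_accounts=ALLOWED_ACCOUNTS):
    """Return (code, statement_index, detail) tuples for one trust policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        # Flatten {"StringEquals": {"sts:ExternalId": ...}} into the key set.
        condition_keys = {k for block in condition.values() for k in block}
        # Principal may be the bare string "*" or a map such as {"AWS": [...]}.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                detail = "any AWS principal may assume this role"
                if not condition:
                    detail += " (no Condition block restricts it)"
                findings.append(("WILDCARD_PRINCIPAL", idx, detail))
                continue
            account = _account_of(p)
            if account and account not in allowed_accounts:
                findings.append(("EXTERNAL_ACCOUNT", idx, f"trusts account {account}"))
                if "sts:ExternalId" not in condition_keys:
                    findings.append(("MISSING_EXTERNAL_ID", idx,
                                     f"cross-account trust of {account} has no sts:ExternalId condition"))
    return findings


# ---- Constructed sample trust policies -------------------------------------
SERVICE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

PUBLIC_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

CROSS_ACCOUNT_NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]}

CROSS_ACCOUNT_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}]}


def audit_all(policies):
    """Audit a {role_name: trust_policy} mapping; roles with no findings are omitted."""
    report = {}
    for name, policy in policies.items():
        issues = find_trust_issues(policy)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    samples = {"service-role": SERVICE_TRUST, "public-role": PUBLIC_TRUST,
               "partner-role": CROSS_ACCOUNT_NO_EXTERNAL_ID,
               "partner-role-ok": CROSS_ACCOUNT_WITH_EXTERNAL_ID}
    for role, issues in audit_all(samples).items():
        for code, idx, detail in issues:
            print(f"{role}: statement {idx}: {code}: {detail}")
```

In practice you would feed `find_trust_issues` the documents returned by the IAM API or by a Cloud Custodian `iam-role` policy and treat `WILDCARD_PRINCIPAL` as a finding to fix immediately; `EXTERNAL_ACCOUNT` is only a finding if the account is not on your own allow-list, which is why the set is a parameter.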
The goal of my presentation is to give practical instructions on collecting AWS-related information to penetration testers and red teamers, as well as practical instructions to administrators on how to defend against such leaks. Additionally, I’d like to raise awareness of lesser-known reconnaissance techniques among all cloud users and security folks.