C3SA Module 06 V1

Uploaded by Hemanth nayak

6. Cloud Basics & Penetration Testing
Cloud Basics

➤ Cloud computing refers to the on-demand delivery and use of computing resources such as servers, software, networking and databases over the Internet.

➤ Providers operate large data centres in various regions and offer capacity from them as services to clients.

➤ It follows a pay-as-you-go model: you run your infrastructure on the provider's premises and pay rent only for what you use.

• Currently, cloud services are offered by leading vendors such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), the three covered in this module.
Cloud Computing Types

Public Cloud
• Owned & managed by a Cloud Service Provider (CSP)
• Clients access the infrastructure from a browser, CLI or API
• Ex : AWS, Azure, GCP

Private Cloud
• Owned & managed by a CSP or hosted on-premise, for a single organisation
• Restricted access, as it is hosted on a private network
• Ex : VMware Cloud, OVH etc.

Hybrid Cloud
• Combines Public + Private Cloud; data & applications are shared between the two
• The components may be located in different places (e.g. an on-premise data centre plus a public cloud region)
• Ex : an on-premise data centre + AWS. Two public clouds used together (AWS + Azure) is usually called multi-cloud rather than hybrid.
Types of Cloud Services

Infrastructure as a Service (IaaS)
• Infrastructure like servers, VMs etc. is managed by the provider & can be used on demand
• Compute, storage, networking & virtualization are provided; the customer manages the OS and everything above it
• As the hardware is managed, there is no requirement to maintain our own physical infra
• Ex : AWS EC2

Platform as a Service (PaaS)
• A platform is provided by the provider to build, run & manage applications
• Storage, networking, tools and OS are all managed by the provider; the customer brings only code and data
• Ex : Azure App Service

Software as a Service (SaaS)
• The provider takes care of the entire IT application stack, from H/W to the application itself
• Ex : Gmail

Ref : https://www.stackscale.com/blog/cloud-service-models/
➤ Cloud Computing Stack (figure, top to bottom)
■ Clients : User Interface
■ Application : Services, Components
■ Platform : Compute, Network, Storage
■ Infrastructure : Servers
Cloud Firewall (security groups)

➤ Cloud firewalls are hosted in the cloud environment. They can protect on-premise as well as cloud resources.

➤ Authorized users can connect to the cloud from anywhere and on any network; the firewall decides which sources, ports and protocols reach each resource.

➤ The main advantage over a physical appliance is that it can be scaled to handle more traffic.
Cloud Services

Compute Services
• AWS : EC2, Lambda, EKS
• Azure : Virtual Machine, Azure Functions
• GCP : Google Compute Engine, Google Cloud Functions

Storage Services
• AWS : S3
• Azure : Blob Storage
• GCP : Cloud Storage

Networking Services
• AWS : Virtual Private Cloud (VPC)
• Azure : Virtual Networks
• GCP : Virtual Private Cloud (VPC)

Database Services
• AWS : RDS
• Azure : SQL Database
• GCP : Cloud SQL

Security Services
• AWS : CloudTrail
• Azure : Log Analytics
• GCP : Event Threat Detection
COMPUTE

➤ Amazon Elastic Compute Cloud (EC2)

■ Virtual servers (instances) in AWS, provisioned from the web console, CLI or API
■ Resources can be scaled as per requirement
■ The physical hardware is shared among customers, but each customer's instances are isolated from the others

➤ Spawn a compute resource in AWS

1. Select Application & OS Image (AMI)
2. Select Instance Type
3. Generate a Key Pair (used to log in)
4. Configure Firewall (security group)
5. Launch the Instance
6. Connect to the Instance

DEMO 1 : Spawning AWS EC2

DEMO 2 : Accessing EC2 from :
1. Linux / Mac Machine
2. Windows Machine
EC2 Security

➤ Four areas to assess : the Virtual Operating System, the Firewall, the Metadata service and the Host Operating System.

➤ Virtual Operating Systems

■ Vulnerabilities baked into the Amazon Machine Image (AMI) template
■ Example : OS-specific vulnerabilities, application-focused vulns etc.
■ Middleware agents pre-installed in the virtual machine that the customer did not ask for and may not know about
■ These installed middleware agents open a new attack surface unknown to the end customers / organizations. The tables below list common provider agents, the OS they run on, and whether their source is open.
Azure agents

Middleware | Operating system | Open source
Open Management Infrastructure (OMI) | Linux | https://github.com/microsoft/omi
Microsoft Azure Guest Agent (WALinuxAgent) | Linux | https://github.com/Azure/WALinuxAgent
Operations Management Suite (OMS) | Linux | https://github.com/microsoft/OMS-Agent-for-Linux
Dependency agent | Linux | No
Azure Pipelines agent | Linux, Windows | https://github.com/microsoft/azure-pipelines-agent
Azure RD Agent Service | Windows | No

GCP agents

Middleware | Operating system | Open source
Google Accounts Daemon | Linux | https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/packages/python-google-compute-engine/google_compute_engine/accounts/accounts_daemon.py
Google OSConfig agent | Windows, Linux | https://github.com/GoogleCloudPlatform/osconfig
Google guest agent | Windows, Linux | https://github.com/GoogleCloudPlatform/guest-agent

AWS agents

Middleware | Operating system | Open source
AWS Systems Manager Agent (SSM Agent) | Windows, Linux, macOS | https://github.com/aws/amazon-ssm-agent
AWS PV Drivers | Windows | No
AWS ECS container agent | Windows, Linux | https://github.com/aws/amazon-ecs-agent
AWS EC2 Hibernation Initialization Agent | Linux | https://github.com/aws/amazon-ec2-hibinit-agent
➤ Metadata Service

■ Metadata is data that describes other data; here, data describing the running instance
■ The instance metadata service (IMDS) provides data we can use to manage the running instance : instance ID, AMI, network details, user data and, if an IAM role is attached, temporary credentials for that role
■ The metadata can be retrieved only from inside the instance, from the link-local address :

http://169.254.169.254/latest/meta-data/

➤ An attacker who can issue HTTP requests from the instance (code execution, or a server-side request forgery in an application hosted there) can read the metadata and steal the instance's role credentials, then use them from anywhere until they expire

➤ Enumeration of the instance, the role attached to it etc. can be done from the same endpoint. IMDSv2 mitigates the SSRF case : a session token must first be obtained with a PUT request and sent in a header on every GET, which most SSRF primitives cannot do, and the instance can be configured to require it
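The exchange described above, as an added example that is not part of the slides: a mock metadata service running on loopback (the role name, instance id and credential values are constructed), a client that enumerates the attached role and pulls its credentials the way an attacker on the box would, and the IMDSv2 token handshake that a bare SSRF cannot perform. The URL paths, the PUT token endpoint and the two X-aws-ec2-metadata-token* headers are the real IMDS ones, so the client functions also work against a real instance when `base` is http://169.254.169.254.

```python
"""Added example (not from the slides): a local stand-in for the EC2 Instance
Metadata Service (IMDS) plus a client that enumerates it the way an attacker
on the box would. The server is a mock on 127.0.0.1 and the role name,
instance id and credentials are constructed values; the paths, the PUT token
endpoint and the two X-aws-ec2-metadata-token* headers are the real IMDS
ones, so the client functions also work against a real instance when `base`
is http://169.254.169.254."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

FAKE_METADATA = {                                   # constructed sample data
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    CREDS_PATH: "web-role",                         # listing -> attached role name
    CREDS_PATH + "web-role": json.dumps({           # role -> temporary credentials
        "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "example/secret/not/real", "Token": "example-session-token",
        "Expiration": "2030-01-01T00:00:00Z"}),
}


class MockImds(BaseHTTPRequestHandler):
    """Serves FAKE_METADATA. When server.require_v2 is set, every GET must carry
    a token issued by a prior PUT to TOKEN_PATH, which is what the instance
    option HttpTokens=required (IMDSv2 only) enforces on a real instance."""
    issued_tokens = set()

    def log_message(self, *_):
        pass

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            token = secrets.token_urlsafe(32)
            self.issued_tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.server.require_v2 and self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            self._reply(401, "unauthorized")        # the IMDSv1-style GET is refused
        elif self.path in FAKE_METADATA:
            self._reply(200, FAKE_METADATA[self.path])
        else:
            self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds(require_v2):
    """Starts the mock on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockImds)
    srv.require_v2 = require_v2
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def get_v2_token(base, ttl=21600):
    """IMDSv2 handshake: a PUT with a TTL header and no body returns a session
    token. An SSRF that can only GET a URL cannot perform this step."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT")
    req.add_header(TTL_HEADER, str(ttl))
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch(base, path, token=None):
    """One metadata GET, sending the session token if we have one; (status, body)."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header(TOKEN_HEADER, token)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def enumerate_role_creds(base, use_v2):
    """List the attached role, then pull its temporary credentials; None if refused."""
    token = get_v2_token(base) if use_v2 else None
    status, role = fetch(base, CREDS_PATH, token)
    if status != 200 or not role:
        return None
    status, body = fetch(base, CREDS_PATH + role, token)
    return json.loads(body) if status == 200 else None


def compare_modes():
    """{(v2_required, client_uses_v2): AccessKeyId or None} for all four combinations."""
    out = {}
    for require_v2 in (False, True):
        srv, base = start_mock_imds(require_v2)
        for use_v2 in (False, True):
            creds = enumerate_role_creds(base, use_v2)
            out[(require_v2, use_v2)] = creds["AccessKeyId"] if creds else None
        srv.shutdown()
    return out
```

compare_modes() shows the one combination that fails: a v1-style client against a v2-only instance. On a real instance the same handshake is a curl with -X PUT to http://169.254.169.254/latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header, and the hardening is "aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required", which makes the token mandatory. The temporary credentials still leak to anyone with code execution on the box, so the role's permissions, not IMDSv2, are the last line of defence.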


STORAGE

Amazon S3

➤ Spawn a Storage resource in AWS

1. Start creating a bucket
2. Specify Region
3. Configure ACLs (keep public access blocked unless the bucket is meant to be public)
4. Create the bucket
5. Upload data to the bucket

DEMO 2 : Creating AWS S3 Bucket
NETWORKING

Virtual Private Cloud

➤ A VPC is a logically isolated private network hosted within a public cloud
➤ A VPC uses the following networking technologies to isolate computing resources from the rest of the public cloud :
■ Subnets (a public subnet has a route to an internet gateway, a private one does not)
■ VLAN
■ VPN
Network Access Control Lists (NACLs)

➤ They are the firewall of the VPC subnets and are applied at the subnet level, to every instance in the subnet.
➤ NACLs are stateless : a rule that allows an incoming request does not automatically allow its response. Return traffic must be explicitly allowed by a rule in the other direction, which is why a working NACL contains outbound (and inbound) allow rules for the ephemeral port range 1024-65535.
➤ Rules are numbered and evaluated in ascending order; the first match decides, and an implicit deny applies if nothing matches.
➤ It supports both allow as well as deny rules.

➤ Security Groups

■ A set of firewall rules that control the traffic for the instance (attached to its network interface).
■ Security groups are stateful : if an inbound request is allowed, its response is allowed out regardless of the outbound rules.
■ They contain allow rules only; anything not allowed is implicitly denied. A rule can name another security group as its source, which is how a database group admits only the web tier.

EXERCISES

Exercise 1 : Setup a Web Server Rule in EC2 Security Group

Exercise 2 : Setup a Database Server Rule in EC2 Security Group
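The NACL and security group behaviour described above, as an added example that is not part of the slides: a small model of both firewalls, with rule sets constructed for the two exercises (a web server open to the Internet, a database reachable only from the web tier) and the capstone's public/private subnet pair. It shows why a stateless NACL needs an outbound rule for ephemeral ports while a stateful security group does not. CIDRs, ports and addresses are illustrative; a real security group would name the web tier's group id as the source instead of its subnet CIDR.

```python
"""Added example (not from the slides): a minimal model of how an AWS Network
ACL (stateless, numbered allow/deny rules, first match wins, applied to a
subnet) and a security group (stateful, allow-only, applied to an instance)
decide on a request and on its reply. Rule sets, CIDRs and ports are
constructed for the web-server and database-server exercises."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected subnet/instance
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str           # remote side: source CIDR for "in", destination CIDR for "out"
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs also accept "deny"; security groups are allow-only
    number: int = 100       # NACL evaluation order; not used by security groups

    def matches(self, p):
        remote = p.src if p.direction == "in" else p.dst
        return (self.direction == p.direction
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
                and self.port_from <= p.dst_port <= self.port_to)


def nacl_decide(rules, p):
    """Lowest rule number first; the first match decides; the trailing
    implicit '*' rule denies. Every packet is judged on its own."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action
    return "deny"


class SecurityGroup:
    """Allow rules only, plus a connection-tracking table: the reply to an
    allowed packet is allowed whatever the rules for that direction say."""

    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "SGs have no deny rules"
        self.rules = rules
        self.flows = set()

    def decide(self, p):
        if (p.dst, p.dst_port, p.src, p.src_port) in self.flows:
            return "allow"                         # reply to a tracked flow
        if any(r.matches(p) for r in self.rules):
            self.flows.add((p.src, p.src_port, p.dst, p.dst_port))
            return "allow"
        return "deny"                              # implicit deny


# Public web subnet NACL: exercise 1 plus the return-traffic rules it needs
WEB_NACL = [
    Rule("in", "198.51.100.0/24", 0, 65535, "deny", 90),    # known scanner range; 90 beats 100
    Rule("in", "0.0.0.0/0", 80, 80, "allow", 100),
    Rule("in", "0.0.0.0/0", 443, 443, "allow", 110),
    Rule("in", "0.0.0.0/0", 1024, 65535, "allow", 120),    # replies to the subnet's own outbound connections
    Rule("out", "0.0.0.0/0", 1024, 65535, "allow", 100),   # replies to clients on their ephemeral ports
    Rule("out", "10.0.2.0/24", 3306, 3306, "allow", 110),  # to the private database subnet
]
WEB_SG_RULES = [
    Rule("in", "0.0.0.0/0", 80, 80),
    Rule("in", "0.0.0.0/0", 443, 443),
    Rule("out", "10.0.2.0/24", 3306, 3306),
]
DB_SG_RULES = [Rule("in", "10.0.1.0/24", 3306, 3306)]      # exercise 2: only the web subnet


def http_exchange(nacl_rules, sg, client="203.0.113.7", server="10.0.1.10"):
    """An HTTP request from the client and the server's reply, judged by the
    NACL and the security group: (nacl_request, nacl_reply, sg_request, sg_reply)."""
    request = Packet("in", client, server, 51000, 80)
    reply = Packet("out", server, client, 80, 51000)
    return (nacl_decide(nacl_rules, request), nacl_decide(nacl_rules, reply),
            sg.decide(request), sg.decide(reply))


def without_ephemeral_egress(nacl_rules):
    """The NACL a beginner writes: inbound 80/443 allowed, no outbound rule for replies."""
    return [r for r in nacl_rules if not (r.direction == "out" and r.port_from == 1024)]
```

With the full WEB_NACL the exchange is allowed end to end; with without_ephemeral_egress(WEB_NACL) the request still enters but the reply is dropped at the subnet boundary, which is the classic "the instance is up, the security group is right, and the browser still hangs" symptom. The security group allows the reply in both cases because it tracked the flow.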


AWS SECURITY SERVICES

➤ CloudWatch
■ It monitors AWS resources and applications in real time
■ Alarms can be created on resource metrics, e.g. CPU above a threshold or a count of failed logins
■ AWS services such as EC2 publish metrics into a repository; CloudWatch retrieves them and computes statistics on those metrics
■ Many AWS services publish CloudWatch metrics (see the reference for the list)

Ref : https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_architecture.html
➤ CloudTrail
■ Actions taken by a user, role or AWS service are recorded as events (API calls and console sign-ins)
■ It enables auditing and security monitoring by tracking user activity and API usage; every enumeration or privilege-escalation attempt made with stolen credentials is an API call that CloudTrail can record
■ CloudWatch monitors performance, whereas CloudTrail monitors actions in the AWS environment

Ref : https://www.whizlabs.com/wp-content/uploads/2016/12/AWS-Article2-1.jpg
➤ Amazon GuardDuty

■ Threat detection service that continuously monitors for malicious activity and unauthorized behaviour in AWS accounts
■ Covers Amazon S3, workloads and AWS accounts, analysing CloudTrail events, VPC flow logs & DNS logs

Case Study 1 : Threat Detection – Compromised EC2 Instance
https://scalesec.com/blog/threat-detection-with-aws-guardduty/

Case Study 2 : Threat Detection – Compromised IAM Credentials
https://scalesec.com/blog/threat-detection-with-aws-guardduty/
➤ AWS WAF & Shield

■ AWS WAF is a web application firewall that inspects web requests forwarded to API Gateway, CloudFront & Application Load Balancer
■ It can rate-limit web traffic and block common attack patterns (SQL injection, cross-site scripting, bad bots)
■ AWS WAF works with : Web ACLs, Rules & Rule Groups
■ The "AWS Managed Rules" feature provides protection against common vulnerabilities out of the box, apart from the custom rule writing functionality
■ AWS Shield provides DDoS protection; Shield Standard is enabled by default for all AWS customers
IDENTITY AND ACCESS MANAGEMENT (IAM):

➤ IAM

■ IAM enables administrators to control "who" can perform "what" actions in an AWS account
■ Users / services are denied by default; they can access resources only once they are granted explicit permissions
■ Permissions are generally assigned to each IAM entity. For example :
● Backend Developer -> Access to Amazon S3

■ An IAM user can hold three kinds of credentials : a console password, an MFA device and access keys (for CLI / API use)
➤ IAM Policies

■ Permissions are assigned using policies
■ Policies can grant identity-based as well as resource-based permissions
■ A policy contains statements (permissions in JSON) that detail the following :

Who                 : Yash (IAM User)
What actions        : Can GET/PUT objects in S3
Which AWS resources : * (all)
When                : Till 31st March 2024
Where               : From the XYZ IP range
How                 : Only after MFA

Permissions

Identity-based permissions (attached to the principal)
• IAM User : Can Read, Write, List
• On Resource : Prod-Folder

Resource-based permissions (attached to the resource)
• Prod Folder
• IAM User 1 : Can Read, Write, List
• IAM User 2 : Can Read, List
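The Who/What/Which/When/Where/How table and the Prod-Folder example written out as real policy documents, plus a small evaluator, as an added example that is not part of the slides. The evaluator applies the AWS decision order (an explicit Deny anywhere wins, otherwise an Allow from an identity-based or same-account resource-based policy wins, otherwise the request is implicitly denied) and implements only the condition operators these two policies use. The account id, ARNs, bucket name and IP range are constructed.

```python
"""Added example (not from the slides): the Who/What/Which/When/Where/How
table as an identity-based policy, a bucket policy for the Prod-Folder
example, and a small evaluator applying the AWS decision order: an explicit
Deny anywhere wins, else an Allow from an identity-based or (same-account)
resource-based policy wins, else implicit deny. Only the condition operators
these policies use are implemented. Account id, ARNs, bucket name and IP
range are constructed."""
import fnmatch
import ipaddress
from datetime import datetime

ACCOUNT = "111122223333"
YASH, USER1, USER2 = ("arn:aws:iam::%s:user/%s" % (ACCOUNT, u) for u in ("Yash", "user1", "user2"))
PROD = ["arn:aws:s3:::prod-folder", "arn:aws:s3:::prod-folder/*"]

# Identity-based policy attached to Yash: GET/PUT objects on any resource,
# until 31 March 2024, from one IP range, only with MFA.
YASH_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-03-31T23:59:59Z"},
                  "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Resource-based policy on the bucket: user1 read/write/list, user2 read/list,
# and an explicit Deny for anyone not using TLS.
PROD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER1}, "Resource": PROD,
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]},
    {"Effect": "Allow", "Principal": {"AWS": USER2}, "Resource": PROD,
     "Action": ["s3:GetObject", "s3:ListBucket"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": PROD,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _match(patterns, value, fold_case=False):
    """IAM-style glob match; action names are case-insensitive, ARNs are not."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:                      # a missing key never satisfies these operators
                return False
            if operator == "IpAddress":
                ok = ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
            elif operator == "Bool":
                ok = str(actual).lower() == expected.lower()
            elif operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(expected)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(principal, action, resource, ctx, identity_policies, resource_policies):
    """Returns 'allow' or 'deny' for one request."""
    decision = "deny"                                # implicit deny until an Allow matches
    tagged = [(p, False) for p in identity_policies] + [(p, True) for p in resource_policies]
    for policy, is_resource_policy in tagged:
        for st in policy["Statement"]:
            if is_resource_policy:
                who = st["Principal"]
                if who != "*" and not _match(who.get("AWS", []), principal):
                    continue
            if not (_match(st["Action"], action, True) and _match(st["Resource"], resource)
                    and _conditions_hold(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "deny"                        # explicit deny always wins
            decision = "allow"
    return decision


def s3_request(principal, action, key, ip="203.0.113.10", mfa=True, https=True,
               when="2024-02-01T09:00:00Z"):
    """Evaluates one S3 call against Yash's identity policy (when the caller
    is Yash) and the bucket policy, with the request context IAM would see."""
    ctx = {"aws:SourceIp": ip, "aws:MultiFactorAuthPresent": mfa,
           "aws:SecureTransport": https, "aws:CurrentTime": when}
    return evaluate(principal, action, "arn:aws:s3:::prod-folder/" + key, ctx,
                    [YASH_POLICY] if principal == YASH else [], [PROD_BUCKET_POLICY])
```

Two things the table alone does not show: user2 gets read access with no identity-based policy at all, because a same-account resource-based Allow is sufficient on its own; and Yash's identity-based Allow is overridden the moment the bucket's Deny statement matches (a plain-HTTP request), which is why pentesters read bucket policies even when the user's own permissions look generous.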
➤ IAM Roles

■ Roles are used when you do not want to share long-term security credentials (the root user's or any user's)
■ A role is an identity with permission policies that determine what whoever assumes it can or cannot do
■ It can be assumed by any principal the administrator has granted permission to assume it
■ Two permissions are involved :
● On the principal (who will assume the role) : an identity-based policy allowing sts:AssumeRole on the role
● On the role (who may assume it) : the trust policy, a resource-based policy listing the allowed principals
■ Roles are generally preferred over long-term credentials, as nothing permanent is shared; assuming a role yields temporary credentials that expire
■ Least privilege applies here too : grant the role only the permissions the task needs

Role assumption flow (figure) :
1. The IAM user authenticates
2. XYZ-role is assumed; IAM User – identity-based permission (may assume the role), XYZ Role – resource-based permission (trusts the user)

DEMO 3 : Creating IAM User with S3 Full Access

DEMO : Creating IAM User & Authenticate using CLI
Google Cloud Platform (GCP)

Google Compute Engine (GCE)

➤ It is Google's IaaS (Infrastructure as a Service) offering that provides virtual machines (VMs)
➤ Users can select a machine type, customize it and spawn it within seconds

DEMO : Google Compute Engine (GCE)
GCE Firewall Rules

➤ Firewall rules are defined at the VPC network level & apply only to instances in that network
➤ Explicit ingress / egress rules with Deny / Allow actions can be defined; each rule has a priority (0-65535, lower number wins), and every network has implied rules that deny all ingress and allow all egress at the lowest priority
➤ Network tags (or service accounts) are set on the Compute Engine instance; a rule whose target tags match then applies to that instance, and a rule with no target applies to all instances in the network

DEMO : GCE Firewall Rules
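The rule selection described above, as an added example that is not part of the slides: a model of how Compute Engine picks the winning firewall rule for a packet, including priority ordering, the deny-beats-allow tie-break, target tags and the two implied rules. Rule names, tags and CIDRs are constructed; the semantics (priority 0-65535, lower wins, implied deny-ingress and allow-egress at 65535) are Google's.

```python
"""Added example (not from the slides): how Compute Engine picks the firewall
rule that applies to a packet. Rules belong to a VPC network and carry a
direction, an allow/deny action, a priority (0-65535, lower number wins,
deny beats allow on a tie) and optional target tags; a rule with no target
applies to every instance in the network. Every network also has two implied
rules at priority 65535: allow all egress, deny all ingress. Rule names,
tags and CIDRs below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FwRule:
    name: str
    direction: str              # "INGRESS" or "EGRESS"
    action: str                 # "allow" or "deny"
    ports: tuple                # ((lo, hi), ...); ((0, 65535),) means all ports
    cidr: str                   # source range for ingress, destination range for egress
    priority: int = 1000
    target_tags: tuple = ()     # () = applies to all instances in the network


IMPLIED_RULES = [
    FwRule("implied-allow-egress", "EGRESS", "allow", ((0, 65535),), "0.0.0.0/0", 65535),
    FwRule("implied-deny-ingress", "INGRESS", "deny", ((0, 65535),), "0.0.0.0/0", 65535),
]

NETWORK_RULES = [
    FwRule("allow-web", "INGRESS", "allow", ((80, 80), (443, 443)), "0.0.0.0/0", 1000, ("web",)),
    FwRule("allow-ssh-from-bastion", "INGRESS", "allow", ((22, 22),), "10.0.0.5/32", 800, ("web", "db")),
    FwRule("deny-ssh-from-anywhere", "INGRESS", "deny", ((22, 22),), "0.0.0.0/0", 900),
    FwRule("allow-db-from-web-subnet", "INGRESS", "allow", ((3306, 3306),), "10.0.1.0/24", 1000, ("db",)),
    FwRule("allow-8080-all", "INGRESS", "allow", ((8080, 8080),), "0.0.0.0/0", 1000, ("web",)),
    FwRule("deny-8080-scanner", "INGRESS", "deny", ((8080, 8080),), "198.51.100.0/24", 1000, ("web",)),
    FwRule("deny-smtp-egress", "EGRESS", "deny", ((25, 25),), "0.0.0.0/0", 1000),
]


def decide(rules, instance_tags, direction, remote_ip, port):
    """Returns (action, rule_name) of the winning rule for this packet."""
    ordered = sorted(rules + IMPLIED_RULES,
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for r in ordered:
        if r.direction != direction:
            continue
        if r.target_tags and not set(r.target_tags) & set(instance_tags):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r.cidr):
            continue
        if not any(lo <= port <= hi for lo, hi in r.ports):
            continue
        return r.action, r.name
    raise RuntimeError("unreachable: the implied rules match every packet")
```

The bastion allow sits at priority 800 on purpose: at 1000 it would lose to deny-ssh-from-anywhere at 900, and SSH from the bastion would be silently blocked. When auditing a project, sort the rules by priority and read them in that order; the console's default listing does not.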
Google Storage

➤ Cloud Storage is a service for storing objects in Google Cloud
➤ Storage contains buckets, in which we place objects such as files
➤ Permissions on buckets and objects are assigned to IAM principals (users, groups, service accounts)

DEMO : GCP Storage

IAM

➤ IAM enables administrators to control "who" can perform "what" actions in a GCP project
➤ Users / services are denied by default; they can access resources only once they are granted explicit permissions
➤ GCP IAM roles contain a set of permissions that determine which operations can be used on a specific resource
➤ GCP IAM policies define which identities have what kind of access to the resource they are attached to
➤ Role types : Basic (Owner, Editor, Viewer; very broad), Predefined (per service, maintained by Google) and Custom (your own permission set)

DEMO : GCP IAM User
Microsoft Azure

Azure Virtual Machine

➤ They are image-based compute instances that provide on-demand and scalable computing resources with usage-based pricing
➤ Access the spawned machine using SSH, RDP or the browser-based console

DEMO : Azure Virtual Machine

Network Security Group (NSG)

➤ An NSG filters traffic at the network level : a list of prioritised allow / deny rules controls which inbound and outbound traffic reaches the Azure resources it is attached to (a subnet or a network interface)
➤ It is Azure's network security firewall, roughly the equivalent of an AWS security group plus NACL

DEMO : Azure VM Network Security Groups
Azure Blob Storage

➤ Azure Blob Storage is Microsoft's object storage solution for the cloud
➤ A storage account has containers, which store blobs

DEMO : Azure Blobs

Azure Active Directory

➤ Azure Active Directory (Azure AD, now Microsoft Entra ID) is a cloud-based identity and access management service
➤ This service helps employees access external resources such as Microsoft 365, the Azure portal and thousands of other SaaS applications

DEMO : Azure Active Directory
Penetration Testing in Cloud Environment

➤ Scout Suite

■ Open-source, multi-cloud security auditing tool from NCC Group. It queries the provider's APIs with the credentials you give it, gathers configuration data (IAM, storage, networking, logging) and produces an HTML report that flags risky settings such as public buckets, open security groups and over-privileged policies
■ It needs only read-only credentials; run it as a configuration review, not as an exploitation tool

https://github.com/nccgroup/ScoutSuite

EXERCISE

Exercise : Configure, Run & Create a report of Assessment using ScoutSuite
Module 6 : Capstone Project

➤ Thoroughly understand the two GuardDuty case studies (Compromised EC2 Instance, Compromised IAM Credentials)
➤ Create a VPC having 2 subnets, each containing an EC2 instance. One subnet must be public & the other private. The public instance must be reachable from the Internet by its public IP (implement NACLs & SGs), and the public instance must be able to communicate with the private one & vice-versa
➤ Explore, understand & configure ScoutSuite in a VM environment
Thank You
For Professional Red Team / Blue Team / Purple Team, Cloud Cyber Range labs / Courses / Trainings, please contact

[email protected]

To know more about our offerings, please visit:

https://cyberwarfare.live