Amazon AWS

Portal is available at https://aws.amazon.com/

Assessment Guide

The AWS Assessment Guide provides a basic methodology for performing security assessments against AWS estates.

Basics guides

• https://www.expeditedssl.com/aws-in-plain-english
• Open Guide to AWS - https://github.com/open-guides/og-aws
• https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/
• https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-cloud-need-know/

Tools

• AWS Inventory, list all items within an AWS subscription - https://github.com/nccgroup/aws-inventory
• aws-nuke - List and remove all AWS resouces - https://github.com/rebuy-de/aws-nuke
• CloudMapper, AWS visualisation - https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool
• CloudQuery - The open-source cloud asset inventory powered by SQL - https://www.cloudquery.io/
• CloudSploit, AWS security analyser - https://github.com/cloudsploit/scans
• Former2 - Generate CloudFormation / Terraform / Troposphere templates from your existing AWS resources - https://former2.com/
• Pacu, AWS exploitation framework - https://github.com/RhinoSecurityLabs/pacu
• PMapper, IAM role mapper - https://github.com/nccgroup/PMapper
• ScoutSuite, multi-cloud auditing tool - https://github.com/nccgroup/ScoutSuite
• Steampipe - open-source project, with various mods and plugins, which allows users to treat cloud/SaaS provider APIs as relational databases that can be queried with SQL https://github.com/turbot/steampipe
• Workload Discovery on AWS - AWS Tool to visualize AWS Cloud workloads - https://aws.amazon.com/solutions/implementations/aws-perspective/

A much more comprehensive list is maintained by Toni de la Fuente at https://github.com/toniblyx/my-arsenal-of-aws-security-tools.

Training Resources

• flAWS - AWS security lab - http://flaws.cloud/
• flAWS 2 - AWS security lab - http://flaws2.cloud/
• Cloudgoat - https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/
• Serverless Goat - https://www.owasp.org/index.php/OWASP_Serverless_Goat
• OWASP Damn Vulnerable Serverless Application - https://github.com/OWASP/DVSA

Benchmarks, Best Practices Guides etc

• AWS Security Best Practices - https://aws.amazon.com/whitepapers/aws-security-best-practices/
• AWS Security Guidance - https://aws.amazon.com/security/guidance/
• AWS Security Maturity Model - https://maturitymodel.security.aws.dev/en/model/
• AWS Security Reference Architecture (AWS SRA) - https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html
• CIS Benchmark for AWS - https://www.cisecurity.org/benchmark/amazon_web_services
• Cloud Conformity Ruleset, good list of things to check for various services with associated risk levels - https://www.cloudconformity.com/conformity-rules/
• Cloudformation / API calls for secure configurations - asecure cloud