Skip to content

AWS Pentest

The NodeZero AWS Pentest is a gray-box style pentest that utilizes a role with read only permissions to comprehensively assess the security of your AWS accounts.

Why should I run a NodeZero AWS Pentest?
How to Run an AWS Pentest

Why should I run a NodeZero AWS Pentest?

An AWS pentest is a security test focused on determining the exploitable weaknesses that exist in an AWS account that an attacker could utilize to negatively impact the organization.

The NodeZero AWS Pentest is a gray-box style pentest because without being able to see what exists in an AWS account it is impossible to assess the security of it. With read-only permissions NodeZero gains a comprehensive view of your AWS account and is able to determine the exploitable weaknesses that could most negatively impact your organization.

While a black-box pentest is the most realistic, a gray-box approach is often necessary to find the most critical weaknesses that given enough time an attacker will find.

How to Run an AWS Pentest

To conduct an AWS Pentest you must first set up an AWS cloud connection. An AWS cloud connection is what enables NodeZero to assume a role in your AWS account. These cloud connections are long-lived, meaning you only need to set up one cloud connection for each of your AWS accounts. An AWS Pentest can utilize more than one connection.

Create an AWS Cloud Connection

1. Navigate to Cloud Connections

Navigate to the Cloud Connections page, you will need to create a cloud connection for each of your AWS accounts you would like to test.

Screenshot

2. Click create Cloud Connection

On the Cloud Connections page, click + Connection to open the connection creation form.

3. Configure the Cloud Connection

Name the Cloud Connection, enter an AWS account ID, select the IAM policy you want the connection to use and, if desired, add an expiration date. Click Submit.

Which IAM policy should I choose?

  • SecurityAudit: An AWS Managed Policy that only grants access to read security configuration metadata. This allows NodeZero to analyze IAM and security configurations of cloud resources.
  • ReadOnlyAccess: An AWS Managed Policy that provides read-only access to all AWS services and resources. This allows NodeZero to analyze IAM, security configurations of cloud resources, and sensitive information stored in cloud resources such as S3 buckets and Lambda functions.

Screenshot

4. Launch the CloudFormation Stack

What permissions are needed to deploy the CloudFormation stack?

  • cloudformation:CreateStack
  • iam:GetRole
  • iam:CreateRole
  • iam:PutRole
  • iam:AttachRolePolicy

Log in to the AWS account you specified in the previous step.

Click the CloudFormation Launch Stack button.

Screenshot

You will be re-directed to a pre-populated AWS "Quick create stack" form. Select the I acknowledge check-box and click Create Stack.

Screenshot

AWS CLI

Instead of using the Launch Stack button, you can use the AWS CLI and the CloudFormation CLI command provided in the Create Connection form.

5. Verify that the Connection was created properly

After the CloudFormation stack has successfully been created, click the Verify Connection button to confirm that the role was created properly. Cloud connections will be automatically re-verified once every 24 hours. You can manually re-verify a connection by using the action menu in the connection table.

Screenshot

Create AWS Cloud Connections in Bulk

Advanced

The bulk connection setup process is intended for experienced users familiar with AWS IAM and AWS CloudFormation StackSets. The setup process utilizes AWS CloudFormation StackSets to setup the cloud connections in all of your selected AWS accounts from a single account.

1. Navigate to Cloud Connections

Navigate to the Cloud Connections page, you will need to create a cloud connection for each of your AWS accounts you would like to test.

Screenshot

2. Click create Cloud Connection

On the Cloud Connections page, click + Connection to open the connection creation form and select Bulk.

3. Configure the Cloud Connection

Name the Cloud Connection and provide a list of comma separated AWS account IDs. Select the IAM policy you want the connection to use and, if desired, add an expiration date. Click Submit.

Which IAM policy should I choose?

  • SecurityAudit: An AWS Managed Policy that only grants access to read security configuration metadata. This allows NodeZero to analyze IAM and security configurations of cloud resources.
  • ReadOnlyAccess: An AWS Managed Policy that provides read-only access to all AWS services and resources. This allows NodeZero to analyze IAM, security configurations of cloud resources, and sensitive information stored in cloud resources such as S3 buckets and Lambda functions.

Screenshot

4. Run the CloudFormation StackSets Deployment Script

Configure a terminal with the AWS CLI and authenticate to your AWS StackSets administrator account. In the terminal, run the CloudFormation StackSets deployment script that was copied from the module displayed above.

5. Verify the Connections were created properly

After the deployment script runs and both the StackSet and StackSet instances have successfully been created, click the Verify Connections button to confirm that the role was created properly.

Cloud connections will be automatically re-verified once every 24 hours.

Start an AWS Pentest

1. Navigate to Pentests to Run an AWS Pentest

Once a Cloud Connection is created and verified, you may navigate to the Pentests page to start an AWS pentest. Click + Run Pentest to open the Pentest Configuration and select the Identity Attack Surface test category.

Screenshot

Then select AWS Pentest.

Screenshot

2. Configure the AWS Pentest

2.1 Select the Cloud Connections

Name the AWS Pentest, select a pentest template, and select the cloud connections you would like to use.

Note

Only verified connections will appear when running a pentest.

Screenshot

2.2 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit. Click Next.

2.3 Review the AWS Pentest Configuration

Once satisfied with your pentest selections, check the box to indicate you represent and have the legal authority to conduct Horizon3.ai's AWS Penetration Testing. Then click Run Pentest.

Cleanup a Cloudformation StackSet

Advanced

This is used to cleanup the AWS resources created during the bulk cloud connection process that uses AWS Cloudformation Stacksets. The commands shown below make use of the aws cli and will need to be ran authenticated to the management account where the Stackset was provisioned.

1. Identify the Stackset Name

Run the following command to view a list of the Stacksets that are in your account and identify the name of your NodeZero stackset. It will be prepended with NodeZeroStackSet. 

aws cloudformation list-stack-sets

example output: 

{
    "Summaries": [
        {
            "StackSetName": "NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111",
            "StackSetId": "NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111:11111111-1111-1111-1111-111111111111",
            "Status": "ACTIVE",
            "DriftStatus": "NOT_CHECKED"
        }
... TRUNCATED

2. Delete all associated Stackset instances

In order to delete the Stackset, you will need to delete all its associated instances. To do this you will need the same list of aws account ids that was provided to the bulk connection setup process. Provide the Stackset name identified above and the list of space delimited account ids to the command. 

aws cloudformation delete-stack-instances \
  --stack-set-name $STACKSET_NAME \
  --no-retain-stacks --regions us-east-1 --accounts $ACCOUNT_IDS

example: 

aws cloudformation delete-stack-instances \
  --stack-set-name NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111 \
  --no-retain-stacks --regions us-east-1 --accounts 1111111111111 2222222222222 3333333333333

3. Verify the Stackset instances have been deleted

List the Stackset instances to verify they have been deleted for that specific Stackset. 

aws cloudformation list-stack-instances \
  --stack-set-name $STACKSET_NAME

example: 

aws cloudformation list-stack-instances \
  --stack-set-name NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111

Once deleted, you should see the following output: 

{
    "Summaries": []
}

4. Delete the Stackset

Once all the Stackset instances have been deleted, you can delete the Stackset itself. 

aws cloudformation delete-stack-set \
  --stack-set-name $STACKSET_NAME

example: 

aws cloudformation delete-stack-set \
  --stack-set-name NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111

A successful deletion will not yield any output.

5. Verify Stackset deletion

You can verify that the Stackset was properly deleted by attempting to describe it. 

aws cloudformation describe-stack-set \
  --stack-set-name $STACKSET_NAME

example: 

aws cloudformation describe-stack-set \
  --stack-set-name NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111

If it was properly deleted, you should see a similar error message: 

An error occurred (StackSetNotFoundException) when calling the DescribeStackSet operation: 
  StackSet NodeZeroStackSet-SecurityAudit-Role-11111111-1111-1111-1111-111111111111 not found