Chapter 1 โ€” Cloud Security Fundamentals

Cloud security follows the Shared Responsibility Model: AWS secures the infrastructure, you secure everything you build on it. Most cloud breaches are not AWS vulnerabilities โ€” they are misconfigured IAM policies, exposed S3 buckets, and leaked API keys.

Chapter 2 โ€” AWS IAM Deep Dive

IAM is the most critical AWS security control. Every API call is authenticated via IAM. Key concepts: Users, Roles, Policies (JSON documents defining permissions), and the principle of least privilege.

# Check current identity
aws sts get-caller-identity

# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER

# Read a policy document
aws iam get-policy-version --policy-arn arn:aws:iam::ACCOUNT:policy/NAME --version-id v1

Chapter 3 โ€” S3 Bucket Security

# Check bucket public access settings
aws s3api get-bucket-acl --bucket BUCKET_NAME
aws s3api get-bucket-policy --bucket BUCKET_NAME

# List bucket contents (if readable)
aws s3 ls s3://target-bucket --no-sign-request

# Check public access block configuration
aws s3api get-public-access-block --bucket BUCKET_NAME

Chapter 4 โ€” EC2 & Instance Metadata

# Instance Metadata Service (IMDS) โ€” available from inside EC2
curl http://169.254.169.254/latest/meta-data/

# Get temporary credentials from instance role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME

# IMDSv2 (more secure โ€” requires token)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

Chapter 5 โ€” AWS CLI & Enumeration

# Configure with compromised keys
aws configure

# Enumerate accessible services
python3 enumerate-iam.py --access-key KEY --secret-key SECRET

# Common enumeration commands
aws iam list-users
aws ec2 describe-instances
aws s3 ls
aws lambda list-functions
aws secretsmanager list-secrets

Chapter 6 โ€” IAM Privilege Escalation

Over 20 IAM privilege escalation techniques exist. Common paths: attaching AdministratorAccess policy, creating new access key for admin user, and exploiting PassRole to create privileged Lambda or EC2 roles.

# Attach admin policy (if iam:AttachUserPolicy is allowed)
aws iam attach-user-policy --user-name TARGET --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Create access key for admin (if iam:CreateAccessKey is allowed)
aws iam create-access-key --user-name admin

Chapter 7 โ€” Lambda & Serverless Security

# List Lambda functions
aws lambda list-functions

# Get function details (environment variables often contain secrets)
aws lambda get-function-configuration --function-name FUNCTION

# Invoke a function directly
aws lambda invoke --function-name FUNCTION output.json

Chapter 8 โ€” Logging & Monitoring

CloudTrail logs all API calls. GuardDuty detects threats. Config tracks resource changes. SecurityHub aggregates findings. Attackers often try to disable logging first โ€” always check CloudTrail status when enumerating a compromised environment.

Chapter 9 โ€” Cloud Attack Scenarios

Real-world attacks: leaked AWS keys in GitHub leading to full account takeover. SSRF in a web app reaching the IMDS endpoint to steal role credentials. Misconfigured ECR allowing attackers to pull private Docker images and extract hardcoded secrets from image layers.

Chapter 10 โ€” Hardening AWS Environments

Mandatory controls: MFA on root account, no root access keys, SCPs on all OUs, block public S3 access at org level, enforce IMDSv2, enable CloudTrail in all regions, deploy GuardDuty, rotate access keys every 90 days, and never embed credentials in code or Docker images.

โœ…
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
โ† All Workbooks
๐Ÿ“–
Sign in to track progress