Chapter 1 โ Cloud Security Fundamentals
Cloud security follows the Shared Responsibility Model: AWS secures the infrastructure, you secure everything you build on it. Most cloud breaches are not AWS vulnerabilities โ they are misconfigured IAM policies, exposed S3 buckets, and leaked API keys.
Chapter 2 โ AWS IAM Deep Dive
IAM is the most critical AWS security control. Every API call is authenticated via IAM. Key concepts: Users, Roles, Policies (JSON documents defining permissions), and the principle of least privilege.
# Check current identity
aws sts get-caller-identity
# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER
# Read a policy document
aws iam get-policy-version --policy-arn arn:aws:iam::ACCOUNT:policy/NAME --version-id v1
Chapter 3 โ S3 Bucket Security
# Check bucket public access settings
aws s3api get-bucket-acl --bucket BUCKET_NAME
aws s3api get-bucket-policy --bucket BUCKET_NAME
# List bucket contents (if readable)
aws s3 ls s3://target-bucket --no-sign-request
# Check public access block configuration
aws s3api get-public-access-block --bucket BUCKET_NAME
Chapter 4 โ EC2 & Instance Metadata
# Instance Metadata Service (IMDS) โ available from inside EC2
curl http://169.254.169.254/latest/meta-data/
# Get temporary credentials from instance role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
# IMDSv2 (more secure โ requires token)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Chapter 5 โ AWS CLI & Enumeration
# Configure with compromised keys
aws configure
# Enumerate accessible services
python3 enumerate-iam.py --access-key KEY --secret-key SECRET
# Common enumeration commands
aws iam list-users
aws ec2 describe-instances
aws s3 ls
aws lambda list-functions
aws secretsmanager list-secrets
Chapter 6 โ IAM Privilege Escalation
Over 20 IAM privilege escalation techniques exist. Common paths: attaching AdministratorAccess policy, creating new access key for admin user, and exploiting PassRole to create privileged Lambda or EC2 roles.
# Attach admin policy (if iam:AttachUserPolicy is allowed)
aws iam attach-user-policy --user-name TARGET --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create access key for admin (if iam:CreateAccessKey is allowed)
aws iam create-access-key --user-name admin
Chapter 7 โ Lambda & Serverless Security
# List Lambda functions
aws lambda list-functions
# Get function details (environment variables often contain secrets)
aws lambda get-function-configuration --function-name FUNCTION
# Invoke a function directly
aws lambda invoke --function-name FUNCTION output.json
Chapter 8 โ Logging & Monitoring
CloudTrail logs all API calls. GuardDuty detects threats. Config tracks resource changes. SecurityHub aggregates findings. Attackers often try to disable logging first โ always check CloudTrail status when enumerating a compromised environment.
Chapter 9 โ Cloud Attack Scenarios
Real-world attacks: leaked AWS keys in GitHub leading to full account takeover. SSRF in a web app reaching the IMDS endpoint to steal role credentials. Misconfigured ECR allowing attackers to pull private Docker images and extract hardcoded secrets from image layers.
Chapter 10 โ Hardening AWS Environments
Mandatory controls: MFA on root account, no root access keys, SCPs on all OUs, block public S3 access at org level, enforce IMDSv2, enable CloudTrail in all regions, deploy GuardDuty, rotate access keys every 90 days, and never embed credentials in code or Docker images.