Amazon AWS cloud-based configuration review is an exercise in which Cobalt Core pentesters assess an organization’s Amazon-based cloud environment, and its internal and external components. Cobalt follows industry standard methodology based primarily on Amazon’s CIS security standards and additional security testing methodologies, such as OWASP ASVS.
We perform the following steps to ensure full coverage:
Logistics
To perform this testing, pentesters require read-only Identity and Access Management (IAM) API credentials for each AWS account the configuration review should be performed on. Customers should also add the AWS SecurityAudit and ViewOnlyAccess managed policies to the user or role being used for testing.
The required Policy Amazon Resource Names (ARNs) are:
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
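The following script is an added example of how a customer could provision a dedicated role for the review and confirm that nothing beyond the two read-only policies above is attached to it. It is not Cobalt's own tooling. It assumes the AWS CLI v2 is installed and configured with rights to manage IAM, and the role name, assessor account ID and ExternalId are placeholder values to be agreed with the testers.

```shell
#!/bin/sh
# Added example: create a read-only IAM role for an AWS configuration review.
# Assumes AWS CLI v2 with IAM write permissions. Role name, account ID and
# ExternalId below are placeholders, not values from the original page.

ROLE_NAME="${ROLE_NAME:-config-review-readonly}"   # hypothetical role name
SECURITY_AUDIT_ARN="arn:aws:iam::aws:policy/SecurityAudit"
VIEW_ONLY_ARN="arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"

# Trust policy: only the assessor's AWS account may assume the role, and only
# when it presents the agreed ExternalId (mitigates the confused-deputy case
# where a third party tricks the assessor into using the role on their behalf).
trust_policy_json() {
  account_id="$1"; external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${account_id}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "${external_id}"}}
  }]
}
EOF
}

# Create the role and attach exactly the two read-only managed policies.
create_review_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json "$1" "$2")" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SECURITY_AUDIT_ARN"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$VIEW_ONLY_ARN"
}

# Pure check: given the ARNs actually attached to the role (one per argument),
# print any ARN that is not on the allow-list. Empty output means the role is
# scoped as the engagement requires; anything printed should be detached.
unexpected_policy_arns() {
  [ $# -eq 0 ] && return 0
  printf '%s\n' "$@" | grep -v -x -e "$SECURITY_AUDIT_ARN" -e "$VIEW_ONLY_ARN" || true
}

# Live check against the account: feeds the real attached-policy list into
# the pure check above.
verify_review_role() {
  attached=$(aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
             --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n')
  unexpected_policy_arns $attached
}

# Usage (uncomment with real values):
# create_review_role 123456789012 some-shared-external-id
# verify_review_role
```

Keeping the allow-list check separate from the AWS calls makes it easy to run the same check in a pipeline or against a CLI dump: if `verify_review_role` prints anything, an extra policy such as an administrative one has crept onto the review role and should be removed before credentials are handed over.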
Target scope reconnaissance
Initially, Cobalt examines the provided documentation and the confirmed scope. Using various tools, pentesters then test for the presence of different components and technologies within the cloud-based environment. We also perform external scope discovery exercises during this initial stage to determine the discoverable attack surface and the externally exposed landscape.
This step helps us ensure that all necessary levels of access are granted, that pentesters can fully access the scope, and that externally exposed components are reachable. This stage enables pentesters to develop an assessment execution plan to follow throughout the rest of the engagement.
ℹ️ During this phase, testers use multiple reconnaissance scanning tools, such as Scout2, Security Monkey, or Prowler.
Note: The tools testers use may vary from test to test.
Component enumeration
During this stage, testers perform automated component discovery and enumeration within the AWS environment while using client-provided AWS access keys. For this exercise, the key is to gather as much information as possible about components that are being used within the environment, to measure potential impact on the environment by using various tools, and to perform basic scanning of the existing configuration.
During this phase, pentesters familiarize themselves with the AWS internal footprint and get detailed reports from various tools about the current setup of cloud components, such as IAM, S3, RDS, and others.
ℹ️ During this phase, testers use multiple component scanning tools, such as Scout2, Security Monkey, or Prowler.
Note: The tools testers use may vary from test to test.
Automated component configuration assessment
During the third phase of an AWS assessment, Cobalt pentesters perform reviews of the reports to determine risks across the environment. We gather and analyze all the reports from different tools in detail, while also comparing them with potential client-defined areas of focus.
Testers then re-test or confirm any detected anomalies or misconfigurations prior to the risk assessment exercise. Testers perform risk assessment exercises based on a CIS industry best practices template, and score all the risks based on their impact and likelihood.
ℹ️ During this phase, testers use multiple component configuration testing tools, such as Scout2, Security Monkey, Prowler, or Cloudsploit Scan.
Note: The tools testers use may vary from test to test.
Automated and manual assessment of externally exposed services
Based on the scope, Cobalt pentesters perform an external manual and automated assessment of all externally exposed systems and services. During this phase, the testers' goal is to perform a basic vulnerability assessment and potentially detect service-related vulnerabilities that were not detected during the internal configuration scans.
Additionally, for any configuration-related findings that have external impact, pentesters also confirm these through the public interfaces, using the endpoint web addresses gathered internally.
ℹ️ During this phase, testers use multiple component configuration testing tools, such as Scout2, Security Monkey, Prowler, or Cloudsploit Scan.
Note: The tools testers use may vary from test to test.
Architectural design analysis
The last stage of the active AWS security assessment is a manual review of the AWS architecture provided by the client. During this stage, pentesters review and assess the current overall AWS layout from a risk perspective and search for security-related issues. The design of the AWS infrastructure is critical to ensuring that the environment has a strong overall security posture and can deter ever-evolving threats. Cobalt pentesters follow industry best practices when reviewing the architecture and combine the findings with the component configuration reports to make sure that risks are assessed realistically.
Additionally, at the client's request and to ensure better coverage, testers can gather additional information about internal procedures, Continuous Integration/Continuous Delivery (CI/CD), patching, access granting, and other aspects. This allows Cobalt pentesters to fully assess and advise on the overall security posture.
ℹ️ During this phase, testers use multiple component configuration testing tools, such as Scout2, Security Monkey, Prowler, or Cloudsploit Scan.
Note: The tools testers use may vary from test to test.
Reporting, triaging, and additional testing
Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pentesters through our online platform. Clients have full visibility over discoveries in real-time through the Cobalt platform.
In the findings and final report, pentesters provide detailed remediation steps and advice on further improvements of the security posture.
The client can perform remediation efforts on critical discoveries during and after the testing timeframe, and pentesters can test the updated components and re-test the discovered issues to confirm that no residual risk remains for the client from a security perspective.
Common tools used during these assessments
For more information on the testing tools mentioned above, see the following resources:
- Scout2: Security auditing tool for AWS environments
- Prowler: AWS security best practices assessment tool
- Security Monkey: AWS / GCP insecure configuration monitoring tool
- CloudSploit Scan: detection of security risks in an AWS account