Python: Pen Testing AWS

Discover how to use Python to test your AWS deployments for vulnerabilities that are unique to the cloud.

Introduction

• Using Python to test for cloud deployment weaknesses through pen testing
• What you need to know

1. Using Python to Manage AWS

• Understanding AWS
• Rules for pen testing AWS
• Setting up an AWS account
• Provisioning an AWS resource
• Setting up the Windows Subsystem for Linux
• AWS Command Line Interface
• Automating cloud deployments with Terraform

2. Using CloudGoat for Testing

• Understanding the CloudGoat testing paradigm
• Installing CloudGoat
• Launching CloudGoat scenarios
• Listing the user policy
• Gaining privileges by changing policies
• Exploiting a misconfigured server
• Closing down a CloudGoat scenario

3. Using the AWS Robot Framework

• Taking a first look at the Python boto3 AWS library
• Enumerating policies
• Adding sessions to your Python scripts
• Checking for guards
• Managing IAM programmatically
• Creating users programmatically
• Managing secrets using Python
• Listing all EC2 instances
• Listing all RDS instances
• Challenge
• Solution

4. The Python AWS Trace Enumerator

• The Python AWS Trace Enumerator
• Looking inside Pate
• Challenge
• Solution

5. Python Testing Tools

• Looking at a weird Python script
• The PACU pen testing framework
• Navigating the PACU console
• Exploring PACU test modules
• Account privilege escalation
• Deploying the ec2_ssrf scenario
• Pen testing Lambda with PACU
• Cleaning up your cloud

Conclusion

• What's next?