
AWS Goat: The crossover between cybersecurity and the cloud

Cloud adoption means that the right cybersecurity configurations need to be in place in order to avoid vulnerabilities. To do this, you need to be able to identify them correctly.

The AWS Goat service enables simulations of attacks within the AWS environment to assess the security of the cloud infrastructure. This service makes it easier to understand common vulnerabilities in the cloud, so that the cybersecurity team can protect the organisation's critical data and services.

Carried out by Sofia Martinez | Marco Funes | Alam Pérez Aguiar | Emilio Ocejo

Qualification: Cybersecurity Master

Technologies: AWS Goat | GitHub | Terraform Apply | NMAP | BurpSuite | AWS CLI | OWASP ZAP | SSH

What is the motivation?

Migrating from on-premises servers to the cloud means that security no longer applies only to the hardware and devices in your organisation, but extends to your chosen cloud environment. The provider is responsible for part of that security, but customers also have their share of the responsibility. In order to understand the weaknesses of this type of environment, services such as AWS Goat are used to simulate attacks and carry out a pentesting process to identify vulnerabilities and study possible solutions.

Program aims

  • Identify misconfigurations and OWASP vulnerabilities in the AWS Goat infrastructure.
  • Analyse the impact that the vulnerabilities found may have on the infrastructure.
  • Propose and validate solutions to mitigate vulnerabilities within the AWS environment.

Development

The cloud brings a new element that must be correctly configured in terms of cybersecurity. In order to understand this new environment in the most appropriate way possible, the following has been done:

  • Information gathering: In order to find a vulnerability, it is crucial to collect as much information as possible about the entire environment. Scans of ports and services, enumerations of buckets, users and policies, as well as analysis of HTTP requests were performed.
  • Identification of vulnerabilities: Once the necessary elements were collected, detailed information on the files identified as sensitive was obtained. In parallel, we also worked on applications, intercepting and modifying their requests.
  • Exploitation of vulnerabilities: The weaknesses found were transformed into attack vectors, gaining remote access to servers, exploiting credentials to create users and modify policies, and exploiting vulnerabilities.

Results

Studying the vulnerabilities allowed various types of tests to be carried out to assess the criticality of these weaknesses:

  • Injection of JavaScript code into search forms to manipulate sessions and steal credentials.
  • SQL injection into user input fields to gain unauthorised access to critical user data.
  • Manipulation of requests to access local files on the server (which yielded AWS credentials) and to enumerate users in EC2, which facilitated privilege escalation.
  • Accessing configuration files, exposing public keys, AWS credentials and critical configurations.
  • Manipulation of file paths to access internal files containing keys and settings.
  • Use of obtained credentials to create IAM users and modify policies in order to gain administrative permissions.
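The last result above, credentials lifted from the server being used to create IAM users and attach policies, is the step a defender can most reliably catch in CloudTrail. The following is an added example, not code from the project: it flags IAM write calls made from an EC2 instance-role session or granting AdministratorAccess, using the record fields CloudTrail emits (eventSource, eventName, userIdentity.arn, requestParameters) over constructed sample records with placeholder account and instance IDs.

```python
import re
from typing import Optional

# IAM write APIs that commonly appear in privilege-escalation chains.
IAM_ESCALATION_APIS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
# An EC2 instance-profile session is named after the instance ID (".../assumed-role/<Role>/i-<hex>").
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/i-[0-9a-f]+$")

def classify(event: dict) -> Optional[str]:
    """Return why a CloudTrail record looks like IAM privilege escalation, or None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in IAM_ESCALATION_APIS:
        return None
    arn = event.get("userIdentity", {}).get("arn", "")
    policy = (event.get("requestParameters") or {}).get("policyArn", "")
    if policy.endswith("/AdministratorAccess"):
        return f"{name} grants AdministratorAccess (by {arn})"
    if INSTANCE_SESSION.search(arn):
        return f"{name} issued from EC2 instance-role session {arn}"
    return None

def find_escalations(events: list) -> list:
    """Reduce a list of CloudTrail records to the findings worth alerting on."""
    return [{"eventID": e.get("eventID"), "eventName": e.get("eventName"), "reason": r}
            for e in events if (r := classify(e)) is not None]

def _rec(eid, source, name, identity_type, arn, params):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real logs)."""
    return {"eventID": eid, "eventSource": source, "eventName": name,
            "userIdentity": {"type": identity_type, "arn": arn}, "requestParameters": params}

# Constructed trail: the web server's instance-role credentials are used to create an
# IAM user and make it admin. Account and instance IDs are placeholders.
ROLE = "arn:aws:sts::123456789012:assumed-role/WebAppInstanceRole/i-0a1b2c3d4e5f67890"
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
SAMPLE_TRAIL = [
    _rec("1", "iam.amazonaws.com", "CreateUser", "AssumedRole", ROLE, {"userName": "svc-backup"}),
    _rec("2", "iam.amazonaws.com", "AttachUserPolicy", "AssumedRole", ROLE,
         {"userName": "svc-backup", "policyArn": ADMIN}),
    _rec("3", "iam.amazonaws.com", "CreateAccessKey", "AssumedRole", ROLE, {"userName": "svc-backup"}),
    _rec("4", "iam.amazonaws.com", "CreateUser", "IAMUser",
         "arn:aws:iam::123456789012:user/cloud-admin", {"userName": "new-hire"}),
    _rec("5", "s3.amazonaws.com", "GetObject", "AssumedRole", ROLE, {"bucketName": "app-assets"}),
]
```

Running `find_escalations(SAMPLE_TRAIL)` returns three findings (events 1 to 3); the administrator's own CreateUser and the S3 read are left alone.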

Conclusions

The audit revealed multiple critical vulnerabilities, especially in elements related to access controls, exposure of sensitive data and code injections. These required urgent mitigation by strengthening access policies and credential management. Strict recommendations and controls were also implemented, culminating in constant review and monitoring to ensure the continued protection of cloud resources.
