Hacker Days: Understanding AWS cloud attacks using CloudGoat

Jun 10, 2021
6 mins
Kavisha Sheth

We did an hour-long webinar for OWASP Bay Area Meetup group where I spoke about AWS attacks. As part of the online webinar, I demonstrated attack scenarios for AWS across different services.

The slides and video recording from the online seminar, along with Questions & Answers are presented in this blog post.


View Slides

Questions & Answers

How is the permission enumeration done after a get-caller-identity call?

Once the identity of the user is known, the next logical step for an attacker is to identify what privileges they have. In case of AWS there are tools like enumerate-iam that can be used to brute force different List and Get APIs and identify which is success. For more comprehensive results, all Write permissions (Set, Delete, Modify etc.) will also need to be tested which can disrupt the target AWS environment.

It’s not a sure shot way but gives you an idea of what services the user has access to. The only way (without being destructive) to get a complete permission state of the user or role is to look at the attached policy.

Will we just have PPT based walkthrough?

Yes. The screenshots in the presentation are from step-by-step attacks performed on labs that were setup using Cloud Goat.

Can you please explain how SSRF can be protected / mitigated using IMDSv2 at end of session if possible?

IMDSv2 offers API level protection to the instance metadata. So to a certain extent, all Vanilla SSRF can be mitigated.

The new Metadata protocol, EC2 Instance Metadata Service (IMDSv2), mandates making a PUT request in order to get a token. This token must be used in all subsequent requests.

The token is never stored by IMDSv2 and can never be retrieved by subsequent calls, so a session and its token are effectively destroyed when the process using the token terminates. Sessions can last up to six hours and a session token can only be used directly from the EC2 instance where that session began.

You can also refer this for reference:

getting started with version2 of AWS EC2 Instance Metadeta service
appsecco blog on getting started with IMBSv2

But, if your application is hosted on EC2 and provides the ability to users to add custom headers and make requests using arbitrary HTTP methods, then IMDSv2 will not protect the server, as the application can completely mimic requests as if they originate from the server itself.

Is metadata endpoint enabled by default?


Can you provide references?

Yes. Here they are. These are also included in the presentation.



This book aims to be a step-by-step walkthrough of CloudGoat 2.0 scenarios. CloudGoat 2.0 is a "vulnerable by design"…


Server Side Request Forgery (SSRF) and AWS EC2 instances after Instance Meta Data Service version…

A short blogpost about the how introduction of IMDSv2 affects SSRF attempts on AWS EC2 instances, especially when…



CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool - RhinoSecurityLabs/cloudgoat



Exploits written by the Rhino Security Labs team. Contribute to RhinoSecurityLabs/Security-Research development by…



Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud…________________________________________________________________________________________


Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous…


Getting shell and data access in AWS by chaining vulnerabilities

Slides from a talk on using mis-configurations, overtly permissive IAM policies and application security…


Instance metadata and user data

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance…________________________________________________________________________________________

From CloudTrail, will we be able to identify these attacks?

CloudTrail will log AWS API requests, which means that all of the demonstrated attacks where an AWS API request was made will be logged.

However, like any logging system, the log themselves will not be flagged as suspicious. A review or analysis of the logs must be done to identify if there was an actual attack. Given that most of these APIs will be used in any case as part of everyday operations, it can get tricky to identify if there was an attack unless a pattern is identified. Source IP address for example could be one of the things to look out for.

What is preventing someone from generating token?

To generate token in IMDSV2, you must be on the EC2 server. So, either you need to have SSH access or console access of the machine or have access to the system in any other way (perhaps via a web application shell) that could allow you to execute cURL commands to perform a PUT request and then pass the token via custom headers.

The IP address is non routable it means you can’t access outside of machine. You have to generate request from machine itself.

If web application is vulnerable to SSRF then user can request for meta data. but if someone outside EC2 instance then there is no way to generate token.

Is there any tool to enumerate s3 bucket?

Here, we are assuming enumerate s3 bucket means finding S3 buckets.

There are multiple tools you can use like Shodan, Certificate Transparency Logs, Censys, GrayHat Warfare bucket search, numerous bucket finder scripts

A few Bucket finder script /Tools :



Find aws s3 buckets and extract datas. Contribute to gwen001/s3-buckets-finder development by creating an account on…________________________________________________________________________________________


Find aws s3 buckets and extract datas. Contribute to gwen001/s3-buckets-finder development by creating an account on…________________________________________________________________________________________


Tool to check AWS S3 bucket permissions. Compatible with Linux, MacOS and Windows, python 2.7 and 3. May be used as AWS…________________________________________________________________________________________


AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer…________________________________________________________________________________________


Contribute to nahamsec/lazys3 development by creating an account on GitHub.


But, I suggest not to limit yourself to enumerating bucket and downloading data. Also, look for writing permission as well and perform write task as well.

Is there any methodology to Pentest AWS?

There are a lot of resources on the Internet that will walk you through on how to approach a pentest of AWS environment.

From an external attacker point of view, it is not very different from attacking any Internet facing network. You are going to focus the initial discovery on the services that are exposed instead of looking at them as independent AWS things. For example, enumeration of DNS information will point you to EC2 or S3 and then you can test them individually as AWS services.

The MITRE ATTACK threat matrix for IaaS is a good reference document when it comes to AWS. Also, awesome-AWS-security repository on GitHub is a great collection of techniques to use. Focusing on discovery, enumeration and exploitation of each service under AWS is the way to go.



A common curated list of links, references, books videos, tutorials (Free or Paid), Exploit, CTFs, Hacking Practices…________________________________________________________________________________________

At Appsecco we provide advice, testing and training around software, infra, web and mobile apps, especially that are cloud hosted. We also specialise in auditing AWS environments as per the AWS CIS Foundations Benchmark to create a picture of the current state of security in your AWS environment. Our experience has led us to creating multiple hands on training courses like the very popular “Breaking and Pwning Apps and Servers on AWS and Azure” and “Automated Defence using Cloud Services for AWS, Azure and GCP”.

Drop us an email at if you would like us to assess the security of your AWS infrastructure or if you would like your security team trained in advanced pentesting techniques against


Build a website that actually performs better.

Lorem ipsum dolor sit amet consectutar
Lorem ipsum dolor sit amet consectutar
Lorem ipsum dolor sit amet consectutar