Table of Contents
1. Setting up the infrastructure and environment for attacks using Terraform
- Understanding pentesting requirements for AWS
- Cloud forensics and recon
- Hardcoded secrets, etc.
2. Insight into various cloud security tools that help automate the daily pentesting/auditing process
- Prowler, etc.
3. Basics of cloud security
- Shared responsibility model
- Cloud security posture
4. IAM
- IAM service basics
- AWS solution architect-level quiz on the basics of IAM
- IAM playground with Terraform
- Understanding common misconfigurations in IAM
- Hands-on attack & defense
5. S3
- S3 basics
- AWS solution architect-level quiz on the basics of S3
- Understanding common misconfigurations in S3
- Extra recon/tools
- Hands-on attack & defense
6. EC2
- EC2 basics
- Quiz on the basics of EC2
- Understanding common misconfigurations in EC2
- IMDSv1 vs IMDSv2 and abusing temporary credentials
- Hands-on attack & defense
7. Subdomain takeover
8. RDS / disk storage / backups
9. Lambda / WAF
10. Overview of auditing cloud platforms using automated auditing tools
11. Some more hands-on / CTF
12. Infrastructure disassembly
What to Bring?
- Laptop with a modern OS (Windows 10/OSX/Linux).
- VirtualBox v6.1.30 or above.
- Closer to the conference we will provide a VM that will have to be downloaded and deployed using VirtualBox. Other virtualization software may also work with the VM, but troubleshooting it will be time-consuming, so VirtualBox is preferred.
- Updated browsers such as Chrome and Firefox.
- Ability to connect to a wireless/wired network.
- Own AWS account which has been activated for payments.
Who should attend?
- Pentesters and Security Testers
- Security Professionals
- Cloud/IT Professionals
- DevSecOps Professionals
- And anyone who is passionate enough to get started in Cloud Security.
What will attendees get?
- A complete hands-on training guide in PDF format, with all the scripts needed to go through the training again.
- References and links for further studying
What to expect?
- Completely hands-on.
- Automation scripts will be provided to bring up your AWS infrastructure.
- While we will be using the AWS free tier and free credits as much as possible, you can expect some minimal account charges.
- Lots of fun interaction and some memes from Anurag.
What not to expect?
- A lot of theory. The training is designed to be hands-on. We will be covering theory to get you started.
- DevOps concepts
- Deep dive into services and implementation (we can talk about these but we will run out of time)
Please take note that each participant needs their own unique "AWS Account" (activated & working) and should not share it with other participants.
Hall Name: Hall 3
Time: 8 hours
In this training, we will cover core AWS services and attacks against them using an arsenal of tools and techniques. After this hands-on training, attendees will be able to discover, identify and exploit different security weaknesses in AWS. The same techniques demonstrated in the training can be replicated in other cloud providers such as GCP and Azure. The training is meant to be beginner-friendly, with guided walkthroughs, scenario-based attacks, and challenges using tools and techniques meant for auditing and attacking. It will give attendees a guided path to start their cloud security journey. Due to the attack-focused nature of the training, we will not be spending time on security architecture, defense in depth, etc. While mitigations will be covered, we will point out the relevant security documentation provided by the cloud provider for further self-study.
Mohd Arif holds the position of Senior Product Security Engineer at Paytm, a prominent fintech organization. With three years of experience in the security industry, he has established himself as a skilled practitioner in various domains. His expertise encompasses hacking web applications, mobile apps, API security testing, source code review, architecture review, and threat modeling. His true passion lies in Cloud security, Hardware security, and IoT security. He derives immense satisfaction from discovering novel methods to bypass security mechanisms and enhancing his operational security (OPSEC) techniques. He remains deeply committed to the field of cybersecurity and actively seeks opportunities to share his knowledge and experiences. As a result, he has been invited to speak at esteemed conferences and summits, including Seasides Conference, C0C0N Conference, and Redteam Summit. Notably, Mohd Arif has been an enthusiastic volunteer at India’s beloved Seasides Conference, where he eagerly shares his hacking insights with a receptive audience. When he’s not immersed in breaking code and applications, you can find him taking delight in photography, playing video games, embarking on biking adventures on weekends, and having a knack for creating amusing memes.
Anurag Mishra loves to break apps and infra, with a strong passion for hacking and cloud security. Skilled in application security and cloud security, he spends most of his time setting up and hacking apps on the cloud. Anurag is a core member of the cloud security R&D and testing team at Appsecco. In addition to his technical pursuits, he actively engages in community work at conferences such as Seasides Conference, leveraging his passion to assist others. His commitment to continuous learning is evident through his AWS and Azure certifications, which further fuel his curiosity to explore new cloud security tools and services. He finds great satisfaction in participating in cloud Capture The Flag (CTF) challenges and collaborating with peers to stay updated on misconfigurations in the cloud, often sharing his insights through blogs and engaging in discussions. When not building and breaking stuff in the cloud, you can find him making memes, googling for fat loss solutions, discussing when the Indian cricket team will win the world cup, or laughing at his own jokes.
Abhishek BV is a valued member of we45’s Content Development team, specializing in Cloud Security. With comprehensive expertise in various AWS resources, including EC2, S3, IAM, ECR, and more, he is well-versed in maximizing the security and functionality of these platforms. Abhishek’s notable research and focus on IAM, a fundamental AWS resource, have resulted in the creation of an easily comprehensible and hands-on playground, allowing users to gain practical experience. An additional area where he shines is the development of multiple AWS challenge labs, specifically tailored to essential resources such as CloudWatch, CloudTrail, S3, EC2, Systems Manager, and others. These labs provide participants with hands-on opportunities to deepen their understanding of these critical components of the AWS ecosystem. Abhishek’s expertise extends beyond cloud security, as he has also actively contributed to the field of web and mobile application security. Alongside offering training sessions, his vulnerability assessment and penetration testing (VAPT) skills, along with threat modeling, enable him to provide clients with optimal security solutions. When he’s not immersed in the digital realm, Abhishek can be found exploring the depths of India’s jungles. Additionally, he shares a great passion for Indian cricket, making him an ardent admirer of the sport.