AWS Penetration Testing – CloudTrail

AWS CloudTrail is the service which monitors access and changes to the cloud environment. CloudTrail aids in risk auditing, governance, and compliance of the AWS account.

CloudTrail is active on any AWS account when created, it doesn’t require any manual setup. When activity occurs within the account, that activity is recorded in a CloudTrail event. The event history can be reviewed either through the AWS console or by exporting it as a JSON or CSV file. To have access to CloudTrail, a user would usually have either the AWSCloudTrail_ReadOnlyAccess or AWSCloudTrail_FullAccess policies attached.

Although CloudTrail is typically used for security and auditing, it can provide valuable insight into an organisation due to the amount of information it stores. Within CloudTrail event history, IP addresses, user agents and usernames can all be found. Additionally, it can also provide some insight into user privileges as it’ll log any usage.

terminal$ aws --profile jessies-bookstore cloudtrail lookup-events --max-items 1
    "EventId": "88iklf06-6304-4u74-a8b1-5572hsj8888f",
    "EventName": "ListGroupsForUser",
    "ReadOnly": "true",
    "AccessKeyId": "AXKFAKEMS34WW57T4YRED",
    "EventTime": 1702670562.0,
    "EventSource": "",
    "Username": "root",
    "Resources": [],
    "CloudTrailEvent": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"234597155117\",\"arn\":\"arn:aws:iam::234597155117:root\",\"accountId\":\"234597155117\",\"accessKeyId\":\"AFAKEXEMS34WW5REKAL3\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2023-12-15T11:08:29Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2023-12-15T20:02:42Z\",\"eventSource\":\"\",\"eventName\":\"ListGroupsForUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"\",\"userAgent\":\"AWS Internal\",\"requestParameters\":{\"userName\":\"jessie\"},\"responseElements\":null,\"requestID\":\"107ujipcb-4229-78wc-a35f-c8fak3f55a87\",\"eventID\":\"fakedf06-6004-4uib-a8b1-55l0lfak397888f\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"23722111825397\",\"eventCategory\":\"Management\",\"sessionCredentialFromConsole\":\"true\"}"

In the event above, it appears that the user root had requested any groups belonging to the user jessie. It also reveals that the request was made through the AWS Internal and even provides the source IP address.

Furthermore, CloudTrail also identifies that the root user is not using MFA to authenticate to the AWS console, this in itself would be worth reporting on any penetration test or audit.

Up Next “Pacu Exploitation Framework”

Spread the love