AWS Penetration Testing Part - 5: Advanced AWS Service Pentesting Techniques

March 17, 2025
Tags: AWS Security, Pentesting, route53, ses, cloudformation, ecr

Targeting Other AWS Services: Pentesting Guide

📌 Route 53: DNS Recon and Hijacking

Hosted Zone Discovery

aws route53 list-hosted-zones

Enumerate DNS records

aws route53 list-resource-record-sets --hosted-zone-id <HostedZoneId>

Attacks

  • Malicious A/CNAME redirection.
  • Registering domains or modifying records for phishing.
  • Harvesting subdomains for further exploitation.

📧 SES: Social Engineering & Phishing

Identify Verified Emails & Domains

aws ses list-identities --region us-west-2

Check sending status

aws ses get-account-sending-enabled --region us-west-2

Verify identity status

aws ses get-identity-verification-attributes --identities <email/domain>

Escalate Permissions by Editing SES Identity Policy

aws ses list-identity-policies --identity <email>
aws ses get-identity-policies --identity <email> --policy-names <policy-name>
# Modify the policy document to include the compromised user, then push it back
aws ses put-identity-policy --identity <email> --policy-name <policy-name> --policy file://ses-policy-document.json

Send Phishing Emails

aws ses send-email ...

🏗️ CloudFormation: Secrets and Escalation

Enumerate Stacks

aws cloudformation describe-stacks --region us-west-2

Check the Parameters and Outputs of each stack for secrets. Deleted stacks can still be inspected:

aws cloudformation list-stacks --region us-west-2
# Then describe any stack of interest by its ARN:
aws cloudformation describe-stacks --stack-name <StackArn> --region us-west-2

Template Enumeration

aws cloudformation get-template --stack-name <StackName> --region us-west-2

Escalate via UpdateStack

Modify the template, then update the stack:

aws cloudformation update-stack --stack-name <StackName> --template-body file://template.json --parameters file://params.json --region us-west-2

Discover NoEcho Parameters

Remove "NoEcho": true from the parameter definition and update the stack again with a dummy change; the previously masked parameter value is then visible.
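As an added defender-side check (not code from the original post, and not an AWS tool), the script below compares the deployed template with a proposed update and flags parameters whose NoEcho was stripped, plus Outputs that reference a NoEcho parameter, since NoEcho masks the parameter but not Outputs. It works on the parsed JSON that get-template returns; the two templates here are constructed samples.

```python
import copy
import re

# ${Name} in Fn::Sub strings (plain names only; ${AWS::Region} and ${Res.Attr} don't match).
_SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)\}")

def noecho_params(template):
    """Names of parameters declared with NoEcho: true (bool or string form)."""
    params = template.get("Parameters") or {}
    return {n for n, spec in params.items()
            if str(spec.get("NoEcho", False)).lower() == "true"}

def find_noecho_regressions(current, proposed):
    """NoEcho parameters of the deployed template that the proposed update
    still declares but no longer protects (the NoEcho-stripping trick)."""
    lost = noecho_params(current) - noecho_params(proposed)
    return sorted(p for p in lost if p in (proposed.get("Parameters") or {}))

def _refs(node):
    # Yield every parameter name a fragment references via Ref or Fn::Sub.
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                yield val
            elif key == "Fn::Sub":
                text = val[0] if isinstance(val, list) else val
                if isinstance(text, str):
                    yield from _SUB_VAR.findall(text)
            yield from _refs(val)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)

def find_output_leaks(template):
    """Outputs whose Value references a NoEcho parameter: NoEcho masks the
    parameter, not Outputs, so describe-stacks prints the secret anyway."""
    protected = noecho_params(template)
    outputs = template.get("Outputs") or {}
    return sorted(n for n, spec in outputs.items()
                  if protected & set(_refs(spec.get("Value"))))

# Constructed sample: a deployed template and a proposed update whose only
# difference is that NoEcho has been dropped from DbPassword.
DEPLOYED = {
    "Parameters": {"DbPassword": {"Type": "String", "NoEcho": True}, "DbUser": {"Type": "String"}},
    "Outputs": {"Conn": {"Value": {"Fn::Sub": "postgres://${DbUser}:${DbPassword}@db"}}},
}
PROPOSED = copy.deepcopy(DEPLOYED)
del PROPOSED["Parameters"]["DbPassword"]["NoEcho"]
```

Run find_noecho_regressions on the current and proposed templates as a gate before approving an UpdateStack, and find_output_leaks over every template in the account to catch secrets already exposed through Outputs.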


🐳 Elastic Container Registry (ECR)

Enumerate ECR Repositories

aws ecr describe-repositories --region us-west-2

List images

aws ecr list-images --repository-name <repo> --region us-west-2

Pull Image & Explore

# Authenticate Docker to the registry (AWS CLI v2; `aws ecr get-login` was the CLI v1 form and no longer exists)
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.us-west-2.amazonaws.com
docker pull <repo-uri>:latest
docker run -it --entrypoint /bin/bash <repo-uri>:latest

Policy Abuse

aws ecr get-repository-policy --repository-name <repo> --region us-west-2

Static Scanning Tools

Use


✅ Final Notes

Pentesting AWS services beyond the basics requires a deep understanding of the environment and the ability to spot subtle misconfigurations. Whether you're reviewing DNS records or pulling containers, these techniques can uncover valuable vulnerabilities in modern cloud setups.