CEHv12-19 - Cloud Computing

Cloud computing basics

Cloud computing is integral to modern technology. The cloud is essentially “someone else’s computer.”

Types of cloud services

  1. IaaS (Infrastructure as a Service):

    • Provides virtualized computing resources over the internet.
    • Users manage applications, data, runtime, middleware, and OS.
    • Providers manage virtualization, servers, storage, and networking.
  2. PaaS (Platform as a Service):

    • Offers hardware and software tools over the internet.
    • Users manage applications and data.
    • Providers handle runtime, middleware, OS, virtualization, servers, storage, and networking.
  3. SaaS (Software as a Service):

    • Delivers software applications over the internet.
    • Providers manage all aspects of the service.
    • e.g. Google Suite (Gmail, Google Docs, etc.).
  4. IDaaS (Identity as a Service):

    • Manages user identities and access.
    • Includes single sign-on (SSO) and multi-factor authentication (MFA).
  5. SECaaS (Security as a Service):

    • Provides security services via the cloud.
    • Includes automated penetration testing, antivirus (AV), and endpoint detection and response (EDR).
  6. CaaS (Container as a Service):

    • Offers container-based virtualization.
    • e.g. Amazon S3 buckets and other container services.
  7. FaaS (Function as a Service):

    • Enables functions to be executed in the cloud.
    • e.g. AWS Lambda.

Responsibility areas

  • On-premises: user is responsible for all aspects of infrastructure and software.
  • IaaS: provider handles physical aspects and virtualization; user handles software and data.
  • PaaS: provider manages everything except applications and data.
  • SaaS: provider manages all aspects of the service.

Deployment models

  1. Public cloud: services offered over the public internet and available to anyone.
  2. Private cloud: exclusive to a single organization, offering more control and security.
  3. Community cloud: shared among multiple organizations with common concerns (e.g. healthcare providers sharing infrastructure for secure data exchange).
  4. Hybrid cloud: combination of public, private, and community cloud models.
  5. Multi-cloud: utilizes services from multiple cloud providers for redundancy or specialized capabilities. Managed through a single interface by third-party brokers.

NIST cloud deployment reference architecture

  1. Cloud consumer: end user or organization using the cloud service.
  2. Cloud provider: entity providing cloud services.
  3. Cloud carrier: enables network connectivity between consumers and providers.
  4. Cloud broker: manages and integrates multiple cloud services for consumers.
  5. Cloud auditor: conducts independent assessments of cloud implementations.

Cloud storage architecture

  1. Front-end: user-facing interaction layer (e.g., APIs, web apps).
  2. Back-end: physical hardware (servers, networking).
  3. Middleware: handles data deduplication, replication, and storage efficiency.

Categories of cloud brokers

  1. Service Intermediation

    • Description: Enhances an existing service by improving specific capabilities.
    • Example: A broker might add security features to a basic cloud storage service, providing encryption and access control that the original service lacks.
  2. Service Aggregation

    • Description: Combines multiple services into one unified service. It handles data integration and ensures the services work together seamlessly.
    • Example: A broker could integrate cloud storage from one provider, computing power from another, and database services from a third into a single package.
  3. Service Arbitrage

    • Description: Provides flexibility in choosing services from multiple providers based on current conditions and requirements. The broker evaluates and selects the best options dynamically.
    • Example: A broker might switch between cloud providers for the best price or performance for a specific task, such as shifting from AWS to Azure if Azure offers a better rate or performance for a given workload.

Container basics

A container is a portable software package that includes everything needed to run an application, such as configuration files, libraries, and dependencies. This ensures consistency, scalability, and cost-effectiveness. Containers simplify development by providing predefined environments, reducing setup time, and ensuring applications run the same way across different platforms.

Five-tier container architecture (as defined by EC-Council)

  1. Developer Machines:

    • Used for image creation, testing, and accreditation.
    • Ensures the image is ready for use.
  2. Testing and Accreditation Systems:

    • Verifies and validates image contents.
    • Signs the images for integrity and readiness.
  3. Registries:

    • Stores container images.
    • Supports image delivery via orchestration software.
  4. Orchestrators:

    • Transforms images into containers and deploys them.
    • Manages large-scale container deployments programmatically.
  5. Hosts: operate and manage containers based on orchestrator instructions.

Key terms and concepts

  • Docker:

    • A leading platform for building, deploying, and managing containerized applications.
    • Features:
      • Docker Images: Base templates for creating containers.
      • Docker Daemon: Manages Docker objects and handles API requests.
      • Docker Registry (e.g., Docker Hub): Repository for official and custom container images.
      • Docker Files: Text files with commands for creating container images.
  • Orchestration:

    • Automates the container lifecycle, including:
      • Provisioning and deployment.
      • Resource allocation and scaling.
      • Security and monitoring.
    • Popular tools: Kubernetes, OpenShift, Docker Swarm, Ansible.

Security Challenges in Containerization

  1. Untrusted images:
    • Public containers may contain outdated software or vulnerabilities.
    • Perform thorough checks before deployment.
  2. Container breakout:
    • Attackers may exploit vulnerabilities to escape the container and access the host system.
    • Running containers as root increases risks.
  3. Insecure secrets: API keys, usernames, and passwords stored insecurely in containers can be exploited.
  4. Noisy neighbor: a container consuming excessive host resources can cause other containers to fail.
  5. Vulnerable source code: containers used for testing may expose organizations to attacks if insecure code is deployed.

Hacking cloud services

Cloud vulnerability scanning

  • Purpose: Identifies security weaknesses in cloud-specific configurations, not just OS or application vulnerabilities.
  • Focus Areas:
    • Cloud misconfigurations (e.g., AWS, Azure).
    • Vulnerable containers and container images.
    • Sensitive information leaks and insecure practices.

Tools for Cloud Security Scanning

  1. Trivy: comprehensive security scanner for container images, Git repositories, virtual machine images, Kubernetes, and AWS. Detects CVEs, IaC issues, sensitive information leaks, and software license violations.
  2. Clair: open-source tool for static analysis of vulnerabilities in application containers (OCI and Docker).
  3. DAGDA: performs static analysis for known vulnerabilities, malware, and anomalous activities in Docker images/containers.
  4. Palo Alto Prisma (previously Twistlock): cloud-native cybersecurity platform for full lifecycle security in containerized environments and cloud-native applications.
  5. Sysdig: focuses on Kubernetes security, enumerating key storage, API objects, configuration files, and open ports.

S3 Discovery and Enumeration

  • Common issues:
    • Publicly readable buckets exposing sensitive data (keys, credentials, private files).
    • Incorrect permissions allowing unauthorized access.
  • Tools:
  • Manual methods:
    • Checking source code for S3 bucket URLs.
    • Using brute-forcing techniques with tools like Burp Suite or custom scripts.
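The exposures listed above are found by the defender with the same data an auditor would pull. As an added example (not from these notes or EC-Council), the following checks one bucket's policy, ACL grants and Block Public Access settings, using the data shapes boto3 returns for get_bucket_policy, get_bucket_acl and get_public_access_block; the sample bucket data is constructed so the check runs offline.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(policy_json: str, grants: list, pab: dict) -> list:
    """Return findings for one bucket; an empty list means no public exposure."""
    findings = []
    # 1. Bucket policy: unconditional Allow statements open to any principal.
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and is_wildcard_principal(stmt.get("Principal"))):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy grants %s to everyone" % ", ".join(actions))
    # 2. Legacy ACL grants to the AllUsers / AuthenticatedUsers groups.
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), uri.rsplit("/", 1)[-1]))
    # 3. S3 Block Public Access should be fully enabled as a safety net.
    disabled = [k for k in PAB_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append("Block Public Access disabled: " + ", ".join(disabled))
    return findings

# Constructed sample data: a classic leaky bucket.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, SAMPLE_PAB):
        print("FINDING:", finding)
```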

AWS privilege escalation techniques

  • Metadata service exploitation:

    • Access through SSRF vulnerabilities using the special IP 169.254.169.254.
    • Gaining credentials (access key, secret key, session token) from security-credentials.
  • IAM role misconfigurations:

    • Exploiting overly permissive IAM roles to escalate privileges.
    • Identifying unused or improperly configured roles using AWS CLI.
  • Key discovery:

    • Searching GitHub or forums for leaked keys and credentials.
    • Leveraging AWS CLI for detailed role and key analysis.
  • Public AMIs: downloading and analyzing shared AMIs for sensitive information.
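The IAM role misconfigurations above are cheapest to catch by reviewing the policy documents themselves. Added example, not EC-Council's or AWS's code: a small auditor for an IAM policy JSON that flags full wildcards, service-wide wildcards, Allow combined with NotAction, and a constructed (non-exhaustive) list of IAM actions that should never be granted on every resource; the sample role policy is constructed.

```python
import json

# Actions that, when allowed on every resource, let a principal reshape IAM or
# hand out roles; constructed review list, not an exhaustive one.
SENSITIVE_ACTIONS = {"iam:passrole", "iam:attachrolepolicy", "iam:putrolepolicy",
                     "iam:createpolicyversion", "iam:createaccesskey", "sts:assumerole"}

def as_list(value) -> list:
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def audit_policy(document: str) -> list:
    """Return findings for one IAM policy document (JSON string)."""
    findings = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything *except* the list
            findings.append(f"statement {i}: Allow with NotAction is almost always over-broad")
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        on_any_resource = "*" in as_list(stmt.get("Resource"))
        if "*" in actions and on_any_resource:
            findings.append(f"statement {i}: full administrator access (Action * on Resource *)")
            continue
        wild = sorted(a for a in actions if a.endswith(":*") or a == "*")
        if wild:
            findings.append(f"statement {i}: service-wide wildcard {', '.join(wild)}")
        risky = sorted(a for a in actions if a in SENSITIVE_ACTIONS)
        if risky and on_any_resource:
            findings.append(f"statement {i}: {', '.join(risky)} allowed on every resource")
    return findings

# Constructed sample: a role policy that looks harmless but permits escalation.
SAMPLE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_ROLE_POLICY):
        print("FINDING:", finding)
```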

Pentesting AWS environments

  • Tools:
    • Pacu: framework for AWS penetration testing, automating enumeration and misconfiguration analysis.
    • CloudGoat: creates an insecure AWS environment for testing.
  • Focus Areas:
    • IAM role analysis and misconfiguration.
    • Privilege escalation through found keys or roles.
    • Metadata service abuse.

Key security concerns

  1. Publicly Accessible Resources: public buckets and AMIs exposing sensitive data.
  2. IAM Misconfigurations: roles with excessive permissions or improper restrictions.
  3. Metadata Service Exploits: using SSRF vulnerabilities to gain access to AWS credentials.
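Metadata service abuse through SSRF (concern 3, and the technique notes above) leaves traces in the web tier's access logs. Added example, not from these notes: detection over constructed combined-format log lines, URL-decoding repeatedly so that double-encoded requests aimed at 169.254.169.254 are still caught.

```python
import re
from urllib.parse import unquote

# Strings that identify a request aimed at the EC2 instance metadata service.
IMDS_MARKERS = ("169.254.169.254", "/latest/meta-data", "security-credentials")

# Combined (Apache/nginx style) access log: client, ident, user, time, request, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalise(text: str) -> str:
    """URL-decode until stable (payloads are often double-encoded), then lowercase."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text.lower()

def is_imds_probe(request_target: str) -> bool:
    """True when the request path or query references the metadata service."""
    decoded = normalise(request_target)
    return any(marker in decoded for marker in IMDS_MARKERS)

def scan_access_log(lines) -> list:
    """Return (client, target, status) for each request that targets IMDS."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match and is_imds_probe(match.group("target")):
            alerts.append((match.group("client"), match.group("target"), match.group("status")))
    return alerts

# Constructed sample log: one normal request, then a plain and a double-encoded
# probe sent through a URL-fetching parameter, as in the SSRF notes above.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /fetch?url=https://example.org/feed.xml HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /fetch?url=http%253A%252F%252F169%252E254%252E169%252E254%252Flatest HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, target, status in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {target} (HTTP {status})")
```

Requiring IMDSv2 (HttpTokens set to required in the instance metadata options) removes the simplest form of this attack, because the caller must first obtain a session token with a PUT request and send it as a header, which a basic GET-based SSRF cannot do.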

Cloud security controls

Measures implemented to enhance the security of cloud systems.

Categories

  • Standard Security Controls: traditional measures applicable to cloud environments.
  • Cloud-Specific Security Controls: tailored measures for cloud systems.

Standard security controls

  1. Secure Software Development Lifecycle (SDLC):
    • Prevent flaws in cloud-hosted applications and APIs.
    • Example: Avoid leaking AWS credentials.
  2. Patching and updates:
    • Ensure operating systems, applications, and infrastructure are up-to-date.
    • Prevent exploitation of known vulnerabilities (e.g., EternalBlue).
  3. Change default configurations: avoid using default credentials or settings.
  4. Firewalls and intrusion detection/prevention: use tools like IDS, IPS, and WAF for monitoring and defense.
  5. Logging and monitoring: track activity to detect anomalies and respond quickly.
  6. Denial-of-Service mitigation: use devices or services to prevent DoS/DDoS attacks.
  7. Encryption: encrypt sensitive data at rest and in transit.
  8. Endpoint Protection: deploy antivirus and EDR solutions.

Cloud-specific security controls

  1. S3 Bucket Permissions:
    • Ensure correct access controls for S3 buckets.
    • Enable features like default encryption and versioning.
  2. Docker Security Best Practices (via OWASP):
    • Use trusted Docker images.
    • Limit container capabilities and use “no new privileges” flags.
    • Disable inter-container communication when unnecessary.
    • Run Docker in rootless mode.
  3. Kubernetes Security Best Practices:
    • Keep Kubernetes up-to-date.
    • Restrict API access using namespaces and network policies.
    • Conduct regular security audits.
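The Docker best practices above (and the container-breakout and insecure-secrets challenges listed earlier) can be verified against a running container's `docker inspect` output. Added example, not OWASP's or EC-Council's code: it reads the HostConfig and Config sections and reports a root user, dangerous added capabilities, a missing no-new-privileges option, shared host namespaces, a mounted Docker socket and secret-looking environment variables; both sample containers are constructed.

```python
import re

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)

def audit_container(inspect: dict) -> list:
    """Return findings for one element of `docker inspect <container>` output."""
    host, cfg = inspect.get("HostConfig", {}), inspect.get("Config", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, trivial breakout")
    added = {c.upper().removeprefix("CAP_") for c in host.get("CapAdd") or []}
    if added & DANGEROUS_CAPS:
        findings.append("dangerous capabilities added: " + ", ".join(sorted(added & DANGEROUS_CAPS)))
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (setuid binaries can still gain privileges)")
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("process runs as root inside the container")
    if host.get("PidMode") == "host" or host.get("NetworkMode") == "host":
        findings.append("shares the host PID or network namespace")
    if any("docker.sock" in bind.split(":")[0] for bind in host.get("Binds") or []):
        findings.append("Docker socket mounted into the container")
    leaked = [e.split("=", 1)[0] for e in cfg.get("Env") or [] if SECRET_NAME.search(e.split("=", 1)[0])]
    if leaked:
        findings.append("secret-looking environment variables: " + ", ".join(leaked))
    return findings

# Constructed samples: the same image started two ways.
RISKY = {"HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None,
                        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
         "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]}}
HARDENED = {"HostConfig": {"Privileged": False, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                           "SecurityOpt": ["no-new-privileges:true"], "Binds": []},
            "Config": {"User": "10001:10001", "Env": ["PATH=/usr/bin"]}}

if __name__ == "__main__":
    for name, spec in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_container(spec) or ["no findings"])
```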

Tools for cloud security

  1. Qualys: cloud vulnerability scanning and security assessments.
  2. Prisma Cloud: cloud-native application protection platform by Palo Alto Networks.
  3. Aqua Security: protects workloads, cloud platforms, and Kubernetes deployments.
  4. Tenable: comprehensive tools for cloud and on-prem vulnerability management.
  5. kube-bench: open-source tool for checking Kubernetes deployment security against CIS benchmarks.
  6. Sumo Logic: provides observability and security analytics for cloud deployments.