Part III: Hands-On Labs Chapter 7

Cloud Security Labs

Cloud misconfiguration discovery, IAM testing, and cloud-native security exercises

Chapter 7: Cloud Security Labs

Lab Overview

These labs cover cloud security assessment techniques. Some require cloud accounts.

Note on Cloud Provider Changes: These labs use CLI commands (AWS CLI, az, gcloud) which tend to remain stable across provider updates. Web console interfaces change more frequently—if a console screenshot or UI path doesn’t match what you see, the underlying CLI commands will still work. Always refer to official provider documentation for current console navigation.


Lab 7.1: S3 Bucket Enumeration

Objective

Discover exposed cloud storage.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Manual Bucket Discovery

# Check if bucket exists
curl -I https://COMPANY-backup.s3.amazonaws.com

# Response codes:
# 200 - Exists and accessible
# 403 - Exists but denied
# 404 - Does not exist

Part 2: Common Bucket Names

# Test common patterns (COMPANY is the base name being tested; set it first)
COMPANY=target-company
for name in backup data assets staging dev prod; do
    echo "Testing: $COMPANY-$name"
    curl -s -o /dev/null -w "%{http_code}" \
        "https://$COMPANY-$name.s3.amazonaws.com"
    echo ""
done

Part 3: Using Tools

# cloud_enum
python3 cloud_enum.py -k COMPANYNAME

# S3Scanner
python3 s3scanner.py --bucket COMPANY-backup

Verification

  • Tested bucket name patterns
  • Identified existing buckets
  • Checked permissions

Lab 7.2: Public Cloud Scanning

Objective

Use Shodan/Censys for cloud asset discovery.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Shodan Queries

# Shodan CLI
pip install shodan
shodan init YOUR_API_KEY

# Search for organization
shodan search "org:CompanyName"

# Search AWS ranges
shodan search "net:52.0.0.0/8"

# Search exposed services
shodan search "port:22 org:CompanyName"

Part 2: Cloud-Specific Searches

Shodan filters for cloud:

# AWS
org:"Amazon.com"
org:"Amazon Web Services"

# Azure
org:"Microsoft Azure"
org:"Microsoft Corporation"

# GCP
org:"Google Cloud"

# Find exposed databases
port:27017 "mongodb"
port:6379 "redis"
port:9200 "elasticsearch"

# Censys for certificate analysis
# Find all certs for domain
censys search "parsed.names: example.com"

Verification

  • Performed Shodan searches
  • Found cloud-hosted assets
  • Identified exposed services

Lab 7.3: IAM Analysis (AWS)

Objective

Analyze IAM configuration for weaknesses.

Difficulty: Intermediate | Time: 45 minutes

Requirements

AWS CLI configured with test account credentials.

Instructions

Part 1: Enumerate Permissions

# Get current user (the Arn field contains the IAM user name)
aws sts get-caller-identity

# List attached policies (use the IAM user name from the Arn above, not the shell's $USER)
aws iam list-attached-user-policies --user-name IAM_USERNAME

# Get policy document (use the DefaultVersionId reported by `aws iam get-policy`; it is not always v1)
aws iam get-policy-version --policy-arn ARN --version-id v1

Part 2: Check for Dangerous Permissions

# Dangerous permissions to look for:
# - iam:* (full IAM control)
# - sts:AssumeRole with wide scope
# - ec2:RunInstances + iam:PassRole
# - lambda:* + iam:PassRole

# Enumerate what you can do
# enumerate-iam tool
python3 enumerate-iam.py --access-key KEY --secret-key SECRET

Part 3: Privilege Escalation Paths

Common AWS Priv Esc Paths:

1. iam:CreatePolicyVersion
   - Create new version with more permissions

2. iam:AttachUserPolicy
   - Attach AdministratorAccess

3. iam:CreateAccessKey
   - Create keys for other users

4. ec2:RunInstances + iam:PassRole
   - Launch instance with privileged role

5. lambda:CreateFunction + iam:PassRole
   - Create Lambda with privileged role
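
The dangerous permissions and combinations listed in Parts 2 and 3 can be checked mechanically against a policy document. This is an added example, not from the book: it takes the "Document" returned by `aws iam get-policy-version`, expands wildcards such as `iam:*` or `*`, and reports the lab's findings; SAMPLE_POLICY and the account id in it are constructed.

```python
"""Flag the dangerous IAM permissions listed in this lab inside a policy document.
Added example, not from the book: feed it the "Document" returned by
`aws iam get-policy-version`. SAMPLE_POLICY below is constructed."""
import fnmatch

DANGEROUS_SINGLE = ["iam:*", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                    "iam:CreateAccessKey"]
DANGEROUS_PAIRS = [("iam:PassRole", "ec2:RunInstances"),
                   ("iam:PassRole", "lambda:CreateFunction")]  # lambda:* also matches

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def allow_statements(policy_doc):
    """Yield (actions, resources) for each Allow statement. Deny statements are
    ignored, so the result is an upper bound on what the policy grants."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))


def grants(policy_doc, wanted):
    """True if any Allow pattern ('iam:*', '*', 'iam:Create*') covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pat.lower())
               for actions, _ in allow_statements(policy_doc) for pat in actions)


def find_dangerous(policy_doc):
    """Return the lab's dangerous permissions and combinations the policy grants."""
    findings = [p for p in DANGEROUS_SINGLE if grants(policy_doc, p)]
    for a, b in DANGEROUS_PAIRS:
        if grants(policy_doc, a) and grants(policy_doc, b):
            findings.append(f"{a} + {b}")
    # sts:AssumeRole matters when its Resource is wide (any role, or any role in an account).
    for actions, resources in allow_statements(policy_doc):
        if any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions) \
                and any(r == "*" or r.endswith("/*") for r in resources):
            findings.append("sts:AssumeRole on wide Resource")
            break
    return findings
```

Run it over every policy version listed by `aws iam list-attached-user-policies` and the role policies from `aws iam list-attached-role-policies` to cover the whole account; Deny statements and permission boundaries are not evaluated, so treat a hit as something to verify, not a confirmed escalation path.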

Verification

  • Enumerated current permissions
  • Identified dangerous policies
  • Documented escalation paths

Lab 7.4: Cloud Configuration Audit

Objective

Audit cloud configuration for security issues.

Difficulty: Intermediate | Time: 45 minutes

Instructions

Part 1: Using ScoutSuite

# Install ScoutSuite
pip install scoutsuite

# Run against AWS
scout aws

# Run against Azure
scout azure

# Run against GCP
scout gcp

# Review HTML report
open scoutsuite-report/report.html

Part 2: Using Prowler (AWS)

# Install Prowler
git clone https://github.com/prowler-cloud/prowler
cd prowler

# Run full audit
./prowler

# Run specific checks
./prowler -c check11,check12,check13

# Output to file
./prowler -M csv,html

Part 3: Key Findings to Review

Critical Cloud Misconfigurations:

S3:
□ Public buckets
□ Missing encryption
□ No versioning (ransomware risk)

IAM:
□ Root account usage
□ No MFA on accounts
□ Overly permissive policies
□ Access keys not rotated

Network:
□ Security groups 0.0.0.0/0 on SSH/RDP
□ Default VPCs in use
□ No VPC flow logs

Logging:
□ CloudTrail disabled
□ No log encryption
□ Short retention periods
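
The "Security groups 0.0.0.0/0 on SSH/RDP" item above is easy to check without a full audit tool. This is an added example, not from the book or from Prowler/ScoutSuite: it walks the JSON shape of `aws ec2 describe-security-groups --output json`, handles the all-traffic protocol `-1`, port ranges that merely contain 22 or 3389, and the IPv6 equivalent `::/0`; SAMPLE_SGS is constructed test data.

```python
"""Find security groups exposing SSH/RDP to the world (added example, not from the lab).
Input has the shape of `aws ec2 describe-security-groups --output json`;
SAMPLE_SGS below is constructed test data."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "windows", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,   # range covers 3389
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}


def rule_is_world_open(rule):
    """True if the rule's IPv4 or IPv6 source is the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def exposed_admin_ports(rule):
    """Admin ports the rule covers: all of them for protocol -1, else the TCP range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":               # all traffic: no FromPort/ToPort present
        return sorted(ADMIN_PORTS)
    if proto != "tcp":
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def open_admin_groups(describe_output):
    """Return (GroupId, port, service) for every world-reachable SSH/RDP port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if rule_is_world_open(rule):
                for port in exposed_admin_ports(rule):
                    findings.append((sg["GroupId"], port, ADMIN_PORTS[port]))
    return findings
```

A flagged group is only a live exposure if it is attached to an instance with a public address, so cross-check hits against `aws ec2 describe-instances` before reporting them as critical.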

Verification

  • Ran cloud audit tool
  • Reviewed report
  • Documented findings

Lab 7.5: Container Security Scanning

Objective

Scan container images for vulnerabilities.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Using Trivy

# Install Trivy (Debian/Ubuntu: add Aqua Security's apt repository first, per the Trivy docs)
apt install trivy

# Scan image
trivy image nginx:latest

# Scan with severity filter
trivy image --severity HIGH,CRITICAL nginx:latest

# Scan filesystem
trivy fs /path/to/project

Part 2: Analyze Results

Trivy Output Categories:

- CRITICAL: Requires immediate patching
- HIGH: Should be patched soon
- MEDIUM: Patch when convenient
- LOW: Minor issues

Look for:
- Known CVEs in base image
- Outdated packages
- Secrets in image layers

Part 3: CI/CD Integration

# Example GitHub Actions integration (the image must be built or pulled in an earlier step)
name: Container Security Scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'myimage:latest'
        exit-code: '1'
        severity: 'CRITICAL,HIGH'

Verification

  • Scanned container image
  • Identified vulnerabilities
  • Understood severity levels

Lab 7.6: Kubernetes Security

Objective

Assess Kubernetes cluster security.

Difficulty: Advanced | Time: 45 minutes

Requirements

Access to Kubernetes cluster (minikube for testing).

Instructions

Part 1: Cluster Enumeration

# Get cluster info
kubectl cluster-info

# List namespaces
kubectl get namespaces

# List pods in all namespaces
kubectl get pods --all-namespaces

# Check RBAC
kubectl auth can-i --list

Part 2: Security Assessment

# Using kube-bench (CIS Benchmark)
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job.batch/kube-bench

# Using kubeaudit
kubeaudit all

# Check for privileged containers (prints namespace/pod for any pod with a privileged container)
kubectl get pods --all-namespaces -o json | jq -r '.items[]
  | select(any(.spec.containers[]; .securityContext.privileged == true))
  | "\(.metadata.namespace)/\(.metadata.name)"'

Part 3: Network Policies

# Check for network policies
kubectl get networkpolicies --all-namespaces

# If none exist, pods can communicate freely
# This is often a finding

Verification

  • Enumerated cluster
  • Ran security assessment
  • Checked network policies

Lab Summary

Skills Acquired

  • Cloud storage enumeration
  • Public cloud scanning
  • IAM analysis
  • Configuration auditing
  • Container scanning
  • Kubernetes assessment

Key Findings to Document

Area          Finding           Risk
S3            Public bucket     Data exposure
IAM           No MFA            Account takeover
Network       Open SG           Unauthorized access
Containers    Outdated image    Known CVEs