diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 040f2c6..6b1b027 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md 
@@ -791,13 +791,76 @@ solutions can not be snapshotted. Snapshots can be created from EBSs, which are stored in S3 buckets. Snapshots can be encrypted through KMS and can be shared accross accounts. -Snapshots deliver a lot of useful content. List metadata of a snapshot via aws cli. +Snapshots deliver a lot of useful content. +List metadata of a snapshot via aws cli. ```sh -aws ec2 describe-snapshots --snapshot-ids +aws ec2 describe-snapshots --region --snapshot-ids ``` -#### Restore an Amazon Machine Image +This shows the size of the volume in GBs, state of the drive, encryption, ownerId and so on. + +A snapshot can be used to create a volume. Snapshots are available in a complete region after they got created, but they need to be in an explicit AZ to mount them. + +Create a volume from a snapshot through metadata service on an EC2 instance using the following commands. + +Get the current AZ through a metadata token. + +```sh +TOKEN=$(curl -s -XPUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token +availability_zone=$(curl -s -H "X-aws-ec2-metdata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone) +``` + +A volume can be created with the use of the snapshot-id, the type, the region and the previously gathered AZ. + +```sh +aws ec2 create-volume --snapshot-id --volume-type gp3 --region +--availability-zone $availability_zone +``` + +The output contains the `VolumeId` to attach the volume to an EC2 instance. + +```sh +instance_id=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id) +aws ec2 attach-volume --region --device /dev/sdh --instance-id $instance_id --volume-id +``` + +Mount the created and attached device to the file system + +```sh +lsblk +sudo mkdir /mnt/attached-volume +sudo mount /dev/ /mnt/attached-volume +``` + +#### EC2 Amazon Machine Image (AMI) Configuration + +An AMI is an image of a VM. 
This image can be configured before it is deployed via cloud-init scripts. These scripts may contain interesting data like credentials or other intel. +The files are stored in `/var/lib/cloud/instance/scripts/` + +List all available or user specific AMIs on the account via aws cli. + +```sh +aws ec2 describe-images +aws ec2 decribe-images --owners +``` + +Get the configuration file contents through Instance Connect to the EC2 or through the SSM Session Manager via curl. + +```sh +TOKEN=$(curl -s -XPUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token +curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data +``` + +Alternatively use aws cli to get the configuration files + +```sh +TOKEN=$(curl -s -XPUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token +instance_id=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id) +aws ec2 describe-instance-attribute --attribute UserData --instance-id $instance_id --region --query UserData --output text | base64 -d +``` + +#### Restore an Amazon Machine Image (AMI) An EC2 VM can be created from an Amazon Machine Image, that can be found in some S3 buckets. @@ -835,4 +898,9 @@ aws ec2 run-instances --image-id --instance-type t3a.mic Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair. +#### EC2 & AutoScaling + Load Balancing +* The AutoScaling Group (ASG) scales down the oldest instance. +* Only the Loadbalancer gets exposed, not the EC2 VMs. +* A ELB can terminate the TLS session. +* An Application ELB can have a WAF attached
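Review bot: In the `@@ -791,13 +791,76 @@` hunk, all three added `TOKEN=$(curl -s -XPUT ... http://169.254.169.254/latest/api/token` lines are missing the closing `)` of the command substitution, so the shell keeps reading into the next line; close each one directly after the URL. The availability-zone request sends `X-aws-ec2-metdata-token` (misspelled, the other requests use `X-aws-ec2-metadata-token`), so that call does not present the token to the metadata service. `aws ec2 decribe-images --owners` should read `describe-images`. The `create-volume` command breaks before `--availability-zone` without a trailing `\`, so the second line would run as its own command; join the lines or add the continuation. A short sentence after the `lsblk` step, saying the device name from its output goes into the `mount` command, would also help.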
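Review bot: In the `@@ -835,4 +898,9 @@` hunk, the first bullet presents "scales down the oldest instance" as a fixed rule, but which instance an ASG terminates depends on the group's termination policy; qualify the bullet (for example, "with the OldestInstance termination policy") or name the policy the note assumes. Style points in the same hunk: "A ELB" should be "An ELB" to match "An Application ELB" on the next line, "Loadbalancer" is spelled differently from "Load Balancing" in the heading, and the last bullet lacks the closing period the other bullets have.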