
Exercise 3: Cloud Storage Bucket Encryption Weakness

Feb 8, 2025

Objective:

Understand the risks of disabling encryption in cloud storage buckets, including the potential for data interception during transmission. Learn how to exploit improperly configured encryption and recommend best practices for securing data at rest and in transit.


Scenario:

Your team is conducting a security assessment for an organization using AWS S3 buckets for storing sensitive data. During the audit, you discover that one of the buckets has encryption disabled. Your task is to simulate a scenario where sensitive data is uploaded to this bucket and intercepted during transmission, highlighting the security risks.


Lab Setup:

Prerequisites:

  1. AWS account (free-tier account is sufficient).
  2. A machine with:

Steps to Set Up the Lab:

  1. Create an S3 Bucket:
    • Log in to the AWS Management Console.
    • Navigate to S3 > Create bucket.
    • Configure the bucket as follows:
      • Bucket Name: pentesterworld-no-encryption.
      • Region: Choose your preferred region.
      • Disable Default Encryption: Ensure that no encryption settings (e.g., AES-256 or AWS-KMS) are applied.
    • Complete the creation process.
  2. Upload Sensitive Files:
    • Prepare dummy sensitive files, such as:
      • passwords.txt: Containing mock credentials.
      • sensitive-doc.pdf: A sample PDF document.
    • Use the AWS CLI to upload the files:

        aws s3 cp passwords.txt s3://pentesterworld-no-encryption/
        aws s3 cp sensitive-doc.pdf s3://pentesterworld-no-encryption/

Exercise: Exploiting Non-Encrypted Data

Objective:

Demonstrate the risk of transmitting data without encryption by intercepting unencrypted traffic using Wireshark.

  1. Simulate Data Transmission:
    • Download a file from the S3 bucket using the AWS CLI:

        aws s3 cp s3://pentesterworld-no-encryption/passwords.txt .
  2. Intercept Traffic with Wireshark:
    • Start capturing packets on your active network interface using Wireshark.
    • Filter traffic related to S3 by using the following display filter:

        tcp.port == 443 && ip.addr == <Your Machine's IP>
    • Observe the HTTPS traffic and confirm that the file is transmitted over a secure connection by analyzing the packets.
  3. Simulate Non-HTTPS Traffic (Optional Advanced Step):
    • Modify your AWS CLI configuration to use an endpoint that doesn’t enforce HTTPS (for demonstration purposes only):
      • Edit the AWS CLI configuration file:

            nano ~/.aws/config

      • Add the following lines under your default profile (the s3 sub-keys are indented beneath the s3 key, and the CLI's key for path-style addressing is addressing_style):

            [default]
            s3 =
                addressing_style = path
                use-https = false

    • Re-run the upload and download commands and observe the traffic in Wireshark. You should see unencrypted data being transmitted.

Tools Required:

  1. AWS S3: For bucket creation and file management.
  2. aws-cli: For programmatically interacting with S3.
  3. Wireshark: For analyzing network traffic.

Deliverables:

  1. Document your findings:
    • Screenshot of Wireshark showing secure (or insecure) traffic.
    • Analysis of how the data could be intercepted if encryption is improperly configured.
  2. Recommendations for securing cloud storage:
    • Enable encryption at rest.
    • Enforce HTTPS for data in transit.

Solution:

  1. Identified Vulnerabilities:
    • Encryption is not enabled for the bucket (no default encryption).
    • Potential for data interception if HTTPS is not enforced.
  2. Consequences:
    • Data Breach: Sensitive files can be intercepted during transmission or accessed directly if the bucket is misconfigured.
    • Compliance Violations: Failure to meet regulatory requirements, such as GDPR or HIPAA, which mandate encryption.
  3. Prevention Techniques:
    • Enable Encryption at Rest:
      • Use S3’s default encryption settings (AES-256 or AWS-KMS) to automatically encrypt all uploaded data.
    • Enforce HTTPS for Data in Transit:
      • Configure bucket policies to reject requests made over HTTP.
      • Example bucket policy to enforce HTTPS:

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "EnforceTLSRequests",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:*",
                  "Resource": "arn:aws:s3:::pentesterworld-no-encryption/*",
                  "Condition": {
                    "Bool": {
                      "aws:SecureTransport": "false"
                    }
                  }
                }
              ]
            }
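As an added check that is not part of the exercise, the script below evaluates a bucket policy offline and reports which ARNs are still reachable over plaintext HTTP. It shows that the policy above, whose Resource names only the objects (`/*`), leaves bucket-level actions such as listing uncovered, and that adding the bucket ARN closes the gap. The policies are constructed inline; the bucket name is the one from the exercise.

```python
import json

BUCKET = "pentesterworld-no-encryption"   # bucket name from the exercise
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = BUCKET_ARN + "/*"

def _deny_http_statement(resource):
    # Deny any S3 action from any principal when the request is not over TLS.
    return {"Sid": "EnforceTLSRequests", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": resource,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

# Constructed policies: the exercise's policy (objects only), a corrected one
# that also names the bucket ARN, and a bucket with no Deny statement at all.
OBJECTS_ONLY_POLICY = json.dumps({"Version": "2012-10-17",
                                  "Statement": [_deny_http_statement(OBJECT_ARN)]})
FULL_POLICY = json.dumps({"Version": "2012-10-17",
                          "Statement": [_deny_http_statement([BUCKET_ARN, OBJECT_ARN])]})
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def tls_enforcement_gaps(policy_json, bucket_arn):
    """Return the ARNs (bucket, objects) that no Deny statement protects from
    plaintext HTTP, i.e. where aws:SecureTransport=false is still allowed."""
    covered = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # must apply to every caller, not just some principals
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue  # not a transport-security condition
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue  # only some actions denied; treat as not enforcing
        covered.update(_as_list(stmt.get("Resource", [])))
    return [arn for arn in (bucket_arn, bucket_arn + "/*") if arn not in covered]

if __name__ == "__main__":
    for name, policy in (("exercise policy", OBJECTS_ONLY_POLICY),
                         ("fixed policy", FULL_POLICY), ("no policy", EMPTY_POLICY)):
        gaps = tls_enforcement_gaps(policy, BUCKET_ARN)
        verdict = "HTTPS enforced" if not gaps else "HTTP still allowed for " + ", ".join(gaps)
        print(f"{name}: {verdict}")
```

Run the same function over the output of `aws s3api get-bucket-policy` to audit a real bucket; the JSON shape is identical.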

Conclusion:

This exercise demonstrates the critical importance of enabling encryption for cloud storage buckets. Proper encryption settings protect data at rest and in transit, mitigating the risk of data breaches and ensuring compliance with security standards. By following best practices, organizations can prevent attackers from exploiting encryption weaknesses in cloud storage.
