2018-024- Pacu, a tool for pentesting AWS environments

Ben Caudill @rhinosecurity Spencer Gietzen @spengietz   Rhino Security - https://rhinosecuritylabs.com/blog/   AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/   What is the difference between this and something like Scout or Lynis?   Is it a forensic or IR tool?   How might offensive people use this tool? What is possible when you're using this as a 'redteam' or 'pentesting' tool?   S3 bucket perms?   Security Group policy fails   Some of the hardening policies for Security groups? RDS?   Where are you speaking… BSLV? DefCon? https://aws.amazon.com/whitepapers/aws-security-best-practices/   https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf   https://aws.amazon.com/whitepapers/   https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/   https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/ Slack Patreon Bsides Springfield   Join our #Slack Channel! Email us at [email protected] or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec