Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Cloud Security Podcast: Cloud Pen Test of AWS with Open Source

Hear from Bishop Fox's Seth Art in Episode 161 of Cloud Security Podcast as he shares his extensive experience with cloud penetration testing.

Hear from Bishop Fox's Seth Art in Episode 161 of Cloud Security Podcast as he talks about his extensive experience with cloud penetration testing. If your organization is thinking about getting a pen test done on your AWS account or you want to learn how to pen test in AWS, you don’t want to miss this conversation with Ashish Rajan, Cloud Security Podcast host, and Seth Art.

Discussion with Seth Art:

  • 00:00 Introduction
  • 04:24 A bit about Seth
  • 06:10 Web App Pentesting vs Cloud Pentesting
  • 08:11 Working with scale of multiple AWS accounts
  • 10:20 What can you expect to find with Cloud Pentesting?
  • 12:14 Foundational pieces about approaching pentesting in Cloud
  • 15:19 How to start a Cloud Pentest?
  • 18:25 The importance of IAM
  • 23:43 Common services in AWS to look at
  • 25:58 Mistakes people make for scoping
  • 29:18 The role of shared responsibility in Cloud Pentesting
  • 32:38 Boundaries for AWS pentesting
  • 35:13 Nmapping between 2 EC2 instances
  • 36:37 How do you explain the findings?
  • 40:26 Skillsets required to transition to Cloud Pentesting
  • 45:41 Transitioning from Kubernetes to Cloud Pentesting
  • 48:55 Resources for learning about Cloud Pentesting.
  • 49:47 The Fun Section


Seth art

About the author, Seth Art

Principal Security Consultant

Seth Art (OSCP) is a Principal Security Consultant at Bishop Fox, where he currently focuses on penetration testing cloud environments, Kubernetes clusters, and traditional internal networks.

Seth is the author of multiple open-source projects including CloudFox, CloudFoxable, IAM Vulnerable, Bad Pods, celeryStalk, and PyCodeInjection. He has presented at security conferences, including fwd:cloudsec, DerbyCon, and BSidesDC, published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.

More by Seth

Extend Your Knowledge

Check out these related resources.

Bishop Fox Tool Talk episode 7 CloudFox to find exploitable attack paths in cloud infrastructure presented by three security consultants
Webcast

Tool Talk: CloudFox

Watch as we explore Bishop Fox’s very own CloudFox, a command line tool that helps offensive security practitioners navigate unfamiliar cloud environments and find exploitable attack paths in cloud infrastructure. Tune in to our livestream for a demo of CloudFox!

Learn More
Penetrating the Cloud title on dark purple background and security consultants, Seth Art & Nate Robb headshots.
Webcast

Penetrating the Cloud: Uncovering Unknown Vulnerabilities

Seth Art, Principal Security Consultant at Bishop Fox, and Nate Robb, Senior Operator at Bishop Fox, discuss two distinct ways (zero-knowledge & assumed-breach perspectives) to proactively identify, understand, and mitigate the most impactful vulnerabilities lurking in your cloud environment.

Learn More
Video thumbnail featuring the three panelist headshots: Matt Johansen, Andrew Martin, and Moses Frost.
Livestream

"Exploiting the Cloud" Session - DEF CON 31

In this session, we take a deep dive into the cloud's underbelly, exploring its vulnerabilities and exploiting its weaknesses.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.