
Create the required programmatic keys in Amazon Web Services (AWS)

Programmatic keys (an Access Key ID and a Secret Access Key) let command-line tools and SDKs authenticate to the AWS APIs without a console login. Most AWS pentesting tooling authenticates this way, so creating a key pair for the IAM user that will run the test is usually the first step of an engagement.

1. Sign In to the AWS Management Console

Go to the AWS Management Console
Sign in with your account credentials

2. Accessing IAM in AWS Console

In the console, locate and select “IAM” (Identity and Access Management) from the Services menu.

3. Navigate to User Details

In the IAM dashboard, select “Users” from the left navigation pane. Choose the IAM user for which you want to generate access keys.
If you need to create a new user, click Add user and follow the prompts to set up the user with programmatic access.

4. Generate Access Keys

Within the selected IAM user’s details page, navigate to the “Security credentials” tab.
In the “Access keys” section, click on the “Create access key” button.
Select “Command Line Interface (CLI)” as the use case, tick the confirmation checkbox, and choose “Next”.
Optionally add a description tag, then choose “Create access key”.

5. Download Access Key

Once the access key is created, download the .csv file that contains the Access Key ID and Secret Access Key.
Note: You will not be able to view the secret access key again after this step, so download it now and store it securely (a password manager or secrets manager, never a repository, ticket or chat message). Delete the .csv once the keys are loaded into your tools.

6. Set Permissions

Ensure the user has the permissions needed for the actions your pentest will perform, and no more. This may involve attaching specific IAM policies to the user or letting the user assume a role that carries them; for a read-only configuration review, a managed policy such as SecurityAudit is a common starting point.

If you encounter issues, confirm that the user has the correct permissions and that the keys are configured in your tools: a call to STS GetCallerIdentity with the new keys should return the IAM user's ARN before you start any scanning.
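The steps above end with a .csv file on disk. The following is an added example (not part of this article) showing how to load that file into a named profile in the AWS shared credentials file with the file locked to mode 0600, keep any other profiles already in that file, and optionally confirm the keys work with STS GetCallerIdentity. The profile name "pentest" and the contents of SAMPLE_CSV are assumptions: the CSV is a constructed stand-in that uses AWS's documented placeholder key pair, not a live credential.

```python
# Added example (not part of the original article): import the CSV the IAM
# console hands you into a named profile in the AWS shared credentials file,
# with the file locked to 0600, and (optionally) prove the keys work with
# STS GetCallerIdentity. The key pair in SAMPLE_CSV is AWS's documented
# placeholder pair, not a live credential.
import configparser
import csv
import io
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_HEADER = ["Access key ID", "Secret access key"]

# Constructed stand-in for <username>_accessKeys.csv, using AWS's example key pair.
SAMPLE_CSV = (
    "Access key ID,Secret access key\n"
    "AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)


def parse_access_key_csv(text: str) -> tuple[str, str]:
    """Return (access_key_id, secret_access_key) from the console's CSV, rejecting
    anything that does not look like the one-row file the console produces."""
    rows = [r for r in csv.reader(io.StringIO(text.lstrip("\ufeff"))) if r]
    if not rows or [h.strip() for h in rows[0]] != EXPECTED_HEADER:
        raise ValueError("unexpected header: not an IAM access key export")
    if len(rows) != 2 or len(rows[1]) < 2:
        raise ValueError("expected exactly one key pair")
    key_id, secret = rows[1][0].strip(), rows[1][1].strip()
    if len(key_id) != 20 or not key_id.startswith("AKIA"):
        raise ValueError("access key ID is not a long-term IAM user key")
    if len(secret) != 40:
        raise ValueError("secret access key has the wrong length")
    return key_id, secret


def write_profile(key_id: str, secret: str, profile: str, path) -> Path:
    """Add or replace [profile] in the credentials file, keeping other profiles intact."""
    path = Path(path).expanduser()
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    cp = configparser.ConfigParser()
    cp.read(path)                                   # no-op if the file does not exist yet
    cp[profile] = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        cp.write(f)
    os.chmod(path, 0o600)                           # a pre-existing file would keep its old mode otherwise
    return path


def read_profile(path, profile: str) -> dict:
    cp = configparser.ConfigParser()
    cp.read(path)
    return dict(cp[profile])


def file_mode(path) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def caller_arn(profile: str) -> str:
    """Equivalent of `aws sts get-caller-identity --profile <profile>`; needs boto3
    and network access, so the offline demo below does not call it."""
    import boto3                                    # optional dependency, imported lazily
    return boto3.Session(profile_name=profile).client("sts").get_caller_identity()["Arn"]


def demo(csv_text: str = SAMPLE_CSV, profile: str = "pentest") -> dict:
    """Offline walk-through against a scratch directory instead of ~/.aws."""
    key_id, secret = parse_access_key_csv(csv_text)
    scratch = Path(tempfile.mkdtemp()) / "credentials"
    path = write_profile(key_id, secret, profile, scratch)
    return {"key_id": key_id, "path": str(path), "mode": file_mode(path),
            "section": read_profile(path, profile)}


if __name__ == "__main__":
    print(demo())
    # Real use: write_profile(*parse_access_key_csv(open("user_accessKeys.csv").read()),
    #                         "pentest", "~/.aws/credentials"), then caller_arn("pentest").
```

The parser deliberately refuses files whose header or key shapes differ from what the console emits, so a stray spreadsheet or a temporary-credential export (which would carry a session token) is not silently written as a long-term profile.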


Enable a virtual MFA device for an IAM user (console)

You can use IAM in the AWS Management Console to enable and manage a virtual MFA device for an IAM user in your account.

Note: You must have physical access to the hardware that will host the user's virtual MFA device in order to configure MFA.

To enable a virtual MFA device for an IAM user (console)

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Users.
In the Users list, choose the name of the IAM user.
Choose the Security Credentials tab. Under Multi-factor authentication (MFA), choose Assign MFA device.
In the wizard, type a Device name, choose Authenticator app, and then choose Next.
Open your virtual MFA app. For a list of apps that you can use for hosting virtual MFA devices, see Multi-Factor Authentication in the IAM documentation. If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.
Determine whether the MFA app supports QR codes, and then do one of the following:
From the wizard, choose Show QR code, and then use the app to scan the QR code. This might be a camera icon or a Scan code option that uses the device's camera to read the code.
From the wizard, choose Show secret key, and then type the secret key into your MFA app.
When you are finished, the virtual MFA device starts generating one-time passwords.
On the Set up device page, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA code 2 box. Choose Add MFA.

Important: Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
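The two boxes in the wizard expect two consecutive codes from the same device, and the timing caveat above follows from how those codes are derived. The following is an added example (not part of this article) that implements the RFC 6238 time-based one-time password the virtual MFA device computes, shows how "MFA code 1" and "MFA code 2" relate to each other, and counts how many 30-second windows elapse between generating the codes and submitting them. The seed used is the published RFC 4226/6238 test key, not an AWS seed; for a real device you would paste the base32 string from "Show secret key". AWS's exact tolerance for late codes is not stated on this page, so the example only reports the elapsed windows rather than judging acceptance.

```python
# Added example (not part of the original article): a minimal RFC 6238 TOTP
# generator used to show what the "MFA code 1" / "MFA code 2" boxes expect and
# why a delayed submission leaves the device out of sync. The secret below is
# the RFC 4226/6238 test key, not a real AWS seed; use the base32 string from
# "Show secret key" in the console for a real device.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by virtual MFA devices
DIGITS = 6          # virtual MFA devices show 6-digit codes

# RFC 4226 test secret "12345678901234567890", encoded the way the console shows a seed.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def decode_seed(secret_b32: str) -> bytes:
    """Accept the seed as shown in the console (upper or lower case, optional spaces)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore any stripped base32 padding
    return base64.b32decode(cleaned)


def time_window(at: int) -> int:
    """Index of the 30-second step that Unix time `at` falls in."""
    return int(at) // STEP_SECONDS


def totp(secret_b32: str, at: int) -> str:
    """Code a virtual MFA device shows at Unix time `at`."""
    return hotp(decode_seed(secret_b32), time_window(at))


def enrollment_codes(secret_b32: str, now: int) -> tuple[str, str]:
    """The two consecutive codes the Assign MFA wizard asks for: the current one
    and the one the device shows after it ticks over to the next window."""
    first = totp(secret_b32, now)
    second = totp(secret_b32, (time_window(now) + 1) * STEP_SECONDS)
    return first, second


def windows_elapsed(generated_at: int, submitted_at: int) -> int:
    """Number of 30-second steps between generating the codes and choosing Add MFA.
    Every step beyond the one the codes were made in makes the device more likely
    to end up associated but out of sync, which a resync (two fresh codes) fixes."""
    return time_window(submitted_at) - time_window(generated_at)


if __name__ == "__main__":
    now = int(time.time())
    c1, c2 = enrollment_codes(TEST_SECRET_B32, now)
    print(f"MFA code 1: {c1}  (shown now)")
    print(f"MFA code 2: {c2}  (shown once the device ticks over; wait up to 30 s)")
    print("windows elapsed if you wait 5 minutes before Add MFA:", windows_elapsed(now, now + 300))
```

The same enrollment can be scripted with the AWS CLI: create the device with `aws iam create-virtual-mfa-device`, feed the returned seed to a generator like this one, and pass the two codes to `aws iam enable-mfa-device` (or `aws iam resync-mfa-device` if the device already exists but drifted); those CLI commands are real but are not exercised by the offline example.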

Updated on: 12/09/2024
