Cloud Security - What is Recon
In cloud security, Recon (short for Reconnaissance) is the phase where an attacker gathers information about your cloud environment to identify vulnerabilities, valid entry points, and assets they can exploit.
It corresponds to TA0043 in the MITRE ATT&CK framework and is often the first step in a cloud breach.
Unlike traditional network recon (scanning IP addresses), cloud recon focuses heavily on identifying services, permissions, and misconfigurations rather than just open ports.
The Two Types of Cloud Recon
Cloud reconnaissance is generally split into two categories based on the attacker's perspective:
A. External Recon (Unauthenticated)
The attacker is on the "outside" looking in. They have no credentials yet and are trying to find public leaks or exposed assets.
- Bucket Enumeration: Guessing names of S3 buckets (AWS) or Blob Storage containers (Azure) to see if they are publicly readable.
- User Enumeration: Checking if specific email addresses are valid users in your cloud tenant (often via error messages in login portals).
- Public Service Scanning: Looking for exposed management consoles, databases (RDS, CosmosDB), or Kubernetes API endpoints left open to the internet.
- GitHub/Code Scraping: Searching public code repositories for accidentally committed API keys or hardcoded cloud credentials.
B. Internal Recon (Authenticated)
The attacker has gained some level of access (e.g., they stole a developer's API key or compromised a web server). Now they need to figure out who they are and what they can touch.
- "Who Am I?": Running commands (like aws sts get-caller-identity) to see which user or role they have compromised.
- Permission Enumeration: Brute-forcing API calls to map out what permissions they have (since there is no simple "list my permissions" command for attackers).
- Metadata Service Querying: Accessing the internal instance metadata service (IMDS) from a compromised VM to steal temporary credentials.
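The permission-enumeration step above leaves a distinctive trail: one "who am I?" call followed by a burst of denials across many unrelated services. As an added example that is not part of the original article, the following Python flags that pattern in CloudTrail-shaped records; the events, account ID and ARNs are constructed for the example, and the error-code strings reflect how different AWS services report a denial.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): a stolen CI user key runs "who am I?"
# and then probes many services collecting denials; a normal role shows one stray denial.
T0 = datetime(2024, 5, 1, 10, 0, 0)
CI = "arn:aws:iam::123456789012:user/dev-ci"       # constructed principal
APP = "arn:aws:iam::123456789012:role/app-server"  # constructed principal

def _ev(seconds, name, source, arn, error=None):
    """Build a minimal CloudTrail-shaped record `seconds` after T0."""
    e = {"eventTime": (T0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "eventName": name, "eventSource": f"{source}.amazonaws.com",
         "userIdentity": {"arn": arn}}
    if error:
        e["errorCode"] = error
    return e

# (eventName, service, errorCode); services spell a denial differently
_PROBES = [("ListBuckets", "s3", "AccessDenied"), ("ListUsers", "iam", "AccessDenied"),
           ("ListRoles", "iam", "AccessDenied"), ("DescribeInstances", "ec2", "Client.UnauthorizedOperation"),
           ("ListFunctions", "lambda", "AccessDeniedException"), ("ListSecrets", "secretsmanager", "AccessDeniedException"),
           ("DescribeDBInstances", "rds", "AccessDenied"), ("ListClusters", "eks", "AccessDeniedException"),
           ("DescribeTrails", "cloudtrail", "AccessDenied"), ("ListKeys", "kms", "AccessDeniedException")]
SAMPLE_EVENTS = (
    [_ev(0, "GetCallerIdentity", "sts", CI), _ev(5, "GetObject", "s3", CI)]
    + [_ev(10 + i * 3, n, s, CI, err) for i, (n, s, err) in enumerate(_PROBES)]
    + [_ev(0, "GetCallerIdentity", "sts", APP), _ev(20, "GetObject", "s3", APP),
       _ev(60, "DescribeInstances", "ec2", APP, "Client.UnauthorizedOperation")])

_ts = lambda e: datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _is_denied(e):
    code = e.get("errorCode", "")
    return "AccessDenied" in code or "UnauthorizedOperation" in code

def detect_permission_enumeration(events, window=timedelta(minutes=10), min_denied=8):
    """Return {principal_arn: distinct denied API count} for principals whose first
    GetCallerIdentity is followed within `window` by at least `min_denied` denials
    on distinct (service, API) pairs. Tune the threshold to your account's baseline."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    flagged = {}
    for arn, evs in by_principal.items():
        whoami = sorted(_ts(e) for e in evs if e["eventName"] == "GetCallerIdentity")
        if not whoami:
            continue  # legitimate SDK calls also hit STS; we only score what follows one
        start = whoami[0]
        denied = {(e["eventSource"], e["eventName"]) for e in evs
                  if _is_denied(e) and start <= _ts(e) <= start + window}
        if len(denied) >= min_denied:
            flagged[arn] = len(denied)
    return flagged
```

Counting distinct (service, API) pairs rather than raw denial events keeps a single misconfigured workload retrying one call from tripping the rule.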
Common Techniques
| Technique | Description |
|---|---|
| Google Dorking | Using advanced Google searches (e.g., site:s3.amazonaws.com "confidential") to find exposed files. |
| DNS Walking | Analyzing subdomains to find cloud resources (e.g., dev-api.company.com pointing to a Load Balancer). |
| GitHub Leaks | Searching for AKIA... (AWS access key format) in public code commits. |
| Port Scanning | Traditional Nmap scans, but targeted at cloud IP ranges (though cloud providers often throttle this). |
Popular Cloud Recon Tools
Security professionals use these tools to simulate attacks and find gaps before hackers do:
- Prowler: A command-line tool that scans AWS, Azure, and GCP to check for security best practices and misconfigurations (CIS Benchmarks).
- ScoutSuite: An open-source multi-cloud auditing tool that downloads your cloud configuration and presents a navigable report of potential risks.
- Pacu: An "exploitation framework" for AWS (similar to Metasploit) that includes modules specifically for reconnaissance and enumerating permissions.
- CloudMapper: A tool for visualizing your AWS network and IAM (Identity and Access Management) relationships.
- Shodan / Censys: "Search engines for hackers" that scan the entire internet and can tell you which of your cloud assets are publicly visible.
Summary
If someone mentions "Recon" in a cloud meeting, they are talking about the discovery phase.
- Defenders want to prevent recon by reducing the attack surface (hiding public buckets, removing unused keys).
- Attackers use recon to find the "unlocked door" (a misconfigured firewall, a leaked key, or a public S3 bucket) to get inside.