See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.

A Comprehensive Guide to AWS Pentesting

According to The State of Pentesting 2023 report, 97% of teams in the US conducted pentesting at least once in 2022.

With over a million businesses across the globe using Amazon Web Services (AWS) to build and deploy different types of applications, it's important that we talk about AWS penetration testing.

AWS pentesting is a proactive security assessment technique that involves simulating real-world attacks on computer systems, networks, applications, or other digital assets. It helps improve the overall security posture of the AWS infrastructure, validates the effectiveness of security controls, and assists in meeting compliance requirements.

Penetration testing on AWS allows organizations to proactively identify and address security vulnerabilities before they are exploited by malicious actors.

Let’s take a closer look at what AWS pentesting is, how you can perform a pentest on this popular platform, and overall AWS security.

What Is Penetration Testing on AWS?

Penetration testing on AWS is the process of evaluating the security of an AWS infrastructure by simulating practical cyber-attacks.

AWS pentesting involves authorized and controlled attempts to exploit vulnerabilities and weaknesses within the AWS environment to identify potential security risks and prevent malicious attackers from breaching the system. The outcome of an AWS pentest includes a report outlining the system's vulnerabilities and a specific list of each vulnerability's severity level.

Overview of AWS Shared Responsibility Model

Security testing on AWS follows a shared model in which both Amazon and the customer have certain responsibilities. AWS services are either user-operated or vendor-operated.

Amazon’s Responsibilities

Amazon focuses on securing the infrastructure that runs all of the services offered in the AWS Cloud Computing Suite. This infrastructure includes the physical hardware, supporting software, networking, and facilities that run AWS Cloud services.

Customer’s Responsibilities

Customers are responsible for maintaining the security of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Customers do not require prior approval from AWS to pentest the approved services discussed in the next section.

What Are You Allowed and Not Allowed to Test in AWS?

When performing penetration testing in AWS, it is crucial to understand what is permitted and what is not permitted to ensure compliance with the terms and conditions of AWS. While AWS encourages security testing, certain limitations and guidelines must be followed.

Allowed

  • Web application scanning
  • Port scanning
  • Injections
  • Exploitation
  • Vulnerability scanning or checks
  • Forgery
  • Fuzzing

Not Allowed

  • DNS zone walking, hijacking, or pharming
  • Protocol flooding
  • Port flooding
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Simulated DoS and DDoS
  • Request flooding (API request flooding, login request flooding)

Prerequisites to Testing on AWS

It’s recommended to describe the following aspects before conducting a pentest on AWS:

  • The scope of the pentest, which includes the target system
  • The kind of test to be carried out
  • Requirements of the test, which should be mutually decided between stakeholders and the pentesting contractor
  • A protocol the pentester should follow in case they discover a vulnerability
  • A schedule for the pentest
  • Written authorization by system owners for pentesters to conduct the test

Three Main Types of AWS Testing

1. Testing on the Cloud

An example of this type of test would be a virtualized system that has been moved from on premises to the cloud.

2. Testing in the Cloud

Testing systems within the cloud that are not exposed publicly. An example would be testing the server hosting an application.

3. Testing the Cloud Console

A configuration test of the cloud console. Examples would be reviewing user accounts, their permissions, and the access management that has been configured.

Performing these types of Amazon cloud security tests gives business owners clear, definitive answers on how their systems and environment components are performing risk-wise and whether any remedial actions should be urgently prioritized.

But before investing the time and manpower required to complete an AWS pentest, it’s imperative that business owners have a full understanding of what these AWS cloud security tests entail, and how they are different from other forms of penetration testing.

How to Perform Penetration Testing on AWS

Performing penetration testing on AWS needs careful planning and execution to ensure effective security assessments while reducing disruptions.

Here are general steps to perform penetration testing on AWS:

Step 1: Seek Appropriate Authorization

Before conducting any testing, ensure you have explicit written authorization from the AWS account owner or organization.

This may involve submitting a request to AWS Support (if seeking to test non-approved services) or following specific procedures outlined in your organization's security policies.

Step 2: Define Scope and Goals

Identify the target systems, applications, and AWS services to be tested.

Consider any specific compliance requirements or sensitive data that must be protected. Learn more about preparing for a pentest.

Step 3: Set Up Testing Environment

Create a separate testing environment within AWS, distinct from the production environment, to avoid unintentional interruptions.

This includes setting up virtual instances, networks, and security groups specifically for the pentest.

Step 4: Map the Attack Surface

Gather as much information about the AWS environment as you can.

This includes identifying services, instances, subnets, S3 buckets, Identity and Access Management (IAM) roles, and other potentially vulnerable components.

Some of the techniques that you can use are network scanning, vulnerability scanning, and social engineering. 

Step 5: Perform Vulnerability Assessment

This is the main goal of an AWS penetration test.

You can find vulnerabilities in a variety of places, such as IAM policies, S3 bucket permissions, and EC2 instance configurations.

For example, you may analyze AWS CloudTrail logs to track user activity and identify potential security issues.

Step 6: Exploit Vulnerabilities

Once you identify the vulnerabilities, you need to exploit them in order to determine their impact. 

This could involve exploiting misconfigurations, weak access controls, or vulnerabilities specific to certain AWS services.

However, ensure that you only target your own resources and do not affect other AWS customers.

Step 7: Report and Remediate

Compile a comprehensive report outlining the findings, identified vulnerabilities, and suggested mitigation procedures.

Share this report with the system owner or administrator, along with any necessary guidance to help remediate the identified vulnerabilities.
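
The CloudTrail review mentioned in Step 5 can be scripted so its output feeds the report in Step 7. The following is an added example, not code from the original article: the log records are constructed, and the finding names and the denial threshold are assumptions.

```python
import json
from collections import Counter

DENIED_THRESHOLD = 3  # assumed cut-off for "repeated" denials
DENIED_CODES = ("AccessDenied", "Client.UnauthorizedOperation")

# Constructed CloudTrail records (account id, users and IPs are placeholders).
SAMPLE_LOG = """{"Records": [
{"eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "responseElements": null},
{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
{"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
{"eventName": "ListBuckets", "errorCode": "AccessDenied", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci/build"}},
{"eventName": "GetObject", "errorCode": "AccessDenied", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci/build"}},
{"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci/build"}}
]}"""
SAMPLE_EVENTS = json.loads(SAMPLE_LOG)

def triage(records):
    """Return (finding, principal, detail) tuples for a list of CloudTrail records."""
    findings, denied = [], Counter()
    for ev in records:
        ident = ev.get("userIdentity") or {}
        who = ident.get("arn", ident.get("type", "unknown"))
        # Any API call made as the root user is worth a line in the report.
        if ident.get("type") == "Root":
            findings.append(("root-activity", who, ev.get("eventName")))
        # responseElements / additionalEventData are often null, so guard them.
        login_ok = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa_used = (ev.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
        if ev.get("eventName") == "ConsoleLogin" and login_ok and not mfa_used:
            findings.append(("console-login-without-mfa", who, ev.get("sourceIPAddress")))
        if ev.get("errorCode") in DENIED_CODES:
            denied[who] += 1
    # Many denials from one principal suggest permission probing or a broken role.
    findings += [("repeated-access-denied", who, n)
                 for who, n in denied.items() if n >= DENIED_THRESHOLD]
    return findings
```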

Key Areas of Focus

Here are a few areas pentesters should focus on during penetration testing that will help identify potential vulnerabilities and weaknesses within AWS resources:

Identity and Access Management (IAM)

During penetration testing, it is essential to assess the effectiveness of IAM controls and the overall security of user authentication and authorization. Pentesters should test whether:

  • Service accounts have unrestricted permissions
  • Keys exist in the root account
  • Users have multiple keys
  • Root account is used for routine tasks or automation
  • SSH and PGP keys haven’t been refreshed
  • Accounts are inactive
  • Multi-factor authentication is in place
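
Most of the IAM checks above can be answered from the account's IAM credential report. The following is an added example, not code from the original article: the CSV is a constructed sample using a subset of the report's columns, and the 90-day threshold and finding names are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed rotation/inactivity threshold, not from the article

# Constructed sample in the IAM credential report CSV format (subset of columns).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-05-30T08:00:00+00:00,false,true,2021-01-10T00:00:00+00:00,2024-05-29T00:00:00+00:00,false,N/A,N/A
alice,true,2024-05-28T09:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false,N/A,N/A
ci-deploy,false,N/A,false,true,2022-02-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,2024-05-01T00:00:00+00:00
bob,true,2023-06-01T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

def _age_days(value, now):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, etc."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def audit(report_csv, now):
    """Return (user, finding) tuples for the checks listed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if is_root and active:
            findings.append((user, "root-access-key"))
        if len(active) > 1:
            findings.append((user, "multiple-active-keys"))
        for n in active:
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > MAX_AGE_DAYS:
                findings.append((user, f"key-{n}-not-rotated"))
        # Root always has console access; its password_enabled is "not_supported".
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        # Inactive: neither the password nor any key was used inside the window.
        used = [row["password_last_used"]]
        used += [row[f"access_key_{n}_last_used_date"] for n in ("1", "2")]
        ages = [a for a in (_age_days(v, now) for v in used) if a is not None]
        if not ages or min(ages) > MAX_AGE_DAYS:
            findings.append((user, "inactive"))
    return findings
```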

Logical Access Controls

Logical access controls are crucial for securing AWS resources and preventing unauthorized access. Penetration testing should focus on:

  • Identifying if actions have been correctly assigned to resources
  • Testing that credentials related to AWS accounts are safe and secure
  • Testing if AWS processes and sensitive resources have controlled access

S3 Buckets

Assessing the security of Amazon S3 (Simple Storage Service) buckets is crucial to prevent data exposure or unauthorized access to stored data. Penetration testing should verify that:

  • Appropriate security features are enabled on buckets, such as authentication and encryption
  • Only authorized users have permissions for operations such as GET, PUT, and DELETE
  • Security auditing is enabled on buckets, such as versioning and logging
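
One way to check the bucket points above offline is to evaluate an exported bucket policy together with the bucket's feature settings. The following is an added example, not code from the original article: the `bucket` dict layout, the sample policy and the finding names are assumptions, and the check ignores explicit Deny statements and account-level public access settings.

```python
import json
from fnmatch import fnmatchcase

OPERATIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_operations(policy_json):
    """GET/PUT/DELETE operations that an unconditioned Allow grants to everyone."""
    exposed = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Statements with a Condition are skipped here and need manual review.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        # Action entries may contain wildcards such as "s3:*" or "s3:Put*".
        for pattern in _as_list(stmt.get("Action", [])):
            exposed.update(op for op in OPERATIONS
                           if fnmatchcase(op.lower(), pattern.lower()))
    return sorted(exposed)

def audit_bucket(bucket):
    """bucket: hypothetical dict holding the policy JSON and three feature flags."""
    findings = [f"public:{op}" for op in public_operations(bucket["policy"])]
    findings += [f"missing:{f}" for f in ("encryption", "versioning", "logging")
                 if not bucket.get(f)]
    return findings

# Constructed sample: bucket name, account id and role are placeholders.
_RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_BUCKET = {
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:Put*"], "Resource": _RES},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}, "Action": "s3:*", "Resource": _RES},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": _RES,
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ]}),
    "encryption": True, "versioning": False, "logging": False,
}
```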

Database Services

Penetration testing should focus on identifying vulnerabilities within various database services. This includes testing whether:

  • Database access is limited to known IP addresses
  • Database applications are secure from potential SQL injection or command injection vulnerabilities
  • Data is backed up regularly and backups can be securely restored
  • Sensitive resources are deployed across several availability zones (multi-AZ)


In conclusion, conducting comprehensive penetration testing on AWS is crucial for ensuring the security of your cloud infrastructure. By following a systematic approach and using the right methodologies and tools, organizations can improve their defenses and safeguard sensitive information.

However, it is important to always ensure ethical conduct, respect legal boundaries, and prioritize collaboration with system owners to remediate identified vulnerabilities effectively. With a comprehensive and responsible approach to AWS penetration testing, businesses can strengthen their security and protect against potential threats.

To help you prepare for your penetration testing endeavors, we have created a Pentest Preparation Checklist. Download our checklist to ensure you cover all the essential steps and prerequisites, enabling you to maximize your pentest.

Explore other cybersecurity services to help you develop a world-class cloud security program. Lastly, our award-winning PtaaS platform helps your team identify vulnerabilities, including a complimentary review of remediation to ensure security bugs have been safely and thoroughly removed.

About Luke Doherty
Luke Doherty is the Senior Manager of Sales Engineering at Cobalt. He graduated from the ECPI University with a Bachelor's Degree in Computer and Information Systems Security. With nearly 10 years of technical experience, he helps bring to life Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform.