What Is AWS Penetration Testing?
Amazon Web Services (AWS) penetration testing requires a different approach than on-premises testing. When you test in Amazon's cloud, you are bound by Amazon's shared responsibility model and testing restrictions, which limit the scope of your tests and determine the cloud-specific techniques and methods you must use. An experienced AWS pentesting partner can be invaluable for navigating these nuances. This guide covers the essentials of AWS pentesting, offers tips on testing your Amazon cloud, and explains how to select an AWS pentest provider.
What Is AWS Pentesting?
Amazon Web Services pentesting simulates hacking attacks on your AWS cloud infrastructure in order to identify certain types of vulnerabilities that require mitigations. AWS pentesting focuses on vulnerabilities in your Amazon cloud infrastructure, such as storage, virtual server, relational database, and identity and access management services. Under Amazon's shared responsibility model and policies, AWS pentesting excludes testing of Amazon's own services or infrastructure used by other Amazon customers.
Within this scope, AWS pentests yield reports that detail discovered vulnerabilities, their severity, and their recommended fixes. To achieve this, AWS pentesters use specialized testing techniques and methods that probe vulnerabilities unique to Amazon's cloud-based attack surface.
Shared Responsibility Model: Why Pentesting is Necessary
Some AWS users may not realize that using Amazon's cloud services does not make Amazon responsible for protecting everything they do with those services. Like other cloud providers, Amazon requires AWS customers to agree to a shared responsibility model that divides specific security and compliance responsibilities between Amazon and AWS users.
Under this division of duties, Amazon takes responsibility for securing components from their host operating system and virtualization layer down to the physical facilities where these services reside. Customers must secure their own guest operating system, application software, and AWS-supplied firewall configuration. In short, Amazon secures the infrastructure they provide, while you secure your own AWS cloud space.
To further elaborate, Amazon assumes responsibility for the security of:
- Hardware and AWS global infrastructure, including regions, availability zones, and edge locations.
- Software and services provided by Amazon, including compute, storage, database, and networking software and services.
Amazon customers assume responsibility for securing:
- Customer data.
- Platforms, applications, and identity and access management (IAM).
- Operating system, network, and firewall configuration.
- Client-side data encryption and data integrity authentication.
- Server-side encryption, including file systems and/or data.
- Networking traffic, including encryption, integrity, and identity management.
This division of responsibility requires you to take ownership of securing critical features of your AWS cloud such as your data, apps, traffic, and user access. Neglecting these on the assumption that Amazon is protecting you leaves you vulnerable to many attack vectors.
AWS Penetration Testing Policy: What You Need to Know
Before running pentests on AWS, you need to be aware of what Amazon's pentesting policies allow you to test and what they prohibit. Essentially, Amazon allows you to run tests that only affect your own AWS infrastructure and not Amazon's own infrastructure or services, or that of other Amazon customers.
To ensure this, Amazon specifies a list of permitted services you may pentest without prior approval. You can also host your security assessment tools within the AWS IP space or at another cloud provider for on-premises, AWS, or third-party contracted testing. Any security testing that involves remote command and control (C2) of your AWS environment requires prior approval, obtained by filling out a "Simulated Event" form accessible via the AWS Management Console.
Permitted pentesting services include:
- Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS AppSync
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
- Amazon Elastic Container Service
- AWS Fargate
- Amazon OpenSearch Service
- Amazon FSx
- Amazon Transit Gateway
In addition, Amazon prohibits specific testing activities unless you're working with AWS staff or your account representative. These prohibited activities include:
- DNS zone walking via Amazon Route 53 Hosted Zones.
- DNS hijacking via Route 53.
- DNS Pharming via Route 53.
- Denial of Service (DoS), Distributed Denial of Service (DDoS).
- Simulated DoS, Simulated DDoS (except under terms specified by Amazon's DDoS Simulation testing policy).
- Port flooding.
- Protocol flooding.
- Request flooding (login request flooding, API request flooding).
- S3 bucket takeover.
- Subdomain takeover.
Amazon also prohibits outbound pentesting on the Amazon API Gateway.
Key Areas and Techniques of AWS Pentests
Under the scope of Amazon's policies and cloud-based services, AWS pentests focus on a number of key areas which fall under the responsibility of AWS customers. These include:
- Storage (Amazon S3, EBS)
- Virtual server compute clouds (Amazon EC2)
- Relational databases (Amazon RDS)
- Identity and access management (AWS IAM)
AWS Storage Pentesting: Amazon S3, EBS
Amazon S3 (Simple Storage Service) and Amazon Elastic Block Store (EBS) are two of Amazon's popular cloud storage services. S3 provides object storage buckets using a flat architecture which facilitates scaling and faster queries. EBS provides block-level storage for EC2 instances, serving as a virtual hard drive that delivers low latency, high availability, easy backups, and managed encryption.
Pentesting for these services may check configurations such as:
- Enablement of security features such as authentication and encryption.
- Permission restrictions that only let authorized users access operations such as GET, PUT, and DELETE.
- Enablement of security auditing features such as versioning and logging.
AWS Virtual Server Compute Cloud Pentesting: Amazon EC2
Amazon's EC2 service allows customers to use virtual machines for compute power. EC2 pentesting probes for security group misconfigurations and insecure credentials, testing issues such as:
- Configuration of EC2 instances in conformity with security group best practices.
- Restriction of ability to create or edit security groups to designated IAM principals.
- Limitation of security groups to those actually required, with groups organized by tags and labels.
- Consistency of security group rules with current policies, and whether the rules are kept up to date.
- Restriction of inbound rule authorization to designated ranges.
- Avoidance of large port ranges and limitation of access to required sources and destinations.
- Addition of security layers defined by access-control lists with rules paralleling your security groups, when applicable.
- Credential management consistent with best practices.
- Strong, unique username and password policies.
- Regular credential rotation.
- Secure storage and transmission methods when handling credentials.
- Reporting of pentesting results in AWS penetration testing reports with detailed lists of scanned vulnerabilities, ranked by severity and impact, with recommended mitigations.
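A defender-side review of the security group points above, added here as an example and not part of the original article: it walks rule entries shaped like the EC2 DescribeSecurityGroups response (constructed sample data, not a real account) and flags rules that permit every protocol, that open a large port span, or that expose administrative ports beyond an approved source range. The administrative ports, the approved bastion range (TEST-NET-3) and the span threshold are assumptions for the example, not AWS defaults.

```python
import ipaddress

# Constructed sample shaped like the SecurityGroups/IpPermissions entries that
# the EC2 DescribeSecurityGroups API returns; not data from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # IpProtocol "-1" means every protocol; AWS omits FromPort/ToPort here.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Assumed policy values for this example: the only ranges allowed to reach
# administrative ports (a bastion range from TEST-NET-3), the ports treated as
# administrative, and the span above which a rule counts as a "large" range.
APPROVED_ADMIN_SOURCES = (ipaddress.ip_network("203.0.113.0/24"),)
ADMIN_PORTS = (22, 3389)
MAX_PORT_SPAN = 100

def review_security_groups(groups, approved=APPROVED_ADMIN_SOURCES,
                           admin_ports=ADMIN_PORTS, max_span=MAX_PORT_SPAN):
    """Return (group_id, source_cidr, issue) tuples for inbound rules that break the assumed policy."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            lo = rule.get("FromPort", 0)
            hi = rule.get("ToPort", 65535)
            sources = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
            sources += [ipaddress.ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
            for src in sources:
                if rule["IpProtocol"] == "-1":
                    findings.append((group["GroupId"], str(src), "all protocols and ports permitted"))
                    continue
                if hi - lo + 1 > max_span:
                    findings.append((group["GroupId"], str(src), f"large port range {lo}-{hi}"))
                # Same-version check first: subnet_of() raises on mixed IPv4/IPv6.
                trusted = any(src.version == a.version and src.subnet_of(a) for a in approved)
                for port in admin_ports:
                    if lo <= port <= hi and not trusted:
                        findings.append((group["GroupId"], str(src),
                                         f"admin port {port} open beyond approved ranges"))
    return findings
```

Rules whose source is another security group (UserIdGroupPairs) carry no CIDR and are skipped; extend the loop if those need review too.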
AWS Relational Database Pentesting: Amazon RDS
Amazon Relational Database Service (RDS) provides user-friendly, scalable cloud-based relational databases. RDS pentesting checks issues such as:
- Limiting of database access to known IP addresses.
- Protection of database applications from potential SQL injection or command injection vulnerabilities.
- Backup frequency and secure restoration capability.
- Deployment of sensitive resources across multiple availability zones (multi-AZ).
AWS Identity and Access Management Pentesting: AWS IAM
AWS Identity and Access Management (IAM) allows users to securely control access to AWS resources. AWS IAM pentesting examines authentication and authorization procedures, checking issues such as:
- Presence of service accounts with unrestricted permissions.
- Storage of access keys for root accounts.
- Users possessing multiple keys.
- Use of root accounts for routine tasks or automation.
- Failure to refresh SSH and PGP keys.
- Inactive accounts.
- Multi-factor authentication enforcement.
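Several of the IAM points above (root access keys, users with multiple keys, stale keys, inactive accounts, MFA enforcement) can be checked from the account's IAM credential report. The following is an added example, not code from the original article: it parses a constructed report in the CSV layout that IAM GetCredentialReport returns (made-up account id and users) against assumed 90-day rotation and inactivity thresholds and a fixed reference time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CSV layout of the IAM GetCredentialReport API
# (account id and users are made up). The root user appears as <root_account>.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,true,true,2021-01-05T10:00:00+00:00,2024-02-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-01T09:00:00+00:00,true,2024-03-01T12:00:00+00:00,2023-12-01T09:00:00+00:00,N/A,true,true,2023-12-01T09:00:00+00:00,2024-03-01T12:00:00+00:00,us-east-1,ec2,true,2022-06-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,2022-01-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-01-15T09:00:00+00:00,2023-01-10T09:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed reference time for reproducibility
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=90)      # assumed inactivity threshold

def _ts(value):
    try:
        return datetime.fromisoformat(value)
    except ValueError:  # N/A, not_supported, no_information
        return None

def review_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE, max_idle=MAX_IDLE):
    """Return (user, issue) tuples for the IAM hygiene points listed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if keys:
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            continue
        if len(keys) > 1:
            findings.append((user, "more than one active access key"))
        for n in keys:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > max_key_age:
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Last activity across the console password and every active key.
        used = [_ts(row["password_last_used"])] + [_ts(row[f"access_key_{n}_last_used_date"]) for n in keys]
        used = [t for t in used if t]
        if not used or now - max(used) > max_idle:
            findings.append((user, "inactive credentials"))
    return findings
```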
AWS Penetration Testing Methodology
The process of conducting AWS pentests can be broken down into eight steps:
- Define your AWS pentest goals and scope
- Obtain any necessary authorization from Amazon
- Create a testing environment in AWS
- Map your attack surface through reconnaissance
- Analyze vulnerabilities
- Exploit vulnerabilities
- Report findings
- Recommend remediations
1. Define your AWS pentest goals and scope
Your pentest goals define the purpose of your test, while your scope limits your test to what you need to achieve your purpose. For instance, you may be testing for compliance, risk assessment, or specific vulnerabilities. Specifying your goals may require your scope to cover particular AWS services, designated apps you're running on AWS, or specific accounts.
2. Obtain any necessary authorization from Amazon
If your scope requires you to run any kind of pentests that fall outside Amazon's permitted services, be sure to obtain permission from Amazon by submitting a Simulated Event form through your AWS Management Console.
3. Create a testing environment in AWS
Creating a separate AWS environment to run your pentests helps prevent disruptions to your AWS cloud infrastructure and applications and can ensure that you have enough resources to conduct your tests. Setting up your testing environment may involve creating virtual machines, networks, and security groups.
4. Map your attack surface through reconnaissance
Mapping your AWS attack surface provides you with a basis for analyzing your vulnerabilities. Identify all relevant attack surfaces in your AWS cloud. Correlate these with the potential tactics, techniques, and procedures an attacker might use to exploit your vulnerabilities.
5. Analyze vulnerabilities
After mapping potential vulnerabilities, the next step is to assess the extent to which these pose actual risks. This step involves tasks such as reviewing permissions, checking configurations, and reviewing IAM procedures.
6. Exploit vulnerabilities
Once vulnerabilities have been identified, pentests can be run to attempt exploits. Within the bounds set by your testing goals and scope and Amazon's policies, you can probe the vulnerabilities you've prioritized.
7. Report findings
After conducting your pentest, the next step is to generate a report on your findings. This should detail the vulnerabilities you've discovered, rank their severity, and identify fixes.
8. Recommend remediations
To make your pentest report actionable, the final step is to recommend remediations based on your results. Use severity or other criteria such as business impact to prioritize which fixes need to be implemented first.
How to Choose an AWS Pentesting Partner
Performing an effective AWS pentest requires considerable knowledge of AWS services, cloud vulnerabilities, testing methods and tools, and mitigations. Partnering with an experienced pentesting service can make managing these challenges easier. When selecting an AWS pentesting partner, weigh criteria such as:
- Attack surface coverage: Does your pentesting provider cover all the AWS services you need to test for comprehensive coverage of your attack surface?
- Speed: How rapidly can your provider schedule pentests?
- Scale: Can your pentesting provider handle your required testing scale?
- Resilience: Does your pentesting service provide or implement mitigation recommendations to strengthen your AWS security posture?
- Expertise: Is your pentester experienced with the type of AWS testing you need?
- Compliance: Can your pentester provide customized tests that meet your compliance standard requirements?
Use these types of discovery questions to help you identify your own customized criteria for selecting an appropriate provider.
Secure Your AWS Cloud with Cobalt
Whatever your pentesting criteria, Cobalt's pentesting as a service (PTaaS) platform is designed to meet your requirements. Our platform enables you to quickly connect with our pool of 450+ expert pentesters, known as the Cobalt Core, to find testers with experience matching your exact needs. We make it simple for you to set up customized tests within as little as 24 hours at any scale you require. Contact us about our pentesting services to discuss how we can help you meet your testing goals and secure your AWS cloud.