Amazon Web Services (AWS) penetration testing requires a different approach than on-premises testing. When you're testing in Amazon's cloud, you're bound by their shared responsibility model and testing policies, which limit the scope of your tests and determine the cloud-specific techniques and methods you need to use. Having an experienced AWS pentesting partner can be invaluable for navigating the nuances of testing in Amazon's cloud environment. Here's a guide to the essentials of AWS pentesting, some tips on testing your Amazon cloud, and advice on how to select an AWS pentest provider.
Amazon Web Services pentesting simulates hacking attacks on your AWS cloud infrastructure in order to identify certain types of vulnerabilities that require mitigations. AWS pentesting focuses on vulnerabilities in your Amazon cloud infrastructure, such as storage, virtual server, relational database, and identity and access management services. Under Amazon's shared responsibility model and policies, AWS pentesting excludes testing of Amazon's own services or infrastructure used by other Amazon customers.
Within this scope, AWS pentests yield reports that detail discovered vulnerabilities, their severity, and their recommended fixes. To achieve this, AWS pentesters use specialized testing techniques and methods that probe vulnerabilities unique to Amazon's cloud-based attack surface.
Some AWS users may not realize that just because they're using Amazon's cloud services, Amazon isn't responsible for protecting everything they do with those services. Like other cloud providers, Amazon requires AWS clients to agree to a shared responsibility model dividing specific security and compliance responsibilities between Amazon and AWS users.
Under this division of duties, Amazon takes responsibility for securing components from their host operating system and virtualization layer down to the physical facilities where these services reside. Customers must secure their own guest operating system, application software, and AWS-supplied firewall configuration. In short, Amazon secures the infrastructure they provide, while you secure your own AWS cloud space.
To further elaborate, Amazon assumes responsibility for the security of:
Amazon customers assume responsibility for securing:
This division of responsibility requires you to take ownership of securing critical features of your AWS cloud such as your data, apps, traffic, and user access. Neglecting these on the assumption that Amazon is protecting you leaves you vulnerable to many attack vectors.
Before running pentests on AWS, you need to be aware of what Amazon's pentesting policies allow you to test and what they prohibit. Essentially, Amazon allows you to run tests that only affect your own AWS infrastructure and not Amazon's own infrastructure or services, or that of other Amazon customers.
To ensure this, Amazon specifies a list of permitted services you may pentest without prior approval. You can also host your security assessment tools within the AWS IP space or at another cloud provider for on-premises, AWS, or third-party contracted testing. Any security testing that involves remote command and control (C2) of your AWS environment requires prior approval, obtained by filling out a "Simulated Event" form accessible via the AWS Management Console.
Permitted pentesting services include:
In addition, Amazon prohibits specific testing activities unless you're working with AWS staff or your account representative. These prohibited activities include:
Amazon also prohibits outbound pentesting on the Amazon API Gateway.
Under the scope of Amazon's policies and cloud-based services, AWS pentests focus on a number of key areas which fall under the responsibility of AWS customers. These include:
Amazon S3 (Simple Storage Service) and Amazon Elastic Block Store (EBS) are two of Amazon's popular cloud storage services. S3 provides object storage buckets using a flat architecture which facilitates scaling and faster queries. EBS provides block-level storage for EC2 instances, serving as a virtual hard drive that delivers low latency, high availability, easy backups, and managed encryption.
Pentesting for these services may check configurations such as:
Amazon's EC2 service allows customers to use virtual machines for compute power. EC2 pentesting probes for security group misconfigurations and insecure credentials, testing issues such as:
Amazon Relational Database Service (RDS) provides user-friendly, scalable cloud-based relational databases. RDS pentesting checks issues such as:
AWS Identity and Access Management (IAM) allows users to securely control access to AWS resources. AWS IAM pentesting tests authentication and authorization procedures, testing issues such as:
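As an added illustration of the EC2 security-group checks described above (example code, not from the original post): the script below takes the `SecurityGroups` list shape returned by `aws ec2 describe-security-groups`, flags ingress rules that open administrative or database ports to `0.0.0.0/0` or `::/0`, and rates an all-protocols (`-1`) rule as more severe than a single-port one. The sample groups are constructed, and `SENSITIVE_PORTS` is an assumed list you would tune to your own environment.

```python
# Added example (not from the original post): flag EC2 security-group ingress rules that
# expose admin or database ports to the internet. Input mirrors `describe-security-groups`.
import json

# Assumed, editable list of ports that should never be open to 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _world_open(perm):
    """True if any IPv4 or IPv6 range in this rule is the entire internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in v4 + v6)

def _exposed_ports(perm):
    """Sensitive ports covered by this rule's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means every protocol and every port
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):          # UDP/ICMP rules are out of scope here
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]

def audit_security_groups(groups):
    """Return findings as (group id, port, service, severity) tuples."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            sev = "critical" if perm.get("IpProtocol") == "-1" else "high"
            for port in _exposed_ports(perm):
                findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port], sev))
    return findings

# Constructed sample mirroring describe-security-groups output (not real groups).
SAMPLE = json.loads("""[
 {"GroupId": "sg-0aaa", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
]""")
if __name__ == "__main__":
    for gid, port, svc, sev in audit_security_groups(SAMPLE):
        print(f"{sev.upper()}: {gid} exposes {svc} (port {port}) to the internet")
```

Port 443 open to the world in `sg-0aaa` is deliberately not reported, since a public web listener is usually intended; the rule that matters for the pentest scope is the world-open SSH port and the all-traffic IPv6 rule.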
The process of conducting AWS pentests can be broken down into eight steps:
Your pentest goals define the purpose of your test, while your scope limits your test to what you need to achieve your purpose. For instance, you may be testing for compliance, risk assessment, or specific vulnerabilities. Specifying your goals may require your scope to cover particular AWS services, designated apps you're running on AWS, or specific accounts.
If your scope requires you to run any kind of pentests that fall outside Amazon's permitted services, be sure to obtain permission from Amazon by submitting a Simulated Event form through your AWS Management Console.
Creating a separate AWS environment to run your pentests helps prevent disruptions to your AWS cloud infrastructure and applications and can ensure that you have enough resources to conduct your tests. Setting up your testing environment may involve creating virtual machines, networks, and security groups.
Mapping your AWS attack surface provides you with a basis for analyzing your vulnerabilities. Identify all relevant attack surfaces in your AWS cloud. Correlate these with the potential tactics, techniques, and procedures an attacker might use to exploit your vulnerabilities.
After mapping potential vulnerabilities, the next step is to assess the extent to which these pose actual risks. This step involves tasks such as reviewing permissions, checking configurations, and reviewing IAM procedures.
Once vulnerabilities have been identified, pentests can be run to attempt exploits. Within the bounds set by your testing goals and scope and Amazon's policies, you can probe the vulnerabilities you've prioritized.
After conducting your pentest, the next step is to generate a report on your findings. This should detail the vulnerabilities you've discovered, rank their severity, and identify fixes.
To make your pentest report actionable, the final step is to recommend remediations based on your results. Use severity or other criteria such as business impact to prioritize which fixes need to be implemented first.
Performing an effective AWS pentest requires considerable knowledge of AWS services, cloud vulnerabilities, testing methods and tools, and mitigations. Partnering with an experienced pentesting service can make managing these challenges easier. When selecting an AWS pentesting partner, weigh criteria such as:
Use these types of discovery questions to help you identify your own customized criteria for selecting an appropriate provider.
Whatever your pentesting criteria, Cobalt's pentesting as a service (PTaaS) platform is designed to meet your requirements. Our platform enables you to quickly connect with our pool of 450+ expert pentesters, known as the Cobalt Core, to find testers with experience matching your exact needs. We make it simple for you to set up customized tests within as little as 24 hours at any scale you require. Contact us about our pentesting services to discuss how we can help you meet your testing goals and secure your AWS cloud.