AWS penetration testing is a necessity to protect your cloud infrastructure. The benefits vastly outweigh the cost in the long run. Penetration testing your AWS will help ensure that your data is secure and you also get a comprehensive understanding of the risks associated with using AWS. This blog post will break down what you’re allowed to pentest in AWS, some tools that you can use, and a checklist to get started.
Why Should You Perform Penetration Tests on AWS?
AWS is a massive cloud infrastructure provider and assists businesses of all sizes worldwide. However, the power of the cloud also brings along a lot of risks. AWS customers are responsible for the security and privacy of their own data. Penetration testing your AWS environment is one way to ensure that your data is safe and secure.
How is Penetration Testing on AWS Different from Conventional Penetration Testing?
The approach to online penetration testing traditional security architecture and the AWS cloud infrastructure varies significantly. Since the cloud infrastructure is still owned by, traditional ethical hacking tactics would result in a violation of the AWS Acceptable Use Policy. Hence, while penetration testing your AWS cloud infrastructure, focus on the user-owned assets.
What Can You Penetration Test in AWS?
The scope of your penetration test will be largely dependent on the services that you are using in AWS as well as what is allowed by the customer agreement. Not all services are eligible for testing.
Below is a list of services that can be assessed for vulnerabilities:
Permitted Services:
- Amazon CloudFront
- Amazon Elastic Compute Cloud (Amazon EC2) instances
- Amazon Aurora
- Amazon API Gateways
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
- AWS Lambda and Lambda Edge functions
- Amazon RDS
Before you begin testing, make sure you have gone over the customer agreement, Amazon Web Services Acceptable Use Policy, and only perform those penetration tests that are allowed based on the services you use.
Prohibited Activities:
The following activities are generally not permitted:
- Accessing or modifying data that does not belong to you
- DNS zone walking
- Port flooding
- Request flooding such as login requests and API requests
- Attacking or penetrating the infrastructure of another AWS customer or a third party
- Protocol flooding
- Attempting to circumvent security measures or access data that does not belong to you
- Introducing malware into AWS
- Perform Denial of Service attacks (DoS) or Simulate one
- Perform Distributed Denial of Service attacks (DDoS) or Simulate one
- Use of automated tools, scripts, or other methods that could potentially automate prohibited activities in the testing process
Tools for Penetration Testing AWS
There are many different tools that can be used for penetration testing in AWS.
- Astra Security Scan – Astra is a web application security scanner that can be used to identify vulnerabilities in your AWS environment. It scans for over 3000 known vulnerabilities and goes on to recommend solutions to fix them.
- AWS Security Monkey – This tool is used for AWS security audit for changes and security issues. It can be used to detect unauthorised activity, vulnerabilities, and compliance issues.
- Pacu – Pacu is a tool that helps with the assessment of security controls in AWS. It can be used to identify misconfigurations and vulnerabilities.
- AWS PWN – AWS PWN is a tool that can be used to pentest Amazon EC-series instances. It includes exploits for vulnerabilities in web applications, operating systems, and databases.
- Prowler – Prowler is a tool that can be used to assess the security of AWS environments. It includes features such as reconnaissance, scanning, and exploitation.
- CloudMapper – CloudMapper is a tool that can be used to map out your AWS environment. It uses the configuration items found in CloudTrail logs and correlates them to the AWS infrastructure. This allows you to see how your resources are interconnected and identify potential security risks.
AWS Penetration Testing Checklist
The following is a checklist of things to consider when performing penetration tests in AWS:
- Begin by going over the customer agreement and determine which penetration tests are permitted and prohibited.
- Identify the AWS services you’re using and determine what kind of pen tests can be performed on them.
- Determine the tools you will need for your testing.
- Perform reconnaissance of your environment to discover which devices and services are exposed in the cloud.
- Scan for vulnerabilities using automated tools such as Astra, AWS Security Monkey, and CloudMapper.
- Use manual testing techniques to exploit vulnerabilities, misconfigurations, and other security issues discovered in the previous step.
- Conduct a penetration test using automated tools such as AWS PWN and CloudSploit.
- Test your environment again after making changes to ensure the security fixes are effective.
- Monitor your environment for new or changed vulnerabilities with Security Monkey and other tools.
- Repeat as needed.
Once you are done with your assessment, make sure to document everything found including issues identified as well as potential solutions – this will help out during remediation efforts later on. Consider providing a summary of findings to management so they are aware of the security posture of their environments and where improvement is needed.
Conclusion
Penetration tests are a great way to identify vulnerabilities in your AWS environment. Just as new tools and techniques are being developed for securing cloud services, hackers are also developing new ways to exploit them. It is therefore important that you take the necessary precautions and perform penetration tests on your AWS infrastructure on a regular basis.
The tools and checklist mentioned in this article can serve as a good start but is by no means an exhaustive list. These are just a few among the many that can be used for penetration testing AWS. Be sure to research what’s available and use the right tool for the job. Additionally, always follow the customer agreement and only perform tests that are permitted by Amazon.