WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

AWS Pentesting: The Comprehensive Guide for Security Professionals

AWS pentesting has become a practical necessity for Amazon cloud users in the wake of recent security breaches and tightening regulatory requirements. For example, last August the Nemesis and ShinyHunters hacking groups compromised thousands of accounts and proprietary source code by exploiting AWS misconfigurations and vulnerabilities. Earlier AWS customer security incidents and data breaches have affected hundreds of millions of people and cost companies such as Capital One as much as $270 million.

AWS pentesting seeks to mitigate these risks through authorized, simulated attacks that identify vulnerabilities and weaknesses within the AWS environment and produce reports ranking each finding by risk severity. Pentesting can identify issues such as Simple Storage Service (S3) and Elastic Compute Cloud (EC2) misconfigurations, weak identity and access management (IAM) and logical access controls, and database exposure.

In this guide, we'll provide an overview of what you need to know about AWS pentesting to keep your cloud secure and meet your regulatory obligations. We'll cover:

  • AWS pentesting policies
  • AWS pentesting processes and key focus areas
  • AWS pentesting tools and service selection criteria
  • AWS pentesting FAQs

AWS Pentesting Policies

AWS pentesting policies are governed by Amazon's shared responsibility model, which divides security duties between Amazon and its customers. AWS policies also specify what you're allowed and not allowed to test on AWS.

AWS Shared Responsibility Model

Security testing on AWS follows a model in which both Amazon and its customers have defined responsibilities. AWS distinguishes between user-operated services, which customers configure and control (EC2 instances, for example) and may test, and vendor-operated services, which AWS manages and whose underlying infrastructure customers may not test.

Amazon’s Responsibilities

Amazon focuses on securing the infrastructure that runs all of the services offered in the AWS Cloud Computing Suite. This infrastructure includes the physical hardware, supporting software, networking, and facilities that run AWS Cloud services.

Customer’s Responsibilities

Customers are responsible for maintaining the security of the guest operating system (including updates and security patches), other associated application software, the IAM users, roles and policies they create, the data they store, and the configuration of the AWS-provided security group firewall. Customers do not require prior approval from AWS to pentest the approved services discussed in the next section.

What Are You Allowed and Not Allowed to Test in AWS?

When performing penetration testing in AWS, it is crucial to understand what is permitted and what is not permitted to ensure compliance with the terms and conditions of AWS. While AWS encourages security testing, certain limitations and guidelines must be followed.

Allowed Services

  • Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS AppSync
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments
  • Amazon Elastic Container Service
  • AWS Fargate
  • Amazon Elasticsearch (now Amazon OpenSearch Service)
  • Amazon FSx
  • Amazon Transit Gateway
  • S3 hosted applications (targeting S3 buckets is strictly prohibited)

Allowed Processes

  • Web application scanning
  • Port scanning
  • Injections
  • Exploitation
  • Vulnerability scanning or checks
  • Forgery
  • Fuzzing

Disallowed Processes

  • DNS zone walking, hijacking, or pharming
  • Protocol flooding
  • Port flooding
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) (subject to Amazon's DDoS Simulation Testing policy)
  • Simulated DoS and DDoS (subject to Amazon's DDoS Simulation Testing policy)
  • Request flooding (API request flooding, login request flooding)

If you want to test any disallowed processes or services, you must contact AWS before testing. Amazon has special policies and in some cases permission request forms for the following types of simulated events:

  • Red/blue/purple team testing
  • Network stress testing
  • iPerf testing
  • DDoS simulated testing
  • Simulated phishing
  • Malware testing
  • Other simulated events

AWS Pentesting Processes and Focus Areas

AWS pentesting includes testing processes on the cloud, in the cloud, and for cloud consoles. Key focus areas include IAM, logical access controls, S3 buckets, database services, and EC2.

AWS Pentesting Processes

Three Main Types of AWS Testing

1. Testing on the Cloud

Testing of assets that are hosted in the cloud and reachable from the internet. An example of this type of test would be a virtualized system that has been migrated from on-premises hardware to the cloud and is now exposed publicly.

2. Testing in the Cloud

Testing systems within the cloud that are not exposed publicly, assessed from inside the environment. An example would be testing the server hosting an application from within its VPC.

3. Testing the Cloud Console

A configuration review of the cloud console. Examples would be examining user accounts, their permissions, and how access management has been configured.

Performing these types of Amazon cloud security tests gives business owners clear, definitive answers about the risk posed by their systems and environment components and whether there are remedial actions that should be urgently prioritized.

But before investing the time and effort required to complete an AWS pentest, it's imperative that business owners have a full understanding of what these AWS cloud security tests entail and how they differ from other forms of penetration testing.

AWS Pentesting Key Areas of Focus

Here are a few areas pentesters should focus on during penetration testing that will help identify potential vulnerabilities and weaknesses within AWS resources:

Identity and Access Management (IAM)

During penetration testing, it is essential to assess the effectiveness of IAM controls and the overall security of user authentication and authorization. Pentesters should test whether:

  • Service accounts have unrestricted permissions
  • Access keys exist for the root user
  • Users have multiple active access keys
  • The root user is used for routine tasks or automation
  • Access keys, SSH keys and PGP keys haven't been rotated
  • Accounts are inactive
  • Multi-factor authentication is in place for the root user and every console user
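Most of the IAM checks in the list above can be answered from a single artifact: the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`), which lists every user plus the root user with their password, MFA and access-key status. The checker below is an added example written for this guide, not code from the original page or from Cobalt. The report it parses is constructed inline with the real report's column layout; the account ID, user names and dates are made up, and the fixed `NOW` and the 90-day thresholds are assumptions you would adjust to the client's policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (one row per principal; the root user is reported as <root_account>).
# Account ID, names and timestamps are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-03-10T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-03-10T00:00:00+00:00,2024-05-02T11:00:00+00:00,us-east-1,s3,true,2023-11-01T00:00:00+00:00,2024-05-02T11:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-01T00:00:00+00:00,true,2024-04-28T08:00:00+00:00,2024-02-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,true,true,2024-03-01T00:00:00+00:00,2024-04-28T08:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2021-01-05T00:00:00+00:00,true,2023-06-01T08:00:00+00:00,2021-01-05T00:00:00+00:00,2021-04-05T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumptions: a fixed "now" keeps the example deterministic; 90 days is a
# common rotation / inactivity threshold but is policy-specific.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)
INACTIVE_AFTER = timedelta(days=90)


def _parse(ts):
    """The report uses N/A, not_supported and no_information as null markers."""
    if ts in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW):
    """Return (principal, finding) pairs for the IAM weaknesses listed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [i for i in (1, 2) if row[f"access_key_{i}_active"] == "true"]

        if user == "<root_account>":
            # The root user should have no access keys at all and must have MFA.
            if active_keys:
                findings.append((user, "root user has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue

        if len(active_keys) > 1:
            findings.append((user, "user has two active access keys"))
        for i in active_keys:
            rotated = _parse(row[f"access_key_{i}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days
                findings.append((user, f"access key {i} not rotated for {age} days"))

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Inactive account: neither the password nor any active key used recently.
        last_used = [t for t in (_parse(row["password_last_used"]),
                                 *(_parse(row[f"access_key_{i}_last_used_date"]) for i in active_keys))
                     if t]
        if not last_used or now - max(last_used) > INACTIVE_AFTER:
            findings.append((user, "no activity in 90 days (inactive account)"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{principal}: {finding}")
```

Against the sample, the root user is flagged twice (active key, no MFA), `deploy-bot` for holding two keys and never rotating them, and `old-contractor` as an inactive console user without MFA; `alice` is clean. On a real engagement, run the report with the `iam:GenerateCredentialReport` and `iam:GetCredentialReport` permissions, base64-decode the `Content` field, and feed it to `audit_credential_report`.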

Logical Access Controls

Logical access controls are crucial for securing AWS resources and preventing unauthorized access. Penetration testing should focus on:

  • Identifying whether IAM policies grant actions only on the resources that need them, rather than on wildcard resources
  • Testing that credentials related to AWS accounts are stored and transmitted securely
  • Testing whether access to AWS processes and sensitive resources is restricted to the principals that require it

S3 Buckets

Assessing the security of Amazon S3 (Simple Storage Service) buckets is crucial to prevent data exposure or unauthorized access to stored data. Penetration testing services should focus on:

  • Appropriate security features are enabled on buckets, such as S3 Block Public Access, authentication and encryption
  • Only authorized users have permissions for operations such as GET, PUT, and DELETE
  • Versioning and access logging (server access logs or CloudTrail data events) are enabled so that changes and access can be audited
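The GET/PUT/DELETE check above usually comes down to reading the bucket policy and the bucket's Block Public Access settings together, because a policy that grants anonymous access is neutralized when `RestrictPublicBuckets` is on. The evaluator below is an added example for this guide, not code from the page or from Cobalt. The policy it inspects is constructed inline in the shape returned by `aws s3api get-bucket-policy`; the bucket name, account ID, role and VPC endpoint ID are made up.

```python
import json

# Constructed bucket policy (the `Policy` field of get-bucket-policy is a JSON string).
# Bucket, account, role and endpoint identifiers are invented for this example.
PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
        # Anonymous but scoped to one VPC endpoint: not blanket public, needs review.
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        # Named role: not public even though it has s3:*.
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means everyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy_json):
    """Return (Sid, level) for unconditional Allow statements open to everyone."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # scoped by a condition key; flag for manual review elsewhere
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append((st.get("Sid"), "public-write"))
        elif actions & READ_ACTIONS:
            findings.append((st.get("Sid"), "public-read"))
    return findings


def effective_public_grants(policy_json, public_access_block):
    """Combine the policy with the bucket's PublicAccessBlockConfiguration.

    RestrictPublicBuckets=True makes S3 ignore the public grants in the policy for
    anonymous and cross-account principals, so the exposure is only effective when
    that setting is off (or the configuration is absent entirely).
    """
    if public_access_block.get("RestrictPublicBuckets"):
        return []
    return find_public_grants(policy_json)


if __name__ == "__main__":
    print("policy grants:", find_public_grants(PUBLIC_WRITE_POLICY))
    print("effective with Block Public Access:",
          effective_public_grants(PUBLIC_WRITE_POLICY, {"RestrictPublicBuckets": True}))
```

`find_public_grants` reports `PublicRead` as public-read and `AnyoneCanWrite` as public-write while skipping the conditioned and role-scoped statements; `effective_public_grants` shows the same policy as harmless once `RestrictPublicBuckets` is set. Feed it the outputs of `get-bucket-policy` and `get-public-access-block` for each bucket in scope, and remember that the account-level Block Public Access setting also applies.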

Database Services

Penetration testing should focus on identifying vulnerabilities within various database services. This includes testing whether:

  • Database access is limited to known IP addresses
  • Database applications are secure from potential SQL injection or command injection vulnerabilities
  • Data is recurrently backed up and if backups can be securely restored
  • Sensitive resources are deployed across several availability zones (multi-AZ) for resilience

EC2

EC2 testing should focus on identifying misconfigured security groups and insecure credentials. This includes testing whether:

  • Security group best practices have been followed when configuring EC2 instances.
  • Only designated IAM principals are allowed to create or edit security groups.
  • You're only using as many security groups as you actually need, with your groups organized by tags and labels.
  • Your security group rules are current and regularly reviewed.
  • Your inbound rules only authorize specified source ranges.
  • You've avoided opening large port ranges and limited access to required sources and destinations.
  • You've added a security layer by creating network access control lists with rules paralleling your security groups, if applicable.
  • You've followed credential management best practices.
  • You're using strong, unique usernames and passwords, and EC2 key pairs rather than password logins where possible.
  • You rotate credentials regularly.
  • You're using secure storage and transmission methods for handling credentials.

Your pentesting results should be recorded in AWS penetration testing reports. These should include a detailed list of the vulnerabilities found, ranked by severity and impact, with recommended mitigations.
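The security group items above (and the "database access is limited to known IP addresses" check in the Database Services section) are mechanical enough to automate over the output of `aws ec2 describe-security-groups`. The checker below is an added example for this guide, not code from the page or from Cobalt. The three groups it inspects are constructed inline in the shape of that API's `SecurityGroups` entries, with invented group IDs; the list of sensitive ports and the 1000-port threshold for a "large" range are assumptions to tune per engagement.

```python
import ipaddress

# Assumptions: ports a tester would never expect open to the world, and the size
# above which a single rule counts as a large port range.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 6379: "redis", 27017: "mongodb"}
WIDE_RANGE = 1000

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         # HTTPS from anywhere is expected for a public web tier: not flagged.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # SSH from anywhere is not.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db",
     "IpPermissions": [
         # Postgres only from the web tier's group: good.
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
         # Internal source, but an enormous port range.
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy",
     "IpPermissions": [
         # IpProtocol -1 means all protocols; no FromPort/ToPort is present.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (the whole address space of that family)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 2 ** (128 if net.version == 6 else 32)


def _port_span(perm):
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (group_id, source, finding) for world-open sensitive ports,
    all-traffic rules and overly wide port ranges."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            lo, hi = _port_span(perm)
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for src in sources:
                if not _is_world(src):
                    continue
                if perm.get("IpProtocol") == "-1":
                    findings.append((g["GroupId"], src, "all protocols and ports open to the world"))
                    continue
                for port, name in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((g["GroupId"], src, f"{name} ({port}) open to the world"))
            span = hi - lo + 1
            if span > WIDE_RANGE and perm.get("IpProtocol") != "-1":
                findings.append((g["GroupId"], "any", f"rule spans {span} ports ({lo}-{hi})"))
    return findings


if __name__ == "__main__":
    for group_id, src, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id} {src}: {finding}")
```

Rules whose only sources are other security groups (`UserIdGroupPairs`) produce no CIDR findings, which is the pattern the database check wants to see. Wide ranges are reported even from private sources, since a flat /8 rarely justifies 64,000 open ports; treat those as review items rather than confirmed exposure.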

AWS Pentesting Tools and Services

Effective AWS pentesting depends on good tool selection as well as effective pentesting services. When selecting services, look for attack surface coverage, speed, scale, resilience, expertise, and compliance.

Top AWS Pentesting Tools

Today's top AWS pentesting tools include:

  • Cobalt
  • WeirdAAL
  • Cred Scanner
  • CloudFrunt
  • Amazon GuardDuty

Cobalt

Cobalt provides cloud security penetration testing services for AWS and other leading environments such as Azure and GCP. Our services identify vulnerabilities and weaknesses and recommend actionable remediations. We help assess your cloud security posture using real-world, dynamic scenarios for all of your as-a-service solutions, including infrastructure, platforms, and software. Our unique PtaaS platform lets you tap into our community of over 400 skilled and certified security experts, delivering results 50% faster than traditional pentesting at 25% less cost.

WeirdAAL

WeirdAAL (Weird AWS Attack Library) provides an AWS attack library to support black box pentesting, typically starting from a set of discovered credentials. It supplies recon modules and modules for attacking major AWS service offerings, and includes multiple functions keyed to AWS services that are useful for both offensive and defensive testing. WeirdAAL is an open-source tool available free from GitHub.

Cred Scanner

Cred Scanner offers a simplified command-line tool for discovering AWS credentials in files. It integrates with the Jenkins open source automation server and other continuous integration tools to support CI pipelines. Cred Scanner is open source and can be downloaded free from GitHub.
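The core of a credential scanner like the one described above is two patterns plus a rule for suppressing false positives: AWS access key IDs have a fixed prefix (`AKIA` for long-term keys, `ASIA` for temporary ones) and length, while secret keys are just 40 base64-like characters and collide with git hashes and similar tokens. The scanner below is an added example for this guide, not Cred Scanner's own code. The files it scans are constructed inline; the key pair in them is AWS's documented placeholder pair, not a live credential, and the two-line proximity window is an assumption.

```python
import re

# Long-term key IDs start with AKIA, temporary (STS) key IDs with ASIA; 16 more
# upper-case alphanumerics follow. The lookarounds stop matches inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret keys are 40 characters from the base64 alphabet; on their own this
# pattern also matches SHA-1 hashes, so it is only applied near evidence of a key.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)

# Constructed file contents. AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# is the placeholder pair from AWS documentation; the ASIA key is invented.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "S3_BUCKET = 'example-assets'\n"
    ),
    # A 40-hex-character commit hash: looks like a secret, is not one.
    "Jenkinsfile": (
        "pipeline {\n"
        "  environment { GIT_COMMIT = '0123456789abcdef0123456789abcdef01234567' }\n"
        "  stages { stage('deploy') { steps { sh 'aws s3 sync build/ s3://example-assets' } } }\n"
        "}\n"
    ),
    "scripts/export.sh": (
        "export AWS_ACCESS_KEY_ID=ASIAQ5FEXAMPLE123456\n"
        "export AWS_SESSION_TOKEN=\"$SESSION_TOKEN\"\n"
    ),
}


def scan_text(text, window=2):
    """Return (line_no, kind, value) hits. Secret candidates count only when a key
    ID appears within `window` lines or the line itself mentions 'secret'."""
    lines = text.splitlines()
    key_lines = {i for i, line in enumerate(lines) if ACCESS_KEY_RE.search(line)}
    hits = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((i + 1, "access_key_id", m.group(1)))
        near_key = any(abs(i - k) <= window for k in key_lines)
        if near_key or SECRET_HINT_RE.search(line):
            for m in SECRET_RE.finditer(line):
                hits.append((i + 1, "secret_access_key", m.group(1)))
    return hits


def scan_files(files):
    """Map path -> hits for every file with at least one hit."""
    results = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for line_no, kind, value in hits:
            print(f"{path}:{line_no}: {kind} {value}")
```

The settings file yields a key ID and its adjacent secret, the shell script a temporary key ID (worth checking: an `ASIA` key is only useful with its session token, but its presence still shows credentials are being written to disk), and the Jenkinsfile nothing, because its 40-character token has no key ID nearby. In a CI pipeline you would run `scan_files` over the checkout and fail the build on any hit.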

CloudFrunt

CloudFrunt identifies misconfigured domains on the Amazon CloudFront content delivery network. CloudFront routes requests by their Host header, so a DNS record that points at CloudFront for a hostname that no distribution claims can be hijacked by an attacker who adds that hostname to a distribution of their own. CloudFrunt finds such candidates by checking how CloudFront answers for each hostname; it detects the problem rather than fixing it, so the remediation is to remove the dangling record or claim the hostname on your own distribution. The CloudFrunt tool is open source and can be downloaded free through GitHub.

Amazon GuardDuty

While not strictly a pentesting tool, Amazon GuardDuty includes features that can support pentesting to a limited degree. GuardDuty provides threat detection for AWS accounts, workloads, and data. It delivers continuous monitoring, ML-based anomaly detection, threat response recommendations, scalability, and end-to-end workload visibility. It can detect suspicious activity, including unauthorized pentests that may indicate threat actors probing your environment, which makes it useful for confirming whether your own authorized testing was noticed and where detection coverage gaps remain.

It also provides MITRE ATT&CK mappings and remediation recommendations for its findings, which help pentesters turn results into mitigations. Pricing follows a pay-as-you-go model that starts at $4.00 per million events for AWS CloudTrail Management Event Analysis and $1.00 per GB for the first 500 GB a month for VPC Flow Logs and DNS Query Log Analysis.

Choosing an AWS Penetration Testing Service

To use AWS pentesting tools effectively, you need support from a good pentesting service. When choosing an AWS pentesting service, consider factors such as:

  • Attack surface coverage: Does the service cover all vectors of your AWS attack surface, including IAM, logical access controls, S3 buckets, database services, and EC2 vulnerabilities?
  • Speed: How quickly and easily does your service allow you to schedule pentests?
  • Scale: Can your service handle the type of testing you need at the scale you require?
  • Resilience: Beyond detecting vulnerabilities, does your service provide mitigation recommendations to promote resilience?
  • Expertise: Is your service experienced with the type of AWS pentesting you require?
  • Compliance: Does your service customize tests for any compliance standards you need to meet?

Use this list of criteria to develop your own customized list and rank your most important requirements.

Secure Your Cloud with Cobalt AWS Pentesting

In conclusion, conducting comprehensive penetration testing on AWS is crucial for ensuring the security of your cloud infrastructure. By following a systematic approach and using the right methodologies and tools within Amazon's policy guidelines, you can improve your defenses, safeguard sensitive information, and meet compliance obligations.

Cloud security services by Cobalt can help you secure your AWS infrastructure by leveraging our team's pentesting expertise and our user-friendly platform. Start testing quickly and see measurable risk reduction fast at lower cost than traditional pentesting. Contact us today to discuss how we can help you secure your AWS cloud infrastructure.

AWS Pentesting FAQ

Can I perform penetration testing on my own instance?

Yes, you can pentest your own AWS instance within the bounds of Amazon's permitted services and prohibited activities.

Do I need to submit a request to AWS to perform a penetration test?

No, not in general, but Amazon requires exceptions for specific cases, such as red/blue/purple team testing, iPerf testing, DDoS simulation testing, simulated phishing, and malware testing.

Does AWS do penetration testing for me?

Not for your workloads. Under the shared responsibility model, AWS secures and tests its own infrastructure and managed services; testing your applications, configurations and data is your responsibility. For services outside the approved list, you must work directly with AWS before testing.

Do I need to whitelist IP addresses to perform penetration testing?

Yes, in most engagements. Allowlisting the testers' source IP addresses in security groups, WAF rules and any rate limiting ensures the testers can reach the in-scope resources, reduces false positives caused by blocked traffic, and makes pentests faster.

Do I need root access to perform pentests on AWS?

No. You generally don't need the AWS account root user to pentest; IAM credentials with the necessary read and test permissions are sufficient. Amazon recommends not using the root user except for the few tasks that require it, such as changing certain account settings.

About Luke Doherty
Luke Doherty is the Senior Manager of Sales Engineering at Cobalt. He graduated from the ECPI University with a Bachelor's Degree in Computer and Information Systems Security. With nearly 10 years of technical experience, he helps bring to life Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform.