Under Amazon's customer policy, AWS penetration testing is encouraged, since security is a shared responsibility between the user and the cloud service provider. Amazon prioritizes the protection of certain sensitive services and minimal disruption to operations. Therefore, only specific aspects of the cloud infrastructure can be tested by the user without gaining prior approval.
Any security issues discovered within the AWS services or the underlying infrastructure itself should be reported to the Amazon team for resolution. If the user tests these aspects anyway, AWS immediately receives an abuse report and forwards it to the user, temporarily suspending all the services until the cause is identified.
Permitted/Non-permitted Services under AWS Penetration Testing
Here are the services that are allowed to be tested by the user:
- Amazon Relational Database Service (RDS)
- Amazon API gateways
- Amazon Lambda and Lambda Edge functions
- Amazon CloudFront
- Amazon EC2 instances, Elastic Load Balancers, and NAT gateways
- Amazon Aurora
- Amazon Elastic Beanstalk environments
- Amazon Lightsail resources
Some of the activities that are prohibited during user testing are:
- Port and protocol flooding
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS/DDoS attacks
- DNS zone walking via Amazon Route 53 Hosted Zones
- Request flooding such as login requests, API requests, etc.
For any other simulated events, the ‘Simulated Events’ form must be submitted to Amazon with details such as the dates of testing, the accounts involved, contact details, and a detailed description of the testing procedure. If the user obtains permission, they are free to conduct the testing within the specified time period and under the stated conditions. Network stress testing and DDoS simulation testing procedures also require pre-approval if they go beyond certain limits.
With respect to security assessment tools and services, the user is not allowed to choose those that perform DoS attacks or simulations against any AWS assets, including the user's own. If a tool has inherent DoS capabilities, it must also provide a way to disable or disarm them. Users should also confirm that the security tools used are properly configured and operate successfully, independently verify that the tool does not perform DoS attacks, and ensure that third parties conduct security assessments without violating the policy.
7 Steps Before Conducting AWS Penetration Testing
As we’ve seen above, there are quite a few restrictions on conducting an AWS penetration testing procedure. In this context, the testing team should be adequately prepared with the necessary expertise, knowledge, and skills. Other steps that can be taken in preparation include:
- Understand the testing scope – The tester will need to define the AWS environment and choose the systems to be tested so that the testing process is efficient. This makes sure that the chosen area is well-tested and that there is proper focus on the vulnerabilities discovered. Clients can also specify their expectations and preferred goals for the penetration test.
- Run the preliminary procedure – This step can be used to prepare the AWS environment with a test run, as well as to collect information about the system in order to prepare the attack methods.
- Use basic tools to identify the common vulnerabilities – There are many tools that are specifically developed to test the cloud environment for misconfigurations and flaws in AWS. Some of these tools are Buckethead (enumerates AWS S3 buckets), Nmap (network discovery and service enumeration), and Amazon Inspector (evaluates the security of the applications deployed on AWS).
- Testing methods – Testers also need to decide on the kind of testing method they’ll use, such as black, white, or grey box penetration testing. Manual testing should be used alongside the tools to capture the security issues that even the best penetration testing tools may miss. Performing periodic reviews of the configuration, limiting permissions for users, limiting root account activity unless it is absolutely needed, and enforcing multi-factor authentication are some of the steps that can be taken to improve security.
- Decide on a timeline – Pentesters should specify milestones throughout the entire testing process for the assessment stage, formal reporting, the remediation phase, and retesting.
- Define the protocol – Agree on a procedure and/or rules of engagement in advance for the case where the client’s system is found to be already breached, or is exposed to a severe vulnerability or a live attack.
- Approval from AWS – Once the testing parameters are decided, testers need to obtain approval from AWS and from any other third parties involved. This involves filling out the testing form and specifying the dates, the IP address/range from which the scan or pentest will be conducted, and the IP addresses being tested.
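As an added example (not from the original article) of the periodic configuration review mentioned under testing methods, the following script checks an IAM credential report, which AWS exports as CSV, for root-account usage, console users without MFA, and stale access keys. The report data is constructed and uses a subset of the real report's columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report using a subset of the real report's columns. The root
# account appears as <root_account>; bob has console access but no MFA device.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:15:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-19T12:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,2024-05-21T08:00:00+00:00,2023-01-10T00:00:00+00:00,N/A,false,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,true,2022-06-01T00:00:00+00:00
"""
REVIEW_TIME = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed "now" for the sample


def _parse_time(value):
    """Return an aware datetime, or None for N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review_credential_report(report_csv, now, max_key_age_days=90):
    """Flag root-account usage, console users without MFA and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root: active access key present; use IAM roles instead")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            used = _parse_time(row["password_last_used"])
            if used and now - used < timedelta(days=30):
                findings.append("root: console login in the last 30 days; reserve root for account-level tasks")
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console access without MFA")
        for n in ("1", "2"):
            active = row[f"access_key_{n}_active"] == "true"
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if active and rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append(f"{user}: access key {n} older than {max_key_age_days} days")
    return findings
```

Run against a live account by feeding the decoded output of `aws iam get-credential-report` into `review_credential_report` with the current time.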
AWS penetration testing is significantly different from traditional pentesting procedures, and these differences should be clear to both the firm and the pentesting service provider. Because of the extensive preparation required, the latter must demonstrate the experience and skills needed to conduct AWS security testing. After the testing procedure, they should also plan for retesting in order to ensure that the discovered vulnerabilities have been resolved properly.