Guide to AWS Penetration Testing

Cyril James
Published in Nerd For Tech, May 10, 2021

The popularity of cloud computing is undeniably on the rise, and some of the factors contributing to it include scalability, efficiency, flexibility, and reduced IT costs. As the popularity rises, however, a worrying cyber security trend has emerged for organisations and individuals alike.

According to the 2020 Trustwave Global Security Report, the volume of attacks on cloud services has doubled in 2020 as compared to the last year. Cloud environments are now the third most targeted environment for cyber-attacks after corporate and internal networks.

With advanced cloud computing technology, many organisations are adopting or diving into services provided by cloud computing. The statistics presented in the report are a warning that cloud security and protection are of utmost importance and should be a priority for everyone using these services.

What is AWS

Amazon Web Services, or AWS, is a cloud platform offered by Amazon.com. AWS comprises many cloud computing products and services. It has an active user base of over 1 million and a global presence in more than 190 countries.

Its cloud infrastructure platform offers an extensive range of cloud solutions and services to organisations across all sectors.

Its solution offerings include global computing, online storage, data analytics, database, support of different applications, and deployment services that help companies scale their business and reduce IT costs.

AWS provides inherent automated and manual security measures for applications and platforms that are running on the AWS infrastructure. Before a company decides to scale to AWS, however, it must consider aspects like compliance and regulation mandates, data processing, and the threat of attacks, and how these can be addressed by the default security of the cloud platform and additional measures.

To counter these challenges, the company can undertake vulnerability assessment and penetration testing of their infrastructure in AWS to develop a vigorous and robust security system that deflects cyber-attacks and helps to protect the data and assets of the company from cybercriminals.

AWS Penetration Testing

Penetration testing for AWS is different from traditional penetration testing mainly in terms of ownership, as AWS’ platform is owned by Amazon.com and hence, their policies and procedures need to be followed.

The traditional method of ethical hacking primarily used in web application or network pen testing is not admissible for testing AWS infrastructure because it violates AWS’ acceptable policies. AWS infrastructure pen-testing involves specific procedures which are compliant with AWS’ policies and are as follows:

External infrastructure of your AWS cloud

Inherently, AWS provides a company with a secure cloud computing environment, but it has its vulnerabilities if inbound access is allowed. Typically, external infrastructure, being the most exposed surface, is the first point of attack.

That is why external infrastructure should be included in the scope of the penetration test, but a large proportion of the budget should not be allocated to this as AWS already provides some security measures.

Applications you are hosting/building on your platform

They are the second easiest way into your systems after external infrastructure and can be vulnerable to attacks if not developed properly.

Application penetration testing should be included in the scope of AWS pen testing based on the risk profile and budget of the organisation.

Internal infrastructure of your AWS cloud

This is the second layer of attack and gets exposed if the external infrastructure is compromised. The default AWS environment differs from traditional infrastructure services and allows tighter control between servers and limited lateral movement, which present a sturdy challenge to the attacker.

However, if the company has a more complex private network system and has provided access and free lateral internal movement among EC2s* or free data flow, a pen test will add value.

If they are simply running a handful of EC2s, a penetration test won’t help much as EC2s come equipped with security measures.

* EC2: Amazon’s Elastic Compute Cloud, virtual computers which users can rent to run their applications.
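The external and internal exposure described above can be checked in the configuration before any test traffic is sent. The following is an added example, not code from the original article: it audits security group rules for inbound access from the whole internet and for all-traffic rules that allow free lateral movement between instances. The sample data is constructed in the shape of `aws ec2 describe-security-groups` output, and the group names and the allowed public ports are assumptions.

```python
import ipaddress

# Constructed sample, shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]}

PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the internet


def audit_security_groups(data, public_ok=PUBLIC_OK_PORTS):
    """Return (group_id, layer, detail) findings for over-broad inbound rules."""
    findings = []
    for sg in data["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            all_traffic = perm["IpProtocol"] == "-1"  # "-1" = every protocol and port
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            ports = "all ports" if all_traffic else f"{lo}-{hi}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
                    if all_traffic or lo != hi or lo not in public_ok:
                        findings.append((gid, "external", f"{ports} open to {cidr}"))
                elif all_traffic and net.is_private:
                    findings.append((gid, "internal", f"{ports} from {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if all_traffic:  # any member of the source group reaches every port
                    findings.append((gid, "internal",
                                     f"{ports} from group {pair['GroupId']}"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE):
        print(*finding, sep=" | ")
```

Groups with "internal" findings are the ones where an internal penetration test is most likely to add value; a group like the constructed `sg-db`, which accepts one port from one source group, already limits lateral movement.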

AWS configuration

Penetration testing of the AWS configuration is the final component of testing and basically tells you how robust your security system is.

Penetration tests performed in AWS

For user-operated services including cloud offerings created and configured by the user, organisations can fully test their AWS EC2, excluding testing that affects AWS’ business continuity like Denial of Service (DoS) attacks.

For vendor-operated services wherein the cloud components and offerings are owned and managed by a third-party vendor, the testing is restricted to the implementation and configuration of the cloud environment and not the internal Infrastructure.

The EC2 is an AWS service which is commonly penetration tested. In an AWS EC2 instance, specific areas that allow penetration testing include:

· Application Programming Interface (API), e.g., HTTP/HTTPS.

· Web and mobile applications hosted by the organisation.

· The application server and associated stack, e.g., programming languages such as Python, React.

· Virtual machines and operating systems.

Most of the offerings within AWS are based on the Software as a Service (SaaS) model compared to Infrastructure as a Service (IaaS) model, which means the user does not own the environment and it cannot be pen tested due to legal and technological restrictions.

These include:

· Services or applications that belong to AWS,

· The physical hardware, underlying infrastructure, or facilities that belong to AWS,

· EC2 environments that belong to other organisations (such as partners or vendors),

· Security appliances managed by other vendors, without their permission,

· Amazon’s small or micro Relational Database Service (RDS).

Steps to be taken before a penetration test

SaaS components can be pen-tested through a black-box engagement or a security audit.
Performing a pen test on the cloud infrastructure requires planning and expertise. The preparation steps before starting a pen test are:

  1. Defining the scope of the penetration testing engagement on the AWS environment in general, and on the target systems.
  2. Determining the type of pen test to be conducted (e.g., black box, white box).
  3. Defining the expectations and risks involved for both stakeholders — customer and the penetration testing company.
  4. Establishing a timeline for the technical assessment, preparing formal reports, and potential remediation and follow-up testing.
  5. Developing protocols and rules of engagement if the pen test reveals the client is already under attack or if the data is breached.
  6. Obtaining written approval of the related parties to conduct the test, which includes filling in the test approval form, informing AWS regarding the dates, and informing AWS about the IP address range that the test will come from and the range being tested.

Clearly defining the pen test’s scope, objectives and rules will result in efficient time management and resources not being wasted.
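Once the scope, dates and IP ranges from the steps above are agreed, they can be enforced mechanically before each planned task is run. The following is an added example, not part of the original article: it checks a planned task against a rules-of-engagement record. The field names, IP ranges, dates and account IDs are all constructed placeholders.

```python
import ipaddress
from datetime import date

# Constructed rules of engagement; every value below is a placeholder.
ROE = {
    "window": (date(2021, 6, 1), date(2021, 6, 14)),   # agreed test dates
    "source_ranges": ["198.51.100.0/28"],              # declared tester IP range
    "target_ranges": ["203.0.113.0/24", "10.20.0.0/16"],
    "client_account": "111111111111",                  # owner of in-scope resources
    "prohibited": {"dos"},                             # DoS testing is excluded
}


def in_ranges(ip, cidrs):
    """True if the address falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def scope_violations(roe, task):
    """Return the reasons a planned task breaks the agreed scope (empty = OK)."""
    reasons = []
    start, end = roe["window"]
    if not start <= task["day"] <= end:
        reasons.append("outside approved test window")
    if not in_ranges(task["source"], roe["source_ranges"]):
        reasons.append("source IP not in declared tester range")
    if not in_ranges(task["target"], roe["target_ranges"]):
        reasons.append("target IP not in approved range")
    if task["owner_account"] != roe["client_account"]:
        reasons.append("target belongs to another organisation")
    if task["activity"].lower() in roe["prohibited"]:
        reasons.append("activity prohibited: " + task["activity"])
    return reasons


# Constructed planned tasks: one inside the agreed scope, one outside it.
OK_TASK = {"day": date(2021, 6, 3), "source": "198.51.100.5",
           "target": "203.0.113.40", "owner_account": "111111111111",
           "activity": "web application test"}
BAD_TASK = {"day": date(2021, 6, 20), "source": "192.0.2.9",
            "target": "203.0.113.40", "owner_account": "222222222222",
            "activity": "DoS"}

if __name__ == "__main__":
    print(scope_violations(ROE, OK_TASK))
    print(scope_violations(ROE, BAD_TASK))
```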

Conclusion:

Amazon Web Services offers hosting of various systems and applications in its cloud infrastructure, which helps to scale the business. It also provides some in-built security features for the external infrastructure, but the security provisions for internal infrastructure depend completely on the company using AWS.

Adequate planning, properly defining the objectives and rules, and selecting a suitable penetration testing method are important steps for a successful test. Organisations should be aware of their capabilities, resources, and limitations to avoid time and resource wastage.

Originally published here https://securetriad.io/essential-guide-to-aws-penetration-testing/ on May 03, 2021.

About the author: Cyril James has 15+ years of experience in the Information Technology and Communication industry and is the founder of SecureTriad, a penetration testing service company in Australia.