AWS Penetration Testing

What is AWS Penetration Testing?

Penetration testing methods and policies differ from one organization to the next. Some organizations allow testers more freedom, while others impose more formal protocols.

When you are doing pen testing in AWS, you have to work within the policies AWS sets for its customers, because AWS owns the underlying infrastructure.

Most of what you can test is your own configuration of the AWS platform and the application code running inside your environment.

So… you’re probably wondering what tests are allowed to be performed in AWS.

User Operated Services

Any security testing of cloud configurations that the user built is acceptable under AWS policy. It is even possible to run certain types of attacks against instances you created yourself.

Vendor Operated Services

A cloud service provided by a third-party vendor is closed to testing of its configuration and implementation; however, the infrastructure underneath the third-party vendor is safe to test.

What am I allowed to test in AWS?

Here is a list of things that you’re allowed to test in AWS:

  • Different types of programming languages
  • Applications that are hosted by the organization that you belong to
  • Application Programming Interfaces (APIs)
  • Operating systems and virtual machines

What Am I Not Allowed To Pentest in AWS?

Here is a list of some of the things that can’t be tested on AWS:

  • SaaS applications that belong to AWS
  • Third-party SaaS applications
  • Physical hardware, infrastructure, or anything that belongs to AWS
  • RDS
  • Anything belonging to another vendor

How Should I Prepare Before Pentesting?

Here is a list of steps that you should follow before pentesting:

  • Define the project scope including the AWS environments and your target systems
  • Establish what type of reporting you will include in your findings
  • Create processes for your team to follow when doing pentesting
  • If you are working with a client, make sure to prepare a timeline for different phases of testing
  • Always get written approval from your client or superiors when doing pentesting. This may include contracts, forms, scopes, and timelines.
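The first preparation step above, defining the scope in terms of AWS environments and target systems, is easiest to enforce if the scope is written down as a list of resource ARNs and checked mechanically before any tool is pointed at a target. The following scope validator is an added example and is not code from the original article; the approved account, approved regions and the allowed/denied service sets are assumptions constructed for the example (the service sets mirror the article's own allowed and not-allowed lists, not AWS's official policy document), and a real engagement would load them from the signed scope document.

```python
"""Scope validator for an AWS penetration test engagement (added example).

Each target is an ARN of the form arn:partition:service:region:account:resource.
A target is in scope only if its account and region are approved and its
service is on the allowed list; anything else needs written approval first.
"""
from dataclasses import dataclass

# Assumed engagement scope: constructed values for this example only.
APPROVED_ACCOUNTS = {"111111111111"}
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
# Services treated as user-operated and testable (assumption for this example).
ALLOWED_SERVICES = {"ec2", "lambda", "apigateway", "elasticbeanstalk"}
# Services the article lists as off-limits.
DENIED_SERVICES = {"rds"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; the resource part may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def check_target(arn: str) -> list[str]:
    """Return the scope violations for one target; an empty list means in scope."""
    try:
        a = parse_arn(arn)
    except ValueError as e:
        return [str(e)]
    problems = []
    # Some ARNs (for example S3 buckets) carry no account id, so ownership
    # cannot be confirmed from the ARN alone.
    if not a.account:
        problems.append("ARN carries no account id; verify ownership out of band")
    elif a.account not in APPROVED_ACCOUNTS:
        problems.append(f"account {a.account} not in approved accounts")
    # Global services have an empty region field; only check a region if present.
    if a.region and a.region not in APPROVED_REGIONS:
        problems.append(f"region {a.region} not approved")
    if a.service in DENIED_SERVICES:
        problems.append(f"service {a.service} is prohibited by AWS policy")
    elif a.service not in ALLOWED_SERVICES:
        problems.append(f"service {a.service} not on the approved list; needs written approval")
    return problems


def validate_scope(targets):
    """Map every target ARN to its violations so the report shows why each was excluded."""
    return {t: check_target(t) for t in targets}


if __name__ == "__main__":
    # Constructed sample scope file contents.
    sample = [
        "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc123",
        "arn:aws:rds:us-east-1:111111111111:db:prod-db",
        "arn:aws:ec2:ap-south-1:222222222222:instance/i-0def456",
    ]
    for target, issues in validate_scope(sample).items():
        print(target, "->", "IN SCOPE" if not issues else "; ".join(issues))
```

Running the validator over the scope file at kickoff, and again whenever the client amends the scope, gives the team a written record of exactly which resources were cleared for testing and why the rest were excluded, which is the evidence the written-approval step calls for.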