According to The State of Pentesting 2023 report, 97% of teams in the US conducted pentesting at least once in 2022.
With over a million businesses across the globe using Amazon Web Services (AWS) to build and deploy different types of applications, it's important that we talk about AWS penetration testing.
AWS pentesting is a proactive security assessment technique that involves simulating real-world attacks on computer systems, networks, applications, or other digital assets. It helps improve the overall security posture of the AWS infrastructure, validates the effectiveness of security controls, and assists in meeting compliance requirements.
Penetration testing on AWS allows organizations to proactively identify and address security vulnerabilities before they are exploited by malicious actors.
Let’s take a closer look at what AWS pentesting is, how you can perform a pentest on this popular platform, and AWS security overall.
What Is Penetration Testing on AWS?
Penetration testing on AWS is the process of evaluating the security of an AWS infrastructure by simulating practical cyber-attacks.
AWS pentesting involves authorized and controlled attempts to exploit vulnerabilities and weaknesses within the AWS environment to identify potential security risks and prevent malicious attackers from breaching the system. The outcome of an AWS pentest includes a report outlining the system's vulnerabilities and a specific list of each vulnerability's severity level.
Overview of AWS Shared Responsibility Model
Security testing on AWS follows a shared model in which both Amazon and its customers have certain responsibilities. AWS operates with user-operated services or vendor-operated services.
Amazon’s Responsibilities
Amazon focuses on securing the infrastructure that runs all of the services offered in the AWS Cloud Computing Suite. This infrastructure includes the physical hardware, supporting software, networking, and facilities that run AWS Cloud services.
Customer’s Responsibilities
Customers are responsible for maintaining the security of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Customers do not require prior approval from AWS to pentest the approved services discussed in the next section.
What Are You Allowed and Not Allowed to Test in AWS?
When performing penetration testing in AWS, it is crucial to understand what is permitted and what is not permitted to ensure compliance with the terms and conditions of AWS. While AWS encourages security testing, certain limitations and guidelines must be followed.
Allowed
- Web application scanning
- Port scanning
- Injections
- Exploitation
- Vulnerability scanning or checks
- Forgery
- Fuzzing
Not Allowed
- DNS zone walking, hijacking, or pharming
- Protocol flooding
- Port flooding
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Simulated DoS and DDoS
- Request flooding (API request flooding, login request flooding)
Prerequisites to Testing on AWS
It’s recommended to describe the following aspects before conducting a pentest on AWS:
- The scope of the pentest, which includes the target system
- The kind of test to be carried out
- Requirements of the test, which should be mutually decided between stakeholders and the pentesting contractor
- A protocol the pentester should follow in case they discover a vulnerability
- A schedule for the pentest
- Written authorization by system owners for pentesters to conduct the test
How to Perform Penetration Testing on AWS
Performing penetration testing on AWS needs careful planning and execution to ensure effective security assessments while reducing disruptions.
Here are general steps to perform penetration testing on AWS:
Step 1: Seek Appropriate Authorization
Before conducting any testing, ensure you have explicit written authorization from the AWS account owner or organization.
This may involve submitting a request to AWS Support (if seeking to test non-approved services) or following specific procedures outlined in your organization's security policies.
Step 2: Define Scope and Goals
Identify the target systems, applications, and AWS services to be tested.
Consider any specific compliance requirements or sensitive data that must be protected.
Step 3: Set Up Testing Environment
Create a testing environment within AWS that is separate from the production environment to avoid unintentional interruptions.
This includes setting up virtual instances, networks, and security groups specifically for the pentest.
Step 4: Map the Attack Surface
Gather as much information about the AWS environment as you can.
This includes identifying services, instances, subnets, S3 buckets, Identity and Access Management (IAM) roles, and other potentially vulnerable components.
Some of the techniques that you can use are network scanning, vulnerability scanning, and social engineering.
Step 5: Perform Vulnerability Assessment
This is the main goal of an AWS penetration test.
You can find vulnerabilities in a variety of places, such as IAM policies, S3 bucket permissions, and EC2 instance configurations.
For example, you may analyze AWS CloudTrail logs to track user activity and identify potential security issues.
Step 6: Exploit Vulnerabilities
Once you identify the vulnerabilities, you need to exploit them in order to determine their impact.
This could involve exploiting misconfigurations, weak access controls, or vulnerabilities specific to certain AWS services.
However, ensure that you only target your own resources and do not affect other AWS customers.
Step 7: Report and Remediate
Compile a comprehensive report outlining the findings, identified vulnerabilities, and suggested mitigation procedures.
Share this report with the system owner or administrator, along with any necessary guidance to help remediate the identified vulnerabilities.
Key Areas of Focus
Here are a few areas pentesters should focus on during penetration testing that will help identify potential vulnerabilities and weaknesses within AWS resources:
Identity and Access Management (IAM)
During penetration testing, it is essential to assess the effectiveness of IAM controls and the overall security of user authentication and authorization. Pentesters should test whether:
- Service accounts have unrestricted permissions
- Keys exist in the root account
- Users have multiple keys
- Root account is used for routine tasks or automation
- SSH and PGP keys haven’t been refreshed
- Accounts are inactive
- Multi-factor authentication is in place
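Most of the IAM checks above can be read straight from the account's IAM credential report. The following audit is an added example, not part of the original article; the sample report, the 90-day threshold and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a column subset of `aws iam get-credential-report` output.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2023-05-30T09:12:00+00:00,false,true,2021-01-04T10:00:00+00:00,2023-05-29T08:00:00+00:00,false,N/A,N/A
alice,true,2023-05-28T14:00:00+00:00,true,true,2023-04-01T10:00:00+00:00,2023-05-30T11:00:00+00:00,false,N/A,N/A
ci-deploy,false,N/A,false,true,2022-02-01T10:00:00+00:00,2023-05-30T12:00:00+00:00,true,2022-03-01T10:00:00+00:00,2023-05-01T12:00:00+00:00
bob,true,2022-09-01T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

def _ts(value):
    """Parse a report timestamp; 'N/A' and similar markers yield None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, now, max_age_days=90):
    """Return (user, finding) pairs for the IAM checks listed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, is_root = row["user"], row["user"] == "<root_account>"
        active = [n for n in "12" if row[f"access_key_{n}_active"] == "true"]
        if is_root and active:
            findings.append((user, "root account has active access keys"))
        if len(active) > 1:
            findings.append((user, "multiple active access keys"))
        needs_mfa = is_root or row["password_enabled"] == "true"
        if needs_mfa and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in active:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_age_days:
                findings.append((user, f"access key {n} older than {max_age_days} days"))
        used = [_ts(row["password_last_used"])]
        used += [_ts(row[f"access_key_{n}_last_used_date"]) for n in active]
        used = [t for t in used if t]
        idle = (now - max(used)).days if used else None
        if is_root and idle is not None and idle <= max_age_days:
            findings.append((user, "root account used recently"))
        if not is_root and (idle is None or idle > max_age_days):
            findings.append((user, "inactive account"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_REPORT, datetime(2023, 6, 1, tzinfo=timezone.utc)), sep="\n")
```
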
Logical Access Controls
Logical access controls are crucial for securing AWS resources and preventing unauthorized access. Penetration testing should focus on:
- Identifying if actions have been correctly assigned to resources
- Testing that credentials related to AWS accounts are safe and secure
- Testing if AWS processes and sensitive resources have controlled access
S3 Buckets
Assessing the security of Amazon S3 (Simple Storage Service) buckets is crucial to prevent data exposure or unauthorized access to stored data. Penetration testing should verify that:
- Appropriate security features are enabled on buckets, such as authentication and encryption
- Only authorized users have permissions for operations such as GET, PUT, and DELETE
- Security auditing is enabled on buckets, such as versioning and logging
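To check that only authorized users can perform GET, PUT, and DELETE, a tester can review each bucket policy for statements that grant those operations to anyone. The following check is an added example, not part of the original article; the sample policy, bucket name, account ID and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed bucket policy; bucket name, account ID and org ID are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneWrites", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})

OPERATIONS = {"GET": "s3:GetObject", "PUT": "s3:PutObject", "DELETE": "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (list forms included)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_operations(policy_json):
    """Map each statement to the GET/PUT/DELETE operations it grants to anyone."""
    exposed = {}
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # conditional grants need manual review
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        ops = [op for op, action in OPERATIONS.items()
               if any(fnmatchcase(action.lower(), p) for p in patterns)]
        if ops:
            exposed[stmt.get("Sid", f"statement-{i}")] = ops
    return exposed
```

The check covers only the bucket policy; `NotPrincipal`/`NotAction` statements, object ACLs and Block Public Access settings need to be reviewed separately.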
Database Services
Penetration testing should focus on identifying vulnerabilities within various database services. This includes testing whether:
- Database access is limited to known IP addresses
- Database applications are secure from potential SQL injection or command injection vulnerabilities
- Data is regularly backed up and backups can be securely restored
- Sensitive resources are deployed across several availability zones (multi-AZ)
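Whether database access is limited to known IP addresses can be checked against the security group rules, which are the customer's responsibility to configure. The following check is an added example, not part of the original article; the sample `describe-security-groups` output, group IDs, port list and allow-list are constructed for illustration.

```python
import ipaddress
import json

DB_PORTS = (1433, 3306, 5432)  # SQL Server, MySQL, PostgreSQL defaults

# Constructed `aws ec2 describe-security-groups` output; IDs and CIDRs are invented.
SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.0/28"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "203.0.113.4/32"}], "Ipv6Ranges": []}]},
]})

def _known(cidr, allowed):
    """True when the rule's CIDR lies entirely inside an allow-listed network."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def unexpected_db_sources(groups_json, allowed_cidrs):
    """Return (group, port, cidr) for database ports reachable from unknown sources."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in json.loads(groups_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if perm["IpProtocol"] == "-1":      # all protocols, all ports
                ports = list(DB_PORTS)
            elif perm["IpProtocol"] == "tcp":   # port range may span a DB port
                ports = [p for p in DB_PORTS
                         if perm["FromPort"] <= p <= perm["ToPort"]]
            else:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _known(cidr, allowed):
                    findings += [(group["GroupId"], port, cidr) for port in ports]
    return findings

if __name__ == "__main__":
    for finding in unexpected_db_sources(SAMPLE_GROUPS, ["203.0.113.0/24", "10.0.0.0/8"]):
        print(finding)
```
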
Conclusion
In conclusion, conducting comprehensive penetration testing on AWS is crucial for ensuring the security of your cloud infrastructure. By following a systematic approach and using the right methodologies and tools, organizations can improve their defenses and safeguard sensitive information.
However, it is important to always ensure ethical conduct, respect legal boundaries, and prioritize collaboration with system owners to remediate identified vulnerabilities effectively. With a comprehensive and responsible approach to AWS penetration testing, businesses can strengthen their security and protect against potential threats.