Penetration Testing in AWS: Can You Test Your Cloud?

Oliver Moradov

What Is AWS Penetration Testing?

Penetration testing typically involves an ethical hacker looking for network vulnerabilities that a malicious hacker could exploit. These tests provide insights into a network’s points of weakness, informing security teams on how to repair them.

However, Amazon Web Services (AWS) doesn’t always support standard ethical hacking practices, because they may conflict with Amazon policies. Amazon owns the core infrastructure of AWS, so any penetration testing methodologies used on AWS systems are subject to Amazon’s policies.

Pentesting in AWS generally has to address these main areas:

  • The external AWS cloud infrastructure 
  • The internal AWS cloud infrastructure
  • Any applications built or hosted on the platform
  • Review of the AWS configuration

In this article:

The Importance of AWS Pentesting

As AWS continues to deploy more services and serve millions of additional users, the system becomes exponentially more complex. This added complexity could allow attackers to exploit undiscovered vulnerabilities. The problem only increases if the human factor is also taken into account—any user or administrator who has an identity and access management (IAM) account can be the target of a social engineering attack.

Regular AWS penetration testing is critical for cybersecurity professionals to address these challenges. Penetration testing can help discover misconfigured security groups and excessive privileges, known vulnerabilities in cloud systems, misunderstandings regarding the shared responsibility model which can lead to unintentional risk exposure, failure to implement strong authentication for cloud resources, and lack of employee education with regard to social engineering.

Another aspect of penetration testing is that it can help achieve compliance with regulations such as HIPAA, PCI DSS, and FedRAMP. These and other compliance standards require regular penetration testing to identify, address, and remediate compliance gaps.

Amazon supports penetration testing against its systems, but requires special approval for certain types of tests. Organizations should rely on security experts with the expertise to perform Amazon penetration testing. AWS security partners know what to test and which simulations require Amazon approval.

Penetration Testing Methodologies for AWS

The security testing methodologies of an AWS platform fall into these two categories:

  • Security of the cloud—Amazon is responsible for ensuring that the AWS cloud infrastructure is secure. This category includes any vulnerabilities, logic flaws, or zero-day threats on AWS servers that may impact their performance or damage users.
  • Security in the cloud—the customers are responsible for ensuring that the assets and applications they deploy on the AWS platform are secure. Organizations must follow the required security procedures to enhance the security of their applications in the AWS cloud.

AWS allows security testing for user-operated services, including cloud offerings that the user creates and configures. Organizations can test their AWS EC2 instances, for example, without incorporating tactics that might disrupt business continuity (e.g., launching a DoS attack).

AWS restricted security testing for vendor-operated services, including any cloud offering that a third-party vendor owns or manages. AWS allows users to pentest the cloud environment configuration and implementation, but not the hosting infrastructure. For example, customers can perform penetration tests for the configuration of AWS services like API Gateway and Cloudfront, but they can’t touch the underlying infrastructure.

One AWS service that supports penetration testing is Elastic Cloud Computing (EC2). The following areas of AWS EC2 instances are open to pentesting:

  • The API 
  • Customer-hosted mobile and web applications
  • The application server 
  • The stack associated with an application 
  • Virtual machines (VMs) 
  • Operating systems

Organizations traditionally use pentesting in on-premise environments or infrastructure-as-a-service (IaaS) offerings. AWS has many software-as-a-service (SaaS) offerings that don’t allow the customer to perform penetration tests because Amazon owns the environment. However, customers can use a black box or security audit to test the identity and configuration of a SaaS service. 

Other areas of the AWS cloud that don’t allow pentesting for legal or technological reasons include:

  • Applications and services owned by AWS (including SaaS offerings)
  • Third-party EC2 environments owned by another vendor or partner
  • Any underlying infrastructure or physical hardware owned by AWS
  • Micro or small AWS Relational Database Service (RDS)
  • Third-party security appliances managed by another vendor (unless the customer has permission)

AWS Vulnerabilities and Pentest Tools

Several vulnerabilities specifically affect AWS systems, although some are more common than others. Some of the top vulnerabilities of the AWS architecture include:

  •   Permissions and configuration flaws—for example, in S3 bucket policies.
  •   Compromised credentials—for example, identity access management (IAM) keys.
  •   Cloudfront or WAF misconfigurations—enable attackers to bypass security measures.
  •   Lambda backdoor functions—enable private cloud access.
  •   Cloudtrail log obfuscation—covers an attacker’s tracks. 

It is important to understand the approach and capabilities of a pentest provider. Choosing the right provider allows organizations to leverage end deliverables to identify and prioritize business risks so their teams can take action. 

Related content: Read our guide to penetration testing services

Many independent and off-the-shelf tools are uniquely developed for cloud environments and help organizations understand AWS flaws and misconfigurations. Basic tools for identifying basic vulnerabilities include:

The following basic tools can also help identify basic flaws:

  • AWS Inspector—designed to secure applications deployed on AWS.
  • BucketHead—from Rhino Security Lab, identifies misconfigured S3 Buckets.
  • Nmap—discovers networks and enumerates services.

Basic tests using free tools can be a good start for addressing low-hanging fruit, but they don’t provide extensive protection against vulnerabilities and other business risks. Third-party security providers can offer the expertise and experience necessary to conduct comprehensive AWS security assessments and strengthen an organization’s security posture.

Related content: Read our guide to penetration testing tools 

Complementing Penetration Testing with Dynamic Application Security Testing (DAST)

Penetration testing is valuable to ensure your applications and network are secure, however a large proportion of each is conducted manually by specialist penetration testers. The penetration process takes time, is not scalable and the costs can spiral.

With more companies now apopting DevOps and CICD, further automation of security testing is required that removes security related bottlenecks and provides a direct and immediate feedback loop to developers.

Bright Security’s developer focused Dynamic Application Security Testing scanner is used by penetration testing companies to carry out preliminary scans on their client applications and APIs. You can integrate Bright into your development pipelines to benefit from continual, scalable security testing early and often, on every build / commit. 

Bright automatically validates every security issue, so has NO false positives. This removes the need for you to manually validate security issues (one of the services performed by PT / PTaaS). Coupled with the ability to detect Business Logic Vulnerabilities with Bright, this reduces your reliance on and cost of your manual penetration testing or PTaaS.

Sign up for a FREE Bright account and start automating your application and API security testing

Secure your app with every build

Sign up for a FREE Bright account.
Related Articles
Categories