Understanding AWS Penetration Testing: AWS Security Part I

Understanding AWS Penetration Testing: AWS Security Part I

AWS Cloud

Amazon Web Services is a cloud platform provided by Amazon, providing on-demand cloud computing platforms and APIs on a metered pay-as-you-go model.

AWS provides services like compute and storage, content delivery, security management, network infrastructure, and physical hosting facility for tenant organizations falling into Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS).

Pentesting and AWS Pentesting

Pentesting, also known as penetration testing, is the practice of testing a computer system, network, or web application to identify vulnerabilities that an attacker could exploit. In the context of AWS (Amazon Web Services), pentesting refers to the practice of identifying vulnerabilities in the security of AWS resources, such as Amazon EC2 instances, Amazon S3 buckets, and Amazon RDS databases.

There are a few different approaches you can take to perform pentesting in AWS:

  1. Manual pentesting: This involves manually testing the security of AWS resources by manually attempting to exploit vulnerabilities. This can be time-consuming, but it can be effective for identifying subtle or complex vulnerabilities.

  2. Automated pentesting: There are a number of tools available that can automate the process of identifying vulnerabilities in AWS resources. These tools can be faster than manual pentesting, but they may not be as thorough.

Need of Cloud Pentesting

Cloud Pentesting is designed to assess the strengths and weaknesses of a cloud system to improve its overall security posture by:

  • Identifying risks, and vulnerabilities in configurations and applications

  • Understanding the impact of exploitable vulnerabilities

  • Providing best practices with clear and actionable remediation information

Area of focus during AWS Pentesting

The below-listed areas are focused on when performing the pentesting of the AWS Cloud environment:

  • Internal and External Infrastructure of AWS cloud

  • Applications hosted on the platform

  • AWS configuration review

Types of AWS Penetration Testing

Security of Cloud

The security of cloud services of the AWS cloud is the responsibility of AWS as they should be secured against any attacks at the infrastructure/ platform/ service level. This mainly includes the flaws related to AWS services, 0-days, (D)DOS, and any disruption against performance.

Security in Cloud

The applications and services deployed in the AWS cloud infrastructure should be secured against any attacks by following best security practices and regular penetration testing such that the security of the applications deployed in the AWS cloud.

AWS Services Pentesting without pre-approval

  • Amazon EC2 instances

  • Amazon RDS

  • Amazon CloudFront

  • Amazon Aurora

  • Amazon API Gateways

  • AWS Fargate

  • AWS Lambda

  • AWS LightSail resources

  • Amazon Elastic Beanstalk environments

Prohibited actions during Penetration Testing

  • DNS zone walking via Amazon Route 53 Hosted Zones

  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (Refer to DDoS Simulation Testing policy for more)

  • Port flooding

  • Protocol flooding

  • Request flooding (login request flooding, API request flooding)

Part II: Understanding AWS Penetration Testing: AWS Security Part-II