Amazon Web Services (AWS) is the world’s leading cloud platform. It provides elastic computing services, cloud storage, databases, and a range of data analytics and AI applications, as well as deployment and automation services.
Before migrating to AWS, companies should consider compliance obligations, the risks of cyber attacks against cloud resources or sensitive data hosted on the cloud, and how to address them. A highly effective way of discovering security vulnerabilities in a cloud environment is via penetration testing. A penetration tester can discover critical security weaknesses in an AWS deployment and provide actionable recommendations for remediating them.
However, because AWS is a third-party data center, companies who perform penetration tests are required to follow specific instructions and comply with AWS restrictions.
Cloud environments are highly complex, and there are several security issues that are difficult to discover using existing cloud security measures. Here are a few examples of security gaps that penetration testing can help discover and remediate.
Failure to secure the client’s part of the shared responsibility model
AWS uses a shared responsibility model, which states that the cloud customer is responsible for securing their own workloads and data. In many cases, organizations have poor visibility into which security responsibilities in the cloud fall on them.
Missing authentication, permissions, or network segmentation
Many AWS resources do not require multi-factor authentication, are not network-segmented (via AWS security groups), or are granted excessive permissions. It can be difficult to identify these assets in a large cloud deployment.
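As an added example (not code from the original article), the three gaps above can be checked mechanically. The script below runs offline over constructed samples shaped like the output of `aws iam get-credential-report`, `aws ec2 describe-security-groups`, and an inline IAM policy document; the account id, user names, and group ids are invented placeholders.

```python
"""Flag the gaps the article names: console users without MFA, security
groups reachable from the whole internet, and IAM statements that allow
"*" on "*". All sample data below is constructed, not from a real account."""
import csv
import io

# Constructed, column-trimmed credential report (real reports have more fields).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false
"""

# Constructed, trimmed describe-security-groups response.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}

# Constructed inline IAM policy document.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

def users_without_mfa(report_csv):
    """Console users (password_enabled) whose mfa_active is not true."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]

def world_open_rules(sg_response):
    """(group id, from-port) pairs reachable from any IPv4 address."""
    hits = []
    for sg in sg_response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                hits.append((sg["GroupId"], perm.get("FromPort")))
    return hits

def wildcard_statements(policy):
    """Allow statements whose Action and Resource are both the wildcard."""
    def is_star(v):
        return v == "*" or (isinstance(v, list) and "*" in v)
    return [s for s in policy["Statement"] if s["Effect"] == "Allow"
            and is_star(s["Action"]) and is_star(s["Resource"])]
```

Swap the constructed samples for the real CLI output (the credential report is base64-encoded and must be decoded first) to run the same checks against an account you are authorized to assess.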
Compliance requirements
Organizations subject to compliance standards such as HIPAA, SOX, PCI DSS, etc. need to ensure that their AWS resources meet those requirements. This makes it important to perform internal audits of cloud assets and to identify and remediate their security weaknesses.
Security testing performed on AWS follows the shared responsibility model. Amazon differentiates between two types of security:
The methodologies and techniques used for AWS penetration testing differ from traditional penetration testing in many ways. The most important difference is ownership of the asset under test.
Amazon owns all of the core infrastructure operated by AWS. Therefore, many tests and strategies used in traditional penetration testing may violate the AWS Terms of Service. If a penetration testing procedure conflicts with AWS policies, it is prohibited on AWS infrastructure and might trigger the involvement of the AWS Incident Response Team.
AWS allows customers to perform security assessments of AWS assets. The term security assessment includes various activities performed to verify and validate security controls across AWS assets.
Here are key examples of security assessments allowed by AWS:
Here’s a summary of Amazon’s rules for security assessments that are allowed:
You can perform these tests remotely against your AWS assets, locally within your virtualized assets, and between your AWS assets.
AWS allows you to perform security assessments to validate your security controls. However, AWS must ensure that these tests do not harm other AWS customers and that AWS can continue providing quality service across the AWS ecosystem.
AWS prohibits simulating Denial of Service (DoS) or similar attacks against any AWS assets. This restriction is explained in AWS’s DDoS Simulation Testing policy.
Here’s a summary of Amazon’s rules for prohibited security assessments:
AWS holds customers responsible for verifying and validating that any security assessment performed by the customer or on their behalf complies with the policy. Customers violating this policy will be held responsible for all damages to AWS and AWS customers caused by the offending security assessment activities.
Define the following aspects prior to conducting a penetration test on AWS:
Penetration testers should focus on the following aspects when testing IAM and identity security in AWS:
Testers should focus on:
Testers should focus on:
Testers should focus on:
In this article, we explained the basics of penetration testing on AWS and the differences between penetration testing in your own environment vs. an environment owned by a third-party provider.
We presented the rules for pentesting on AWS, which can be summarized as follows:
Finally, we showed how to approach your penetration test across different parts of the Amazon infrastructure: Identity and Access Management (IAM), logical access control, S3 buckets, and database services. In each of these, testers should be aware of the risks and attack surfaces specific to the Amazon environment.
HackerOne can help you manage penetration tests against Amazon and other cloud and on-premise environments. Learn more about the HackerOne penetration testing service.