Over a million people across 190 countries use Amazon Web Services (AWS) to build and deploy websites and applications, store and manage valuable data, and use a wide range of other services. As the leading cloud service provider AWS has rid its customers of a lot of hardships – the need for on-premise data warehouses, distributed computing systems, and cumbersome hardware management – but cyber security threats are not among them. Hence, it is important that we discuss AWS penetration testing.
AWS has its own automated as well as manual security controls for applications and platforms. However, it is hard to get around the lack of security visibility given the number of cloud applications businesses often use on top of AWS. Add to that the increasing complexity of compliance mandates, data processing, and use cases while migrating to (or while scaling on) AWS, and the struggle for companies trying to strengthen data security for themselves and their customers intensifies.
A detailed vulnerability assessment and penetration testing (pen-testing) for their implemented AWS infrastructure solutions can help companies identify and tackle the security vulnerabilities, and ensure a robust security framework for protecting their online assets from cyber-criminals.
What is Penetration Testing in AWS?
A typical penetration test involves ethical hackers who test your network for vulnerabilities that hackers might exploit. They inform you about the points of weakness and in some cases recommend a course of action to fix them.
However, the traditional practices of ethical hacking are unlikely to comply with the policies of AWS. AWS’s core infrastructure is owned by Amazon, and the methodologies used for AWS pentesting are subject to Amazon's policies.
There are broadly four key areas to focus on for penetration testing of AWS:
- External Infrastructure of your AWS cloud
- Application(s) you are hosting/building on your platform
- Internal Infrastructure of your AWS cloud
- AWS configuration review
Does AWS allow penetration testing?
Yes, AWS allows penetration testing, however, there are specific boundaries to what an ethical hacker can play with while the rest remains out of bounds for pen-testing.
For User-Operated services (cloud offerings that are configured by the customer), AWS permits an organization to fully test its own EC2 instances, excluding any activity that disrupts service continuity.
For Vendor-Operated services (cloud offerings that are managed and configured by a third party), AWS restricts the pentesting to the configuration and implementation of the cloud environment, excluding the underlying infrastructure.
Let us talk some more about it.
What Pen-Testing can be performed in AWS?
AWS allows the pen testing of specific areas of EC2 (Elastic Compute Cloud). They are:
- APIs (Application Programming Interfaces)
- Web applications hosted by your organization
- Programming languages
- Virtual machines and Operating systems
What are the off-limits for AWS penetration testing?
The parts of AWS cloud that can not undergo pentest because of legal restrictions are as follows:
- Servers belonging to AWS
- Physical hardware, facility, or underlying infrastructure that belongs to AWS
- EC2 belonging to other vendors
- Small Amazon Relational Database Service (RDS) instances
- Security appliances managed by other vendors
By now you are familiar with the conditions governing AWS penetration testing, and ready to jump deeper. Well done!
Types of AWS Penetration Testing
We can categorize the security testing of an AWS platform into two parts:
1. Security of Cloud
Security of the Cloud is Amazon's (AWS's) responsibility: making sure the cloud platform itself is secured against vulnerabilities and cyber attacks for every company using an AWS service. It covers the zero days and logic flaws that could be exploited at any layer to disrupt the operation of AWS servers.
2. Security in Cloud
Security in the cloud is the responsibility of the user/company to make sure their deployed applications/assets on AWS infrastructure are secured against any kind of cyberattacks. A user/company can enhance the security of their applications on the AWS cloud by implementing necessary security practices.
Difference between traditional penetration testing and AWS penetration testing
We have already established that pentesting in AWS differs from traditional pentesting in terms of approach and methodologies. How about a closer look?
In a traditional pentest of a web application that you own, you have a free hand. In AWS penetration testing, the internal and external infrastructure of the AWS cloud, identity and access management (IAM), and AWS configuration and permissions become the governing factors.
List of AWS controls to be tested for security
- Understand AWS usage/implementation
- Identify assets & define AWS boundaries
- Access policies
- Identify, review & evaluate risks
- Documentation and Inventory
- Add AWS to risk assessment
- IT security & program policy
b. Network Management
- Network Security Controls
- Physical links
- Granting & revoking accesses
- Environment Isolation
- Documentation and Inventory
- DDoS layered defence
- Malicious code controls
c. Encryption Control
- AWS Console access
- AWS API access
- IPSec Tunnels
- SSL Key Management
- Protect PINs at rest
d. Logging and Monitoring
- Centralized log storage
- Review policies for ‘adequacy’
- Review Identity and Access Management (IAM) credentials report
- Aggregate from multiple sources
- Intrusion detection & response
Steps to take before performing AWS Penetration Testing
- Define the scope of the penetration test including the target systems.
- Run your own preliminary.
- Define the type of security test you will conduct.
- Outline the expectations for both the stakeholders and the penetration testing company (if outsourced).
- Establish a timeline to manage the technical assessment.
- Define a set of protocols in case the test reveals that security has already been breached.
- Obtain the written approval of the related parties to perform a pen test.
Now, you are ready to jump right into the thick of things.
How to perform Penetration Testing on AWS?
1. Identity and Access Management (IAM)
The first and most important step in the process of penetration testing is to identify the assets: the data stores and applications in the account. Some important points to keep in mind during asset identification are:
- Removal of keys from the root account
- Implement two-factor authentication
- Do not use the root account for daily tasks or automation
- Restrict the permissions of service accounts
- Limit each user to one access key
- Regularly change SSH and PGP keys
- Delete inactive security accounts
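The IAM points above (no root access keys, MFA, one key per user, key rotation, inactive accounts) can all be checked from the IAM credential report that the logging section of this post asks you to review. The script below is an added example, not code from the original post or from Astra; it parses a constructed, abbreviated credential report (the real report has more columns and is fetched with `aws iam get-credential-report`) and the thresholds of 90 days are assumptions, not AWS defaults.

```python
"""Audit an IAM credential report for the hygiene points listed above.

Example code added to this post; the CSV below is constructed and abbreviated,
and the 90-day thresholds are assumptions chosen for the demonstration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed, abbreviated credential report (real reports carry more columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T08:00:00+00:00,false,true,2022-01-10T00:00:00+00:00,2024-04-30T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-02T09:00:00+00:00,true,true,2024-03-01T00:00:00+00:00,2024-05-02T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-02T09:00:00+00:00,false,true,2023-01-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,true,2023-06-01T00:00:00+00:00,2024-05-01T00:00:00+00:00
old-svc,arn:aws:iam::111122223333:user/old-svc,false,N/A,false,true,2023-02-01T00:00:00+00:00,2023-09-01T00:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "today" so the output is reproducible
KEY_MAX_AGE = timedelta(days=90)                  # assumed rotation policy
INACTIVE_AFTER = timedelta(days=90)               # assumed inactivity threshold


def _parse_ts(value):
    """Datetime for an ISO-8601 cell, or None for N/A / not_supported / empty cells."""
    if not value or value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def _last_activity(row):
    """Latest password or access-key use for the row, or None if never used."""
    cols = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    stamps = [s for s in (_parse_ts(row[c]) for c in cols) if s is not None]
    return max(stamps) if stamps else None


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) tuples for root keys, missing MFA, key sprawl, stale keys and idle users."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        if user == "<root_account>":
            # Root should have no keys at all and must have MFA; skip the per-user checks.
            if active_keys:
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if len(active_keys) > 1:
            findings.append((user, "more than one active access key"))
        for n in active_keys:
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
        last = _last_activity(row)
        if last is None or now - last > INACTIVE_AFTER:
            findings.append((user, f"no activity in the last {INACTIVE_AFTER.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

With the constructed report, `alice` is clean, the root account is flagged twice, `bob` is flagged for a missing MFA device, two active keys and two stale keys, and `old-svc` for a stale key and long inactivity. The same loop works on a real report once you replace `SAMPLE_REPORT` with the decoded CSV from the API.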
2. Logical Access Control
The next step after asset identification is to manage access control on the cloud: defining which actions each principal may perform on each resource. Logical Access Control covers the resources, processes, and users of AWS. Credentials for the AWS accounts must be kept safe and secure.
3. S3 Buckets
S3 is Amazon's object storage service; its top-level containers are known as “Buckets”. It offers region exceptions, access logging, versioning, encryption, etc. Here are two important things you must ensure to maintain the security of S3 buckets:
- Permissions (such as GET, PUT, DELETE, LIST for HTTP methods) should be restricted to certain users
- The logging and versioning of the bucket should be enabled.
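The two bucket checks above can be automated from the bucket policy and the versioning and logging settings. The following is an added example, not code from the original post or from Astra: it evaluates a constructed bucket policy to find which of the GET, PUT, DELETE and LIST operations an anonymous caller would get, then checks constructed settings shaped like the `get_bucket_versioning` and `get_bucket_logging` API responses. Bucket ACLs and the account-level Block Public Access setting are not modelled here.

```python
"""Check an S3 bucket for anonymous access and for missing versioning or logging.

Example code added to this post. The policy and settings are constructed; the
shapes follow the S3 API responses but nothing here calls AWS.
"""
import json

# Constructed bucket policy: one statement is open to anyone, the other is scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed settings in the shape of get_bucket_versioning / get_bucket_logging output.
SAMPLE_SETTINGS = {"Versioning": {"Status": "Suspended"}, "Logging": {}}

# HTTP verbs from the post mapped to the S3 actions that grant them.
SENSITIVE_ACTIONS = {
    "GET": {"s3:GetObject"}, "PUT": {"s3:PutObject"},
    "DELETE": {"s3:DeleteObject"}, "LIST": {"s3:ListBucket"},
}


def _is_anonymous(principal):
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _action_matches(pattern, action):
    """Handle the wildcard forms policies use: "*", "s3:*", "s3:Get*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def anonymous_verbs(policy_json):
    """Set of HTTP verbs an anonymous caller is allowed by the policy."""
    verbs = set()
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for verb, s3_actions in SENSITIVE_ACTIONS.items():
            if any(_action_matches(p, a) for p in actions for a in s3_actions):
                verbs.add(verb)
    return verbs


def audit_bucket(policy_json, settings):
    """Combine the policy check with the versioning and logging checks."""
    findings = []
    open_verbs = anonymous_verbs(policy_json)
    if open_verbs:
        findings.append("anonymous principals allowed: " + ", ".join(sorted(open_verbs)))
    if settings.get("Versioning", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if "LoggingEnabled" not in settings.get("Logging", {}):
        findings.append("access logging not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_SETTINGS):
        print("-", finding)
```

A statement with a `Condition` block (for example an `aws:SourceIp` restriction) is still counted as anonymous here, which is the safe direction: it shows up in the findings and can be cleared by hand after reading the condition.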
4. Database Service
The database is an important part of most web services. It is important to follow the necessary steps to secure the database of your application. The key points to keep in mind while performing a security audit are:
- Regularly backup your data.
- Set the automatic backup interval to less than a week.
- Use the Multi-AZ deployment method.
- Limit the access to specified IP addresses.
Tools used in AWS Testing
There are many tools that you can use to pen test your AWS integrated services. Different sets of tools are available to carry out different types of tests. Here are some of them:
- Prowler: It is an open-source security testing tool that allows you to scan your AWS account for potential vulnerabilities, IAM permissions and compliance on the basis of a set of standard benchmarks such as AWS Foundations Benchmark.
- CloudSploit: It is a cloud security auditing and monitoring tool that allows you to audit the configuration state of services in your AWS account. It checks for publicly exposed servers, unencrypted data storage, lack of least-privilege policies, misconfigured backup, restore settings and data exposure, and privilege escalation.
- Cloudsplaining: It is an open-source tool for AWS IAM security assessment that allows you to identify violations of least-privilege and generate a risk-prioritized report for evaluation.
- CloudJack: An open-source Route53/CloudFront/S3 vulnerability assessment utility that checks your AWS services for subdomain hijacking vulnerabilities.
- Astra Security Scan: A cloud infrastructure security testing tool that allows you to pentest your AWS services and look for potential vulnerabilities. It offers an interactive dashboard where you can monitor the audit trail and see a detailed analysis of each discovered vulnerability along with the recommended steps to fix it. This dynamic dashboard sets the tool apart, as you can see and fix vulnerabilities as they are found instead of waiting for the audit to end. You can also integrate your pentest project with GitHub, GitLab, and Jira, and start an automatic pentest with every feature update.
AWS Penetration Testing Provider – Astra Security
As you would have gathered by now, AWS penetration testing is a serious undertaking involving complex processes and requiring specific knowledge. Performing a complete security audit by yourself for the first time can be difficult. But you don’t have to worry. Astra is here to help you out. Astra Security is a cyber-security company that performs a complete security audit of your application at a nominal cost. We are a group of security experts that can provide an in-depth analysis of your AWS system. See our AWS Security Audit Program.
Amazon Web Services (AWS) offers various integration opportunities for your application, with some built-in security features covering the security of the cloud. But security in the cloud rests completely in your hands. Hence, penetration testing becomes more important every day for your business. You can follow the guide above to do it yourself, or take professional help from Astra Security.
If you have further queries on AWS penetration testing by Astra Security, chat with us with the chat widget. You can also contact us by dropping comments in the comment box and we will be happy to help you!
1. What is AWS Security Audit?
Security audit methodologies for AWS are completely different from traditional pentesting procedures. The first and most important difference is system ownership. AWS is a subsidiary of Amazon who is the owner of AWS’s core infrastructure. Since the traditional ‘ethical hacking’ used in the process of pentesting would violate the acceptable policies of AWS, the security response team of AWS involves specific procedures.
2. Does AWS allow Security testing?
Yes, AWS allows penetration testing; however, there are specific boundaries to what an ethical hacker can play with, while the rest remains out of bounds for pen-testing.
3. What security testing can be performed in AWS?
- APIs (Application Programming Interfaces)
- Web applications hosted by your organization
- Virtual machines and Operating systems
4. How to perform security audit on AWS?
- Identity and Access Management (IAM)
- Logical Access Control