AWS Cloud Penetration Testing – What you should know about it?

Posted By Praveen Joshi

August 8th, 2022

  • AWS is a comprehensive cloud platform providing over 90 different cloud hosting services. This wide range of services is a common cause of both its popularity and its vulnerabilities.
  • As we discussed in one of our previous blogs, cloud penetration testing is a complex procedure, and it holds significant value in strengthening your infrastructure security.
  • The same is true of AWS pen testing. Amazon allows pen testing on some of its cloud services and prohibits it on others.
  • In this blog, we'll cover the important things you need to know about AWS Cloud Penetration Testing.

What does AWS have to say about Penetration Testing on its Cloud?

As an AWS cloud service user, you can conduct penetration tests or other security assessments on 8 services without prior approval. These 8 services are listed as permitted services. AWS also has a customer service policy regarding penetration testing, which we'll look at closely in later sections of this blog. You need to make sure that your testing activities are in line with these policies.

Basics of AWS Pen Testing

Usually, penetration testing involves ethical hackers exploiting a system to find its vulnerabilities. However, the traditional ways of penetration testing are not applicable to AWS infrastructure. AWS clouds follow a shared responsibility model in which the core infrastructure is owned by Amazon. Hence, the methodologies you use for AWS pen testing must comply with the AWS policies.

AWS Pen Testing

AWS allows penetration testing within certain specific boundaries. You can run the test fully over AWS EC2, but make sure to exclude tasks that might disrupt continuity. The specific areas of EC2 (Elastic Compute Cloud) you can pen test are:

  • Application Programming Interface (API)
  • Web Applications that your organization is hosting
  • Programming languages
  • Operating Systems and Virtual Machines

Four key areas to focus on while pen testing on AWS Cloud

  • External Infrastructure of the AWS Cloud
  • Your applications built or hosted on the platform
  • Internal Infrastructure of the AWS Cloud
  • Configuration of the AWS Cloud infrastructure

Types of AWS Pen Testing

As already discussed, AWS has a shared responsibility model. This also divides the responsibility for security procedures such as pen testing.

  1. Security of the Cloud: This responsibility falls to AWS. It involves making the cloud platform safe and secure for the users of AWS services. Logic flaws and zero-day vulnerabilities that attackers could exploit to affect AWS server performance must be addressed here.
  2. Security in the Cloud: This is the aspect of AWS cloud security for which the user is responsible. Here, the company or individual using the AWS cloud must ensure the safety of the data, applications, and other assets stored on the cloud. Users can make doubly sure by deploying professional security protocols on their AWS cloud assets.

List of AWS Controls You Can Test for Security

Governance:

  • Identify assets & define AWS boundaries
  • Identify, review & evaluate risks
  • Understand AWS usage/implementation
  • Access policies
  • Add AWS to risk assessment
  • IT security & program policy
  • Documentation and Inventory

Network Management:

  • Environment Isolation
  • Granting & revoking accesses
  • Network Security Controls
  • Documentation and Inventory
  • Physical links
  • Malicious code controls
  • DDoS layered defense

Encryption Control:

  • IPSec Tunnels
  • AWS API access
  • SSL Key Management
  • AWS Console access
  • Protect PINs at rest

Logging and Monitoring:

  • Review policies for ‘adequacy’
  • Aggregate from multiple sources
  • Review Identity and Access Management (IAM) credentials report
  • Centralized log storage
  • Intrusion detection & response

The areas of AWS Cloud where you cannot perform Pen Testing

  • The physical hardware that belongs to AWS
  • AWS-controlled servers
  • Relational Database Service (RDS) of Amazon
  • Other vendors’ EC2
  • Security appliances managed by other vendors

Steps you need to take before AWS Pen Testing

  • Decide your target systems for the test and define the scope.
  • Run preliminary operations on your own.
  • Select the type of security test you are going to conduct.
  • Prepare an outline of expectations of stakeholders from the penetration test.
  • Set a definite timeline for the test procedure.
  • Get written approval from all the concerned parties involved with the cloud.

Some popular tools for AWS Penetration Testing

  • Prowler: An open-source tool to scan the AWS cloud infrastructure for potential vulnerabilities. It also checks for IAM permissions and compliance as per standard benchmarks.
  • CloudSploit: A cybersecurity tool that audits the configuration of services in your AWS Cloud. It covers areas like publicly exposed servers, unencrypted data storage, lack of least-privilege policies, misconfigured backup and restore settings, data exposure, and privilege escalation.
  • CloudJack: An open-source assessment tool that checks for Route53/CloudFront/S3 vulnerabilities in your AWS Cloud services.

Before You Go!

  • AWS Cloud pen testing is quite different from regular penetration testing procedures. It requires knowledge of Amazon Cloud Security Policies and experience in handling critical cloud infrastructure.
  • RSK is among the few cyber security service providers in Dubai that can provide you with seamless AWS penetration testing.

Praveen Joshi

Praveen is a seasoned IT Solutions Leader and Director at RSK Business Solutions, a technology-driven IT Consulting Company that specializes in Bespoke Software Development, Agile Consulting, Mobile App Development, Smart Sourcing, and much more. For the last 17 years, he has been delivering quality custom IT solutions that help businesses achieve their goals.