Amazon Web Services (AWS) platform supports a wide variety of business activities that include data storage, web application services, networking and code development. Unfortunately, it has recently become all too clear that these platforms can be vulnerable to serious data breaches. If you use AWS, it is important to understand how AWS penetration testing can help to minimize these threats. At the same time, you as a customer are only allowed to use AWS testing tools to perform assessments of client-side applications. Reviewing an introduction to the different types of AWS penetration testing can help you to determine the best strategies to employ to improve the security of your business.
Why Should You Conduct AWS Pentesting?
No matter how robust your physical, web and cloud security policy may be, your data and other resources are still vulnerable to different sources of attack. Penetration testing involves utilizing the services of an outside vendor who does their best to hack into your infrastructure just as a threat actor would: by exploiting your AWS vulnerabilities. Why should your organization invest time and money in an AWS penetration test? The answer lies in several traps that many businesses fall into, including the following:
- Putting the responsibility for mitigating internal risks onto others
- Lax security protocols and open permissions
- Failure to implement and/or enforce user multi-factor authentication requirements
- A lax approach toward compliance to industry-specific regulations such as HIPAA, FedRAMP, PCI DSS, etc. that affect the data center and/or storage of cloud-based data
- Failing to address previously unknown and unplanned-for “zero-day” vulnerabilities in a timely fashion in order to protect the cloud environment.
Amazon Penetration Testing VS Standard Pentests
There are several distinctions between these types of penetration testing. The most important thing to recognize is that Amazon owns the AWS infrastructure, which limits the cloud security testing you can conduct. For instance, AWS offers customers a wide array of cloud hosting services for storage, security management, content delivery and physical hosting. These solutions are well-protected from attack vectors and give organizations the benefits without the need to maintain them or pay the total implementation and management costs.
While Amazon is responsible for maintaining and testing the underlying AWS infrastructure, client organizations like yours should test your own AWS platform configuration and any code or apps you possess on your systems.
What You Can Assess in An AWS Pentest
While the AWS environment restricts you from much of the leeway you would find with traditional penetration testing, you are encouraged to conduct security testing for services that you have created, including user permissions and configurations. Some of these include the following:
- Penetration testing of ec2 instances except distributed denial of service attacks and others that relate to disruption of business continuity
- Services provided by vendors
- The API Gateway, CloudFront and other AWS support services
- Virtual machines.
By performing penetration tests on these areas, organizations can minimize the likelihood that vulnerabilities will turn into an all-out data breach.
Details to Cover Before Running an AWS Pentest
Penetration testing is a complex operation that you should approach with planning and expert assistance. Before you conduct yours, your organization should address the following issues:
- Define the scope
- Run a “dummy” test
- Decide which type of penetration test to conduct (black box, white box, gray box)
- Specify expectations that you require of all stakeholders, including internal management and the testing vendor
- Make a timeline covering all tasks, deadlines and who is accountable
- Determine your action plan if a breach is discovered, including whom to contact and when
- Request and obtain written approval for the penetration test (including completing a request form, notifying AWS of the dates and the IP address range from which the test will originate as well as the IP address range that will be tested)
- Run AWS testing tools such as AWS Inspector and Nmap to assess the security of your AWS applications and physical networks.
In addition to these strategies, continuing to update your knowledge of threats as they evolve will enable you to implement a system of ongoing security best practices. These protocols will complement the robust AWS penetration test procedures you conduct as part of your wider threat prevention, detection and mitigation infrastructure.