If you are security testing a web application, there is a great chance that it is hosted on the cloud. And there is reason for this – cloud has gained massive popularity, and the industry is projected to grow to 800 billion by 2025. Because the AWS is dominating the market with over 32% market share, as a security researcher, you will often have to deal with applications that are running on the AWS servers. So, let’s talk does the AWS allow penetration testing.
AWS Penetration Testing Rules
Engagement rules are always important. When it comes to the bug bounty hunting, scope creep might end in a lost time and resources, without getting any reward. It is no fun to find a critical vulnerability, to only realize that this is not in the scope of the program.
Rules are especially important when it comes to the penetration testing on cloud platforms. Not knowing of the engagement rules on such cloud platforms as AWS, might end bad. You might face legal consequences from the Amazon. And having a lawsuit from a trillion-dollar giant is not something you should be looking for.
Of course, this might be a little bit of exageration, as you won’t go to prison just for running a scan. But different situation is when you perform massive DDoS attack on the AWS services.
Without further ado, let’s see what are the AWS pentesting engagement rules. AWS has an official penetration testing page that explains it all. But let’s dive deeper into these rules.
AWS customers are allowed to perform penetration testing against these 8 services:
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
We will talk later about what activities are forbidden by the AWS. But let’s grasp the previously mentioned fact – AWS does allow penetration testing. However, not all activities are allowed.
If you are performing vulnerability assessment of a simple application, there is chance that it is running on a AWS EC2 instance. And that is allowed by the AWS. If the application is using an elastic load balancer, there is also no problem. Also, if the EC2 has a NAT gateway (which is usually a case), you can be tranquil that you won’t violate any rules.
AWS relational database service (RDS) is also in the scope. This is a great news, as it is one of the most popular database service on AWS.
Usage of the CDNs are common nowadays. For a global business functionality of the content delivery network is a true lifesaver, as it serves the content of a website from the location that is closest to the user. Users do not like waiting for too long for the website to be displayed. Because CDN is on the list of allowed services of the AWS penetration testing rules, you can perform your tests without worries.
Amazon Aurora is another service of relational databases, that is allowed to be security tested.
Many modern applications utilize APIs. You can be sure, that running a fuzzing tool against a public API won’t get you into any trouble.
Serverless computing is definitely gaining traction year after year. And because the testing of the AWS Lambda, that focuses on it, is allowed by the Amazon, you can prevent security issues from occurring with penetration tests.
AWS Lightsail provides you a server that can be used for various purposes. Flexibility also extends to the penetration testing, as there are no limitations (except from the obviously harmful ones, like DDoS attacks) for testing of the Lightsail services.
And lastly, you can be sure that web applications on AWS Elastic Beanstalk can be security tested.
Keep in mind that if you found a major zero-day vulnerability, related to the AWS services, you must report to the AWS.
What Is Strictly Prohibited From Security Testing on AWS?
Even though Amazon is pretty loose with the penetration testing, and it allows you to test your own applications, there are some limitations:
- You are not allowed to perform DNS zone walking attacks. This is applicable to the Amazon Route 53.
- DoS (Denial of Servie) and DDoS (DIstributed Denial of Service) attacks are out of the conversation. As these do not provide that much of a value, and exhausts system resources, by default they are not allowed. But if you are interested in performing DDoS attacks, you should get a a permission from the AWS, and should follow the given rules.
- Port and protocol flooding is also not allowed. As this is more related to the denial of service, than actual specialized security tests, AWS insures itself and prohibits these testing types from happening.
- Request flooding. This one is aimed for preventing unnecessary brute force attacks. Even thought AWS does not explicitly mention this, but in major of the cases, large number of requests is sent to brute for a password or existing directories. Even though it might help to investigate what users are using weak passwords, or what private directories are publicly accessible, this penetration testing attack generates a significant amount of requests and is not wished.
In conclusion, attacks, that will be generating a big number of request, are not preferable by the Amazon. Nevertheless, these attacks provide very less value, and is not a big loss for someone performing AWS penetration testing.
If you do want to perform network stress testing, or DDoS simulation, you must contact AWS and get a permission. You should fill the Simulated Events form and with information such as involved accounts, and assets, time of the event, and your contact information. It will take about 2 business days to get the answer.
There is a clear policy about network stress testing.
However, in a usual situation, you won’t need to get a permission. The reason for this, is that you won’t reach the limit of allowed network traffic, which at the moment is 1 Gbps.
If you want to perform DDoS simulation, it should be conducted by a AWS Partner Network Partner, that has a permission for such activity. There are strict rules what is tolerable traffic for the AWS. No more than 50 000 request can be send per second, and the network volume shouldn’t overstep 20 Gbps.
How About Testing the AWS Infrastructure of a Client?
The AWS clearly states:
“AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.””
The part of this statement you should pay attention to, is “their infrastructure”. If you are performing a penetration test on the client’s AWS infrastructure, the client is responsible for the actions you will make, and a potential harm you could make. Even though if you have a contract that states that you take full responsibility for any consequences. As the infrastructure is in the client’s name, he will be contacted as a first person in any situation.
In case you want to get a permission for simulated events from the Amazon, your client must contact them.
Best Books for AWS Penetration Testing
If you are willing to become a master in AWS pentesting, you should gain the needed skills. Online courses is one of the ways how you can become good at it. Another way to pick up the pace is by reading books. Both knowledge sources have their own pros and cons, but today we are going to check the best books for AWS penetration testing.
AWS Penetration Testing: Beginner’s guide to hacking AWS with tools such as Kali Linux, Metasploit, and Nmap
Some quick facts about the book:
- Published in 2020-12-04
- Written by a penetration tester and adjunct professor, OSCP holder, with over 10 years of experience
- Has 330 pages
This book is perfect if you are a beginner and have no clue what tools and methodologies to use for the AWS penetration testing. Not only that, the AWS Penetration Testing book explains the most common vulnerabilities found in the AWS infrastructure.
It does cover the main tools used in pentesting, such as Metasploit, and Nmap, also shows how to use Kali Linux – cybersecurity Linux distribution. If you are an experienced security tester, these tools are probably not new for you. But if you are just getting started in pentesting, getting the basics of them is very important. However, keep in mind that these are not AWS specific tools. They are multipurpose and are frequently used by the pentesters in different types of security assessments.
The book covers different types of testing and focuses on providing grounds for testing permission flaws, weak policies, and vulnerabilities in applications.
By reading the book you will get familiar how to check the security of AWS S3 buckets, AWS Aurora RDS, Lambda Services, AWS API gateway, and other common popular services of the Amazon cloud.
However, there are some things to consider about the book:
- This is a beginner level book that talks about penetration testing overall, it is not solely based on the AWS testing methodologies
- It does not talk about how to use AWS specific tools (that we covered in this article)
If you are just a beginner in pentesting, you will surely find value in this book. However, if you are a cyber security professional, keep in mind that this book is very beginner friendly.
Some quick facts about the book:
- Published in 2019-04-30
- Written by a security researcher Karl Gilbert, and Mr. Benjamin Caudill – penetration tester, security researcher, and the founder of Rhino Security Labs
- Has 508 pages
Just like any other book from our list of the best books for AWS penetration testing, this one shows the best ways to perform security testing on AWS environment. Topics that are covered in the book includes instructions how to use the relevant operating system (spoiler alert: it’s Kali Linux), specialized automatic tools, and shows common yet effective methodologies.
Even though the book explains the main concepts for a complete beginner, experienced pentesters will also find value in it. By following the examples of the book, you will be able to spin your own AWS environment. This will allow you to have an environment where you will be able to practice AWS security testing.
Hands-On AWS Penetration Testing with Kali Linux covers main steps how you can set up penetration testing lab and Kali Linux attacking box in the cloud. The book also covers configuration of some AWS services. By knowing how does the configurations looks like under the hood, you will be able to better understand potentially vulnerable places. Topics of the book includes setting and testing EC2 instances, S3 buckets, AWS Lambda, AWS RDS, AWS IAM (Identity Access Management), privilege escalation.
What is great about the book, is that it shows you how to use some of the most popular AWS pentesting tools: Pacu, Scout Suite. In fact, Pacu is developed by the company of one of the book authors.
This book surely provides value even for the experienced pentesters.
AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS
Some quick facts about the book:
- Published in 2020-02-27
- Written by an architect with over 12 years of IT experience
- Has 440 pages
This book focuses more on the defensive side of the AWS. However, knowing how to secure Amazon cloud services, will only help you to become better at the offensive side.
AWS Security Cookbook covers topics such as permission policies, key management, the book explains how you can implement best cloud security practices, and take care of the network security. When it comes to AWS services, you will get familiar with the security of S3, EC2 will learn how to properly implement IAM, and much more.
AWS has good security tools, so the book explains how you can utilize logging, monitoring, and auditing solutions to make sure your have the visibility of what is happening in your environment.
When it comes to the web security, ELBs (elastic load balancers), CloudFront, and Web Application Firewalls (WAF), is something you will face often. This book makes a perfect job by explaining how it can be utilized to increase the security posture of AWS web applications.
Some quick facts about the book:
- Published in 2020-01-21
- Independently published
- Has 396 pages
This is the second edition of the book that was originally written by the Richard Knowell. The book focuses on AWS pentesting basics:
- Reconnaissance of the AWS services: EC3, S3, APi gateways, ELBs, CloudFront. The book explains how you can utilize the search engines, such as Shodan, or Censys to find them.
- Subdomain takeover with the relevant tools. The book covers examples how you can takeover the subdomain by using a S3 bucket, it also shows to use Sublist3r and HostileSubBruteForcer tools.
- Finding the AWS secrets. Publicly exposed secrets is a big threat. For this reason it should be one of the first things you check when you perform AWS penetration testing.
- Getting persistence to the AWS infrastructure. There is nothing worse than being hacked. But when the attacker gains long term access to the environment, it might have devastating consequences.
- … and many more that you will find in the book.
As this is the second edition of the book, it greatly improved in its quality. People found the images of the first edition Advanced Penetration Testing: Hacking AWS blurry, but everything improved with the newest version.
AWS Pentesting Tools
As now we know that the penetration testing on AWS is allowed, we have another dilemma – what tools to use for AWS security assessment?
This is probably the most popular tool for testing AWS security. Prowler is a command line tool that can be used for security testing of different AWS aspects. Prowler can be considered as a swiss knife (a popular expression when it comes to cyber security tools) of the AWS testing. It covers 49 checks of the CIS Amazon Web Services Foundations Benchmark, and overall has over 200 checks. The tool can check for most of the best practices of the AWS.
It checks best security practices, related to:
- Various directives and laws, such as: GDRP, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2, ENS
- Secrets of various AWS services
- Internet exposed resources
- AWS Foundational Technical Review checks
- AWS trust boundaries
- EKS-CIS (Amazon Elastic Kubernetes Service Center for Internet Security)
- CIS Level 1 and 2
- Logging, networking, monitoring
Scoutsuite is a very popular tool when it comes to penetration testing of AWS or any other cloud services. It is a great tool to assess if there are any security flaws, that can be exploited in order to gain access to the data. As the penetration testing starts from utilization of various tools, Scoutsuite should definitely be on your toolbox. At the moment, tool supports auditing of different cloud providers:
AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and Oracle Cloud Infrastructure.
This is a perfect tool for understanding the scope of AWS environment. CloudMapper is originally built to draw the network diagrams, however, over the time tool evolved. Nowadays it is a multi purpose tool that is able to audit for security flaws and misconfigurations.
It can be used as a standalone installation on your machine. You can clone tool from the GitHub repository, install the dependencies, and run as a Python application. Or, you can use as a Docker container. Both installation methods are explained in the official repository.
Pacu is another tool that is very popular when it comes to the AWS penetration testing. It’s an AWS exploitation framework, that can be used for offensive testing. If the other tools are just searching for misconfigurations, this one can be used for direct attacks.
The tool has various plugins, that are effective in enumeration, privilege escalation, data exfiltration, log manipulation, and service exploitation. There are over 36 modules effective against AWS.
As it works with specialized modules, you can easily extend its functionality by writing your own modules.
Cloudsplaining is a perfect tool for performing IAM security assessments. It focuses on identifying security issues when the user is able to access resources that he shouldn’t be able to. Such security flaws can cause serious problems, such as data exfiltration, resource exposure, infrastructure modification, or even privilege escalation.
Cloudsplaining comes as invaluable tool in situations where the AWS IAM policy security audit is the main goal. You can use it for scanning entire AWS account, or you may even perform multi account scanning. When the credentials of the account are provided, Cloudsplaining will be able to check security of users, groups, roles, and various policies.
As a final result, the tool provides HTML report with all the details of AWS IAM implementation flaws.
This is really a powerful tool that saves a lot of effort when it comes to the IAM policy auditing on AWS environment.
After an investigation of the official rules, we can clearly state that AWS does allow penetration testing. Although, there are some restrictions that we had also covered in our article.
And for someone who is looking how to start in this area, we have covered the best books for AWS penetration testing. At the same time, we had checked the tools that irreplaceable for an AWS security specialist.
Now you know where to start, so if you are willing to become good at cloud pentesting, you should start grinding. Good luck!
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general), and blogging. I am experienced in vulnerability assessments, penetration testing, various security audits, had worked with various clients, most of them were in finance sector. Currently holder of CompTIA Security+, CEH, CEH Practical, and CEH Master certificates.