Dummies guide to AWS Penetration Testing
Last year, there have been many AWS breaches exposing various types of vulnerabilities including leaking S3 buckets, compromised AWS environments and misconfigurations. Now more and more organizations are moving to the cloud and adapting modern technologies into their development operation. Organizations are trying to improve their security and decrease the chance of a cybersecurity breach so this post will help them understand AWS security and penetration testing.
Why pen testing AWS is important for an organization
The following scenarios give an overview of why penetration testing in and on AWS environments is essential for an organization to maintain security and build the trust of the users:
- Organization misunderstands the ‘shared responsibility model’ which leads them to underestimate the risk that they are responsible for.
- Not doing proper and time-to-time security configuration assessment of the AWS console after setting up their web application.
- Not implementing multi-factor authentication.
AWS security implementation in the cloud should be part of a complete security plan. AWS also understands the requirement of pen testing the application, instance and an operating system so that’s why AWS established a program to permit penetration testing.
Traditional pen testing versus AWS pen testing
Traditional pen testing and AWS pen testing is very different because of the AWS ownership of the infrastructure. Pen testing on the AWS infrastructure or hosted application without permission is a violation of the AWS acceptable use policy. When pen testing AWS environments there are various perspectives we should consider while security assessment like web application, external infrastructure and some specific to the cloud environment.
Let’s see how cloud pen testing is different from traditional pen testing. Below are the different types of testing we can do according to various scenarios.
- Testing on the Cloud: testing the web application that is hosted merely on the cloud environment which is publicly accessible.
- Testing in the Cloud: in this scenario testing the environment that is hosted on the cloud like Amazon Virtual Private Cloud (VPC) or equivalent and not directly accessible from outside. Testing web application running on the private cloud and the supporting infrastructure setup including different AWS services in the structure.
- Testing the Cloud Console: this scenario is very different from the traditional pentesting, examining the whole cloud console configurations like user accounts, permissions, e.g., IAM policies, security groups which is already configured in the AWS console.
Some vulnerabilities to test for in AWS
Below are vulnerabilities we see while AWS penetration testing:
- S3 bucket configuration and S3 bucket permission defects
- Compromising AWS IAM keys and permission
- Establishing private-cloud access through Lambda backdoor functions
- Cloudfront Misconfiguration Bypasses
- An IAM privilege escalation pathfinder and abuser
- Cover tracks by obfuscating Cloudtrail logs
Performing AWS pen test
Security testing for User-Operated Services is authorized by AWS, which is created and configured by the user. Pen tests involving Vendor Operated Services, which are owned and offered by the third-party vendor, are prohibited.
EC2 and S3 bucket is an AWS service which is usually pen tested.
Performing a pen test inside the cloud needs adequate planning and skilled information. General steps and preparation that ought to be taken before the pen test begins to include:
- The most crucial initial step is defining the scope, as well as the AWS environment and target systems
- Determine the type of pen test you would like conducted (e.g., black box, white box, gray box)
- Setting a timeline for the technical assessment to occur
- Obtaining approval to perform the pen test from AWS
- Sign in to your AWS account using root credentials
- Fill out the Vulnerability / Penetration Testing Request Form
- Inform AWS about the dates that testing will take place
- Inform AWS about the IP Address range the scan or penetration testing will come from
- Inform AWS about the scope you will test like IP Address range
Penetration Testing for ISO 27001 Control A.12.6.110 Sep, 2019