Amazon Web Services (AWS) has over a million users in around 190 countries and is an ever-growing, widely adopted platform, as more and more companies move toward a cloud environment.
But as with every technology, AWS is also prone to data breaches. The number of breaches is lower than for on-premise infrastructure because the technology is fairly new, but maintaining information security in the cloud is a rising concern for business owners everywhere.
In this article, we look at what AWS penetration testing is, why it is important for businesses and, if you are a penetration tester, which techniques and strategies you should use to find AWS vulnerabilities or gaps in AWS hardening. Should you wish to carry out penetration testing of AWS assets, please visit this AWS pentest service page:
AWS Penetration Testing
What is Amazon Web Services (AWS)?
Before diving into how security assessments of AWS assets take place, we must first learn what AWS is. AWS is a robust cloud computing platform that offers over 90 different cloud-based services, including computing power, storage space, content delivery and other functionality that helps businesses scale their online presence. AWS allows businesses to:
- Host and run dynamic web applications on AWS servers with high computing and high bandwidth.
- Store their data and files while still allowing them access from anywhere.
- Host managed databases such as Oracle or MySQL on AWS cloud servers to store information processed by applications.
- Deliver static and dynamic files smoothly via a Content Delivery Network (CDN).
- Send bulk emails to their customers.
Services provided by AWS
AWS provides its users with many cloud products and services, including but not limited to application services, mobile services, analytics, networking, storage, infrastructure, security and deployment services. Below we briefly cover a few of the most common services a penetration tester may come across during their engagements.
Simple Storage Service (S3) is the AWS cloud storage service. Typically known as S3 buckets, this service provides users with highly scalable storage space of practically unlimited capacity.
A bucket acts as a container, and objects such as files, backups, media, documents, photos and source code are stored inside it. This saves business owners a lot of overhead in terms of capacity management, backups and retrieval times, as a company can store and retrieve any amount of data over the internet.
S3 buckets also provide security features: bucket owners can define Access Control Lists (ACLs) to prevent unauthorised read or write access to their buckets.
EC2, or Elastic Compute Cloud, is the most widely used service that AWS offers. It is a compute platform where business owners can create virtual machines (general-purpose servers, GPU instances etc.). Each EC2 instance is a separate machine on which users can deploy their applications.
Instances are created from templates: users choose the operating system, disk size, RAM, processor etc. and create a machine fit for their needs.
Identity and Access Management (IAM)
Amazon Web Services also provides users with an Identity and Access Management (IAM) service, which is used to manage privileges. Administrators can assign roles, groups and policies according to the permissions required and implement appropriate access controls. IAM is used in combination with all other AWS services.
AWS Lambda is a serverless computing service, or FaaS (Function as a Service). Using Lambda, users can run code in response to events. The Lambda service automatically manages the underlying compute resources, leaving a hassle-free experience for its users.
Why do you need to pentest AWS assets?
Migrating infrastructure to the cloud does not relieve an organisation from the threat of a cyber attack or a data breach; just as with on-premise infrastructure, cloud infrastructure is also prone to cyber-attacks. The approach and the types of attacks targeted at AWS assets are different, but these assets are inherently just as vulnerable.
It is important to treat cloud infrastructure the same as on-premise infrastructure when it comes to information security. Assets must be tested by penetration testers to identify all possible entry points an attacker could use to compromise the company's assets, and to identify cloud security risks.
Does AWS allow anyone to perform penetration testing?
Yes, AWS does allow its users to perform penetration testing on their deployed applications or systems; however, there are defined boundaries as to what AWS allows penetration testers to do. Before 2019, explicit permission had to be obtained from AWS, but AWS has since removed this requirement.
For user-operated services, which are cloud offerings that users themselves create and configure, such as EC2 instances, AWS allows users to fully test the instances, excluding Denial of Service (DoS) tests or any other type of attack that disrupts continuity and availability.
For vendor-operated services, which are cloud offerings managed or configured by third parties, AWS only allows penetration testing of the configuration and implementation of the cloud environment; all other areas, including the underlying infrastructure, may not be tested.
Why is it important to pentest AWS?
As discussed earlier, AWS is being adopted at a very fast pace by organisations around the world. Because of this, more and more businesses are realising that it is important not to rely solely on the existing AWS security measures but also to implement their own controls.
For every organisation, validating their AWS configuration and implementation should be part of their cyber security plan and policy. AWS itself recognises this need as part of the shared-responsibility model and allows its users to perform security assessments of their applications, instances, operating systems etc.
Some of the reasons why it is necessary to perform penetration testing for AWS assets are:
- AWS has a “shared responsibility model” which many users do not clearly understand. This flawed understanding leads organisations to underestimate the amount of risk they are responsible for.
- While configuring AWS controls and security checks, organisations more often than not unknowingly grant excessive permissions or create overly permissive security groups.
- Multifactor authentication mechanisms are not implemented properly, which becomes particularly critical with social engineering attacks on the rise.
- To remain compliant with various international standards.
- To identify and mitigate vulnerabilities found in the infrastructure, protecting against various types of malware, cyber-attacks and data breaches.
- To produce secure images in line with container security best practices where Docker or other container images are used in the production environment.
AWS penetration testing vs. Traditional penetration testing?
The methodologies and approaches used in AWS penetration testing differ in a multitude of ways from traditional pentesting. The first and most important difference comes from the ownership of the asset being tested.
AWS is a subsidiary of Amazon, which owns all the core infrastructure. Because of this ownership difference, many of the tests and strategies involved in a traditional pentest cannot be replicated against AWS infrastructure, as they violate the AWS acceptable use policy. In some cases, typical pentesting procedures clash with AWS policies and could be prohibited altogether or could invoke the incident response team of the AWS security department.
Broadly speaking, there are four areas that can be tested fully without any issues while conducting an AWS pentest:
- The external infrastructure of a company’s AWS cloud.
- The applications owned by a company and hosted on AWS.
- The internal infrastructure of a company’s AWS cloud.
- AWS configuration review, including IAM policy reviews, S3 bucket pentest.
Types of AWS Penetration Testing
The security testing performed on an AWS environment can be categorised into two areas: testing the security of the cloud, and testing the security in the cloud.
Security of the cloud
When we say security of the cloud, this means the security of the AWS cloud platform itself, including all the services that AWS provides. The responsibility for securing the cloud platform lies with Amazon, which can test the cloud using internal or external security engineers.
Amazon must ensure that all its products are up to date and that there are no vulnerabilities, zero-days, login flaws or business flaws that could be exploited at any time, resulting in disruption of AWS services to its millions of users.
Security in the cloud
When we say security in the cloud, it means the security of the assets and instances deployed in the AWS cloud platform. This is the responsibility of the company or resource owner to ensure that whatever application, assets, and systems they have deployed in the AWS infrastructure are secure.
Companies can employ internal or third-party security testers to test their applications or systems deployed in the cloud for vulnerabilities and fix any issues found. More often than not, pentesters will come across this category in which a company is using AWS for their virtual infrastructure.
What areas in AWS can be tested?
Amazon allows pentesters to perform security assessments on specific areas of AWS EC2 instances. These areas include:
- The API i.e. Application Programming Interface can be tested for API flaws and misconfigurations.
- The web applications hosted by a company on EC2 instances can be tested under AWS application security testing scope.
- The programming logic and business flows can be tested.
- The virtual machines and operating systems deployed on an EC2 instance can be tested.
How is AWS vulnerability assessment and penetration testing performed?
Whether it is EC2 instances, S3 bucket configuration checks, NSG or other AWS assets, benchmarking against known standards such as CIS is common practice amongst security consultancies. This includes performing checks or security testing across the following AWS areas:
- Identify service and IAM misconfigurations
- Identify and exploit security vulnerabilities in Lambda functions
- Enumerate EC2 ‘User Data’
- Credentials exfiltration
- AWS NSG (Network Security Group) inbound/outbound access
- Unauthenticated S3 bucket access (private cloud access)
- Assess IAM permissions for exploitable opportunities or retrieve AWS access tokens
- AWS privilege escalation attempts
- Root certs
- SSH keys manipulation
- Publicly shared AMIs
- CloudTrail, GuardDuty evasions
Some of these areas are common to AWS vulnerability assessment and penetration testing. It is important to know the difference between vulnerability scanning and penetration testing.
Common vulnerabilities to check in AWS
While there can potentially be many AWS-specific vulnerabilities depending on the deployment and configuration, a few of the most common vulnerabilities a pentester may come across are described below:
- S3 buckets misconfiguration. More often than not, while testing S3 buckets, permissions and access control issues are found. Here an anonymous or unauthorised user can add, delete, modify files in the S3 buckets without the owner’s consent.
- Disclosed AWS IAM keys can be used for targeting and compromising the IAM accounts.
- AWS Cloudfront or WAF bypasses and misconfigurations.
- Using Lambda backdoor functions to create and establish private cloud access.
- CloudTrail logs can be obfuscated to hide and cover tracks when performing any malicious activities.
Controls you should test on your AWS assets
During a pentest, the security tester should focus on all controls that are within the scope. However, to streamline the process, we have compiled a list of controls in the areas of governance, network management, cryptography and logging and monitoring, that all pentesters must at least check while performing their tests.
Governance is the policies defined or the way entities or objects are controlled within the AWS infrastructure. While testing the governance areas make sure to:
- Analyse access policies.
- Understand the AWS usage and implementation.
- Analyse and identify the assets and AWS boundaries.
- Go through all documentation and inventory.
- Analyse the IT security and program policy.
When looking at the AWS infrastructure and network design and implementation, make sure to:
- Analyse and verify all network security controls.
- Identify and analyse all physical links.
- Analyse how access is granted and revoked to resources.
- Check for isolated environments.
- Go through all documentation and inventory.
- Check how the assets respond to DDoS attacks.
- Check how the assets respond in case a malicious code is introduced.
When testing the cryptographic and encryption controls, make sure to:
- Check AWS console access for misconfigurations.
- Check AWS API access for misconfigurations.
- Analyse the IPSec tunnels.
- Check the SSL key management.
- Verify that keys, PINs, secrets and any PII are protected at rest and in motion.
Logging and Monitoring
Logging and monitoring are crucial controls in case any troubleshooting or investigation is required. Make sure to:
- Check if centralised log storage is in place.
- Review policies to check adequate logging and monitoring is in place.
- Review IAM credential reports.
- Check if logs are being aggregated from multiple sources.
- Analyse logs to check if there is any sensitive data being logged.
How to Pentest AWS?
AWS allows its users to perform penetration testing for user-operated services, which means the cloud offering or services that users can create and configure themselves. Some of the areas that are allowed to be tested in an AWS environment include:
- AWS EC2 instances, excluding tests that can cause any form of denial of service or negatively impact business continuity.
- The implementation and configuration of AWS services being used.
- Configuration and bypasses for services like Cloudfront, API gateways, hosted web and mobile applications, APIs, programming logic etc.
- Virtual machines and operating systems hosted.
Some of the areas that should be included in pentesting AWS assets are the IAM, logical access control, S3 buckets and database services.
Identity and Access Management (IAM)
The first step in any penetration testing or ethical hacking activity is reconnaissance, which means collecting data and information about the target. For AWS, it is important to identify the assets, data stores and applications that are in use. When a penetration tester is performing the recon stage or asset identification, there are a few things to keep in mind:
- Check for keys in the root AWS account, these should ideally be removed.
- Check if multifactor authentication is implemented and if so review the configuration.
- Verify if root accounts are being used for daily tasks. This should be avoided at all times.
- Verify that the access to service accounts is restricted.
- Verify if multiple keys are being used per person. Ideally, one key per person should be used.
- Analyse the time period for changing SSH and PGP keys, these should be changed frequently.
- Analyse all user accounts and identify any inactive accounts. These should be deleted.
Logical Access Control
One area on which to focus security testing is how the company manages access control in the cloud, including the process of assigning permissions to resources. Logical access control governs access to AWS resources, processes and users.
Make sure that these access control policies are configured correctly and there are no issues of broken authorisation or broken access control.
Additionally, the credentials for AWS accounts must also be stored in a secure location.
As discussed earlier, S3 buckets are storage spaces provided to businesses. This storage service provides features such as access logging, versioning and encryption.
The main area where S3 buckets become vulnerable is when permissions (GET, PUT, DELETE etc) are not configured properly, resulting in unauthorised users getting access to the bucket where they can view, add, delete or modify company-owned data. Always make sure to check if the permissions are implemented correctly and whether the logging is enabled or not.
The most common Amazon S3 vulnerabilities identified by penetration testers during cloud pen tests are:
- Insecure permissions on S3 buckets
- IAM misconfiguration allows data loss, leakage or theft
- List permissions on AWS resources
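The permission problems described above (anonymous GET/PUT/DELETE and list access) show up in two places: the bucket policy and the bucket ACL. This added example, not code from the original article, checks both in the JSON shapes returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`; the bucket name, policy and ACL are constructed.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous or any-account access.

Added example, not from the original article. Evaluates the Policy document
from `aws s3api get-bucket-policy` and the Grants list from
`aws s3api get-bucket-acl`; all sample data below is constructed.
"""
import json

# Canned ACL grantee URIs meaning "anyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Actions that let an anonymous caller read, change or enumerate bucket contents.
RISKY_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}; both mean everyone in S3 policies."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def check_bucket_policy(policy_json):
    """Return findings for Allow statements giving anonymous principals risky actions."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        risky = sorted(a for a in _as_list(stmt.get("Action", [])) if a.lower() in RISKY_ACTIONS)
        if not risky:
            continue
        # A Condition (e.g. aws:SourceIp) narrows the grant; still report it, but say so.
        qualifier = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{qualifier} anonymous access: {', '.join(risky)} (Sid={stmt.get('Sid', '-')})")
    return findings


def check_bucket_acl(acl):
    """Return findings for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GRANTEE_URIS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


# Constructed sample policy: one public read, one IP-restricted write, one role-scoped grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "TeamAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
# Constructed sample ACL: owner full control plus a world-readable grant.
SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

if __name__ == "__main__":
    for finding in check_bucket_policy(SAMPLE_POLICY) + check_bucket_acl(SAMPLE_ACL):
        print(finding)
```

Account- or bucket-level S3 Block Public Access settings override grants like these, so confirm those before reporting a finding as exploitable.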
For any web service or web application, the database is the most important component. Businesses should ensure that they follow the necessary steps for securing the database of their application. While performing a security assessment, consider the following points:
- Check if regular backups are being taken.
- Verify that multi-AZ deployment methods are used.
- Verify that access to databases is only allowed for specific IP addresses.
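Both the inbound/outbound access check in the test areas earlier and the rule that databases accept connections only from specific IP addresses come down to reading security group rules. This added example, not code from the original article, audits the `SecurityGroups` list returned by `aws ec2 describe-security-groups` for ingress open to the whole internet; the group IDs, the 80/443 allowlist and the database port table are constructed assumptions.

```python
"""Flag security group ingress rules that expose ports to the whole internet.

Added example, not from the original article. Input is the SecurityGroups
list from `aws ec2 describe-security-groups`; sample groups are constructed.
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443}   # assumption: only web ports may face the internet
DATABASE_PORTS = {            # assumption: well-known database ports to call out as HIGH
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}


def _world_ranges(perm):
    """CIDRs in a rule that match every address (0.0.0.0/0 or ::/0, i.e. prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups, allowed_public_ports=PUBLIC_OK_PORTS):
    """Return (group_id, severity, message) for ingress rules open to the internet."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):  # ingress; IpPermissionsEgress is analogous
            world = _world_ranges(perm)
            if not world:
                continue
            dest = ", ".join(world)
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols: no FromPort/ToPort present
                findings.append((gid, "HIGH", f"all protocols and ports open to {dest}"))
                continue
            if proto in ("icmp", "icmpv6"):  # FromPort/ToPort are ICMP type/code, not ports
                findings.append((gid, "LOW", f"{proto} open to {dest}"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            exposed = [p for p in range(lo, hi + 1) if p not in allowed_public_ports]
            if not exposed:
                continue
            label = f"port {lo}" if lo == hi else f"ports {lo}-{hi}"
            db_hits = [p for p in exposed if p in DATABASE_PORTS]
            if db_hits:
                names = ", ".join(f"{DATABASE_PORTS[p]}/{p}" for p in db_hits)
                findings.append((gid, "HIGH", f"{label}/{proto} open to {dest}; exposes {names}"))
            else:
                findings.append((gid, "MEDIUM", f"{label}/{proto} open to {dest}"))
    return findings


# Constructed sample: a web group with SSH exposed, a db group with one good and two bad rules.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, severity, message in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid:12} {severity:6} {message}")
```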
AWS application security testing
This security testing service includes web application scope to identify vulnerabilities affecting the web app and its tech stack including integrations and AWS resources.
AWS application security testing services can help secure your applications by identifying vulnerabilities and providing recommendations for remediation. Sometimes customers prefer to check specific modules only, for example where AWS Cognito is used for authentication/authorisation. Get in touch for a tailored AWS application pen test scope to suit your requirements.
Things you can not pentest in AWS
As discussed earlier, there is a major difference between AWS penetration testing and traditional penetration testing due to the ownership of the assets. There are a few areas that AWS does not allow its users to test, and users in general should not perform any tests on these areas, as doing so can have legal implications.
The parts of AWS that should not be tested by any user include:
- Services, systems, servers or applications that belong to AWS (for example the SaaS offerings)
- The physical hardware, infrastructure, facilities or underlying technologies belonging to AWS.
- EC2 instances belonging to any vendor or other organisation.
- Security appliances managed by vendors or other organisations.
- Amazon’s small or micro Relational Database Service (RDS).
Which policy provides information on performing penetration testing on your EC2 instances?
AWS Customer Support Policy for Penetration Testing. It is available here. In the recent past, AWS made changes to the customer pen testing policy by listing penetration testing under ‘permitted services’. This means customers do not need to notify or seek authorisation to carry out AWS pen testing in their environment.
Advantages of AWS pentesting
As with all other security assessments, performing a pentest on your AWS assets also has many advantages and benefits. The first is that after a pentest is conducted the company will gain a clear image of how secure their AWS environment is, and if any vulnerabilities are found, they can be fixed resulting in a much more secure infrastructure.
When a company is tested internally as well as by a third-party penetration tester, the customers gain a sense of trust and confidence that the applications or services they are using are secure.
Other than this, organisations that conduct penetration tests regularly become compliant with many international standards including GDPR, PCI-DSS, ISO-27001 etc. These compliances can help the businesses in attaining a trustworthy reputation along with other business benefits.
Challenges of AWS pentesting
AWS penetration testing is not an easy task. For starters, the skills, strategy and techniques for assessing vulnerabilities in a cloud environment require specific knowledge not just of penetration testing but also of cloud security, infrastructure and environments. A penetration tester must be well-versed in all these areas before the actual security assessment begins.
Since this type of penetration testing demands a specific skill set, the activity can become a bit costly for the organisations. Even if a company has the budget, the timelines for this type of testing may be more than the traditional pentests.
AWS is constantly updating its services, and as with any other pentest, if changes are made during the activity or after the activity, those changes might not be tested and any security risk in those changes will not be reflected in the pentesting report.
Nevertheless, the advantages weigh more than the challenges and all companies should invest in periodic security assessments of their AWS assets.
Tools used in AWS pentesting
There are many open-source tools available for security testers to explore and try during their AWS pentest engagements. A few of these tools are described below with their functionality.
Principal Mapper (PMapper) is a script that identifies security risks introduced by AWS IAM misconfigurations in an AWS account or AWS organisation. The tool outputs a graphical representation that shows possible configuration flaws such as privilege escalation or alternate paths for cyber attacks.
This tool can be used to discover and list down all the AWS resources created in an AWS account. This can be useful when a penetration tester needs to map out the attack surface and perform reconnaissance.
Bucket_finder is a Ruby-based script that can be used to find sensitive information in Amazon S3 buckets.
Prowler is a command-line based tool that can be used to implement AWS security best practices and security audit including hardening guidelines from CIS Amazon Web Service Foundations Benchmark. This tool can be especially helpful when conducting an AWS security audit.
CloudSploit is an open-source project created by Aqua which allows pentesters to detect AWS security risks in cloud environments. The scripts return a series of potential misconfiguration flaws that the cloud infrastructure may have.
Cloudsplaining can be used to test IAM security. This tool identifies violations being made by incorrect implementation of the least privilege. After the assessment is complete, the user is given a detailed HTML based report with all the discovered vulnerabilities.
Rhino Security Labs has developed an open-source framework, Pacu, to aid penetration testers in security testing of cloud environments. Pacu gives pentesters a wide range of modules that can be used to exploit configuration flaws in AWS accounts, and its functionality can be extended with new modules. Attacks such as privilege escalation, creating backdoors in IAM users and attacking vulnerable Lambda functions, among many others, can be carried out with Pacu.
Whether you are an IT professional or business owner, you know that your company’s security is of the utmost importance. That’s why you should consider using AWS pen testing to help protect your business from malicious actors.
By conducting regular tests, you can ensure that your controls are adequate and up to date.
AWS pen testing can help identify vulnerabilities in your systems before they’re exploited. This proactive measure can help keep your business safe and secure. It is equally important that penetration testing reports are easy to digest, cater to both executive and technical audiences and help with risk remediation plans. Read here about how a good pen test report looks like.
Schedule a casual conversation to see if we are a good fit for each other!
What is AWS penetration testing?
AWS penetration testing is the process of assessing the security of an AWS environment. This can be done manually or automated, and usually involves a combination of both. It is important to note that penetration testing is different from a security audit; while an audit simply assesses the compliance of an environment with security best practices, a penetration test attempts to actually exploit vulnerabilities to gain access to sensitive data or systems.
What is penetration testing explain with an example?
An example of pen testing would be if an attacker were to try and gain access to a company’s AWS account in order to launch attacks against other resources in that account, or steal sensitive data.
Penetration testing can be used to test both physical and logical security vulnerabilities. For example, a physical penetration test may involve testing for weaknesses in security procedures, such as tailgating or social engineering attacks. A logical penetration test may involve attempting to bypass security controls, such as authentication or authorisation mechanisms.
What is penetration testing in cloud?
Cloud penetration testing, also known as pentesting or ethical hacking, is a security testing technique used to evaluate the security of cloud-based IT infrastructure or applications by simulating a cyberattack.
What is a pen testing tool?
Pen testing tools are utilities and software, whether open-source, commercial or developed in-house by pen testing companies, used to discover security vulnerabilities and support pen testing tasks.
Read our blog post about the top 20 pen testing tools.
What are the 5 stages of penetration testing?
There are typically five stages in a penetration test: reconnaissance, scanning, exploitation, post-exploitation, and reporting.
What are the four types of penetration testing?
There are four types of penetration tests: black box, white box, gray box, and targeted.
Read an in-depth article on types of pen testing.