Post

Penetration Testing on AWS - Part One

Posted
By Amal PK 5 min read

Part of a Series on AWS Penetration Testing

This post is the first part of a series that will cover more advanced aspects of penetration testing on AWS. Stay tuned for upcoming parts that will delve deeper into specific testing strategies and tools.

PartTopicLink
Part 1Penetration Testing on AWS - Part OneRead Now
Part 2Penetration Testing on AWS - Part Two: Flaws.Cloud WalkthroughRead Now
Part 3Penetration Testing on AWS - Part Three: Flaws.Cloud WalkthroughRead Now
Part 4Penetration Testing on AWS - Part Four: Flaws.Cloud WalkthroughRead Now

Introduction

Amazon Web Services (AWS), the world’s leading cloud platform, provides a plethora of services, from elastic computing and databases to AI-driven applications. While its versatility has revolutionized the IT landscape, migrating to AWS requires addressing inherent risks to cloud resources and sensitive data. Penetration testing is a robust strategy to identify vulnerabilities and fortify cloud security. However, as AWS operates as a third-party data center, penetration testing must adhere to specific policies and guidelines.

Why Pentesting on AWS Matters

Penetration testing is essential for uncovering security gaps in cloud environments, including:

  • Misunderstanding AWS’s shared responsibility model, where AWS secures the infrastructure, but customers must protect their workloads and data.
  • Weak authentication, permissions, or segmentation, leaving sensitive resources exposed.
  • Non-compliance with regulatory standards like HIPAA or PCI DSS, leading to legal and financial risks.

By proactively testing your AWS environment, you can discover and mitigate vulnerabilities, ensuring robust defenses.

The AWS Shared Responsibility Model

The AWS shared responsibility model outlines clear distinctions in security obligations:

  • AWS’s Responsibility: Securing the cloud infrastructure, including physical hardware, storage, and networking.
  • Customer’s Responsibility: Securing what is deployed in the cloud, such as data, workloads, configurations, and applications.

Penetration testing focuses on the customer-managed components within this model, ensuring you fulfill your part of the shared responsibility.

AWS Pentesting vs. On-Premise Pentesting

Penetration testing on AWS differs significantly from traditional on-premise testing due to AWS’s ownership of the underlying infrastructure. Testing activities must align with AWS’s Terms of Service, which prohibit actions that could disrupt or damage its ecosystem.

  • Permitted Tests: Port scanning, vulnerability scanning, banner grabbing, web application testing, and controlled exploitation (e.g., injection and fuzzing) are allowed within your assets.
  • Prohibited Activities: AWS strictly forbids:
    • Denial-of-Service (DoS) or Distributed DoS (DDoS) simulations, even in testing scenarios.
    • Use of tools or scripts that lack safeguards against uncontrolled DoS attacks.

These restrictions ensure that penetration tests do not negatively impact other customers sharing the AWS infrastructure.

What Can You Test on AWS?

To maximize the security of your AWS environment, focus on these key areas:

  1. Identity and Access Management (IAM):

    • Detect weak keys and missing two-factor authentication (2FA).
    • Identify overly broad permissions and inactive accounts.

  2. Logical Access Control:

    • Assess access assignments and validate credential security.

  3. S3 Buckets:

    • Audit permissions for public or unrestricted access.
    • Verify encryption and secure operations like GET, PUT, and DELETE.

  4. Databases:

    • Validate backup configurations and multi-AZ deployments.
    • Ensure IP restrictions are in place for controlled access.

How to Perform AWS Pentesting

  1. Define Scope and Obtain Approvals: Establish a clear testing scope and secure AWS’s permissions for activities involving their platform.
  2. Prepare for Incidents: Develop plans for scenarios like discovering active breaches or sensitive data exposures.
  3. Execute Key Testing Tasks:
    • Port and vulnerability scans.
    • Manual and automated application testing.
    • Controlled exploitation, respecting AWS’s guidelines.

Mapping AWS Account Usage

Mapping an AWS account is critical for understanding the permissions and roles associated with compromised credentials. Begin by setting up a CLI profile for your credentials, then use commands like aws sts get-caller-identity to identify the account details. Tools such as Pacu, CloudFox, and enumerate-iam are invaluable for automating the enumeration of services, roles, and permissions.

By systematically creating a list of AWS services the principal can access, you can visualize the attack surface and prioritize your efforts. For accounts linked to AWS Organizations, pay special attention to Service Control Policies (SCPs) that might restrict or permit actions across linked accounts.

Automated Configuration Scanning

Leverage tools like ScoutSuite and Prowler to streamline the assessment of your AWS environment. These tools provide detailed reports on misconfigurations and security issues. Use their output to guide manual validation, focusing on areas not covered by automation, such as nuanced IAM roles or specific service configurations.

Manual Service and Cross-Service Inspection

While automation is efficient, manual inspection remains indispensable. Conduct deep dives into individual services like Lambda, S3, or EC2, and explore their interactions. Cross-service analysis can reveal complex attack chains, such as modifying a Lambda runtime stored in S3 to escalate privileges.

Cross-Account Inspection

In multi-account setups, test cross-account interactions to uncover misconfigured trust policies, insecure cross-account roles, or improper security group rules. These misconfigurations can expose sensitive resources across accounts.

Conclusion

AWS penetration testing combines strategic planning, automation, and manual expertise to uncover vulnerabilities while respecting AWS’s strict policies. By understanding the shared responsibility model, focusing on high-risk areas, and leveraging advanced tools, you can secure your AWS environment effectively. Regular testing ensures compliance, strengthens defenses, and provides peace of mind in an increasingly cloud-driven world.

How to learn more?

To dive deeper into Cloud Security, start by connecting with passionate individuals in the field. Attend conferences, join online communities, or participate in forums and chatrooms dedicated to cloud security education, like Rhino Security Labs’ Discord. Immersing yourself in such environments accelerates learning through shared knowledge and experiences.

For structured learning, explore courses and certifications offered by AWS. While I haven’t completed these myself, I’ve heard high praise from trusted professionals in the field.

Hands-on practice is invaluable, and platforms like CloudGoat , Flaws, and Pentesting.Cloud offer excellent opportunities to develop practical skills. These resources are my personal favorites for gaining real-world experience.

Cloud, AWS
Cloud Pentest AWS
This post is licensed under CC BY 4.0 by the author.