AWS Penetration Testing

Overview

Amazon Web Services (AWS) penetration testing helps businesses find and fix security weaknesses in their AWS environment. A penetration test, also referred to as a pen test, simulates an attack on your systems to identify vulnerabilities that a real attacker could exploit; ethical hackers probe the system or network for the weaknesses a malicious actor would target. AWS permits customers to run such tests against User-Operated Services, that is, the cloud resources they create and configure themselves, within the limits of its penetration testing policy.

What is Penetration Testing in AWS?

Security is a major concern for any organization, because it must protect its customers' data and its own servers from attackers. AWS penetration testing identifies vulnerable resources in an AWS environment and uses ethical hacking techniques to find weaknesses before an attacker does. Tests that fall outside the AWS penetration testing policy (for example, DoS simulations or full red-team exercises) require prior approval from AWS, but AWS allows customers to run security assessments without prior approval against a list of services, including:

  • Amazon EC2 instances
  • NAT Gateways
  • Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • AWS Lambda
  • Lambda Edge functions
  • Amazon Elastic Beanstalk
  • Amazon API Gateways
  • Amazon Aurora
  • AWS Fargate
  • Amazon Lightsail resources

User Operated Services

User Operated Services are the AWS resources that customers create and whose configuration they control, such as EC2 instances. AWS permits penetration testing of these services. For example, an organization may run tests against its own EC2 instances, except for tests that disrupt the operation of the instances or of the underlying AWS infrastructure, such as DoS or DDoS attacks.

Vendor Operated Services

Vendor Operated Services are created, managed, and configured by the vendor, that is, by AWS itself or by a third party offering a managed product on AWS. Such vendors are authorized to operate on the AWS cloud but not on the underlying infrastructure. Services such as CloudFront and API Gateway fall into this category: the customer controls only the configuration and the application layer. Testing of these services is therefore limited to the customer's own configuration and application; the infrastructure on which they are hosted cannot be configured or tested.

What Pen-Testing Can and Can't Be Performed in AWS?

AWS permits some kinds of pen testing and prohibits others. Let's discuss each separately.

What Pen-Testing Can Be Performed in AWS?

  • AWS allows security assessments of the customer's own AWS assets. These include port scanning, vulnerability scanning, web application scanning, exploitation, forgery, injection, fuzzing, and similar techniques.
  • Security tools or services that temporarily or permanently crash a running process on an AWS asset, for the purpose of local or remote exploitation, are permitted.
  • Security products or services that include a DoS capability are acceptable only if they provide a clear, documented way to neutralize, disable, or otherwise render that DoS capability harmless.
  • Tools such as banner grabbers, which remotely query an AWS asset to learn the name and version of the software it runs and compare the result against a list of versions known to be vulnerable to DoS, are permitted.

What Pen-Testing Can't Be Performed in AWS?

To keep offering reliable service across the AWS ecosystem, AWS must ensure that one customer's tests do not harm other AWS customers.

  • Any security tool or service that creates, demonstrates, or determines the existence of a DoS condition, whether simulated or real, is prohibited.
  • Tools, services, or features of tools and services with genuine DoS capabilities are prohibited.
  • Security tools or services that have a DoS capability but lack a clear means to neutralize, disable, or otherwise render it harmless are prohibited.

Why Does Pentesting on AWS Matter?

Cloud infrastructure is vast and complex, which makes security hard to manage, and conventional security practices do not always carry over unchanged. Here are a few cases where common security practices fall short and penetration testing can help.

Client's Part of Shared Security Model

Under the shared responsibility model, AWS is responsible for security of the cloud (the underlying infrastructure), while the customer is responsible for security in the cloud: the data, workloads, identities, and configuration it deploys. Some customers apply weak data security measures on their side of this line, and AWS penetration testing exposes such gaps.

Missing Authentication and Network Segmentation

Multi-factor authentication is often not enabled on the identities that access AWS resources, and security groups are frequently left flat, with no network segmentation between tiers. Combined with overly broad permissions, this leaves resources exposed. Because cloud estates are large, picking out the vulnerable resources by hand is hard, and AWS penetration testing helps identify them.

Compliance Requirements

Organizations subject to compliance standards such as HIPAA, SOX, and PCI DSS must also show that the workloads they host on AWS meet those standards. Internal audits therefore become necessary, and penetration testing is used to find and address the security weaknesses of the resources in scope.

Types of AWS Penetration Testing

Security testing on AWS falls into two major categories, following the shared responsibility model. Let's discuss each briefly.

Security of Cloud

Security of the cloud is AWS's responsibility. AWS secures the platform itself: the hardware, facilities, networking, and the software behind its managed services. Flaws at this layer, which could lead to attacks on or malfunction of AWS's own infrastructure, are AWS's to find and fix and are not in scope for a customer's pen test.

Security in Cloud

Security in the cloud is the responsibility of the individual or organization deploying servers, application code, and other AWS resources. Customers improve the security of their resources by following security best practices for their AWS environment, and this is the layer a customer's penetration test targets.

Tools Used in AWS Penetration Testing

You can use various tools to conduct penetration testing in the AWS environment. Let's discuss each of them in brief.

  • Kali Linux: A Debian-based, open-source Linux distribution built for security tasks, including penetration testing. It is popular with both white-hat and black-hat hackers and is a common base for AWS penetration testing.
  • Metasploit: An exploitation framework that can also be used against AWS environments. It includes modules for enumerating AWS services and, in some cases, attacking them.
  • Nmap: A command-line network scanner (available for Linux, Windows, and macOS) that discovers hosts, open ports, and the software and versions behind them. It can scan the network-facing AWS assets in scope.
  • Amazon Inspector: An AWS service that detects vulnerabilities in AWS resources. It only produces assessment findings; remediating what it finds is up to you.
  • CloudSaw: An AWS command-line tool with built-in malware detection. It is a small package, supported on mobile devices, that consumes few system resources.
  • HeadBucket: Strictly speaking an S3 API operation (`aws s3api head-bucket`) rather than a standalone tool. It reports whether a bucket exists and whether your credentials are allowed to access it, which makes it a building block for detecting misconfigured S3 buckets.
  • CloudSploit: Scans AWS accounts for security and configuration defects. CloudSploit also acts as a guide to the security tools AWS itself provides.
  • CloudJack: Detects subdomain hijacking opportunities caused by Route 53 or CloudFront misconfigurations.
  • Cloudsplaining: Evaluates IAM policies for risky permissions and generates an HTML report on which you can base remediation.

AWS Penetration Testing Limitations

The following AWS cloud components are out of scope for customer penetration testing under AWS's policy:

  • Infrastructure owned by AWS itself.
  • The physical equipment, facilities, or underlying infrastructure of other suppliers that is part of Amazon EC2.
  • Amazon RDS instances of the smallest instance classes.
  • Security appliances operated by other vendors.

List of AWS Controls to Be Tested for Security

Below is a list of AWS controls that can and should be evaluated for security. In short, it covers the governance layer, including asset monitoring, network management, and access policies.

  • Governance
    • Define AWS boundaries and assets
    • Access policies
    • Identify, examine, and assess risks
    • Enhance risk assessment using AWS
    • IT security and program management
  • Network Administration
    • Network security controls
    • Trust relationships
    • Granting and revoking access
    • Environment isolation
    • Layered DDoS protection
    • Malicious code controls
  • Encryption Controls
    • Access to the AWS Console
    • Access to the AWS API
    • VPN over IPsec
    • SSL/TLS key management
    • Protection of PINs and secrets at rest
  • Tracking and Logging
    • Centralised log archiving
    • Review of policy adequacy
    • Correlation of data from many sources
    • Intrusion detection and response

Steps to Take Before Performing AWS Penetration Testing

We need to make sure to execute the given steps before performing AWS Penetration Testing:

  • Define the target systems and the scope of the penetration test.
  • Before the in-depth assessment, run a preliminary pass with vulnerability scanners such as Amazon Inspector or Astra's vulnerability scanner to catch basic flaws.
  • Specify the type of security test you will run.
  • Define the success criteria for the penetration testing company and the stakeholders (if the test is outsourced).
  • Create a schedule for the technical evaluation.
  • Establish a set of protocols to follow if the test finds that security has already been compromised.
  • Obtain written consent from all involved parties before conducting the test.

Common Mistakes to Avoid While Performing AWS Penetration Testing

Listed below are some common mistakes to avoid while performing AWS penetration testing:

Overlooking The Basics

Before you begin testing, make sure you have a firm grasp of the AWS platform. The shared responsibility model underlies how the Amazon cloud operates: AWS is responsible for security of the cloud (the underlying infrastructure), while you are responsible for security in the cloud (what you deploy and configure in your environment). Knowing exactly how much security you are accountable for, and what to expect from the provider, is essential before beginning an AWS pen test.

Know Your AWS Limits

AWS penetration testing differs from conventional pen tests, as described in the preceding sections. Tests that fall outside the AWS penetration testing policy can only be run with AWS's prior approval. So be clear about what you can test in the cloud environment and how to go about it.

Public S3 Buckets

S3 buckets can be left publicly accessible on AWS, which means anyone can list the bucket and read its data. Although this makes the data easy to share, it also raises the risk of a data breach. Use Amazon S3's Block Public Access feature to prevent unintended public exposure of your data.

Too Many Permissions Issues

Many organizations overlook this when testing. They grant identities access to more resources than they need, and fail to define user groups by the level of access actually required. Any penetration test in an AWS environment must account for how permissions are managed, since excessive permissions are one of the main paths to compromise.
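As an added example (not code from the original article, and not Cloudsplaining's own implementation), here is a coarse offline check for the over-permissive policy patterns that tools like Cloudsplaining report: full admin grants, service-wide wildcards, Allow+NotAction, and privilege-escalation-capable actions on `Resource "*"`. The sample policies are constructed, and `PRIVESC_ACTIONS` is an assumed subset of well-known IAM escalation paths rather than an exhaustive list.

```python
"""Flag over-permissive IAM policy documents: full admin, service-wide
wildcards, NotAction grants, and privilege-escalation-capable actions on
Resource "*".

Added example, not from the original article and not Cloudsplaining's code.
PRIVESC_ACTIONS is an assumed subset of the well-known IAM escalation paths,
not an exhaustive list. Deny statements are ignored, so this is a coarse
first pass to triage, not a full policy evaluator.
"""
import fnmatch
import json

PRIVESC_ACTIONS = (
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:PassRole", "sts:AssumeRole", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """Does a policy action pattern such as iam:Create* cover a concrete action?"""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(policy):
    """Return finding codes ("<Sid>:<kind>[:<detail>]") for one policy document."""
    doc = policy if isinstance(policy, dict) else json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"stmt{i}")
        on_any_resource = "*" in _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append(f"{sid}:not_action")
            continue
        actions = _as_list(stmt.get("Action", []))
        if not on_any_resource:
            continue  # resource-scoped grants are left for manual review
        if "*" in actions:
            findings.append(f"{sid}:admin")
            continue
        service_wild = sorted(a for a in actions if a.endswith(":*"))
        if service_wild:
            findings.append(f"{sid}:service_wildcard:" + ",".join(service_wild))
        hits = sorted({p for p in PRIVESC_ACTIONS for a in actions if _grants(a, p)})
        if hits:
            findings.append(f"{sid}:privesc:" + ",".join(hits))
    return findings


# Constructed sample policies (account id and names are placeholders).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "All", "Effect": "Allow", "Action": "*", "Resource": "*"},
]}

DEVOPS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:CreateFunction", "iam:PassRole"],
     "Resource": "*"},
]}

# Scoped to the caller's own user: the same action is not flagged here.
SELF_SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManageOwnKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
]}


if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("devops", DEVOPS_POLICY),
                         ("self-service", SELF_SERVICE_POLICY)]:
        print(name, analyze_policy(policy) or ["ok"])
```

The `Deploy` statement illustrates why the resource matters: `iam:PassRole` plus the ability to create or update Lambda code on any resource lets a principal run code under any role it can pass, whereas the same `iam:CreateAccessKey` action restricted to `${aws:username}` is the standard self-service pattern and is not flagged.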

How to Perform Penetration Testing on AWS?

Identity and Access Management (IAM)

Identifying the assets (data stores, applications, and the identities that access them) is the first and most important phase of the penetration testing process. When reviewing IAM, check the following:

  • The root account has no access keys (delete any that exist).
  • Multi-factor authentication (MFA) is enabled, especially on the root account.
  • The root account is never used for automation or day-to-day tasks.
  • Dedicated service accounts or IAM roles are used for those tasks instead.
  • Each user has a single active access key, and access keys, SSH keys, and PGP keys are rotated regularly.
  • Unused accounts and credentials are removed.
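As an added example (not code from the original article), the checks above can be run offline against an IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns. The report below is constructed for illustration and omits the signing-certificate columns of the real report; the 90-day thresholds are an assumed policy, not an AWS rule.

```python
"""Audit an IAM credential report for root keys, missing MFA, stale and
duplicate access keys, and inactive users.

Added example, not from the original article. Input is the CSV returned by
`aws iam get-credential-report` (after base64 decoding). Only the standard
library is used, so the check runs offline on a saved report.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
UNUSED_DAYS = 90        # assumed inactivity threshold

# Constructed sample report (signing-certificate columns omitted). The root
# row uses the literal user name <root_account>, as the real report does.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-04-30T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-01-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,true,2022-07-01T00:00:00+00:00,N/A,N/A,N/A
deploy-old,arn:aws:iam::123456789012:user/deploy-old,2021-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-01-01T00:00:00+00:00,2022-01-01T00:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A
"""
# Fixed "now" so the sample gives stable results; use datetime.now(timezone.utc) on a live report.
AUDIT_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _age_days(now, value):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return {user: [finding codes]} for every principal with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        flags = []
        active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]

        # Root must have no access keys and must have MFA; it is never a daily-use identity.
        if is_root and active_keys:
            flags.append("root_access_key")
        if is_root and row["mfa_active"] != "true":
            flags.append("root_no_mfa")
        # Console users without MFA (root's password_enabled column reads not_supported).
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flags.append("no_mfa")
        # One active key per user; a second key usually means a rotation that never finished.
        if len(active_keys) > 1:
            flags.append("multiple_active_keys")

        last_used = [_age_days(now, row["password_last_used"])]
        for n in active_keys:
            age = _age_days(now, row[f"access_key_{n}_last_rotated"])
            if age is not None and age > MAX_KEY_AGE_DAYS:
                flags.append(f"stale_key_{n}")
            last_used.append(_age_days(now, row[f"access_key_{n}_last_used_date"]))
        # Inactive: neither the password nor any active key has been used recently.
        recent = [d for d in last_used if d is not None]
        if not recent or min(recent) > UNUSED_DAYS:
            flags.append("inactive")

        if flags:
            findings[user] = flags
    return findings


def audit_sample():
    """Run the audit on the constructed report at the fixed audit time."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for user, flags in audit_sample().items():
        print(f"{user}: {', '.join(flags)}")
```

On the constructed report, the root account is flagged for having an access key and no MFA, `bob` for a console password without MFA and two stale active keys, and `deploy-old` as an inactive automation user; `alice` passes. The same function works on a real report once it is saved to disk and decoded.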

Logical Access Control

After identifying your assets, the next step is to review the cloud access controls. Logical access control is the primary way to restrict which AWS services, processes, and individuals can reach each resource, and it involves assigning each identity only the tasks it needs to perform. The credentials for AWS accounts must be kept secure and protected.

S3 Buckets

An S3 bucket is a cloud storage container. It serves as a storage server and provides features such as access logging, versioning, encryption, and regional placement. To keep S3 buckets secure, make sure of the following two things:

  • Limit access to specific users with specific permissions (for example, the GET, PUT, DELETE, and LIST operations).
  • Enable access logging and versioning on the bucket.
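As an added example (not code from the original article), here is an offline assessment that ties together the Block Public Access setting from the "Public S3 Buckets" mistake above and the two bucket checks just listed. The inputs mirror the response shapes of the S3 API calls `get-public-access-block`, `get-bucket-policy`, `get-bucket-versioning` and `get-bucket-logging`; the bucket names, policy, and VPC endpoint id are constructed placeholders, and fetching the real values (for example with boto3) is left to the caller.

```python
"""Assess an S3 bucket's exposure: Block Public Access settings, anonymous
grants in the bucket policy, and whether versioning and access logging are on.

Added example, not from the original article. The inputs mirror the response
shapes of get-public-access-block, get-bucket-policy, get-bucket-versioning
and get-bucket-logging; the sample values are constructed.
"""
import json

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def classify_public_statements(policy_json):
    """Return finding codes for Allow statements that grant anonymous access."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no-sid>")
        if "Condition" in stmt:
            # A condition may or may not narrow the grant enough (aws:SourceVpce does,
            # aws:SecureTransport does not), so report it for manual review.
            findings.append(f"public_conditional:{sid}")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        write = any(a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")) for a in actions)
        findings.append(("public_write:" if write else "public_read:") + sid)
    return findings


def assess_bucket(public_access_block, policy_json, versioning, logging):
    """Combine the four checks into one list of finding codes for a bucket."""
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_SETTINGS if not pab.get(k)]
    if missing:
        findings.append("public_access_block_incomplete:" + ",".join(missing))
    if policy_json:
        findings.extend(classify_public_statements(policy_json))
    if versioning.get("Status") != "Enabled":
        findings.append("versioning_disabled")
    if "LoggingEnabled" not in logging:
        findings.append("logging_disabled")
    return findings


# Constructed sample: a misconfigured bucket and a locked-down one.
PUBLIC_SITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-site/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-public-site/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "UploadsFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-public-site/uploads/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

SAMPLE_BUCKETS = {
    "example-public-site": dict(
        public_access_block={"PublicAccessBlockConfiguration": {k: False for k in PAB_SETTINGS}},
        policy_json=PUBLIC_SITE_POLICY, versioning={}, logging={}),
    "example-private": dict(
        public_access_block={"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}},
        policy_json=None, versioning={"Status": "Enabled"},
        logging={"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}}),
}


def assess_sample_buckets():
    """Assess every constructed bucket; returns {bucket name: [finding codes]}."""
    return {name: assess_bucket(**args) for name, args in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for name, findings in assess_sample_buckets().items():
        print(name, findings or ["ok"])
```

Note that a `Deny` statement with `Principal "*"` (the `DenyInsecure` statement) is not public exposure and is skipped, while an `Allow` to `*` behind a condition is reported separately rather than silently accepted, since whether the condition actually closes the hole depends on which condition key is used.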

Database Service

Most web services depend on a database in some way, so it is crucial to take the necessary steps to protect your application's database. The main considerations during a security audit are:

  • Use a Multi-AZ deployment for availability.
  • Restrict network access to specific IP addresses or security groups, and do not expose the database publicly.
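As an added example (not code from the original article), the following check covers both database considerations above and the missing network segmentation discussed under "Missing Authentication and Network Segmentation": it flags RDS instances that are publicly accessible or single-AZ and walks their security groups for ingress rules that reach the database port. The inputs mirror the response shapes of `aws rds describe-db-instances` and `aws ec2 describe-security-groups`; the group ids, instance names, and CIDRs are constructed, and live retrieval (for example with boto3) is the caller's job.

```python
"""Check RDS instances for public exposure, missing Multi-AZ, and security
group ingress rules that open the database port to the world.

Added example, not from the original article. The inputs mirror the response
shapes of describe-db-instances and describe-security-groups; the sample
values are constructed.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    """True if an IpPermissions entry applies to a TCP port (-1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ingress_sources(sg, port):
    """Return (kind, value) pairs for every source allowed to reach `port`:
    ('cidr', '10.0.1.0/24') or ('sg', 'sg-app')."""
    sources = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        sources += [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
        sources += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
        sources += [("sg", p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])]
    return sources


def assess_db_instances(db_instances, security_groups):
    """Return {db identifier: [finding codes]}."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    report = {}
    for db in db_instances:
        findings = []
        if db.get("PubliclyAccessible"):
            findings.append("publicly_accessible")   # endpoint resolves to a public IP
        if not db.get("MultiAZ"):
            findings.append("single_az")             # no standby for failover
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            sg = sg_by_id.get(ref["VpcSecurityGroupId"])
            if sg is None:
                continue
            for kind, value in ingress_sources(sg, port):
                if kind == "cidr" and value in WORLD_CIDRS:
                    findings.append(f"world_open:{sg['GroupId']}:{port}")
                elif kind == "cidr":
                    # Reachable from a CIDR rather than an application security group: review.
                    findings.append(f"cidr_ingress:{sg['GroupId']}:{value}")
        report[db["DBInstanceIdentifier"]] = findings
    return report


# Constructed samples.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-db-open", "GroupName": "db-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db-tight", "GroupName": "db-tight", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-mysql", "Engine": "mysql", "Endpoint": {"Port": 3306},
     "PubliclyAccessible": True, "MultiAZ": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-open", "Status": "active"}]},
    {"DBInstanceIdentifier": "analytics-pg", "Engine": "postgres", "Endpoint": {"Port": 5432},
     "PubliclyAccessible": False, "MultiAZ": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-tight", "Status": "active"}]},
]


def assess_sample():
    """Run the check on the constructed instances and groups."""
    return assess_db_instances(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS)


if __name__ == "__main__":
    for db, findings in assess_sample().items():
        print(db, findings or ["ok"])
```

The all-traffic rule (`IpProtocol "-1"`) on `sg-db-open` is the case people miss: it carries no port range, yet it reaches the database port and so must be treated as covering it. Sources that are other security groups are the preferred pattern and are not flagged.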

Steps to Take After Performing AWS Penetration Testing

Listed below are the steps to be undertaken post-AWS penetration testing:

  • A report is produced from the pen test, including recommendations, and shared with the organization.
  • The report will contain findings of higher and lower risk. Higher risks pose a greater threat and must be dealt with first; in other words, address the findings in priority order from high to low.
  • After a finding is remediated, the pen-testing company should run a verification test to confirm it has been fixed properly.
  • If the report is shared with a third party or with the organization's clients, it should also include how the issues were resolved.
  • Distribute reports carefully, because they can easily be exploited if they fall into the wrong hands.

AWS Penetration Testing VS Traditional Penetration Testing

Traditional infrastructure and the AWS cloud are penetration tested in different ways, and most of the differences come down to who owns the systems. Since Amazon owns the underlying infrastructure, classic "ethical hacking" techniques aimed at that layer would violate AWS's acceptable use policy and may trigger incident response by the AWS security team.

In contrast, AWS penetration testing focuses on user-owned assets, the configuration of user permissions, and the use of the tightly integrated AWS APIs. Examples include compromising AWS IAM keys, testing S3 bucket configuration, gaining persistence through backdoored Lambda functions, and evading or disabling CloudTrail logging.

Conclusion

  • AWS Penetration Testing helps businesses find and address security problems in their AWS infrastructure.
  • User Operated Services are AWS services created and configured by the customer. Vendor Operated Services are created, managed, and configured by the vendor.
  • AWS allows security assessments of customer-owned AWS assets, including port scanning, vulnerability scanning, web application scanning, exploitation, forgery, injection, fuzzing, and similar techniques.
  • Common mistakes to avoid while pentesting AWS include ignoring AWS's testing limits, leaving S3 buckets public, and granting too many permissions.
  • The AWS penetration testing process has some limitations on what may be tested.