AWS Penetration Testing | All You Need to Know

Amazon Web Services (AWS) has over a million users in around 190 countries and is an ever-growing, widely adopted platform as more and more companies move toward a cloud environment.

But as with every technology, AWS is also prone to data breaches. The number of breaches is lower than for on-premise infrastructure because the technology is fairly new, but maintaining information security is becoming a rising concern for business owners everywhere.

In this article, we will look at what AWS penetration testing is, why it is important for businesses and, if you are a penetration tester, what techniques and strategies you should use to find AWS vulnerabilities.

What is Amazon Web Services (AWS)?

Before diving into how security assessments for AWS assets take place, we must first learn what AWS is. AWS is a robust cloud computing platform that offers over 90 different cloud-based services including computing power, storage space, content delivery and other functionalities that assist businesses in scaling their online presence. AWS allows businesses to:

  • Host and run dynamic web applications on AWS servers with high computing and high bandwidth.
  • Store their data and files while still allowing them access from anywhere.
  • Host managed databases like Oracle or MySQL on AWS cloud servers to store information processed by applications.
  • Provide smooth delivery of static and dynamic files via a Content Delivery Network (CDN).
  • Send bulk emails to their customers.

Services provided by AWS

AWS provides its users with many services including but not limited to application services, mobile services, analytics, networking, storage, infrastructure, security and deployment services. Below, we briefly cover a few of the most common services a penetration tester may come across during their engagements.

S3 Bucket

Simple Storage Service is an AWS cloud storage space provided to AWS users. Typically known as S3 buckets, this service provides the users with highly scalable storage space with an infinite capacity.

The bucket acts as a container, and objects such as files, backups, media, documents, photos, source code etc. are stored inside it. This saves business owners a lot of overhead in terms of capacity management, backups and retrieval times, as a company can store and retrieve any amount of data over the internet.

S3 buckets also provide security features, where the bucket owners can define ACLs or Access Control Lists to prevent unauthorised read or write access in their buckets. 

EC2

EC2 or Elastic Compute Cloud is the most widely used service that AWS offers. This is a compute engine or platform where business owners can create virtual machines (servers, GPUs, general-purpose etc.). Each EC2 instance is a separate machine that users can use to deploy their applications.

The instances are like templates where users can choose the operating systems, disk sizes, RAM, processors etc and create a machine fit for their needs.

Identity and Access Management (IAM)

Amazon Web Services also provides users with an Identity and Access Management (IAM) service which is used to manage privileges. Administrators can assign roles, groups and policies according to the permission required and implement appropriate access controls. The AWS IAM can be configured in combination with all other Amazon services.

AWS Lambda

AWS Lambda is a serverless computing service or FaaS (Function as a Service). Using Lambda, users can run code in response to events. The Lambda service automatically manages the underlying computation resources, leaving a hassle-free experience for its users.

What is the need to pentest AWS assets?

Migrating infrastructure to the cloud does not relieve an organisation from the threat of a cyber attack or a data breach; just as with on-premise infrastructure, cloud infrastructure is also prone to cyber-attacks. The approach towards AWS assets and the types of attacks targeted at them are different, but inherently these assets are also vulnerable.

It is important to treat the cloud infrastructure the same as an on-premise infrastructure when it comes to information security. Assets must be tested for vulnerabilities by penetration testers to identify all possible entry points for an attacker to compromise the company’s assets. 

Does AWS allow anyone to perform penetration testing?

Yes, AWS does allow its users to perform penetration testing on their deployed applications or systems; however, there are defined boundaries as to what AWS allows penetration testers to do. Before 2019, explicit permission needed to be taken from AWS, but now AWS has removed this requirement.

For user-operated services, which include cloud offerings that the users themselves can create and configure, such as EC2 instances, AWS allows the users to fully test the instances, excluding tests like Denial of Service (DoS) or any other type of attack that disrupts continuity and availability.

For vendor-operated services, which means cloud offerings managed or configured by third parties, AWS only allows penetration testing of the configuration and implementation of the cloud environment. All other areas, including the underlying infrastructure, are not allowed to be tested.

Why is it important to pentest AWS?

As discussed earlier, AWS is being adopted at a very fast pace by many organisations around the world. Because of this, more and more businesses are realising that it is important not to rely only on the existing AWS security measures but also to implement their own controls.

For every organisation, validating their AWS configuration and implementation should be a part of their cyber security plan and policy. AWS itself also recognises the need to do so in supporting the shared responsibility model, and allows its users to perform security assessments of their applications, instances, operating systems etc.

Some of the reasons why it is necessary to perform penetration testing for AWS assets are:

  • AWS has the “shared responsibility model” which many users do not have a clear understanding of. This flawed understanding leads to organisations underestimating the amount of risk that they are responsible for.
  • While configuring AWS controls and security checks, organisations more often than not unknowingly grant excessive permissions or open-wide security groups.
  • Multifactor authentication mechanisms are not implemented properly; this becomes particularly critical with social engineering attacks on the rise.
  • To remain compliant with various international standards.
  • Identifying and mitigating vulnerabilities found in the infrastructure to protect from cyber-attacks and data breaches.

AWS penetration testing vs. Traditional penetration testing?

The methodologies and approaches used in AWS penetration testing differ in a multitude of ways from traditional pentesting. The first and most important difference comes from the ownership of the asset being tested.

AWS is a subsidiary of Amazon, which owns all the core infrastructure. Because of this ownership difference, many of the tests and strategies involved in a traditional pentest cannot be replicated in an AWS infrastructure, as they violate the AWS acceptable use policy. In some cases, the typical pentesting procedures clash with the AWS policies and could be prohibited altogether, or could potentially invoke the incident response team of the AWS security department.

Broadly speaking, there are four areas that can be tested fully without any issues while conducting an AWS pentest activity:

  1. The external infrastructure of a company’s AWS cloud.
  2. The applications owned by a company and hosted on AWS.
  3. The internal infrastructure of a company’s AWS cloud.
  4. AWS configuration review, including IAM policy reviews.

Types of AWS Penetration Testing

The security testing performed on an AWS environment can be categorised into two areas: the first is the security of the cloud and the second is security in the cloud.

Security of the cloud

When we say the security of the cloud, this essentially means the security of the AWS cloud platform itself. This includes the security of all the services that AWS provides along with their cloud security. The responsibility for securing the cloud platform lies with Amazon, which can test the cloud using internal or external security engineers.

Amazon must ensure that all their products are up to date, there are no vulnerabilities or zero-days, login flaws or business flaws that can be exploited at any time, resulting in disruption of the AWS services to its millions of users.

Security in the cloud

When we say security in the cloud, it means the security of the assets and instances deployed in the AWS cloud platform. This is the responsibility of the company or resource owner to ensure that whatever application, assets, systems they have deployed in the AWS infrastructure are secure. 

Companies can employ internal or third-party security testers to test their applications or systems deployed in the cloud for vulnerabilities and fix any issues found. More often than not, pentesters will come across this category in which a company is using AWS for their virtual infrastructure.

What areas in AWS can be tested?

Amazon allows for pentesters to perform security assessments on specific areas in the AWS EC2 instances, these areas include:

  • The API i.e. Application Programming Interface can be tested for API flaws and misconfigurations.
  • The web applications hosted by a company on EC2 instances can be tested.
  • The programming logic and business flows can be tested.
  • The virtual machines and operating systems deployed on an EC2 instance can be tested. 

Common vulnerabilities to check in AWS

While there can potentially be many vulnerabilities that are AWS-specific depending on the deployment and configurations made, a few of the most common vulnerabilities a pentester may come across are described below:

  1. S3 buckets misconfiguration. More often than not, while testing S3 buckets, permissions and access control issues are found. Here an anonymous or unauthorised user can add, delete, modify files in the S3 buckets without the owner’s consent.
  2. Disclosed AWS IAM keys can be used for targeting and compromising the IAM accounts.
  3. AWS CloudFront or WAF bypasses and misconfigurations.
  4. Using Lambda backdoor functions to create and establish private cloud access.
  5. CloudTrail logs can be obfuscated to hide and cover tracks when performing any malicious activities.

Controls you should test on your AWS assets

During a pentest, the security tester should focus on all controls that are within the scope. However, to streamline the process, we have compiled a list of controls in the areas of governance, network management, cryptography and logging and monitoring, that all pentesters must at least check while performing their tests.

Governance

Governance covers the policies defined and the way entities or objects are controlled within the AWS infrastructure. While testing the governance areas, make sure to:

  • Analyse access policies.
  • Understand the AWS usage and implementation.
  • Analyse and identify the assets and AWS boundaries.
  • Go through all documentation and inventory.
  • Analyse the IT security and program policy.

Network Management

When looking at the AWS infrastructure and network design and implementation, make sure to:

  • Analyse and verify all network security controls.
  • Identify and analyse all physical links.
  • Analyse how access is granted and revoked to resources.
  • Check for isolated environments.
  • Go through all documentation and inventory.
  • Check how the assets respond to DDoS attacks.
  • Check how the assets respond in case a malicious code is introduced.

Encryption Control

When testing the cryptographic and encryption controls, make sure to:

  • Check AWS console access for misconfigurations.
  • Check AWS API access for misconfigurations.
  • Analyse the IPSec tunnels.
  • Check the SSL key management.
  • Verify that keys/PINs/secrets are protected at rest and in motion.

Logging and Monitoring

Logging and monitoring is a crucial control in case any troubleshooting or investigation is required. Make sure to:

  • Check if centralised log storage is in place.
  • Review policies to check adequate logging and monitoring is in place.
  • Review IAM credential reports.
  • Check if logs are being aggregated from multiple sources.
  • Analyse logs to check if there is any sensitive data being logged.

How to Pentest AWS?

AWS allows its users to perform penetration testing for user-operated services, which means the cloud offering or services that users can create and configure themselves. Some of the areas that are allowed to be tested in an AWS environment include:

  • AWS EC2 instances, excluding tests that can cause any form of denial of service or negatively impact business continuity. 
  • The implementation and configuration of AWS services being used.
  • Configuration and bypasses for services like CloudFront, API gateways, hosted web and mobile applications, APIs, programming logic etc.
  • Virtual machines and operating systems hosted.

Some of the areas that should be included in pentesting AWS assets are the IAM, logical access control, S3 buckets and database services. 

Identity and Access Management (IAM)

The first step in any penetration testing or ethical hacking activity is reconnaissance, which means collecting data and information about the target. When talking about AWS, it is important to identify the assets, data stores and applications that are being used. When a penetration tester is performing the recon stage or asset identification, there are a few things to keep in mind:

  • Check for keys in the root AWS account, these should ideally be removed.
  • Check if multifactor authentication is implemented and if so review the configuration.
  • Verify if root accounts are being used for daily tasks. This should be avoided at all times.
  • Verify that the access to service accounts is restricted.
  • Verify if multiple keys are being used per person. Ideally, one key per person should be used.
  • Analyse the time period for changing SSH and PGP keys, these should be changed frequently.
  • Analyse all user accounts and identify any inactive security accounts. These should be deleted.
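
Several items in this checklist can be read straight from the IAM credential report, the per-account CSV that IAM generates. The Python below is an added example, not code from the original article; the sample rows, the finding labels and the 90-day and 30-day thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the columns of an IAM credential report.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2024-05-30T08:00:00+00:00,false,true,2024-05-29T10:00:00+00:00,false,N/A
alice,true,2024-05-28T09:00:00+00:00,true,true,2024-05-30T12:00:00+00:00,false,N/A
bob,true,2024-05-01T09:00:00+00:00,false,true,2024-05-20T12:00:00+00:00,true,2024-04-02T12:00:00+00:00
old-contractor,true,2023-01-10T09:00:00+00:00,true,true,2023-01-11T12:00:00+00:00,false,N/A
ci-deploy,false,N/A,false,true,2024-05-31T01:00:00+00:00,false,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def parse_time(value):
    """Return an aware datetime, or None for placeholders such as 'N/A'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(csv_text, now, inactive_days=90, root_recent_days=30):
    """Return (user, finding) pairs for the IAM checklist items."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        # Most recent sign-in or API call made with a currently usable credential.
        seen = [parse_time(row["password_last_used"])]
        seen += [parse_time(row[f"access_key_{n}_last_used_date"]) for n in active_keys]
        seen = [t for t in seen if t is not None]
        last_seen = max(seen) if seen else None
        has_console = is_root or row["password_enabled"] == "true"

        if is_root and active_keys:
            findings.append((user, "root-access-key"))
        if is_root and last_seen and now - last_seen <= timedelta(days=root_recent_days):
            findings.append((user, "root-in-use"))
        # mfa_active is checked for console users; key-only service users are skipped.
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        if not is_root and len(active_keys) > 1:
            findings.append((user, "multiple-keys"))
        stale = last_seen is None or now - last_seen > timedelta(days=inactive_days)
        if not is_root and (has_console or active_keys) and stale:
            findings.append((user, "inactive"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```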

Logical Access Control

The area to focus the security testing on is how the company manages access control in the cloud. This includes the process of assigning permissions to resources. Logical access control manages access to the resources, processes and users of AWS.

Make sure that these access control policies are configured correctly and there are no issues of broken authorisation or broken access control.

Additionally, the credentials for AWS accounts must also be stored in a secure location.

S3 Buckets

As discussed earlier, S3 buckets are storage spaces provided to businesses. This storage service provides features like access logging, versioning and encryption.

The main area where S3 buckets become vulnerable is when permissions (GET, PUT, DELETE etc) are not configured properly, resulting in unauthorised users getting access to the bucket where they can view, add, delete or modify company-owned data.

Always make sure to check if the permissions are implemented correctly and whether the logging is enabled or not. 
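
The permission and logging checks described above can be automated against the JSON documents S3 returns for a bucket's ACL, policy and logging configuration. The Python below is an added example, not code from the original article; the sample documents, the bucket name, the account ID and the finding strings are constructed for illustration.

```python
import fnmatch

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Object-level actions behind the GET, PUT and DELETE permissions named above.
WATCHED_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

# Constructed samples in the shapes returned by GetBucketAcl, GetBucketPolicy
# and GetBucketLogging.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
SAMPLE_LOGGING = {}  # no LoggingEnabled key means access logging is off


def as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for "Principal": "*" and for {"AWS": "*"}, also inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def audit_bucket(acl, policy, logging):
    """List public ACL grants, anonymous policy allows and missing logging."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant["Grantee"].get("URI"))
        if group:
            findings.append(f"acl: {group} has {grant['Permission']}")
    # NotPrincipal and NotAction statements are not evaluated in this example.
    for stmt in as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        for action in WATCHED_ACTIONS:
            # Action names are case-insensitive and may contain wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                note = " (conditional)" if "Condition" in stmt else ""
                findings.append(f"policy: anonymous {action}{note}")
    if "LoggingEnabled" not in logging:
        findings.append("logging: server access logging disabled")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LOGGING)))
```

Account-level or bucket-level Block Public Access settings can override these grants, so treat each hit as an item to confirm against the effective configuration.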

Database Service

For any web service or web application, the database is the most important component. Businesses should ensure that they follow the necessary steps for securing the database of their application. While performing a security assessment, consider the following points:

  • Check if regular backups are being taken.
  • Verify that multi-AZ deployment methods are used.
  • Verify that access to databases is only allowed for specific IP addresses. 
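
For the last point, the ingress rules of the security groups attached to a database show whether its port is reachable from any address. The Python below is an added example, not code from the original article; the group IDs and rules are constructed, and the port list beyond MySQL and Oracle is an assumption about what else may be deployed.

```python
import ipaddress

# Default ports: MySQL and Oracle are named on this page; PostgreSQL and
# SQL Server are added as an assumption.
DB_PORTS = {3306: "MySQL", 1521: "Oracle", 5432: "PostgreSQL", 1433: "SQL Server"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb-example-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 2000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc-example-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []},
    ]},
]}


def exposed_ports(rule):
    """Database ports covered by one ingress rule; protocol -1 is all traffic."""
    if rule["IpProtocol"] == "-1":
        return sorted(DB_PORTS)
    if rule["IpProtocol"] != "tcp":
        return []
    return [p for p in sorted(DB_PORTS) if rule["FromPort"] <= p <= rule["ToPort"]]


def world_open_db_rules(described):
    """Return (group_id, port, cidr) for DB ports reachable from any address."""
    hits = []
    for group in described["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # Prefix length 0 is 0.0.0.0/0 or ::/0: no source restriction.
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue
                hits += [(group["GroupId"], port, cidr) for port in exposed_ports(rule)]
    return hits


if __name__ == "__main__":
    for group_id, port, cidr in world_open_db_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {DB_PORTS[port]} port {port} open to {cidr}")
```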

Things you can not pentest in AWS

As discussed earlier, there is a major difference between AWS penetration testing and traditional penetration testing due to the aspect of ownership of the assets. There are a few areas that AWS does not allow to be tested by its users, and users, in general, should not perform any test on these areas as it can result in legal implications.

The parts of AWS that should not be tested by any user include:

  • Services, systems, servers or applications that belong to AWS (for example the SaaS offerings).
  • The physical hardware machines, infrastructure, facilities or underlying technologies that belong to AWS.
  • EC2 instances that belong to any vendor or other organisation.
  • Security appliances that are managed by vendors or other organisations.
  • Amazon’s small or micro Relational Database Service (RDS).

Advantages of AWS pentesting

As with all other security assessments, performing a pentest on your AWS assets also has many advantages and benefits. The first is that after a pentest is conducted the company will gain a clear image of how secure their AWS environment is, and if any vulnerabilities are found, they can be fixed resulting in a much more secure infrastructure. 

When a company is tested internally as well as by a third-party penetration tester, the customers gain a sense of trust and confidence that the applications or services they are using are secure.

Other than this, organisations that conduct penetration tests regularly become compliant with many international standards including GDPR, PCI-DSS, ISO-27001 etc. These compliances can help the businesses in attaining a trustworthy reputation along with other business benefits.

Challenges of AWS pentesting

AWS penetration testing is not an easy task. For starters, the skills, strategy and techniques for assessing vulnerabilities in a cloud environment require specific knowledge of not just penetration testing but also of cloud security, infrastructure and environment. A penetration tester must be well-versed in all these areas before the actual security assessment begins.

Since this type of penetration testing demands a specific skill set, the activity can become a bit costly for the organisations. Even if a company has the budget, the timelines for this type of testing may be more than the traditional pentests.

AWS is constantly updating its services, and as with any other pentest, if changes are made during the activity or after the activity, those changes might not be tested and any security risk in those changes will not be reflected in the pentesting report.

Nevertheless, the advantages weigh more than the challenges and all companies should invest in periodic security assessments of their AWS assets.

Tools used in AWS pentesting 

There are many open-source tools available for security testers to explore and try during their AWS pentest engagements. A few of these tools are described below with their functionality.

PMapper

The Principal Mapper (PMapper) is a script that identifies security risks introduced by misconfigurations of AWS IAM for an AWS account or AWS organisation. The tool outputs a graphical representation that shows possible configuration flaws such as privilege escalation or alternate paths for cyber attacks.

AWS-inventory

This tool can be used to discover and list down all the AWS resources created in an AWS account. This can be useful when a penetration tester needs to map out the attack surface and perform reconnaissance.

Bucket_finder

Bucket_finder is a Ruby-based script that can be used to find sensitive information in Amazon S3 buckets.

Prowler

Prowler is a command-line tool that can be used to check AWS security best practices and perform security audits, including hardening guidelines from the CIS Amazon Web Services Foundations Benchmark. This tool can be especially helpful when conducting an AWS security audit.

CloudSploit

CloudSploit is an open-source project created by Aqua which allows pentesters to detect AWS security risks in cloud environments. The scripts return a series of potential misconfiguration flaws that the cloud infrastructure may have.

Cloudsplaining

Cloudsplaining can be used to test IAM security. This tool identifies violations caused by incorrect implementation of least privilege. After the assessment is complete, the user is given a detailed HTML-based report with all the discovered vulnerabilities.

Pacu

Rhino Security Labs has developed an open-source framework, Pacu, for aiding penetration testers in performing security testing for cloud environments. Pacu gives pentesters a wide range of modules that can be used to exploit configuration flaws in AWS accounts and expand their functionality. Attacks such as privilege escalation, creating backdoors in IAM users, attacking vulnerable Lambda functions and many more can be achieved with Pacu.

The post AWS Penetration Testing | All You Need to Know appeared first on Cyphere | Securing Your Cyber Sphere.

*** This is a Security Bloggers Network syndicated blog from Cyphere | Securing Your Cyber Sphere authored by Editor. Read the original post at: https://thecyphere.com/blog/aws-penetration-testing/