Blessed are the Geeks, for they shall internet the earth

Pen Testing in AWS

by Joe Ritchey


Posted on Sat 10 November 2018 in Security



Pen testing is an authorized simulated attack on a computer system, performed to evaluate the security of the system. 1 In human words, it's you (or someone you hire to) testing your own systems for security problems. When you are running in a brick and mortar DC2. This is usually scheduled a time range with your teams and letting OpenVAS loose. When its not your hardware and you are in the cloud things change. Your cloud provider should be watch for these scans and running a un-annouced pen tested is a great way to get your IP blocked.

AWS3 is the leading cloud provider. AWS like other cloud providers, are going to be doing some monitoriing of things happening in thier cloud. Pen tests are often indistinguishable from traffic that would be consider malicious or would violate AWS' terms of service. To stay off the AWS naughty list you will need to submit a Vulnerability a Penetration Testing Request Form to them. You will have to do this through your root account (your root account is proctected by MFA right!). Gather up info about the resources you want to test before filling out the form. Be prepared with the Instance IDs, IP destination address (to be tested), IP source addresses (where you are testing from).

The AWS policy only permits the testing of the following reources:

  • EC2
  • RDS
  • Aurora
  • CloudFront
  • API Gateway
  • Lambda
  • Lightsail
  • DNS Zone Walking

The AWS policy also does not permit testing against small or micro RDS and EC2 instance types. Your testing could squish these little guys. This sounds like the penetration testing dilemma doesn't it. The first thing a company does when starting pen testing is make a list of things to not test.

Once your request form has been submitted allow two business days for your request to be reviewed.


1 https://en.wikipedia.org/wiki/Penetration_test

2 Data Center

3 That's Amazon Web Services in case you have been in a Network Admin cave for the last 10 years and only have to support COBOL running on a AIX platform. You can go back to your RS-232 terminal now.