AWS Penetration Testing – Penetration Testing Policy and Scoping

Amazon Web Services (AWS) operates a shared responsibility model for security. This means that Amazon looks after the infrastructure which makes up the cloud, such as the hardware, software and networking, while the customer is responsible for ensuring that any services and applications they run are fully up to date and configured securely.

Amazon allows customers to perform penetration and security testing against their own AWS infrastructure without any prior permission. However, any testing must only be performed on “permitted services”. You can find a full list of permitted services in the official AWS Penetration Testing guide.

Prohibited testing methods

Amazon details prohibited testing and attack methods in their testing guide. These include the following:

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • DNS hijacking via Route 53
  • DNS Pharming via Route 53
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

It’s worth keeping in mind that, although Denial of Service methods are prohibited, there are policies and forms which you’re able to submit to Amazon to get permission to conduct such tests. For more information, you can check out their DDoS Simulation Testing Policy.

Should you be unsure whether your testing methodology complies with the testing guide, you would need to contact the Amazon support team.

Lastly, and most importantly, any penetration tests which are conducted must be fully authorised by the account holder. Testing without prior permission is against the law and can come with several consequences.

Scoping the target

During the initial phase of scoping, you’ll have the opportunity to detail the services which the customer is using. This is a great chance to confirm that any planned tests would comply with the testing guide.

AWS offers over 200 different services, so it’s important to identify which services are within scope for the penetration test. Furthermore, it could also be advantageous to enquire about any users and policies which are in place, as this streamlines the enumeration and information-gathering stages.
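As a worked example of the scoping step above (added here, not code from the original article), the script below takes an IAM authorisation dump in the shape of `aws iam get-account-authorization-details` output, maps each user to the AWS services their policies grant, and flags any services that fall outside the scope agreed with the customer. Interpreting the article’s “policies” as IAM policies is an assumption, the sample account data is constructed, and the `in_scope` set stands in for whatever the customer has agreed.

```python
"""Scoping aid: map IAM users to the services their policies allow, then flag
anything outside the agreed test scope.  The input mirrors the shape of
`aws iam get-account-authorization-details` output (field names assumed)."""

# Constructed sample modelled on that output; not data from any real account.
SAMPLE_AUTH_DETAILS = {
    "UserDetailList": [
        {
            "UserName": "app-deployer",
            "AttachedManagedPolicies": [
                {"PolicyName": "DeployPolicy",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/DeployPolicy"}
            ],
            "UserPolicyList": [
                {"PolicyName": "inline-dns",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow",
                      "Action": ["route53:ChangeResourceRecordSets"],
                      "Resource": "*"}]}}
            ],
        },
        {
            "UserName": "analyst",
            "AttachedManagedPolicies": [
                {"PolicyName": "ReadOnlyLogs",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/ReadOnlyLogs"}
            ],
            "UserPolicyList": [],
        },
    ],
    "Policies": [
        {"PolicyName": "DeployPolicy",
         "Arn": "arn:aws:iam::123456789012:policy/DeployPolicy",
         "PolicyVersionList": [
             {"IsDefaultVersion": True, "Document": {"Statement": [
                 {"Effect": "Allow",
                  "Action": ["s3:PutObject", "s3:GetObject",
                             "lambda:UpdateFunctionCode"],
                  "Resource": "*"}]}}]},
        {"PolicyName": "ReadOnlyLogs",
         "Arn": "arn:aws:iam::123456789012:policy/ReadOnlyLogs",
         "PolicyVersionList": [
             {"IsDefaultVersion": True, "Document": {"Statement": [
                 {"Effect": "Allow",
                  "Action": ["logs:*", "cloudwatch:GetMetricData"],
                  "Resource": "*"}]}}]},
    ],
}


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_prefixes(document):
    """Return the service prefixes (the part before ':') allowed by a policy document.

    A bare "*" action is kept as "*" because it spans every service."""
    prefixes = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen what a user can reach
        for action in _as_list(stmt.get("Action")):
            prefixes.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return prefixes


def _default_documents(details):
    """Managed policy ARN -> the document of its default (active) version."""
    docs = {}
    for policy in details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                docs[policy["Arn"]] = version["Document"]
    return docs


def services_per_user(details):
    """User name -> set of service prefixes reachable via inline and attached policies."""
    managed = _default_documents(details)
    result = {}
    for user in details.get("UserDetailList", []):
        services = set()
        for inline in user.get("UserPolicyList", []):
            services |= service_prefixes(inline["PolicyDocument"])
        for attached in user.get("AttachedManagedPolicies", []):
            doc = managed.get(attached["PolicyArn"])
            if doc is not None:
                services |= service_prefixes(doc)
        result[user["UserName"]] = services
    return result


def scope_report(details, in_scope):
    """For each user, the services their permissions touch that are NOT in the agreed scope."""
    agreed = {s.lower() for s in in_scope}
    return {user: sorted(svc for svc in services if svc not in agreed)
            for user, services in services_per_user(details).items()}


if __name__ == "__main__":
    for user, extra in scope_report(SAMPLE_AUTH_DETAILS, {"s3", "lambda"}).items():
        print(f"{user}: out-of-scope services -> {extra or 'none'}")
```

Run against a real dump, the report gives you a concrete list of users whose permissions reach services the customer has not put in scope, which is exactly the conversation to have before testing starts (here, `app-deployer` can change Route 53 records, a service that sits next to several of the prohibited methods). The script deliberately only follows inline and directly attached user policies; group membership and roles also grant permissions and would need the same treatment in a full inventory.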
