

Amazon AWS Penetration Testing


Cloud computing has been generating a buzz for a few years now and is continuing to grow at a rapid rate. In fact, cloud computing-related skills are predicted to be the number one sought-after hard skill in 2019 for businesses and employers. Amazon Web Services (AWS) is one of the largest cloud service providers and offers an extensive suite of services that appeal to businesses, hobbyists, professionals and students because of its scalability, cost, availability, flexibility and more.

Getting a service or website online with AWS can take as little as 10 minutes by following one of the 45 million tutorials that turn up in search results. While following a tutorial to get familiar with AWS might be a handy introduction, it does not fully educate someone in properly deploying internet-facing services securely.

News articles and online forums are riddled with stories of business owners and system administrators receiving a rude awakening at the end of their billing cycle, with charges totaling tens of thousands of dollars in a single month. A few weeks ago, Facebook was found to have an insecure Amazon S3 bucket containing over 146GB of data affecting over 540 million Facebook users.

Currently, there are over 1.5 million search engine results for related stories affecting G7 countries, Fortune 500 companies and entrepreneurs around the world.

Why is Amazon AWS unique?

AWS offers a plethora of services and requires trained professionals to successfully design, engineer and implement them in both a functional and secure manner; the same goes for evaluating the security of an AWS-hosted platform. Moving traditional websites to cloud services saves on average over 30% in costs, but only if done correctly and securely.

Many of the AWS services are Software as a Service (SaaS), which uses shared hosting with multiple tenants using the same physical resources and servers, and cannot be tested in the same manner as traditional applications and services hosted on dedicated hardware. Elastic Compute Cloud (EC2) is one of Amazon's most popular services; the specific areas of this service that penetration testing can be performed on include:

  • Web and mobile applications

  • Application Programming Interfaces (APIs)

  • Application server and underlying technology stack (PHP, Python, Apache, Go, Ruby, etc)

  • Virtual Machine and Operating Systems

IAM Policies and S3 Bucket Policies


Figure 1: Amazon IAM and S3 Policies

Amazon S3 Buckets are used for storing and accessing data in a secure manner, by default access to S3 buckets and their data is private and secure. Bucket policies need to be relaxed intentionally to make them accessible to the public, potentially resulting in insecure configurations, which has been the underlying cause of many breaches involving Amazon AWS.

Issues affecting Amazon S3 buckets are typically related to:

  • Buckets with listable contents: anonymous users can see the file names of data stored in a bucket

  • World-readable buckets: any anonymous user can read all data stored in the bucket

  • World-writable buckets: any anonymous user can modify data and upload new data to a bucket.

S3 Bucket policies apply to a single bucket and the keys within that bucket. Bucket policies are the most straightforward method of managing and defining access to buckets and are best used in a scenario where you have a simple configuration such as a web application with static content that needs to be read-only to the public. Bucket policies are easy to read and are also responsible for controlling key lifecycles and versioning.

IAM policies are fine-grained policies used for controlling access to Amazon AWS resources, such as an EC2 instance; these policies can be specified on a per-user basis, or applied to groups or roles. If a user or an AWS resource such as a specific EC2 instance or Lambda function needs to access one or more buckets, defining IAM policies is the best approach when multiple different resources require different permissions, and it helps to ensure a model of least privilege is applied for each resource that requires access.

  • IAM policies specify what actions are allowed or denied on what AWS resources.

  • IAM policies are best used when you are interested in “What can this user do in AWS?”

  • An S3 bucket policy is for a specific S3 bucket only. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to.

  • S3 bucket policies are best used when you are interested in “Who can access this S3 bucket”.

S3 Access Control Lists (ACLs) are considered legacy. If you have an S3 ACL in use that suits your needs, there is no need to change it; if you are looking into switching to AWS or creating new S3 objects and buckets, it is recommended to go with IAM policies and S3 bucket policies.
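As an added example that is not part of the original post, the following Python script inspects a bucket policy document offline and reports which of the three exposures listed above (listable, world-readable, world-writable) it grants to anonymous principals. The bucket name and both sample policies are constructed placeholders; the second one is the static-content case the text describes, where public GetObject is intentional but listing and writing are not granted.

```python
# Added example (not from the original post): flag the anonymous-access
# misconfigurations the text lists by inspecting a bucket policy's JSON.
# No AWS calls; both sample policies below are constructed for illustration.
import json

# S3 action -> the exposure class described in the text.
EXPOSURE = {
    "s3:ListBucket": "listable",        # anonymous users can enumerate object keys
    "s3:GetObject": "world-readable",   # anonymous users can download every object
    "s3:PutObject": "world-writable",   # anonymous users can upload or overwrite
}

def is_anonymous(principal) -> bool:
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def anonymous_exposures(policy_json: str) -> set:
    """Return the exposure classes that Allow statements grant to anonymous principals."""
    found = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action in ("s3:*", "*"):           # wildcard grants everything at once
                found.update(EXPOSURE.values())
            elif action in EXPOSURE:
                found.add(EXPOSURE[action])
    return found

# Constructed "quick tutorial" policy: lists, reads and writes for everyone.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Constructed policy for the static-content case the text describes: objects are
# public read-only; listing and writing are simply not granted.
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feeding the output of `aws s3api get-bucket-policy` into `anonymous_exposures` gives the same classification for a real bucket, and anything beyond `world-readable` on a static-site bucket is a finding.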

Penetration Testing AWS Services

Performing a penetration test of services hosted on AWS has unique aspects and requires professionals with experience and knowledge of the platforms in order to discover vulnerabilities unique to the platform and effectively evaluate the security of the configuration and implementation of the services.

Pentesting Amazon AWS focuses on the user-owned assets and services. The key areas where attention needs to be paid are Identity and Access Management (IAM) keys, S3 buckets and Lambda functions, as they have distinct attacks and security implications. Amazon's own documentation on IAM and S3 buckets runs to well over 100 web pages each, not including the dedicated training courses and certifications offered by Amazon.

Preparing for an Amazon AWS Pentest

In March of 2019, Amazon changed their policy regarding AWS penetration testing: previously, any testing of AWS required permission; now most AWS security assessments can be performed without it. Before getting a penetration test of an AWS-hosted application or service, owners will need to review the penetration and vulnerability testing policy available here.

  • Define your scope, including a detailed inventory of the AWS environment, IPs, and target systems

  • Determine the types of testing you would like (black box, gray box or white box)

  • Define time frames, expectations, and requirements

  • Review AWS testing policy to determine if any permission is required

As part of our testing process, a Qualys Virtual Scanner Appliance is deployed in the client's target AWS environment; the appliance does not require approval from AWS to use, and aids in identifying vulnerabilities. As an added security benefit, the Qualys appliance does not need to know your AWS security credentials: an IAM cross-account role can be configured by your AWS administrator to grant Qualys access to your EC2 instances for scanning.

Alongside Qualys, a Kali Linux AWS instance is deployed in order to perform additional scanning, manual testing and validation of scans that make the difference between a vulnerability scan and a penetration test. Penetration testing combines both manual and automated testing in a complementary manner to discover additional vulnerabilities and rule out false positives, which ultimately helps clients better focus their time and money in securing their assets and environments.

If you're curious about penetration testing and assessing the security of your applications and services hosted on AWS, Packetlabs has performed numerous assessments of AWS environments in multiple business verticals. Our selection of penetration testing and application security testing services will match your business needs. Contact us to find out how we can help!