Many companies think because their infrastructure is hosted in the cloud that penetration testing does not need...
to be done. This is incorrect; vulnerability management and security testing has just as much value in a cloud environment as it does in a traditional infrastructure architecture.
However, when it comes to penetration testing in an Amazon Web Services (AWS) environment, there are a number of things enterprises must keep in mind to comply with industry regulations, but also meet Amazon's pen testing parameters.
AWS penetration testing steps
After the AWS vulnerability management stage is complete, it is time to conduct penetration testing of the enterprise servers hosted in AWS. This will ensure an organization's vulnerability management program has successfully increased security. While this process should be done as part of any mature security model, it is also required for some regulations (e.g., PCI DSS version 3).
The process of AWS penetration testing follows the same steps as any normal penetration test would: reconnaissance, vulnerability assessment, vulnerability exploitation and post-exploitation.
The true value in penetration testing over vulnerability management is in the last two steps; only by exploiting vulnerabilities and conducting post-exploitation analysis can the real impact of a threat be ascertained. For example, it may be that by exploiting a vulnerability on a server that passwords can be extracted, which could then be used elsewhere to gain access to other servers; this information can be discovered through penetration testing.
Pen testing should be conducted at both the application and infrastructure level to ensure enterprise servers hosted in AWS are hardened against real-world threats.
Pen testing traditional vs. AWS environments
One area where AWS pen testing differs from other infrastructure is that Amazon requires express permission for the test and dictates that tests can only be carried out on specific dates and times.
The reasoning behind Amazon's rule is because the testing will inevitably interact with Amazon-owned infrastructure. In normal cases, this would violate the acceptable use policy. And as Amazon would be unable to distinguish between hacking attacks and legitimate penetration testing, it requires permission to be sought in advance.
Be sure permission is received in advance of any testing to avoid delays. In my experience, Amazon has never declined penetration testing activities. The permission form can be obtained here.
Evaluating AWS pen testing providers
When choosing a provider for AWS penetration testing, it's best to avoid internal resources as they tend to be biased. Use a trusted third party, but be sure to check that they have tested Amazon and other IaaS-hosted servers.
When selecting a trusted penetration test provider, look for a company with a proven history, with qualifications from respected industry bodies, and one that responds to your initial inquiry quickly and professionally. How it responds to that initial inquiry is a great indicator of how well it will communicate throughout the project. Also ask to see sample reports and descriptions of the methods it will use in the test, and be sure to find out how much of the work is manual testing as opposed to fully automated. Penetration testing should be a primarily manual exercise, supported by automated tools where required.
An additional step providers should offer their clients is a review of how they have implemented AWS. Note that this would involve giving the provider access to an account on the AWS management console so they can assess areas such as identity and access management and security policies. This would also form part of a more informed exercise, and is distinct from a blind, black box-style penetration test.
To conclude, penetration testing should be part of any organization's secure development process -- even when servers are deployed as part of AWS (or any other IaaS platform). The security of servers hosted in AWS should be treated in exactly the same way as any other device in an enterprise's own infrastructure.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.