The 7 AWS Penetration Testing Best Practices - CYBRI


By Paul Kubler

Security of the AWS Cloud

Security of the cloud platform itself is the responsibility of AWS, which must secure the platform against vulnerabilities and cyber attacks. Platform security needs to cover zero-day exposures and code flaws that can be exploited at any time.

Common challenges organizations face when building their applications and services on AWS are:

  • Having an agile and fluid cybersecurity plan
  • Maintaining cloud visibility of all data and user activity
  • Lack of understanding of cloud compliance requirements
  • Consistent security policies

Web Application Exposures Within AWS

Many companies use AWS to host web applications for customers, employees, or partners. Unfortunately, web applications, designed to be exposed, present attackers with the second easiest way into your systems. This makes them the second most crucial attack surface after your external infrastructure.

Examples of such attacks include the Kaseya incident, where attackers successfully compromised Kaseya and distributed ransomware to its customers in a supply chain attack. 

Whether your application is fully accessible to the public or a limited set of customers only should factor into your decision making. 

So, depending on the complexity and risk to your application, you may find a pen tester to execute a limited white hat engagement.

AWS Policy for Penetration Testing

AWS customers are welcome to execute pen tests against their provisioned VPCs. They may carry out cloud network security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”

Ongoing cloud security posture management should include cloud security controls along with critical security controls built for a cloud environment.

The following services permit tenant and third-party pen testing within the tenant’s VPC within AWS:

  • NAT Gateways, and Elastic Load Balancers
  • RDS
  • CloudFront
  • Aurora
  • API Gateways
  • Lambda and Lambda Edge functions
  • Elastic Beanstalk environments

The tenant is 100% responsible for all pen testing activities. The AWS tenant handles all arrangements with third-party testers and needs to ensure the testing follows AWS user policy.

What Is Off-Limits for AWS Penetration Testing?

The following parts of the AWS cloud are off-limits to third-party testers:

  • Servers belonging to AWS
  • Physical hardware or AWS owned infrastructure
  • EC2 VPCs from other tenants
  • Amazon’s small Relational Database Service (RDS)
  • Security devices managed by other vendors
  • Pen testing other tenants’ S3 buckets
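
The permitted and off-limits lists above can be turned into a pre-engagement scope check. The following is an added example, not CYBRI's or AWS's code; the ARN-to-list mapping, the function names classify and scope_report, and the sample account IDs and ARNs are assumptions constructed for illustration.

```python
import re

# Added example. Keys are (ARN service, resource type); values are entries from
# the permitted list on this page. The mapping itself is an assumption.
PERMITTED = {
    ("ec2", "natgateway"): "NAT Gateways",
    ("elasticloadbalancing", "loadbalancer"): "Elastic Load Balancers",
    ("rds", "db"): "RDS",
    ("rds", "cluster"): "Aurora",  # Aurora clusters use the rds ARN namespace
    ("cloudfront", "distribution"): "CloudFront",
    ("apigateway", "restapis"): "API Gateways",
    ("lambda", "function"): "Lambda and Lambda Edge functions",
    ("elasticbeanstalk", "environment"): "Elastic Beanstalk environments",
}

def classify(arn, tenant_account):
    """Return (verdict, reason) for one target ARN in a proposed test scope."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return ("reject", "not a well-formed ARN")
    service, account, resource = parts[2], parts[4], parts[5]
    if account and account != tenant_account:
        return ("reject", "resource belongs to another tenant's account")
    rtype = re.split(r"[:/]", resource.lstrip("/"), maxsplit=1)[0]
    listed = PERMITTED.get((service, rtype))
    if not account:
        # S3 bucket ARNs, for one, omit the account ID: ownership is not provable here
        return ("review", "ARN has no account ID; confirm the tenant owns it")
    if listed is None:
        return ("review", "not on the permitted list; check AWS policy first")
    return ("in-scope", listed)

def scope_report(arns, tenant_account):
    """Group a proposed target list by verdict for the rules of engagement."""
    report = {"in-scope": [], "review": [], "reject": []}
    for arn in arns:
        verdict, reason = classify(arn, tenant_account)
        report[verdict].append((arn, reason))
    return report

# Constructed sample scope; account IDs and resource names are made up.
SAMPLE = [
    "arn:aws:ec2:us-east-1:111122223333:natgateway/nat-0123456789abcdef0",
    "arn:aws:rds:us-east-1:111122223333:cluster:orders-aurora",
    "arn:aws:lambda:us-east-1:444455556666:function:partner-hook",
    "arn:aws:s3:::example-uploads-bucket",
    "arn:aws:sqs:us-east-1:111122223333:jobs-queue",
]

if __name__ == "__main__":
    for verdict, items in scope_report(SAMPLE, "111122223333").items():
        for arn, reason in items:
            print(f"{verdict:9} {arn}  ({reason})")
```
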

Top Security Vulnerabilities with AWS During a Pen Test Engagement:

  • Overused public IP ranges
  • IAM provisioning and updates
  • Misconfigured S3 storage buckets per tenant
  • Mis-configured outbound and inbound proxies 
  • Unpatched systems within the control plane of AWS
  • Faulty DNS entries 

AWS cloud services need to be scanned and tested for misconfiguration to ensure that they follow best practices. Many clients are required to scan and test continuously for NIST-800 compliance and other security mandates.

AWS, like any service provider, will make mistakes. Leveraging a third-party test group will help with the organization’s risk management and resilience strategy while they deploy their apps and data within AWS.

Penetration testing also helps identify vulnerabilities in the exposed web application within the tenant VPCs. The pen test helps detect issues such as SQL injection, XSS, click-jacking and other common web application related vulnerabilities. AWS offers patch management services for clients that do not have a means to patch their systems. A pen test is recommended after all major updates and code updates.

Vulnerability Management and Penetration Testing on AWS Cloud

Key Differences between pen testing and vulnerability scanning

The key difference between vulnerability scanning and pen testing is the amount of manual work involved. While pen testing tools can be automated, they require more input to be used properly. This can include multiple inputs based on additional details found during enumeration.

Beyond that, a pen test often uses a vulnerability scan as the starting point of a test rather than as its end.

It is important to understand that in a full cybersecurity program a company will have BOTH regular vulnerability scanning and pen testing. One does not replace the other.

AWS Security Best Practices – Preparing and Maintaining a Secure Virtual Private Cloud for Pen Testing and Vulnerability Scanning.

  • 1. Understand clearly which AWS architecture is open for third-party pen testing.
  • 2. Submit the notification documents to AWS prior to engaging in a pen test.
  • 3. Pen testing #1: Validate data plane only Cloud Security Controls within the tenant VPC.
  • 4. Pen testing #2: Document testing results after each pen test.
  • 5. Pen testing #3: Verify the testers, white, black, or gray box teams have access to the cloud assets.
  • 6. Back up your data.
  • 7. Create a prevention program post pen test.

Pen Testing for Cyber Insurance 

As more companies seek cyber insurance to help offset their risk, pen testing is a vital component of their overall security posture. Insurance carriers evaluate a client’s ability to receive, process, and transmit data within their environment, including the cloud. With companies splitting their workloads between on-premise and cloud environments, insurance companies look for vulnerable elements that could cause a cyber event claim in the future. Adding pen testing continuously will have a positive impact on reducing the cyber events that could increase the company’s insurance premiums.

Conclusion

Maintaining cloud security should be a top-to-bottom effort with every member of the organization taking responsibility for it. Ongoing pen testing against the AWS instance is the only way to ensure continuous compliance and adaptive security control. As more cloud systems become better automated, the need to test, validate, deploy, and remediate with additional pen testing sequences grows as well.

The threat landscape is constantly evolving and attackers are always looking for new ways to bypass all counter security measures.

The quicker you respond to a successful attack, the easier it is to reduce the damage. You can identify where and why the breach occurred, what your security vulnerabilities are, and how you can solve the problem before it gets worse, even in the cloud.
