Security of the AWS Cloud
Security of the cloud platform itself is the responsibility of AWS: AWS must secure the platform against vulnerabilities and cyber attacks, including the zero-day exposures and code flaws that could be exploited at any time.
Common challenges organizations face when building their applications and services on AWS are:
- Having an agile and fluid cybersecurity plan
- Maintaining cloud visibility of all data and user activity
- Lack of understanding of cloud compliance requirements
- Maintaining consistent security policies
Web Application Exposures Within AWS
Many companies use AWS to host web applications for customers, employees, or partners. Unfortunately, web applications, designed to be exposed, present attackers with the second easiest way into your systems. This makes them the second most crucial attack surface after your external infrastructure.
Examples of such attacks include the Kaseya incident, where attackers successfully compromised Kaseya and distributed ransomware to its customers in a supply chain attack.
Whether your application is fully accessible to the public or a limited set of customers only should factor into your decision making.
So, depending on the complexity of and risk to your application, you may want to engage a pen tester for a limited white-hat engagement.
AWS Policy for Penetration Testing
AWS customers are welcome to execute pen tests against their provisioned VPCs.
Customers may carry out cloud network security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”
The following services permit tenant and third-party pen testing within the tenant’s VPC in AWS:
- NAT Gateways and Elastic Load Balancers
- RDS
- CloudFront
- Aurora
- API Gateways
- Lambda and Lambda Edge functions
- Elastic Beanstalk environments
The tenant is 100% responsible for all pen testing activities. The AWS tenant handles all arrangements with third-party testers and needs to ensure the testing follows the AWS user policy.
What is Off-Limits for AWS Penetration Testing?
Some parts of the AWS cloud are off-limits to third-party testers, including:
- Servers belonging to AWS
- Physical hardware or AWS owned infrastructure
- EC2 VPCs from other tenants
- Amazon’s small Relational Database Service (RDS)
- Security devices managed by other vendors
- Pen testing other tenants’ S3 buckets
Top Security Vulnerabilities with AWS During a Pen Test Engagement:
- Overused public IP ranges
- IAM provisioning and updates
- Misconfigured S3 storage buckets per tenants
- Misconfigured outbound and inbound proxies
- Unpatched systems within the control plane of AWS
- Faulty DNS entries
Scanning and testing for misconfiguration within AWS cloud services should be set up so that those services follow best practices. Many clients are required to scan and test continuously for NIST-800 compliance and other security mandates.
AWS, like any service provider, will make mistakes. Leveraging a third-party test group helps the organization’s risk management and resilience strategy while it deploys its apps and data within AWS.
Penetration testing also helps identify vulnerabilities in the web applications exposed within the tenant VPCs. The pen test helps detect issues such as SQL injection, XSS, click-jacking and other common web application vulnerabilities. AWS offers patch management services for clients that do not have a means to patch their own systems. A pen test is recommended after all major updates and code changes.
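As an added example (not code from the original article), here is an offline check in Python for the "misconfigured S3 storage bucket" finding from the list above: it flags bucket-policy statements that grant access to any principal without a Condition, then weighs that against the bucket's Public Access Block setting. The bucket name, VPC endpoint id and both policy documents are constructed samples.

```python
import json
# Constructed sample policy (made up, not from a real account): anonymous read.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
# Constructed sample: same grant, but narrowed to one (made-up) VPC endpoint.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

def _is_public_principal(principal):
    """True when Principal is "*" or {"AWS": "*"}, i.e. anyone, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def find_public_statements(policy_json):
    """Sids (or indexes) of Allow statements open to any principal with no Condition."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, st in enumerate(statements):
        if (st.get("Effect") == "Allow" and _is_public_principal(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings

def bucket_is_exposed(policy_json, public_access_block):
    """A public policy is only reachable when RestrictPublicBuckets is not enforced."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(find_public_statements(policy_json))
```

In a live assessment the two inputs come from the S3 GetBucketPolicy and GetPublicAccessBlock API calls; the evaluation itself stays the same.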
Vulnerability Management and Penetration Testing on AWS Cloud
Key Differences between pen testing and vulnerability scanning
The key difference between vulnerability scanning and pen testing is the amount of manual work involved. While pen testing tools can be automated, they require more input to be used properly, often several rounds of input based on additional details found during enumeration.
Beyond that, a pen test often uses a vulnerability scan as the start of the test rather than as its end.
It is important to understand that in a full cybersecurity program a company will have BOTH regular vulnerability scanning and pen testing. One does not replace the other.
AWS Security Best Practices – Preparing and Maintaining a Secure Virtual Private Cloud for Pen Testing and Vulnerability Scanning
1. Understand clearly which parts of the AWS architecture are open to third-party pen testing.
2. Submit the notification documents to AWS prior to engaging in a pen test.
3. Pen testing #1: validate data-plane-only cloud security controls within the tenant VPC.
4. Pen testing #2: document testing results after each pen test.
5. Pen testing #3: verify that the testers (white-, black- or gray-box teams) have access to the cloud assets.
6. Back up your data.
7. Create a prevention program after the pen test.
Pen Testing for Cyber Insurance
As more companies seek cyber insurance to help offset their risk, pen testing is a vital component of their overall security posture. Insurance carriers evaluate a client’s ability to receive, process, transmit, and store data within its environment, including the cloud. With companies splitting their workloads between on-premises and cloud environments, insurance companies look for vulnerable elements that could cause a cyber event claim in the future. Continuous pen testing has a positive impact on reducing the cyber events that could increase the company’s insurance premiums.
Conclusion
Maintaining cloud security should be a top-to-bottom effort, with every member of the organization taking responsibility for it. Ongoing pen testing against the AWS instance is the only way to ensure continuous compliance and adaptive security control. As more cloud systems become better automated, so does the need to test, validate, deploy and remediate with additional pen testing sequences.
The threat landscape is constantly evolving and attackers are always looking for new ways to bypass all counter security measures.
The quicker you respond to a successful attack, the easier it is to reduce the damage. You can identify where and why the breach occurred, what your security vulnerabilities are, and how you can solve the problem before it gets worse, even in the cloud.