
Does AWS Allow Penetration Testing

Answering the question as to whether AWS allows Penetration Testing


If you are hosting applications on Amazon Web Services (AWS), it is important to consider the impact of your penetration testing on AWS itself. A key part of this consideration is determining which penetration testing can be safely conducted on the AWS platform without advance permission, and which testing should not be carried out without prior agreement.

What is Penetration Testing

Penetration testing involves attempting to breach an application. By “breach,” we mean:

The goal of penetration testing is to definitively determine when and how an application breaks and what consequences occur. Every application will eventually break, whether due to overwhelming traffic or other factors. Understanding how the application behaves under these conditions is crucial.

Cloud Provider Considerations

AWS offers both hardware and software services. Some services, such as internet gateways, routing, and IP addressing, would traditionally be provided through dedicated physical hardware, but are instead virtualised and supported by a substantial software stack.

Penetration testing of applications hosted on AWS can inadvertently affect AWS’s own cloud software. In the early days of AWS, penetration testing needed to be coordinated with AWS to ensure that the testing methods did not inadvertently disrupt the services AWS provides — not only to the customer conducting the testing but also to other customers.

The Current Situation

As AWS’s software stack has been tested over the years, most penetration testing can now be performed on applications hosted on AWS without notifying AWS. This includes software-level testing such as:

Any testing that exercises the integrity of the application can be performed on AWS without prior permission.

Any testing that relies on brute-force overwhelming of the target is not allowed without prior agreement and coordination with AWS. This includes activities such as:

The reasoning for this is simple: brute-force attacks of this kind are an attack on the platform rather than on the application, and so they reduce the capacity of AWS services to operate for the benefit of all customers.

Responsible Testing

It’s important to understand the division of responsibilities between AWS, as the infrastructure and cloud services supplier, and AWS’s customers with regard to appropriate security testing and management.

From our perspective, any application manipulation testing is fair game on any cloud provider: as long as the cloud provider is not being forcefully overwhelmed, its service to other customers is unaffected. Testing application manipulation tactics against hosted applications in a controlled and throttled manner is, in our opinion, always acceptable. This approach mimics real-world scenarios and ensures your application can handle malicious traffic.

Our testing focuses on manipulative and scanning methodologies rather than overwhelming attacks. Overwhelming attacks target the infrastructure provider’s defences rather than the software and configuration controlled by customers. Therefore, such tests are irrelevant and inappropriate, as they do not reflect the unique configuration and software that individual customers control but rather the common underlying services provided by the infrastructure.

TLDR:

AWS allows most penetration testing activities without notice. It does not allow penetration testing that relies on brute-force attacks such as DDoS simulations. If you are planning tests that will generate a substantial number of transactions per second (TPS), it is best to open a ticket with AWS to coordinate the testing.
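The practical way to keep application-level testing on the "controlled and throttled" side of this line is to pace the test harness to a fixed TPS ceiling. The following is an added example, not code from the original post or from AWS: the function names (send_paced, peak_tps), the FakeClock used to check the pacing offline, and the payloads are all constructed for this illustration.

```python
import time
from typing import Callable, Iterable, List

NS = 1_000_000_000  # nanoseconds per second


def send_paced(payloads: Iterable[bytes], max_tps: int, send: Callable[[bytes], None],
               clock=time.monotonic_ns, sleep=time.sleep) -> List[int]:
    """Send each payload at no more than max_tps per second; return slot times (ns)."""
    # Slots are scheduled from the previous slot, not from 'now', so the rate
    # never drifts above the ceiling; integer nanoseconds avoid float error.
    if max_tps <= 0:
        raise ValueError("max_tps must be positive")
    interval_ns = NS // max_tps
    next_at, stamps = None, []
    for payload in payloads:
        now = clock()
        if next_at is None or now >= next_at:
            slot = now  # first request, or already behind schedule: no wait
        else:
            sleep((next_at - now) / NS)  # wait for the slot to come due
            slot = next_at
        next_at = slot + interval_ns
        stamps.append(slot)
        send(payload)
    return stamps


def peak_tps(stamps: List[int], window_ns: int = NS) -> int:
    """Largest number of sends inside any window_ns-wide sliding window."""
    stamps = sorted(stamps)
    best = j = 0
    for i, start in enumerate(stamps):
        while j < len(stamps) and stamps[j] < start + window_ns:
            j += 1
        best = max(best, j - i)
    return best


class FakeClock:
    """Constructed deterministic clock (ns) so pacing can be checked offline."""

    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += round(seconds * NS)
```

With the real clock, pass your own `send` callable (for example an HTTP client call) and compare `peak_tps` on the returned stamps against the ceiling you agreed for the engagement.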

More details on Amazon's policies are available in their documentation.