AWS Penetration Testing

Read Time: 4 min.

AWS is the largest cloud infrastructure company in the world. At the end of 2018, Amazon
Web Services accounted for about 32% of the global cloud market. This popularity of the
service makes AWS penetration testing so important, the relevance of which is difficult to

What Is AWS Security?

AWS security matters more than ever, since more and more companies are moving to cloud infrastructure: some to cut the cost of maintenance and personnel, others because they believe the cloud is better protected from attacks and secure by default. Indeed, large cloud providers such as Amazon Web Services (AWS) can afford to maintain a staff of cyber security professionals, conduct their own research and regular cloud penetration testing, and constantly improve their technology.

Want an in-depth understanding of all modern aspects of AWS Penetration Testing?
Read this article carefully and bookmark it to come back later; we regularly update this page.

Experts believe that the multi-cloud model is the most promising way to use cloud services in business. As the largest cloud infrastructure company in the world, AWS offers over 165 fully featured services for all your needs. On the platform you can build your own infrastructure from scratch or use ready-made solutions and reduce IT costs.

The platform supports mobile, web, and business applications, data processing and storage, backup, and other workloads. AWS launches new regions faster than other vendors and is the world's most in-demand hyperscaler. Large companies such as Netflix, LinkedIn, and Facebook choose AWS solutions.

As an AWS client, you benefit from a data center and network architecture designed for security-conscious companies. AWS security follows the same principles as your own data center, with the difference that you do not pay for the maintenance of premises and equipment. When working in the cloud, there is no need to manage physical servers or storage devices.

Instead, you use security tools to control and defend the inbound and outbound traffic of your cloud resources. One benefit of the AWS Cloud is the ability to scale and innovate while maintaining a highly secure environment, paying only for the services you use. This means that the required level of security can be achieved at a lower cost than in an on-premises environment.

The AWS Cloud follows the shared responsibility model: AWS is responsible for the security of the cloud, while security in the cloud is your responsibility. This means that you determine which level of security you need to protect your own content, platform, applications, systems, and networks in the cloud.

However, while cloud security is a top priority for AWS, it will not protect you against trivial administration errors, incorrect or default configuration of cloud services, leaked access keys and credentials, or vulnerable applications. So how can you identify potential misconfigurations in an Amazon Web Services (AWS) infrastructure in a timely manner?

How Does AWS Penetration Testing Work?

Many IT practices have emerged as adaptations of approaches that date back to the industrial era. For example, safe makers hired safecrackers to find weaknesses in their locks, and now companies turn to hackers to identify vulnerabilities in their corporate networks. This is how a whole field appeared: ethical hacking, in which penetration testing is performed by third-party specialists.

White-hat hackers conduct a series of cloud penetration tests, simulating various attacks. The result is a report with detailed information about the detected vulnerabilities and recommendations for fixing them.

Specifically, AWS penetration testing most often reveals the following AWS weaknesses that allow attackers to gain access to confidential data:

  1. AWS S3 Buckets - Open S3 Buckets configuration errors. Amazon Simple Storage Service (S3) is a service for storing and retrieving data of any size, at any time, from anywhere on the network. It is safe by default until the administrator enables public access.
  2. AWS S3 Buckets - Objects configuration errors. Objects stored in S3 buckets can also be made public, even if the bucket itself is closed. To access them, it is enough to know the S3 URL and the names of the stored objects. S3 addresses can often be found in the source code of applications.
  3. AWS S3 Buckets - Code Injection configuration errors. S3 is also often used to host static web applications, HTML pages, JavaScript, images, videos, etc. If write permissions are configured incorrectly, malicious JavaScript can be injected into a web application:
    • XSS attacks
    • BeEF hooks
    • JavaScript cryptocurrency miners
    • JavaScript keyloggers
  4. AWS S3 Buckets - S3 Domain Hijacking configuration errors. Domain hijacking becomes possible when an application references S3 buckets that have been removed and no longer exist. Subdomains with a live CNAME DNS record pointing to a deleted S3 bucket are also quite common. To take over such a domain or subdomain, it is enough to create a new S3 bucket with the same name in the same AWS Region. It is therefore extremely important to pay attention to 404 pages on * when brute-forcing the subdomains of the organization under test.
  5. Search for vulnerable AWS S3 Buckets - S3 Buckets Recon. Manually search and analyze web applications, checking them for requests to:
    • [bucketname]
    • s3-[region]/[target-name]
  6. Search for objects in closed S3 buckets that were previously open and indexed by search engines, using Google dorks. The WayBackMachine archive index can also be used for this purpose as a free online service for finding S3 buckets and their contents.
  7. Errors in administering Docker containers on AWS. Containers are at the heart of modern DevOps and are used to build, integrate, and run applications and services in the cloud infrastructure. An incorrectly configured Docker Remote API exposed on TCP ports 2375 and 2376 on a publicly accessible interface can lead to a compromised host. Shodan data as of May 2020: 739 hosts out of 6371 are vulnerable and are actively used for cryptocurrency mining. Moreover, attackers actively use the DockerHub service to host images of mining software.
  8. Errors in administering Kubernetes clusters on AWS - Containers (Kubernetes). A publicly available Kubernetes management API may disclose cluster configuration information. A publicly available Kubernetes etcd API can leak AWS keys, certificates, encryption keys, and other sensitive information from the etcd store.
  9. Web Application Vulnerabilities on AWS - SSRF Vulnerability. In March 2019, the personal and financial data of more than 100 million Capital One bank clients were leaked. An attacker gained access to AWS S3 storage by exploiting an SSRF vulnerability on the bank's public website. The vulnerable web server could be made to send a request to the AWS Instance Metadata Service and obtain the AWS keys of an application role with access rights to the S3 buckets holding customer data. In December 2019, AWS announced IMDSv2, which is protected from such attacks. But according to statistics as of April 2020, less than 5% of customers were using IMDSv2.
  10. Local File Inclusion (LFI) is the ability to read and execute local files on the server side. The vulnerability allows access to files containing AWS credentials in environment variables on Linux and Windows servers. The Symfony PHP framework in dev mode also exposes a debug component, the web profiler, which reveals sensitive information (routes, cookies, credentials, files, etc.).
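Items 1 to 3 above come down to who a bucket policy lets in and what it lets them do. The following Python function, an added example and not code from the article or from ImmuniWeb, evaluates a bucket policy document offline and reports whether it grants public read or public write access; the sample policy is constructed.

```python
import json

# Actions that expose bucket contents to readers, and actions that let an
# anonymous writer replace hosted objects (the static-site code-injection case).
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # IAM treats Principal "*" and {"AWS": "*"} both as "anyone, including anonymous".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_access(policy_json):
    """Return {"read", "write", "conditional"} for one bucket policy document.

    Only unconditional Allow statements count as public; public statements that
    carry a Condition block are counted under "conditional" for manual review.
    """
    result = {"read": False, "write": False, "conditional": 0}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            result["conditional"] += 1
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & {"s3:*", "*"}:          # wildcard grants cover every action
            actions |= READ_ACTIONS | WRITE_ACTIONS
        result["read"] |= bool(actions & READ_ACTIONS)
        result["write"] |= bool(actions & WRITE_ACTIONS)
    return result

# Constructed sample: a static-site bucket that also lets anyone overwrite its files.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-site/*"},
    ],
})

if __name__ == "__main__":
    print(public_access(SAMPLE_POLICY))  # {'read': True, 'write': True, 'conditional': 0}
```

The same check applies to the "public object in a closed bucket" case in item 2 once the object ACL grants are mapped onto the same read/write sets.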

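For item 9, the defender's question is which instances still answer token-less IMDSv1 requests while having a role attached. This added example (not from the article or from ImmuniWeb) classifies `aws ec2 describe-instances` output and builds the matching `modify-instance-metadata-options` remediation commands; the instance IDs and ARN in the sample are placeholders.

```python
import json

def imds_posture(describe_instances_json):
    """Classify every instance from `aws ec2 describe-instances` output.

    Returns {instance_id: verdict}, where verdict is one of
      "ok"          - IMDSv2 enforced (HttpTokens == "required") or IMDS disabled
      "v1-no-role"  - token-less IMDSv1 allowed, but no instance profile to expose
      "v1-role"     - IMDSv1 allowed AND a role is attached: the SSRF-to-keys pattern
    """
    verdicts = {}
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled" or opts.get("HttpTokens") == "required":
                verdicts[inst["InstanceId"]] = "ok"
            elif inst.get("IamInstanceProfile"):
                verdicts[inst["InstanceId"]] = "v1-role"
            else:
                verdicts[inst["InstanceId"]] = "v1-no-role"
    return verdicts

def remediation_commands(verdicts):
    """Build the AWS CLI calls that enforce IMDSv2 on every instance
    that still permits IMDSv1 (the flags are the real CLI options)."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, verdict in sorted(verdicts.items()) if verdict != "ok"
    ]

# Constructed sample output; instance ids and the ARN are placeholders, not real resources.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000003",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
]}]})

if __name__ == "__main__":
    for cmd in remediation_commands(imds_posture(SAMPLE)):
        print(cmd)
```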
AWS Security Best Practices

Measures covering confidentiality, integrity, and availability should be taken to minimize cloud security issues, and AWS security testing should be seen as a key mechanism during the secure infrastructure building phase. General security guidelines are as follows:

Advice 1: Cloud applications should ensure data security and privacy in a cost-effective manner. Security in the cloud is not limited to application components; it includes security at the network and data level. In addition, do not forget regular backups and disaster recovery options.

Advice 2: Consideration should be given to configuring security policies and applying global best practices in this area. Discover all your assets using ImmuniWeb Discovery. A successful audit lets you verify the security of the provider's cloud infrastructure.

Advice 3: Interoperability between individual infrastructure components should be maintained to reduce manual testing tasks, minimize overhead, and save time.

More specifically:

  • Never use root account keys;
  • Use multi-factor authentication (MFA) for the Web Console and AWS access keys;
  • Use strong passwords or passphrases where MFA is impossible;
  • Audit and monitor IAM access using AWS IAM Access Analyzer or Security Monkey;
  • Use IAM Roles (short-term temporary credentials) instead of IAM Users;
  • Use Git hooks to monitor for and automatically block secret leaks;
  • Rotate AWS IAM user access keys regularly where IAM Roles cannot be used;
  • Apply zero trust and the principle of least privilege;
  • Maintain strong application security and conduct regular penetration testing.
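Three of the points above (no root keys, MFA everywhere a password exists, rotation of long-lived access keys) can be checked from a single IAM credential report. This added example, not part of the original article or of ImmuniWeb's tooling, audits such a report offline; the sample report, its account names and dates, and the 90-day rotation threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

def _parse_ts(value):
    # The report uses ISO 8601 timestamps, or N/A / no_information / not_supported.
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, finding) pairs from an IAM credential report.

    Checks: no root access keys, MFA wherever console access exists, and
    rotation of IAM user access keys older than max_key_age_days.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"   # the root row's user column in a real report
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
        # password_enabled is "not_supported" for root, but mfa_active is still reported
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
    return findings

# Constructed report using the column names of `aws iam generate-credential-report`
# output (trailing certificate columns omitted); all names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2020-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2020-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2019-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-03-01T00:00:00+00:00,2020-05-01T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-06-01T00:00:00+00:00,true,2020-05-01T00:00:00+00:00,2020-01-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""
REPORT_DATE = datetime(2020, 5, 2, tzinfo=timezone.utc)   # fixed "now" for the sample

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user}: {finding}")
```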

To minimize security issues in the cloud, follow the AWS penetration testing model, which identifies weaknesses in the infrastructure through continuous penetration testing.
