AWS Penetration Testing


Cloud Service Environment Penetration Testing

Whether you are using AWS, Microsoft Azure, Google Cloud or another cloud provider, we will test the implementation of your cloud service environment. The reality is that most organisations do not have good visibility into the security configurations of their cloud service environment, leading to some missed vulnerabilities. In a 2019 McAfee study, just 26% of companies had the ability to audit their use of the cloud. McAfee estimated that 99% of exposed instances go unnoticed by the enterprises running them.

What is AWS pen testing?

To protect you from these risks, DarkSkope's team of expert and certified testers will perform manual and automated tests on your cloud environment against established criteria. We will act as both authenticated and anonymous users.

Our robust tests will identify aspects including:
  • Poorly secured storage buckets
  • User configuration
  • Password usage
  • Use of multi-factor authentication
  • Key rotation
  • Misconfigured roles and groups
  • Database usage
  • Server and instance configuration
  • Security group configuration
  • Deviation from industry best practice
All other cloud providers can be serviced, too. We don’t just work with AWS infrastructure - systems from all cloud providers can be tested - be they Google, Microsoft, IBM or others.

Process

In traditional penetration testing, an organization is the sole owner of its physical and virtual assets. However, this status quo changes once an organization starts using a Cloud Service Environment, such as AWS services.

Let's use AWS as an example of the process. When AWS services are used, Amazon is the owner of the whole AWS infrastructure, and conducting a traditional penetration test will violate the Acceptable Usage Policy of AWS and, in turn, the AWS Security Team will initiate incident response procedures. To avoid this situation, penetration testing should focus only on the assets owned by the organisation using AWS services.

DarkSkope will seamlessly manage the entire process for you.

Learn More About AWS

AWS offers over 90 different cloud hosting services, including compute and storage, content delivery, security management, network infrastructure, and physical hosting facilities for tenant organizations. The wide range of these services typically falls into Infrastructure (IaaS), Platform (PaaS), or Software as a Service (SaaS). Uses for these virtual environments include internal organizational use, a service to consumers, or a mixture of both. The most common purposes include networking, data storage, web application services, and code development.

Amazon Web Services (AWS) Policy for Penetration Testing

Through our partner, Vertical Structure, DarkSkope is an AWS Select Consulting Partner with a security speciality. 

DarkSkope can carry out security assessments or penetration tests against your AWS infrastructure in the following areas:
  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

AWS permits security testing for User-Operated Services, which include cloud offerings created and configured by the user. For example, an organization can fully test its AWS EC2 instance, excluding tactics related to disruption of business continuity such as launching Denial of Service (DoS) attacks.

Pentests involving Vendor-Operated Services, which are those cloud offerings that are owned and managed by a third-party vendor, are restricted to the implementation and configuration of the cloud environment and not the underlying infrastructure. For example, AWS services such as CloudFront and the API Gateway configuration may be pentested, but the hosting infrastructure is off limits.

Elastic Compute Cloud (EC2) is an AWS service which is commonly penetration tested. In an AWS EC2 instance, specific areas that allow penetration testing include:

  • Application Programming Interface (API) (e.g. HTTP/HTTPS)
  • Web and mobile applications that are hosted by your organization
  • The application server and associated stack (e.g. programming languages such as Python, React)
  • Virtual machines and operating systems.
These areas are not the limits of what can be penetration tested, but are commonly included during an AWS pentest.


"Darkskope revolutionised Business Continuity & Crisis Management throughout the Group. I can say this with absolute confidence as all the planning, exercising & training was put to a severe test during our response to dealing with COVID-19. Our business was proven to be highly resilient and all staff were competent & confident, from the Board level through to individual sites"

Mike D

Group HR & Business Improvement Director, Manufacturing Company, United Kingdom
"Darkskope worked seamlessly and tirelessly to understand our business and design a resilience solution that worked throughout the business.  They handled all aspects from Health & Safety, Business Continuity & Crisis Management, which lifted the heavy burden from our staff.  Everyone in the business has been trained and is very comfortable with their roles & responsibilities"

Mark L

Chief Executive Officer, Major International Sporting Institution, UK, Europe & UAE
"The Smart-Resilience system by Darkskope changed the game for our business in planning for business continuity & crisis management.  Beforehand, this was an area of the business that no-one wanted responsibility for.  Now, all our documentation, exercising & competence training is easily managed and delivered.  Simple & powerful."

Blair W

Founder & CEO, Global Agri-Manufacturing Company, Alberta Canada & Dubai, United Arab Emirates
