How do I Pentest AWS cloud?
AWS customers are permitted to carry out security assessments and penetration tests against their own AWS infrastructure, without prior approval, for the following services:
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
Testing must be limited to your own deployments and to your side of the Shared Responsibility Model. Certain types of attack, such as port flooding and denial of service, are prohibited.
More information can be found here: https://aws.amazon.com/security/penetration-testing/
AWS pentesting tools
For tools specific to testing the security of a deployment on AWS, consider the following:
ScoutSuite
Scout Suite is an open-source, multi-cloud security-auditing tool for assessing the security posture of cloud environments. Using the APIs exposed by cloud providers, it gathers configuration data for manual inspection and highlights areas of risk. Instead of clicking through dozens of pages in the web consoles, Scout Suite presents a clear view of the attack surface automatically.
Prowler
Prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response.
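As an added illustration of what Scout Suite and Prowler do under the hood (this is example code, not either project's own), the check below walks the structure that boto3's `describe_security_groups` returns and flags ingress rules reachable from the whole internet; the security groups and their ids are a constructed sample so it runs offline.

```python
import ipaddress

# Constructed sample in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"]
# (group ids are made up); a real audit would fetch this from the API for every region.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Ports whose exposure to the internet is treated as a high-severity finding.
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


def is_open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a /0 prefix in either address family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups: list) -> list:
    """Return (group id, severity, issue) for ingress rules open to any internet address."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(is_open_to_world(c) for c in cidrs):
                continue  # only reachable from specific ranges, not a world-open rule
            if rule["IpProtocol"] == "-1":  # all protocols and all ports
                findings.append((sg["GroupId"], "HIGH", "all traffic open to the internet"))
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            exposed = [name for port, name in sorted(ADMIN_PORTS.items()) if lo <= port <= hi]
            if exposed:
                findings.append((sg["GroupId"], "HIGH", ", ".join(exposed) + " open to the internet"))
            else:
                findings.append((sg["GroupId"], "INFO", f"ports {lo}-{hi} open to the internet"))
    return findings


if __name__ == "__main__":
    for group_id, severity, issue in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{severity:5} {group_id}: {issue}")
```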
Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
If you like this blog post, find more content in our Glossary.