AWS Penetration Testing cheat sheet

With over 90 services on offer, AWS covers a huge range of use cases and brings a correspondingly wide set of security concerns. As organizations increasingly adopt AWS, finding and addressing these security challenges becomes far more important. From ecommerce sites to data storage services, an AWS penetration test can surface and help fix the flaws that put all of this data at risk.

As security researchers and AWS users ourselves, we always find it helpful to have a cheat sheet at hand for quick reference. Amazon, the parent company of AWS, restricts AWS penetration testing through several policies. An AWS penetration testing cheat sheet guides you through the process without tripping over legal concerns or policy non-compliance. This guide will help you understand the grey areas and how to navigate them for a successful AWS penetration test.

The boundaries in AWS penetration testing

What’s allowed?

AWS services fall into two categories: user-operated services and vendor-operated services.

User-operated services are those that the user creates and configures themselves. An example would be an organization's own AWS environment, which the organization is allowed to test fully, including attacks such as DDoS.

Vendor-operated services are those owned and operated by third parties. In this case, AWS penetration testing is limited to the configuration and implementation of the cloud services, while the underlying infrastructure is out of bounds.

AWS EC2 is a common target of penetration testing, and in this case the following are allowed:

  • APIs (Application Programming Interfaces), for example over HTTP/HTTPS
  • The mobile and web applications that your organization hosts
  • The associated stack on the application server
  • All operating systems and virtual machines

What’s not permitted?

Most AWS services are SaaS, so the underlying environment is out of scope for a pen test because it does not belong to the user; for those SaaS services you can still test identity and configuration. Other areas outside the scope of AWS penetration testing include:

  • Any applications or services that belong to AWS
  • Facility, hardware or infrastructure of AWS
  • EC2 environments that are owned by vendors or third parties
  • Vendor-owned security applications without authorization

Prerequisites for AWS penetration testing

Before beginning AWS penetration testing, you need a plan and sufficient expertise. Below are some general guidelines and steps for starting the pen test:

  • State the objective, scope and the target systems, as per AWS rules
  • Run reconnaissance and preliminary tests on the target
  • Based on the above tests, decide the type of penetration testing to be used, i.e., black box, grey box or white box
  • Clearly state the expectations of all concerned parties including timelines of all stages
  • Develop protocols and rules of engagement for the case where the client comes under attack or is already breached during the test
  • Obtain all relevant permissions and authorizations from all involved parties

Top 5 vulnerabilities to test for in AWS

A few security flaws appear quite commonly and serve as a good place to begin testing:

  • Permission flaws and misconfiguration of S3 buckets
  • Compromised AWS IAM keys
  • Bypassing CloudFront or the WAF through misconfiguration
  • Covering tracks by tampering with CloudTrail logs
  • Lambda backdoors used to establish persistent access to the private cloud
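As an added example (not part of the original cheat sheet), the following Python audits the first item in the list above offline: it reads an S3 bucket policy document and a Block Public Access configuration, in the shapes returned by `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`, and flags the classic exposure patterns (Allow to everyone, wildcard actions, disabled public access guards). The sample policy, the account id and the VPC endpoint id are constructed placeholders.

```python
import json

# Constructed sample bucket policy (123456789012 is the AWS docs placeholder account id).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminFull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})
# Constructed Block Public Access settings with two of the four guards switched off.
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True if the statement applies to everyone: "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))


def audit_bucket_policy(policy_json):
    """Flag Allow statements that expose the bucket to anyone or grant wildcard actions."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny only narrows access; NotPrincipal/NotAction are out of scope here
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if is_public_principal(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append(f"{sid}: public principal limited only by a Condition, review its keys")
            else:
                findings.append(f"{sid}: Allow to everyone with no Condition ({', '.join(actions)})")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
    return findings


def audit_public_access_block(config):
    """List which of the four Block Public Access guards are not enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f"PublicAccessBlock: {k} is not enabled" for k in keys if not config.get(k)]
```

A statement with a public principal but a Condition is reported separately because whether it is safe depends on the condition keys (a VPC endpoint restriction is usually fine, an `aws:Referer` check is not).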

Basic tools to identify security flaws

Several tools are used in AWS penetration testing; some of them are listed below:

  • Nmap: This free tool analyzes the network and finds security flaws such as open and unsecured ports and services.
  • AWS Inspector: This AWS-native automated security scanner detects flaws in the services and applications deployed on AWS.
  • CloudMapper: This tool scans the AWS environment and offers features such as network visualization, among others.
  • SkyArk: This tool is generally used to find the users with the highest permissions within the AWS environment. Once identified, these users can be protected from attackers who might exploit their privileges.

Follow up after AWS penetration testing

Once the pen test is done, a complete and detailed report of all findings and observations needs to be prepared and handed over to the stakeholders. The report should detail every security flaw, ranked by severity and likelihood of exploitation, and should be accompanied by a remediation document.

Once remediation has been implemented, a retest is necessary to ensure that the security gaps have been closed. These documents must also be handled safely, since attackers who obtain them could use the details to launch an attack. You can check Astra's pentesting and VAPT pricing here.

AWS penetration testing service – Astra Security

AWS penetration testing has become a necessity to protect the many organizations adopting AWS. Pentesting in general can be tricky, let alone when it comes with hundreds of policies and restrictions, as in the case of AWS. That is why Astra Security is a great choice. Astra Security conducts a comprehensive pen test using the latest tools and expertise to detect all security flaws in your AWS environment. As the glowing testimonials from satisfied clients show, you cannot go wrong with them. Check out their features here.