AWS Penetration Testing

AWS is powerful, large and complex, and it provides many ways to shoot yourself in the foot – from a security point of view. In many cases you are just a few clicks away from publishing your private database to the world. Amazon operates a shared responsibility model for security: AWS protects the services it provides, but it is up to the customer to protect the operating system images and to use the services securely. Our security review searches for and identifies common misconfigurations and poor design practices that can expose more than you intended.

We will review your AWS account using a combination of automated tools and manual testing, assessing the configuration against the security best practices published by the Center for Internet Security (CIS) and the NCSC. We will also check whether good security hygiene practices, such as managing user accounts, are in place.

All testing we perform falls within the penetration testing activities that AWS permits without prior notification to AWS.

AWS Pen-Test Checklist

  1. Protection of roles and user accounts in AWS:
    1. Password policies
    2. Appropriate onboarding and offboarding of employees
    3. Authentication controls in place
    4. Appropriate use of least-privilege
    5. Check for the existence of shared accounts
  2. Review of AWS configuration, to include:
    1. Identity and Access Management
    2. Audit logging
    3. Monitoring alerts
    4. Networking and security group configuration
    5. Encryption of data at rest
    6. Use of appropriate TLS/SSL encryption
    7. S3 bucket configuration
    8. Elasticsearch configuration
    9. EKS configuration
    10. RDS configuration
    11. SNS configuration
    12. Configuration of AWS security monitoring features
    13. Review of trust boundaries with other AWS accounts
    14. Inadvertent public access to resources
    15. Inactive EC2 instances
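As an added illustration of two of the checklist items above (password policies, and inadvertent public access to S3 buckets), here is the kind of check the review performs, written as example code rather than taken from the original page or the provider's own tooling. It evaluates a constructed IAM account password policy against the CIS AWS Foundations Benchmark password controls and scans a constructed S3 bucket policy for Allow statements open to any principal; in a live review the two documents would come from iam:GetAccountPasswordPolicy and s3:GetBucketPolicy, but they are embedded here so the code runs offline.

```python
import json

# Constructed sample inputs (not from any real account): an IAM account password
# policy as iam:GetAccountPasswordPolicy returns it, and an S3 bucket policy.
SAMPLE_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 0, "PasswordReusePrevention": 3,  # age 0: never expires
}
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
    {"Sid": "OwnerAdmin", "Effect": "Allow", "Action": "s3:*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")


def check_password_policy(policy):
    """Return the CIS AWS Foundations password controls this policy fails."""
    failures = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        failures.append("minimum length below 14")
    failures += [key + " is off" for key in ("RequireUppercaseCharacters",
                 "RequireLowercaseCharacters", "RequireSymbols", "RequireNumbers")
                 if not policy.get(key)]
    age = policy.get("MaxPasswordAge", 0)  # 0 or absent: passwords never expire
    if age == 0 or age > 90:
        failures.append("no expiry within 90 days")
    if policy.get("PasswordReusePrevention", 0) < 24:
        failures.append("reuse prevention below 24")
    return failures


def anonymous_statements(bucket_policy):
    """Return (Sid, has_condition) for each Allow statement open to any principal
    ("*" or {"AWS": "*"}); a Condition may narrow the grant, so flag for review."""
    found = []
    for stmt in bucket_policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if stmt.get("Effect") == "Allow" and "*" in values:
            found.append((stmt.get("Sid"), "Condition" in stmt))
    return found
```

A statement flagged with has_condition set still needs a human to read the Condition block, since a key such as aws:SourceVpce can make an apparently anonymous grant private in practice.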

Before any testing starts, we will agree a formal scope document with you. It records which AWS accounts are in scope and how we will access the configuration of those accounts.

Because organisations use AWS in complex and varied ways, after testing we will walk through some of the findings with you in a meeting. This gives us the situational awareness needed to make recommendations relevant to your specific use of AWS.

Once testing is complete, we will provide a report with detailed findings, their impact and how to fix them. We can also provide consultancy to help you implement the fixes if that is useful.