Skip to main content
Amazon Web Services (AWS) Penetration Testing Methodology Hero

RedTeam Security's AWS Penetration Testing Methodology

Information Gathering

Our information gathering process remains the same whether we are testing your network or your web application in AWS. The first difference you will notice is that for internal network testing, rather than using a RedTeam Security provided device (a NUK) to gain access to the network, we might use a virtual machine, VPN, SSH, and appropriately provisioned IAM user. To review IAM policy misconfigurations and other services' security, an IAM user will be necessary.

Threat Modeling

Threat modeling is a multi-step process. Initial threat modeling will be done through discussions with the client to identify their most important assets to protect. For some companies, this could be financial data; for others, Intellectual Property. A nonprofit organization, in contrast, may see the most critical asset as something as fundamental as donor trust. RedTeam Security looks out for ways these "crown jewels" could be compromised and other assets that might get overlooked but is vital to the business.

Then, as additional information is collected, the threat model is continually refined. Security testing can then transition to identifying vulnerabilities affecting internally facing systems and those "crown jewels." This begins with automated scans and is followed by using manual testing techniques to dig deeper, uncover, and validate potential vulnerabilities. During the threat-modeling step, assets are identified and categorized into threat categories. These may involve sensitive documents, trade secrets, or financial information but more commonly apply technical details found during the previous phase.

Because there are more role-based access capabilities in the AWS environment than in a typical Active Directory environment, misconfigured roles and policies for users, groups, and services can become a significant liability. Our knowledgeable testers understand the risks associated with overly permissive or misconfigured policies and recommend best practices to maintain a secure identity and access management services. This includes checks to ensure that your organization's IAM policies follow principles of least privilege.

Vulnerability Analysis

The vulnerability analysis step involves documentation and risk analysis of vulnerabilities discovered during the previous stages. This includes analyzing results from the output of various automated and manual testing techniques.

Categories of vulnerabilities found on-premises and in the cloud can be similar. As part of our testing process, we attempt to connect seemingly low-risk vulnerabilities into a more dangerous attack chain to provide better leverage within both the cloud and on-premises networks. However, some vulnerabilities that may be considered a lower risk in an on-premises network could be viewed as a high or critical impact, depending on the system in AWS. Our teams know how to classify risks appropriately while considering the unique differences between AWS and on-premises environments. 


Unlike a vulnerability assessment, a pentest dives deeper by seeking to validate vulnerabilities through active exploitation, employing a real-world threat actor's mindset. Exploitation involves establishing access to a system through the bypassing/exploitation of security controls to determine their real-world risk. During a RedTeam Security penetration test, this phase consists of concerted manual testing efforts that are often quite time intensive.

Within the AWS account, RedTeam Security will evaluate S3 bucket configurations. Since access to S3 buckets can be controlled in many ways, RedTeam Security will carefully review both IAM policies and S3 bucket policies. When reviewing S3 buckets, we'll check for listable buckets, world-readable buckets, and world-writable buckets to prevent unintended disclosure of sensitive information.

We will also examine EC2 instances, APIs, and Lambda functions during web application penetration tests, looking for opportunities to exploit vulnerabilities throughout the full stack of offerings in the AWS ecosystem.


At RedTeam Security, we consider the reporting phase to be the most important. We take great care to ensure we've thoroughly communicated the total value of our service and findings to our Clients.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at 612-234-7848 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.