Since its initial offering, Amazon Web Services (AWS) has provided a relatively simple and reliable way for companies to reduce the need to purchase additional hardware to host their services. But with new infrastructure and network dynamics come unknown risks and attack paths. Testing the assumptions made about a company’s AWS security, and about the overall cybersecurity posture of its cloud environment, is an essential component of maintaining good security hygiene and is, in many cases, also required by law.
Our AWS penetration testing services include checking for publicly available resources like open S3 buckets and searching for unsecured AWS credentials in public code repositories or in any available internal documentation, to ensure they are managed and stored safely throughout the environment.
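The credential search described above is something a defender can run continuously on their own repositories and documentation before an attacker does. The following is an added example (not RedTeam Security's tooling) of a minimal secret scanner: it matches the documented shape of AWS access key IDs (a four-character prefix followed by 16 uppercase alphanumerics) and only flags a 40-character secret when the line also names it, which keeps commit hashes and unrelated tokens out of the results. The sample configuration file is constructed for the example and uses the example key pair from AWS's own documentation.

```python
import os
import re
from dataclasses import dataclass

# Access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 uppercase alphanumerics. The lookarounds stop matches inside
# longer tokens such as base64 blobs.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters from the base64 alphabet. That shape is
# too common on its own (hashes, tokens), so only flag it when the line names it.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_key|aws_secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def scan_text(path, text):
    """Return one Finding per credential-looking token in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Walk a checkout and scan every file that decodes as UTF-8."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file; nothing to scan
    return findings


def redact(value):
    """Show only the ends of a matched value so reports do not re-leak it."""
    return value[:4] + "..." + value[-4:]


# Constructed sample file. The key pair is the placeholder pair from the AWS
# documentation; the last line is a 40-hex-character commit hash that must not match.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
last_deploy = 2a1f5c9e7b3d4e6f8a9b0c1d2e3f4a5b6c7d8e9f
"""

if __name__ == "__main__":
    for f in scan_text("config.ini", SAMPLE_CONFIG):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Wired into a pre-commit hook or CI job, `scan_tree` fails the build on any finding; the redacted output is safe to post in a ticket, and any real match should be treated as compromised and rotated rather than merely deleted from history.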
Because threat actors have direct access to all the resources exposed to the Internet, the barrier they would have to overcome to begin attacking any site is as little as a passing curiosity. An attacker could spend their time searching the web for improperly stored AWS access keys, API keys, or session tokens to attempt a cloud takeover. Alternatively, an attacker could exploit traditional web application security vulnerabilities to access sensitive AWS infrastructure and roles. Opportunistic attackers now have many ideal routes to penetrate and move laterally through modern, cloud-based networks and web applications.
An attacker can potentially access sensitive data or user credentials through insufficiently secured APIs or by exploiting flaws in code running on AWS Lambda. Privileged roles and their associated access keys can often give a bad actor capabilities that would otherwise require remote or even physical access to a machine, or access to the on-premises local network.
RedTeam Security's web application penetration testing methodology includes searching for vulnerabilities in Amazon Web Services (AWS) environments in addition to on-premises environments. When reviewing AWS cloud security, many foundational techniques involving reconnaissance and information gathering will look the same as those performed against non-cloud platforms. Still, additional tools and methods may be employed to conduct a rigorous review of the appropriate controls.
For example, during a typical pentest engagement we will look at assets (applications, APIs) and the supporting systems and cloud infrastructure those applications run in (operating systems, containers, networks, devices, and servers). The methodology for testing AWS infrastructure is similar. Still, in addition to testing your cloud environment’s network security, we will also analyze the security of the configurations that control access to the AWS account and its resources.
At its most basic level, investigation of a cloud environment usually involves looking for publicly accessible resources and credentials related to AWS services (e.g., S3, RDS, Lambda, EC2, CloudTrail, security groups, CloudWatch) and testing their information security. A more in-depth option involves provisioning a test user in the AWS account and providing it to our testers. This additional access allows for a deeper look at the IAM users, groups, roles, and policies in place in the environment and aids in hunting for dangerous misconfigurations.
RedTeam Security's network penetration testing methodology includes searching for vulnerabilities in Amazon Web Services (AWS) environments in addition to on-premises ones. When reviewing AWS cloud security, the techniques we use will look a little different, and we will often use special tools designed for testing AWS cloud environments.
For example, during a typical pentesting engagement we will look at assets (applications, APIs) and the supporting systems and infrastructure they run in (OS, containers, networks). The methodology for testing AWS infrastructure is similar. Still, in addition to testing your cloud environment’s network-level security, we will also want to analyze the security of the configurations that control access to the AWS account and its resources.
At its most basic level, this usually involves looking for publicly accessible resources and credentials related to AWS services (e.g., S3, RDS, Lambda, EC2, CloudTrail, security groups, CloudWatch) and testing their security. An even better option involves provisioning a test user in the AWS account. This allows for a deeper look at IAM users, groups, roles, and policies in the hunt for dangerous misconfigurations.
Our comprehensive AWS security testing includes:
Our information gathering process remains the same whether we are testing your network or your web application in AWS. The first difference you will notice is that for internal network testing, rather than using a RedTeam Security provided device (a NUC) to gain access to the network, we might use a virtual machine, VPN, SSH, and an appropriately provisioned IAM user. To review IAM policy misconfigurations and the security of other services, an IAM user will be necessary.
Threat modeling is a multi-step process. Initial threat modeling is done through discussions with the client to identify their most important assets to protect. For some companies, this could be financial data; for others, intellectual property. A nonprofit organization, in contrast, may see its most critical asset as something as fundamental as donor trust. RedTeam Security looks out for ways these “crown jewels” could be compromised, and for other assets that might get overlooked but are vital to the business.
Then, as additional information is collected, the threat model is continually refined. Security testing can then transition to identifying vulnerabilities affecting internally facing systems and those “crown jewels.” This begins with automated scans and is followed by manual testing techniques to dig deeper, uncover, and validate potential vulnerabilities. During the threat-modeling step, assets are identified and sorted into threat categories. These may involve sensitive documents, trade secrets, or financial information, but more commonly involve technical details found during the previous phase.
Because there are more role-based access capabilities in an AWS environment than in a typical Active Directory environment, misconfigured roles and policies for users, groups, and services can become a significant liability. Our knowledgeable testers understand the risks associated with overly permissive or misconfigured policies and recommend best practices for maintaining secure identity and access management services. This includes checks to ensure that your organization’s IAM policies follow the principle of least privilege.
The vulnerability analysis step involves documentation and risk analysis of vulnerabilities discovered during the previous stages. This includes analyzing results from the output of various automated and manual testing techniques.
Categories of vulnerabilities found on-premises and in the cloud can be similar. As part of our testing process, we attempt to connect seemingly low-risk vulnerabilities into a more dangerous attack chain to provide better leverage within both the cloud and on-premises networks. However, some vulnerabilities that may be considered a lower risk in an on-premises network could be viewed as a high or critical impact, depending on the system in AWS. Our teams know how to classify risks appropriately while considering the unique differences between AWS and on-premises environments.
Unlike a vulnerability assessment, a pentest dives deeper by seeking to validate vulnerabilities through active exploitation, employing a real-world threat actor’s mindset. Exploitation involves establishing access to a system through the bypassing/exploitation of security controls to determine their real-world risk. During a RedTeam Security penetration test, this phase consists of concerted manual testing efforts that are often quite time intensive.
Within the AWS account, RedTeam Security will evaluate S3 bucket configurations. Since access to S3 buckets can be controlled in many ways, RedTeam Security will carefully review both IAM policies and S3 bucket policies. When reviewing S3 buckets, we’ll check for listable buckets, world-readable buckets, and world-writable buckets to prevent unintended disclosure of sensitive information.
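The two policy reviews described on this page, the least-privilege check on IAM policies and the listable / world-readable / world-writable check on S3 bucket policies, both reduce to walking the statements of a policy document. The block below is an added example (not RedTeam Security's tooling, and not an AWS API) that does exactly that on policy JSON you have already retrieved, for instance with `aws s3api get-bucket-policy` or `aws iam get-policy-version`. It flags statements that grant S3 actions to an anonymous principal, and IAM statements that use `Action "*"`, service-wide wildcards, `NotAction`, or an unscoped `Resource "*"`. Action matching uses IAM's wildcard semantics, so `s3:*` is correctly treated as granting `s3:PutObject`. The two sample policies and their bucket names are constructed for this example.

```python
import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    sid: str
    severity: str
    reason: str


def _as_list(value):
    # Policy JSON allows a bare string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Accept a dict or a JSON string and return the Statement list."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement", []))


def _is_public_principal(principal):
    # Principal "*" or {"AWS": "*"} means any caller, including anonymous ones.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(action_patterns, action):
    # IAM action names are case-insensitive and support "*" / "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


# Probe actions for each exposure class the review looks for.
PUBLIC_CHECKS = {
    "listable": ["s3:ListBucket"],
    "world-readable": ["s3:GetObject"],
    "world-writable": ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl"],
}


def check_bucket_policy(policy):
    """Report Allow statements that hand S3 actions to everyone."""
    issues = []
    for n, st in enumerate(statements(policy)):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{n}]")
        actions = _as_list(st.get("Action", []))
        suffix = " (narrowed by a Condition; verify it)" if st.get("Condition") else ""
        for label, probes in PUBLIC_CHECKS.items():
            hit = [a for a in probes if _grants(actions, a)]
            if hit:
                severity = "high" if label == "world-writable" else "medium"
                issues.append(Issue(sid, severity, f"{label}: {', '.join(hit)} granted to everyone{suffix}"))
    return issues


def check_least_privilege(policy):
    """Report Allow statements that are broader than least privilege allows."""
    issues = []
    for n, st in enumerate(statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{n}]")
        if "NotAction" in st:
            issues.append(Issue(sid, "high", "Allow with NotAction grants every action except those listed"))
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            issues.append(Issue(sid, "critical", "Action '*' on Resource '*' is full administrative access"))
            continue
        if "*" in actions:
            issues.append(Issue(sid, "high", "Action '*' grants every API on the listed resources"))
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                issues.append(Issue(sid, "medium", f"service-wide wildcard action(s): {', '.join(wide)}"))
        if "*" in resources and "*" not in actions:
            issues.append(Issue(sid, "medium", "Resource '*' leaves the listed actions unscoped"))
    return issues


# Constructed sample bucket policy: a public static-site read plus a leftover
# statement that lets anyone do anything to the bucket.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site-example/*"},
        {"Sid": "LegacyUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:*"], "Resource": ["arn:aws:s3:::static-site-example",
                                          "arn:aws:s3:::static-site-example/*"]},
    ],
}

# Constructed sample IAM policy: one admin statement, one service-wide wildcard,
# one properly scoped read-only statement.
SAMPLE_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BucketOps", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs-example/*"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-logs-example/*"},
    ],
})

if __name__ == "__main__":
    for issue in check_bucket_policy(SAMPLE_BUCKET_POLICY) + check_least_privilege(SAMPLE_IAM_POLICY):
        print(f"[{issue.severity}] {issue.sid}: {issue.reason}")
```

A bucket policy is only one of the ways access to a bucket is granted, which is why the page pairs it with the IAM review: an account-level Block Public Access setting can override a public statement, and a bucket ACL can add access the policy never mentions, so a clean result from this check is necessary but not sufficient.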
We will also examine EC2 instances, APIs, and Lambda functions during web application penetration tests, looking for opportunities to exploit vulnerabilities throughout the full stack of offerings in the AWS ecosystem.
At RedTeam Security, we consider the reporting phase to be the most important. We take great care to ensure we've thoroughly communicated the total value of our service and findings to our clients. Our AWS penetration testing services will verify that your cloud services and infrastructure are designed and configured according to industry-recognized best practices. Your report will provide a clear and actionable analysis of the current state of your AWS environment. Our reports focus on delivering enough information that you can prioritize which vulnerabilities must be addressed first, along with guidance on how best to use your budget to maintain and improve your security posture in the cloud.
At RedTeam Security, we understand that your cloud security is an essential piece of your organization’s overall security strategy. When it comes to AWS pentesting, we rigorously test for known exploits and use what we find to identify further vulnerabilities. From information gathering to the exploitation of potential cybersecurity threats, we are ready and committed to helping you take the next step to ensure your AWS security is the strongest it can be. To learn more about how we can meet your unique information security needs, contact RedTeam Security online or call 612-234-7848 today.