Traditional security infrastructure and AWS clouds differ in various ways. From setup and configuration to identity and user permissions, the technology stacks could not be more distinct.

The AWS architecture is comprised of a set of powerful APIs. Deeply integrated into the AWS ecosystem, our security engineers test for a range of AWS-specific misconfigurations, including the following:

• EC2 instance and application exploitation
• Targeting and compromising AWS IAM keys
• Testing S3 bucket configuration and permission flaws
• Establishing private cloud access through Lambda backdoor functions
• Covering tracks by obfuscating CloudTrail logs

In an AWS cloud assessment, the client provides a secured account on the AWS management console to the Securseed assessment team. By enabling this view into specific implementation details, our AWS experts can provide guidance on security details otherwise inaccessible to attackers.

This approach is designed as an informed, audit-style engagement. If you’re looking for an in-depth security assessment of your AWS infrastructure, we recommend this approach.

Can I get Pentesting on any Amazon Service?
Generally, yes. There are essentially two categories of cloud offerings:

• User-Operated Services – These cloud offerings are primarily created and configured by the users themselves, with little or no interaction with the hosting provider (such as EC2). Generally speaking, these can be thoroughly tested and have few restrictions except for denial of service (DDoS) and related disruptions to business continuity.
• Vendor Operated Services – Cloud offerings which are owned/operated by the by the vendor, and provided ‘as a service.’ Examples would be Gmail, Dropbox, Salesforce, and AWS services like Cloudfront. That’s not to say implementations of these don’t have vulnerabilities, but just that the testing focuses on implementation and configuration, rather than the infrastructure testing which is owned by the provider.

As we demonstrated with the S3 buckets, there are many misconfigurations, permissions, and implementation flaws that can make an individual instance vulnerable to compromise, but penetration testing on those platforms doesn’t involve attacking the cloud provider infrastructure itself.

Do I need to Alert Amazon of Pentesting?

No, as of early 2019 Amazon no longer requires prior approval of a pentest.