Can You Pentest AWS?

Updated: Oct 22, 2021

Unless you are working directly with AWS then you will not be able to run a pentest against the AWS cloud environment directly. You are only permitted to test against 'your' deployments of specific AWS services as detailed within the following guidance from Amazon.

aws logo on wall inside conference bulding

How do I Pentest AWS cloud?

AWS customers are permitted to carry out security assessments and penetration tests against their AWS infrastructure without prior approval against the following:

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers

  • Amazon RDS

  • Amazon CloudFront

  • Amazon Aurora

  • Amazon API Gateways

  • AWS Lambda and Lambda Edge functions

  • Amazon Lightsail resources

  • Amazon Elastic Beanstalk environments

This must only be against your deployments and on your side of the Shared Responsibility Model. Certain types of cyber attack such as port flooding and denial of service are prohibited.


More information can be found here: https://aws.amazon.com/security/penetration-testing/


AWS pentesting tools

For pentesting tools specific to 'testing' the security of the deployment onto AWS consider the following:


ScoutSuite

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.


Prowler

Prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response.


AWS Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.


If you like this blog post, find more content in our Glossary.