As a lot of you may know, or have seen in my past posts, I am a fan of Amazon Web Services. Yeah, they are a bit more expensive than others, but the amount of features they offer and the size of their network is unparalleled. (Man, I really wish they paid me for talking them up. If you’re listening Amazon, it’s me TriForceCode.)
When you spin up services with Amazon, one thing you need to realize is that while you may pay for the service, you don’t own it. Meaning, the virtual servers and applications you pay for are yours to do with what you will (legally), but the physical machines these services run on belong to Amazon.
Okay.. cool.. so? As every admin will tell you, locking down your network is important. You want to protect your preciouseses, so you implement your Firewalls, IDSs, Anti-virus and the lot, in compliance with whatever laws or regulations you are bound to. But only Penetration Testing will tell you whether your protection mechanisms are actually working.
Here is where we run into a snag. You are NOT allowed to perform penetration testing on AWS without express permission. I mean, not even a freaking basic Nmap scan, without running into some butthurt from Amazon.
Good news, here is where you get said Permission: AWS Penetration Testing
After receiving the go-ahead, here are the services you are allowed to PenTest (assuming you are paying for and running them).
- API Gateway
- DNS Zone Walking
Sadly, it doesn’t include all the services AWS has to offer, but these are some primary ways a hacker would be able to get into your network.
One thing I would have liked to have seen on this list is Amazon’s Storage Services like S3, EBS, EFS. If I am managing a Hybrid Cloud and I use one of these, and someone is able to compromise it because I wasn’t able to test it, I sure hope Amazon would be footing the bill for all of my lost goodies.
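Since you can’t point a scanner at S3 yourself, the next best thing is auditing what you *can* control: the bucket policy you attached. The snippet below is an added example (my own, not code from the original post and not anything Amazon ships) that reads a bucket policy document and flags any Allow statement whose Principal is the wildcard `*` with no Condition block. Both policy documents, the bucket name and the account ID are constructed samples; the weak one is the classic "everyone can read" policy, the hardened one grants the same read to a single IAM role.

```python
"""Added example (not from the original post): flag S3 bucket policy
statements that grant access to everyone. Both policies are constructed."""
import json

# Constructed: a policy that lets anyone on the internet read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: same bucket, readable only by one IAM role in the account
# (123456789012 is a placeholder account ID).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _is_wildcard_principal(principal) -> bool:
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Sid (or a positional label) of each Allow statement that is
    open to everyone: wildcard Principal and no Condition block.

    Statements with a Condition are NOT auto-flagged here; they still need a
    human to read the condition keys, since many conditions do not restrict
    who the caller is.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    flagged = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public statements = {find_public_statements(doc)}")
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) and anything it returns is a statement the whole internet can use. A policy that comes back clean from this check is not proof the bucket is private: bucket ACLs and the account-level Block Public Access settings are separate controls and deserve the same look.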
This is why I don’t like to put all of my eggs in one basket. I am a fan of AWS, and for certain, Cloud Services are the future, but being able to rely on third-party services like Acronis for Disaster Recovery just gives the inner Storage Admin in me all the warmth and feels.