There is no doubt that AWS has strong security that protects its customer accounts. However, the software you install on your AWS server space might create vulnerabilities by opening connections to the outside world. You need to perform security checks on your cloud-based assets and penetration testing is one of the strategies that you could adopt.
Here is our list of the best AWS penetration testing tools:
- Invicti: A vulnerability testing system that can be used for on-demand testing sweeps or as a full vulnerability scanner. This system is also available for continuous testing. Available as a SaaS package or as a software package for installation on Windows.
- Acunetix: This is a vulnerability scanner that can perform both external and internal tests. It is offered on the AWS marketplace and is also available as a SaaS platform or for installation on Windows, macOS, and Linux.
- Amazon Inspector: This is a vulnerability manager that is offered by Amazon and so is 100 percent allowed for use on the platform.
- Awspx: A free attack path grapher that explores your AWS identity and access management system to plot all relationships expressed within. Runs on macOS and Linux.
- Rhino Security Labs Buckethead: This free utility is offered as a program that you can cut and paste from its page on GitHub. Runs on Python.
- Prowler: This security auditing tool focuses on identity and access management features in AWS and is particularly well-geared for businesses that need to comply with data privacy standards. It will run on Linux, macOS, or Windows.
You can read more about each of these tools in the following sections.
Penetration testing is a largely manual process. The basic idea behind this strategy is that you get a hacker to attack your system and tell you what’s wrong with your security system. Of course, no system administrator would want to draw the attention of a bunch of hackers, but the people who operate penetration testing teams are certified and traceable. We are talking about “white hat hackers” – technicians who are excited by the challenges of trying to break into a system but aren’t interested in engaging in criminal activities.
Many of the methods that penetration testers use are laborious and repetitive. For example, trying to crack passwords requires a lot of login attempts. Hackers want to move quickly so a tool that can cycle through thousands of character combinations has a higher rate of success than an individual manually typing in all of those combinations.
There are several known attack strategies that hackers use and so penetration testers are always going to try those methods. As many of those attempts require a degree of automation, it makes sense to string that series of different strategies together in a batch file. Step up the automation a little further, and you arrive at a full package of system security tests. These systems are called vulnerability managers, and with them one launch command carries out many tests.
Does AWS allow penetration testing?
AWS performs its own regular security checks and appreciates customers who fund their own contributions to this effort. There are channels that customers can use to report discovered vulnerabilities that require system adjustments to resolve.
You are allowed to perform penetration testing on the following services:
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
Some problems might relate to platform security, which is beyond the control of the customer. However, you shouldn’t direct your penetration testing project towards the platform – that is not allowed. Instead, if, during testing your applications installed on the AWS platform you discover lower-level problems, you should get in touch with the AWS Security Department immediately and they will take it from there.
There are security testing strategies that AWS doesn’t allow. In some instances, you can negotiate with the team to get permission to perform a test that is listed in the regulations as not permitted. This leeway is probably only given to very large organizations from which Amazon makes a lot of money or businesses in the partner program that are developing and testing a new security tool. However, it doesn’t hurt to ask and there are contact forms for this purpose linked to in the AWS penetration testing advisory page (see below).
When your level of automation arrives at the vulnerability testing category, you could be dealing with a service that generates a lot of transactions, putting a load on the AWS system.
Penetration testers, thinking like real hackers, could try tricks that many jurisdictions classify as illegal. For example, if a hacker gets into a system by tricking administrator credentials out of technicians, shouldn’t the white hat hacker try the same tactic to properly model the activities of hackers? Getting AWS technician credentials would be very useful. However, such an approach could get you into trouble.
Other strategies that are banned are:
- DNS zone walking via Amazon Route 53 Hosted Zones
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Port flooding
- Protocol flooding
- Request flooding
To get the full policy of AWS toward penetration testing, see the company’s Penetration Testing page.
Above all, to avoid legal problems as well as the risk of having your AWS account suspended, never perform penetration testing exercises on an account you do not own unless you have the account holder’s permission.
The best AWS penetration testing tools
You might be put off running a vulnerability scanner or a penetration testing exercise on your AWS-based assets. However, don’t worry. The main thing is that you shouldn’t try to break into someone else’s account or trick AWS technicians. In addition, don’t do anything that can create excessive traffic. If you avoid those actions, you should be fine.
Our methodology for selecting an AWS penetration testing tool:
We reviewed the market for AWS penetration testing systems and analyzed tools based on the following criteria:
- An external penetration platform that fully emulates the remote attack strategies of hackers
- Test automation for repetitive tasks
- Checks for the OWASP Top 10
- Systems that can run on-site
- Options to use SaaS platforms
- A free tool or a paid service that has a free trial for a cost-free assessment opportunity
- Value for money from a reliable tool or a free tool that is worth using
You will notice that one of the requirements listed above is for a tool that can be used on-site and another is for a SaaS platform. This doesn’t mean that we expect to find one tool that has both deployment options; we are saying that the final list of recommended tools should include some for on-premises hosting and some that are offered on cloud platforms.
1. Invicti
Invicti is a Web application vulnerability scanner. It can be hosted on AWS and some versions run on Windows. Wherever you host the package, it can be run against AWS packages.
The Invicti system is available in three versions and the top edition is a fully automated vulnerability scanner. All versions can be limited in the settings to just running specific tests against specific assets. For example, the package includes a password cracker, which you might want to run by itself. A full vulnerability scan of a system can take from 8 to 10 hours.
- Can be hosted on AWS
- Individual tests or full scan
- Option for use as a continuous tester
- Integrates with project management tools
- Can launch attacks
The facilities in the Invicti menu include those for research and those for the attack. It is also possible to integrate other hacker tools into the interface and expand its repertoire. The system uses AI methods to identify possible attack paths.
- Full scan or individual probes
- Can route discovered weaknesses to a human pen tester for investigation
- Good for teams
- Takes care of repetitive tasks
- Automatically documents a system under examination
- A full scan takes a long time
Invicti is offered in three versions: Standard, Team, and Enterprise. You have to go up to the Team or Enterprise versions to host on AWS. The Standard and Enterprise versions can be installed on Windows Server. You can get a look at the Invicti package by accessing a demo system.
2. Acunetix
Acunetix is a vulnerability scanner and also a package of penetration testing tools. Use it as a fully automated scanner or limit it to running each test individually. The Acunetix system can be expanded by integrating the free OpenVAS system. This gives you external scans and also internal scans to see what a hacker could do once he gets into your network.
The package can test any system anywhere, including cloud platforms, such as AWS.
- Both external and internal scans
- Tests AWS WAF
- Integrates OpenVAS
- Project management system integration
You can set off your pen testing project by running a vulnerability scan and then routing issues through a team management tool to human pen testers for investigation.
- Can be used for continuous testing in DevOps
- Automated or manual tools
- Checks for OWASP Top 10
- Parallel scanning
Acunetix is available as a SaaS platform, called Acunetix Online, or as a package for installation on Windows, macOS, and Linux. Examine the demo system to assess Acunetix.
3. Amazon Inspector
The Amazon Inspector vulnerability scanner is a product of the AWS team and so there is no doubt that you can use it without breaking the rules. The scanner runs continuously on your EC2 instances and ECR repositories.
- Fully compliant with AWS rules
- Runs continuously
- Spots security weaknesses
The scanner looks for out-of-date software and also network exposure. The system reports can be accessed directly from within your AWS dashboard and it can also be set up to send you an alert if a problem is encountered. Results are ordered by severity so you can tackle the biggest security weaknesses first.
- Automated testing
- Checks on the network exposure
- Intended for system hardening
Although this package doesn’t qualify for the title of penetration testing tool, it is a useful service to have in place for defense. You can’t launch attacks with this package but you can make sure that you have done all you can to protect your AWS account by keeping it up to date.
4. Awspx
Awspx is an on-premises system but it is designed to explore AWS accounts. You need to give this utility access credentials, so it is not an attack tool. It can be used to harden defenses against attack.
This package is an attack path mapper and it creates a visualization of all of the objects and user access rights in your AWS accounts.
- Graphical representation of access rights
- GUI front end
- Used for system hardening
The awspx system makes it much easier to see the attack paths that a hacker could use to gain access to your AWS services and move laterally to explore and steal the data within.
- Easy to use
- Creates a clear representation of access rights
- Free to use
- Used for research, not for attack
The software for awspx installs on Docker over Linux and macOS and you can install it at the command line with the commands:
git clone https://github.com/FSecureLABS/awspx.git
cd awspx && ./INSTALL
5. Rhino Security Labs Buckethead
Not to be confused with Apache Buckethead, Rhino Security Labs Buckethead is a Python script that checks through Amazon S3 buckets. The tool searches the Web for sites that use Amazon S3 and then probes that space to see whether files can be uploaded to them. This research could then lead you to formulate an attack by uploading and executing a script.
- Written for Python
- Command-line utility
- Stealthy tool
Buckethead is a Python script, so you need to have the Python environment to run it. You also need to make sure that the computer you run it on has an internet connection.
- Doesn’t leave a trace
- Reveals serious security weaknesses
- Identifies easy attack victims
- Output not very attractive
Buckethead is just a script. You can copy and paste it from the GitHub repository that stores it, which just displays the code. This is a research tool that will make an attack very easy to formulate. It looks for vulnerable S3 accounts and doesn’t require credentials to get into targets – it’s either blocked or it’s in.
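For the owner of a bucket, the same question (can anyone upload here without credentials?) can be answered from the bucket policy itself. The following is an added example, not code from Buckethead or Rhino Security Labs; the function names, bucket name and account ID are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# S3 actions that add, overwrite or delete objects, or change access to them.
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:putbucketacl", "s3:putbucketpolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, no credentials."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _grants_write(action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(w, action.lower()) for w in WRITE_ACTIONS)

def anonymous_write_statements(policy_json):
    """Return the Sid (or index) of each Allow statement open to anonymous writes."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not judged here
        if any(_grants_write(a) for a in _as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policy; bucket name and account ID are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenUploads", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print(anonymous_write_statements(SAMPLE_POLICY))
```

Bucket ACL grants and the S3 Block Public Access settings also affect whether a bucket accepts anonymous writes; this check covers the bucket policy only.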
6. Prowler
Prowler is an open-source command-line utility that implements authorized searches through an AWS account, looking for vulnerabilities. It can be used to identify weaknesses that need to be fixed for data protection standards compliance.
- Tailored for HIPAA, GDPR, and PCI-DSS
- Requires permission
- Fast mapping
The tool searches through the identity and access management systems of an AWS account and ensures that they don’t provide access paths for hackers. You can’t use this tool on an account that you don’t own because it requires login credentials before it can operate.
The tool performs more than 200 security tests, including the 49 checks specified in the CIS Amazon Web Services Foundations Benchmark.
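To show what an identity and access management check of this kind looks like, here is an added example (not Prowler's code) that runs three checks of the sort found in the CIS benchmark over an IAM credential report: MFA on console users, no root access keys, and access keys rotated within 90 days. The report below is constructed and trimmed to the columns used; the function name and finding labels are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold assumed for the stale-key check

def audit_credential_report(report_csv, now):
    """Return sorted (user, finding) tuples from an IAM credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root reports password_enabled as "not_supported", so its MFA
        # state is checked unconditionally.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root-access-key-{n}"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"stale-access-key-{n}"))
    return sorted(findings)

# Constructed sample report (users and dates are made up).
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,false,true,2024-05-01T09:00:00+00:00,false,N/A
build-bot,false,false,true,2023-11-15T09:00:00+00:00,false,N/A
carol,true,true,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are repeatable

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```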
- Compliance verification
- Free to use
- Fast execution
- Native output not very presentable
Prowler is free to use. You can get some impressive output from the tool but you would need to feed it into a third-party front end to get the best visualizations because the command line output by itself is not so hot. Try QuickSight for a good GUI front end for this tool.
Prowler runs on Linux or macOS. It can be uploaded to an Amazon account (Amazon Linux) and run there. It can run on Windows, but only through the mediation of Cygwin. You can also run it over Docker.