Cloud Penetration Testing for Red Teamers

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781803248486
Pages: 298 pages
Edition: 1st Edition
Author: Kim Crawley

Table of Contents (20 chapters)

Preface
1. Part 1: Today’s Cloud Networks and Their Security Implications
2. Chapter 1: How Do Enterprises Utilize and Implement Cloud Networks?
3. Chapter 2: How Are Cloud Networks Cyber Attacked?
4. Chapter 3: Key Concepts for Pentesting Today’s Cloud Networks
5. Part 2: Pentesting AWS
6. Chapter 4: Security Features in AWS
7. Chapter 5: Pentesting AWS Features through Serverless Applications and Tools
8. Chapter 6: Pentesting Containerized Applications in AWS
9. Part 3: Pentesting Microsoft Azure
10. Chapter 7: Security Features in Azure
11. Chapter 8: Pentesting Azure Features through Serverless Applications and Tools
12. Chapter 9: Pentesting Containerized Applications in Azure
13. Part 4: Pentesting GCP
14. Chapter 10: Security Features in GCP
15. Chapter 11: Pentesting GCP Features through Serverless Applications and Tools
16. Chapter 12: Pentesting Containerized Applications in GCP
17. Chapter 13: Best Practices and Summary
18. Index
19. Other Books You May Enjoy

Security Features in AWS

As a cloud pentester, the likelihood of being asked to pentest AWS applications and services is very high. AWS has played a central role in the cloud computing boom of the past 20 years. So, in this chapter, I’ll introduce you to AWS. You’ll learn about the most popular AWS services, applications, and features and why they’re used. We’ll also talk about AWS’s SaaS, IaaS, and PaaS features, and explore Amazon’s own AWS security tools and third-party security tools.

In this chapter, we’ll cover the following topics:

  • Introduction to AWS
  • Frequently used AWS SaaS features
  • AWS IaaS features
  • AWS PaaS features
  • AWS security controls and tools

Let’s get started!

Introduction to AWS

AWS stands for Amazon Web Services. It’s one of the most popular cloud platforms. Amazon started as an online book retailer in 1994, but even in those early days, Amazon founder Jeff Bezos said that Amazon.com was a tech company with an objective to simplify online transactions for consumers. The parts of the business akin to traditional retailers, such as maintaining warehouses of inventory and customer service, were just some of the necessary components. The infrastructure that Bezos truly values has always been Amazon’s data centers.

As the 1990s went on, Amazon expanded its inventory well beyond books. It started selling music, movies, apparel, home accessories, and so on. In the 21st century, Amazon sells almost everything that can be properly stored at room temperature and legally sold to consumers. It also provides a lot of different internet services for consumers, such as streaming entertainment from Amazon Prime and Kindle eBooks.

...

Frequently used AWS SaaS features

AWS features, applications, and services fall into a lot of different categories. Some services are offered free of charge or with limited free trials. Most services, especially the ones that businesses are most likely to use, are provided for fees that vary depending on the service and how much a business needs to use it. For example, a cloud application that needs a small amount of bandwidth and serves a few hundred users per month will generally be a lot less expensive than a cloud application that needs a large amount of bandwidth and serves tens of thousands of users per month.

Of course, managing AWS service fees is your organization’s responsibility, not yours. So, I’ll explain what a pentester needs to understand: the AWS services that businesses frequently use and why they use them.

I’ll start with some SaaS features and applications. These applications use AWS’s infrastructure, platform, and its own software...

AWS IaaS features

IaaS, or infrastructure-as-a-service, features are the parts of AWS where enterprises have the most control and the most responsibility. There’s more that pentesters are allowed to do with these components than with PaaS and SaaS. But you are still on Amazon’s infrastructure, so there are still rules of engagement to abide by. Refer to AWS’s pentesting policies in Chapters 2 and 3, or you can find them on their website (https://aws.amazon.com/security/penetration-testing/).

AWS IaaS can be divided into two general categories: compute and storage.

Compute services

Amazon EC2 is AWS’s debut compute service. It stands for Amazon Elastic Compute Cloud. EC2 is largely used by enterprises that develop their own software but need tons and tons of computer processing power to process their databases, conduct scientific research, and so on.

I’ll summarize some company testimonials.

Orangetheory Fitness is a popular gym...

AWS PaaS features

PaaS, or platform-as-a-service, sits in the middle between IaaS and SaaS as far as security responsibilities are concerned. AWS provides the infrastructure and a platform, but it doesn’t provide all of the software as it would in SaaS. PaaS services are software developer tools most of the time. As a pentester, you generally can only pentest PaaS services under very limited conditions. A lot of what you’re permitted to do in IaaS is forbidden in PaaS. When in doubt, assume by default that you’re not allowed to do something, and consult the AWS penetration testing policy (https://aws.amazon.com/security/penetration-testing/). In some situations, such as network stress testing, you may submit a form to AWS to request permission to do something. Only proceed with your plans for your red team engagement when you’ve verified that AWS will permit you to do everything you plan to do. You may have to tweak or adjust your plans according to AWS’...

AWS security controls and tools

One of the most important things that you need to become familiar with as an AWS pentester is the various security controls AWS uses, and the tools you can use to conduct your pentesting. The details on how to use those tools will be explained in Chapters 5 and 6, but I’ll introduce the tools here.

Security controls

First, what are security controls, and what security controls does AWS have?

Security controls are components that help prevent or mitigate cyberattacks or other possible threats to your organization’s data. All security threats relate to the CIA (confidentiality, integrity, and availability) Triad. So, a security control is designed to help prevent breaches of data confidentiality and data integrity, and may also be designed to help maintain the availability of data. A security control can help with one or any combination of these three components.

Examples of security controls include antivirus...

Summary

AWS is one of the most popular cloud platforms around. You will almost certainly be expected to work with AWS applications and services as a cloud pentester.

AWS includes a lot of its own security controls and tools that your organization may or may not be using. It really ought to be using them, as implementing Amazon’s own security controls is a crucial cybersecurity baseline that can prevent a lot of cyberattacks.

Some of the many first-party AWS security applications include Amazon Inspector, AWS Security Hub, and Amazon GuardDuty.

There are also third-party scripts and tools that you can use to conduct vulnerability scans and pentests while abiding by Amazon’s policies. They include Prowler, Pacu, CloudFront, and many others.

It’s important to understand Amazon’s pentesting policies and rules and abide by them. Amazon owns all AWS infrastructure. So, even when you’re working with your organization’s AWS network, you...

Further reading

To learn more on the topics covered in this chapter, you can visit the following links:
