I tried to resume very shortly what services in AWS can be assessed for security under which conditions. Security assessments cover application and infrastructure penetration tests, DDoS tests and other network stress tests.
Pentesting is only allowed for below given 8 AWS services:
- EC2 instances, NAT Gateways, ELBs
- RDS
- CloudFront
- Aurora
- API Gateways
- Lambda and Lambda Edge
- Lightsail
- Elastic Beanstalk
Following activities are prohibited:
- DNS zone walking via Route53 Hosted Zones
- DoS, Simulated DoS and DDoS
- Port Flooding
- Protocol Flooding
- Request Flooding
Scans are suggested to be limited to 1 Gbps or 10K Requests per Second.
Below given instance types are recommended to be excluded from security assessments.
- T3.nano
- T2.nano
- T1.micro
- M1.small
Following events are considered as simulated events:
- Security simulations or security game days
- Support simulations or support game days
- War game simulations
- White cards
- Red team and blue team testing
- Disaster recovery simulations.
- Other simulated events
AWS must be informed about these events through aws-security-simulated-event@amazon.com and a detailed examination takes place before approval.
For Network stress testing such as DDoS tests, customers are supported via pre-approved vendors noted below.
