Tuesday, July 16, 2019

Realizing Security Assessments in AWS


I have tried to summarize briefly which AWS services can be assessed for security and under which conditions. Security assessments cover application and infrastructure penetration tests, DDoS tests and other network stress tests.
Pentesting is only allowed for the following 8 AWS services:
  • EC2 instances, NAT Gateways, ELBs
  • RDS
  • CloudFront
  • Aurora
  • API Gateways
  • Lambda and Lambda Edge
  • Lightsail
  • Elastic Beanstalk
Prior to the pentest, pen-test-nda@amazon.com should be contacted for a private preview and NDA.
The following activities are prohibited:
  • DNS zone walking via Route53 Hosted Zones
  • DoS, Simulated DoS and DDoS
  • Port Flooding
  • Protocol Flooding
  • Request Flooding
It is suggested that scans be limited to 1 Gbps or 10K requests per second.
The instance types given below are recommended to be excluded from security assessments.
  • T3.nano
  • T2.nano
  • T1.micro
  • M1.small
IP addresses to be used during the security assessment should be sent to aws-security-simulated-event@amazon.com.
The following events are considered simulated events:
  • Security simulations or security game days
  • Support simulations or support game days
  • War game simulations
  • White cards
  • Red team and blue team testing
  • Disaster recovery simulations
  • Other simulated events
AWS must be informed about these events through aws-security-simulated-event@amazon.com, and a detailed examination takes place before approval.
For network stress testing such as DDoS tests, customers are supported via the pre-approved vendors noted below.
For more information, you can consult the https://aws.amazon.com/security/penetration-testing page.
