Cloud Penetration Tests

Saturday, April 15, 2023   Chris Farris   AWS PenTesting
Yellowstone - Lamar Valley May 2022

Captain America saying “So you want to get a Pen Test”

This past weekend I spoke at BSides Nashville on offensive operations in AWS: Get outta my host and into my cloud. While I was finishing the talk, Nick Jones published a blog post of his own: On AWS Penetration Testing.

His views match my own on the need and value of penetration tests in AWS. When scoping a pen test, you want to focus on your outcomes. Then ask yourself, what is it you really want? Because depending on your desired outcome, a pen test may not be the best value for your scarce security budget.

| Outcome | Engagement needed |
| --- | --- |
| Check a box for PCI or SOC2 Audit | Penetration Test |
| Understand your cloud infrastructure maturity | Cloud Assessment |
| Discover the misconfiguration in your cloud accounts | Use a CSPM tool like Prowler |
| Understand how an attacker sees your application or API | Penetration Test from a cloud-savvy firm |
| Test your detection & response | Purple Team exercise |

When looking for a firm to conduct any engagement in the cloud, you want to know how much experience they have with the specific cloud providers you use. One of the motivations for my BSides talk was to spread cloud knowledge in and among the infosec community. Slide from the presentation

So, as part of my cloud security evangelism, I present PrimeHarbor’s first Whitepaper - Offensive Operations in AWS. We aim to help penetration testers and red teams understand the new tactics they can pursue as they dive deep into an AWS engagement. If you want this content with more memes, my slides are also available here.