jaime_lion, posted September 5, 2016:

So I am curious how this works. Let's say I am a company that has all their servers in AWS or such. How would one go about pen testing that? Would one try and get access in the company or directly attack Amazon?
Rainman_34, posted September 14, 2016:

Directly attacking Amazon would be illegal. If your company doesn't own the server, attacking it is illegal.
pentestgeek, posted October 4, 2016:

Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1-page document describing the pentest methodology.
IDNeon, posted February 19, 2017:

I think this is an interesting question that was not answered. The question wasn't well asked, so let me ask it another way. How do you pentest a company's infrastructure that is hosted by another company such as AWS? If the company is hosted by a cloud, then it is not that company that owns the infrastructure and you can't pentest that. The company should declare to you that there is this hosting service hosting their infrastructure, and all you can do is note its existence.
IDNeon, posted February 19, 2017:

On 10/4/2016 at 0:46 PM, pentestgeek said:
"Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1-page document describing the pentest methodology."

Uh, no. Can you show me the documented communication channels to legally notify you're going to hack Amazon's cloud infrastructure on behalf of pentesting some company's random crap virtual servers? I want to see the place that says "send this department a 1-page letter that says you're going to pentest within our infrastructure and how and when." First of all, that just means to LEGALLY hack Amazon all I'd have to do is create a company... buy some AWS services... then legally pentest myself. I think your advice is just flat out WRONG.
jaime_lion (thread author), posted February 22, 2017:

On 2/19/2017 at 10:38 AM, IDNeon said:
"I think this is an interesting question that was not answered. The question wasn't well asked, so let me ask it another way. How do you pentest a company's infrastructure that is hosted by another company such as AWS? If the company is hosted by a cloud, then it is not that company that owns the infrastructure and you can't pentest that. The company should declare to you that there is this hosting service hosting their infrastructure, and all you can do is note its existence."

So my original question was similar to what IDNeon said. But also I was wondering, if I went to a company and they said something like "All of our servers are in AWS and every employee here basically has laptops that they just use to get to the servers on AWS," would I even need to sneak into the company to plant WiFi Pineapples and such, or could I just stay in my lab and attack Amazon over the internet?

On 2/19/2017 at 10:42 AM, IDNeon said:
"Uh, no. Can you show me the documented communication channels to legally notify you're going to hack Amazon's cloud infrastructure on behalf of pentesting some company's random crap virtual servers? I want to see the place that says "send this department a 1-page letter that says you're going to pentest within our infrastructure and how and when." First of all, that just means to LEGALLY hack Amazon all I'd have to do is create a company... buy some AWS services... then legally pentest myself. I think your advice is just flat out WRONG."

https://aws.amazon.com/security/penetration-testing/

I believe that is what you would fill out.
IDNeon, posted February 23, 2017:

16 hours ago, jaime_lion said:
"So my original question was similar to what IDNeon said. But also I was wondering, if I went to a company and they said something like "All of our servers are in AWS and every employee here basically has laptops that they just use to get to the servers on AWS," would I even need to sneak into the company to plant WiFi Pineapples and such, or could I just stay in my lab and attack Amazon over the internet? https://aws.amazon.com/security/penetration-testing/ I believe that is what you would fill out."

Thanks for providing me some of the nuts and bolts. A cursory glance at the AWS site shows that they have a procedure to pentest a company's ENTIRE environment that they own (with restrictions to EC2/RDS, for instance). Which is good for you as a pentester. Just request permission and follow their restrictions to the letter and you'd be good.

Furthermore, there is a qualifier "to prevent adverse impact of services shared by others". So be mindful of that no matter if you are within the scope or not, because legally that qualifier takes precedence over any other. If you inadvertently damage a car it may be an accident, but you may still be liable :)

This is the world we've created, so you gotta learn it. AWS is probably forgiving, but still... it'll only get more controlled and procedural over time.
barry99705, posted March 1, 2017:

Okay, which one of your assholes killed Amazon's E2 environment?
IDNeon, posted March 2, 2017:

22 hours ago, barry99705 said:
"Okay, which one of your assholes killed Amazon's E2 environment?"

Still waiting for Google Chrome to say Amazon.com is a known malware distributor and redirect you to their security page lol