Cloud Penetration Tests
This past weekend I spoke at BSides Nashville on offensive operations in AWS: Get outta my host and into my cloud. While I was finishing the talk, Nick Jones published a blog post of his own: On AWS Penetration Testing.
His views match my own on the need and value of penetration tests in AWS. When scoping a pen test, start from the outcome you want: ask what it is you really need to learn or prove. Depending on that desired outcome, a pen test may not be the best use of your scarce security budget.
| Outcome | Engagement needed |
|---|---|
| Check a box for a PCI or SOC 2 audit | Penetration test |
| Understand your cloud infrastructure maturity | Cloud assessment |
| Discover the misconfigurations in your cloud accounts | Use a CSPM tool like Prowler |
| Understand how an attacker sees your application or API | Penetration test from a cloud-savvy firm |
| Test your detection and response | Purple team exercise |
When looking for a firm to conduct any engagement in the cloud, you want to know how much experience that firm has with the specific cloud providers you use. One of the motivations for my BSides talk was to spread cloud knowledge within the infosec community.
So, as part of my cloud security evangelism, I present PrimeHarbor’s first Whitepaper - Offensive Operations in AWS. We aim to help penetration testers and red teams understand the new tactics they can pursue as they dive deep into an AWS engagement. If you want this content with more memes, my slides are also available here.