AWS Infrastructure Testing


While Amazon's own security measures mitigate most vulnerabilities, the complexity of building on a third-party cloud infrastructure leaves many companies exposed without their knowledge. Prescient Security can perform both internal and external assessments of cloud-hosted applications. When testing Amazon AWS services, our security experts focus on identifying the configuration and implementation flaws that often go unchecked in your business's infrastructure configuration.

AWS testing approaches:

Our team reviews a range of common misconfigurations including but not limited to:

  1. Testing S3 bucket configuration and permission flaws

  2. EC2 instance and application exploitation

  3. Targeting and compromising AWS AMI keys

  4. Establishing private cloud access

Black-box Engagement -

Our security consultants take an outside-in approach: they test externally reachable resources for misconfigurations and verify that their implementation conforms to design standards, including but not limited to:

1) Whitelisting

2) Virtual private cloud (VPC)

3) Security groups

4) AWS admin console access

5) API authentication and authorization

Post-Exploitation / Insider Threat Assessment -

Our security consultants perform an informed, audit-style engagement in which the client provides a secured account on their AWS management console. The goal is to measure what level of risk exists once an attacker has already gained access, and to determine how to properly contain and remediate those threats going forward.

Methodology

  • Reconnaissance

    • Organization structure

    • Network structure

    • Hardware

    • System Category & System Sensitivity

    • General Description

    • System Interconnection, System Environment, Applicable Regulation & Policies

  • Risk Management Controls

    • Risk Assessment & Management

    • Review of security controls

    • System Planning: Initiation, Development, Implementation, Operation / Maintenance, Disposal

    • Rules of Behavior

    • Authorize Processing

  • Review Operational Controls

    • Personnel Controls

    • Physical / environment controls

    • Contingency Planning

    • Configuration Management

    • Data Integrity / Validation Controls

    • Documentation

    • Incident Response

    • Security Awareness and Training

  • Review Technical Controls

    • Identification and Authentication

    • Logical Access & Controls

    • Audit Trails