Assessing Vulnerabilities in the Cloud
- SaaS and PaaS providers usually do not allow customer vulnerability scanning at all, since the provider owns the platform and application layers
- IaaS may still restrict what can be scanned and how, even though the customer owns the guest OS and applications
- Cloud services often provide their own vulnerability scanning tools
- Amazon Inspector
- assesses workloads for known vulnerabilities (e.g., vulnerable packages) and for deviations from security best practices (e.g., unintended network exposure)
- Vulnerability scanning vendors also offer their scanners as virtual appliances in cloud marketplaces, deployed inside the customer's own environment
- Scanning considerations
- consider the architecture and the security controls in place before trusting scan results
- segments and security zones (separate VPCs, security groups, network ACLs) can block scanner traffic; a scan that shows nothing may simply have been blocked, so confirm the scanner actually reached each target
- design the architecture to account for scanning: give the scanner a path into, or a presence in, every zone that must be assessed
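The two points above (a cloud provider's own scanner, and confirming that a scan really covered every zone) can be put together with the Amazon Inspector API. The following is an added example written for these notes, not code from Amazon or from the page's author. It triages Inspector findings by severity and resource, and uses Inspector's coverage list to flag resources that were never scanned, which is the cloud equivalent of "the segment blocked the scan". The sample findings and coverage records are constructed here and only modeled on the shape of the Inspector2 `ListFindings` / `ListCoverage` responses; the instance IDs, CVE ID, and scores are placeholders.

```python
"""Triage Amazon Inspector findings and check scan coverage.

Added example: works offline on constructed sample data; when boto3 and AWS
credentials are available, main() pulls live data from the Inspector2 API.
"""
from collections import defaultdict

# Constructed sample data, modeled on Inspector2 ListFindings output.
# Instance IDs, the CVE ID and scores are placeholders, not real findings.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f1",
     "severity": "CRITICAL", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-0001 - example-package", "inspectorScore": 9.8,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaaa"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f2",
     "severity": "HIGH", "status": "ACTIVE", "type": "NETWORK_REACHABILITY",
     "title": "Port 22 is reachable from an Internet Gateway",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbbb"}]},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f3",
     "severity": "MEDIUM", "status": "SUPPRESSED", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-0002 - example-package",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaaa"}]},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f4",
     "severity": "LOW", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-0003 - example-package",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbbb"}]},
]

# Constructed sample data, modeled on Inspector2 ListCoverage output.
# i-0ccc... has no findings only because Inspector never scanned it.
SAMPLE_COVERAGE = [
    {"resourceId": "i-0aaaaaaaaaaaaaaaa", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE", "scanStatus": {"statusCode": "ACTIVE"}},
    {"resourceId": "i-0bbbbbbbbbbbbbbbb", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE", "scanStatus": {"statusCode": "ACTIVE"}},
    {"resourceId": "i-0ccccccccccccccccc", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
]

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def active_findings(findings):
    """Only ACTIVE findings need triage; SUPPRESSED and CLOSED are dropped."""
    return [f for f in findings if f.get("status") == "ACTIVE"]


def severity_counts(findings):
    """Count active findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 1}."""
    counts = defaultdict(int)
    for f in active_findings(findings):
        counts[f["severity"]] += 1
    return dict(counts)


def findings_by_resource(findings, min_severity="HIGH"):
    """Map resource id -> [(severity, title)] for active findings at or above
    min_severity, so each owner gets only what they must fix now."""
    threshold = SEVERITY_RANK[min_severity]
    out = defaultdict(list)
    for f in active_findings(findings):
        if SEVERITY_RANK.get(f["severity"], -1) < threshold:
            continue
        for r in f.get("resources", []):
            out[r["id"]].append((f["severity"], f["title"]))
    return dict(out)


def uncovered_resources(coverage):
    """Resources Inspector is NOT actively scanning, with the reason.
    A resource with zero findings is only 'clean' if it is ACTIVE here."""
    return {c["resourceId"]: c["scanStatus"].get("reason", "UNKNOWN")
            for c in coverage if c["scanStatus"].get("statusCode") != "ACTIVE"}


def fetch_all(client, method_name, result_key, **kwargs):
    """Page through an Inspector2 list call (list_findings, list_coverage)
    following nextToken until the API stops returning one."""
    results, token = [], None
    while True:
        params = dict(kwargs)
        if token:
            params["nextToken"] = token
        resp = getattr(client, method_name)(**params)
        results.extend(resp.get(result_key, []))
        token = resp.get("nextToken")
        if not token:
            return results


def main():
    try:  # live data when boto3 + credentials exist, else the constructed sample
        import boto3
        client = boto3.client("inspector2")
        findings = fetch_all(client, "list_findings", "findings", filterCriteria={
            "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]})
        coverage = fetch_all(client, "list_coverage", "coveredResources")
    except Exception:
        findings, coverage = SAMPLE_FINDINGS, SAMPLE_COVERAGE
    print("active findings by severity:", severity_counts(findings))
    for rid, items in findings_by_resource(findings).items():
        print(rid, "->", items)
    for rid, reason in uncovered_resources(coverage).items():
        print("NOT SCANNED:", rid, reason)


if __name__ == "__main__":
    main()
```

Run it with no AWS credentials to see the sample output; with credentials for an account where Inspector is enabled it reads the real findings and coverage instead. The coverage check is the part to keep: a segment or unmanaged instance that Inspector cannot reach shows up with a reason, which is the answer to "did the scan cover this zone or just fail to reach it".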
Example: Amazon Scanning Policies 2022
- Amazon's customer support policy for penetration testing describes what can and cannot be tested; the list changes over time, so check the current version before testing
- permitted list for pen testing without prior approval (as of 2022):
- Amazon EC2 instances, NAT gateways, and Elastic Load Balancers
- RDS
- CloudFront
- Aurora
- API Gateway
- Lambda and Lambda Edge functions
- Lightsail resources
- Elastic Beanstalk environments
- Amazon prohibits activities that may result in DoS:
- DNS zone walking via Amazon Route 53 hosted zones
- DoS, DDoS, simulated DoS, simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding
- Amazon prohibits testing AWS's own infrastructure and underlying services (only the customer's own resources may be tested)
- provides a request process for authorization to run simulated events not covered by the permitted list
- provides separate policies for stress testing and DDoS simulation testing