As organizations continue to move towards cloud computing technology and services, we get this question often. The good news is that it has become much clearer in recent times, as both AWS and Microsoft Azure have relaxed their policies and posted easy-to-understand guidelines. In short, the majority of your penetration testing needs are covered without any need to contact the cloud provider.

AWS

First up, we’ll discuss the penetration testing policy for AWS, which you can find here. In 2019 AWS changed its policy of requiring prior approval for penetration testing and no longer requires it for most testing use cases. In brief, normal penetration testing activities are permitted, while activities such as denial of service (DoS), DNS zone walking, and flooding are prohibited without prior approval. These types of attacks are not generally conducted by penetration testing teams in the first place, so there shouldn’t be much impact on your assessment. Of course, you must only test assets and services that you own, and if a vulnerability within AWS’s own services is discovered, it should be conveyed to the AWS security team within 24 hours of completion of testing.

Microsoft Azure

Our next cloud provider is Microsoft Azure. Their penetration testing policy can be found here and the rules of engagement can be found here. Their policy is similar to AWS’s new stance, which has drastically reduced the confusion for clients. You’re able to conduct standard penetration testing without prior approval for most testing, with activities such as DoS attacks being excluded. It’s worth noting that Microsoft does have a custom interface for simulating DoS attacks against the public cloud; more information can be found here.

Conclusion

We strongly encourage you to test your cloud assets and services just as often as you would any other technology that you employ. The process may have been confusing in the past, but now it’s easy and flexible to ensure you’re protected. Contact us to learn how we can help secure your cloud services.

Heath Adams

About the Author: Heath Adams

Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.

Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.

Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.

About TCM Security

TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to demonstrate proven job-ready skills to prospective employers.

