PCI Compliance on AWS: Penetration Testing in AWS
Establishing a Penetration Testing Methodology
Vulnerability scans are often confused with penetration tests, however they serve different purposes in your information security program. Penetration testing is much more through, detailed, and manual than vulnerability scanning. PCI Requirement 11.3 calls out the need to implement a methodology for penetration testing that includes the following:
- Based on industry-accepted penetration testing approaches like NIST SP 800-115 or PTES
- Includes coverage for the entire CDE perimeter and critical systems
- Includes internal and external network testing
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include your pre-determined vulnerabilities and risks
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results
In an AWS environment, it’s incredibly important to understand what a penetration test will be addressing. We recommend AWS Penetration Testing: Beginner's Guide to Hacking AWS with Tools such as Kali Linux, Metasploit, and Nmap as a resource to begin learning more about penetration testing specifically in AWS.
AWS customers can carry out security assessments and penetration testing against their AWS infrastructure without prior approval for eight services. For more information, learn about vulnerability assessment and management in AWS Marketplace and the AWS Customer Support Policy for Penetration Testing.
PCI Requirement 11.3 deals with penetration testing requirements. One of the things that you will be asked by your PCI assessor is if you have documented a penetration testing methodology. A lot of the time, you will work with your pen testing firm or the individual that’s performing your pen test to understand what their methodology is, but you want to ensure that there is a documented methodology so that you can evaluate if the testing that you did followed those methodologies. There are penetration testing standards that are published from NIST and the Penetration Testing Engagement Standard that you might considering using as baselines to put together your methodology. One of the most critical things today is that you are following a prescribed approach and that you are addressing your information security challenges in a way that reflects the seriousness of the threats today.
A lot of people, during a PCI assessment, will try to pass off a vulnerability scan as a pen test, and that is just not what is needed today. We need active exploitation. We need experts who are testing your systems both externally and internally to determine if you have any vulnerabilities or potential holes that could happen whenever a very trained and experience hacker was trying to access your environment. So, look for that expertise.
For your AWS environment, I would refer you to this publication called AWS Penetration Testing. It’s an excellent resource by Jonathan Helmus. As you walk through it, you see the types of issues that you need to be addressing in your environment. How do you enumerate and understand the AWS services that you’ve put into place? How do you perform reconnaissance and create attack paths that appropriate to the environment that’s being tested? How do you exploit S3 buckets? What are the common and modern techniques that are being performed in exploiting those data repositories? Understanding vulnerable RDS services, accessing your database, and using logic in order to follow these vulnerabilities through. Having access to valuable system data that we shouldn’t have access to should be thoroughly tested so that you are protecting yourself against injection attacks and other techniques that hackers are using now. As you walk through this resource, you’ll find all kinds of great materials that you could include into your methodology. It’s something that you could take to a pen testing firm and ask: do you follow these techniques? Do you have people who are trained in performing these types of penetration tests for AWS environments? The threats today demand that you address these issues head-on and have a very thorough, very complete penetration test of your AWS environment.