AWS is a powerful service that helps businesses grow. They offer many amazing features, but they also have vulnerabilities – just like any other platform. When you are running your business on AWS, it is important to understand the risks associated with this type of hosting environment and take precautions accordingly. One way to do this is by performing Distributed Denial of Service (DDoS) penetration testing on AWS before you go live with your web application. This blog post will give an overview of what these tests entail and how you can request permission for them on AWS today.
Table of Contents
What is Penetration Testing?
Penetration testing is a type of security assessment that simulates an attack on your web application in order to identify potential vulnerabilities. A tester will attempt to exploit these weaknesses by using various methods, such as injection attacks, cross-site scripting (XSS), brute-forcing passwords, etc. If successful, this can give the attacker access to sensitive data on your website or on the server itself.
Does AWS Allow Penetration Testing?
Yes, AWS does allow penetration testing. In fact, they encourage it. They want to make sure their customers are running secure networks. DDoS Simulation Testing, among several other forms of online penetration testing, is permitted by AWS. Review the AWS customer agreement and AWS Customer Support Policy for Penetration Testing to know which tests require permission and which ones apply to which service.
AWS Security Requirements for Penetration Testing
As Amazon recommends, you should request permission from them before performing any type of penetration test on their servers to ensure that all security requirements are met. They will put together a list of items that they require for this process to be successful and give it to you. Here are some of the most important ones:
- You must be a verified customer of AWS and have an active account with them.
- The AWS penetration testing must be performed by a qualified individual or organisation who possesses the required skills and knowledge.
- You must agree to abide by Amazon’s terms and conditions, which include a Non-Disclosure Agreement (NDA).
- The testing must be done in a specific region; this is where your servers will be located.
- You must use a white or black list as part of your security strategy.
What is DDoS Simulation Testing?
A DDoS attack is where multiple systems flood the traffic on your web application or server to make it unavailable. DDoS Simulation Testing is the simulation of a DDoS attack allowing you to see how strong your defences are before going live with your business. This is an essential stage in assuring that your website can withstand a real-world DDoS attack.
Why Should You Perform DDoS Penetration Tests on AWS?
There are quite a few reasons for getting an AWS DDoS penetration test done. Some of the most important ones are:
- To identify and fix any vulnerabilities in your web application or server before going live.
- To make sure your site can withstand a real DDoS attack and avoid downtime in the future.
- To secure your AWS account from hackers who may use this method to slow down your network and services or completely disrupt your business’ functioning.
- To comply with legal regulations and industry standards.
Terms and Conditions for DDoS Simulation Testing on AWS:
You must comply with the AWS DDoS Simulation Testing Policy at all times. The Terms and Conditions it includes are:
- No tests performed should violate the AWS customer agreement.
- Use an approved APN Partner to perform your DDos testing.
- Test targets must be registered as protected resources.
- Restrict the DDoS simulation bit volume to 2.5GB/s.
- Restrict the packet volume to 5,000,000 packets per second for CloudFront and 50,000 packets per second for any other AWS resource.
- Use of any AWS resource to originate the simulation is prohibited. Use an external IP or IPs for your penetration tests.
- AWS holds the right to terminate the DDoS simulation test at any time.
- The DDoS testing cannot be done in a production environment or with live customer data.
- You must not perform any tests that intentionally cause unavailability of a production environment, loss or corruption of data, or any other impact to customers.
- Make sure that you read and understand the full AWS DDoS Simulation Testing Policy before proceeding with your test.
To know more about DDoS Simulation Testing Policy, head over to this page.
How to Request Permission for AWS DDoS Penetration Testing?
To request permission to perform DDoS simulation testing on AWS, submit a request via the Simulated Event form and provide all the details of the planned test.
If you wish to conduct DDoS simulation tests outside of the mentioned guidelines, an AWS DDoS Test Partner would have to submit a request by email at least 2 weeks before the date of the test.
Conclusion
AWS allows penetration testing in the form of DDoS simulation testing. This type of test is important to help identify and fix vulnerabilities before going live with your web application or server. Make sure you comply with the Terms and Conditions for this type of testing, which includes restrictions on bit volume and packet volume. You must also not perform any tests that would impact customers or their data. To request permission for a DDoS simulation test, submit a request via the Simulated Event form.