Q
Manage Learn to apply best practices and optimize your operations.

How is cloud penetration testing different for AWS, Google, Azure?

Penetration tests help organizations spot vulnerabilities in their public cloud environments. But how are the testing requirements different for AWS, Google and Azure?

Many enterprise IT shops use cloud penetration testing to identify and address potential security weaknesses in...

their cloud computing environment. But, before performing a penetration test on a public cloud platform, it's important to understand your cloud provider's unique testing requirements.

Penetration tests simulate an actual attack, so coordinate with cloud providers before performing one. Here's what to know before performing a cloud penetration test on Amazon Web Services (AWS), Google Compute Engine and Microsoft Azure.

For AWS, customers have to submit a request form prior to conducting the test. The approval form collects information about who will conduct the test, third-party contact information, IP addresses of servers scanned, as well as the scanning source and the proposed date and time of the test. Customers cannot perform penetration tests or other scans on m1.small or t1.micro instances. This is to avoid adverse impacts on other customers sharing the same server.

Users of Google Compute Engine and App Engine should consult with the Terms of Service and Acceptable Use Policy before conducting cloud penetration testing. Google explicitly states that tests should only affect the tester's application, not other users or services. Google also has a Vulnerability Rewards Program to recognize the help of security researchers and professionals who find weaknesses in Google applications or services; it does not, however, apply to third-party applications.

Microsoft has a formal procedure for approving cloud penetration testing requests. The cloud provider asks customers to submit their request at least seven days in advance of the penetration test. If you find a potential vulnerability in Azure, you should report it to Microsoft. Microsoft offers expedited approvals for three common types of vulnerability tests: testing for OWASP top 10 Web vulnerabilities, fuzz testing endpoints and port scanning. Microsoft does not allow denial-of-service tests.

Cloud penetration testing is a valuable tool that has its place in cloud computing. The shared security model of cloud introduces some additional coordination challenges, but it is worth the effort.

Next Steps

Comparing penetration testing for cloud vs. on-premises systems

How to perform a penetration test for cloud

Strategies for AWS penetration testing

A penetration testing plan remains critical for cloud

This was last published in October 2015

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What has your experience been with cloud penetration testing for AWS, Google or Azure?
Cancel

-ADS BY GOOGLE

SearchServerVirtualization

SearchVMware

SearchVirtualDesktop

SearchAWS

SearchDataCenter

SearchWindowsServer

SearchCRM

Close