28

I want to pentest websites and services programmed by our company, which is fine as long as we test it on our own infrastructure. What are the (legal) implications when pentesting our services once they have been deployed to other platforms like AWS, Azure etc? Since we technically do not own the target system (we just rented a share of it), would I have to get clearance from the hosters? Obviously their implementation of a hosted service greatly affects security, so I'd like to compare the differences to our own intranet hosting.

knipp
  • You need to stick to your IPs. As long as you are not trying to hack anything outside your own range, you should be OK. Regarding testing cloud storage, in this option you do not have your own IP address, therefore you should not perform brute-force attacks. That's the common sense approach and it's the same as their policy: you can't pen-test services you do not own. – Aria Dec 23 '16 at 16:03
  • Even if you do not own the ip "space", it is still your ip if you are reserving it. Terms and conditions should be followed, but the cloud is routinely used as a sand pit in this way. Move to a heavyweight provider, not a "hosting" provider. A hosting provider may argue that your traffic affects their other clients. – mckenzm Dec 25 '16 at 01:05

3 Answers

43

In general, you're correct that you'll need the permission of the hosting company where you are scanning services deployed on their infrastructure. This is partially so that their Intrusion Detection Systems are aware that it's an authorised scan.

Both AWS and Azure have policies detailing the process and what's acceptable to test. The AWS one is here and the Azure one is here. If a hosting company doesn't have a published policy, it's worth contacting them to check.

It can also depend on the exact service that you're using from the cloud hosting provider. For example, AWS allows you to test IaaS-style offerings such as AWS EC2, where the customer is responsible for the operating system, but not SaaS offerings like AWS S3, where Amazon are responsible for the operating system and associated software. Azure, however, appears to have a more wide-ranging policy where you can test any services you own.

Test types can also be restricted; for example, DoS testing may well not be allowed, as obviously that can have an effect on the cloud provider.

For "traditional" hosting it generally depends on the type of service you have. If you're using shared hosting where you just have access to the webroot, you may well be restricted from testing, as obviously there's a risk of affecting other users on the same server. However, where you have a full OS image (e.g. DigitalOcean Droplets) you tend to be OK as long as you've notified them (in the case of DigitalOcean, via a support ticket).

There's also a longer list of where to go for different companies here.

Rory McCune
  • I went ahead and checked back with one hoster where we have a managed server to host a few websites, and they put my company IP address on a whitelist, so thanks for mentioning that. I don't want to test DoS attacks and rather focus on those that only affect the sites themselves, like SQLi. – knipp Dec 25 '16 at 18:24
7

You should also check with your ISP. Depending on government regulations and their own operating policies, they could be required to block your pentest actions if detected, or cancel your service completely. They may even be required to report you to law enforcement agencies.

Mike Lane
2

In addition to the ISP consideration in the answer by "Mike Lane", bear in mind that you are also going to pentest over networks that are the property of different entities, which belong to the state in general; so you are not automatically granted permission for that kind of activity.

If you could rent another share or VPS within the same infrastructure as your services, from there you are safe to pentest under a single entity's policies.

elsadek
  • I'm not sure what you mean by "over networks that are the property of different entities"... Are you saying that to send a packet from A (your home) to B (your EC2 instance) you need explicit permission from all the intermediate infrastructure's owners? – GnP Dec 27 '16 at 18:07
  • You need to check with the local regulation; if there is none, you still need to be careful, as sending packets during a pentest could be suspicious. – elsadek Dec 27 '16 at 19:21
  • I'm still not sure what you mean. "Pentesting" is not a specific action that can be identified as such out of context. A GET request to a webserver could be part of a pentest or a "normal" user browsing the page. Would it be possible for you to expand your answer with a specific example of what kind of situation you have in mind? Thanks! – GnP Dec 27 '16 at 19:27
  • I'm not an expert on regulation, but it all boils down to that, whatever the action you run. – elsadek Dec 27 '16 at 19:37
  • Sorry, -1, this answer is [not even wrong](https://en.wikipedia.org/wiki/Not_even_wrong) – GnP Dec 27 '16 at 19:45
  • I believe my answer brings a valuable insight; kindly don't mind the downvote. – elsadek Dec 27 '16 at 20:23