How is cloud penetration testing different for AWS, Google, Azure?

Penetration tests help organizations spot vulnerabilities in their public cloud environments. But how are the testing requirements different for AWS, Google and Azure?

Many enterprise IT shops use cloud penetration testing to identify and address potential security weaknesses in their cloud computing environment. But, before performing a penetration test on a public cloud platform, it's important to understand your cloud provider's unique testing requirements.

Penetration tests simulate an actual attack, so coordinate with cloud providers before performing one. Here's what to know before performing a cloud penetration test on Amazon Web Services (AWS), Google Compute Engine and Microsoft Azure.

For AWS, customers have to submit a request form before conducting the test. The approval form collects information about who will conduct the test, third-party contact information, the IP addresses of the servers to be scanned, the scanning source, and the proposed date and time of the test. Customers cannot perform penetration tests or other scans on m1.small or t1.micro instances; this restriction exists to avoid adverse impacts on other customers sharing the same underlying server.

Users of Google Compute Engine and App Engine should consult the Terms of Service and Acceptable Use Policy before conducting cloud penetration testing. Google explicitly states that tests should only affect the tester's own application, not other users or services. Google also has a Vulnerability Rewards Program to recognize security researchers and professionals who find weaknesses in Google applications or services; it does not, however, apply to third-party applications.

Microsoft has a formal procedure for approving cloud penetration testing requests. The cloud provider asks customers to submit their request at least seven days in advance of the penetration test. If you find a potential vulnerability in Azure, you should report it to Microsoft. Microsoft offers expedited approvals for three common types of vulnerability tests: testing for OWASP Top 10 web vulnerabilities, fuzz testing endpoints and port scanning. Microsoft does not allow denial-of-service tests.

Cloud penetration testing is a valuable tool that has its place in cloud computing. The shared security model of the cloud introduces some additional coordination challenges with the provider, but the effort is worth it.
