1 - Can all Amazon services be pentested?
Generally, yes. There’s essentially two categories of cloud offerings –
A – User-Operated Services – These cloud offerings are primarily created and configured by the users themselves, with little or no interaction with the hosting provider (such as EC2). Generally speaking, these can be thoroughly tested and have few restrictions except for denial of service (DDoS) and related disruptions to business continuity.
All security checks require the proper forms and process, as mentioned above.
B – Vendor Operated Services – Cloud offerings which are owned/operated by the by the vendor, and provided ‘as a service.’ Examples would be Gmail, Dropbox, Salesforce, and AWS services like Cloudfront and API Gateway. That’s not to say implementations of these don’t have vulnerabilities, but just that the testing focuses on implementation and configuration, rather than the infrastructure testing which is owned by the provider.
As we demonstrated with the S3 buckets, there are many misconfigurations, permissions, and implementation flaws which can make an individual instance vulnerable to compromise, but penetration testing on those platforms doesn’t involve attacking the cloud provider infrastructure itself.