How is Cloud Web Application Penetration Test Different from Conventional testing

Question

As above topic?

For normal web application testing we are only given a URL and normal web user account.
What other things can we exploit from a cloud based url?
For example?
Misconfigured S3 Bucket
I only have come across the following so far:
https://github.com/VirtueSecurity/aws-extender
When I run this do I need to have other parameter in place?

2ndly, is it necessary to do a ScoutSuite on a top of a typical testing:
https://github.com/nccgroup/ScoutSuite

Lastly, give a URL how to get the s3:// details?

Answer

For a standard penetration test where the tester is given a user login and the public URL of the web app, it does not matter where/how that app is hosted. The actions required to mitigate/remediate any findings might be different for an app running on AWS, but the test process itself should be the same.

For assessing the security of your AWS account more generally, there are a number of tools available:
* [AWS Trusted Advisor](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/) provides a number of [security checks](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html) including for public Snapshots and S3 Objects, potential IAM misconfiguration, and unrestricted security group rules.
* The [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) of the [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc), which provides guidance and recommendations to design and operate secure AWS workloads. You can also self-assess your current workloads by conducting a [Well-Architected Framework Review](https://aws.amazon.com/well-architected-tool/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc) from the AWS console.
* Other [Security, Identity and Compliance](https://aws.amazon.com/products/security/) services that can help you address your data protection, logging, monitoring, and incident response needs on AWS.
* Third party tools, such as the ones you identified in your post.

For further assistance you might also consider engaging with a [AWS Security Competency Partner](https://aws.amazon.com/security/partner-solutions/?blog-posts-cards.sort-by=item.additionalFields.createdDate&blog-posts-cards.sort-order=desc&partner-solutions-cards.sort-by=item.additionalFields.partnerNameLower&partner-solutions-cards.sort-order=asc&awsf.partner-solutions-filter-partner-type=*all&awsf.Filter%20Name%3A%20partner-solutions-filter-partner-categories=*all&awsf.partner-solutions-filter-partner-location=*all&partner-case-studies-cards.sort-by=item.additionalFields.sortDate&partner-case-studies-cards.sort-order=desc&events-master-partner-webinars.sort-by=item.additionalFields.startDateTime&events-master-partner-webinars.sort-order=asc) - these partners are vetted by AWS and have a proven track-record of helping customers improve their cloud security posture.

Answer

As JamesB mentioned, from a pure "Web-application" penetration testing point of view, the cloud itself is irrelevant.

One of the questions a lot struggle with is the following: what do we call validating any misconfigurations in the Cloud as Penetration testing, or rather, Security auditing of/for/in the cloud?  One could be part of the other, or not at all.

In any case, to suggest specific tools, could you provide more info: 
1. Do you have access to the AWS accounts hosting the Web Application (such as ReadOnlyAccess)? 
2. Is the Web application hosted purely on S3, or EC2, ECS, EKS, etc? 
3. Or are you simply given a URL and a web-based user account and you are asked to perform a security pentest or audit purely from an attacker perspective on the internet?

How is Cloud Web Application Penetration Test Different from Conventional testing

Relevant content