AWS Pen Test Form

This project is a tool to help automate filling in the AWS penetration testing form.

Before commencing penetration testing on assets in AWS, the form must be completed to request permission from Amazon. In the modern world of autoscaled instances the form appears, at first glance, to be fairly unhelpful. In these cases Amazon recommend listing all current instances as normal, btu adding a section in the comments that describes each autoscaling group and the instances current;y running therein. This helps them to apply the permission to the AS groups rather than to specific instances.

Filling in the form properly is tedious, especially when you need to exclude instance types that are not allowed to be pen tested. This tool uses the AWS SDK to generate that information for you.

Usage

In the releases section of this repo is a jar that can be executed directly.

java -jar pen-test-form.jar <AWS profile> [<aws region name>]

e.g.

java -jar pen-test-form.jar my-profile eu-west-1

The project uses the AWS credentials file so you should provide a profile to choose which account to use (just as you would when using the AWS CLI tool). More info is available in the AWS CLI documentation. Note that the credentials attached to this profile will need at least the following permissions:

• autoscaling:DescribeAutoScalingGroups
• ec2:DescribeInstances

The second argument is the AWS region to use when checking for AS groups and instances. This defaults to eu-west-1 for our (The Guardian's) convenience.

Output

The tool will output the details as text that you can copy into the pen test form. It will look a little like the following:

Instance IDs:
i-21fedcba
i-abcdef12

Instance IPs:
1.1.1.1
1.1.1.2

Comments:
Here are full details of the AS groups and current instances. The actual instances will change during routine scaling and deployments.

my-AutoscalingGroup-123456789
1.1.1.1	i-21fedcba (t2.medium)
1.1.1.2	i-abcdef12 (t2.medium)

These are the three form fields that are tedious to fill in. You'll still need to get the details for the other fields.

Invalid instances

AWS does not allow penetration testing to be performed on t1.small, t1.medium or t2.nano instance types. If you attempt to submit a request when these instance types are in use you'll be presented with a warning. This will describe which AutoScaling Groups are affected and which instances caused the problem. The affected instances will nto be included in the request and any AutoScaling Groups that have no valid instances will also be skipped.

Development / alternate usage

You can also check out the project and run it directly using sbt. Open a command line from within the project and execute the following:

./sbt "run <AWS profile> [<aws region name>]"

This will fetch all the dependencies, compile the project and execute it the same way as running the jar directly would.

Building

You can build your own jar by running the assembly command.

./sbt assembly

This will run the tests and then create a "fat jar" containing all the project's dependencies. You'll see the location the jar gets saved to near the bottom of that command's output.

[info] Packaging <path to jar>/pen-test-form.jar ...
[info] Done packaging.