Certified Security - Specialty

Sign Up Free or Log In to participate!

Kali Linux AMI for Pentesting

Has anyone implemented Kali Linux AMI for pen-testing and if I’m using it to only pen-test applications or resources back in my data center, do I have to inform AWS?

1 Answers

I have created an AMI with Kali in the past (when there wasn’t an AMI available in the AWS Marketplace), but it’s much easier to do nowadays and you have several options available; please see my notes below as well as the answer to your question about penetration testing.

Option One: Use the Kali Linux AMI from Offensive Security in the AWS Marketplace. Please see here: https://aws.amazon.com/marketplace/pp/B01M26MMTT

Option Two: Create an Ubuntu EC2 instance and install Kali using “apt-get install kali-linux-full”, the complete set of instructions can be found here: https://www.alienvault.com/blogs/security-essentials/configuring-kali-linux-on-amazon-aws-cloud-for-free

Option Three: Build your own AMI using a bootstrap script (I wouldn’t recommend this option). You can find details regarding this on the Internet.

Penetration Testing AWS Resources

The answer to your other question is “yes”, AWS does require express authorization before performing any type of penetration test or vulnerability assessment scanning of any cloud based assets (regardless of whether you own them or not). AWS refers to this as “Simulated Event Testing” and you can find the form that you need to complete along with additional information here: https://aws.amazon.com/security/penetration-testing/

PERFORM THE FOLLOWING STEPS IF YOU CAN’T RUN “apt-get install Kali-linux-full” FROM ABOVE:

root@ubuntu-vm:~# cp /etc/apt/sources.list /etc/apt/sources.list.bak

Now, append the following to the bottom of your “/etc/apt/sources.list” file:

deb http://http.kali.org/kali kali-rolling main contrib non-free

deb http://http.kali.org/kali sana main non-free contrib

deb http://security.kali.org/kali-security sana/updates main contrib non-free

deb http://old.kali.org/kali moto main non-free contrib

root@ubuntu-vm:~# apt-get update && apt-cache search kali-linux

root@ubuntu-vm:~# apt-get -y install kali-linux-full

Moz

Thanks for your reply dwhitfield! Do you have to inform AWS even if you are not testing any of AWS services, but only using the AMI to test on-premise applications or systems?

jlalcazar

It says that yoy need authorisation, even for outgoing tests : "Please complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for penetration testing to or originating from any AWS resources. There are several important things to note about penetration testing requests

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?