Has anyone implemented Kali Linux AMI for pen-testing and if I’m using it to only pen-test applications or resources back in my data center, do I have to inform AWS?
I have created an AMI with Kali in the past (when there wasn’t an AMI available in the AWS Marketplace), but it’s much easier to do nowadays and you have several options available; please see my notes below as well as the answer to your question about penetration testing.
Option One: Use the Kali Linux AMI from Offensive Security in the AWS Marketplace. Please see here: https://aws.amazon.com/marketplace/pp/B01M26MMTT
Option Two: Create an Ubuntu EC2 instance and install Kali using “apt-get install kali-linux-full”, the complete set of instructions can be found here: https://www.alienvault.com/blogs/security-essentials/configuring-kali-linux-on-amazon-aws-cloud-for-free
Option Three: Build your own AMI using a bootstrap script (I wouldn’t recommend this option). You can find details regarding this on the Internet.
Penetration Testing AWS Resources
The answer to your other question is “yes”, AWS does require express authorization before performing any type of penetration test or vulnerability assessment scanning of any cloud based assets (regardless of whether you own them or not). AWS refers to this as “Simulated Event Testing” and you can find the form that you need to complete along with additional information here: https://aws.amazon.com/security/penetration-testing/
PERFORM THE FOLLOWING STEPS IF YOU CAN’T RUN “apt-get install Kali-linux-full” FROM ABOVE:
root@ubuntu-vm:~# cp /etc/apt/sources.list /etc/apt/sources.list.bak
Now, append the following to the bottom of your “/etc/apt/sources.list” file:
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb http://old.kali.org/kali moto main non-free contrib
[email protected]:~# apt-get update && apt-cache search kali-linux
[email protected]:~# apt-get -y install kali-linux-full
Thanks for your reply dwhitfield! Do you have to inform AWS even if you are not testing any of AWS services, but only using the AMI to test on-premise applications or systems?
It says that yoy need authorisation, even for outgoing tests : "Please complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for penetration testing to or originating from any AWS resources. There are several important things to note about penetration testing requests