What is a Cloud Service/Platform?
Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. It contrasts with other hosting and service provision models such as colocation (in which companies place their own servers and network equipment in rented space within a third-party managed data center) and on-premise self-hosting (the classic private data infrastructure operated within, and directly managed by, the company itself).
Large clouds often have functions distributed over multiple locations, each location being a data center. Cloud computing relies on sharing of resources to achieve economies of scale, typically using a "pay-as-you-go" model which can help in reducing capital expenditure.
Examples include Amazon AWS (including EC2), Microsoft Azure and Google Cloud Platform (GCP).
What is required from a technical perspective in order for AppCheck to scan a Cloud Service or Platform?
By default, all customers are able to use AppCheck to scan cloud-based web services where they are presented on a public IP address over the public internet. This is performed using our default "public" scan hubs. In order to scan the serving infrastructure, or any web services that are exposed only within a private cloud or VPC, it would typically be necessary for customers to deploy an AppCheck internal scan hub within their private cloud estate.
For further information on internal hubs see:
Which types of cloud service can AppCheck scan?
Cloud services such as AWS offer a suite of products in various categories, such as Compute (eg EC2, Kubernetes, ECS, Lambda), Storage, Database, CDN, and Analytics (eg CloudSearch). Some of these services are applicable to vulnerability scanning, but others are not. AppCheck performs vulnerability scanning by making requests across a network connection using protocols such as HTTP, so any service to be scanned must be reachable on a network (IP) address and port. Services that are not addressable by a network (IP) address and port cannot be scanned.
The most common form of service that customers are interested in scanning are Compute services. Below we outline the offerings from AWS and whether they can be scanned by AppCheck.
| Service | Scannable? | Notes |
|---|---|---|
| Servers | YES | Servers can be scanned using AppCheck Infra scanning. |
| Hosted web servers | YES | Hosted web servers can be scanned using AppCheck Web scanning. |
| Containers (web services) | YES | Web services presented by containers can be scanned using AppCheck Web scanning. |
| Containers (network services) | YES | Containers can be scanned using AppCheck Infra scanning only if they present one or more network ports. |
| Lambda functions | YES | Lambda functions cannot be scanned directly, but exposed HTTP/API services that trigger or use the functions can be scanned to detect vulnerabilities in them. |
| Simple Storage Service (S3) | YES | Buckets can be scanned for misconfiguration and permissions issues. |
| Relational DBs | YES | Relational DBs (eg MSSQL) cannot be scanned directly, but DB vulnerabilities can be detected via exposed Web and API integrations. |
| Document DBs | YES | Document DBs cannot be scanned directly, but DB vulnerabilities can be detected via exposed Web and API integrations. |
| NoSQL DBs | YES | NoSQL DBs cannot be scanned directly, but DB vulnerabilities can be detected via exposed Web and API integrations. |
| GraphDBs | YES | GraphDBs cannot be scanned directly, but DB vulnerabilities can be detected via exposed Web and API integrations. |
| CloudFront | YES | Web services screened by CloudFront can be scanned using AppCheck Web scanning. |
| API Gateway | YES | API services screened by API Gateway can be scanned using AppCheck Web scanning's integrated API scanning. |
Although the above table relates to AWS in particular, AppCheck's cloud scanning capabilities are broadly similar across most major cloud platforms, including Microsoft Azure and Google Cloud (GCP) for equivalent product/service types.
Are there any legal or contractual limitations with scanning cloud-hosted web services?
In addition to technical requirements for scanning cloud-based platforms such as AWS and Azure, there are also terms and conditions set by the platform providers, which are outlined below.
Please note: Information contained in this article refers (and links) to conditions set by cloud platform providers including Amazon and Microsoft. These are correct at time of writing but are not controlled by AppCheck so could change without notice. As a user it is your responsibility to confirm you are adhering to the latest rules from your platform providers. This is not only a part of your agreement with providers like Microsoft and Amazon, but also your agreement as a customer of AppCheck as per our acceptable usage policy: https://scanner.appcheck-ng.com/assets/acceptable_use_policy.pdf
Additionally, for an article covering broader concerns, please see our knowledgebase article:
What are Amazon's terms of service and conditions for scanning applications in AWS / EC2?
Before scanning your Application on Amazon's AWS / EC2 platform please review their policy as outlined here: https://aws.amazon.com/security/penetration-testing/
You may find the below information helpful when planning a test in AWS:
Scanning IP addresses (Source)
Scanning traffic can come from any of our scanning hubs, which are in the IP ranges specified here: AppCheck's IP Range
Total Bandwidth (Please provide expected Gbps)
Scanning traffic usually comes entirely from one scanning hub at a time, and therefore the maximum expected traffic will be 1Gbps. Usually the throughput will be much smaller, but this depends heavily on the application itself.
Instances excluded from scanning
AWS excludes t1.micro, m1.small, t3.nano and t2.nano instance types from being scanned, so please make sure you provision an instance large enough not to fall foul of this restriction.
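The prerequisites above (a target must be reachable on an IP address and port; private addresses need an internal hub; scanner traffic arrives from AppCheck's published source ranges; certain AWS instance types are excluded) can be checked before a scan is booked. The following pre-scan readiness checker is an added example and not AppCheck's own tooling; the scanner source CIDR is a placeholder to be replaced with the real published ranges, and the `readiness_report` and `ingress_rules` helpers are hypothetical names.

```python
"""Pre-scan readiness check for an AWS-hosted target (constructed example)."""
from __future__ import annotations

import ipaddress
import socket

# Instance types AWS excludes from scanning, as listed on this page (correct at time of writing).
EXCLUDED_INSTANCE_TYPES = {"t1.micro", "m1.small", "t3.nano", "t2.nano"}

# PLACEHOLDER: substitute AppCheck's published scanner source ranges before use.
SCANNER_SOURCE_RANGES = ["198.51.100.0/24"]


def resolve(host: str):
    """Accept an IP literal, or resolve a hostname to its first address record."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(socket.gethostbyname(host))


def required_hub(host: str) -> str:
    """'public' if the target sits on a globally routable address (default public hubs),
    otherwise 'internal' (an internal scan hub must be deployed in the private estate)."""
    return "public" if resolve(host).is_global else "internal"


def instance_type_allowed(instance_type: str) -> bool:
    """False for the instance sizes AWS excludes from scanning."""
    return instance_type.lower() not in EXCLUDED_INSTANCE_TYPES


def ingress_rules(port: int, protocol: str = "tcp") -> list[dict]:
    """Security-group ingress entries admitting scanner traffic to one port, in the
    IpPermissions shape accepted by the AWS CLI's authorize-security-group-ingress."""
    return [
        {"IpProtocol": protocol, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}
        for cidr in SCANNER_SOURCE_RANGES
    ]


def readiness_report(host: str, port: int, instance_type: str) -> dict:
    """Collect blocking problems plus the hub type and ingress rules the scan will need."""
    problems = []
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is not a valid network port; the service must be addressable by IP and port")
    if not instance_type_allowed(instance_type):
        problems.append(f"instance type {instance_type} is excluded from scanning by AWS")
    return {"hub": required_hub(host), "problems": problems, "ingress": ingress_rules(port)}
```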
Test types prohibited by Amazon
The following activities are prohibited at this time:
- DNS zone walking via Amazon Route 53 Hosted Zones
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)
Standard AppCheck scans do not perform any of this behaviour.
What are Microsoft's terms of service and conditions for scanning applications in Azure?
Microsoft Azure Pre-Authorisation for Testing
Microsoft no longer requires pre-approval to conduct penetration testing of Azure (see the statement at https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing). However, users must still comply with Microsoft's rules of engagement.
Microsoft Azure Rules of Engagement
Microsoft's Rules of Engagement for Azure are posted at https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement.
The following lists Microsoft's prohibited actions (at time of writing), and describes how this applies to AppCheck scanning: