Articles in this section

See more

Can I use AppCheck to scan Cloud Services such as Amazon AWS/EC2, Micorosft Azure, and Google Could Platform (GCP)?

Avatar
Daniel Adams
  • Updated
Follow

What is a Cloud Service/Platform?

Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. It contrasts specifically to other hosting/service provision models such as colocation (in which companies place their servers and network equipment in a rented space within a third-party managed data center environment) and on-premise self-hosting (the classic private data infrastructure used within and directly managed by companies themselves) compute/hosting arrangements.

Large clouds often have functions distributed over multiple locations, each location being a data center. Cloud computing relies on sharing of resources to achieve economies of scale, typically using a "pay-as-you-go" model which can help in reducing capital expenditure.

Examples include Amazon AWS (including EC2), Microsoft Azure and Google Cloud Platform (GCP).

 

What is required from a technical perspective in order for AppCheck to scan a Cloud Service or Platform?

AppCheck is able to scan cloud-based web services where they are presented on a public IP address over the public internet. In order to scan the serving infrastructure, or any web services that are exposed only within a private cloud or VPC, it would typically be necessary for customers to deploy an AppCheck internal scan hub within their private cloud estate.

For further information on internal hubs see:

 

Are there any legal or contractual limitations with scanning cloud-hosted web services?

In addition to technical requirements for scanning cloud-based platforms like Azure, there are also terms and conditions set by the platform providers, which are outlined below.

Please note: Information contained in this article refers (and links) to conditions set by cloud platform providers including Amazon and Microsoft.  These are correct at time of writing but are not controlled by AppCheck so could change without notice.  As a user it is your responsibility to confirm you are adhering to the latest rules from your platform providers.  This is not only a part of your agreement with providers like Microsoft and Amazon, but also your agreement as a customer of AppCheck as per our acceptable usage policy: https://scanner.appcheck-ng.com/assets/acceptable_use_policy.pdf 

Additionally, for an article covering broader concerns, please see our knowledgebase article:

 

What are Amazon's terms of service and conditions for scanning applications in AWS / EC2?

Before scanning your Application on Amazon's AWS / EC2 platform please review their policy as outlined here: https://aws.amazon.com/security/penetration-testing/ 

You may find the below information helpful when planning a test in AWS:

Scanning IP addresses (Source)

Scanning traffic can come from any of our scanning hubs, which are in the IP ranges specified here: AppCheck's IP Range

Total Bandwidth (Please provide expected Gbps)

Scanning traffic usually comes entirely from one scanning hub at a time, and therefore the maximum expected traffic will be 1Gbps. Usually the throughput will be much smaller, but this depends heavily on the application itself.

Instances excluded from scanning

AWS exclude t1.micro, m1.small, t3.nano and t2.nano from being scanned so please make sure you provision an instance large enough to not fall foul of this.

Test types prohibited by Amazon

The following activities are prohibited at this time:

o DNS zone walking via Amazon Route 53 Hosted Zones
o Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
o Port flooding
o Protocol flooding
o Request flooding (login request flooding, API request flooding)

Standard AppCheck scans do not perform any of this behaviour.

 

What are Microsoft's terms of service and conditions for scanning applications in Azure?

Microsoft Azure Pre-Authorisation for Testing

Microsoft no longer require pre-approval to conduct pen-testing of Azure (see statement at https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing). However, users must still comply with their rules of engagement.

Microsoft Azure Rules of Engagement

Microsoft's Rules of Engagement for Azure are posted at https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement

The following lists Microsoft's prohibited actions (at time of writing), and describes how this applies to AppCheck scanning:

"Scanning or testing assets belonging to any other Microsoft Cloud customers."
It is the responsibility of the AppCheck customer to ensure that you scan only your own assets, or assets whose owner has given you explicit permission.

"Gaining access to any data that is not wholly your own."
It is the responsibility of the AppCheck customer to ensure that you scan only your own assets, or assets whose owner has given you explicit permission.

"Performing any kind of denial of service testing."
AppCheck does not perform volumetric or Denial of Service (DoS) attacks

"Performing network intensive fuzzing against any asset except your Azure Virtual Machine"
AppCheck performs "fuzzing" of web application endpoints, by design - you can read our FAQ on this at https://appcheck.zendesk.com/hc/en-us/articles/360022904274-Why-does-AppCheck-make-so-many-HTTP-request-to-my-site-or-domain-.
It is the responsibility of the AppCheck customer to ensure that you scan only your own assets, or assets whose owner has given you explicit permission.

"Performing automated testing of services that generates significant amounts of traffic."
AppCheck scans are automated, but it is not clear what Microsoft considers a "significant" amount of traffic. AppCheck scan traffic is generally not considered to be high in terms of throughput (Gbps) but it is high in terms of protocol usage (e.g. HTTP request/sec) - however not at a level that would threaten platform service.

"Deliberately accessing any other customer’s data."
It is the responsibility of the AppCheck customer to ensure that you scan only your own assets, or assets whose owner has given you explicit permission.

"Moving beyond “proof of concept” repro steps for infrastructure execution issues (i.e. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not)."
AppCheck performs proof of concept testing and display the results of this in the results findings. We do not attempt to further exploit vulnerabilities discovered beyond this.

"Using our services in a way that violates the Acceptable Use Policy, as set forth in theMicrosoft Online Service Terms."
AppCheck do not monitor or observe the terms of external providers such as Microsoft.  It is the responsibility of the AppCheck customer to ensure that you accept and conform to the terms for the products you are licenced for.

"Attempting phishing or other social engineering attacks against our employees."
AppCheck does not perform phishing or other social engineering attacks.

Related articles

Comments

0 comments

Please sign in to leave a comment.