Skip to content

AWS Pentest

Design Partners Only

This feature is currently only available to select Design Partners. For more information, please reach out to your Customer Success or Sales contact.

The NodeZero AWS Pentest is a white-box style pentest that utilizes a role with read only permissions to comprehensively assess the security of your AWS accounts.

Why should I run a NodeZero AWS Pentest?
How to Run an AWS Pentest

Why should I run a NodeZero AWS Pentest?

An AWS pentest is a security test focused on determining the exploitable weaknesses that exist in an AWS account that an attacker could utilize to negatively impact the organization.

The NodeZero AWS Pentest is a white-box style pentest because without being able to see what exists in an AWS account it is impossible to assess the security of it. With read-only permissions NodeZero gains a comprehensive view of your AWS account and is able to determine the exploitable weaknesses that could most negatively impact your organization.

While a black-box pentest is the most realistic, a white-box approach is often necessary to find the most critical weaknesses that given enough time an attacker will find.

How to Run an AWS Pentest

To conduct an AWS Pentest you must first set up an AWS cloud connection. An AWS cloud connection is what enables NodeZero to assume a role in your AWS account. These cloud connections are long-lived meaning you only need to set up one cloud connection for each of your AWS accounts. An AWS Pentest can utilize more than one connection.

Create an AWS Cloud Connection

1. Navigate to Cloud Connections

Navigate to the Cloud Connections page, you will need to create a cloud connection for each of your AWS accounts you would like to test.


2. Click create Cloud Connection

On the Cloud Connections page, click + Connection to open the connection creation form.


3. Configure the Cloud Connection

Name the Cloud Connection and provide an AWS account ID. Click Submit.


4. Launch the CloudFormation Stack

What permissions are needed to deploy the CloudFormation stack?

  • cloudformation:CreateStack
  • iam:GetRole
  • iam:CreateRole
  • iam:PutRole
  • iam:AttachRolePolicy

Log in to the AWS account you specified in the previous step.

Click the CloudFormation Launch Stack button.


You will be re-directed to a pre-populated AWS "Quick create stack" form. Select the acknowledge check-box and click create stack.



Instead of using the Launch Stack button, you can use the AWS CLI and the CloudFormation CLI command provided in the Create Connection form.

5. Verify that the Connection was created properly

After the CloudFormation stack has successfully been created, click the Verify button to confirm that the role was created properly. Cloud connections will be automatically re-verified once every 24 hours. You can manually re-verify a connection by using the action menu in the connection table.


Start an AWS Pentest

1. Navigate to Pentests to Run an AWS Pentest

Once a Cloud Connection is created and verified, you may navigate to the Pentests page to start an AWS pentest. Click + Run Pentest to open the Pentest Configuration and select AWS Pentest.


2. Configure the AWS Pentest

2.1 Select the Cloud Connections

Name the AWS Pentest, select a pentest template, and select the cloud connections you would like to use.


Only verified connections will appear when running a pentest.


2.2 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit. Click Next.

2.3 Review the AWS Pentest Configuration

Once satisfied with your pentest selections, check the box to indicate you represent and have the legal authority to conduct's AWS Penetration Testing. Then click Run Pentest.