upvote

points

by tjpnz3 hours ago |
comments
upvoteby kevin_nisbet3 hours ago|
next
[-]
Do they?

The only anecdotal thing I've seen is we hired a vendor to do a pentest a few years ago, and they setup some stuff in an AWS account and that account got totally yeeted out of existence by AWS if memory serves.

reply
upvoteby dannyw3 hours ago|
parent|
next
[-]
You should not be conducting unauthorized penetration tests against third party infrastructure providers without permission. They have processes and systems and usually just wants a heads up of what you plan to test and t the duration / timestamps.

Cuz otherwise you look like a threat actor.

That’s assuming your vendor was pentesting AWS systems. If you meant you hired a vendor to pentest your own systems on AWS, that’s of course a totally different matter.

reply
upvoteby kevin_nisbet2 hours ago|
parent|
[-]
>That’s assuming your vendor was pentesting AWS systems. If you meant you hired a vendor to pentest your own systems on AWS, that’s of course a totally different matter.

Sorry for being unclear, the vendor was attacking our organization only, and any other company was expressly forbidden in the contract. As I recall it was a fake SSO sign-in page to collect credentials that they would try and social engineer our employees with.

reply
upvoteby Shank1 hours ago|
parent|
[-]
At a minimum you should contact AWS before you launch a phishing page as a test that targets AWS customers.
reply
upvoteby Lukas_Skywalker6 minutes ago|
parent|
[-]
I understood it as a phishing page imitating their own system, targeting their own employees. Nothing related to AWS, except for being hosted there.
reply
upvoteby alchemism3 hours ago|
parent|
prev|
next
[-]
I’m fairly certain you are supposed to contact any vendor before attempting to penetrate hosts with authorization, not the other way around.
reply
upvoteby coredog643 hours ago|
parent|
[-]
Having done this for both Azure and AWS, there's a specific ticket that needs to be filed with each provider that documents the scope of your pen test, where you're coming from, and a time frame over which you're doing it (which ISTR was "not more than 24 hours")
reply
upvoteby mixdup3 hours ago|
parent|
prev|
next
[-]
Responding to an unknown security tester like that is a selling point, not a cautionary tale
reply
upvoteby kevin_nisbet2 hours ago|
parent|
[-]
Yup, I thought it was great. Although one concern I always had in the back of my mind was where is the line drawn. Such as if an adversary gains access to one of my orgs accounts and does something similar, do we get 100% taken out.
reply
upvoteby 2 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby cherioo3 hours ago|
prev|
[-]
They better do. What is google doing?
reply
upvoteby Gigachad3 hours ago|
parent|
[-]
It's all AI powered
reply