I want to pentest websites and services programmed by our company, which is fine as long as we test it on our own infrastructure. What are the (legal) implications when pentesting our services once they have been deployed to other platforms like AWS, Azure, etc.? Since we technically do not own the target system (we just rented a share of it), would I have to get clearance from the hosters? Obviously their implementation of a hosted service greatly affects security, so I'd like to compare the differences to our own intranet hosting.

You need to stick to your IPs. As long as you are not trying to hack anything outside your own range, it should be OK. Regarding testing cloud storage: in this option you do not have your own IP address; therefore you should not perform brute-force attacks. That's the common-sense approach and it's the same as their policy: you can't pen-test services you do not own. – Aria 3 hours ago
In general, you're correct that you'll need the permission of the hosting company where you are scanning services deployed on their infrastructure. This is partially so that their Intrusion Detection Systems are aware that it's an authorised scan.

Both AWS and Azure have policies detailing the process and what's acceptable to test. The AWS one is here and the Azure one is here. If a hosting company doesn't have a published policy, it's worth contacting them to check.
