When you run a vulnerability assessment on AWS, you have to file a request stating that you are doing it intentionally and that both the source and the destination have been identified.
This time I filed a request for a penetration test that stays entirely within a single VPC; the procedure differs somewhat from a request for testing from the outside, so I am summarizing it here.
The key point is that the source IP and the destination IP are reported as private addresses.
When the test is contained within one VPC (in this case, even within one subnet), you must file the request using private addresses.
Some time after submitting, if the request is approved, you receive an email in the following format.
Hello,
Thank you for contacting us. We have received your request for authorization for penetration testing.
Your request as detailed below has been approved.
Your authorization number is: XXXXXXXXXX
As a reminder,
- you have agreed to abide by the Terms and Conditions and AWS’s Procedures Regarding the Use of Security Assessment Tools and Services. You can review what you have agreed to at https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest
- you have agreed to abide by Amazon Web Services Customer Agreement available at http://aws.amazon.com/agreement/
- if you discover any vulnerabilities or other issues that are the direct result of AWS, you have agreed to contact aws-security@amazon.com within 24 hours of completion of your testing.
Best regards,
AWS CUSTOMER SERVICER NAME
http://aws.amazon.com
---- Original message: ----
AWS AccountId XXXXYYYYZZZZ
Name YOUR NAME
CompanyName
Email EMAIL@YOUR.DOMAIN
AccountNumber XXXXYYYYZZZZ
AdditionalEmail
ThirdPartyContact THIRD PARTY CONTACT
ScannedIPAddrs 172.31.BBB.BBB
InstancesAre source
target
InstanceIDs i-XXXXXXXX
i-YYYYYYYY
SourceIPAddrs 172.31.AAB.AAA
Region TOK
Timezone gmt+9
StartDateandTime YYYY-MM-DD hh:mm
EndDateandTime YYYY-MM-DD hh:mm
Comments
TermsAndConditions i-agree
ScanPolicyAgreement i-agree
If, unfortunately, the request is not approved, you receive an email like the following; re-check the contents and resubmit.
Hello,
Thank you for your email. While verifying your request we found that the provided source IPs do not conform to our policies for testing. You are welcome to have that company contact us so that we can remedy this directly with them in order for your testing to proceed.
We apologize for any inconvenience this may cause. Please feel free to contact us with any questions.
Best regards,
AWS CUSTOMER SERVICER NAME
http://aws.amazon.com
---- Original message: ----