Vulnerability Assessment and Penetration Testing in AWS for SOC 2 Compliance

SaaS providers are increasingly going for SOC-2 compliance to demonstrate strong security controls that have been audited by a third-party. The System and Organization Controls (SOC) for Service Organizations have a standardized set of Trust Services Criteria that report on controls relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need an independent assessment of the maturity of an outsourced service provider’s systems and the operating effectiveness of their controls. SaaS providers are increasingly using cloud-hosting services provided by Amazon Web Services (AWS) to deliver such outsourced services. Conducting a vulnerability assessment and penetration scan is an important activity that is increasingly sought after by SOC 2 auditors. stackArmor has developed a AWS specific solution to help SaaS providers rapidly detect and remediate vulnerabilities in their systems while staying within the bounds of the AWS terms of service.

Security Review Report  (SRR)

stackArmor has years of experience in security assessment and authorizations in compliance with NIST, FISMA, FedRAMP and HIPAA standards and has developed the Security Review Report (SRR) artifact as a first step for organizations to assess their risk posture. The SRR rapidly and cost-effectively detects and helps remediate issues commonly found in AWS cloud based workloads and applications. The Security Review Report includes the following components:

The infographic shows how a full-stack architecture review typically consists of the environment, application(s), data, operating system and the cloud platform that must be protected.  The actual current state of the security state is assessed by reviewing the structure, evaluating the software on the platform and the external exposure and threat surface available for attacks from the outside. The stackArmor Security Review Report (SRR) is a great light-weight starting point for organizations trying to assess their security posture.

Architecture Review

Creating a robust and secure architecture on AWS EC2 requires understanding core principles that ensure that the hosting environment is secure and robust to meet business and security standards for online systems. The architecture review consists of the following key elements:

Misconfigurations Scan

AWS cloud services need to be configured to ensure that security best practices are followed. Given that a lot of organizations may not be familiar with some of these best practices, stackArmor performs a scan of the configuration and setup using the EC2 API’s and covers key services to detect potential misconfigurations. The stackArmor ThreatAlert scan reviews the various settings and configurations of AWS components and services.  A sample of the services and their misconfigurations are illustrated in the table below.



Severity Score Cloud-specific Sub- category
Non-VPC RDS Security Group contains private RFC-1918 CIDR  



Security Group

RDS Security Group network larger than





Security Group

RDS Security Group subnet mask is /0 10 Security Group
RDS Security Group contains 5 Security Group
ELB is Internet accessible. 1 Elastic Load Balancer
SSL listener is not using the ELBSecurity Policy-2014-10 policy  



Elastic Load Balancer

Custom listener policies are discouraged. 8 Elastic Load Balancer
ELBSecurityPolicy-2011-08 is vulnerable and deprecated  



Elastic Load Balancer

ELBSecurityPolicy-2014-01 is vulnerable to poodle bleed  



Elastic Load Balancer

Unknown reference policy. 10 Elastic Load Balancer
SSLv2 is enabled 10 Elastic Load Balancer
SSLv3 is enabled 10 Elastic Load Balancer
Server Defined Cipher Order is Disabled.  



Elastic Load Balancer

Deprecated Cipher Used. 10 Elastic Load Balancer


Vulnerability Scan

The internal vulnerability scan is performed using tools to help identify presence of vulnerabilities as reported to the NIST’s CVE database by various vendors. Tools such as Amazon Inspector, Tenable Nessus or OpenSCAP are commonly used to detect such vulnerabilities. The findings are grouped into Critical, High, Medium and Low’s. The best practice is to remediate Critical and High. With a plan of action to remediate Medium’s and Low’s. It is very common for such vulnerabilities to show up in the system due to delays in applying patches that typically includes a yum update for Linux systems or a WSUS update for Windows. AWS services such as Amazon Systems Manager provides a native patching solution that provide a systematic solution.

Penetration Scan

An external penetration scan helps identify vulnerabilities in the exposed web application. Typically, this scan is performed in anonymous mode and authenticated mode. The penetration scan helps detect issues such as SQL injection, XSS, click-jacking and other common web application related vulnerabilities. The penetration scan is typically performed using tools such as Tenable Nessus or Metasploit amongst others.

Prior to beginning any scanning activity, it is important to follow the prescribed protocol and procedures mandated by AWS that includes submitting a request form and getting approvals.

All of the results from the architecture review, internal vulnerability scan, external penetration scan and remediation information are provided in a formal report along with an attestation letter. Typically 2 scans are included – one is a preliminary scan to assess the current state to allow the SaaS provider to remediate the findings and a second remediation scan is done to confirm that the findings have been remediated.

If you a SaaS provider going for a SOC 2 audit, ask us for more information and a sample of a Security Review Report (SRR). Send us an email at solutions @ stackArmor dot com or contact us by filling this form.