undefined | Better HN

0 pointsdannyw6d ago0 comments

You should not be conducting unauthorized penetration tests against third party infrastructure providers without permission. They have processes and systems and usually just wants a heads up of what you plan to test and t the duration / timestamps.

Cuz otherwise you look like a threat actor.

That’s assuming your vendor was pentesting AWS systems. If you meant you hired a vendor to pentest your own systems on AWS, that’s of course a totally different matter.

0 comments

kevin_nisbet6d ago

>That’s assuming your vendor was pentesting AWS systems. If you meant you hired a vendor to pentest your own systems on AWS, that’s of course a totally different matter.

Sorry for being unclear, the vendor was attacking our organization only, and any other company was expressly forbidden in the contract. As I recall it was a fake SSO sign-in page to collect credentials that they would try and social engineer our employees with.

Shank6d ago

At a minimum you should contact AWS before you launch a phishing page as a test that targets AWS customers.

Lukas_Skywalker6d ago

I understood it as a phishing page imitating their own system, targeting their own employees. Nothing related to AWS, except for being hosted there.

j / k navigate · click thread line to collapse