Introduction to penetration testing
Launching your EC2 instance is just the first step to becoming an AWS professional: securing your cloud resources is something you just can't ignore. In this course the experienced Linux System Administrator David Clinton will share some common best practices to enhance your infrastructure security.

You'll learn how to manage access to your instances with IAM and Multi Factor Authentication, how to encrypt your storage, how to keep your Linux instance updated with security patches, how to monitor your system and your network to ensure that nobody unauthorized is using your resources, and finally, the basic principles of penetration testing and how to use nmap to ensure that your security group is properly configured.

Who should take this course

This course is aimed even at beginners with little or no experience with cloud security. Some basic knowledge of Linux system administration, TCP/IP, and security topics is recommended.

To increase your knowledge, you may want to check our many AWS courses, in particular the ones introducing EC2 and S3. And why not take the challenge and try out a quiz?


Hi, and welcome to's video series on Site Security and particularly security for Amazon Web Services instances. In this video, we're going to talk about actively testing for site vulnerabilities or, as it's called, "penetration testing." It turns out there's a Linux distribution that's purpose-built for this function. It's called Kali Linux and it comes pre-installed with software like Nmap, which is a port scanner, Wireshark, which is a packet analyzer, and Aircrack-ng for testing wireless networks.

Let's launch an instance of Kali Linux. To do that we click on "Launch Instance." And you're not going to find it in the regular selection of instances. It's not quite that popular. However, you can get it from the Amazon AWS Marketplace by searching. Let's search Marketplace products for Kali. And we see that Kali Linux is available. It's free. Well, it's free-tier eligible, I should say. In other words, you can use it if you want to and if you need to on the lowest-powered Amazon instances. But it itself is available for free; there's no charge from Kali Linux for using this installation beyond any time charges that Amazon charges you.

Click on "Select," and "Continue." In our case, we're going to go with a micro instance, normally not recommended because it is rather underpowered. But for our purposes that's everything we need. The one detail I might point out is that Kali Linux comes with its own security group configuration. And that basically leaves only SSH open and nothing but SSH. You can edit that, you can choose your own, but we'll stick with Kali Linux's own default configuration. We'll review launch, click "Next" and launch. We'll in our case use an existing key pair. I first have to acknowledge that I have access to the selected private key file; in fact I do. And Kali Linux appears to be up and running.

We log into Kali via SSH using the username Kali, not the username Ubuntu, or username Root, or any other username. But Kali by definition and by default will answer to the username Kali.

Now the AWS version of Kali is actually a very minimal installation, and doesn't include a lot of the basic software we're going to need. So let's install Nmap right now. To do that we will, because Kali is part of the Debian family, run apt-get update to update the information this installation has of all the repository packages available to it. And then sudo apt-get install nmap.

Now that everything's installed we can run a trial test using "nmap -A," which will enable operating system and version detection, script scanning, and traceroute, and -T4, which apparently makes things run faster, and then the name of a domain we'd like to test. In our case, we're going with scanme, which is a site that the Nmap developers themselves have made available to test your installation. Hit "Enter" and wait a bit. This could actually take some time; we'll skip the waiting in this video. And we now see that Nmap has reported to us this site is up. It has port 22 TCP, which is of course SSH, open and listening. It tells us that port 80 is open and listening and using the Apache web server. This is, of course, as you know, the port that most browsers will use to access data from a website.

And it tells us that port 9929 is open using TCP. This information can be extremely useful to us, especially if we see there's a port open and a service available that we're not familiar with. If we didn't open the port and we didn't create this service and make it consciously available to outside users, then it could be that it's been left open inadvertently or it's been opened by someone out to get into our system illegally. Being aware of what's available and what's open is a very, very important step in securing our website.

I should point out that penetration testing looks and feels to the object of the test like an attack. The same tools that we can use to test the vulnerability of our system are also used by malicious hackers to break into our system. So as far as Amazon is concerned, the port tests coming at our instance could be just our own tests or could also be a malicious attack. Therefore, in order that there shouldn't be any confusion, Amazon requires that you actively request permission before beginning penetration testing. Within a day or two, Amazon says they will provide you with a limited time, a window within which you can do your penetration testing and it won't trigger any alarms. Once that window's closed, you shouldn't be doing it, and if anybody is launching tests against your instance that will again be interpreted as an attack.

About the Author

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.