Ask HN: Is it legal to attack your own honeypot if it's hosted on AWS?
3 points by TempaTaccount 4122 days ago
I'm a security researcher and digital forensics student.

I don't want myself or my colleagues/peers to get involved in any legal troubles when launching attacks against my own honeypot on AWS for testing purposes.

Has anyone got any experience with this? I see a lot of examples on the web of honeypots running on AWS but no legal discussion about launching attacks yourself. Does anyone know what Amazon's stance on this is?

Thanks in advance.

2 comments

If I were you, I would ask Amazon directly. In my experience companies are willing to speak candidly about what they do and do not allow with regards to penetration testing on their platforms.

For example, DigitalOcean has given me explicit permission to use their VPSs for authorized penetration testing and security auditing for clients.

Amazon in particular has a policy that requires written permission when testing AWS for both peripheral and direct auditing. This means that even if you're attacking a company hosted on AWS, you need Amazon's permission (as well as that company's), not just if you're attacking Amazon's AWS infrastructure directly. Now, you could say this means you've given yourself permission for attacking the honeypot, but you still need Amazon's permission for attacking AWS hosting the honeypot.

I am not a lawyer, but I am a security engineer, and I'd say this is likely fine in this particular scenario. However, I urge you to contact them directly or find an explicitly written public policy on the matter. Hacker News is not a good place to find a definitive answer on this.

Define 'attack'.

Setting up vulnerable software on your VPS and then exploiting vulnerabilities on that software to allow you, the owner of the VPS, to get root access in a method you would otherwise be unable to, is fine.

Exploiting the VPS itself to exercise a bug in Xen/whatever to gain access to the hypervisor, access you would not originally be granted, is much less clear cut. Amazon has a bug-bounty program for EC2, and would very much like to hear about bugs you find in this space though.

https://aws.amazon.com/security/vulnerability-reporting/

Definitely the former, not interested in attacking the hypervisor or AWS itself at all.

Just want to generate stuff to investigate in the honeypot.

Do not make it publicly available (e.g. put it behind a VPN). Otherwise someone might be faster than you to get root access and use your server for other illegal stuff (e.g. join a DDoS). You don't want that to happen, as it could be considered that you've been negligent.
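One way to verify that a honeypot's security group really is reachable only from the VPN, as an added example that is not from the thread: a small Python audit over a constructed security-group record laid out like one entry of boto3's `ec2.describe_security_groups()["SecurityGroups"]` (the group id, ports and CIDRs are placeholders, and no AWS call is made).

```python
import ipaddress

# Constructed sample record (assumption: field names follow boto3's
# describe_security_groups output). Rule 2 is the mistake the comment warns about.
HONEYPOT_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "GroupName": "honeypot-sg",
    "IpPermissions": [
        # SSH only from the VPN client range: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.8.0.0/24", "Description": "VPN clients"}],
         "Ipv6Ranges": []},
        # Decoy web service open to the whole internet: exposed
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # All protocols ("-1") from the VPN range: fine
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.8.0.0/24"}],
         "Ipv6Ranges": []},
    ],
}


def exposed_ingress(sg, allowed_cidrs):
    """Return (protocol, from_port, to_port, source_cidr) for every ingress
    source that is not contained in one of the allowed networks.
    An empty list means the group admits only the allowed (e.g. VPN) ranges."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr)
            # subnet_of() refuses mixed IPv4/IPv6, so compare versions first
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


if __name__ == "__main__":
    for finding in exposed_ingress(HONEYPOT_SG, ["10.8.0.0/24"]):
        print("exposed ingress:", finding)
```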