Ask HN: Is it legal to attack your own honeypot if it's hosted on AWS? - TempaTaccount

I'm a security researcher and digital forensics student.

I don't want myself or my colleagues/peers to get involved in any legal troubles when launching attacks against my own honeypot on AWS for testing purposes.

Has anyone got any experience with this? I see a lot of examples on the web of honeypots running on AWS but no legal discussion about launching attacks yourself. Does anyone know what Amazon's stance on this is?

Thanks in advance.
======
dsacco
If I were you, I would ask Amazon directly. In my experience companies are
willing to speak candidly about what they do and do not allow with regards to
penetration testing on their platforms.

For example, DigitalOcean has given me explicit permission to use their VPSes
for authorized penetration testing and security auditing for clients.

Amazon in particular has a policy that requires written permission when
testing AWS for both peripheral and direct auditing. This means that even if
you're attacking a company hosted on AWS, you need Amazon's permission (as
well as that company's), not just if you're attacking Amazon's AWS
infrastructure directly. Now, you could say this means you've given yourself
permission for attacking the honeypot, but you still need Amazon's permission
for attacking AWS hosting the honeypot.

I am not a lawyer, but I am a security engineer, and I'd say this is likely
fine in this particular scenario. However, I urge you to contact them directly
or find an explicitly written public policy on the matter. Hacker News is not
a good place to find a definitive answer on this.

------
fragmede
Define 'attack'.

Setting up vulnerable software on your VPS and then exploiting vulnerabilities
on that software to allow you, the owner of the VPS, to get root access in a
method you would otherwise be unable to, is fine.

Exploiting the VPS itself to exercise a bug in Xen/whatever to gain access to
the hypervisor, access you would not originally be granted, is much less clear
cut. Amazon has a bug-bounty program for EC2, and would very much like to hear
about bugs you find in this space though.

[https://aws.amazon.com/security/vulnerability-reporting/](https://aws.amazon.com/security/vulnerability-reporting/)

~~~
TempaTaccount
Definitely the former, not interested in attacking the hypervisor or AWS
itself at all.

Just want to generate stuff to investigate in the honeypot.

~~~
mobiplayer
Do not make it publicly available (e.g. put it behind a VPN). Otherwise
someone might be faster than you to get root access and use your server for
other illegal stuff (e.g. join a DDoS). You don't want that to happen, as it
could be considered that you've been negligent.
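One way to verify the advice above, that the honeypot's security group only admits traffic from your VPN range, is to audit the group's ingress rules for any source CIDR that falls outside the allowed networks. The script below is an added example, not code posted in this thread. It parses JSON in the shape that `aws ec2 describe-security-groups` returns, but the sample document, the group id `sg-0123456789abcdef0`, the VPN range `10.8.0.0/24` and the ports are all constructed placeholders; in practice you would feed it the real CLI output and your own VPN CIDR.

```python
"""Flag honeypot security-group ingress rules that are reachable from outside
the operator VPN.

Added example for this thread, not code from the original post.  The JSON
below is constructed to mirror the layout of `aws ec2 describe-security-groups`
output; the group id, CIDRs and ports are placeholders.
"""
import ipaddress
import json

# Constructed sample: one group with a world-open SSH rule, a VPN-only HTTP
# rule, and an "all traffic" rule open to every IPv6 address.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "honeypot-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        }
    ]
})

# Placeholder: the address range operators connect from once on the VPN.
VPN_CIDRS = ("10.8.0.0/24",)


def _cidr_allowed(cidr, allowed_cidrs):
    """True when `cidr` lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in allowed_cidrs:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def _port_label(perm):
    """Human-readable protocol/port description for one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # AWS encodes "all protocols" as -1
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None:
        return proto
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def find_exposed_rules(describe_json, allowed_cidrs=VPN_CIDRS):
    """Return (group_id, protocol/ports, source_cidr) for every ingress rule
    whose source range is not contained in `allowed_cidrs`."""
    findings = []
    data = json.loads(describe_json)
    for group in data["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not _cidr_allowed(cidr, allowed_cidrs):
                    findings.append((group["GroupId"], _port_label(perm), cidr))
    return findings


if __name__ == "__main__":
    for group_id, ports, cidr in find_exposed_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: {ports} open to {cidr} (outside VPN range)")
```

Run against the constructed sample it reports the SSH rule open to `0.0.0.0/0` and the all-traffic rule open to `::/0`, while the HTTP rule scoped to the VPN range passes. The check is containment, not equality, so a rule narrower than the VPN range is still accepted.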

