How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

AWS Pen Test: A Practical End-to-End Guide (2026)

Your team has shipped fast. The product works. Customers are logging in, files are landing in S3, background jobs are running, and someone has finally asked the uncomfortable question: have we tested the AWS estate like an attacker would?

That question usually arrives late. A CTO sees a growing list of services in the console. A startup moves from one EC2 box to Lambda, ECS, RDS, and managed queues. Someone enabled public access during a launch week and forgot to roll it back. An aws pen test becomes urgent not because the team suddenly cares about security, but because the stack is now complex enough that nobody can hold the whole threat model in their head.

That is the right time to do it.

A useful AWS penetration test is not a box-ticking exercise. It is a controlled attempt to answer three practical questions. What can an outsider see? What can a low-privileged insider reach? What chains together in ways your architecture diagram does not show? If you approach it with that mindset, the test produces decisions, not just findings.

Laying the Groundwork for a Safe AWS Pen Test

The first mistake teams make is treating AWS like a normal network perimeter. It is not. In a live cloud estate, one weak IAM trust policy can matter more than five patched servers. One public bucket can do more damage than a noisy port scan.

In the UK, cloud misconfigurations have been a leading cause of data breaches, with many companies reporting at least one cloud security incident in the past year, and server security misconfigurations made up 38% of vulnerability categories in 2022 pentests, which maps directly to AWS issues such as public S3 buckets and over-permissive IAM policies, as noted in this AWS penetration testing guide.

A hand holding a pen drawing a diagram on paper connecting AWS to scope, rules and goals.

Read the AWS policy before you touch production

AWS allows customers to test their own infrastructure on approved services without prior approval, but that does not mean anything goes. You still need to stay inside the services and activities AWS permits, and you need to avoid prohibited actions such as S3 bucket takeover attempts.

That matters for two reasons:

Safety. A sloppy test can degrade production or trigger rate limits.
Evidence quality. If the method is reckless, the result is hard to trust.

A mature Rules of Engagement document is usually short. It names the AWS accounts in scope, the regions, the environments, the external domains, the test windows, and the hard stops. It also states what counts as proof. For example, many teams permit read-only validation of exposed data but prohibit modification, deletion, or persistence.

Tip: If you cannot explain in one page what the tester may access, exploit, and stop short of, the scope is not ready.

Scope the attack paths, not just the assets

A weak scope lists services. A better scope lists business-critical paths.

If I am guiding a first aws pen test, I usually ask the team to define scope in layers:

Customer entry points. Public web apps, API Gateway routes, mobile backends, static sites, CloudFront origins.
Identity layer. IAM users, roles, trust relationships, federated access, CI/CD identities, break-glass accounts.
Data layer. S3 buckets, RDS, secrets stores, queues, snapshots, backups.
Compute layer. EC2, Lambda, ECS tasks, build agents, admin bastions.
Control plane paths. Anything that lets one compromise turn into wider access.

Such situations require trade-offs.

A very broad scope creates noise. You spend days cataloguing low-value assets while missing how one CI role can write to a production bucket. A very narrow scope misses cross-service chains. You test the app, but not the role attached to the worker that processes uploads from that app.

Write Rules of Engagement that match how your stack runs

For startups and agile teams, production is often the only environment that resembles production. That creates tension. You need realism, but you cannot afford downtime.

A workable RoE usually includes:

| Area | What to define | | :-------------------------- | :---------------------------------------------------------- | | Accounts and environments | Which AWS accounts are in scope, and whether production is included | | Permitted methods | External recon, authenticated review, limited exploitation, post-exploit validation | | Forbidden actions | Data destruction, persistence, lateral movement outside scope, service exhaustion | | Logging and comms | Slack or Teams war room, named incident contact, tester check-ins | | Proof standard | Screenshots, CLI evidence, role assumption proof, controlled file access |

Avoid the three planning failures

Teams new to AWS testing often fall into the same traps.

Testing only the web tier. In AWS, the web tier is often just the front door. The primary weakness sits in a role, bucket policy, or task definition.
Ignoring shared responsibility boundaries. AWS secures the platform. You secure configuration, access, and data handling.
Starting without rollback thinking. If a test action succeeds, your team should already know how to reverse the condition and validate the fix.

A good aws pen test starts before a single command runs. It starts when the team agrees what risk they are trying to surface, what evidence they need, and how far they are willing to go to prove it.

Mapping Your AWS Attack Surface Like an Attacker

Teams often underestimate how much they expose accidentally.

They know the main app domain. They know the production VPC. They often do not know about the old admin subdomain pointing at an AWS-hosted service, the forgotten bucket tied to a marketing upload flow, or the test EC2 instance that still accepts remote access because nobody cleaned up a security group.

Infographic

A serious attack surface review starts with restraint. Good testers do not rush to exploit. They build a map first.

Start with passive and semi-passive recon

For internet-facing discovery, tools like amass and subfinder are practical because they help you assemble a list of subdomains and AWS-linked assets without charging into active exploitation. Then Nmap can tell you which services are reachable on exposed hosts.

This stage is often more productive than teams expect. A rigorous reconnaissance and discovery phase using tools like amass and CloudMapper can achieve high success in detecting public exposures, and overlooking security group rules that allow remote access is a known problem. 62% of UK financial sector breaches stemmed from unpatched EC2 exposures tied to this kind of weakness, according to the figures discussed in Vaadata’s AWS penetration testing methodology.

Build the map in two views

Attackers care about two different pictures.

The outside-in view

This view asks:

What public hostnames resolve to AWS-managed services?
Which EC2 instances expose services directly?
Are any API Gateway endpoints discoverable but undocumented?
Do any S3 buckets disclose content, object names, or policy details?
Are there old staging services still reachable from the internet?

At this stage, teams discover drift. The architecture diagram says “single public app”. DNS, certificates, and cloud resources say otherwise.

The inside-out view

Once you have credentials for a scoped assessment, switch perspective. Use AWS-native visibility tools such as CloudMapper to understand how resources relate to each other.

Now the questions change:

Which roles can assume other roles?
Which subnets host workloads that can reach data stores?
Which buckets are shared across environments?
Which Lambda functions or ECS tasks have broad permissions?
Which accounts trust identities from somewhere else?

The outside-in view finds doors. The inside-out view finds routes.

Key takeaway: In AWS, the most dangerous path is often not the public endpoint itself. It is what that endpoint can reach after one small mistake.

What to look for before exploitation

When I review early recon notes, I look for asymmetry. That is usually where the risk sits.

Here is a practical checklist for that phase:

Unexpected exposure. A service exists in production but not in the asset register.
Boundary mismatch. A dev resource can reach prod data, or a front-end identity can call an internal backend.
Role sprawl. Many similar IAM roles with slightly different policies, often copied over time.
Shared storage. Buckets or snapshots used by multiple systems with unclear ownership.
Admin shortcuts. Bastions, support tools, debug routes, or manual upload paths left exposed.

Recon for modern stacks needs extra context

Static websites and single EC2 apps are easier to map. Modern AWS estates are not.

Serverless and container-heavy stacks create a moving target. You may find one public API route that fans into Lambda, SQS, Step Functions, and a data store. Or a web app on ECS that hands work to background tasks with a different role and broader access than the web tier.

A checklist alone misses this. Threat modelling helps more. Ask:

By the end of recon, you should have something more useful than an inventory. You should have a rough attacker narrative. “A public app reaches this function, the function can read this secret, the secret unlocks this database, and that database contains production data.” That is the map active testing follows.

Core AWS Penetration Testing Techniques

Once the map is clear, active testing becomes less random and far more valuable. You are no longer poking services to see what happens. You are validating specific attack paths.

A diagram illustrating cybersecurity testing phases including scanning, enumeration, exploitation, and testing for EC2, S3, and IAM.

I prefer to handle this part as a set of short scenarios. That is how issues appear in real engagements. Rarely as isolated flaws. Usually as small, believable mistakes.

IAM is where many AWS compromises become real

A common first scenario looks harmless. A low-privileged identity can list roles and inspect policies. Nothing obviously administrative appears. Then you inspect trust relationships and find a role that accepts assumptions too broadly.

That is why IAM sits at the centre of an aws pen test. Enumerating users can reveal root key usage, which was often flagged in UK audits, and exploiting misconfigured trust policies with sts:AssumeRole succeeds in 82% of cases, enabling token escalation, according to Cobalt’s guide to AWS penetration testing.

What to test in IAM

Focus less on “can I read IAM” and more on “can I become something else”.

Role trust relationships. Check who can assume what, including service principals and external identities.
Privilege escalation edges. Policy attachment, pass-role abuse, access key creation, or indirect escalation through automation roles.
Root and break-glass hygiene. Long-lived credentials and old admin paths matter because they bypass normal controls.
Cross-account assumptions. Startups with separate prod, staging, and shared services accounts often forget how much trust exists between them.

A good mini-test is to enumerate the current principal, inspect accessible roles, and attempt controlled assumptions where the Rules of Engagement permit it. If one low-privileged identity can become an admin-adjacent role, that is usually a high-value finding even if no exploit “looks dramatic”.

S3 flaws are often simple and still costly

Another common scenario starts with a bucket the team knows exists. They think it is private. It is not fully private.

Sometimes the bucket policy allows object reads. Sometimes listing is blocked but specific object names are predictable. Sometimes an old static asset upload path still grants write access. In practice, S3 testing is less about the service itself and more about business consequences.

Useful S3 checks

The trade-off here is proof. Reading a harmless sample file is often enough to prove exposure. Downloading a customer export usually is not necessary and may breach your own test boundaries.

EC2 remains important, even in cloud-native estates

Traditional compute is not gone. It has just moved into supporting roles. Bastions, self-hosted runners, internal tooling, legacy APIs, and admin utilities still sit on EC2.

A realistic scenario is an old instance with a permissive security group and stale software. You get access to the host or app, then discover the instance role is stronger than expected. At that point, the host is just a stepping stone into the control plane.

What pays off on EC2

Security groups. Review inbound access with the same care as internet firewall rules.
Metadata exposure. If application flaws expose instance metadata or credentials, the issue becomes an AWS compromise, not just a server issue.
User data and bootstrap artefacts. Teams often leave secrets, tokens, or internal URLs in launch scripts.
SSM pathways. Session Manager permissions can create backdoor-like administrative routes if scoped badly.

One practical way to think about EC2 is this. The box matters less than the role attached to the box.

RDS testing should stay tightly controlled

Database testing in AWS can get messy fast if the scope is vague.

A typical issue is not some cinematic database exploit. It is a database reachable from the wrong network path, using weak access assumptions, or fed by an application endpoint with injection flaws. The primary finding is usually exposure plus privilege, not exposure alone.

Strong RDS test habits

Confirm whether the database is externally reachable or only accessible from expected hosts.
Test application inputs that interact with database-backed features.
Review credential handling in app config, secrets stores, and environment variables.
Check whether read replicas, snapshots, or old instances expand the attack surface.

For startup teams, this is also where cloud and app testing merge. A bug in an API route can become a cloud finding if the route exposes credentials, reaches a public database path, or lets an attacker pivot into a role-backed service account.

Chaining matters more than isolated checks

A standalone finding is useful. A chain is what gets fixed quickly because everyone understands the risk.

The highest-value aws pen test reports usually describe paths like this:

Public endpoint exposes sensitive behaviour.
That behaviour reveals credentials or temporary access.
The identity can assume a broader role.
The broader role can read data or modify infrastructure.

If you want a deeper view of how cloud assessments differ from older perimeter-heavy testing, this overview of cloud-based pen testing is a useful companion.

Tip: Prioritise findings by blast radius and ease of chaining, not by how technically clever they look.

Testing Modern Architectures with Lambda and ECS

Traditional host-based thinking breaks down quickly in modern AWS stacks. Lambda and ECS change where code runs, how identities are attached, and how long anything exists. That shifts the testing method.

The mistake I see most often is applying server logic from EC2 directly to serverless or containers. The test becomes host-centric when risk primarily sits in event flow, execution role scope, image hygiene, and secret handling.

Lambda changes the attack surface

With AWS Lambda, the function is rarely the whole story. The event source matters just as much as the handler code.

A practical Lambda review asks four questions:

What can trigger the function?
What input reaches the function unsanitised?
Which secrets, environment variables, or downstream services can it access?
If the function is compromised, what else can its execution role do?

Understanding this requires threat modeling over checklists. A file upload Lambda triggered from S3 has a different risk profile from a Lambda behind API Gateway handling account changes. The first may expose parsing and file-processing flaws. The second may expose authorisation mistakes, insecure direct object references, or excessive access to account data.

There is also a trade-off around invocation. In a live environment, you should not invoke functions casually just because permissions allow it. Some functions process payments, mutate records, or send notifications. In those cases, static inspection, configuration review, and safe replay in a test environment are better than direct triggering.

What matters most in Lambda tests

Execution role blast radius

A single weak function with broad permissions can become an account-level problem. If that function can read secrets, write to queues, access data stores, or assume another role, the issue is not “vulnerable Lambda code”. The issue is over-broad privilege in an event-driven path.

Event trust

Serverless teams often trust their triggers too much. Data from API Gateway, S3 events, queues, webhooks, and internal event buses can all become attacker-controlled under the right conditions. If the function logic assumes “AWS generated the event, so the data is safe”, the trust boundary has already been misunderstood.

Dependency risk

Lambda packages often inherit a long chain of libraries because packaging is easy and review is rushed. A first aws pen test should include dependency inspection and permission review together. Either one alone gives an incomplete picture.

Key takeaway: In Lambda, the shortest path to a serious finding is often small code weakness plus oversized permissions.

ECS introduces identity and image questions at the same time

With Amazon ECS, a tester has to think at two levels. One is container security. The other is AWS integration.

A container can be perfectly ordinary from a Linux perspective and still be dangerous because the task role is too broad, the task definition leaks secrets, or the service sits in a network segment that reaches more than it should.

ECS and ECR checks that produce real findings

| Area | What to examine | | :---------------- | :---------------------------------------------------------- | | Task roles | Whether the running task can access secrets, buckets, queues, or admin APIs it does not need | | Task definitions | Environment variables, secret injection methods, mounted values, debug flags | | Image contents | Vulnerable packages, embedded keys, build artefacts, admin tools left in the image | | Service exposure | Load balancer paths, internal-only services that became reachable, weak segmentation | | Runtime paths | Metadata access, credentials exposed to the container, lateral movement opportunities |

The practical gotcha in ECS is that teams often secure the application but forget the delivery path. Build systems push images, deployment roles launch tasks, and task definitions inherit old patterns. A tester should review all three, not just the running service.

Serverless versus containers in a live aws pen test

This comparison helps when deciding where to spend manual effort first:

For startup teams, the biggest lesson is simple. Modern architecture does not remove attack paths. It redistributes them. You have fewer boxes to patch, but far more relationships to secure.

Effective Reporting and Actionable Remediation

A penetration test is only as useful as the report your team can act on next Monday morning.

Too many reports still fail at the final step. They prove a flaw exists, then stop. The engineering team gets screenshots, severity labels, and a recommendation that reads like “apply least privilege”. That is not remediation guidance. That is homework.

A diagram illustrating the process of turning raw data into actionable cybersecurity findings and an action plan.

Good reports reduce decision time

A strong aws pen test report should help three groups at once:

Executives need to understand exposure and business impact.
Engineering leads need to prioritise fixes.
Hands-on engineers need exact reproduction steps and precise remediation.

If any one of those audiences is left guessing, the finding stalls.

What every finding should contain

I push for a simple standard. Every finding needs five elements.

Clear statement of the issue

Identify the core problem, not just the vulnerable resource.

Bad: “S3 bucket misconfiguration”

Better: “Public object access on customer document bucket allowed unauthenticated retrieval of uploaded files”

Evidence that another engineer can trust

Use concise proof. Screenshots help, but command output, policy excerpts, affected paths, and role names are usually stronger. The proof should show what was tested, what succeeded, and where you stopped.

Reproducible steps

If your team cannot reproduce the issue safely, the report creates doubt. Keep the proof-of-concept narrow and deterministic. This often causes reports to fail.

Business impact in plain English

Tie the issue to what the system does. Can an attacker read customer data? Modify deployment artefacts? Gain broader AWS access? Move from a low-privileged app path into infrastructure control?

Root-cause remediation

Do not stop at “remove public access”. Explain whether the cause was a bucket policy, ACL drift, bad trust relationship, inherited IAM policy, insecure deployment default, or broken segmentation assumption.

Prioritisation should match exploit chains

Teams often sort findings by severity score and fix them in order. That is tidy, but not always smart.

A medium-severity issue that enables lateral movement into a high-value role may deserve faster attention than an isolated high-severity issue trapped in a low-impact path. Reports should explain those chains directly.

Here is a practical remediation format that works well:

Actionable remediation beats generic advice

A good finding does not say “restrict IAM permissions”. It says which permissions were unnecessary, which principal held them, what least-privilege alternative should replace them, and how to validate the new policy without breaking production.

The same applies across AWS:

For IAM, rewrite the trust relationship or reduce actions and resources.
For S3, update policy and block public access settings, then verify object-level access is also corrected.
For EC2, tighten security groups and remove metadata exposure paths.
For Lambda and ECS, reduce role scope and remove secrets from environment handling where possible.

If your team wants examples of how to structure findings so engineers use them, these notes on pen test reports are worth reviewing.

Tip: Write remediation so the assignee knows what to change before they open the AWS console.

The best report ends with retest criteria

Do not leave closure ambiguous.

Each major finding should say what successful remediation looks like. Maybe a role assumption now fails. Maybe the bucket no longer exposes objects. Maybe the task role cannot read a secret it previously could. This turns the retest into a precise validation exercise instead of a second investigation.

A report earns trust when it helps the team move from “we found a problem” to “we changed the system and proved the risk is gone”.

Embedding Security into Your CI/CD Pipeline

A one-off aws pen test is valuable. It is still a snapshot.

Cloud environments change too quickly for snapshots to carry the full burden. New functions ship, task roles drift, Terraform changes expand permissions, mobile builds leak keys into bundles, and temporary launch settings become permanent. If the test only happens once a year, your team is defending a moving target with stale evidence.

That is why the key maturity step is not “do more pen tests”. It is connect pen testing lessons to delivery controls.

UK-specific compliance gaps make that even more urgent. 42% of cloud breaches in a 2025 ICO report involved untested AWS configs failing UK GDPR data localisation tests, highlighting the need for continuous and automated checks that reflect regional compliance needs, as discussed in Hack The Box’s AWS pentesting guide.

Turn recurring findings into pipeline checks

The pattern is straightforward. If a human tester found the same category of problem twice, part of that category probably belongs in CI/CD.

Examples:

IAM policies that are consistently too broad should trigger policy linting or review gates.
Public storage misconfigurations should be caught by IaC scanning before deployment.
Dependency issues in Lambda packages or containers should be surfaced by SCA tooling during build.
Hardcoded secrets in front-end bundles and mobile apps should be checked before release.
App-layer access control flaws should feed into integration tests and security assertions, not sit only in a PDF.

Often, teams overcorrect here. They try to automate everything and call it equivalent to a pen test. It is not. Automation is best at catching repeatable classes of mistakes. Manual testing remains best at chaining context, logic, and architecture assumptions.

A practical pipeline shape for cloud teams

Before build

Scan source code and infrastructure definitions.

Use SAST for obvious code issues, SCA for dependency risk, and IaC scanners for Terraform or CloudFormation. The goal is fast feedback before anything deploys.

During build

Inspect what is being packaged.

For Lambda, that means dependencies, config defaults, and any embedded secrets. For ECS, inspect the image, not just the Dockerfile. What is inside the final artefact matters more than what was intended.

Before deploy

Run policy and configuration checks against the release candidate.

Here, one can block public exposure, dangerous IAM changes, missing encryption settings, or role expansions that violate your baseline.

After deploy

Use runtime assurance.

That can include cloud posture tools, alerting on permission drift, anomaly detection around sensitive actions, and periodic targeted tests against production paths.

What startups often miss

Smaller teams usually think they need heavyweight security programmes to do this well. They do not. They need a short list of controls tied to how they ship.

A lean but effective pattern looks like this:

The key is consistency. A narrow set of checks that always runs is better than an ambitious framework nobody maintains.

Modern app stacks need cloud-aware checks

This matters even more for teams building on platforms that sit on AWS underneath, such as backend-as-a-service products, serverless data layers, and mobile backends. The associated risk often appears in translated form. Exposed row-level access, public RPC paths, leaked API keys, and weak function access all map back to the same principle: shipping without verifying the effective access model.

That is why CI/CD security should blend cloud and application thinking. The pipeline should ask not only “is this service configured safely?” but also “does this release expose data or actions to the wrong actor?”

If you are building that feedback loop now, this guide to CI/CD security is a useful reference point.

Key takeaway: The best use of an aws pen test is to identify what humans should keep testing manually and what machines should prevent from recurring.

Frequently Asked Questions about AWS Pen Testing

Do I need AWS approval before running an aws pen test?

Usually, AWS customers can test their own infrastructure on approved services without prior approval. You still need to follow AWS policy and avoid prohibited activities. Read the current AWS penetration testing rules before any engagement, especially if production is in scope.

Should the first test be black-box or authenticated?

For a first engagement, a hybrid approach is usually best.

Pure black-box testing is useful for seeing what an outsider can discover, but AWS environments often hide the highest-risk paths behind low-privileged access. A limited authenticated view usually produces better findings around IAM, trust relationships, S3 access, Lambda roles, ECS task permissions, and internal attack paths.

Is production in scope or should we test staging only?

If staging meaningfully mirrors production, start there. If it does not, you may need carefully controlled production testing.

The right answer depends on how your team deploys. Many startups have security controls, integrations, and data paths in production that do not exist elsewhere. In that case, test production with strict Rules of Engagement, named contacts, and agreed proof boundaries.

What is the biggest mistake in a first AWS penetration test?

Scoping by service list instead of attack path.

“Test EC2, S3, Lambda, RDS” sounds thorough, but it misses the question that matters most: how does one small weakness turn into wider access? AWS risk often lives in relationships between services, identities, and data flows.

How often should we run an aws pen test?

Run one when the architecture changes materially, when a sensitive product launches, after major IAM or platform redesigns, and on a regular schedule that matches your risk profile. Between those points, use automation and monitoring to catch recurring issues.

Can automated tools replace a human tester?

No. They are different tools for different jobs.

Automation is excellent for broad coverage, regressions, dependency checks, and common misconfigurations. Human testing is better at chaining findings, spotting trust-boundary mistakes, and understanding the business logic behind serverless, containers, and modern application flows.

What should we expect as an output?

Expect more than a vulnerability list. A strong outcome includes an executive summary, technical findings with evidence, clear reproduction steps, business impact, exact remediation advice, and retest criteria.

If your team ships on Supabase, Firebase, or mobile backends and wants faster feedback before a full manual assessment, AuditYour.App helps surface exposed RLS rules, public RPCs, leaked keys, hardcoded secrets, and related cloud-facing misconfigurations early. It is a practical way to catch the obvious and the dangerous before they turn into the next urgent aws pen test.