Ask HN: Is it legal to attack your own honeypot if it's hosted on AWS?
I'm a security researcher and digital forensics student.
I don't want myself or my colleagues/peers to get involved in any legal troubles when launching attacks against my own honeypot on AWS for testing purposes.
Has anyone got any experience with this? I see a lot of examples on the web of honeypots running on AWS but no legal discussion about launching attacks yourself. Does anyone know what Amazon's stance on this is?
Thanks in advance.
4 comments
[ 3.1 ms ] story [ 14.9 ms ] threadSetting up vulnerable software on your VPS and then exploiting vulnerabilities on that software to allow you, the owner of the VPS, to get root access in a method you would otherwise be unable to, is fine.
Exploiting the VPS itself to exercise a bug in Xen/whatever to gain access to the hypervisor, access you would not originally be granted, is much less clear cut. Amazon has a bug-bounty program for EC2, and would very much like to hear about bugs you find in this space though.
https://aws.amazon.com/security/vulnerability-reporting/
Just want to generate stuff to investigate in the honeypot.
For example, DigitalOcean has given me explicit permission to use their VPS's for authorized penetration testing and security auditing for clients.
Amazon in particular has a policy that requires written permission when testing AWS for both peripheral and direct auditing. This means that even if you're attacking a company hosted on AWS, you need Amazon's permission (as well as that company's), not just if you're attacking Amazon's AWS infrastructure directly. Now, you could say this means you've given yourself permission for attacking the honeypot, but you still need Amazon's permission for attacking AWS hosting the honeypot.
I am not a lawyer, but I am a security engineer, and I'd say this is likely fine in this particular scenario. However, I urge you to contact them directly or find an explicitly written public policy on the matter. Hacker News is not a good place to find a definitive answer on this.