Cloud services, e.g. AWS, offers RDS (Relational Database Service) which is a managed service for databases. Using a managed service makes it easier to install and maintain a database. However, security assessment can be more challenging in such databases, since they are sealed by the vendor.
For example it might not be possible to access a system schema to determine if a database is vulnerable or not.
Cloud services can be provided as-a-service which might mean that no IP nor web app URL is available, only a host name and port is available.
- The associated IPs are dynamic and can change, hence you can’t scan it.
- Even though you can find an IP, it is not accurate to scan it because it might change the other minute and your RDS instance is also spread out over several IP’s.
It is in this case more relevant to do an Audit for the cloud service.
Each cloud provider have their recommendations on how to do so, like for AWS (external links):