Cloud Penetration Testing — AWS, Azure & Google Cloud

Configuration review, identity and access analysis, and adversarial testing of AWS, Microsoft Azure, and Google Cloud Platform environments — aligned with cloud-provider penetration testing policies, CIS Benchmarks, and the MITRE ATT&CK Cloud Matrix.

The Cloud Threat Model Is Different

Cloud security failures rarely begin with an exploited software vulnerability. They begin with identity, configuration, and trust-boundary errors: an over-permissive IAM role, a public storage bucket, a hardcoded access key, an unrotated service principal, a permissive trust policy. Cloud penetration testing is the disciplined search for those errors and the demonstration of their impact.

Amazon Web Services (AWS)

  • IAM — roles, policies, trust relationships, privilege escalation paths
  • S3 — public access, presigned URLs, bucket policies, encryption
  • EC2 — IMDSv1/v2 abuse, security groups, AMI permissions
  • Lambda — function URLs, layers, environment variables, event triggers
  • RDS, DynamoDB — public access, encryption, snapshot exposure
  • KMS — key policies, grants, cross-account use
  • Cross-account access & multi-account organisation analysis

Microsoft Azure

  • Entra ID (Azure AD) — application registrations, service principals, conditional access
  • RBAC — role assignments, custom roles, scope hierarchy
  • Storage accounts — anonymous access, shared keys, SAS tokens
  • Key Vault — access policies, RBAC, soft delete
  • Virtual machines — managed identities, extension abuse
  • Azure Functions, Logic Apps, App Service
  • Microsoft 365 surfaces where integrated

Google Cloud Platform (GCP)

  • IAM — primitive vs. predefined vs. custom roles, service-account impersonation
  • Cloud Storage — bucket and object IAM, ACLs, signed URLs
  • Cloud Functions, Cloud Run, App Engine
  • Compute Engine — metadata service, service-account scopes, OS Login
  • VPC, firewall rules, Cloud NAT
  • Organisation policy and hierarchy review

Methodology & Authorisation

Cloud penetration tests are scoped against the provider’s published acceptable-use policy. AWS, Azure, and GCP each permit specified categories of customer-initiated testing without prior notification; activities outside those categories (denial-of-service, regulated services, infrastructure-level attacks) require explicit advance authorisation. We document the authorisation envelope before execution.

Request a Cloud Pentest Proposal