Cloud Penetration Testing: The Complete AWS, Azure, and GCP Security Assessment Guide

Cloud penetration testing: AWS, Azure, and GCP

Cloud security testing differs from traditional infrastructure assessments. You're not testing physical servers - you're testing configurations, IAM policies, and services you don't fully control.

The shared responsibility model

Cloud providers secure the infrastructure (physical data centers, hypervisors, network fabric). You secure everything you deploy on top: IAM policies, storage permissions, network configurations, encryption settings, and application code.

Don't test provider infrastructure - that's out of scope and potentially illegal. Focus on what you control.

Where things go wrong

IAM

Identity and access management is the most common source of cloud vulnerabilities. Problems include:

  • Overprivileged policies granting more access than needed
  • Access keys committed to Git repos
  • Service accounts with admin permissions
  • Missing MFA on privileged accounts
  • Long-lived credentials that never rotate
  • Roles that can be assumed by anyone

Storage

  • S3 buckets / Azure blobs / GCS buckets set to public
  • Overly permissive bucket policies
  • Missing encryption
  • Sensitive data in backups without access controls

Compute

  • EC2 metadata service (IMDS) accessible via SSRF, leaking credentials
  • Exposed management interfaces (SSH, RDP)
  • Outdated AMIs with known vulnerabilities
  • Container escape paths
  • Lambda/Functions with excessive permissions

Network

  • Security groups allowing 0.0.0.0/0 on sensitive ports
  • Lack of network segmentation
  • VPC peering that enables lateral movement
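A minimal version of the "security groups allowing 0.0.0.0/0 on sensitive ports" check, written as an added example (not code from the article or from any of the tools it names). It runs over a constructed list shaped like the IpPermissions entries that AWS ec2:DescribeSecurityGroups returns, so it works offline; the SENSITIVE_PORTS set is an assumption to adjust for your environment.

```python
"""Flag security group rules that expose sensitive ports to the whole internet.

Added example. Input is a constructed list shaped like the IpPermissions entries
returned by AWS ec2:DescribeSecurityGroups, embedded so the check runs offline.
"""

# Ports the article calls out (SSH, RDP) plus common database/management ports.
# The set itself is an assumption; extend it to match your environment.
SENSITIVE_PORTS = {22, 3389, 5432, 3306, 1433, 27017, 6379, 9200}

ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_is_open_to_internet(perm):
    """True if any IPv4 or IPv6 range on the permission is the whole internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANYWHERE)


def exposed_ports(perm):
    """Sensitive ports covered by one permission entry.

    IpProtocol "-1" means every protocol and port; otherwise FromPort/ToPort
    give the inclusive range.
    """
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(groups):
    """Return (GroupId, port) findings for internet-exposed sensitive ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_open_to_internet(perm):
                continue
            for port in sorted(exposed_ports(perm)):
                findings.append((sg["GroupId"], port))
    return findings


# Constructed sample: one group opens SSH to the world, one opens everything over
# IPv6, and one allows RDP only from a private range (should not be reported).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0002-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0003-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for group_id, port in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} reachable from the internet")
```

Note that an all-protocols rule ("-1") is reported for every sensitive port, and that a rule scoped to a private CIDR is silently accepted; whether 10.0.0.0/8 is itself too broad is a segmentation question the port check cannot answer.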

AWS-specific testing

IAM: Enumerate users, roles, and policies. Look for overprivileged policies, privilege escalation paths (like iam:PassRole combined with other permissions), and exposed access keys.

S3: Check bucket ACLs and policies. Test both unauthenticated and authenticated access. Look for sensitive data.
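Two of the AWS checks above can be done statically on policy documents before touching the account: the IAM policy review (wildcards, and an unscoped iam:PassRole sitting next to a permission that launches compute) and the "is this bucket policy public" question. The following is an added example, not code from the article or from Pacu, Prowler, ScoutSuite or Principal Mapper; the policy documents are constructed samples in the standard AWS policy JSON format, and the PASSROLE_PARTNERS set is an assumption to extend.

```python
"""Static checks on AWS policy documents: overprivileged IAM identity policies
(including iam:PassRole escalation paths) and public S3 bucket policies.

Added example; the policies below are constructed samples.
"""
import json


def as_list(value):
    """Action, Resource, Statement and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


# Permissions that turn an unscoped iam:PassRole into privilege escalation, because
# they launch compute that then runs as the passed role. Assumption; extend as needed.
PASSROLE_PARTNERS = {"ec2:RunInstances", "lambda:CreateFunction",
                     "cloudformation:CreateStack", "glue:CreateDevEndpoint"}


def audit_identity_policy(policy):
    """Return a list of finding strings for an IAM identity policy document."""
    findings = []
    granted = set()
    passrole_unscoped = False
    for s in allow_statements(policy):
        acts = as_list(s.get("Action"))
        res = as_list(s.get("Resource"))
        granted.update(acts)
        if "*" in acts and "*" in res:
            findings.append("full admin: Action * on Resource *")
        service_wild = [a for a in acts if a.endswith(":*")]
        if service_wild and "*" in res:
            findings.append("service-wide wildcard on all resources: " + ", ".join(service_wild))
        if "iam:PassRole" in acts and "*" in res:
            passrole_unscoped = True
    partners = sorted(granted & PASSROLE_PARTNERS)
    if passrole_unscoped and partners:
        findings.append("PassRole escalation path: iam:PassRole on * plus " + ", ".join(partners))
    return findings


def bucket_policy_is_public(policy):
    """True if an Allow statement grants to everyone with no Condition at all."""
    for s in allow_statements(policy):
        principal = s.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))
        if everyone and not s.get("Condition"):
            return True
    return False


# Constructed sample: a developer policy that can pass any role into Lambda.
DEV_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-app-bucket/*"}
  ]
}""")

# Constructed sample: PassRole scoped to one role and no compute-launch permission.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                   "Resource": "arn:aws:iam::123456789012:role/example-app-role"}],
}

# Constructed bucket policies: anonymous read with no condition, versus anonymous
# read restricted to one VPC endpoint.
PUBLIC_BUCKET = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-public-bucket/*"}]
}
CONDITIONED_BUCKET = {
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-internal-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]
}

if __name__ == "__main__":
    print(audit_identity_policy(DEV_POLICY))
    print(bucket_policy_is_public(PUBLIC_BUCKET), bucket_policy_is_public(CONDITIONED_BUCKET))
```

The bucket check is a first-pass filter: it treats any Condition as non-public, whereas AWS's own definition of a public bucket only credits conditions on specific keys (source VPC, source IP, principal and similar), so a policy conditioned on something weaker still needs a manual look. The identity check likewise only sees one policy at a time; a real escalation review has to combine every policy attached to the principal, which is what Principal Mapper does.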

IMDS: Test for SSRF vulnerabilities that can reach 169.254.169.254. Check if IMDSv2 (requiring session tokens) is enforced.
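The IMDS point has two defensive halves: confirm that every instance requires IMDSv2 session tokens (and keeps the hop limit at 1 so containers on the host cannot fetch tokens by default), and make sure application code that fetches user-supplied URLs refuses the metadata addresses. Both are shown below as an added example, not code from the article; the instance records are constructed in the shape of the MetadataOptions block from ec2:DescribeInstances, and the hostname aliases and address list are assumptions that cover the AWS, Azure and GCP endpoints the author knows of.

```python
"""IMDS hardening checks: audit instance metadata options, and reject SSRF targets
that point at a cloud metadata service.

Added example; the instance records are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit


def audit_imds(instances):
    """Return {InstanceId: [issues]} for instances with weak metadata settings."""
    findings = {}
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") == "disabled":
            continue  # IMDS is switched off; nothing for an SSRF to reach
        issues = []
        if opts.get("HttpTokens") != "required":
            issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops > 1:
            issues.append("hop limit %d lets container workloads on the instance obtain IMDSv2 tokens" % hops)
        if issues:
            findings[inst["InstanceId"]] = issues
    return findings


SAMPLE_INSTANCES = [  # constructed
    {"InstanceId": "i-0001-example",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0002-example",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0003-example",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0004-example",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]

# Assumed list: link-local ranges used by AWS, Azure and GCP for metadata, the AWS
# IPv6 endpoint, and hostname aliases that resolve to the metadata server on GCE/EC2.
METADATA_NETWORKS = [ipaddress.ip_network("169.254.0.0/16"),
                     ipaddress.ip_network("fe80::/10"),
                     ipaddress.ip_network("fd00:ec2::254/128")]
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def targets_metadata_service(url):
    """True if the URL's host is a metadata address or alias. A DNS name that is not
    a known alias returns False here; resolve it and re-check the resulting IP before
    connecting, otherwise rebinding and alternate IP encodings slip past."""
    host = urlsplit(url).hostname  # lowercased, IPv6 brackets stripped
    if not host:
        return False
    if host in METADATA_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in METADATA_NETWORKS)


if __name__ == "__main__":
    for instance_id, issues in audit_imds(SAMPLE_INSTANCES).items():
        print(instance_id, issues)
    print(targets_metadata_service("http://169.254.169.254/latest/meta-data/"))
```

The URL check is a deny-list, so it is a backstop rather than the fix: the fix is HttpTokens=required on every instance (and IMDSv2 by default on new launches in the account), plus an egress allow-list in the application. Note that the audit skips instances whose endpoint is disabled entirely, which is the strongest setting where a workload does not need IMDS at all.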

Tools: Pacu, Prowler, ScoutSuite, Principal Mapper

Common findings: Public S3 buckets, IAM privilege escalation via PassRole, IMDSv1 credential theft, Lambda roles with admin access, security groups open to the internet.

Azure-specific testing

Azure AD: Enumerate users, groups, service principals. Look for overprivileged role assignments and app registrations with dangerous permissions.

Storage: Check blob container access levels and SAS token exposure.

Tools: AzureHound, ROADtools, MicroBurst

Common findings: Overprivileged app registrations, public blob containers, SAS tokens in code, automation account credentials exposed, missing conditional access policies.

GCP-specific testing

IAM: GCP has primitive roles (Owner, Editor, Viewer; Google now calls them basic roles), predefined roles, and custom roles. Check for overpermissive primitive roles across the resource hierarchy. Test service account impersonation controls.
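The "primitive roles across the resource hierarchy" review is mostly a walk over IAM policy bindings at each level, because a binding on an organization or folder is inherited by every project underneath it. The following added example (not code from the article) does that walk over constructed policies in the shape returned by gcloud projects get-iam-policy --format=json, flagging Owner/Editor grants and anything granted to allUsers or allAuthenticatedUsers; the resource names are placeholders.

```python
"""Audit GCP IAM bindings across a resource hierarchy for basic (primitive) roles
and public principals.

Added example; the policies below are constructed samples.
"""

WRITE_BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_bindings(resource, policy):
    """Return (resource, role, member, reason) findings for one policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((resource, role, member, "granted to a public principal"))
            elif role in WRITE_BASIC_ROLES:
                if member.startswith("domain:"):
                    reason = "basic role granted to an entire domain"
                elif member.startswith("serviceAccount:"):
                    reason = "service account holds a write-capable basic role"
                else:
                    reason = "basic role; prefer a predefined or custom role"
                findings.append((resource, role, member, reason))
    return findings


def audit_hierarchy(policies):
    """policies maps resource name -> IAM policy. Every level is checked, since an
    organization- or folder-level binding applies to all projects below it."""
    findings = []
    for resource, policy in policies.items():
        findings.extend(audit_bindings(resource, policy))
    return findings


# Constructed sample: an org-level Editor grant to the whole domain (inherited by
# every project), a CI service account with Editor, and a public bucket-reader grant.
SAMPLE_POLICIES = {
    "organizations/000000000000-example": {"bindings": [
        {"role": "roles/editor", "members": ["domain:example.com"]},
    ]},
    "projects/example-app-prod": {"bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deployer@example-app-prod.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
        {"role": "roles/cloudsql.client", "members": ["group:backend@example.com"]},
    ]},
}

if __name__ == "__main__":
    for finding in audit_hierarchy(SAMPLE_POLICIES):
        print(finding)
```

Viewer is left out of the write-capable set on purpose; it is still worth reviewing for data exposure, but the article's Editor-granted-too-broadly finding is the one that leads to takeover. The service account impersonation check the article mentions is separate: it means looking for roles/iam.serviceAccountTokenCreator and roles/iam.serviceAccountUser bindings, which this example does not cover.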

Common findings: Editor role granted too broadly, public Cloud Storage buckets, exposed service account keys, insecure Firebase rules.
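Three of the findings on this page are the same finding in different costumes: access keys committed to Git, SAS tokens in code, and exposed service account keys. A repository scan catches all of them, and the following added example (not code from the article) is a small pattern-based scanner for exactly those three credential types. The sample input is a constructed config file in which every secret is fake (the AWS secret key is the placeholder from AWS's own documentation); the patterns are the author's assumptions and will miss encodings they do not anticipate.

```python
"""Scan text for committed cloud credentials: AWS access keys, Azure SAS tokens,
GCP service account key files and PEM private keys.

Added example; SAMPLE_SOURCE is constructed and contains only fake values.
"""
import re

PATTERNS = [
    # AKIA = long-term key id, ASIA = temporary (STS) key id; 16 more base32-ish chars.
    ("aws-access-key-id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    # Secret keys are 40 chars of [A-Za-z0-9/+=]; too generic alone, so require the label.
    ("aws-secret-access-key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])", re.I)),
    # A SAS token is a query string carrying sv= (service version date) and sig=, in either order.
    ("azure-sas-token",
     re.compile(r"[^\s\"']*[?&](?:sv=\d{4}-\d{2}-\d{2}[^\s\"']*[?&]sig=|sig=[^\s\"']*[?&]sv=\d{4}-\d{2}-\d{2})[^\s\"']*")),
    # A downloaded GCP service account key is JSON with "type": "service_account".
    ("gcp-service-account-key",
     re.compile(r"\"type\"\s*:\s*\"service_account\"")),
    ("private-key-pem",
     re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]


def redact(secret):
    """Keep enough of the value to locate it in the file without reprinting it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "..."


def scan_text(text):
    """Return (line_number, kind, redacted_value) for every match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                hit = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, kind, redact(hit)))
    return findings


SAMPLE_SOURCE = """\
# constructed sample config for the scanner; every secret here is fake
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BLOB_URL="https://examplestorage.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=co&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=FAKEsignatureFAKEsignatureFAKE%3D"
{"type": "service_account", "project_id": "example-app-prod", "private_key": "-----BEGIN PRIVATE KEY-----\\nFAKE\\n-----END PRIVATE KEY-----\\n"}
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value}")
```

Scanning the working tree is not enough for the "committed to Git" case: pipe the output of git log -p (or each blob in the history) through scan_text as well, since a key deleted in a later commit is still retrievable from the repository. A matched SAS token is reported whole because its sig= value is the secret; the remediation is to regenerate the storage account key that signed it, which invalidates every token derived from that key.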

Multi-cloud

If you're testing across multiple providers, tools like ScoutSuite, Prowler, CloudSploit, and Steampipe work across AWS, Azure, and GCP with consistent output formats.