Cloud penetration testing

December 12th, 2023 Posted in Penetration Testing

Penetration tests are simulated cyber-attacks performed by authorised cyber security experts. Any pen test aims to find security weaknesses before hackers exploit them. Cloud penetration testing takes this general idea and applies it to cloud environments such as public, private, or hybrid clouds to uncover security weaknesses.  

We give you the lowdown on what cloud pen testing involves, its benefits (such as preventing cloud ransomware), and how it differs from traditional pen testing and cloud security assessments.  

What is cloud penetration testing? 

Cloud penetration testing is an exercise specifically designed to evaluate the security of cloud-based environments. A cloud pen test simulates a cyber-attack against your cloud workloads and services to find vulnerabilities, weaknesses, and potential security gaps. You can use the findings and reports from a pen test to fix any weaknesses that the testing team finds.  

Security experts probe and test your cloud environments for insecure APIs, misconfigurations in identity and access management (IAM), data encryption flaws, and other cloud-specific issues like insecure interfaces and endpoints. The test should span all your company’s cloud workloads, such as data storage, cloud networking, virtualisation, big data analytics, or software testing and development.

Cloud pen testing must account for the boundaries set by cloud service providers (“CSP”) to ensure compliance with their policies. CSPs often have specific terms of service, acceptable use policies and security guidelines that cloud service customers (“CSC”) must follow. CSCs should keep the cloud shared responsibility model in mind when planning a cloud penetration test. As with traditional pen tests, the end goal is to uncover and address security vulnerabilities before malicious attackers exploit them.

What is the difference between cloud pen testing and traditional pen testing? 

While the fundamental principles of identifying and exploiting vulnerabilities remain the same, cloud pen testing calls for a specialised understanding of cloud architectures, service models, and provider-specific features and policies. Here is a brief run-through of how cloud penetration tests differ from those conducted in on-premises, traditional IT infrastructures. 

Limited infrastructure control and visibility  

In traditional IT environments, your business has complete control over physical hardware and network infrastructure, which allows for extensive testing by pen testers. In cloud environments, control and visibility are limited by the cloud service model (IaaS, PaaS, SaaS), and you never have physical access to hardware.  

The shared responsibility model

In traditional environments, companies are responsible for securing all aspects of their own IT infrastructures, from the physical layer to the application layer. This level of responsibility dictates a need for diverse types of pen tests. In the cloud, the shared responsibility model divides security responsibilities between the cloud service provider (CSP) and the customer.

Cloud pen testing attack surface considerations

Cloud pen testers need to consider the specific service models (IaaS, PaaS, SaaS) being used because each comes with a different attack surface. For instance, in IaaS, network configurations, storage and virtual machines are critical points to focus on, while in SaaS, the focus might be more on secure configuration, data management and localisation, and identity and access management controls.

Cloud testing tools

While some traditional pen testing tools like Nmap and Nessus are also useful for cloud tests, there are cloud-specific tools that are not used in standard pen tests. Tools like ScoutSuite, CloudSploit, and WeirdAAL help pen testers assess the security of cloud environments by enumerating common misconfigurations. Other tools, like Cliam, specifically enumerate IAM permissions to help testers escalate privileges or probe for other weaknesses in access controls.

Cloud provider policy and compliance

In traditional pen tests, compliance is based on internal company IT policies and industry-specific regulations. In the cloud, tests must also consider the cloud provider’s policies and any compliance agreements.  

The benefits of cloud pen testing 

  • By uncovering and mitigating vulnerabilities you might not have otherwise known about, cloud pen testing plays a vital role in preventing potential data breaches. For businesses in the UK, a data breach costs an average of £3.4 million, a sum of money that could ruin many companies.
  • Pen tests prepare your company for real-world cloud-based cyber threats by simulating various attack scenarios and testing the effectiveness of current cloud security measures. 
  • You can develop and/or refine a tailored security strategy (such as incident response planning) that aligns with the specific needs and architecture of your cloud infrastructure based on the results and reports from cloud pen tests. 
  • Testing helps identify security risks associated with integrating various cloud services and platforms, and the extra security can increase stakeholder confidence in migrating to and using cloud services.

Is cloud pen testing different from cloud configuration reviews? 

Cloud penetration testing and cloud configuration reviews are both part of the broader scope of protecting cloud-based environments, but they differ in several ways.  

With cloud pen testing, the goal is to mimic the actions of potential attackers to find security weaknesses that could be exploited in real-world scenarios. On the other hand, reviewing cloud configuration settings aims to assess your cloud infrastructure to check that all settings and configurations are securely set up in reference to industry vendor guidance. Another way to think about the difference is that cloud pen testing is an active process that seeks to find and exploit vulnerabilities, whereas configuration reviews are about preventing vulnerabilities by ensuring correct settings and compliance with known best practices. 

An additional distinction between the two is that pen testing in the cloud has a broader scope in terms of security assessment as it can uncover a variety of vulnerabilities, including ones unrelated to configuration settings, like API flaws. Configuration reviews are specifically targeted at reviewing how securely your cloud services are set up and managed. Both are an important part of having a strong cloud security posture, but it is useful to understand the differences.  

Cloud pen testing methods 

The pen testing team, usually composed of security specialists known as ethical hackers, employs various methods to identify and exploit vulnerabilities in cloud environments, such as:

  • Scanning cloud services and applications for known vulnerabilities using automated tools. 
  • Using manual techniques like identifying the cloud services in use (like AWS EC2, S3, Azure Blob Storage), mapping out the network architecture, and enumerating resources to actively probe and exploit weaknesses.
  • Probing the security of Application Programming Interfaces (APIs), which are critical in cloud architectures, for issues like improper authentication and authorisation controls.  
  • Assessing cloud identity and access management (IAM) configurations for excessive permissions, improper role configurations, and other access control issues, and then trying to escalate privileges or access restricted resources using any identified IAM issues. 
  • Checking for secure data storage practices, including encrypting data at rest and in transit, and proper configuration of storage services like Amazon S3 buckets. 
  • Targeting applications deployed in the cloud and looking for vulnerabilities like SQL injection, cross-site scripting, etc.  

Using these methods in combination gives a more rounded approach to uncovering and addressing security vulnerabilities within a cloud environment. 
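The IAM and storage checks in the list above can be partly automated on the defensive side. The following is an added example, not code from the original article or from any tool it names: it reads AWS-style JSON policy documents and flags wildcard permissions, public principals, and bucket policies that do not deny plain HTTP. The function names, finding codes and sample policies are assumptions made for illustration, and `NotAction`/`NotPrincipal` are not handled.

```python
def _as_list(value):
    """Policy grammar allows one item or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def _denies_plain_http(st):
    """True if the statement denies requests that did not use TLS."""
    flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return st.get("Effect") == "Deny" and str(flag).lower() == "false"

def audit_policy(policy, is_bucket_policy=False):
    """Return (statement id, finding code) pairs for one policy document."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        wild = any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action")))
        if wild and "*" in _as_list(st.get("Resource")):
            findings.append((sid, "WILDCARD_ACTION_ON_ALL_RESOURCES"))
        if _is_public(st.get("Principal")) and not st.get("Condition"):
            findings.append((sid, "PUBLIC_PRINCIPAL_NO_CONDITION"))
    if is_bucket_policy and not any(_denies_plain_http(s) for s in statements):
        findings.append(("policy", "PLAINTEXT_HTTP_NOT_DENIED"))
    return findings

# Constructed sample documents; names and the account id are placeholders.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"],
     "Resource": "arn:aws:logs:*:111122223333:log-group:app:*"}]}
OPEN_BUCKET = {"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}}
HARDENED_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TlsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name in ("ROLE_POLICY", "OPEN_BUCKET", "HARDENED_BUCKET"):
        print(name, audit_policy(globals()[name], name.endswith("BUCKET")))
```

A check like this covers only the configuration side; whether a flagged permission is actually reachable and exploitable is what the manual testing methods establish.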

Cloud pen testing for different cloud services 

The earlier section on what cloud penetration testing is alluded to the boundaries that service providers set on what is allowed in a pen test. Here’s a more detailed look at these boundaries in the context of 3 popular service providers: AWS, Azure, and Google Cloud.

AWS penetration testing

AWS permits penetration testing on a range of services like EC2 instances, RDS databases, and API gateways. However, some services are excluded from the permitted list. AWS requires no prior approval for pen testing.

In terms of testing activities, DNS zone walking is not allowed in simulated cyber-attacks, and DDoS is only allowed by a pre-approved AWS DDoS Test Partner.  

Microsoft Azure penetration testing

For Microsoft cloud services, Microsoft allows penetration testing for eight different services, including Azure, Azure Active Directory, and Office 365. Testers can assess a client’s applications, services, and data on Azure, but Microsoft’s infrastructure and applications are off-limits. Forbidden activities include any kind of denial-of-service testing, automated testing of services that generates significant amounts of traffic, and deliberately accessing another customer’s data.  

Google Cloud Platform (GCP) penetration testing

Google is the only one of the three main cloud providers that lacks specific guidelines or policies about cloud pen testing. The main thing to keep in mind is the need to abide by the company’s acceptable use policy and terms of service. You do not need to tell Google in advance that you’re carrying out a pen test on your Cloud Platform environment.

How much does cloud penetration testing cost? 

The cost of pen testing in a cloud environment varies widely because it depends on several factors. This wide spectrum of costs can make it difficult to choose the right service for your company’s needs. Some of the key drivers behind these costs include: 

  • The size and complexity of your cloud infrastructure (e.g. a large, multi-cloud environment with several types of workloads will need more extensive, time-consuming, and therefore expensive testing).  
  • Specific needs and objectives that call for niche knowledge, such as if testing needs to meet specific compliance requirements. 
  • The skill and experience level of the professionals conducting the test also affects the price, with more experienced testers able to command higher fees due to a proven track record.  
  • Services such as detailed reporting, recommendations for remediation, and re-testing to verify fixes can also add to the overall cost. 

For a more detailed breakdown of what to expect to pay, check out a comprehensive guide to penetration testing costs.

Choosing a cloud pen test provider 

Aside from the need to know what you should expect to pay, it is also important to choose the right cloud pen test provider. This choice calls for carefully considering the provider’s cloud expertise in the specific cloud platforms your company uses. The provider must also show a deep understanding of cloud-specific vulnerabilities and attack vectors. See our detailed guide for a handy four-step process for choosing the right pen test provider.

We can help you with cloud penetration testing

Evalian’s team of security experts carry out cost-effective and in-depth penetration testing of your cloud infrastructure. You can opt for one-off testing or a more ongoing approach with a managed testing service. A detailed pen test report is peer-reviewed and includes recommendations so you can easily remediate issues before threat actors find and exploit them.


Written by Evalian®