CLOUD PENETRATION TESTING
What is Cloud Penetration Testing?
Like Penetration Testing, Cloud Penetration Testing is an authorized simulated cyber-attack against a system that is hosted on a Cloud provider, e.g. Amazon’s AWS or Microsoft’s Azure. The main goal of a cloud pentest is to find the weaknesses and strengths of a system, so that its security posture can be accurately assessed.
How can you Benefit?
The benefits of cloud pentesting are increased technical assurance, and better understanding of the attack surface that your systems are exposed to. Cloud systems, whether they are infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), are prone to security misconfigurations, weaknesses, and security threats just as traditional systems are.
By performing cloud security testing you will get:
a) A better understanding of your cloud estate. What services do you have in the cloud? What systems do you expose to the public?
b) A detailed report on any common security misconfigurations along with our recommendations for how to secure your cloud configuration.
The increased assurance will come from the fact that you will gain visibility of the security weaknesses of your cloud estate. You will be able to verify what services and data are publicly accessible, what cloud security controls are in effect, and how effectively these are mitigating your security risk.
The Cloud Security Problem
Although cloud providers offer increasingly robust security controls, you are ultimately responsible for securing your company’s workloads in the cloud. According to the 2019 Cloud Security Report, the top cloud security challenges highlighted are about data loss and data privacy. This is followed by compliance concerns, tied with concerns about accidental exposure of credentials.
Operational Security Headaches
- 34% Compliance
- 33% Lack of Visibility into infrastructure security
- 31% Lack of qualified staff
Biggest Cloud Security Threats
- Unauthorized Access
- Insecure Interfaces/APIs
- Misconfiguration of the cloud platform
- Hijacking of accounts, services or traffic
- External sharing of data
- Malicious insiders
Cloud Penetration Testing and Configuration Review services
Cloud Configuration Review is an assessment of your Cloud configuration against the accepted best practice of industry benchmarks. A report is produced with a summary table showing each benchmark and whether you are following the best practice, with individual technical findings breaking this down in more detail, together with detailed explanations and remediation advice.
Cloud Penetration Testing involves a mixture of external and internal penetration testing techniques to examine the external posture of the organisation. Examples of vulnerabilities determined by this type of active testing can include unprotected storage blobs and S3 buckets, servers with management ports open to the internet and poor egress controls.
Cloud Testing, whether a configuration review, a penetration test, or both, focuses primarily on examining the protection of these key areas:
- Enumeration of external attack surface – Identify all possible entry points into the environment – O365, Web Applications, Storage Blobs, S3 Buckets, SQL/RDS Databases, Azure Automation APIs, AWS APIs, Remote Desktops, VPNs, etc.
- Authentication and Authorization Testing – Ensure the users within the environment operate on the Principle of Least Privilege and are protected by robust multi-factor authentication policies, and that known ‘bad passwords’ are prohibited from being used.
- Virtual Machines / EC2 – Azure supports two types of virtual machines – Classic and v2. Testing will ensure that these virtual machines are protected via Network Security Groups (NSGs – analogous to firewalls) and their data is encrypted at rest. Where possible, audits of missing patches and their effects are included. Where virtual machines are publicly accessible, this will lead on to the examination of their external interfaces.
- Storage and Databases – This area of testing will examine storage blob permissions and those of subfolders, ensuring that only authenticated and authorized users can access the data within. Examination of databases (either on virtual machines running SQL Server, or running via Azure SQL) for security best practices is also covered.
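As an added illustration (not part of the original page or any vendor tooling) of two of the configuration checks listed above, the following script flags S3 bucket policy statements that grant access to everyone and Azure NSG inbound rules that open a management port to the whole internet. The bucket policy, the NSG rules and the account id are constructed sample data.

```python
import json
from ipaddress import ip_network

# Constructed sample bucket policy: the first statement makes every object world-readable.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample NSG inbound rules (simplified to the fields the check needs).
SAMPLE_NSG_RULES = [
    {"name": "allow-https", "direction": "Inbound", "access": "Allow", "port": "443", "source": "Internet"},
    {"name": "allow-rdp", "direction": "Inbound", "access": "Allow", "port": "3389", "source": "0.0.0.0/0"},
    {"name": "allow-ssh-vpn", "direction": "Inbound", "access": "Allow", "port": "22", "source": "10.8.0.0/16"},
]

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM


def _is_public_principal(principal):
    """AWS treats Principal "*" and {"AWS": "*"} as anonymous (everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    """Allow statements granted to everyone; a Condition block, if present, still needs manual review."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]


def _port_matches(port_spec, port):
    """NSG destination port ranges look like "*", "3389" or "3000-4000"."""
    if port_spec == "*":
        return True
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)


def _is_internet_source(source):
    """Internet/any service tags or a 0-length prefix such as 0.0.0.0/0 mean the whole internet."""
    if source in ("*", "Internet", "any"):
        return True
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # some other service tag or application security group name


def exposed_management_rules(rules):
    """Names of inbound Allow rules exposing a management port to the internet."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and _is_internet_source(r["source"])
            and any(_port_matches(r["port"], p) for p in MANAGEMENT_PORTS)]
```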
Cloud Penetration Testing Authorisation and Policies
Microsoft (Azure) and Amazon (AWS) used to require testing authorisation before commencing a penetration test. This is no longer the case, and barring a few exceptions within AWS, you are no longer required to request authorisation for a cloud pentest for Azure, AWS, or GCP.
- AWS Pen Testing Policy: https://aws.amazon.com/security/penetration-testing/
- Azure Rules of Engagement: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
Our team consists of AWS Security and Microsoft certified experts. Our experienced consultants frequently publish white papers and research on Cloud security and Cloud Penetration Testing:
Do I need permission from my cloud provider in order to perform a penetration test?
In most cases (AWS/Azure/GCP) the answer is no. There are some exceptions, but for the majority of testing authorisation is not required.