Cloud Pentest
Protect your cloud environment
More and more organizations are moving their data to clouds such as AWS, Azure or Google Cloud. Moving to the cloud does not relieve a company of all responsibility for protecting this data. Providers are responsible for protecting the cloud itself, but you as a user need to ensure the security of your data.
No matter how secure the underlying cloud infrastructure is, if applications are set up incorrectly in the cloud, weak passwords are used, or permissions are not set restrictively enough, attackers can exploit these vulnerabilities to potentially compromise the entire cloud infrastructure.
During our Cloud Pentest, our security analysts comprehensively analyze all relevant cloud components and identify possible entry points for attackers.
Common vulnerabilities include:
- Unauthorized access to virtual machine configuration data (Azure VMs, AWS EC2 or Google Compute Engine)
- Unauthorized reading of data (e.g., misconfigured AWS S3 buckets)
- Typical vulnerabilities in traditional IT systems and web applications, depending on the operational concept (e.g., classic rehosting after “lift and shift”)
- Disclosure of sensitive cloud service data, such as access keys
What is our approach to a Cloud Pentest?
Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for Cloud Pentests:
When analyzing systems and applications in cloud environments for vulnerabilities, our experts draw on their many years of experience analyzing on-premises solutions. They additionally examine your environment for vulnerabilities in cloud services using established cloud-specific tools. The results are integrated into our usd HeroLab Toolchain. All information obtained this way is then incorporated into the manual review of your cloud environment.
What checks are included in a Cloud Pentest?
Analyses included in a system pentest or web application pentest are an integral part of the analysis of your applications and systems in the cloud. Cloud-specific tests are also conducted as part of our Cloud Pentest, such as:
- Examining AWS S3 buckets and Azure Storage Accounts for access permission misconfigurations
- Code review of deployed Lambda functions and Azure Functions
- Review of integrated login methods, such as AWS Cognito, for vulnerabilities
- Unauthorized access to the metadata service of EC2 instances, Azure VMs or Google Compute Engine
When running infrastructure in the cloud, you need to consider further attack vectors. Your data may be compromised if cloud services are not configured securely. We therefore recommend that you verify the secure configuration of your cloud subscription by conducting a Cloud Security Audit.