Cloud Penetration Testing Services

Identify Hidden Cloud Security Risks and How It Impacts Your Organization

Performing penetration testing against cloud services is becoming one of the most sought-after services at Artifice Security. Each type of cloud service, such as Google Cloud Platform, Amazon Web Services, and Microsoft Azure, has unique configurations and, therefore, has unique vulnerabilities that could be present.

At Artifice Security, our expert engineers hold the latest certifications in cloud security. Our engineers also have experience working with cloud environments as cloud architects, developers, and administrators. This experience translates to not only knowing the security side of your cloud environment but understanding your cloud environment on a deeper level.

testing types

AWS Cloud Penetration Testing

Artifice Security offers penetration testing for two types of cloud offerings:
  • User-Operated Services – These cloud instances are primarily created and configured by the end-user, with the user in charge of the service instead of the hosting provider (E.g., EC2 services). These services allow complete testing with few restrictions, such as Denial-of-Service (DOS/DDOS) attacks or related disruptions to traffic flow.
  • Vendor Operated Services – These are cloud offerings owned or operated by the vendor and used “as a service .” Some examples of these services would be AWS CloudFront, Gmail, O365, or Salesforce. Testing against these services focuses on your implementation and configuration instead of the provider’s infrastructure.

Your organization would provide us with a secured account to access the AWS management console. The permissions needed for the AWS Managed Policies would be ReadOnlyAccess and SecurityAudit. By enabling these permissions, Artifice Security can perform an audit-style assessment that allows our security engineers to view specific implementations that are not always accessible by an attacker.

This white-box approach allows our team to fully pentest your AWS architecture while giving you a clear understanding of best practices. Our consultants test for a range of AWS-specific misconfigurations in the following areas:

  • AWS Certificate Manager (ACM)
  • AWS Lambda
  • AWS CloudFormation
  • AWS CloudTrail
See All
  • AWS CloudWatch
  • AWS Config
  • AWS Direct Connect
  • AWS DynamoDB
  • AWS Elastic Compute Cloud (EC2)
  • AWS Elastic File System (EFS)
  • AWS ElastiCache
  • AWS Elastic Load Balancer (ELB)
  • AWS Elastic Load Balancer V2 (ELBv2)
  • AWS Elastic MapReduce (EMR)
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)
  • AWS Relational Database Service (RDS)
  • AWS Redshift
  • AWS Route 53
  • AWS Simple Storage Service (S3)
  • AWS Secrets Manager
  • AWS Simple Email Service (SES)
  • AWS Simple Notification Service (SNS)
  • AWS Message Queuing Service (SQS)
  • AWS Virtual Private Cloud (VPC)

google cloud

Google Cloud Platform (GCP) Penetration Testing

The Google Cloud Platform (GCP) typically follows a shared-responsibility model, meaning the cloud provider is responsible for the hardware and security of the backend infrastructure. The remaining security configuration is placed on you to include the structure of your servers, access, and privileges within your environment.

This white-box approach allows our team to fully pentest your Google Cloud Platform architecture while giving you a clear understanding of best practices. Our consultants test for a range of GCP-specific misconfigurations in the following areas:

  • Cloud Resource Manager
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • Identity and Access Management (IAM)
  • Key Management Service (KMS)
  • Kubernetes Engine
  • Stackdriver Logging

Microsoft Azure

Microsoft Azure Penetration Testing

Microsoft Azure includes numerous security protections that help protect itself from attacks such as SQLi and XSS. Additionally, Microsoft undergoes regular audits from third-party vendors but still relies on the end-user to provide security for networks, applications, and virtual machines.

Microsoft limits testing for Denial-of-Service (DOS/DDOS), accessing any other customer’s data, and intensive fuzzing against any asset other than your Azure virtual machine, among different rules listed in its Pentest Rules of Engagement ( Areas that allow testing include the following:

  • Azure Active Directory
  • Microsoft Intune
  • Microsoft Azure
  • Microsoft Dynamics 365
  • Microsoft Power Platform
  • Microsoft Account
  • Office 365
  • Azure DevOps
At Artifice Security, we provide a cloud service configuration review and manual penetration testing performing the following:
  • Manual penetration testing against your application to find flaws
  • Port scanning all of your endpoints to find vulnerable ports and services
  • Fuzz testing against all of your endpoints
  • Exploitation against misconfigurations in Azure Active Directory
  • Perform lateral movement within your Azure environment
  • Perform brute force attacks to find weak credentials
  • Exploit tokens from Managed Identity
  • Enumerate Azure Storage Blob
  • Exploit misconfigurations in Azure AD Connect
  • Bypassing conditional access
  • Exploit misconfigurations against databases and encryption


Cloud Penetration Test Methodology

After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report has verifications with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:

Define the Scope

Before starting the cloud penetration test, Artifice Security will collaborate with your team to determine the cloud type, services, and applications needed for testing. We will work with your team to understand the services within your cloud and the time necessary to complete the penetration test.
  • Determine which cloud type service you have
  • Outline which services or applications, if any, are excluded from testing
  • Determine testing dates and times for the penetration test
  • Exchange key personnel and emergency contact information for any critical findings found

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:
  • Gather domain information and URLs for your cloud services
  • Searches for publicly exposed documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain sensitive or customer data without your knowledge
  • Searches on the Internet and Darkweb for leaked credentials within password breach databases
  • Checks to find similar domain names as yours to determine your risk to phishing (threats to domain spoofing)

Enumeration and Vulnerability Scanning Phase

Artifice Security will use active information-gathering tools and techniques to determine all possible attack vectors during the enumeration phase. We will assemble data gathered from this phase and the previous phase as the foundation for our attack and exploitation phase.
  • Scan all 65K possible ports for TCP and UDP to determine which ports are open and which services are in use
  • Check for potential misconfigurations for systems that are in the cloud
  • Determine the types of services you use for your cloud environment and how they are configured and used for your setup
  • Correlate public and proprietary vulnerabilities against your cloud services

Attack and Exploitation Phase

Artifice Security will use manual penetration testing techniques to exploit vulnerabilities found in your cloud environment during the attack and exploitation phase. We perform this exploitation using professional tools and techniques while being cautious about protecting your data, not interrupting normal business functions, and not violating cloud security rules. At this phase, we will perform the following tasks against your cloud environment:
  • Exploit application security flaws on cloud platforms
  • Exploit network security flaws on cloud platforms
  • Exploit vulnerabilities in the Azure portal such as role-based access, Azure Key Vault, Azure App Service, Azure
  • Automation, and any other service your organization uses
  • Escalate privileges and access sensitive data
  • Show proofs-of-concept for exfiltrating data (if approved by your organization)

Reporting Phase

Artifice Security will put together all the information about your organization and vulnerabilities discovered for your cloud environment during the reporting phase. We guarantee that each discovered vulnerability will be present with no false positives in the report as we use manual penetration testing.

Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your cloud environment and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.

In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.

  • Executive Summary that easily conveys risk
  • Vulnerabilities rated by criticality
  • Detailed walkthrough showing how we chain together attacks
  • Detailed proofs-of-concept that are repeatable for each vulnerability
  • Best practice remediation steps that are customized and realistic based on your current environment

Remediation Testing

As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your cloud environment after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your cloud environment.


Frequently Asked Questions

Do I need a penetration test if my resources are in the cloud?

As more organizations move their infrastructure and services to the cloud, it is critical to stay on top of your cloud infrastructure to detect vulnerabilities and deter threats. While the physical cloud infrastructure is updated and maintained by the cloud provider, the resources you own are still managed by you. Therefore, these resources can be vulnerable to numerous flaws. The most common issues we find are insecure APIs, outdated and exploitable software, misconfigurations such as open buckets, leaked credentials, vulnerabilities in access privileges, Lambda command injection, and more.

Do I need to alert AWS, Google Cloud Platform, or Microsoft Azure to penetration testing?

Amazon Web Services (AWS)

As of early 2019, Amazon does not require any clearance to conduct a penetration test.

Google Cloud Platform (GCP)

For GCP pentesting, Google does not require any prior notification, but we must adhere to Google’s Acceptable Use Policy and cannot target resources that do not belong to you.

To avoid breaching Google’s Acceptable Use Policy and disrupting any of your activities during our pentest, no company is allowed to test for vulnerabilities for “Denial-of-Service” (DoS). Before any potentially disruptive action is carried out, clients are usually alerted.

Microsoft Azure

As of June 2017, conducting penetration testing on Azure services does not require prior authorization. Microsoft Azure does not allow DoS (Denial-of-Service) attacks on the server, scan out-of-scope services, or run automated scanners that generate excessive traffic.

These rules of engagement exist to prevent other Azure clients from being impacted by a previously scheduled security test.

Does your team provide cloud security reviews?

Our team will do a full cloud service configuration review to look at every area of your cloud setup and highlight which areas are not configured to best practices. We will then show you the exact steps to fix each area according to each cloud service’s best practices.

What are the most common vulnerabilities you find for cloud services?

We find the most common issues are the following:

  • Insecure APIs
  • Outdated and exploitable software
  • Misconfigurations (e.g., open/public buckets)
  • Leaked credentials
  • Flaws in access privileges
  • Lambda command injection
  • Misconfigurations that fail to separate multiple tenants.

Leading-Edge Cybersecurity