Cloud Penetration Testing Services
Identify Hidden Cloud Security Risks and How They Impact Your Organization
Penetration testing against cloud services is one of the most requested services at Artifice Security. Each cloud provider, such as Google Cloud Platform, Amazon Web Services, and Microsoft Azure, has its own configuration model and therefore its own classes of vulnerabilities that may be present.
At Artifice Security, our expert engineers hold the latest certifications in cloud security. Our engineers also have experience working with cloud environments as cloud architects, developers, and administrators. This experience translates to not only knowing the security side of your cloud environment but understanding your cloud environment on a deeper level.
AWS Cloud Penetration Testing
- User-Operated Services – These are cloud instances created and configured primarily by the end user, who is in charge of the service rather than the hosting provider (e.g., EC2 instances). These services allow near-complete testing; the main restrictions are on Denial-of-Service (DoS/DDoS) attacks and other deliberate disruptions to traffic flow, which the providers prohibit.
- Vendor-Operated Services – These are cloud offerings owned or operated by the vendor and consumed “as a service.” Examples include AWS CloudFront, Gmail, O365, and Salesforce. Testing against these services focuses on your implementation and configuration rather than the provider’s infrastructure.
Your organization provides us with a dedicated, secured account for the AWS Management Console. The access required is the AWS managed policies ReadOnlyAccess and SecurityAudit, and nothing more. With these permissions, Artifice Security can perform an audit-style assessment that lets our security engineers review configurations that are not always visible to an external attacker.
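One way to grant that access with least privilege is a cross-account IAM role rather than a shared user: your account owns the role, only the assessor's account can assume it, and an ExternalId plus MFA condition protects the trust. The following is an added example, not Artifice Security's own tooling. The account IDs, the role name, and the use of a cross-account role at all are assumptions for illustration; the two managed-policy ARNs are the real ones for ReadOnlyAccess and SecurityAudit.

```python
import json
import secrets

# Placeholder account IDs and role name, assumed for this example; substitute your own.
CLIENT_ACCOUNT_ID = "111111111111"    # your account (where the role lives)
ASSESSOR_ACCOUNT_ID = "222222222222"  # the assessor's account (allowed to assume it)
ROLE_NAME = "CloudPentestAuditRole"

# The two AWS managed policies named above; these ARNs are real.
AUDIT_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
]


def new_external_id() -> str:
    """A long random ExternalId; share it out of band and never reuse it."""
    return secrets.token_urlsafe(32)


def build_trust_policy(assessor_account_id: str, external_id: str) -> dict:
    """Trust policy for the audit role.

    Only principals in the assessor's account may call sts:AssumeRole, and only
    when they present the agreed ExternalId (the standard defence against the
    confused-deputy problem for third-party access) and authenticated with MFA.
    Drop the MFA condition if the assessor assumes this role from another role
    rather than from an MFA-authenticated IAM user.
    """
    if not (assessor_account_id.isdigit() and len(assessor_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    if len(external_id) < 32:
        raise ValueError("ExternalId should be long and random")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{assessor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"sts:ExternalId": external_id},
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                },
            }
        ],
    }


def provision_audit_role(iam, role_name: str, trust_policy: dict,
                         policy_arns=AUDIT_POLICY_ARNS, max_session_hours: int = 4) -> list:
    """Create the role and attach only the read-only audit policies.

    `iam` is a boto3 IAM client (or any object with the same two methods).
    Returns the list of policy ARNs attached so the caller can record them.
    """
    if not 1 <= max_session_hours <= 12:
        raise ValueError("IAM caps role sessions at 12 hours")
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy),
        MaxSessionDuration=max_session_hours * 3600,
        Description="Read-only access for the cloud penetration test",
    )
    attached = []
    for arn in policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
        attached.append(arn)
    return attached


if __name__ == "__main__":
    # Requires boto3 and AWS credentials in your own account.
    import boto3  # type: ignore

    external_id = new_external_id()
    policy = build_trust_policy(ASSESSOR_ACCOUNT_ID, external_id)
    provision_audit_role(boto3.client("iam"), ROLE_NAME, policy)
    print(f"Role arn:aws:iam::{CLIENT_ACCOUNT_ID}:role/{ROLE_NAME} created; ExternalId: {external_id}")
```

Delete the role when the engagement ends, and review CloudTrail for AssumeRole events against it during testing; the short MaxSessionDuration limits how long a leaked session token stays useful.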
This white-box approach allows our team to fully pentest your AWS architecture while giving you a clear understanding of best practices. Our consultants test for a range of AWS-specific misconfigurations in the following areas:
- AWS Certificate Manager (ACM)
- AWS Lambda
- AWS CloudFormation
- AWS CloudTrail
- AWS CloudWatch
- AWS Config
- AWS Direct Connect
- AWS DynamoDB
- AWS Elastic Compute Cloud (EC2)
- AWS Elastic File System (EFS)
- AWS ElastiCache
- AWS Elastic Load Balancer (ELB)
- AWS Elastic Load Balancer V2 (ELBv2)
- AWS Elastic MapReduce (EMR)
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Relational Database Service (RDS)
- AWS Redshift
- AWS Route 53
- AWS Simple Storage Service (S3)
- AWS Secrets Manager
- AWS Simple Email Service (SES)
- AWS Simple Notification Service (SNS)
- AWS Simple Queue Service (SQS)
- AWS Virtual Private Cloud (VPC)
Google Cloud Platform (GCP) Penetration Testing
This white-box approach allows our team to fully pentest your Google Cloud Platform architecture while giving you a clear understanding of best practices. Our consultants test for a range of GCP-specific misconfigurations in the following areas:
- Cloud Resource Manager
- Cloud SQL
- Cloud Storage
- Compute Engine
- Identity and Access Management (IAM)
- Key Management Service (KMS)
- Kubernetes Engine
- Cloud Logging (formerly Stackdriver Logging)
Microsoft Azure Penetration Testing
Microsoft prohibits Denial-of-Service (DoS/DDoS) testing, accessing any other customer’s data, and intensive fuzzing against any asset other than your own Azure virtual machine, among other rules listed in its Penetration Testing Rules of Engagement (https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement). The products covered by those rules, and the activities they permit, include the following:
- Azure Active Directory
- Microsoft Intune
- Microsoft Azure
- Microsoft Dynamics 365
- Microsoft Power Platform
- Microsoft Account
- Office 365
- Azure DevOps
- Manual penetration testing against your application to find flaws
- Port scanning all of your endpoints to find vulnerable ports and services
- Fuzz testing against all of your endpoints
- Exploitation against misconfigurations in Azure Active Directory
- Perform lateral movement within your Azure environment
- Perform brute force attacks to find weak credentials
- Exploit tokens from Managed Identity
- Enumerate Azure Storage Blob
- Exploit misconfigurations in Azure AD Connect
- Bypassing conditional access
- Exploit misconfigurations against databases and encryption
Cloud Penetration Test Methodology
Define the Scope
- Determine which cloud type service you have
- Outline which services or applications, if any, are excluded from testing
- Determine testing dates and times for the penetration test
- Exchange key personnel and emergency contact information for any critical findings found
Information Gathering / Recon Phase
- Gather domain information and URLs for your cloud services
- Search for publicly exposed documents such as PDF, DOCX, XLSX, and PowerPoint files that may contain sensitive or customer data without your knowledge
- Search the Internet and dark web for leaked credentials in password breach databases
- Check for domain names similar to yours to determine your exposure to phishing and domain spoofing
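The lookalike-domain check in the last item is usually done by generating the permutations an attacker would register (typos, homoglyphs, hyphenation, wrong TLD) and then resolving them. Below is an added example of that generator, not Artifice Security's own tooling; the substitution table and the list of alternate TLDs are constructed for the example and are deliberately small.

```python
import re
import socket

# Substitutions commonly seen in lookalike registrations (homoglyphs, leetspeak,
# adjacent letters). Constructed for this example; deliberately not exhaustive.
SUBSTITUTIONS = {
    "a": ["4", "e"], "b": ["d", "8"], "c": ["e"], "d": ["b", "cl"], "e": ["3", "a"],
    "g": ["q", "9"], "i": ["1", "l"], "l": ["1", "i"], "m": ["rn", "n"], "n": ["m"],
    "o": ["0"], "s": ["5", "z"], "t": ["7"], "u": ["v"], "v": ["u"], "w": ["vv"],
}
ALTERNATE_TLDS = ["com", "net", "org", "co", "io"]
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def split_domain(domain: str):
    """'example.com' -> ('example', 'com'); everything after the first dot is kept as the suffix."""
    domain = domain.lower().strip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, sep, suffix = domain.partition(".")
    if not sep or not LABEL_RE.fullmatch(label):
        raise ValueError(f"expected a registrable domain such as example.com, got {domain!r}")
    return label, suffix


def lookalikes(domain: str) -> set:
    """Candidate lookalike domains an attacker might register to impersonate `domain`."""
    label, suffix = split_domain(domain)
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission: xample
        variants.add(label[:i] + label[i] + label[i:])          # repetition: exaample
        for rep in SUBSTITUTIONS.get(label[i], []):             # substitution: examp1e, exarnple
            variants.add(label[:i] + rep + label[i + 1:])
        if i < len(label) - 1:                                  # transposition: exmaple
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if i > 0:                                               # hyphenation: exam-ple
            variants.add(label[:i] + "-" + label[i:])
    variants.add("www" + label)                                 # missing dot: wwwexample
    candidates = {f"{v}.{suffix}" for v in variants if v != label and LABEL_RE.fullmatch(v)}
    for tld in ALTERNATE_TLDS:                                  # wrong TLD: example.co
        if tld != suffix:
            candidates.add(f"{label}.{tld}")
    return candidates


def registered(candidates) -> dict:
    """Resolve each candidate; a resolving name is worth a closer look (needs network access)."""
    found = {}
    for name in sorted(candidates):
        try:
            found[name] = socket.gethostbyname(name)
        except OSError:
            pass
    return found


if __name__ == "__main__":
    cands = lookalikes("example.com")
    print(f"{len(cands)} candidates, e.g. {sorted(cands)[:5]}")
    for name, ip in registered(cands).items():
        print(f"{name} -> {ip}")
```

A candidate that resolves is not proof of malice (defensive registrations and parked domains resolve too), so the resolving set is triaged by hand: WHOIS age, MX records, and whether the site clones your login page.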
Enumeration and Vulnerability Scanning Phase
- Scan all 65,535 TCP and UDP ports to determine which ports are open and which services are in use
- Check for potential misconfigurations for systems that are in the cloud
- Determine the types of services you use for your cloud environment and how they are configured and used for your setup
- Correlate public and proprietary vulnerabilities against your cloud services
Attack and Exploitation Phase
- Exploit application security flaws on cloud platforms
- Exploit network security flaws on cloud platforms
- Exploit vulnerabilities in the Azure portal such as role-based access, Azure Key Vault, Azure App Service, Azure Automation, and any other service your organization uses
- Escalate privileges and access sensitive data
- Show proofs-of-concept for exfiltrating data (if approved by your organization)
Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your cloud environment and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
- Executive Summary that easily conveys risk
- Vulnerabilities rated by criticality
- Detailed walkthrough showing how we chain together attacks
- Detailed proofs-of-concept that are repeatable for each vulnerability
- Best practice remediation steps that are customized and realistic based on your current environment
As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your cloud environment after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your cloud environment.
Frequently Asked Questions
Do I need a penetration test if my resources are in the cloud?
Do I need to alert AWS, Google Cloud Platform, or Microsoft Azure to penetration testing?
Amazon Web Services (AWS)
As of early 2019, AWS does not require prior approval for penetration testing of the services listed in its Customer Support Policy for Penetration Testing. Denial-of-Service (DoS/DDoS) simulation, DNS zone walking, and port, protocol, or request flooding remain prohibited.
Google Cloud Platform (GCP)
For GCP, Google does not require prior notification, but we must adhere to Google’s Acceptable Use Policy and may only target resources that belong to you.
Because Denial-of-Service (DoS) testing would breach that policy and disrupt your operations, we do not perform it on GCP. Before any potentially disruptive action is carried out, clients are usually alerted.
Microsoft Azure
As of June 2017, penetration testing against Azure services does not require prior authorization from Microsoft. Microsoft does not allow Denial-of-Service (DoS) attacks, scanning of out-of-scope services, or automated scanners that generate excessive traffic.
These rules of engagement exist to prevent other Azure customers from being impacted by your security test.
Does your team provide cloud security reviews?
What are the most common vulnerabilities you find for cloud services?
We find the most common issues are the following:
- Insecure APIs
- Outdated and exploitable software
- Misconfigurations (e.g., open/public buckets)
- Leaked credentials
- Flaws in access privileges
- Lambda command injection
- Misconfigurations that fail to separate multiple tenants
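The Lambda command injection item above is worth seeing concretely. The following is an added example, not code from Artifice Security or any client: a Lambda-style handler that pastes a request parameter into a shell command, beside the hardened form that validates against an allow-list and never invokes a shell. The handler's purpose and the event shape are assumptions; `echo` stands in for a real lookup tool such as `dig` or `nslookup` so the example runs offline.

```python
import json
import re
import subprocess

# Stand-in for a real lookup tool such as `dig` or `nslookup`: `echo` keeps the
# example runnable offline while still going through /bin/sh in the vulnerable path.
TOOL = "echo"


def vulnerable_handler(event, context=None):
    """BEFORE: the hostname from the request is pasted into a shell command line.
    Anything the shell understands (; | $( ) backticks) runs in the function's
    execution environment with the function's IAM role."""
    host = event.get("host", "")
    cmd = f"{TOOL} resolving {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return {"statusCode": 200, "body": out}


# RFC 1123-style hostname: labels of letters, digits and inner hyphens, joined by dots.
# A leading hyphen is rejected too, so the value can never be parsed as a tool option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def build_argv(host) -> list:
    """Allow-list validation, then the value travels as one argv element: no shell."""
    if not isinstance(host, str) or not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return [TOOL, "resolving", host]


def hardened_handler(event, context=None):
    """AFTER: strict validation, argv list, no shell, and a timeout."""
    try:
        argv = build_argv(event.get("host", ""))
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid hostname"})}
    out = subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
    return {"statusCode": 200, "body": out}


if __name__ == "__main__":
    # Constructed request: a hostname with a second command appended.
    payload = {"host": "example.com; echo INJECTED"}
    print("vulnerable:", vulnerable_handler(payload)["body"])
    print("hardened:  ", hardened_handler(payload))
```

In a real function the injected command would typically be used to read the execution role's temporary credentials from the runtime's environment, which is why the hardened version also belongs next to a function role scoped to the minimum the lookup needs.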