Cloud security configuration audit
Cloud misconfiguration is rarely a single mistake; several factors are usually at play. That is why our team runs comprehensive security checks of your cloud environment against the most common security issues and misconfigurations:
- User management, authentication, authorization, access policies
- Component isolation, security groups, VPN settings, Ingress/Egress Routing
- Object storage visibility, such as S3
- Security of serverless functions, such as Lambdas
- Hardening of metadata WebServices (which can be abused by SSRF vulnerabilities)
- Encryption of data-in-transit & data-at-rest
- Key management & secret management (use of vaults)
- Logging & monitoring
- DFIR-Readiness (digital forensics & incident response)
Such an audit requires read-only access to the infrastructure.
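As an added illustration of what three of the checks listed above look like when automated (example code written for this page, not the audit team's own tooling): the object storage visibility check, the metadata service hardening check (IMDSv2 enforcement, which is what blunts SSRF-to-credentials), and a world-open admin port check on security groups. The inputs are constructed dicts shaped like the boto3 responses for `ec2.describe_instances`, `s3.get_public_access_block` and `ec2.describe_security_groups`; in a real audit they would be fetched with a read-only role, and the `accepted` allowlist stands in for the manual triage that removes known false positives.

```python
"""Read-only cloud configuration checks over constructed AWS-shaped input.

All sample data below is constructed for this example; field names mirror
the boto3 response shapes but nothing here talks to AWS.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    resource: str
    severity: str
    detail: str


# --- Metadata service hardening (the endpoint SSRF reaches) ---------------
def check_imds(instances):
    """Flag instances that still accept IMDSv1 (HttpTokens != 'required')
    or that raise the hop limit above 1, which lets containers on the host
    reach the metadata service."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue  # nothing to reach, nothing to flag
        if opts.get("HttpTokens") != "required":
            findings.append(Finding("imds-v2-required", inst["InstanceId"], "high",
                                    "IMDSv1 allowed; an SSRF can read the instance role credentials"))
        hop = opts.get("HttpPutResponseHopLimit", 1)
        if hop > 1:
            findings.append(Finding("imds-hop-limit", inst["InstanceId"], "medium",
                                    f"hop limit {hop} exposes IMDS to workloads behind a NAT/container"))
    return findings


# --- Object storage visibility ---------------------------------------------
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_s3_public_access(buckets):
    """buckets maps name -> PublicAccessBlockConfiguration, or None when the
    bucket has no block configured at all (every key counts as missing)."""
    findings = []
    for name, cfg in buckets.items():
        missing = [k for k in PAB_KEYS if not (cfg or {}).get(k)]
        if missing:
            findings.append(Finding("s3-public-access-block", name, "high",
                                    "public access block not fully enabled: " + ", ".join(missing)))
    return findings


# --- Security group ingress -------------------------------------------------
ADMIN_PORTS = (22, 3389)


def _rule_covers_port(rule, port):
    if rule.get("IpProtocol") == "-1":  # all traffic
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def check_security_groups(groups):
    """Flag admin ports reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            world = (any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
                     or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", [])))
            if not world:
                continue
            for port in ADMIN_PORTS:
                if _rule_covers_port(rule, port):
                    findings.append(Finding("sg-admin-port-open", sg["GroupId"], "high",
                                            f"port {port} open to the world"))
    return findings


def run_audit(instances, buckets, groups, accepted=frozenset()):
    """Aggregate all checks, then drop (check, resource) pairs that the
    triage step has marked as accepted or false positive."""
    findings = check_imds(instances) + check_s3_public_access(buckets) + check_security_groups(groups)
    return [f for f in findings if (f.check, f.resource) not in accepted]


# Constructed sample input (not real account data).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                                 "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                                 "HttpPutResponseHopLimit": 1}},
]
SAMPLE_BUCKETS = {
    "public-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "logs": dict.fromkeys(PAB_KEYS, True),
    "legacy": None,
}
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-any", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_INSTANCES, SAMPLE_BUCKETS, SAMPLE_SGS,
                       accepted={("sg-admin-port-open", "sg-bastion")}):
        print(f"[{f.severity}] {f.check} {f.resource}: {f.detail}")
```

The bastion entry is the kind of result a reviewer deliberately accepts (a jump host is supposed to expose SSH, ideally behind an allowlist), which is why the allowlist is keyed on check and resource rather than on the check alone.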
Apart from the cloud security audit from the inside, we also offer a cloud pentest version of this service. This approach does not require giving the pentesting team any infrastructure access and fully simulates an attacker's activities.
Typical scenarios for such a cloud pentest are:
- Identifying cloud vulnerabilities exploitable by external attackers
- Simulating privilege escalation in the cloud, e.g. from a basic developer’s role
No matter which platform you use, it is important to secure your cloud workloads. Our security check expertise covers platforms such as AWS, GCP and Azure.
At the beginning of the project, we collect all the input and agree on the scope of the audit/pentest.
We keep clients informed during the project, providing regular status updates and immediate notification of critical findings.
- A kick-off meeting to agree on the scope, inputs and communication
- Cloud audit/pentest (1-3 weeks, depending on the scope)
- A final report that highlights the identified cloud security issues
We employ a combination of well-recognised cloud security guidelines, automated tools and manual verifications.
- CIS Benchmarks
- Cloud security guidelines from AWS, GCP and Azure
- … and others
- Inspection tools for AWS/GCP/Azure based on CIS benchmarks
- Native tools by AWS/GCP/Azure
- Various open source tooling used where applicable
All tool output is triaged by security experts, who remove false positives before anything reaches the report.
See what our cloud security audit report looks like
Please contact us and we will send you a sample report of the cloud security audit.
Please tell us what you are looking for, and we will happily support you in that. Feel free to use our contact form or contact us directly.