Cloud security configuration audit

Cloud misconfiguration has many contributing factors. That is why our team provides comprehensive security checks of your cloud environment against the most common security issues and misconfigurations:

  • User management, authentication, authorization, access policies
  • Component isolation, security groups, VPN settings, Ingress/Egress Routing
  • Object storage visibility, such as S3
  • Security of serverless functions, such as Lambdas
  • Hardening of instance metadata web services (which can be abused via SSRF vulnerabilities)
  • Encryption of data-in-transit & data-at-rest
  • Key management & secret management (use of vaults)
  • Logging & monitoring
  • DFIR-Readiness (digital forensics & incident response)

Such an audit requires read-only access to the infrastructure.

Cloud pentest

Apart from the cloud security audit performed from the inside, we also offer a cloud pentest version of this service. This approach does not require giving the pentesting team access to the infrastructure and fully simulates the activities of an external attacker.

Typical scenarios for such a cloud pentest are:

  • Identifying cloud vulnerabilities exploitable by external attackers
  • Simulating privilege escalation in the cloud, e.g. from a basic developer’s role

Cloud platforms

No matter which platform you use, it is important to secure your cloud workloads. Our security assessment expertise covers platforms such as:

  • AWS
  • Azure
  • Google Cloud

Our process:

At the beginning of the project, we will collect all the input and agree on the scope of the audit/pentest.

We keep clients informed throughout the project, providing regular status updates and immediate notifications of critical findings.

1. A kick-off meeting to agree on the scope, inputs and communication
2. Cloud pentest (1-3 weeks, depending on the scope)
3. The final report that highlights the identified cloud security issues

Our methodology

We employ a combination of well-recognised cloud security guidelines, automated tools and manual verifications.

Guidelines:

  • CIS Benchmarks
  • Cloud security guidelines from AWS, GCP and Azure
  • … and others

Tools:

  • Inspection tools for AWS/GCP/Azure based on CIS benchmarks
  • Native tools by AWS/GCP/Azure
  • Various open source tooling used where applicable

All tool outputs are triaged by our security experts, who remove false positives before the findings reach the report.

See what our cloud security audit report looks like

Please contact us and we will send you a sample report of the cloud security audit.

Contacts

Please tell us what you are looking for and we will be happy to help.

Feel free to use our contact form or contact us directly.