Cloud Pentest

Cloud Penetration Testing Service (AWS, Azure, GCP)

Digital Roxy runs cloud penetration tests against AWS, Azure, and Google Cloud environments. Every engagement covers IAM policy abuse, compute service exploitation, storage exposure, and the Kubernetes clusters running on top. Notification-compliant with AWS and Azure rules of engagement.

Cloud pentest is IAM policy attack simulation.

A cloud penetration test measures whether your cloud identity architecture, network topology, and compute configuration resist attacker techniques. The dominant attack vector in modern cloud breaches is IAM abuse, not software vulnerabilities. Typical examples: an over-permissive IAM role attached to an EC2 instance, a Lambda with pass-role rights to production, a Kubernetes service account with cluster-admin bindings. These findings do not show up on vulnerability scanners because they are not vulnerabilities; they are configurations.

Digital Roxy cloud pentests cover AWS, Azure, and Google Cloud environments against CIS Benchmarks and provider-specific security best practices. We review IAM policies with tools like Pacu, ScoutSuite, and Prowler, then manually exploit the over-permissions we find. Storage exposure testing, metadata service abuse testing (IMDSv1 vs IMDSv2), serverless function privilege escalation, and Kubernetes cluster penetration testing are all included where relevant. Every engagement complies with AWS and Azure penetration testing rules of engagement; provider notification is handled where required.

Cloud Pentest Findings

Cloud Vulnerability Classes We Exploit

Cloud pentest findings are mostly configuration findings. These are the patterns that show up in production AWS, Azure, and GCP environments.

Critical

Over-permissive IAM Policies

IAM roles with *:* permissions. Roles with iam:PassRole to production-capable services. Cross-account trust policies with overly broad Principal fields. AssumeRole chains that lead to admin. This is the #1 cloud attack vector for a reason.
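The patterns above can be checked mechanically before anyone exploits them. The following is an added example, not Digital Roxy's tooling: a small linter over plain IAM policy documents (the JSON that iam:GetPolicyVersion and iam:GetRole return) that flags `*` on `*`, unconstrained `iam:PassRole`, `sts:AssumeRole` on any resource, IAM self-escalation actions, and wildcard or whole-account principals in a trust policy. The sample policies and account ids are constructed placeholders; the list of IAM write actions is illustrative rather than exhaustive.

```python
"""Lint IAM identity and trust policies for over-permission patterns.

Added example, not Digital Roxy's tooling. Runs offline on exported policy
documents; the account ids in the samples are constructed placeholders.
"""
import fnmatch
import re

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")

# IAM write actions that let a principal grant itself more permissions (illustrative list).
IAM_WRITE_ACTIONS = (
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy",
)


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _grants(action_patterns, action):
    """True if any Action entry (possibly a wildcard such as 'iam:*') covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


def _condition_keys(stmt):
    """Flatten {"StringEquals": {"iam:PassedToService": ...}} to {"iam:passedtoservice"}."""
    return {key.lower() for op in stmt.get("Condition", {}).values() for key in op}


def lint_identity_policy(policy):
    """Return (severity, statement, message) tuples for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if any_resource and any(a in ("*", "*:*") for a in actions):
            findings.append(("CRITICAL", where, "full admin: Action * on Resource *"))
            continue  # every rule below is implied by full admin
        if any_resource and _grants(actions, "iam:PassRole") \
                and "iam:passedtoservice" not in _condition_keys(stmt):
            findings.append(("CRITICAL", where,
                             "iam:PassRole on any role without an iam:PassedToService condition"))
        if any_resource and _grants(actions, "sts:AssumeRole"):
            findings.append(("HIGH", where, "sts:AssumeRole on Resource * (trust policies are the only guard)"))
        writes = [a for a in IAM_WRITE_ACTIONS if _grants(actions, a)]
        if any_resource and writes:
            findings.append(("HIGH", where, "IAM self-escalation via " + ", ".join(writes)))
    return findings


def lint_trust_policy(trust, own_account):
    """Flag wildcard and whole-account principals in a role's AssumeRolePolicyDocument."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{idx}]"
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                sev = "HIGH" if stmt.get("Condition") else "CRITICAL"
                findings.append((sev, where, "Principal * may assume this role"))
                continue
            m = ACCOUNT_IN_ARN.match(p)
            if m and m.group(1) != own_account:
                sev = "HIGH" if p.endswith(":root") else "MEDIUM"
                findings.append((sev, where, f"external account {m.group(1)} trusted via {p}"))
    return findings


# Constructed sample policies (placeholder account ids).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LAMBDA_DEPLOYER = {"Statement": [{"Effect": "Allow",
                                  "Action": ["lambda:CreateFunction", "iam:PassRole"],
                                  "Resource": "*"}]}
SCOPED_DEPLOYER = {"Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                                  "Resource": "arn:aws:iam::111111111111:role/app-*",
                                  "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}]}
OPEN_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "*"]}}]}

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("lambda-deployer", LAMBDA_DEPLOYER), ("scoped", SCOPED_DEPLOYER)]:
        print(name, lint_identity_policy(pol))
    print("trust", lint_trust_policy(OPEN_TRUST, "111111111111"))
```

The scoped deployer policy passes because it restricts both the role ARN pattern and the service the role can be passed to; the unscoped one is flagged CRITICAL even though it never mentions `*:*`, which is the point the paragraph makes about PassRole.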

Critical

Publicly Exposed Storage

S3 buckets with public-read. Azure Blob containers with anonymous access. GCS buckets with allUsers permissions. Even when the bucket ACL is private, the object ACLs can be public. We test both layers plus the bucket policy layer.
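Because an object can be public while the bucket ACL is private, exposure has to be evaluated across all three layers together, and S3 Block Public Access can neutralise a grant at either layer. The following is an added example, not Digital Roxy's tooling: it takes dicts shaped like the responses of get_public_access_block, get_bucket_policy, get_bucket_acl and get_object_acl and computes the effective exposure. Bucket names, keys and grants are constructed.

```python
"""Evaluate S3 exposure across Public Access Block, bucket policy and ACLs.

Added example, not Digital Roxy's tooling. Input mirrors the S3 API response
shapes so it runs offline on exported data; all names below are constructed.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_reads(policy):
    """Bucket-policy statements that let anyone read objects without a Condition."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned public statements (e.g. aws:SourceIp) need manual review
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            hits.append(f"Statement[{idx}]")
    return hits


def acl_public_grants(acl):
    """Grants to AllUsers/AuthenticatedUsers carrying READ or FULL_CONTROL."""
    out = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS) and g.get("Permission") in ("READ", "FULL_CONTROL"):
            out.append(("AllUsers" if uri == ALL_USERS else "AuthenticatedUsers", g["Permission"]))
    return out


def effective_exposure(bucket):
    """Combine the layers: a public grant only counts if Block Public Access does not cancel it."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    ignore_acls = pab.get("IgnorePublicAcls", False)          # ignores public bucket AND object ACLs
    restrict_policy = pab.get("RestrictPublicBuckets", False)  # blocks anonymous access via policy
    name = bucket["Name"]
    findings = []
    for where in policy_public_reads(bucket.get("Policy", {})):
        if not restrict_policy:
            findings.append(("CRITICAL", f"{name}: public read via bucket policy {where}"))
    if not ignore_acls:
        for who, perm in acl_public_grants(bucket.get("Acl", {})):
            findings.append(("CRITICAL", f"{name}: bucket ACL grants {perm} to {who} (listing)"))
        for obj in bucket.get("Objects", []):
            for who, perm in acl_public_grants(obj.get("Acl", {})):
                findings.append(("HIGH", f"{name}/{obj['Key']}: object ACL grants {perm} to {who}"))
    return findings


# Constructed samples: a private bucket with one public object, and a policy-public bucket.
PRIVATE_BUCKET_PUBLIC_OBJECT = {
    "Name": "example-assets",
    "PublicAccessBlockConfiguration": {},  # Block Public Access not configured
    "Policy": {},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    "Objects": [{"Key": "exports/customers.csv",
                 "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}],
}
POLICY_PUBLIC_BUCKET = {
    "Name": "example-site",
    "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": False},
    "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-site/*"}]},
    "Acl": {"Grants": []},
    "Objects": [],
}

if __name__ == "__main__":
    for b in (PRIVATE_BUCKET_PUBLIC_OBJECT, POLICY_PUBLIC_BUCKET):
        print(b["Name"], effective_exposure(b))
```

Turning on `IgnorePublicAcls` for the first bucket makes the object finding disappear without touching the object, which is why the account-level Block Public Access setting is usually the first remediation recommended.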

High

EC2/VM Metadata Service Abuse

IMDSv1 still enabled on EC2 instances, allowing SSRF-to-credentials chains. Azure IMDS exposure through misconfigured networking. GCP metadata service token abuse. Metadata service hardening is non-negotiable in modern cloud environments.
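The EC2 side of this finding comes down to two per-instance settings. The following is an added example, not Digital Roxy's tooling: it walks the Reservations structure that ec2.describe_instances returns, raises the severity when an instance profile is attached (so credentials are actually reachable through IMDSv1), and emits the keyword arguments for the boto3 call that enforces IMDSv2. Instance ids and the profile ARN are constructed.

```python
"""Audit EC2 instance metadata options for IMDSv1 and oversized hop limits.

Added example, not Digital Roxy's tooling. Consumes a describe_instances dump
so it runs offline; the sample instance ids and profile ARN are constructed.
"""


def imds_findings(reservations):
    """Return (severity, instance_id, message) for instances whose IMDS settings are weak."""
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            has_role = "IamInstanceProfile" in inst
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # nothing answers on 169.254.169.254
            if opts.get("HttpTokens", "optional") != "required":
                # IMDSv1 answers unauthenticated GETs; with a role attached, any SSRF on the
                # host becomes a credential leak, so the severity goes up.
                sev = "HIGH" if has_role else "MEDIUM"
                msg = "IMDSv1 allowed (HttpTokens != required)"
                if has_role:
                    msg += " and an instance profile is attached"
                findings.append((sev, iid, msg))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                # A hop limit above 1 lets containers or NAT'd guests on the host complete the IMDSv2 handshake.
                findings.append(("MEDIUM", iid, f"HttpPutResponseHopLimit={hops} reaches past the host"))
    return findings


def remediation_call(instance_id):
    """Keyword arguments for boto3 ec2.modify_instance_metadata_options that enforce IMDSv2."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}


# Constructed sample: one weak instance with a role, one hardened, one with IMDS off.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb222",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "disabled"}},
]}]

if __name__ == "__main__":
    for sev, iid, msg in imds_findings(SAMPLE_RESERVATIONS):
        print(sev, iid, msg)
        print("  fix:", remediation_call(iid))
```

Setting the hop limit back to 1 is safe for workloads that call IMDS directly from the instance; hosts running containers that legitimately need IMDS should use a per-task credential mechanism instead of raising the limit.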

Critical

Kubernetes Cluster Weaknesses

Service accounts with default cluster-admin ClusterRoleBindings. Exposed Kubernetes API servers without proper authentication. Container escape through privileged pods or hostPath mounts. RBAC misconfigurations enabling privilege escalation. EKS, AKS, GKE all have their own patterns.
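The RBAC and pod-spec checks above can be run against a cluster export rather than a live API server. The following is an added example, not Digital Roxy's tooling: it reads the `.items` lists that `kubectl get clusterroles,clusterrolebindings,pods -A -o json` produces, flags every ServiceAccount (or all-ServiceAccounts group) bound to cluster-admin or to a ClusterRole with `*` verbs on `*` resources, and flags pods with privileged containers, hostPID/hostNetwork or hostPath volumes. Namespaces, names and role names in the sample are constructed.

```python
"""Find cluster-admin ServiceAccounts and escape-prone pod specs in a cluster dump.

Added example, not Digital Roxy's tooling. Works on the JSON item lists kubectl
emits, so it runs offline; the sample objects below are constructed.
"""


def wildcard_roles(cluster_roles):
    """Names of ClusterRoles granting every verb on every resource (cluster-admin equivalents)."""
    names = {"cluster-admin"}
    for role in cluster_roles:
        for rule in role.get("rules") or []:
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                names.add(role["metadata"]["name"])
    return names


def admin_service_accounts(bindings, cluster_roles):
    """ServiceAccounts (and SA-wide groups) bound to a cluster-admin-equivalent ClusterRole."""
    risky = wildcard_roles(cluster_roles)
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        via = b["metadata"]["name"]
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.append(("CRITICAL", f"{s.get('namespace')}/{s['name']} -> {ref['name']} via {via}"))
            elif s.get("kind") == "Group" and s["name"].startswith("system:serviceaccounts"):
                findings.append(("CRITICAL", f"group {s['name']} (every SA it covers) -> {ref['name']} via {via}"))
    return findings


def escape_prone_pods(pods):
    """Pods whose spec gives a container a path to the node: privileged, hostPID/hostNetwork, hostPath."""
    findings = []
    for pod in pods:
        spec = pod.get("spec", {})
        meta = pod["metadata"]
        reasons = []
        if spec.get("hostPID"):
            reasons.append("hostPID")
        if spec.get("hostNetwork"):
            reasons.append("hostNetwork")
        for vol in spec.get("volumes") or []:
            if "hostPath" in vol:
                reasons.append(f"hostPath:{vol['hostPath'].get('path')}")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                reasons.append(f"privileged:{c['name']}")
            elif "SYS_ADMIN" in (sc.get("capabilities") or {}).get("add", []):
                reasons.append(f"CAP_SYS_ADMIN:{c['name']}")
        if reasons:
            findings.append(("HIGH", f"{meta.get('namespace')}/{meta['name']}", reasons))
    return findings


# Constructed sample objects in kubectl JSON shape.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "ops-everything"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"metadata": {"name": "ops-bind"}, "roleRef": {"kind": "ClusterRole", "name": "ops-everything"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:ops"}]},
    {"metadata": {"name": "readers"}, "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "monitoring"}]},
]
PODS = [
    {"metadata": {"name": "node-debug", "namespace": "kube-system"},
     "spec": {"hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web", "namespace": "app"},
     "spec": {"containers": [{"name": "web", "securityContext": {"allowPrivilegeEscalation": False}}]}},
]

if __name__ == "__main__":
    print(admin_service_accounts(BINDINGS, CLUSTER_ROLES))
    print(escape_prone_pods(PODS))
```

The second binding is the one people miss: `ops-everything` never says "cluster-admin", but a wildcard rule set bound to a `system:serviceaccounts:*` group hands every ServiceAccount in that namespace the same power.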

High

Lambda / Azure Function Privilege Abuse

Serverless functions with attached roles far exceeding their operational needs. Lambda functions able to write to production S3 buckets when they only need to read from a staging queue. Function secrets stored in environment variables visible through function inspection.

Medium

CloudTrail / Audit Log Gaps

CloudTrail disabled in specific regions. Azure Activity Log retention too short. GCP Audit Logs not enabled for data access. Attacker actions leave no trail. Essential finding for incident response readiness assessments.

High

Security Group / NSG Misconfigurations

Security Groups with 0.0.0.0/0 access on 22, 3389, 5432, 3306, or other management/database ports. Azure NSGs with "Any" source on internal management. GCP VPC firewall rules that allow far more than needed. Network exposure that IAM controls cannot protect against.

High

Secrets Manager / Key Vault Weaknesses

Secrets Manager with broad read permissions granted to application roles. Key Vault with admin-level Access Policies on roles that only need read. Secrets rotated but old versions never revoked. KMS keys without rotation enabled. Secrets management is often where the attack chain resolves.

Methodology

Our Cloud Pentest Methodology

Methodology aligned with CIS AWS / Azure / GCP Benchmarks and MITRE ATT&CK for Cloud. IAM-first, because IAM is the control plane.

SCOPING

Account Scoping & Read-Only Access

Read-only audit access to the cloud account(s) in scope. For AWS, a SecurityAudit-equivalent IAM role. For Azure, a Reader + Security Reader role. For GCP, Security Reviewer. Provider-notification scope is identified; notifications are submitted where required by AWS/Azure pentest rules.

INVENTORY

Asset Inventory & Configuration Baseline

Scout Suite, Prowler, and ScubaGear baseline the entire cloud environment against CIS Benchmarks: resource counts, regional spread, service inventory, and an initial finding list. The baseline is the starting point, not the full report.

IAM

IAM Graph Mapping

Build the full IAM trust graph. Every role, every policy, every cross-account trust, every federated identity. Pacu and custom tooling map privilege escalation paths. Every iam:PassRole and sts:AssumeRole edge is walked for reachability.
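Walking the graph for reachability is the core of this step, and of the PMapper "who can become who" analysis listed in the toolset below. The following is an added example, not Digital Roxy's or PMapper's code: a simplified model in which each edge is a (from, to, reason) triple already derived from trust policies, `sts:AssumeRole` grants and `iam:PassRole` plus service-create permissions, and a breadth-first search that returns the shortest path from any principal to an admin principal. It does not parse policies itself; principal names and edges are constructed.

```python
"""Reachability over an IAM trust graph: which principals have a path to admin.

Added example, not Digital Roxy's or PMapper's code. Edges are given directly
rather than derived from policies; all principal names are constructed.
"""
from collections import deque

# Constructed edges. In an engagement each edge comes from evaluating an
# sts:AssumeRole grant against the target's trust policy, or an iam:PassRole
# grant together with a permission to create a workload that runs as the role.
EDGES = [
    ("user/dev-alice", "role/lambda-deployer", "sts:AssumeRole allowed and trust policy permits"),
    ("role/lambda-deployer", "role/data-pipeline", "iam:PassRole + lambda:CreateFunction (code runs as the role)"),
    ("role/data-pipeline", "role/org-admin", "sts:AssumeRole allowed and trust policy permits"),
    ("user/dev-bob", "role/read-only", "sts:AssumeRole allowed and trust policy permits"),
]
ADMIN_PRINCIPALS = {"role/org-admin"}


def build_graph(edges):
    """Adjacency list: principal -> [(reachable principal, reason), ...]."""
    graph = {}
    for src, dst, reason in edges:
        graph.setdefault(src, []).append((dst, reason))
    return graph


def escalation_path(graph, start, targets):
    """BFS from start; return the shortest list of (principal, reason) hops to any target, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while parents[node] is not None:
                prev, reason = parents[node]
                path.append((node, reason))
                node = prev
            return list(reversed(path))
        for nxt, reason in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, reason)
                queue.append(nxt)
    return None


def principals_reaching_admin(edges, targets=ADMIN_PRINCIPALS):
    """Every non-admin principal in the graph that has some path to an admin principal."""
    graph = build_graph(edges)
    nodes = {s for s, _, _ in edges} | {d for _, d, _ in edges}
    return sorted(p for p in nodes if p not in targets and escalation_path(graph, p, targets))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for hop, why in escalation_path(graph, "user/dev-alice", ADMIN_PRINCIPALS):
        print(f"-> {hop}  ({why})")
    print("reach admin:", principals_reaching_admin(EDGES))
```

The output for the sample is a three-hop path that never involves a `*:*` policy: a developer becomes a deployer, passes a more privileged role to a Lambda, and from there assumes admin. The remediation question is which single edge to cut; in this graph scoping the deployer's `iam:PassRole` removes every path.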

STORAGE

Storage & Data Exposure

S3, Azure Blob, GCS, RDS snapshots, EBS volumes, and all storage surfaces tested for public exposure. Object-level ACLs tested alongside bucket/container policies. Cross-account access paths to data are mapped. Public exposure findings are time-sensitive and get disclosed same-day.

COMPUTE

Compute & Serverless

EC2, Azure VMs, and GCE instances tested for IMDS configuration, SSM agent posture, and SSH/RDP exposure. Lambda, Azure Functions, and Cloud Functions tested for privilege escalation paths and secret leakage. Container workloads tested for escape and image supply chain.

K8S

Kubernetes Cluster Testing (if applicable)

EKS, AKS, GKE, or self-managed clusters tested for API server exposure, RBAC misconfig, privileged pod patterns, hostPath mounts, and service account over-permissions. Tools like kube-hunter and Peirates for active enumeration. Every ServiceAccount with cluster-admin is a finding.

REPORT

Report & Remediation Roadmap

Findings mapped to CIS Benchmark controls and MITRE ATT&CK for Cloud techniques. IAM graph visualization as a report appendix. Prioritized remediation roadmap with Terraform/CloudFormation/Bicep code snippets for the top findings. Free retest after remediation.

Toolset

Our Cloud Pentest Toolset

Cloud tooling spans provider-native auditing, community frameworks, and custom attack tooling. The providers give you visibility; the offensive tools test whether that visibility matters.

Prowler + Scout Suite

Multi-cloud security auditing frameworks. CIS Benchmark alignment across AWS, Azure, and GCP. Baseline every engagement starts from.

Pacu

AWS offensive framework for privilege escalation and post-exploitation. IAM graph walking, Lambda backdoor testing, and credential extraction modules.

MicroBurst + ROADtools

Azure offensive tooling. Access token abuse, Key Vault enumeration, Azure AD enumeration, and service principal manipulation.

kube-hunter + Peirates

Kubernetes cluster attack frameworks. API server discovery, pod escape testing, service account abuse.

PMapper + IAM Access Analyzer

IAM privilege escalation analysis. PMapper builds a graph of who can become who and identifies reachable privilege escalation edges.

Terraformer + Custom SDK Tools

Environment reconstruction for offline analysis. Custom Python tooling on AWS, Azure, and Google SDKs for bespoke testing needs.

Pricing

Cloud Pentest Engagement Tiers

Three engagement sizes. Every quote is fixed-price after a 15-minute scoping call. No hourly billing.

Single Cloud

Single AWS, Azure, or GCP account. Right for startups and single-cloud deployments.

From $5,500 · flat fee
  • Single cloud provider
  • IAM graph review
  • Storage exposure testing
  • Compute baseline testing
  • 1-2 week engagement
  • CIS Benchmark report
  • One free retest

Multi-Cloud

Combined AWS + Azure + GCP environment. Cross-cloud federation and hybrid trust testing.

From $14,500 · flat fee
  • Everything in Multi-Account
  • All three major clouds
  • Cross-cloud federation review
  • Hybrid AD-to-cloud trust testing
  • SOC 2 / ISO 27001 cloud package
  • MITRE ATT&CK for Cloud mapping
  • 90-day remediation Slack support
FAQ

Cloud Pentest Questions, Answered Directly

AWS removed formal penetration testing notification in 2019 for most services; testing within your account is permitted without prior approval against the allowed services list. Azure requires no formal notification for testing your own resources. GCP requires no notification for testing your own projects. Exceptions exist: testing certain managed services, physical infrastructure, or other tenants always requires provider involvement. We handle the scoping and notifications during engagement kickoff.

Read-only audit access is sufficient for the majority of findings. In AWS, SecurityAudit-equivalent permissions. In Azure, Reader + Security Reader roles. In GCP, Security Reviewer. For engagements that include active exploitation of discovered privilege escalation paths, temporary expanded access is granted and revoked at engagement end. Everything is logged.

No. Read-only reconnaissance is the default mode. Active exploitation of discovered privilege escalation paths happens only against confirmed test accounts and scoped resources. Production workload testing is scoped explicitly with pre-agreed boundaries. We do not create persistent cloud changes, do not exfiltrate data, and do not leave artifacts behind. Every action is logged.

Yes. EKS, AKS, GKE, and self-managed Kubernetes clusters running on cloud VMs are all in scope. Kubernetes cluster testing covers API server exposure, RBAC configuration, privileged pod patterns, service account permissions, and container escape paths. For organizations running significant K8s workloads, a dedicated Kubernetes-focused cloud pentest is often the right scope.

Yes. Infrastructure-as-code security review is available as a preventive complement to cloud pentest. We review Terraform, CloudFormation, CDK, Bicep, and Pulumi code for patterns that would create insecure cloud resources at deployment. This is cheaper than finding the same issues in the deployed environment and is increasingly common in SOC 2 Type II preparation.

Lambda, Azure Functions, and Cloud Functions are standard scope items. We test execution role permissions, environment variable secret exposure, trigger misconfiguration (unauthenticated public invocation), and privilege escalation paths through pass-role chains. Serverless environments often have more IAM surface than equivalent container environments.

Yes. IAM policy review is the highest-value part of any cloud pentest. We use PMapper, Access Analyzer, and manual review to identify over-permissive policies, unused permissions, and privilege escalation paths. Reports include specific Terraform/CloudFormation snippets showing recommended tightened policies for top findings.

AWS Organizations, Azure management group hierarchies, and GCP organizations are mapped at engagement start. Every account in scope is audited. Cross-account trust paths are walked explicitly, because privilege escalation in multi-account environments typically happens through trust chains, not within single accounts. Reporting aggregates at both account and organization level.

Ready to scope your Cloud Pentest?

Book a 15-minute scoping call. You get a fixed-price quote within one business day.