Cloud penetration testing is a practice of simulating cyberattacks on a cloud environment to detect vulnerabilities (misconfigured IAM roles, exposed APIs) while assessing the overall security posture of a cloud-based system.
The process of cloud penetration testing comprises scope definition, information gathering, reconnaissance, vulnerability assessment, exploitation, post-exploitation activities, and reporting, along with remediation suggestions.
Cloud penetration testing improves security by identifying vulnerabilities, flaws, and mistakes in cloud-based web applications, according to a 2023 study by R. Al-Khannak, titled “Penetration Testing for the Cloud-Based Web Application”.
Tools used for cloud penetration are AWS CLI, Nmap, gcloud CLI, Prowler, and Azure CLI. The main standards for cloud penetration include the OWASP Top 10, PTES (Penetration Testing Execution Standard), OSSTMM (Open Source Security Testing Methodology Manual), and MITRE ATT&CK for Cloud.
The cost of a cloud penetration test is around £4,000 to £30,000+, depending on the complexity of the cloud environment and services.
What is cloud penetration testing?
Cloud penetration testing is a systematic process of simulating controlled cyberattacks on cloud environments, including cloud-native systems, platforms, and services, to assess security weaknesses such as misconfigured APIs and insufficient encryption. It also determines resistance levels, including network segmentation and access controls, and identifies vulnerabilities like unpatched software or insecure network architecture that malicious actors could exploit.
The evolution of cloud penetration began during the 2000s and continued into the 2010s, with the adoption of cloud-based infrastructures (such as AWS and Azure) and services including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), by businesses. The adoption of cloud environments raised security concerns due to shared infrastructure, multi-tenancy, and the loss of direct control over data. In 2006, Amazon EC2 (Elastic Compute Cloud), the first major commercial cloud service by Amazon Web Services, was launched.
Traditional penetration testing methods were implemented in cloud environments during the 2000s and 2010s. Researchers and pentesters found conventional pentesting methodologies ineffective for a dynamic cloud environment with the recognition of cloud-specific vulnerabilities (insecure APIs, misconfigurations, weak credentials, unauthorised access).
In 2011, the need for a specialised approach to pentesting for cloud environments led to the establishment of the National Institute of Standards and Technology (NIST) Special Publication 800-144, outlining cloud-specific frameworks and initial security and privacy considerations for public cloud computing.
A series of penetration tests (fuzzing, session hijacking, credential theft) was performed on OpenStack Essex Cloud Management software, according to a 2012 study by Ralph LaBarge, titled ‘Cloud Penetration Testing’. In the early 2020s, testing tools and frameworks started adding cloud-specific attack vectors (APIs, IAM misconfigurations, infrastructure‑as‑code, containerised workloads, serverless functions).
In 2025, cloud penetration testing combines automation (Utilising Artificial intelligence and machine learning for assisted discovery) with expert manual testing, covering hybrid-cloud environments, multi-cloud continuous testing, and validation and exploitation of vulnerabilities (privilege escalation, insufficient logging, and monitoring) rather than just detection.
How does cloud penetration testing work?
Cloud penetration testing works by simulating a real-world cyber attack on cloud infrastructure to detect vulnerabilities (misconfigured cloud storage, weak encryption).
Cloud penetration testing begins with reviewing the cloud security provider’s policies and continues with defining the scope and objectives of a cloud penetration test. Security professionals gather information, perform a vulnerability scan, and exploit discovered weaknesses to understand their potential impact, creating a detailed report that highlights identified vulnerabilities, their impacts, and recommended fixes.
The final phase of cloud penetration testing, following remediation, involves retesting to ensure that cloud environments are fully secured against the vulnerabilities discovered during the test.
The goal of Cloud penetration testing is to identify vulnerabilities, reinforce the shared responsibility for security, and ensure robust data protection in cloud environments. It is a proactive measure that complements existing security features provided by cloud service providers, according to a 2023 study by Denisa-Nicoleta Mihalache, titled “Cloud Penetration Testing”.
The shared responsibility model defines the division of security obligations between the cloud service provider (CSP) and the customer. Cloud providers are responsible for securing the underlying infrastructure, including physical data centres, network hardware, and hypervisors (security ‘of’ the cloud). Customers are responsible for securing their data, applications, identity management, operating system configurations, and network controls (security ‘in’ the cloud).
The division varies by service model:
- IaaS (Infrastructure as a Service): Customer organisation manages operating systems, applications, and data; providers manage virtualisation, servers, storage, and networking.
- PaaS (Platform as a Service): Customer organisation manages applications and data; providers manage runtime, middleware, operating systems, and infrastructure.
- SaaS (Software as a Service): Customer organisation manages data and user access; providers manage applications, runtime, middleware, operating systems, and infrastructure.
The purpose of cloud penetration testing is to proactively identify and address weaknesses and vulnerabilities, such as insecure APIs and insufficient Identity and Access Management (IAM), in the cloud environment before malicious actors can exploit them.
Why is cloud penetration testing important?
Cloud penetration testing is important because it identifies and fixes security vulnerabilities, such as misconfigurations, malware, and unauthorised access, in the native cloud environment. It also helps maintain cloud data protection and regulatory compliance.
Cloud penetration testing services are highly important for businesses using cloud services, as it prevents data breaches and support compliance and ongoing security. Integrating cloud penetration testing with audits, configuration management, and continuous monitoring creates a strong defence against evolving cyber threats, according to a 2020 study by Narendar Kumar Ale, titled “Enhancing Business Operations: Importance and Methodologies of Cloud Computing Security Testing”.
UK organisations using cloud services must consider several regulatory frameworks when planning cloud penetration testing. These include UK GDPR, NIS regulations, FCA requirements, NHS Data Security and Protection Toolkit, NCSC CAF (Cyber Assessment Framework), and Cyber Essentials Plus certification.
Cloud service provider policies vary regarding penetration testing authorisation. AWS, Azure, and GCP each have specific terms of service and notification requirements that must be followed to avoid service disruption or account suspension.”
Cloud penetration testing identifies vulnerabilities, reduces incidents, and strengthens organisational resilience. It forms a critical part of a comprehensive defence strategy to help organisations stay secure, when combined with other security measures in an evolving digital landscape, according to a 2024 study by Abidemi Salami, Udochukwu Igwenagu and four additional authors, titled “Securing the Digital Frontier: Strategies for Cloud Computing Security, Database Protection, and Comprehensive Penetration Testing”.
Cloud penetration testing identifies vulnerabilities by simulating cyberattacks on cloud infrastructure, networks, and applications. Detecting these vulnerabilities allows businesses to take corrective actions to secure sensitive data, maintain regulatory compliance, prevent unauthorised access, and reduce the risk of data breaches, ensuring a secure cloud environment.
What is cloud penetration testing methodology?
Cloud penetration testing is a security assessment methodology that involves identifying vulnerabilities in the cloud-native environment, followed by evaluation, exploitation, and verification of remediation.
Listed below are 11 steps of the cloud penetration testing methodology.
1. Review Cloud Provider Security Policies
Pentesters review cloud provider security policies during cloud penetration testing to understand the shared responsibility model. They also obtain explicit written consent from both the client and cloud service provider (CSP), clarify the scope and rules for testing, and ensure the test plan aligns with the CSP’s Service Level Agreement and guidelines.
Pentesters review cloud service providers’ security policies by reading complete security documentation covering data protection, encryption, compliance, and access control. They also analyse the shared responsibility model to understand which security obligations fall on the organisation and which fall on the provider. Security professionals then obtain written consent from both the cloud service provider (CSP) and the client, ensuring that all activities align with compliance requirements set by regulatory standards such as GDPR UK and PCI-DSS.
Each major cloud provider has specific policies governing penetration testing activities:
Amazon Web Services (AWS): AWS no longer requires pre-approval for penetration testing of most services. Customers can test EC2 instances, NAT Gateways, Elastic Load Balancers, RDS, CloudFront, Aurora, API Gateways, Lambda, Lightsail, and Elastic Beanstalk without notification. However, testing of AWS infrastructure itself, DNS zone walking, denial-of-service attacks, and port flooding remain prohibited.
Microsoft Azure: Azure permits penetration testing without pre-approval for customer-owned resources. Microsoft provides rules of engagement that prohibit testing Azure infrastructure, denial-of-service testing, and any testing that affects other Azure customers. Testers must follow Azure’s penetration testing rules of engagement.
Google Cloud Platform (GCP): GCP permits penetration testing of customer resources without pre-approval, provided testing complies with the Acceptable Use Policy. Testing must not target Google infrastructure, attempt denial-of-service, or affect other GCP customers.
Pentesters must review current provider policies before each engagement, as terms may change. Testing third-party SaaS applications hosted on cloud platforms requires separate authorisation from the SaaS provider.”
Tools used for reviewing policies include specific documents from Cloud Security Providers (AWS, GCP, Azure), security whitepapers, Cloud Security Alliance (CSA) resources, and regulatory standards and policy documents. Pentesters gain a comprehensive understanding of both the client and the cloud service provider and identify areas of vulnerability during the testing process.
The testing team easily defines the scope and boundaries of cloud penetration testing after understanding security policies and responsibilities.
2. Define Testing Scope and Boundaries
Pentesters define the testing scope and boundaries in cloud penetration testing to ensure that all approved systems are tested without violating any legal, ethical, or operational obligations.
Security professionals define testing scope by identifying testable cloud services (IaaS, PaaS, SaaS) and assets (virtual machines, storage buckets, APIs), excluding areas that can not be tested due to operational risk, Service Level Agreement (SLA) or compliance risk.
Tools used for defining cloud penetration testing scope include OWASP Threat Dragon for modelling potential threats and Prism Cloud for identifying scope configuration. Pentesters get a formal document highlighting the testing areas and exclusions for cloud penetration testing.
The testing team continues to enumerate cloud assets (Serverless Functions, Virtual Machines) and services (file storage, block storage) after receiving this clear scope document.
3. Enumerate Cloud Assets and Services
Pentesters enumerate cloud assets (virtual machines, databases) and services (configuration, logging, and monitoring) in cloud penetration testing to define the potential attack surface and identify the primary vulnerable components (databases and APIs).
Security experts create an inventory of cloud resources, including components and services. They categorise components such as virtual machines, storage buckets, and databases. They also categorise services such as load balancers, firewalls, and APIs. These assets are then prioritised based on the level of sensitive data they handle or the criticality of the services they support.
Tools used for enumerating cloud assets and services include Cloud APIs (e.g., AWS SDKs, GCP CLI, Azure CLI), Cloud Security Posture Management Tools (Prisma Cloud, CloudHealth), and automated inventory tools (CloudMapper, CloudFormation). Pentester get a detailed inventory of cloud resources (assets, services) with critical access points.
The cloud penetration testing team focuses on identifying vulnerabilities within the cloud’s Identity and Access Management (IAM) system and APIs (AWS A3, Azure Blob Storage).
4. Identify IAM and API Vulnerabilities
Pentesters identify Identity and Access Management (IAM) vulnerabilities, such as overly permissive IAM roles and privilege escalation, in cloud penetration testing. They also detect API weaknesses, including excessive data exposure and broken authentication. These measures ensure that users or services access only authorised resources, secure sensitive cloud data, and maintain secure cloud access control.
Security experts identify IAM vulnerabilities, such as over-permissive access and privilege escalation, by reviewing IAM policies, including wildcard permissions and misconfigured resources. They detect API endpoint weaknesses, such as unprotected endpoints, poorly configured rate-limiting, and missing multi-factor authentication. They also test for insecure authentication by simulating attacks, including credential stuffing, brute-force attacks, and API key leakage.
IAM testing tools include AWS IAM Access Analyser and Azure AD tools. API testing tools include Postman, Burp Suite, and OWASP ZAP. Credential scanning tools include TruffleHog and Gitleaks. Pentester get a list of IAM and API vulnerabilities (excessive permissions, weak API authentication, unprotected endpoints) that attackers may exploit
The cloud penetration testing team exploits cloud infrastructure misconfigurations (improperly configured storage, overly permissive security groups) after reviewing the IAM and API vulnerabilities list.
5. Exploit Cloud Infrastructure Misconfigurations
Pentesters identify and exploit infrastructure misconfigurations (insecure storage permissions, improper network access controls) during cloud penetration testing to gain access to the cloud system.
Security professionals review cloud configurations by examining services, including S3 buckets, security groups, and firewalls, for misconfigurations. They test network segmentation by ensuring proper separation of network security groups and firewalls. They also exploit misconfigured permissions by checking overly permissive IAM roles, S3 bucket policies, and other access control misconfigurations.
Tools used for cloud misconfiguration exploitation include automated scanning with CloudSploit, manual testing with Burp Suite, and vulnerability scanners such as Qualys and Nessus. Pentesters get a list of exploitable misconfigurations that may lead to unauthorised access to critical data on the cloud system.
The cloud penetration testing team continue with privilege escalation within the cloud environment after getting this list of exploitation misconfigurations (insecure storage permissions, improper network access controls). These exploitation techniques align with MITRE ATT&CK for Cloud tactics, including Initial Access (TA0001) via Exploit Public-Facing Application and Persistence (TA0003) via Account Manipulation.
6. Escalate Privileges Within Cloud Environment
Pentesters escalate privileges during cloud penetration testing by gaining high-level access that is initially granted within the cloud environment. They also exploit vulnerabilities, such as insecure storage permissions and improper network access controls, to assess the potential for privilege escalation by attackers.
Security professionals test misconfigured IAM policies by exploiting overly permissive permission roles. They leverage cross-account permissions to allow privilege escalation across cloud resources, such as virtual machines and storage services. They also abuse cross-service trust relationships, including AWS IAM roles, based on a higher privileges assumption.
Tools used for privilege escalation include AWS IAM Access Analyser, Azure AD enumeration tools, Metasploit, and BloodHound. Pentesters also assess Role-Based Access Control (RBAC) configurations for privilege escalation paths. Pentesters receive a comprehensive pathway demonstrating escalated privileges within the cloud environment and explaining how attackers could gain unauthorised, higher-level access.
Cloud penetration testing teams move forward with lateral movement capability testing after getting a complete roadmap of escalated privileges within the cloud environment. Privilege escalation activities map to MITRE ATT&CK Privilege Escalation (TA0004), including techniques such as Valid Accounts: Cloud Accounts (T1078.004) and Abuse Elevation Control Mechanism (T1548).
7. Test Lateral Movement Capabilities
Pentesters test lateral movement capabilities during cloud penetration testing to understand how far an attacker could penetrate after escalating privileges and whether access to sensitive systems (database, file storage) is compromised.
Security professionals simulate moving between virtual machines to test access control and network segmentation. They exploit service-to-service access with improper access controls, such as unprotected APIs and open databases. They also abuse permissions to bypass segmentation, discover hidden assets, and access additional cloud resources.
The tools used for lateral movement testing include Metasploit for lateral movement exploits, BloodHound for mapping Active Directory permissions, and nmap for network scanning and identifying accessible systems. Pentesters gain a lateral movement capability report highlighting vulnerabilities (overly permissive IAM roles, privilege escalation) that could allow attackers to spread across the environment.
The cloud penetration testing team starts validating data exfiltration vectors (exposed APIs, unprotected storage) after the lateral movement assessment to ensure that compromised systems do not leak sensitive data from the cloud environment. Lateral movement testing corresponds to MITRE ATT&CK Lateral Movement (TA0008), including techniques such as Use Alternate Authentication Material (T1550) and Internal Spearphishing (T1534).
8. Validate Data Exfiltration Vectors
Pentesters test exfiltration vectors during cloud penetration testing to understand how an attacker might steal data with broken access and make cloud data removal difficult for attackers.
Security professionals test unrestricted outbound access by checking cloud services for unrestricted internet connectivity. They assess misconfigured storage services by demonstrating access to cloud storage buckets and identifying potential data leak paths. Pentesters document proof of access using directory listings, object metadata, or sanitised screenshots rather than extracting actual production data containing personal or financial information. Only pre-approved test data is accessed or transferred to maintain compliance and prevent data protection violations.
Tools used for validating data exfiltration vectors include Wireshark (for sniffing network traffic), Burp Suite (for testing data exfiltration via HTTP requests), and AWS S3 Bucket Misconfiguration Tools (CloudSploit and ScoutSuite).
Pentesters get complete details of exfiltration vectors (exposed APIs, unprotected storage), data protection weaknesses (unencrypted data at rest, weak key management), transfer mechanisms (plain HTTP transfers, unsecured API endpoints), and sensitive data exposure (Personally Identifiable Information/PII, Payment card data/PCI).
The cloud penetration testing team assesses the security monitoring and detection capability of the cloud environment after validating potential exfiltration vectors. Data exfiltration testing aligns with MITRE ATT&CK Exfiltration (TA0010), including Transfer Data to Cloud Account (T1537) and Exfiltration Over Web Service (T1567).
9. Assess Security Monitoring and Detection Capabilities
Pentesters assess security monitoring and detection capabilities during cloud penetration testing to evaluate how the cloud environment detects and responds to potential attacks (privilege escalation, lateral movement, data exfiltration) before such attacks lead to major damage.
Security professionals perform assessments by reviewing logs and monitoring configurations to ensure logging of critical resources (APIs, VMs) is enabled. Pentesters test the alert mechanism by triggering malicious events (unauthorised access attempts or abnormal data transfers) and evaluate threat intelligence integration.
Tools used for cloud service monitoring include Google Cloud Operations Suite, AWS CloudTrail, and Azure Monitor. Tools used for cloud service monitoring and log management are OSSEC, Splunk, and Elastic Stack. Pentesters receive a comprehensive assessment of the cloud environment’s detection capabilities, identifying gaps in monitoring and alerting, while highlighting the potential for undetected malicious activity.
The cloud penetration testing team starts documenting vulnerabilities and remediation strategies after assessing the cloud environment’s detection and monitoring capabilities.
10. Document Vulnerabilities and Remediation Strategies
Pentesters document vulnerabilities during cloud penetration testing to secure the cloud environment against potential attacks.
Security professionals create a detailed report by describing each discovered vulnerability, its severity, and potential impact. They provide remediation recommendations for each vulnerability by suggesting best practices and solutions, such as updating IAM policies, fixing misconfigurations, and enabling encryption. They also prioritise remediation efforts by ranking vulnerabilities based on their potential risks to the organisation and exploitability, along with a remediation timeline.
Tools used for documentation of vulnerabilities and remediation strategies include Nessus, Palo Alto Prisma Cloud, Qualys VMDR (Vulnerability Management, Detection and Response), Rapid7, InsightVM, and Wiz. Pentesters receive a comprehensive vulnerability report that provides a detailed overview of all findings and actionable remediation strategies, while also offering the organisation a clear path to secure its cloud environment.
The cloud penetration testing team plans to retest after documenting vulnerabilities and remediation strategies to ensure that all discovered vulnerabilities have been addressed and the environment is secure.
11. Retest After Remediation Implementation
Pentesters perform a retest after implementing remediation suggestions in cloud penetration testing to ensure that issues have been resolved and fixes are effective, while maintaining a secure cloud environment.
Security professionals retest re-scanning identified vulnerable assets, such as IAM roles, APIs, and storage services, to ensure that fixes are applied. They also validate remediation effectiveness by testing the same attack vectors used in the previous cloud penetration test. Pentesters perform full regression tests by conducting retesting for the entire cloud environment to verify that no new vulnerabilities were introduced during remediation.
Tools used for restesting include Nessus, Qualys, or Acunetix (vulnerability scanning after remediation), and manual verification.
The cloud penetration testing team provides a final test report confirming that all discovered vulnerabilities have been fixed, while highlighting any additional issues that require attention and verification to improve the security posture of the cloud environment.
What are the common cloud security threats found in Cloud penetration testing?
Cyphere’s cloud penetration testers noted that most breaches stem from basic security lapses (weak password policy, poor credential lifecycle) rather than zero-day vulnerabilities during cloud penetration tests. Security professionals believe that these small issues (relaxing network rules and clearing text at the edge) can be addressed using a practical amount of resources and time. The real perimeter is identity, configuration, and data handling. Small issues (open ports, old keys) chain into a full compromise when identity, configuration, and data handling slip.
Eight common cloud security threats found during cloud penetration testing by Cyphere are listed below:
- Missing MFA: A single phishing attempt or reused password grants full control when Multi-Factor Authentication (MFA) is not consistently enforced on the admin and root accounts. For example, several admins log in to the root account of Amazon Web Services (AWS) with just one password because no MFA is implemented on that root account. A threat actor can easily gain access to the cloud console when MFA is not implemented.
- Weak password policy: A weak password policy (short password length, no lockout, and no banned password list) makes guessing and stuffing easy. In AWS, we still see 8‑character minimums and no rotation rules applied via Organisations/SCP. A weak password can lead to a security breach, as threat actors access the console to exploit the stored data and information.
- Poor credential lifecycle: A poor credential lifecycle, such as never changing passwords and not locking down emergency access, is a common security finding in cloud penetration testing. On the AWS platform, the root account lacks hardware MFA and active access keys, making these vulnerabilities exploitable by attackers.
- Unencrypted compute disks: Unencrypted compute disks (virtual machine volumes and snapshots) lead to theft or misrouting of exposed data at times. For example, the Azure and AWS platforms have Elastic Block Store (EBS) volumes and snapshots that lack encryption using Key Management Service (KMS). Unencrypted EBS snapshots allow malicious actors to yield database credentials.
- Clear‑text at the edge: Load balancers accept HTTP or weak Transport Layer Security/TLS and leak tokens and content on shared networks. For example, an Application Load Balancer (ALB) in AWS serves port 80 without HTTP Strict Transport Security (HSTS) or redirects to 443, and enables old ciphers.
- Relaxed network security rules: Azure’s Network Security Group (NSG) and AWS’s Network Access Control List (NACL) with broad access, such as 0.0.0.0/0 to ports 22 for SSH or 3389 for RDP, expose systems to the internet and could allow unauthorised access to sensitive resources. Broad and relaxed network rules enable cybercriminals to access admin ports on the cloud network. Relaxed rules weaken network security and lead to vulnerabilities if they are not properly restricted.
- Soft object storage: Soft object storage services (Azure blobs or S3 buckets) are made public by mistake, policies are too broad, versioning is disabled, and presigned links can last for months. Overly permissive storage rules make data stored inside object storage accessible to anyone on the internet, allowing unauthorised personnel to access, download, and even alter this data. A soft S3 bucket in AWS gives up customer files.
- Ageing keys and machine secrets: Ageing keys and machine secrets (Identity and Access Management /IAM access keys, API tokens, Secure Shell/SSH keys) are left active for months or years. In AWS, we see user keys that are over 180 days old and AMIs with pre-baked SSH keys. Attackers may potentially buy or guess user keys and SSH keys to gain access to the cloud system if credentials are not properly rotated or secured.
How effective is cloud penetration testing?
Cloud penetration testing is effective in reducing vulnerabilities and data breaches when combined with other security measures (data encryption, multi-factor authentication/MFA) in a unified framework. Cloud pentesting strengthens organisational resilience against cyber threats, according to a 2024 study by Abidemi Salami, Udochukwu Igwenagu and four additional authors, titled “Securing the Digital Frontier: Strategies for Cloud Computing Security, Database Protection, and Comprehensive Penetration Testing”.
Cloud penetration testing holds the second-largest market share in 2024, valued at £1.14 billion, according to the cybersecurity ventures study. Network penetration testing secures the first position in penetration testing types with a £1.86 billion market value, whilst web application penetration testing holds the third position at £1.2 billion.
What approaches are used for cloud penetration testing?
A cloud penetration testing approach is defined as the level of information provided to testers, determining whether testers simulate attacks with limited (Black‑Box), partial (Grey‑Box), or full (White‑Box) knowledge of the cloud environment.
Three cloud penetration testing approaches are listed below.
- Blackbox penetration testing: Cloud application testing with a blackbox approach involves evaluating the functionality, performance, and security of the cloud application from the end user’s perspective. The client provides minimal or no information to the pentester (such as API endpoints and website URLs), so security professionals rely on publicly available information to find and exploit vulnerabilities during cloud penetration testing. Realistic external attack simulations help clients identify exposed vulnerabilities that outsiders could exploit. Pentesters are unable to detect critical vulnerabilities (privilege escalation or misconfigured internal services) without prior knowledge or access to the internal system.
- Greybox penetration testing: Cloud application testing using the greybox method involves utilising partial knowledge of the application’s internal structure and architecture (API endpoints, database schemas) to design more effective test cases, while still testing the cloud application from an end-user’s perspective. The client provides partial knowledge of a cloud application’s environment (user credentials, API keys, architectural diagrams) about the cloud environment to simulate an insider attack with limited access to the system. The greybox testing approach is efficient because pentesters exploit vulnerabilities based on the information provided and do not waste time on discovering basic details. Greybox penetration testing misses because some internal misconfigurations (unreviewed source code or deeply embedded IAM roles) remain undetected, especially ones that require full visibility.
- Whitebox penetration testing: Whitebox testing for cloud applications involves examining the internal source code, logic, and structure of the cloud application with full access to the source code and underlying architecture. Comprehensive attack vector coverage allows pentesters to evaluate deep internal layers (source code, IAM roles, internal APIs, and security configurations) and to identify minor flaws (privilege escalation paths). Whitebox penetration testing is expensive as pentesters spend more time reviewing all internal systems (source code, configurations).
Which cloud platforms are commonly tested in cloud penetration testing?
Amazon Web Services, Google Cloud, Azure, and Office 365 are cloud platforms commonly tested in cloud penetration testing. The purpose of these platforms is to validate cloud-specific controls (IAM, APIs, storage, network, container/orchestration) while measuring blast radius, and proving business assets risk. Cloud penetration testing platforms provide identity and access controls, storage/networking management, and evidence audit trails and logging to the pentesters.
Google Cloud Penetration Testing
Google Cloud Platform (GCP) penetration testing involves simulating attacks on the Google Cloud project. GCP cloud penetration includes exploiting weaknesses in API access. It also involves auditing firewall rules and network configurations, testing Google Kubernetes Engine (GKE) security configurations, and scanning Compute Engine instances for vulnerabilities. Additionally, it includes identifying misconfigurations in IAM roles and permissions and assessing IAM for over-permissioned users.
GCP penetration testing targets vulnerabilities like unsecured service accounts with excessive privileges, exposed metadata service, publicly accessible Cloud Storage buckets, and misconfigured firewalls and network routes. Tools used for GCP Penetration Testing are Kube-hunter, gcloud CLI, ScoutSuite, Burp Suite, and Nmap.
Amazon Web Services Penetration Testing
Amazon Web Services (AWS) penetration testing involves simulating attacks on AWS services, such as IAM, Lambda, EC2, and S3. AWS penetration tests include assessing EC2 instances, exploiting instance metadata, and scanning for exposed management interfaces, including RDS (Relational Database Service) and ElastiCache. They also involve enumerating IAM to identify over-privileged users and roles and exploiting Lambda functions and insecure API access.
AWS penetration testing targets vulnerabilities such as open security groups, publicly exposed S3 buckets, and misconfigured IAM policies that grant excessive permissions. It also focuses on identifying weak or exposed AWS credentials embedded in code or environment variables. Additionally, it examines insufficiently secured Lambda functions that could allow unauthorised execution and unpatched EC2 instances that increase the attack surface. Common tools used for AWS penetration testing include Pacu, Scoutsuite, Burp Suite, Kali Linux, CloudSploit, and Nmap.
Microsoft Azure Penetration Testing
Microsoft Azure penetration testing involves identifying security weaknesses in Azure services, including Active Directory, virtual machines, containers, and storage.
Microsoft Azure penetration testing includes Azure AD enumeration to identify misconfigurations in role-based access control (RBAC). It also involves scanning for exposed storage containers and virtual machines to detect improperly protected assets. Security professionals assess app registrations, secrets, and Azure Functions to identify configuration flaws and potential abuse paths. They further examine virtual networks and Network Security Groups (NSGs) for misconfigurations that could enable unauthorised access. The process also includes penetrating containerised environments, such as Azure Kubernetes Service (AKS), to uncover insecure deployments and privilege escalation risks.
Vulnerabilities targeted by Azure penetration testing are weak or over-permissive Azure AD roles, unsecured container images, publicly accessible Azure storage accounts, and exposed secrets in app registrations or Key Vault. Tools used for Azure penetration testing are Az CLI, BloodHound, ScoutSuite, Prowler, Kube-hunter, Kube-bench, Burp Suite, Nmap, and Nessus.
Office 365 Penetration Testing
Office 365 penetration testing involves simulating attacks against email configurations, user identities, and SharePoint/OneDrive permissions to identify weak security controls in Azure AD and mail protocols (Exchange Online). Office 365 penetration testing includes testing for weak Multi-Factor Authentication (MFA) configurations, exploiting insecure app permissions and consent, attempting to bypass Conditional Access policies, and enumerating users and groups within Azure AD.
Vulnerabilities targeted by Office 365 penetration testing include weak or missing MFA, excessive app permissions, unrevoked app consent, improperly configured mailbox rules, exposed SharePoint and OneDrive files/folders, and Insecure API endpoints. Tools used for Office 365 penetration testing are MailSniper, PowerShell modules, BloodHound, SharpHound, Burp Suite, and Nmap.
Container and Kubernetes Security Testing
Container and Kubernetes security testing evaluates the security of containerised workloads and orchestration platforms within cloud environments. This testing includes container image scanning, Kubernetes cluster configuration reviews, runtime security testing, secrets management assessmen and service mesh security.
Assessing your container and Kubernetes security is a critical factor in your security roadmap for your entire organisation, as it helps to identify vulnerabilities in base images, assess RBAC policies, pod security and network policies. evaluating container escape possibilities, privilege escalation within pods, how secrets, credentials, and certificates are stored and accessed within Kubernetes and evaluating mTLS configuration, traffic policies, and service-to-service authentication.
Common tools for container security testing include Kube-hunter (for penetration testing Kubernetes clusters), Kube-bench (for CIS benchmark compliance), Trivy (for container image scanning), and Falco (for runtime security monitoring). Pentesters assess whether attackers can escape containers to access the underlying host, move laterally between pods, or access sensitive data through misconfigured secrets.
Multi-Cloud Testing Considerations
Multi-cloud penetration testing assesses organisations that operate workloads across two or more cloud service providers simultaneously. Many UK enterprises use multiple cloud platforms to avoid vendor lock-in, improve resilience, or leverage best-of-breed services. This approach introduces additional security complexity that single-cloud testing does not address.
Each cloud provider implements security controls differently. AWS, Azure, and GCP use distinct IAM models, networking constructs, encryption mechanisms, and logging systems. Security teams must understand these differences to configure consistent controls across platforms. Attackers targeting multi-cloud environments look for inconsistencies and gaps between platforms.
Multi-cloud environments create interconnection points where data and credentials flow between providers. These integration points often become weak links when security configurations are not aligned across platforms.
Our pentesters evaluate multi-cloud environments by examining areas such as cross-cloud identity federation, inconsistent IAM policies, data transfer security controls, network interconnections, centralised vs distributed logging, secrets management inconsistency and compliance alignment.
What tools are used in cloud penetration testing?
Cloud penetration testing tools are specialised software designed to identify and assess vulnerabilities in the cloud environment and improve the security posture of cloud infrastructure, applications and services.
Listed below are the most common cloud penetration testing tools.
- AWS CLI: AWS CLI (Command Line Interface) is a unified tool used to manage and control all Amazon Web Services through simple commands. Pentesters use AWS CLI to interact with the AWS environment for running scripts, configuration services, enumeration of cloud resources (EC2 instances, S3 buckets), and reconnaissance. Tasks performed by AWS CLI for cloud penetration testing include gathering metadata, conducting reconnaissance, automating test action, configuring security gathering, testing IAM roles, and enumerating cloud (EC2 instances, S3 buckets). The unique features of AWS CLI are scripting capabilities for complex action automation, CLI-based control for quick manipulation of cloud resources, and full integration with AWS services.
- Burp Suite: Burp Suite is used to identify vulnerabilities in cloud-native components (virtual machines, containers, serverless applications, and internet accessible APIs). Burp Suite tool is effective for testing the security of web apps, APIs and services running on cloud platforms (AWS, Google Cloud, and Azure). Tasks performed by Burp Suite for cloud penetration include vulnerability scan for cloud-based web apps, intercepting and modifying web traffic, and identifying application layer vulnerabilities (cross-site scripting (XSS), SQL injection). Unique features of Burp Suite include web traffic interception and an extensive plugin ecosystem for additional functionality.
- Nmap: Nmap is used in cloud penetration testing to discover hosts, detect open ports, and map the complete network of cloud-based infrastructure, such as virtual machines, load balancers, and databases. It also helps identify vulnerable network points that attackers could exploit. Tasks performed by Nmap include identification of misconfigured cloud network assets, vulnerability scanning with service version detection, and identification of cloud-based resources (operating systems and services, network scanning, and enumeration of the cloud environment’s host and open ports. Unique features of Nmap are network mapping service version detection, network audit on remote cloud system, operating system fingerprinting and host discovery.
- Prowler: Prowler is used for cloud penetration testing to assess the cloud environment by running configuration checks against common vulnerabilities and misconfigurations and by automating the detection of insecure settings in the cloud. Tasks performed by Prowler include misconfiguration Identification, auditing, security posture assessments, and automated compliance checks for regulatory standards. Unique features of Prowler include comprehensive multi-Cloud and Kubernetes coverage, flexible CLI-First workflow, and extensive built-in checks and compliance frameworks.
- Scout Suite: Scout Suite is used in cloud penetration testing for security data collection, cloud accounts audit automation, identification of vulnerabilities and misconfiguration of multiple cloud platforms. Tasks performed by Scout Suite include security audit, detection of weak security settings, identification of misconfigured permissions, assessment of cloud resources (IAM roles, security groups, and storage buckets), and compliance check. Unique features of Scout Suite are a web-based interface for reviewing reports, multi-cloud support (AWS, Azure, GCP), and real-time data collection through integration with cloud-native services.
- Gcloud CLI: Google Cloud CLI is used in cloud penetration testing to interact with Google Cloud resources for auditing, vulnerability testing, and configuration management. Tasks performed by gclouc CLI include Cloud security configurations testing (IAM roles, permissions), configuring and interacting with services for security checks, automating cloud testing processes, permission management, misconfiguration discovery, resource access, and enumerating resources (VM instances, storage buckets). Unique features of gcloud CLI are command-line-based automation, full integration with Google Cloud services (GCS), scalable scripting for security audits, and multi-platform support (Linux, macOS, Windows)
- Azure CLI: Azure CLI is used in cloud penetration testing to interact with Azure environments for automating vulnerability scanning, security configuration analysis, and resource management. Tasks performed by Azure CLI include automating testing of cloud resources for misconfigurations, enumerating resources (Azure VMs, storage accounts, networks), collecting data for security risk assessment, and configuring and auditing security settings (network security groups, access controls). Unique features of Azure CLI are Interaction with Azure Active Directory for management test identification, full integration with Azure services, security check automation, and support for multiple OS platforms (Linux, macOS, Windows).
- Pacu: Pacu is used in cloud penetration testing to exploit misconfigurations found in the AWS environment, perform advanced testing (privilege escalation), and test automation. Tasks performed by Pacu include privilege escalation and lateral movement in AWS, vulnerability exploitation, and enumeration and exploitation of IAM roles and permissions. Unique features of Pacu are Modules for exploiting common AWS misconfigurations (IAM, S3, EC2), automation of attack chains for faster testing, and active community support.
- Nessus: Nessus is used in cloud penetration testing to scan cloud-hosted systems and services for known vulnerabilities (missing patches, open ports, and outdated software) and misconfigurations. Tasks performed by Nessus include vulnerability scanning for cloud-hosted assets (e.g., VMs, databases, APIs). Security vulnerability and misconfiguration detection, comprehensive vulnerability report for remediation, and Internal/external-facing service scan in a cloud environment. Unique features of Nessus include a comprehensive vulnerability database with real-time updates, scan configuration for different cloud environments (Azure, AWS), and an extensive report with risk assessment for cloud-based assets (VMS/ Virtual Machines, Cloud storage Buckets).
- Wireshark: Wireshark is used in cloud penetration testing to monitor and analyse cloud network traffic by capturing data packets to identify vulnerabilities in communication protocols (replay attacks, Man-in-the-middle (MITM) attack), highlighting sensitive data being transmitted unencrypted, and identifying potential leaks of cloud configuration information. Tasks performed by Wireshark include capturing and analysing network traffic between cloud resources, evaluating API traffic for potential security flaws, Network traffic inspection for signs of attack, and identifying unencrypted communication and sensitive data leakage. Unique features of Wireshark are real-time traffic capture, the ability to decode and analyse hundreds of protocols, extensive filtering, and deep inspection of cloud application communication.
What standards should be followed while performing cloud penetration testing?
Cloud penetration testing standards are a set of industry guidelines, frameworks and best practices that pentesters should follow in a cloud environment.
Listed below are five common standards for cloud penetration testing.
- OWASP: Open Web Application Security Project’s Cloud-Native Application Security Top 10 is a list of the most important security risks for cloud-native applications (built using containers, microservices, or serverless architectures). The OWASP Top 10 includes risk identification in cloud-native app architecture (improper access control, broken authentication) and misconfigurations in cloud-native environments (Kubernetes, serverless functions, microservices). OWASP top 10 encourages pentesters to implement secure coding practices and proper security controls during development/ deployment, while recommending regular security audits and vulnerability assessments. The OWASP Top 10 helps security professionals focus on common threats and vulnerabilities found in cloud-native applications, ensuring better coverage of security flaws.
- NIST SP 800-53: The National Institute of Standards and Technology (NIST) Special Publication 800-53, a cybersecurity framework, provides guidelines for securing cloud infrastructure. NIST SP 800-53 includes a set of security and privacy controls for cloud systems, as well as guidance on access control, system integrity, configuration management, and incident response. NIST Special Publication 800-53 ensures that penetration testing aligns with the federal government’s security controls for cloud environments. It also recommends vulnerability testing for access control, system integrity, and data protection. NIST SP 800-53 helps security professionals ensure compliance with government and regulated sectors.
- PTES: Penetration Testing Execution Standard is a framework outlining seven key phases, including pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. PTES guides pentesters to follow best practices, such as a structured methodology for thorough testing, focusing on client interaction, setting clear expectations, and obtaining approval for testing methods. PTES standards recommend pentesters to use an iterative process for vulnerability discovery and exploitation to reduce risks. PTES ensures that tests are structured, repeatable, and cover all important aspects of engagements, thereby improving the quality of results and client satisfaction.
- OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework that provides a systematic approach for security testing. OSSTMM includes detailed processes for measuring and assessing security controls, testing methods for specific areas (applications, operational security, network, infrastructure). OSTTMM provides security test categories, including information security testing, physical security testing, operational security testing, and human security testing. It also offers security metrics for measuring and quantifying security controls and risk assessment, along with a clear methodology for assessing threat vectors. OSSTMM’s best practices include testing from a quantitative and objective standpoint. OSSTM provides a structured and scientifically backed testing methodology to perform deep and thorough risk assessment.
- MITRE ATT&CK for Cloud: MITRE ATT&CK for Cloud is a knowledge base that provides details about adversary tactics and techniques in cloud environments. It includes specific cloud-related techniques, such as exploiting misconfigurations in IAM, cloud metadata service abuse, and Kubernetes compromise. The framework also outlines adversary behaviour patterns, including how attackers move, escalate privileges, and maintain persistence, along with a comprehensive breakdown of attack vectors, such as exposed cloud storage buckets and misconfigured IAM roles. MITRE ATT&CK for Cloud framework guides pentesters into how attackers can exploit specific cloud platforms and services, and emphasises that organisations must have cloud-native defences (threat hunting, access control management). MITRE ATT&CK for Cloud allows security professionals to simulate real-world attack scenarios based on adversary pattern knowledge and specific cloud techniques.
What is the scope of cloud penetration testing?
The scope of cloud penetration testing defines which cloud resources, services, accounts, and configurations are authorised for testing. A clearly defined scope prevents misunderstandings, ensures comprehensive coverage, and aligns the assessment with organisational risk priorities.
A comprehensive cloud penetration testing scope document includes the following components:
- Cloud platforms and accounts in scope
- Cloud services and resources in scope
- Environments authorised for testing
- Testing methodology and approach
- Testing boundaries and exclusions
- Testing windows and scheduling
- Rules of engagement
- Compliance and regulatory requirements
How much does it cost to perform a Cloud penetration test?
The cost of a cloud penetration test is around £4,000 to £30,000+, depending on the complexity of the cloud environment and services.
The minimum cost to perform a cloud penetration test for small cloud-only environments (limited services, single cloud provider) is £4,000. The average cost of mid-size cloud penetration testing is £5,000–£15,000. The maximum cost for performing a complex cloud penetration test is £40,000+. General UK pentest day-rates are £1,000–£1,500 (8 hours), and the hourly rate is £125 to £375. The weekly rate for cloud penetration services is £4,000 to £10,000+.
The average salary of a Junior cloud penetration tester is £25,000–£40,000 per annum, while an expert cloud penetration tester gets around £40,000–£65,000 per annum. The average salary of a Senior cloud penetration tester is £60,000–£80,000+ per annum, depending on industry, location, and responsibilities.
Three main factors affecting the cost of cloud penetration testing include: test scope (single cloud provider, multicloud, only IaaS, full SaaS+PaaS), complexity of cloud environment (hybrid setup, microservices, multiple endpoints, multiple accounts, serverless functions), and the number of assets (virtual machines, users, APIs). Other factors influencing the cost are regulatory compliance requirements (mandatory, optional); internal or external focus; urgency (quick turnaround, schedule); and methodology (manual testing, automation).
A single prevented breach provides an ROI of 300% to 700% or more. The best ROI for hiring a cloud penetration tester is to prevent the high costs of a breach (approximately £3.29 million). Organisations spend over £3.29 million on recovery, penalties, and reputation damage, whereas hiring a professional pentester typically ranges from £5,000 to £15,000. This investment reduces exposure risk, prevents business downtime, ensures regulatory compliance, and saves the money the business would otherwise spend on a breach.
What are the uses of cloud penetration testing?
Organisations use cloud penetration testing to detect vulnerabilities in their cloud infrastructure, ensure compliance with security standards, and mitigate the risk of data breaches.
Listed below are six uses of cloud penetration testing.
- Identifying Security Vulnerabilities: Cloud penetration testing is used to identify vulnerabilities such as access control issues, exposed services, and misconfigurations within cloud infrastructure to avoid data breaches and unauthorised access.
- Staying Compliant with security standards: Cloud penetration testing is used to remain compliant with UK compliance standards such as Cyber Essentials, ISO/IEC 27001, and ISO/IEC 27017.
- Assessing Cloud Security Posture: Cloud penetration testing is used to determine the overall security posture of the cloud environment and ensure that security controls (encryption models, identity management, API security) are effective in preventing attacks.
- Testing Third-Party Cloud Services: Cloud penetration testing is used to evaluate the integration of third-party services into cloud infrastructure and ensure that new vulnerabilities don’t originate from third-party vendors.
- Detecting Privilege Escalation Risks: Cloud penetration testing is used to identify potential endpoints where attackers escalate privileges within the cloud environment to gain unauthorised access to sensitive data or services.
- Testing Multi-Cloud Environments: Cloud penetration testing is utilised in multi-cloud environments to identify security gaps between different cloud platforms, ensuring secure integration.
How Does Cloud Penetration Testing Differ from Penetration Testing?
The difference between cloud penetration testing and traditional penetration testing lies in their testing environment and authorisation. The testing environment for cloud-penetration testing includes cloud-native applications, configurations, and infrastructures, whereas the testing environment for penetration testing encompasses on-premises networks, internal systems, and services. Cloud Pentesters must get proper authorisation from both the system owner and the cloud service provider before starting the cloud penetration testing process, whereas pentesters only obtain authorisation from the system owner before performing penetration testing on locally hosted environments.
What best practices should be followed when performing cloud penetration testing?
Listed below are the best practices for performing cloud penetration testing.
- Define the Shared Responsibility Model: Define the shared responsibility model by highlighting all security aspects (configuration, access management, data security) that are your responsibility and those (physical infrastructure, hardware) that are the responsibility of the Cloud service provider (CSP).
- Obtain Proper Authorisation: Obtain explicit authorisation (written consent) from both the system owners and the Cloud Service Provider (CSP) before cloud penetration testing to avoid legal issues and service disruptions.
- Define a Clear Scope and Objectives: Clearly define the scope and objectives for cloud penetration services. Pentesters specify the goals (compliance, risk identification), exact services, environments (production or staging), applications, and IPs included in the test.
- Plan for a Robust Incident Response: Develop a comprehensive plan to handle security incidents, service disruptions, and live vulnerability discovery during testing, while adding escalation paths and communication protocols as a must-have.
- Map Cloud Environment: Map a detailed cloud environment, including all assets (undocumented resources, shadow IT), to ensure comprehensive security coverage.
How to become a cloud penetration tester?
To become a cloud penetration tester, build a solid understanding of cybersecurity, networking, scripting, and cloud computing. A cloud pentester’s career path begins by earning a degree in computer science, information security, or a related field and then acquiring cloud-specific knowledge and certifications ( AWS Certified Security-Specialist, Microsoft Certified: Azure Security Engineer).
The time required to become a cloud penetration tester ranges from 2 to 4 years, depending on the individual’s skill set and experience.
It is not easy to become a cloud penetration tester because there is a shortage of comprehensive penetration testing models and tools specifically designed for cloud and mobile cloud environments, making it harder for newcomers to learn and apply best practices, according to a 2019 study by A. Al-Ahmad, titled “Mobile cloud computing applications penetration testing model design”.





