Cloud Penetration Testing
AWS, Azure & Kubernetes — real attack paths instead of checklists
A cloud penetration test assesses your cloud environment for real-world attack vectors — from IAM misconfigurations and exposed storage services to Kubernetes and workload risks.
The focus is on connected attack chains:
How can an attacker move from a compromised account to sensitive data or production workloads?
Privilege escalation, cross-account access, tokens and secrets — documented clearly and traceably.
AWS / Azure / Hybrid
Focused on IAM, storage, networking, and cloud-native controls.
Risk rating + action plan so teams can remediate quickly.
What is a Cloud Pentest?
A cloud pentest combines active attack simulation with cloud-specific configuration and architecture assessment. The outcome is not a pure “best-practice review”, but solid evidence of which attack paths are actually possible in your environment.
Typical techniques (depending on scope):
- Credential abuse & token hijacking
- Privilege escalation via IAM/RBAC
- Cross-account / cross-subscription access
- Exposed storage and data access paths
- Abuse of service-to-service trust
- Kubernetes RBAC / secrets / admission & pod security (if in scope)
Is this relevant for you?
Typical triggers
- Cloud-first strategy or rapid migration
- Multi-account / multi-subscription setup
- Kubernetes / container platform in use
- Many roles/policies, limited visibility
- ISO 27001 / NIS2 / TISAX preparation
- Incident / suspected compromise
Common risks
- Over-privileged roles (no least privilege)
- Weak trust relationships (cross-account)
- Public exposure (storage, services, APIs)
- Unsecured secrets / tokens / keys
- Unclear network boundaries & poor segmentation
- Kubernetes cluster/workload misconfigurations
Typical Scope
- Roles, policies, service principals
- Least-privilege assessment & privilege escalation paths
- Key/token exposure & rotation governance
- Cross-account / cross-subscription trust
- S3 / Blob / (GCS on request)
- Public access, ACLs, policies
- Snapshots/backups, logging, access paths
- Data exfiltration scenarios (if in scope)
- Security groups / NSGs / firewall rules
- VPC/VNet segmentation, peering, private endpoints
- Internet-exposed services & API gateways
- Hybrid connectivity (VPN/ExpressRoute) — optional
- RBAC, ServiceAccounts, ClusterRoles
- Secrets management & workload identity
- Admission controls / pod security / network policies
- Supply chain attack surfaces (registry/IaC) — optional
Cloud Pentest vs Configuration Review
Many teams already have “checks” or tools — and incidents still happen. The key difference is proof through attack paths.
| Cloud Pentest | Configuration Review |
|---|---|
| Attack simulation & escalation paths | Best-practice comparison |
| Proof: what is truly exploitable? | Risk is theoretical / tool-driven |
| Prioritized by exploitability & impact | Prioritized by severity rules |
| Documented kill chain (if in scope) | Checklist output |
Shared Responsibility: What is actually assessed?
Cloud security is a shared responsibility. A cloud pentest therefore explicitly considers:
- Your configurations (IAM, networking, storage, workloads)
- Governance & controls (policies, guardrails, logging)
- Responsibilities in scope (provider vs customer)
This makes it clear whether risks result from architecture, implementation, or missing controls.
Process
- Goals, boundaries, accounts, test scenarios
- Read-only / test accounts, approvals
- Discovery, exposure, trust map
- Escalation, paths, data access
- Findings, priorities, debrief
Typical duration: 5–15 business days (depending on accounts, workloads, and Kubernetes complexity).
Deliverables
Executive Summary
Risk overview, priorities, management-ready recommendations.
Attack Paths & Evidence
Exploit paths, screenshots, reproduction — documented clearly and traceably.
Findings with Risk Rating
Impact, exploitability, affected resources, clear prioritization.
Hardening & Governance Plan
Concrete configuration and guardrail recommendations for teams.
Verification of implemented measures — especially useful for compliance requirements.
Typical Costs
- 1 account / few workloads: €7,000–15,000
- multiple services / first clusters: €15,000–30,000
- multi-account / multi-cloud: from €30,000
- Number of accounts / subscriptions
- Workload scope & critical data paths
- Kubernetes & identity integration (workload identity, IRSA, etc.)
- Logging/monitoring requirements
- Retest / verification
Access & Operational Safety
We work in a controlled, traceable way with clear abort rules.
- Read-only permissions for discovery & assessment
- Optional: test accounts for exploit paths
- Scope approvals for automations
- Authorization & responsibilities
- Test windows / change freeze (if needed)
- Escalation contacts & emergency stop
FAQ
Is this a classic pentest or more of a configuration review?
Both — we combine active attack simulation (attack paths) with cloud-specific architecture and configuration analysis.
Which providers are supported?
AWS and Azure are standard. Kubernetes environments (e.g. EKS/AKS/on-prem) are supported. GCP on request.
Do you need access to production systems?
For most checks, read-only permissions are sufficient. To demonstrate exploit paths with solid evidence, separate test accounts can be useful in some cases.
How do you handle shared responsibility?
We explicitly assess responsibilities in scope (provider vs customer) and derive governance and configuration measures from that.
Can multiple accounts / subscriptions be tested?
Yes — this is often the most important part (trust, cross-account access). Effort scales with the number and complexity.
Is there a retest?
Optional — to verify implemented measures, especially relevant for compliance.