Cloud penetration testing methodology

blog + Penetration test Z. Oualid today

share close

Cloud infrastructure is becoming more and more used by companies around the world. Therefore, performing a penetration test against your own cloud infrastructure or your client’s cloud is becoming so important to comply with the regulations. So, here is a cloud penetration testing methodology:

  1. CSP Contract checking (verify that the contract you have with the CSP allow a pentest)
  2. Planning the Pentest (scope)
  3. Reconnaissance
  4. Attacking
  5. Post exploitation
  6. Reporting

Most companies are opting for a hybrid cloud system to migrate a part of their network to the cloud. This migration has generated so many security questions which have forced standards to put in place recommendations to secure those infrastructures.

Therefore, to comply with those standards and regulations, companies need to follow those security recommendations. Performing a penetration test against the cloud infrastructure is one of them to comply with those regulations.

In this blog post, we will try to explain in detail the penetration testing methodology that we follow to perform penetration tests against cloud infrastructures.

CSP Contract checking

When you just get the idea of performing a penetration test against your cloud environment, the first thing you should do is to take a look at your CSP (Cloud service provider) contract. You need to take a close look at it to see if you have the right to perform a penetration tester.

Note all sorts of cloud contracts allow clients to perform penetration testing. For example, if you are using a Saas cloud model, then performing a penetration test against the app that you use is in 99% of situations not allowed. Generally, in this situation, the application security is managed by the cloud service provider.

In addition, even when dealing with a Paas or Iaas service, if the contract you have signed with your CSP does not contain a clear expression of performing penetration tests on it, then you can’t do it.

Therefore, either you already have a cloud or you are thinking about implementing it or even you are just doing a cloud penetration test for your client, you should read the contract or request this from your CSP, before launching the mission or buying the cloud service.

Planning the Pentest

Once you are 100% sure that you have the right to perform a penetration test against your cloud infrastructure, the first thing you should start with is the scoping.

Defining the scope of the penetration test is always important and if you take a look at the blog post I have written about penetration test The 7 best penetration testing methodologies in the market or even the API penetration testing methodology you will notice that defining the scope is always the first step.

Understanding the perimeter of the penetration test by both the penetration tester and the client, help them avoid time-wasting. Moreover, the scope of the mission can contain even the small details about what tools would be used and at which moment those penetration tests need to be performed to avoid client disruption.

Defining the scope is always the same even in the context of the cloud infrastructure. The only difference here might be related to the information that would be shared by the client in a gray box penetration test concerning the way you will connect to this environment.

I have written a more detailed blog post about how to define your scope for the penetration test for optimum results.


Reconnaissance is also always the first step in any penetration test mission. The idea is to correctly understand the target by collecting as much information as possible about it. The more information you collect the quicker you will gain access.

However, this step still a little bit different in a cloud environment. The idea here is to collect information about:

  • Checking for existing buckets
  • Looking for existing accounts
  • Looking for AWS credentials in files
  • Looking for SSH keys

This step is the most important one in the whole cloud penetration test. This step is even more important in cloud penetration testing than in any regular penetration test. Usually, the extremely vulnerable services that you can use to get first access, are rare in a cloud environment due to multiple reasons. Logical vulnerabilities or misconfiguration vulnerabilities are more likely to be found than regular ones.

Moreover, identifying the deployed applications and service is important for further scans and tests. Most first access can be easily be gotten by exploiting a vulnerability.

Performing username harvesting in Azure for example or enumerating open file shares need to be performed in this step so that the results get used in attacking the cloud systems.


Using the information you have collected in the reconnaissance step, you can start the attacking process. In the attacking step the penetration tester tries to get first access to the system. To do that, the penetration tester can:

  • Attack identity systems

The most important part of cloud security is the identity and access management (IAM) systems. This system is responsible for affecting permissions to access resources and offer a unified view into security policy across your entire organization. Each cloud service provider has its own IAM system.

Tacking control over this system is very similar to taking control over the Active Directory administrator account in a normal network. Having this access means full control over the whole cloud infrastructure.

  • Attack Cloud-Native Applications

As I said, vulnerable applications are usually the first access points for the penetration tester. A lot of web application vulnerabilities can be exploited to gain remote code execution on the hosting system. Vulnerabilities like SQL injection, unrestricted file upload, and others.

Post exploitation

Having the first access to the system does not mean that the penetration test job is done. Performing a privileges escalation and lateral movement to prove the impact of the discovered vulnerabilities on the client. To do that the penetration tester could perform some techniques to abuse the cloud services.


At the end of the penetration test, a professional detailed report needs to be elaborated by the penetration tester. The report needs to include all the vulnerabilities with detailed information on how those vulnerabilities can be reproduced.

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *