Cloud Penetration Testing: A Complete Guide
Updated on: September 6, 2023
Jinson Varghese
15 mins read
Cloud Penetration Testing is the process of detecting and exploiting security vulnerabilities in your cloud infrastructure by simulating a controlled cyber attack. Performed under strict guidelines from cloud service providers like AWS and GCP, it aids in the detection and remediation of vulnerabilities before they are used by malicious entities.
How Does Cloud Penetration Testing Differ from Penetration Testing?
In layman’s terms, penetration testing is the process of performing offensive security tests on a system, service, or network to find security weaknesses in it. So, when it comes to cloud penetration testing, it is just performing a simulated attack on your cloud services to test their security.
What is the Purpose of Cloud Pentesting?
The prime purpose of this is to find security issues in your cloud service before hackers do. Different types of manual methods, cloud penetration testing methodology, and cloud pentesting tools may be used depending on the type of your cloud service and the provider. However, since you do not own the cloud infrastructure/platform/software as an entity but rather as a service, there are several legal and technical challenges to performing cloud penetration tests. We shall read about them later in this article.
Benefits of Cloud Penetration Testing
Cloud penetration testing by third-party is not only beneficial to cloud service providers, but also to the organizations that store their sensitive data and applications in the cloud. Cloud penetration testing helps maintain the shared responsibility model placed by most cloud providers between themselves and the customers through:
1. Aids in the identification of vulnerabilities
Identification of any vulnerabilities by carrying out cloud penetration tests ensures their quick fixing. The comprehensive scanners can pick up even the most minute vulnerabilities. This is crucial as it helps in the immediate remediation before the vulnerability is exploited by hackers.
2. Enhances cloud and application security
Another benefit of cloud penetration testing is that it helps with the constant updating of security measures. Not only this, it helps make the existing security measures better if any security gaps are found in them.
3. Increases reliability among providers and customers
Carrying out periodic cloud pentests can help increase the reliability and trustworthiness attributed to the cloud providers. This can bring in more clients owing to the security-conscious nature of the cloud provider while keeping the existing client happy with the level of protection available for the data stored by them.
4. Aids in the maintenance of compliance
Carrying out cloud pentests not only helps find vulnerabilities but also areas of non-compliance with various regulatory standards. Thus these areas that are identified can be remedied to meet the compliance requirements and avoid fines for non-compliance.
Why Astra is the best in pentesting?
- We’re the only company that combines automated & manual pentest to create a one-of-a-kind pentest platform
- Vetted scans ensure zero false positives
- Our intelligent vulnerability scanner emulates hacker behavior & evolves with every pentest
- Astra’s scanner helps you shift left by integrating with your CI/CD
- Our platform helps you uncover, manage & fix vulnerabilities in one place
- Trusted by the brands you trust like Agora, Spicejet, Muthoot, Dream11, etc.
Cloud Pentesting Methodology
These are the different cloud pen testing methodologies that ensure the penetration test is authentic and covers all important aspects of the cloud platform and application.
OSSTMM
OSSTMM is short for Open-Source Security Testing Methodology Manual. It is one of the most widely used and recognized standards of penetration testing. It’s based on a scientific approach to penetration testing that contains adaptable guides for testers. You can use this to conduct an accurate assessment.
OWASP
OWASP stands for Open Web Application Security Project. Widely known, this pentest standard is developed and updated by a community keeping in trend with the latest threats. Apart from application vulnerabilities, this also accounts for logic errors in processes.
NIST
National Institute of Standards and Technology (NIST) offers specific cloud pentesting methodology for pentesters to help them improve the accuracy of the test. Both large and small companies, in various industries, can leverage this framework for a penetration test.
PTES
Penetration Testing Execution Standards is a pentest methodology designed by a team of information security professionals. The goal of PTES is to create a comprehensive and up-to-date standard for penetration testing for cloud and other assets as well as to build awareness among businesses as to what to expect from a pentest.
Most Common Cloud Vulnerabilities
There are quite a few vulnerabilities that can lead to a compromised cloud account. Mentioning each one is beyond the scope of this article so, the most prominent ones are mentioned below:
1. Insecure APIs
APIs are widely used in cloud services to share information across various applications. However, insecure APIs can also lead to a large-scale data leak as was seen in the case of Venmo, Airtel, etc. Sometimes using HTTP methods like PUT, POST, DELETE in APIs improperly can allow hackers to upload malware on your server or delete data. Improper access control and lack of input sanitization are also the main causes of APIs getting compromised which can be uncovered during cloud penetration testing.
2. Server misconfigurations
Cloud service misconfigurations are the most common cloud vulnerability today (misconfigured S3 Buckets, in particular ). The most famous case was that of the Capital One data leak which led to the compromise of the data of roughly 100 million Americans and 6 million Canadians. The most common cloud server misconfigurations are improper permissions, not encrypting the data and differentiation between private and public data.
3. Weak credentials
Using common or weak passwords can make your cloud accounts vulnerable to brute force attacks. The attacker can use automated tools to make guesses thereby making way into your account using those credentials. The results could be disastrous leading to a complete account takeover. Since people tend to reuse passwords and use easily rememberable passwords, these attacks are fairly common. This fact can be verified during cloud penetration testing.
4. Outdated software
Outdated software contains critical security vulnerabilities that can compromise your cloud services. Most of the software vendors do not use a streamlined update procedure or the users disable automatic updates themselves. This makes the cloud services outdated which hackers identify using automated scanners. As a result, cloud services using outdated software are compromised by a large number.
5. Insecure coding practices
Most businesses try to get their cloud infrastructure built for as cheaply as possible. So, due to poor coding practices, such software often contains bugs like SQLi, XSS, CSRF. The ones which are most common among them are labeled as OWASP top 10. It is these vulnerabilities that are the root cause for the majority of cloud web services being compromised.
| Type of Cloud Service | Security Responsibilities of Cloud Providers | Security Responsibilities of Clients |
|---|---|---|
| Infrastructure as a Service (IaaS) | Virtualization. Network, Infrastructure, Physical | User Access, Data, Application, Operating System |
| Platform as as Service (PaaS) | Operating System, Virtualization, Network, Infrastructure, Physical | User Access, Data, Application |
| Software as a Service (SaaS) | Application, Operating System, Virtualization, Network, Infrastructure, Physical | User Access, Data |
Based on the Service Level Agreement (SLA) between the client and the cloud service provider certain aspects of cloud security are controlled and handled by the cloud provider and the client is responsible for the others. For instance, the cloud provider will not be held responsible for security errors related to user identity.
Similarly, the client is not responsible for the physical security of the data centers managed by the cloud providers. This shared model of cloud security is termed ‘security in the cloud’ and not ‘security of the cloud’. The scope of the cloud pentest is dictated by this shared model.
Cloud Penetration Testing Best Practices
1. Continuous Vulnerability Scans
Cloud pentesting tools should also offer continuous and comprehensive vulnerability scans to assess and find any vulnerabilities within the cloud system. It should beagle to find vulnerabilities based on known vulnerabilities from CVEs, intel, OWASP Top 10, and SANS 25. It should also be able to scan behind the logins and find any business logic errors.
2. Regular Penetration Tests
Regular penetration tests are crucial for the security of a cloud environment by both the customers and the providers to analyze and exploit the vulnerabilities within the security system.
The results of such a pentest will detail the flaws found along with the measures that can be taken to fix them before any malicious attackers take advantage of them.
3. Firewalls
A cloud-based firewall is a non-traditional solution to maintaining security for the data stored and transmitted with your cloud. These firewalls are hosted in the cloud itself. Cloud-based firewalls are easily scalable according to the needs of the cloud provider or the customer.
4. Data Encryption
Securing the data that is being transmitted and stored by cloud customers is absolutely critical. This is where data encryption comes into play. Encrypting data that is at rest and in transit using Transport Layer Security. This makes sure that the data can not be decrypted by the wrong parties thus maintaining confidentiality.
5. Intrusion Detection
Ensure that the tool you choose for your cloud’s security assessment has the right measures to detect any unauthorized activities and provide real-time alerts for the same. Machine learning can help cloud security measures recognize patterns and thereby detect activities that fall outside the established patterns in security.
6. Compliance
Cloud pentesting also ensures that as a cloud customer or a provider, the compliance you must maintain like HIPAA, PCI-DSS, GDPR, and other data protection laws is abided by.
Cloud Penetration Testing Checklist
- Identify the cloud provider(s) and service(s) being used.
- Understand the liabilities, rules, and regulations.
- Understand the cloud provider’s security controls.
- Identify who has access to the cloud environment and what level of access they have.
- Prepare a pentest plan.
- Start the pentest and continuously monitor its progress.
- Ensure that strong authentication and authorization controls are in place.
- Implement least privilege principles.
- Produce a pentest report.
- Keep your cloud environment up to date with the latest security patches and updates.
What are the Challenges in cloud penetrating testing?
1. Lack of transparency
Some cloud services have data centers managed by third parties. Users may be unaware of where the data is stored and what hardware or software configuration is being used thus exposing the user data to security risks on a cloud service. For instance, the cloud service provider may be hoarding sensitive data without the knowledge of the user. Moreover, popular CSPs like AWS, Azure, GCP, etc are known to conduct in-house security audits whiles customers can make use of cloud security companies.
A lack of transparency means that these resources cannot be audited by the security auditor of your choice. As a result, you may be unable to respond if those underlying resources are hacked.
2. Resource sharing
It is a well-known fact that cloud services share resources across multiple accounts. However, this resource sharing can prove to be challenging during cloud penetration testing. Sometimes the service providers do not take adequate steps for segmentation of all the users.
In those cases, if your business needs to be PCI DSS compliant, the standard says that all the other accounts sharing the resource and the cloud service provider should be PCI DSS compliant too. Such complex scenarios are present because there are multiple ways to implement the cloud infrastructure. This complexity hinders the process of cloud penetration testing.
3. Policy restrictions
Each cloud service provider has its own policy regarding conducting cloud penetration testing. This defines the endpoints and types of tests that can be conducted. Now let us take a brief overview of the cloud pentesting policy of the 3 most popular cloud service providers:
| Cloud Provider | Prohibited Attacks |
|---|---|
| AWS | Denial of Service (DOS) and Distributed Denial of Service Attacks (DDOS), DNS zone walking, Port, Protocol, or Request flooding attacks |
| Azure | DOS and DDoS attacks, intensive network fuzzing attacks, Phishing or any other social engineering attacks, |
| GCP | Piracy or any other illegal activity, Phishing, Distributing trojans, ransomware, Interfering |
3.1. AWS
There are 8 permitted services for Amazon web services on which cloud pen testing can be performed without giving prior notice. Those are mentioned in the Permitted Services of the policy.
However, if you wish to perform a network stress test, there is a separate policy for that. What constitutes DOS attacks and what does not is later explained in more detail at the end of this article.
3.2. Azure
Azure allows cloud pentesting on eight Microsoft products which are mentioned in its policy. Anything beyond that is out of scope. Moreover, the following types of tests are prohibited:
- Conducting cloud pen testing on other Azure customers or data other than yours.
- Tests that create a huge amount of traffic.
- Violating Acceptable Use Policy.
3.3. GCP
For Google Cloud Platform, there is no special cloud penetration testing policy as such, you just need to follow their Acceptable Use Policy and Terms of Service. Moreover, there is no need to inform Google before conducting tests. However, the Acceptable Use Policy mentions a few things that you should not perform which are as follows:
- Spamming.
- Violating the rights of other GCP users or conducting penetration tests on them.
- Violating or trying to circumvent terms of service.
- Interfering with the equipment supporting GCP.
4. Other factors
Due to the sheer scale of cloud services, one machine can host multiple VMs, this adds to the scale of cloud penetration testing. Also, the scope for such tests can vary from user software (CMS, Database, etc.) to service provider software (VM Software, etc). Both these factors combined further add to the complexity of cloud penetration testing. When encryption is added to this list, it can further worsen the situation for auditors as the company being audited may not be willing to share encryption keys.
Performing Step-by-Step Cloud Penetration Testing
Step 1: Understand the cloud service provider’s policies
Before beginning with the tests, it is important to formulate a testing plan based on the policy of the cloud service provider. This is because each CSP has its own policy regarding:
- Types of cloud pentest that can be performed.
- Endpoints that can be tested.
- Permissions to perform the tests.
- Scope of the tests.
So, if your testing plan is not in accordance with that, the cloud provider can penalize you. For example, if you try to test your account for DDOS and the CSP does not allow that, there are automatic systems in place that can detect that. Thereafter, the CSP can lock your account for some time and you will have a lot of explanation to do before you get your account back. The crux of the get matter is to get familiar with your CSP policy.
Step 2: Create a cloud penetration testing plan
Now comes the second part, which is to create a plan for performing cloud pen testing. There is no set formula for creating a plan as it varies from auditor to auditor. But, some of the steps you can take to formulate a plan are:
- Map out all the endpoints like user interface, APIs, subnetworks, etc for which testing is to be done.
- Decide which endpoints to exclude based on policy restrictions, user permissions, etc.
- Decide the route for performing the pentest i.e. from application or database.
- Figure out how well the application server and VMs can take the load of the tests that you wish to perform.
- Find out the laws that need to be followed while performing tests.
- Figure out which tools to be used and what types of tests will be performed on which endpoints (Automated or Manual).
- Finally, get the approval for your plan from the client and inform them when you wish to begin.
Step 3: Execute the plan
Now, it is time to execute your plan. Run the tools as you wished and observe the responses for vulnerability. Although some tools like Nmap, Sqlmap, OpenVAS, etc are well-known, there are some CSP-specific tools too which you can add to your plan. Some of the tools that you can include in your plan for cloud penetration testing are as follows:
- AWS Inspector: A customized security solution for AWS. It can be used as a basic minimum or preliminary testing tool.
- S3Scanner: An open-source tool to scan S3 buckets for misconfigurations and dump their data.
- MicroBurst: A collection of PowerShell scripts to scan Azure services for security issues. So, to use them you need to have PowerShell installed which is present by default on Windows OS.
- Azucar: This is another popular Azure scanning tool built using PowerShell just like MicroBurst.
- Cloudsploit: This is a popular open-source tool that can scan multiple types of cloud service providers like Azure, AWS, Google Cloud Platform, OCI, etc.
Step 4: Detect and fix vulnerabilities
Some of the automated tools may generate false positives. So, it is necessary to verify that each one is exploitable before adding it to the report. Repeat this process for each layer (network, database, application, etc) that you are testing.
Next comes the most underrated activity of cloud penetration testing, the report generation. It is important for the cloud penetration testers to present the vulnerabilities to the client in an understandable manner. The presentation is the difference between the client taking vulnerabilities seriously or not seriously. So, make sure the reports are well organized and categorized based on the type and level of threat.
After the vulnerabilities have been found, get in touch with your developers to patch them. Else what was the use of cloud penetration testing in the first place if you ignore the bugs? Some of the vulnerabilities can be fixed while making minor changes to the code while some may require a significant overhaul. However, if your tests were unable to detect any vulnerability, maybe you need to change your plan and perform more elaborate security tests.
Cloud Penetration Testing with Astra’s Pentest
Astra’s Pentest is a complete penetration testing service for mobile and web applications as well as cloud infrastructure. It combines a vulnerability scanner with manual pentest to offer a well-rounded picture of the security posture of your cloud-hosted application.
With3000+ tests, CI/CD integration, zero false positives, and collaborative remediation, Astra’s pentest suite can be a one-stop solution for your cloud pentest needs.
Was this post helpful?
Jinson Varghese
What are the Benefits of Cloud Penetration Testing?
Doing a cloud penetration test provides a lot of benefits, mainly through-
1. Finding vulnerabilities to be fixed thereby ensuring the safety of the customer data stored.
2. Helping improve the cloud security system currently in place.
3. Allowing organizations to be compliant with various standards and regulations like ISO 27001, HIPAA, and more.
4. Building trust between cloud providers and customers by establishing the security of data at rest and in transit.
5. Helping maintain reputation and preventing any monetary losses for organizations using it.
Hope this clarifies your doubt.
What is shared responsibility model in cloud?
Hey Daniel, shared responsibility model in cloud refers to following a precise set of rules with a clear understanding between both parties i.e. the cloud provider and customers regarding their obligations and areas of accountability.