Service A.04 · Cloud Penetration Testing

Cloud penetration testing for AWS, Azure and GCP - built around manual exploitation, not policy review.

CyberFortify's cloud penetration testing services assess the security of cloud environments the way attackers exploit them - through IAM privilege escalation, instance-metadata abuse, container escapes, Kubernetes RBAC weaknesses, exposed storage, serverless attack chains and identity-federation flaws. We test what configuration scanners cannot reach: the gaps between services, the trust relationships, the human errors that survive contact with production.

Cloud platforms: AWS · Azure · GCP Engagement: 7-14 business days Standards: MITRE ATT&CK Cloud · CIS Benchmarks · PTES
AWS
Full IAM coverage
Azure
Entra + Resource
GCP
Project + Org
K8s
RBAC + supply chain
Test classes: IAM privilege escalation · Assumed-role chains · metadata exfil · SSRF → STS · container escapes · K8s RBAC · pod-spec abuse · service-account theft · lambda env exfil · SAML federation flaws · M365 abuse · Conditional Access bypass Test classes: IAM privilege escalation · Assumed-role chains · metadata exfil · SSRF → STS · container escapes · K8s RBAC · pod-spec abuse · service-account theft · lambda env exfil · SAML federation flaws · M365 abuse · Conditional Access bypass
// Executive summary

CyberFortify cloud penetration testing exploits IAM trust paths, federation flaws, container escapes and SSRF→STS chains across AWS, Azure and GCP - producing a report engineering can ship from and auditors will accept for SOC 2, ISO 27001 and PCI DSS.

// 01 What is cloud penetration testing?

// DefinitionCloud Pen Test

Cloud penetration testing is the manual offensive assessment of an AWS account, Azure subscription or GCP project - including the IAM systems binding them and the workloads running on top.

It is not a CSPM scan and not a checklist audit. It demonstrates attacker impact by exploiting the gaps and trust relationships posture tools cannot reason about.

The modern cloud perimeter is identity. CyberFortify engagements typically begin from an assumed-breach position - a low-privilege role or leaked credential - and chain forward to whatever the IAM graph allows: cross-account roles, federated trust, exposed metadata, runaway service principals.

// 02 AWS, Azure & GCP - what changes between providers

The same exploitation primitives appear in all three clouds, but the surface differs. CyberFortify scopes per-provider, with a senior tester who specialises in the platform leading each.

AWS · A.04.1

AWS pen testing

Account · Org · Control Tower · STS
IdentityIAM users, roles, SCPs, permission boundaries, AssumeRole chains, identity-centre / SSO
WorkloadEC2, Lambda, ECS, EKS, Fargate, Step Functions, App Runner
DataS3, RDS / Aurora, DynamoDB, KMS, Secrets Manager, Parameter Store
Abuse pathsSSRF→IMDSv1, iam:PassRole privesc, Lambda env exfil, RDS snapshot sharing, cross-account confused deputy
Azure · A.04.2

Azure pen testing

Tenant · Subscription · Mgmt Group
IdentityEntra ID, Conditional Access, service principals, managed identities, RBAC role assignments
WorkloadVMs, AKS, App Service, Functions, Container Apps, Logic Apps, Automation accounts
DataStorage accounts, Cosmos DB, SQL DB, Key Vault, ADLS, Blob SAS
Abuse pathsManaged-identity escalation, Conditional Access bypass, Storage SAS leakage, AKS Pod Identity, M365 cross-tenant abuse
GCP · A.04.3

GCP pen testing

Org · Folder · Project hierarchy
IdentityIAM bindings, service accounts, Workload Identity Federation, OIDC, organisation policies
WorkloadGCE, GKE (+ Autopilot), Cloud Run, Cloud Functions, App Engine
DataGCS, BigQuery, Cloud SQL, Firestore, Secret Manager, Cloud KMS
Abuse pathsSA-key abuse, actAs / iam.serviceAccountTokenCreator privesc, GKE Workload Identity escape, GCS public ACLs, project IAM cycles

// 03 Cloud kill chain

Real cloud breaches follow a recognisable shape. CyberFortify exercises the full chain - not just the entry point - because realistic impact is established by reaching the data, not by demonstrating the foothold.

01

Initial access

Leaked key in repo, SSRF in web app, CI / CD secret exposure, OAuth phish.

02

Identity pivot

STS AssumeRole, managed-identity token, GH Actions OIDC, service-account key.

03

Privilege escalation

iam:PassRole, actAs, role-assignment write, attribute-based-access misuse.

04

Lateral movement

Cross-account roles, peered VPCs, container escape, K8s service-account token theft.

05

Data access

S3 / GCS / Blob exfil, RDS snapshot, KMS decrypt, BigQuery / Cosmos read.

06

Persistence & cover

Backdoor IAM user, Lambda layer plant, CloudTrail / Activity Log gap, GuardDuty muting.

// 04 Container, Kubernetes & serverless scope

Managed Kubernetes (EKS, AKS, GKE), container platforms and serverless functions are tested as first-class cloud surfaces - not as out-of-scope appendages. The unit of compromise has shifted from "host" to "workload identity."

K.01

RBAC & service accounts

Cluster role and role-binding review, default-namespace SA token reachability, service-account-token automount audit, impersonation chains.

K.02

Pod-spec abuse

Privileged: true, hostPID / hostNetwork / hostPath, capabilities, securityContext bypass, hostPath escapes to node-IAM.

K.03

Workload identity

EKS IRSA, GKE Workload Identity, AKS Pod Identity / Workload Identity - pod→cloud token theft pathways.

K.04

Supply chain & admission

Image signing (cosign / Notary), admission controllers (OPA / Kyverno / Gatekeeper), registry trust, base-image CVE pressure.

K.05

Serverless

Lambda / Cloud Functions / Azure Functions environment variable exfil, function-URL / HTTP trigger abuse, layer poisoning, cold-start side channels.

K.06

IaC & CI/CD

Terraform / Bicep / CloudFormation drift, GitHub Actions OIDC role over-trust, self-hosted runner abuse, build-time secret leakage.

// 05 Common cloud pen test findings

Recurring real-engagement findings, mapped to MITRE ATT&CK for Cloud techniques. Treat as a self-audit checklist before scoping.

CriticalF.C01

iam:PassRole → admin role

Identity with the ability to launch a workload (EC2, Lambda, ECS task) under a high-privilege role becomes account-admin within minutes. Most common AWS privesc path.

T1078.004 / T1098.001
CriticalF.C02

SSRF → IMDS → STS

Application-layer SSRF reaches the EC2 metadata endpoint, harvests instance role credentials, pivots to AWS APIs. IMDSv1 still enabled on production fleet.

T1552.005 / T1078.004
HighF.C03

GitHub Actions OIDC over-trust

Cloud trust policy accepts any branch / any repo from the org, allowing a fork or low-trust repo to assume a production role.

T1078.004 / T1199
HighF.C04

Public S3 / GCS / Blob with PII

Storage container readable to anonymous internet, indexed by buckets-search engines. Data classification policy not enforced via guardrail.

T1530
HighF.C05

K8s service-account token automount

Pod compromise yields a service-account token reachable from the application container. Token grants list / get on cluster-wide secrets.

T1552.007
MediumF.C06

Conditional Access bypass via legacy auth

Entra ID Conditional Access enforces MFA for modern auth but legacy protocols remain enabled, allowing username + password from any geography.

T1078.004 / T1556.006

// 06 Pen test vs CSPM, scanner & audit

Different tools verify different properties. Cloud pen testing is complementary to CSPM, vulnerability scanning and configuration audit - it is not a replacement for any of them, and none of them are a replacement for it.

Capability
Cloud pen test
CSPM
Config audit
IAM privesc chains
Manual exploitation
Static graph
No
SSRF→STS & metadata abuse
Yes
No
No
Container escape
Adversarial
No
No
Federation & OIDC trust
Exploited
Listed
Reviewed
Misconfiguration listing
As byproduct
Continuous
Point-in-time
Detection-engineering value
CloudTrail / Activity / Audit logs exercised
No
No

// 07 Cloud pen testing methodology

CyberFortify's seven-phase engagement, tuned for cloud. Default posture is assumed-breach: a low-privilege role or read-only credential, the way real intrusions actually start.

01

Pre-engagement

Provider notification where required, scope account list, workload inventory, blast-radius boundaries.

Provider compliant
02

Reconnaissance

Account / org enumeration, IAM graph extraction, exposed-resource discovery, federation map.

Read-only first
03

Threat modelling

Per-tenant attack-path priorities mapped to MITRE ATT&CK Cloud.

ATT&CK Cloud
04

Vulnerability identification

Manual analysis primary; Pacu, ScoutSuite, Prowler, kube-hunter, Peirates as targeted aids.

Manual primary
05

Exploitation & lateral movement

Bounded, documented chains - IAM escalation, SSRF→STS, container escape, federation abuse.

Controlled
06

Reporting

CIS Benchmark cross-reference, ATT&CK technique IDs, CVSS v3.1, fix-by-priority.

Audit-ready
07

Free remediation retest

Updated attestation issued after engineering closes findings.

Included

// 08 Standards & compliance mapping

StandardReferenceWhat our test covers
MITRE ATT&CK for CloudIaaS, SaaS, M365, Containers matricesAdversary technique mapping per finding
SOC 2CC6.1, CC6.6, CC7.1Logical access, boundary protection, detection
ISO/IEC 27001:2022A.5.23, A.8.20, A.8.21Cloud services, network & segregation
PCI DSS v4.0Req 1, 11.4, 6.4.3 + cloud guidanceCardholder environments hosted in cloud
NIST CSF 2.0ID.AM, PR.AC, DE.CMAsset, identity, continuous monitoring
CIS BenchmarksAWS / Azure / GCP / KubernetesConfiguration hardening cross-reference

// 09 Frequently asked questions

How is cloud pen testing different from a CSPM tool?

A CSPM tool emits a list of policy violations. Cloud penetration testing exploits the violations, validates real attacker impact, and chains misconfigurations into attack paths a posture tool cannot reason about - for example, a low-severity SSRF combined with an over-permissive instance role becoming full account takeover.

Do you need provider authorisation to test?

CyberFortify follows each provider's current penetration-testing policy. AWS, Azure and GCP are largely permissive for customer-owned resources without prior notification, with documented exceptions for shared infrastructure. Provider-specific compliance is documented during scoping.

Do you test Kubernetes / EKS / AKS / GKE?

Yes by default. RBAC, service-account boundaries, pod-spec abuse, supply-chain (signed images, admission controllers), network policies and cluster-scoped resources are all in scope. Container-escape testing is performed where cluster topology permits.

Is identity federation in scope?

Yes. SAML / OIDC, GitHub Actions OIDC role chains, third-party SaaS-to-cloud OAuth scopes and cross-account assume-role chains are all tested. Identity is the modern cloud perimeter and where most successful attacks pivot.

Do you test the application running on the cloud as well?

On request. Most cloud engagements pair with a web application pen test or API security assessment, since cloud and application risk frequently chain.

How long does a cloud pen test take?

Seven to fourteen business days of active testing depending on account count, services in scope and Kubernetes depth. Total elapsed time including scoping, reporting and the free remediation retest typically spans four to six weeks.

Ready for a cloud penetration test?

Schedule a free 30-minute scoping call. CyberFortify's offensive security team will recommend AWS / Azure / GCP scope and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →