Cloud Security Review

Cloud Penetration Testing — AWS, GCP, Azure

Your cloud isn't a misconfiguration audit.

AWS, GCP, and Azure security reviews focused on actual attack paths — not CIS benchmark checklists. We map IAM privilege chains, lateral movement opportunities, and the seams between services.

Coverage
AWS · GCP · Azure · DigitalOcean · Cloudflare
IAM privilege graph mapping
K8s RBAC + pod security review
CI/CD supply chain assessment
Cross-cloud trust boundaries
01 // MISCONFIG vs ATTACK PATH

CSPM tools find misconfigurations. We find what they lead to.

Wiz, Prowler, and Orca will tell you that your IAM role has wildcards. They won't tell you that this specific wildcard, chained with an EC2 instance profile, leads to your customer database. We chain misconfigs into actual attack paths.

  • Privilege escalation graph across all roles
  • Lateral movement opportunities mapped end-to-end
  • Crown-jewel reachability from each entry point
  • Cross-account trust relationship abuse
Privilege escalation path
// Discovered chain — 4 hops to crown jewels

ec2-readonly-role
   ↓ iam:PassRole (wildcard)
   ↓ ec2:RunInstances
   ↓ instance with admin profile
   ↓ FULL ACCOUNT TAKEOVER

// CSPM said: "permissive PassRole"
// CSPM did NOT say: "this leads to admin"

// Recommended fix: restricts where this principal may pass roles (EC2 only);
// to close the chain above, also scope Resource so the admin-profile role cannot be passed at all
{
  "Effect": "Deny",
  "Action": "iam:PassRole",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "iam:PassedToService": ["ec2.amazonaws.com"]
    }
  }
}
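As an added example (my own code, not the page's tooling): a minimal IAM-style policy evaluator over constructed policies that finds the PassRole + RunInstances chain above and checks which of two Deny statements closes it, the page's PassedToService condition or a Resource scope on the admin role. The account id, role names and ARNs are placeholders.

```python
import fnmatch

# Constructed sample data, not from the page: placeholder ARNs in a fake account.
ADMIN_ROLE = "arn:aws:iam::111111111111:role/admin-instance-profile-role"
WEB_ROLE = "arn:aws:iam::111111111111:role/web-instance-role"

# What a CSPM flags as "permissive PassRole": the ec2-readonly-role's effective policy.
PERMISSIVE = [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]
# Same policy plus the Deny from the page: limits WHICH SERVICE may receive a passed role.
SERVICE_LIMITED = PERMISSIVE + [{
    "Effect": "Deny", "Action": "iam:PassRole", "Resource": "*",
    "Condition": {"StringNotEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}},
}]
# Plus a Deny on passing the admin role itself: limits WHICH ROLE may be passed.
ROLE_LIMITED = SERVICE_LIMITED + [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": ADMIN_ROLE}]

def _match(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(cond, ctx):
    # Only the two operators this example needs; real IAM has many more.
    for op, pairs in cond.items():
        for key, values in pairs.items():
            present = ctx.get(key) in (values if isinstance(values, list) else [values])
            if (op == "StringEquals" and not present) or (op == "StringNotEquals" and present):
                return False
    return True

def is_allowed(statements, action, resource, ctx=None):
    """IAM-style decision: explicit Deny wins, then any matching Allow, else implicit deny."""
    ctx, allowed = ctx or {}, False
    for s in statements:
        if (_match(s["Action"], action) and _match(s["Resource"], resource)
                and _condition_holds(s.get("Condition", {}), ctx)):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def passrole_chain(statements, candidate_roles):
    """Roles the principal could attach to a new instance: RunInstances plus PassRole to EC2."""
    if not is_allowed(statements, "ec2:RunInstances", "*"):
        return []
    ctx = {"iam:PassedToService": "ec2.amazonaws.com"}
    return [r for r in candidate_roles if is_allowed(statements, "iam:PassRole", r, ctx)]
```

Run `passrole_chain(policy, [ADMIN_ROLE, WEB_ROLE])` against each of the three policy sets: the admin role stays reachable until the Resource-scoped Deny is added.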

Cloud surfaces

Across every major provider.

IAM & access

Policies, roles, trust relationships, privilege paths, MFA enforcement.

Network

VPC peering, security groups, NACLs, public exposure, egress controls.

Storage

S3 / GCS / Blob bucket policies, encryption, public access, lifecycle.

Compute

EC2 / GCE / VM hardening, instance profiles, IMDS abuse paths.

Containers & K8s

Pod security, RBAC, network policies, secret mounts, runtime threats.

CI/CD security

GitHub Actions, GitLab CI, OIDC trust, secret leakage, supply chain.

Engagement Model

Scoped by account count, not engineer-hours.

Cloud security reviews are scoped by AWS account count, GCP project count, or Azure subscription count, plus K8s cluster count. Multi-cloud environments are tested as one engagement to surface cross-provider trust seams. Single-account startup: 1-2 weeks, $9K-$14K. Multi-account enterprise (10+ accounts): 4-6 weeks, $40K+. Read-only access only — no production changes without explicit written authorization.

Deliverables

Privilege paths, not config dumps.

Privilege escalation graph

Visual map of every privilege path in your cloud — entry point through escalation through crown-jewel reachability. Shows which roles, when chained, lead where attackers actually want to go.

IAM hardening report

Specific policy fixes for permissive roles, wildcard PassRole misuse, cross-account trust gaps, forgotten access keys. Each with the exact policy JSON to apply.

K8s posture review

EKS / GKE / AKS / self-hosted clusters reviewed for RBAC, pod security standards, network policies, secret mounts, runtime threats. Falco / Tetragon / Cilium recommendations where relevant.

CI/CD supply chain assessment

GitHub Actions OIDC trust review, GitLab CI runner exposure, dependency confusion risk, secret leakage through build logs. Often where the biggest privilege paths start.

Frequently Asked Questions

Common questions, answered.

AWS, GCP, or Azure — which do you cover?
All three plus DigitalOcean, Cloudflare, Oracle Cloud, and most major providers. Multi-cloud environments are the norm now — we test the whole estate including the seams between providers (cross-cloud trust relationships, replicated workloads, federated identity).
Do you replace our CSPM tool?
No. CSPM is great for continuous coverage of known patterns. We add the human layer that chains those patterns into real attack paths — telling you which permissive role actually leads to your customer database, not just which roles are permissive. Most clients run both.
How long does a cloud review take?
Typical engagement is 2-4 weeks depending on account count and complexity. Single-account startups can be done in 1-2 weeks. Multi-cloud enterprise environments may run 4-6 weeks.
What access do you need?
Read-only IAM role with cross-account trust to our pentest account. We don't install agents, don't modify your environment, and don't need write access to anything. Specific permissions are documented in our scoping doc — typically AWS Security Audit + Read Only Access policies (or equivalents in GCP/Azure).
How much does a cloud security review cost?
Single-account startups typically run $14k-$28k. Mid-size multi-account environments (3-10 accounts) typically $28k-$58k. Enterprise multi-cloud with K8s and complex CI/CD typically $58k-$140k. Pricing is fixed-fee scoped after discovery.
Do you test our Kubernetes clusters?
Yes — RBAC review, pod security standards, network policies, secret-mount audit, runtime threat assessment, and admission-controller review. Coverage spans EKS, GKE, AKS, and self-hosted clusters.
What about CI/CD supply chain?
Yes. GitHub Actions, GitLab CI, CircleCI, Jenkins. Specific focus on OIDC trust relationships (where your cloud trusts your CI), secret leakage in build logs, dependency confusion, action pinning, and runner compromise paths.
Do you handle SaaS-to-cloud integrations (Snowflake, Databricks, MongoDB Atlas)?
Yes. SaaS-to-cloud federation (where SaaS providers assume roles in your cloud) is increasingly common and increasingly attacked. We review trust relationships, scope-down policies, and audit trail coverage for these integrations.
Are findings mapped to compliance frameworks?
Yes — SOC 2 CC6, ISO 27001 A.13/A.14/A.18, CIS Benchmarks, PCI DSS Requirements 1/2/7, HIPAA 164.312. Your auditor gets pre-mapped evidence.
Can you do this without disrupting our environment?
Yes — that's the standard mode. Read-only access plus passive enumeration. The only times we'd touch state are explicit testing windows for things like S3 bucket policy validation against test buckets we provision, never your production data.
What's the difference between this and a CSPM tool like Wiz or Prowler?
CSPMs continuously surface known misconfigurations. We do that too — and chain those misconfigurations into actual attack paths to your crown jewels. CSPM tells you "this role has wildcard PassRole." We tell you "this role, chained through that EC2 instance profile, gives an attacker admin in your production account in 4 hops." Most clients run both. Our value is the chaining, not the surface scan.
Can we do this as a one-time review or do you only do continuous?
Both. One-time cloud security reviews are common engagements (often required for SOC 2, ISO, FedRAMP). Continuous coverage is offered as part of Continuous AppSec for clients who want quarterly re-mapping as their cloud estate evolves. Most clients start with a one-time review then add continuous.
How do you access our cloud accounts?
Read-only. We provision a dedicated audit role with read-only permissions to the services in scope (typically IAM, EC2, S3, Lambda, RDS, EKS, etc.). For services where read APIs alone don't reveal posture, we accept very narrowly-scoped write permissions only with explicit authorization. We never use your console credentials.
Do you cover multi-cloud and hybrid environments?
Yes. Multi-cloud is the norm now — most engagements involve at least two providers (typically AWS + Cloudflare, or GCP + Azure). We specifically test the trust boundaries between providers: federated identity, cross-cloud secrets, replicated data flows. This is where novel attacks hide.
What about SaaS provider security (Okta, GitHub, etc.)?
In scope by default. Okta SSO misconfigurations, GitHub repo and org permissions, Slack workspace permissions — these are part of your cloud attack surface even if they're technically third-party SaaS. Often the actual entry point for cloud breaches.
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck — just a working session about your stack.

What is cloud penetration testing?

Attack-path testing for AWS, GCP, and Azure environments.

Cloud penetration testing is the security assessment of an organization's cloud infrastructure — IAM policies, network configuration, storage policies, compute hardening, container and Kubernetes deployments, and CI/CD supply chain — to identify exploitable attack paths rather than just surface-level misconfigurations. It complements but doesn't replace a Cloud Security Posture Management (CSPM) tool like Wiz, Prowler, or Orca.

The fundamental difference between CSPM and cloud pentest: CSPM tools tell you which roles have wildcard PassRole permissions; a cloud pentest tells you that this specific wildcard PassRole, chained with this EC2 instance profile assumption, leads to your customer database. We trace attack paths end-to-end so your remediation focuses on the few permissions that actually matter rather than the thousands of CSPM findings that don't.

Engagements cover the full cloud attack surface: IAM privilege escalation chains, network-level lateral movement, public-resource exposure, secrets management, container and Kubernetes runtime threats, and CI/CD supply chain risks. Multi-cloud is the norm — we test the seams between AWS, GCP, and Azure as well as the providers individually.

  • AWS, GCP, Azure, plus DigitalOcean, Cloudflare, Oracle Cloud
  • Read-only access via cross-account role; no agents, no install
  • K8s coverage: EKS, GKE, AKS, plus self-hosted clusters
  • CI/CD supply chain: GitHub Actions OIDC, GitLab CI, OIDC trust mappings

Pricing & timeline

Priced by account count and architectural complexity.

Cloud reviews are scoped by account count, region count, K8s cluster count, and CI/CD pipeline complexity. Read-only access is provisioned via a cross-account IAM role; we don't install agents or modify your environment.

Single-account startup: $14k - $28k
Mid-size multi-account (3-10 accounts): $28k - $58k
Enterprise multi-cloud (10+ accounts, K8s): $58k - $140k
Typical timeline: 2-4 weeks
Re-tests included: one free retest within 90 days
Access required: read-only IAM role (cross-account)
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries. Talk to a senior engineer — no SDR script, no slide deck, just a working session about your stack.

Fixed-Fee Pricing: no engineer-hour billing
Audit-Ready by Default: SOC 2, ISO, PCI, HIPAA
Engineer-Validated: not scanner output