The move to cloud platforms such as AWS and Azure can provide many benefits for hosting both applications and infrastructure; however, it also introduces a whole range of new vulnerabilities, security concerns, and areas that need to be tested.
As well as testing the applications and infrastructure hosted on the platform, the security of the resources within the cloud platform itself also needs to be tested.
The specific steps will depend on the cloud service type, the features used by the client, and the degree to which features are exposed to the Internet or internal users. It will typically include:
- Reconnaissance - Understanding the service and environment, and any existing monitoring or alerting processes that may be in place.
- Scanning - Automated detection of potentially vulnerable services or configuration errors that may increase the likelihood of the service being attacked.
- Resource Configuration Review - Determining whether resources have been correctly configured, and whether available security and hardening controls are enabled.
- Network Segregation Review - Mapping out the internal network, and ensuring that appropriate segregation is in place to prevent unauthorised access.
- Identity and Access Management Review - Reviewing the users, authentication controls and permissions to identify any misconfigurations or inappropriate privileges.
- Data Exfiltration Testing - Where appropriate, attempting to identify routes that would allow data to be exfiltrated from the environment.
- Container Security Testing - Reviewing the configuration of the infrastructure hosting Kubernetes containers, and attempting to escalate privileges or break out of containers.
- Cleanup - Wherever possible, leaving minimal evidence of the engagement.
- Offline Analysis - Analysing any data obtained during the engagement to understand the potential impact of a compromise to the client.
- Reporting - Ensuring that the client gets a full understanding of the findings of the engagement, and recommended solutions to address any issues identified.