An Introduction To Pentesting Cloud Computing Environments

A penetration test on a cloud computing environment does not differ that much from any other penetration test, even an on-premise equivalent. So what do you need to know?

As the tech paradigm shifts and more organizations are going cloud native or serverless, cloud adoption in the form of IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) is increasing exponentially. With the agility and flexibility that cloud computing provides, organizations are innovating and growing at a much faster pace compared to several years ago. As of 2021, some of the major Cloud Service Providers are AWS (Amazon Web Services), GCP (Google Cloud Platform), Microsoft Azure, and Alicloud.

But with the good of cloud computing also comes the bad. Cloud users now have more autonomy and flexibility than ever at setting up their cloud infrastructure, a skill that is still relatively new and rare in the market. How can cloud users (ie. CTOs, DevOps, Software Engineers) ensure that their cloud environments are secure as they continue to innovate in the cloud?

Aside from dedicated cloud security software to identify and fix vulnerabilities in cloud environments, organizations can consider pentesting their cloud computing environments for a more thorough assessment of their cloud security posture. Focusing on their DevOps and SDLC (Software Development Lifecycle) practices and having security incorporated into each of those processes is the long term strategy in ensuring a resilient cloud infrastructure.

Challenges of Cloud Pentesting

In the past, testing of cloud-based applications and infrastructure was somewhat restricted because of legal and geographical complications. Security enthusiasts and professional penetration testers were not permitted to perform intrusive security scans or penetration tests on cloud-based applications and environments without the explicit permissions of Cloud Service Providers like Microsoft Azure and AliCloud.

But the growing number of cyber attacks targeting the cloud in recent years is paving the way for mainstream cloud computing penetration testing. The CapitalOne data breach back in 2019 showed that a misconfigured access control (IAM) configuration on AWS was enough for a malicious attacker to obtain adequate credentials to illegally access Amazon S3 buckets and retrieve the information stored within.

Organizations are now open to hiring third parties to conduct penetration tests on their cloud environments under controlled circumstances. Some also engaged 3rd party bug bounty program platforms such as Bug Crowd and HackerOne to have a thorough look at their cloud attack surface. But before going deep into what a cloud environment pentest entails, it pays for users to understand that security of the cloud is a shared responsibility. Cloud service providers like Amazon Web Services (AWS) inherently build security in their infrastructure. Cloud firewalls such as Security Groups are configured by default to disallow all traffic unless otherwise specified by the user. It is this user flexibility that is ballooning the risk of human error in the cloud. If end users accidentally switch a configuration like removing a Security Group whitelist to a VPN or internal IP, they open up their cloud infrastructure and applications to a larger attack surface.

The Cloud Environment Pentesting Checklist

Technically, a penetration test on the cloud computing environment does not differ that much from any other penetration test, even an on-premise equivalent. While there may be key differences in the way that the cloud infrastructure and applications are set up, the principles remain the same. Whether we look at web servers running on the application tier with RDS service running the database tier or dockers in a Kubernetes cluster that has microservices running, both are still exposed to the same attacks on the web application and network layers.

There are various methodologies regarding how to properly pentest a cloud computing environment, but they are broadly divided into these sub phases, similar to a typical network and web application pentest:

  • Planning and Threat Modelling
  • Reconnaissance
  • Vulnerability Identification
  • Exploitation
  • Remediation
  • Follow-up
  • Reporting

However, what I would identify as the key differences would be that there are cloud specific vulnerabilities that can be exploited by malicious individuals. In addition to the usual web application and network layer vulnerabilities, there are specific vulnerabilities such as misconfiguration of cloud services that could lead to exploitation by attackers. Some of these vulnerabilities can be easily uncovered by third party security tools such as Shodan.

Some examples include:

In fact, according to the 2018 Gartner report Is The Cloud Secure, analysts posit that through 2022, 95% of cloud security failures will be the customer’s fault.

Alternative Solutions

Cloud computing users can take advantage of both open source and commercial cloud security tools like Horangi Warden, which is a CSPM (Cloud Security Platform Management) tool for AWS and GCP environments (with AliCloud and Azure support coming out this year), to build a more resilient cloud security posture and ensuring that your cloud workloads stay compliant to chosen security and regulatory frameworks. The GitHub forum also commonly showcases useful open source cloud security pentesting tools and repositories like Pacu.

Identify your security misconfigurations early so they don’t turn into security incidents. If your organization relies on the cloud for core business services and needs to develop a long-term holistic cybersecurity strategy, it pays to engage a reliable third party security vendor to conduct a cloud computing penetration test.

Need a quote? Contact us.

Bo Si Chua profile picture
Bo Si Chua

Bo Si Chua is the Principal Cloud Security Engineer at Horangi. Bo Si is a seasoned cybersecurity professional with a demonstrated history of performing security assessments and advisory such as Penetration Testing, Security Design, SSDLC advisory, CISO-as-a-Service, Code Review and Bug Bounty Program Management for SMEs.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.