How cloud pentesting differs from traditional network penetration testing, the six-phase cloud pentest methodology, the five patterns found in almost every cloud engagement, and how to structure a cloud pentest report.
Sign in to mark this article as read and track your progress.
On-premises penetration testing starts with network scanning and lateral movement through the LAN. Cloud pentesting starts from the outside — with API calls, IAM enumeration, and metadata service probing. The attack surface is fundamentally different:
| Dimension | Traditional Pentest | Cloud Pentest |
|---|---|---|
| Entry point | Network perimeter, VPN, web apps | APIs, web apps, compromised credentials, supply chain |
| Privilege escalation | OS vulnerabilities, service accounts | IAM iam:PassRole, assume-role chains, overprivileged lambdas |
| Lateral movement | SMB, PtH, Kerberoasting | Cross-account role assumption, service-linked roles |
| Evidence | Network captures, log files | CloudTrail, VPC Flow Logs, API call history |
| Scope limitation | IP ranges, hostnames | AWS accounts, GCP projects, Azure subscriptions |
| Rules of engagement | Written authorisation | AWS/Azure/GCP pentest authorisation forms required |
Critical: Cloud providers require advance notification or prior authorisation for certain test activities. AWS permits security testing of your own resources without prior notification for most services, but DDoS simulation and DNS zone walking require prior approval. Always check provider-specific policies.
Passive reconnaissance identifies exposed cloud assets without touching the target environment:
company-dev, company-backup, company-logs)Active enumeration (with authorisation):
aws sts get-caller-identity — confirms credential validity and reveals account IDaws iam list-users, aws iam list-roles — enumerate identity inventoryaws s3 ls — list accessible bucketsiam:PassRole, iam:CreatePolicyVersion, etc.Document findings with business impact, technical evidence, and remediation steps.
These five patterns appear in almost every cloud engagement:
Overprivileged IAM role on EC2: The instance role has s3:* or iam:* permissions. Combined with SSRF or RCE, this becomes critical.
Public S3 bucket with sensitive data: Development or backup buckets left public. Often contains database dumps, source code, or API keys.
Cross-account trust misconfiguration: A role trust policy allows assumption from * or an entire AWS account rather than a specific role or service.
Disabled or misconfigured logging: CloudTrail not enabled in all regions, S3 bucket for logs is publicly writable, or GuardDuty is disabled.
Secrets in environment variables: API keys, database passwords, and tokens stored in Lambda environment variables or EC2 user data, visible in plaintext to anyone with read access to the configuration.
| Tool | Purpose | Cloud |
|---|---|---|
| CloudSploit | Automated misconfiguration scanning | AWS, Azure, GCP |
| Pacu | AWS exploitation framework | AWS |
| ScoutSuite | Multi-cloud security auditing | AWS, Azure, GCP, Alibaba |
| Enumerate-IAM | Brute-force IAM permission enumeration | AWS |
| ROADtools | Azure AD enumeration and attack | Azure |
| Gitleaks | Secret scanning in repositories | Any |
Cloud penetration testing is a specialised discipline that requires cloud-native thinking. The most impactful findings — overprivileged IAM, public data exposure, disabled logging — are not found with Metasploit but with careful API enumeration and configuration review. Mastery of IAM, CloudTrail, and the five common patterns gives you the foundation for any cloud security assessment.