Cloud Security Assessment
The keys to your cloud are hidden in plain sight. We find them.
Cloud infrastructure expands faster than the controls meant to secure it. The misconfiguration that leads to full account compromise rarely looks like one. We map the real attack paths — the IAM chains, the exposed metadata services, the trust boundaries that were never meant to be crossed.
Methodology
How we test.
IAM Analysis
- Permission enumeration across all principals
- Privilege escalation path mapping
- Cross-account trust policy review
- Service account & key hygiene
Network & Access Control
- Security group & firewall rule analysis
- VPC flow log coverage gaps
- Public IP exposure audit
- NAT gateway & peering config
Storage & Data
- S3/Blob/GCS public access check
- Encryption at rest & in transit
- Bucket policy & ACL review
- Sensitive data in public assets
Compute & Workload
- IMDSv1 & hop limit checks
- IMDS credential exposure via SSRF
- Container image vulnerability scan
- Serverless permission analysis
Secrets & Configuration
- Secrets Manager & KMS key policy review
- Environment variable secret exposure
- CI/CD pipeline secret scanning
- Config drift from baseline
Attack Path Simulation
- IAM privilege escalation to Admin
- Lateral movement across accounts
- Data exfiltration path analysis
- Persistence mechanism identification
Tooling
What we use.
Pacu
AWS exploitation framework for IAM privilege escalation and attack path testing.
Prowler
AWS/Azure/GCP security assessment aligned to CIS Benchmarks and compliance frameworks.
ScoutSuite
Multi-cloud security auditing tool for configuration review across providers.
CloudSploit
Automated cloud configuration scanning for common misconfigurations.
Enumerate-IAM
Brute-force enumeration of what a given set of credentials can actually do, by calling read-only APIs, without needing iam:Get* or iam:List* permissions.
Custom tooling
Engagement-specific scripts for cross-account analysis and attack path chaining.
Sample findings
What we find.
Representative findings from past engagements. Client details redacted.
CRITICAL
IAM Role with Wildcard S3 Permissions Assumable Externally
Trust policy with Principal "*" and no scoping Condition allowed any AWS account to assume a role carrying s3:* on production buckets.
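The check behind this finding, as an added example (not the assessment team's own tooling): it walks a role's trust policy in the shape returned by `aws iam get-role` and flags a wildcard principal, then any principal from an account outside a constructed allow-list, distinguishing statements that carry a real scoping condition (sts:ExternalId, aws:PrincipalOrgID and the like) from those that do not. The account IDs and the three sample policies are constructed.

```python
"""Flag IAM role trust policies that can be assumed from outside the organization.

Added example for the cross-account trust review and the wildcard-trust finding
above; not the assessment team's own tooling. Inputs are trust-policy documents
in the shape returned by `aws iam get-role` (Role.AssumeRolePolicyDocument);
the account IDs and policies below are constructed.
"""

# Constructed: account IDs that belong to our organization. Anything else is external.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Condition keys that genuinely constrain who may assume a role from another account.
SCOPING_CONDITION_KEYS = {
    "sts:externalid", "aws:principalorgid", "aws:principalarn",
    "aws:principalaccount", "aws:sourcearn", "aws:sourceaccount",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str):
    """Return the account ID in an ARN or bare-account principal, else None."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")  # arn:partition:service:region:account-id:resource
    return parts[4] if len(parts) > 4 and parts[4] else None


def _condition_keys(statement: dict) -> set:
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def check_trust_policy(policy: dict, known_accounts=KNOWN_ACCOUNTS) -> list:
    """Return findings for one trust policy; an empty list means nothing external can assume it."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = []
        scoped = bool(_condition_keys(stmt) & SCOPING_CONDITION_KEYS)
        for p in aws_principals:
            if p == "*":
                # Any AWS principal whose own identity policy allows sts:AssumeRole can assume the role.
                if scoped:
                    findings.append("HIGH: Principal '*' is scoped only by a Condition; verify its key and value")
                else:
                    findings.append("CRITICAL: Principal '*' with no scoping Condition: any AWS account can assume this role")
                continue
            account = _account_of(p)
            if account and account not in known_accounts:
                if scoped:
                    findings.append(f"MEDIUM: external account {account} may assume this role (scoped by Condition)")
                else:
                    findings.append(f"HIGH: external account {account} may assume this role with no ExternalId/OrgID condition")
    return findings


# Constructed: the trust policy behind the finding above.
VULNERABLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

# Constructed: the same role, assumable only from an in-org account that presents an ExternalId.
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

# Constructed: a partner account outside the org, scoped by ExternalId (worth a look, not a break).
PARTNER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "333333333333"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_TRUST), ("hardened", HARDENED_TRUST), ("partner", PARTNER_TRUST)):
        print(label, check_trust_policy(doc) or ["clean"])
```

On a real engagement the same function is run over every role returned by `aws iam list-roles`, with KNOWN_ACCOUNTS populated from `aws organizations list-accounts`.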
CRITICAL
EC2 IMDSv1 Enabled — SSRF to Credentials
IMDSv1 was still enabled (HttpTokens set to optional), so an SSRF in the web tier could pull the instance role's credentials with a single unauthenticated GET to 169.254.169.254; the PUT response hop limit had also been raised above 1, leaving IMDSv2 reachable from containers on the same hosts.
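Why requiring IMDSv2 closes this path, as an added example rather than code from the original page: a pure-Python model of the metadata service in its two modes, a GET-only SSRF primitive of the kind a web application usually exposes, and the audit over the `MetadataOptions` block from `aws ec2 describe-instances` that would have caught the finding. The role name, credential payload and instance records are constructed.

```python
"""Why IMDSv2 (HttpTokens=required) stops the GET-only SSRF in the finding above.

Added example, not from the original page. It models the EC2 instance metadata
service's two modes offline; the role name, credential payload and sample
instance records are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"


@dataclass
class MockIMDS:
    """http_tokens is 'optional' (IMDSv1 still answers) or 'required' (IMDSv2 only)."""
    http_tokens: str = "optional"
    role_name: str = "web-tier-role"  # constructed
    _tokens: set = field(default_factory=set)

    def request(self, method: str, path: str, headers: dict | None = None) -> tuple[int, str]:
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == "/latest/api/token":
            if TOKEN_TTL_HEADER not in headers:
                return 400, "missing TTL header"
            token = secrets.token_urlsafe(32)
            self._tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.http_tokens == "required" and headers.get(TOKEN_HEADER) not in self._tokens:
            return 401, "Unauthorized"  # the IMDSv1-style request is rejected
        if path == CREDS_PATH:
            return 200, self.role_name
        if path == CREDS_PATH + self.role_name:
            return 200, '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed","Token":"constructed"}'
        return 404, ""


def ssrf_fetch(imds: MockIMDS, url: str) -> tuple[int, str]:
    """Typical SSRF primitive: the attacker controls a URL the server GETs, not the method or headers."""
    assert url.startswith(IMDS)
    return imds.request("GET", url[len(IMDS):])


def steal_role_creds_via_ssrf(imds: MockIMDS):
    """Return the leaked credential document, or None if the SSRF could not reach it."""
    status, role = ssrf_fetch(imds, IMDS + CREDS_PATH)
    if status != 200:
        return None
    status, body = ssrf_fetch(imds, IMDS + CREDS_PATH + role)
    return body if status == 200 else None


def audit_metadata_options(instance: dict) -> list:
    """Findings from one Instance record as returned by `aws ec2 describe-instances`."""
    opts = instance.get("MetadataOptions", {})
    iid = instance["InstanceId"]
    out = []
    if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens", "optional") != "required":
        out.append(f"{iid}: IMDSv1 enabled (HttpTokens={opts.get('HttpTokens', 'optional')})")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # The hop limit only governs IMDSv2 token (PUT) responses; above 1 they can
        # reach containers with their own network namespace on the same host.
        out.append(f"{iid}: hop limit {opts['HttpPutResponseHopLimit']} exposes IMDSv2 to containers")
    return out


def remediation_command(instance_id: str) -> str:
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled")


if __name__ == "__main__":
    print("IMDSv1 allowed:", steal_role_creds_via_ssrf(MockIMDS("optional")))
    print("IMDSv2 required:", steal_role_creds_via_ssrf(MockIMDS("required")))
    sample = {"InstanceId": "i-0123456789abcdef0",  # constructed
              "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
    for finding in audit_metadata_options(sample):
        print(finding)
    print(remediation_command(sample["InstanceId"]))
```

The mock only enforces what matters for the argument: in `required` mode a GET without a valid session token gets a 401, and the token can only be obtained with a PUT carrying a TTL header, which a URL-only SSRF cannot issue. Before flipping a fleet to `required`, confirm that every SDK and agent on the hosts speaks IMDSv2, since IMDSv1-only clients will start receiving the same 401.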
HIGH
Azure Storage Account with Public Blob Access
Backup container was publicly readable, and SAS tokens for it were hardcoded in environment variables across 12 services.
MEDIUM
GCP Service Account Key Rotation Disabled — 847-Day-Old Key
Stale service account key with Editor role. Key present in GitHub commit history.
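The secret-scanning items in the methodology and the two findings above (SAS tokens in environment variables, a stale service-account key in commit history) share one detection pattern, shown here as an added example that is not the team's tooling: regexes for AWS access key IDs, Azure SAS query strings and PEM private-key headers run over text line by line, a whole-document check for a GCP service-account key file, and an age check over the JSON that `gcloud iam service-accounts keys list --format=json` returns. The environment dump, key file and key listing are constructed and the key material in them is fake.

```python
"""Pattern-based scan for cloud credentials in text (env dumps, commit diffs, CI logs),
plus a service-account key age check.

Added example for the secret-scanning items in the methodology and the SAS token and
service-account key findings above; not the page's own tooling. Sample inputs are
constructed and every secret in them is fake.
"""
import json
import re
from datetime import datetime, timezone

PATTERNS = {
    # AWS long-term access key IDs start with AKIA; temporary (STS) ones with ASIA.
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Azure shared access signature: sv= (service version) and sig= together are a strong signal.
    "azure_sas_token": re.compile(r"[?&]sv=\d{4}-\d{2}-\d{2}&.*?sig=[A-Za-z0-9%+/=]+", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep enough of a match to locate it in the source without reproducing the secret."""
    return secret[:6] + "..." if len(secret) > 10 else "..."


def scan_lines(lines) -> list:
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "type": name, "sample": redact(m.group(0))})
    return findings


def looks_like_gcp_sa_key(text: str) -> bool:
    """GCP service-account key files are JSON with type=service_account and an embedded private key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc


def scan_blob(text: str) -> list:
    """Scan one file: line patterns first, then the whole-document GCP key check."""
    findings = scan_lines(text.splitlines())
    if looks_like_gcp_sa_key(text):
        findings.append({"line": 0, "type": "gcp_service_account_key",
                         "sample": json.loads(text).get("client_email", "")})
    return findings


def stale_user_managed_keys(keys: list, now: datetime, max_age_days: int = 90) -> list:
    """(key id, age in days) for user-managed keys older than max_age_days.

    `keys` is the JSON from `gcloud iam service-accounts keys list --format=json`.
    Google-managed (SYSTEM_MANAGED) keys rotate automatically and are skipped.
    """
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(k["validAfterTime"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            stale.append((k["name"].rsplit("/", 1)[-1], age))
    return stale


# Constructed: an environment dump of the kind pulled from a container or CI job.
ENV_DUMP = """\
DATABASE_URL=postgres://app:pw@db:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
BACKUP_SAS_URL=https://acct.blob.core.windows.net/backups?sv=2022-11-02&ss=b&sp=rl&se=2030-01-01T00:00:00Z&sig=FAKEsignatureFAKEsignature%3D
LOG_LEVEL=info
"""

# Constructed: a GCP service-account key file as it would appear in a commit.
GCP_KEY_FILE = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "deploy@example-project.iam.gserviceaccount.com",
})

# Constructed: `gcloud iam service-accounts keys list --format=json` for that account.
GCLOUD_KEYS = [
    {"name": "projects/p/serviceAccounts/deploy@p.iam.gserviceaccount.com/keys/aaaa1111",
     "keyType": "USER_MANAGED", "validAfterTime": "2022-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/deploy@p.iam.gserviceaccount.com/keys/bbbb2222",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-04-01T00:00:00Z"},
]
AS_OF = datetime(2024, 4, 27, tzinfo=timezone.utc)  # constructed assessment date

if __name__ == "__main__":
    for f in scan_lines(ENV_DUMP.splitlines()) + scan_blob(GCP_KEY_FILE):
        print(f)
    print(stale_user_managed_keys(GCLOUD_KEYS, AS_OF))
```

Run the same functions over `git log -p` output to cover commit history, not just the current tree: a key deleted in a later commit is still retrievable from the repository.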
Pricing
Engagement tiers.
Essentials
$5,000 – $12,000
SMB / Single cloud / Pre-compliance
- Single cloud provider
- CIS Benchmark alignment review
- IAM permission analysis
- Storage & network exposure check
- Findings report + remediation
Read-only access required.
Standard
$12,000 – $25,000
Mid-market / Full scope
- Single or dual cloud provider
- Full attack path analysis
- IAM privilege escalation mapping
- Secrets & credential exposure
- Compliance-ready report
Most common. Full cloud attack surface.
Enterprise
$25,000 – $50,000+
Multi-cloud / Complex org
- Multi-cloud (AWS + Azure + GCP)
- Cross-account & cross-tenant analysis
- CI/CD pipeline security review
- Container & Kubernetes security
- Executive + technical package
Scoped per environment.
FAQ
Common questions.
What access do you need?
A read-only IAM role. We provide a least-privilege policy document (on AWS, the managed SecurityAudit policy is the usual starting point). We never require write access.
Do cloud providers need notification?
Usually not. AWS, Azure, and GCP all allow customers to test their own resources without prior approval, but each publishes rules of engagement that exclude certain activities (denial of service, for example) and some managed services. We review those policies against the scope and handle any notification that is still required as part of pre-engagement setup.
How is this different from a compliance scan?
We find which misconfigurations chain into real breach paths. Compliance and exploitability are not the same thing.
Can you assess Kubernetes workloads?
Yes, on Enterprise tier engagements. RBAC misconfiguration, pod security, and secrets in etcd are included as add-on scope.