Cloud security audit.

Configuration review and penetration testing across AWS, Azure, and Google Cloud Platform. We map IAM privilege escalation paths, audit storage exposure, harden Kubernetes, and align findings to CIS Benchmarks and the cloud provider’s own security pillars.

Lift-and-shift exposed your blast radius.

The shared responsibility model puts configuration squarely on you. The most common cloud breaches in 2024–2025 weren’t exotic zero-days — they were over-permissive IAM roles, public storage, leaked credentials, and forgotten dev environments still attached to production accounts.

Our cloud audit combines automated control evaluation against CIS Benchmarks with hands-on exploitation of identified weaknesses — including IAM privilege escalation chains, cross-account confused-deputy attacks, and SSRF-to-metadata abuse.

AWS coverage.

  • IAM — user, role, group, and policy review; privilege escalation paths (iam:PassRole, iam:CreateAccessKey, lambda:UpdateFunctionCode chains)
  • S3 — bucket policies, ACLs, block-public-access, server-side encryption, cross-account access
  • EC2 — security groups, IMDSv2 enforcement, EBS encryption, AMI hygiene, key-pair management
  • VPC — flow logs, NACLs, security groups, peering, transit gateways, endpoints
  • RDS / Aurora — public accessibility, encryption, IAM auth, snapshot exposure
  • Lambda — resource policies, IAM execution roles, environment variable secrets, layer permissions
  • CloudTrail / GuardDuty / Security Hub — logging coverage, alert tuning, response readiness
  • EKS — cluster IAM, OIDC, IRSA, network policies, pod security
  • Secrets Manager / Parameter Store — rotation, KMS keys, cross-account access
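One way to surface the IAM escalation chains named above during a policy review. This is an added Python example, not the firm's tooling; the action sets in ESCALATION_PATTERNS, the Resource "*" heuristic and the DEVELOPER_POLICY sample are assumptions, and the script deliberately ignores Deny statements and Conditions so that anything it flags still needs a human to confirm reachability.

```python
"""Flag IAM policy statements granting the escalation primitives named above.
Added example, not the audit firm's tooling. Collects actions from unconditional
Allow statements on Resource "*", expands IAM wildcards, and reports which of the
action sets below are fully granted. Deny, Condition and resource-scoped grants
are out of scope, so it under-reports rather than over-reports.
"""
import fnmatch

# Illustrative action sets (assumption); each set together permits escalation.
ESCALATION_PATTERNS = {
    "PassRole into Lambda": {"iam:PassRole", "lambda:CreateFunction"},
    "UpdateFunctionCode on existing Lambda": {"lambda:UpdateFunctionCode"},
    "CreateAccessKey for other users": {"iam:CreateAccessKey"},
}

def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def broad_allow_patterns(policy: dict) -> set[str]:
    """Lower-cased action patterns from Allow statements with Resource "*" and no Condition."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource-scoped grant: left for manual review
        patterns.update(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns

def grants(patterns: set[str], action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def find_escalation_paths(policy: dict) -> list[str]:
    """Names of ESCALATION_PATTERNS whose every action is granted broadly."""
    patterns = broad_allow_patterns(policy)
    return sorted(name for name, needed in ESCALATION_PATTERNS.items()
                  if all(grants(patterns, a) for a in needed))

# Constructed sample: reads as a scoped developer policy, but lambda:* plus PassRole chains.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    # Self-service key rotation scoped to the caller's own user: not flagged.
    {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "arn:aws:iam::*:user/${aws:username}"},
]}
```

Feed it the output of `aws iam get-policy-version` (the PolicyDocument object) for each customer-managed policy; the self-scoped CreateAccessKey statement in the sample shows why resource scoping has to be considered before a finding is raised.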

Azure coverage.

  • Entra ID (Azure AD) — conditional access, privileged identity management, MFA, application registrations, consent grants
  • RBAC — role assignments at subscription, resource group, and resource scope; custom roles and privilege escalation
  • Storage Accounts — public blob containers, SAS token sprawl, shared key disable, network restriction
  • Key Vault — access policies vs. RBAC, network access, soft-delete, purge protection
  • Virtual Machines — managed identity scope, disk encryption, just-in-time access
  • Network Security Groups — rule analysis, exposed management ports, Application Gateway WAF
  • AKS — cluster RBAC, pod identity, network policies, Defender for Cloud integration
  • Defender for Cloud — secure score, regulatory compliance posture, recommendations triage

GCP coverage.

  • IAM — bindings, service account key rotation, privilege escalation (iam.serviceAccounts.actAs chains)
  • Cloud Storage — bucket IAM, uniform vs. fine-grained, public access prevention, CMEK
  • Compute Engine — service account scopes, OS Login, shielded VMs, metadata SSH-key abuse
  • VPC — firewall rules, IAP for TCP forwarding, private Google access
  • GKE — workload identity, network policies, binary authorization, private clusters
  • Cloud Functions / Cloud Run — invoker IAM, ingress restrictions, runtime service account
  • Cloud Audit Logs — coverage, retention, log sinks, alerting

Kubernetes & containers.

  • Cluster configuration review (etcd, API server, kubelet)
  • RBAC analysis — over-permissive roles, ClusterRole vs. Role scope, system:masters abuse
  • Pod Security Standards / Pod Security Policies / OPA Gatekeeper review
  • Network policies and east-west traffic restrictions
  • Container image hygiene — SBOM review, base image vulnerability scanning
  • Admission controllers, mutating webhooks, supply-chain integrity
  • Runtime detection (Falco) tuning and gap analysis
  • Mapped against CIS Kubernetes Benchmark and NSA/CISA Hardening Guide
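The RBAC analysis item above (over-permissive roles, ClusterRole vs. Role scope, system:masters) as an added Python example that is not the firm's tooling. The input shape follows `kubectl ... -o json` items; the SAMPLE objects are constructed, and the choice of which rules count as over-permissive is an assumption.

```python
"""Triage Kubernetes RBAC objects for the issues listed above.
Added example, not the audit firm's tooling. Input is the items array of
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`
as plain dicts. Reports wildcard verbs/resources, ClusterRoleBindings that give
such a role (or cluster-admin) cluster-wide scope, and subjects in the
system:masters group, which the API server honours before consulting RBAC.
"""

def _ref(obj: dict) -> str:
    return f"{obj['kind']}/{obj['metadata']['name']}"

def wildcard_rules(role: dict) -> list[str]:
    return [f"wildcard rule: verbs={r.get('verbs', [])} resources={r.get('resources', [])}"
            for r in role.get("rules", [])
            if "*" in r.get("verbs", []) or "*" in r.get("resources", [])]

def audit_rbac(objects: list[dict]) -> list[tuple[str, str]]:
    """Return (object, issue) pairs; built-in system:* roles and cluster-admin are not re-audited."""
    findings, risky_cluster_roles = [], {"cluster-admin"}
    for obj in objects:
        name = obj["metadata"]["name"]
        if obj["kind"] in ("ClusterRole", "Role") and not name.startswith("system:") and name != "cluster-admin":
            issues = wildcard_rules(obj)
            findings += [(_ref(obj), i) for i in issues]
            if issues and obj["kind"] == "ClusterRole":
                risky_cluster_roles.add(name)
    for obj in objects:
        if not obj["kind"].endswith("Binding"):
            continue
        role = obj["roleRef"]
        for s in obj.get("subjects", []):
            ns = s.get("namespace")
            who = f"{s['kind']} {ns + '/' if ns else ''}{s['name']}"
            if s["kind"] == "Group" and s["name"] == "system:masters":
                findings.append((_ref(obj), f"{who} bypasses RBAC entirely; this binding hides real access"))
            # A RoleBinding to a ClusterRole stays namespaced; only a ClusterRoleBinding is cluster-wide.
            if obj["kind"] == "ClusterRoleBinding" and role["name"] in risky_cluster_roles:
                findings.append((_ref(obj), f"cluster-wide {role['kind']}/{role['name']} for {who}"))
    return findings

SAMPLE = [  # constructed objects shaped like kubectl -o json items
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["apps", ""], "resources": ["deployments", "secrets"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-binding"}, "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]
```

Running `audit_rbac(SAMPLE)` reports the wildcard ClusterRole, its cluster-wide binding to the CI service account, and the redundant system:masters binding, while alice's namespaced RoleBinding to the built-in `edit` ClusterRole produces nothing.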

Our methodology.

  1. Scoping & access. Read-only IAM credentials issued for each cloud provider in scope. Designated point of contact for the engagement.
  2. Inventory & baseline. Enumerate every resource, IAM principal, network configuration, and policy via cloud APIs.
  3. Configuration review. Automated evaluation against CIS Benchmarks, AWS Well-Architected, Azure Security Baseline, GCP CIS — with false-positive filtering.
  4. Privilege escalation mapping. Use tooling (Cloudsplaining, PMapper, ROADtools) and manual analysis to identify reachable high-privilege roles from any compromised principal.
  5. Exploitation. Validate the highest-impact findings with safe exploitation in coordination with you — not destructive, but conclusive.
  6. Reporting & retest. Findings prioritized by exploitability, business impact, and remediation effort. Free retest within 30 days.

Tools & tradecraft.

  • Prowler
  • ScoutSuite
  • Pacu
  • Cloudsplaining
  • PMapper
  • ROADtools
  • Stormspotter
  • kubectl-who-can
  • kube-bench
  • kube-hunter
  • trivy
  • checkov
  • tfsec
  • Steampipe

Compliance mapping.

  • CIS Benchmarks — AWS Foundations, Azure Foundations, GCP Foundations, Kubernetes
  • AWS Well-Architected Security Pillar
  • Azure Security Baseline and Microsoft Cloud Security Benchmark
  • NIST SP 800-53 Rev. 5 — cloud control mapping
  • ISO/IEC 27017 / 27018 — cloud-specific extensions
  • SOC 2 Type II — trust services criteria for cloud-hosted services
  • PCI-DSS v4.0 in cloud environments (shared responsibility model)
  • FedRAMP Moderate / High control coverage

What you receive.

  • Executive summary — cloud security posture and risk register
  • Detailed findings report — every misconfiguration with reproduction steps, impact, and remediation guidance
  • IAM privilege escalation graph — visual map of reachable privileges from each principal
  • Compliance gap analysis — CIS Benchmark scorecard with delta from baseline
  • Terraform / IaC remediation snippets for high-impact fixes
  • Cost-impact estimates for remediation projects
  • Free retest within 30 days with clean attestation

Frequently asked questions.

Which cloud providers do you audit?

AWS, Microsoft Azure, and Google Cloud Platform are our primary platforms. We also assess hybrid and multi-cloud environments, including Kubernetes (EKS, AKS, GKE, self-hosted) and serverless (Lambda, Azure Functions, Cloud Run).

What access do you need to perform a cloud audit?

Read-only IAM credentials with broad coverage (AWS SecurityAudit, Azure Reader + Security Reader, GCP Security Reviewer). For deeper testing we may request targeted write access in dedicated test accounts to validate exploitation paths.

Does the audit follow CIS Benchmarks?

Yes. Every cloud audit is mapped against the relevant CIS Benchmark (AWS Foundations, Azure Foundations, GCP Foundations, Kubernetes) plus provider-specific frameworks like AWS Well-Architected Security Pillar.

Can you assess our Kubernetes cluster?

Yes. Kubernetes assessment covers cluster configuration, RBAC, network policies, pod security standards, container image hygiene, supply chain, and admission controllers. We map to CIS Kubernetes Benchmark and NSA/CISA hardening guidance.

Audit your cloud estate.

Free scoping call. Bring your AWS / Azure / GCP architecture and we’ll propose a focused audit within 24 hours.