Testing of Cloud services can be different to your traditional on-premise pen-test.

What we do, is we assess your AWS account, Microsoft 365 tenancy or Azure subscriptions using a combination of automated tools and manual testing, assessing the configuration against the security best practices from the Center for Information Security and the NCSC. We will also check whether good security hygiene practices, such as managing user accounts, are in place.

We usually recommend performing cloud reviews in conjunction with external pen-tests.  In these cases, we’ll use data on the resources and IP addresses we have discovered within your cloud environment to guide the scope of the external penetration test – helping to minimise cost and maximise coverage.

All testing we will perform falls within the penetration testing activities these platforms permit without prior notification.

Services we commonly test include:

• Productivity services
  • Microsoft 365
  • Google Workplace
• Public Clouds
  • AWS
  • Microsoft Azure
  • Google Cloud Platform (GCP)

Before we start any testing, we’ll agree on a formal testing Scope document with you. In this, we’ll agree on the accounts or tenancies in scope and how to access your accounts’ configuration.

Due to the complex and varied nature of people’s usage of Iaas, following the testing, we will explore some of the findings with you in a meeting to provide us with the situational awareness to provide recommendations relevant to your specific use of the cloud provider.

Once our testing is complete, we’ll provide you with a report with detailed findings, their impact and how to fix them. We can also provide consultancy to help fix these if that is useful to you.