Cloud penetration testing or “pentesting” usually refers to testing an environment hosted in the cloud, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure.

Typically, the penetration testing provider is not directly testing the cloud provider, but rather your deployment within the environment. For example, if you are hosting a new website on AWS, the pentest company would run a web application penetration test against your website and not against the underlying AWS platform. Penetration testing directly against the cloud platform, rather than your deployment, is often not allowed by the cloud provider.

What is understood by cloud security?

Cloud security typically means the security of your own environment within the cloud platform you are using. The cloud provider, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure, supplies the environment in which you deploy. The provider is responsible for the security of everything up to the point of your deployment, for example the physical infrastructure and the underlying cloud environment. Typically, you are responsible for the security of everything you deploy and configure within that environment.

Checklist for cloud penetration testing

When carrying out a cloud penetration test or pentest, there are some basic aspects that you should make sure are part of any checklist you have.

  1. Make sure the pentest provider has experience testing cloud environments.
  2. Make sure the pentest company is aware of the nuances of testing in cloud environments, including the cloud provider's rules on what may be tested, and the security challenges associated with the cloud.
  3. Make sure the pentest consultants have the appropriate accreditations. This may include certifications from CREST, Offensive Security, and/or TigerScheme.