Securing Cloud Solutions: A Penetration Tester’s Approach
Yash Prajapati
FEB 20, 2025
While surfing through some industry reports to get updated with the latest information, one subject caught my attention—Cloud Security, one of the most debated topics after AI and Cybersecurity today. Since it’s been a while since I last explored cloud security in detail, I decided to dig up the reports and collect top facts on recent figures exclusively for you guys.
Among all the reports I analyzed, SANS presented the most eye-opening statistics.
What is SANS?
If you are a newcomer to the cybersecurity profession or come from a non-technical background, let me provide a quick introduction to SANS. So, what is SANS in simple terms? Established in 1989, when cybersecurity was still in its early stages, SANS has been a constant force in the industry, providing best information, cyber security solutions, and best practices. It guides secure digital assets by providing training, certifications, and research. The SANS Top 25 is the second most recognized security vulnerability list among penetration testers, next to the OWASP Top 10.
Now, since I have some information on human psychology, I know you'd want to jump straight to the SANS-derived figures first—but I've kept them for the end intentionally. So, do read through all the figures in order to get accurate insights!
The risk of cybersecurity attacks has persisted to rise year after year. In 2022, realized cyber dangers had been the biggest difficulty for businesses globally. The threat from cybercrime agencies, large breaches, and disruption attacks became of extra concern than commercial enterprise technique outages and herbal failures (Cyber Risks Top Worldwide Business Concerns in 2022, 2022).
Newly located vulnerabilities along with Log4j, further to a remote staff migration, caused an increase in cybersecurity assaults by 50% in 2021 (Zurier, 2022).
Not only has the number of attacks increased drastically, but also the level of access a cybercriminal can obtain in the internal systems of an enterprise is also growing. A recent study indicated that an attacker would be able to gain access to 93% of an enterprise network as soon as they have access to an internal network device, including the local and protected resources. (Cybercriminals can penetrate 93 Percent of Company Networks, 2021).
The value associated with cybercrime will develop by 15% year over year by 2025. This value consists of the evaluation and research of assaults, regulatory fines and charges, generation to go back to everyday commercial enterprise operations, and any misplaced statistics and productivity related to the assault (Morgan, 2020).
The risk posed by cyber attackers will increase over the approaching years. While a noticeable increase in sophisticated threat actor activity, and a wider cyber-attack surface is expected due to the increase in cloud migrations within organizations (Cybercrime To Cost The World $10.5 Trillion Annually By 2025).” - SANS Institute studies 2022
Now since we’ve got much of the insights about what exactly the SANS institute is and the statistics it has provided us, let me now walk you through the technicals.
Cloud computing has revolutionized how businesses operate, but with this shift comes the growing need to secure cloud environments. In the world of penetration testing (PT), cloud security is often misunderstood, especially with shared responsibility models. As a Penetration tester, my role is to test these environments to expose the weaknesses and ensure that the system is as safe as possible. Here's how I approach securing cloud solutions, using a strategic and thorough methodology.
Before proceeding any further, let’s first discuss about:
The Shared Responsibility Model
The first thing to understand is that Cloud Security is a shared responsibility. While cloud service providers (CSPs) such as AWS, Azure, or GCP manage the infrastructure, it is up to the client to secure their data, app and certain configurations. This dynamic means that as a penetration tester, I should keep in mind what CSP manages and what is responsible for the customer. The distinction is crucial because it impacts the scope of testing and helps avoid potential issues or miscommunications, and abiding to cloud security best practices and meet the standards by preventing the cloud security risks.
Cloud Security: Similar to Internal Network Pentesting
In many ways, cloud security resembles internal network penetration testing. Once you have access to a cloud environment (typically with internal access rights), you start seeing patterns that are similar to traditional on-premise network tests. Most vulnerabilities in the cloud stem from misconfigurations, outdated versions, or improperly assigned roles and permissions—just like in internal networks. Cloud environments are vast, and sometimes, misconfigurations can expose the system to external threats or leave sensitive data vulnerable.
Using the Right Tools
It is important to ensure that you are leveraging the correct tool when it comes to cloud security assurance. Some of the cloud security tools that I often use, include:
a) Prowler: An effective tool for AWS safety assessment, which helps me test 200+ safety checks.
b) Scoutsuit: An open-source multi-cloud security auditing tool, ideal for assessing configuration.
c) Steampipe: A tool to query cloud infrastructure in services, provide visibility and assist with compliance check.
These tools helps to automatically scan and highlight the potential cloud security risks that can be exploited thus saving some time for manual exploitation, and covering most of the attack surface and scenarios for me.
Vulnerability Assessment vs. Penetration Testing
The common myth in the field is that penetration testing is only worth the effort if multiple critical vulnerabilities are found. Yet, "penetration testing is more than counting criticals!!" The difference between Vulnerability Assessment (VA) and Penetration Testing (PT) is being pointed out here:
a) Vulnerability Assessment: This is about finding as many vulnerabilities as possible, using both automated tools and manual techniques. It gives a broad view of the security posture and covers most of the attack surface.
b) Penetration Testing: Once vulnerabilities are found, it's time for manual testing to determine if these vulnerabilities are exploitable and whether they pose an actual risk. This is where we go beyond just finding vulnerabilities; we exploit them to understand the potential impact.
A good penetration tester ensures that every vulnerability, even low-level ones, is considered because sometimes it’s the small ones that chain together to create a bigger threat.
Internal Access and Cloud Configuration Pain Points
At times, the application or application server within the cloud infrastructure can have roles assigned to it through policies, thus giving it more privileges than were initially expected. If such roles are vulnerable to exploitation, they can become a point of entry to internal network that would otherwise be difficult to access. This is one of the less obvious attack vectors; however, it can lead to serious compromises if not properly tested.
Using Tools Like CloudFox and Pacu for Deeper Insights
The majority of the testers utilize CSP provided Cloud security tools or Cloud monitoring tools while few organisations also prefer tools like CloudFox or Pacu in the CI/CD pipelines, or locally for quick vulnerability scans. Though these tools help in discovering surface-level bugs, they also provide information regarding deeper attack surfaces, which may be used to achieve privilege escalation. Instead of just documenting those, I believe one needs to investigate how such vulnerabilities can be chained to build a foothold and privilege escalation within the cloud ecosystem. Such proactive analysis provides a more inclusive and realistic assessment of the cloud security posture.
Defining the Right Scope in Cloud Pen Testing
Cloud infrastructures are enormous and complex, particularly when it comes to services like AWS, Azure, or Google Cloud. In performing a penetration test, the scope must be defined. Unlike in traditional systems, there is no need to seek permission from the Cloud Service Provider (CSP) to test cloud resources; however, it is important to understand the boundaries of the shared responsibility model.
When determining the scope, certain questions that apply must be taken into account:
a) What services and resources make up the client's environment?
b) What roles and permissions are defined?
c) What is the responsibility of the CSP, and where does it end?
Without a clearly identified scope, there is a risk of encroaching on areas that can interfere with the infrastructure of the cloud service provider.
Keep a Fresh Perspective
One of the most important mindsets when conducting penetration testing is not to make any assumptions regarding the internal setup. Cloud environments are dynamic, and a small mistake can make a critical vulnerability. For example, a publicly available configuration file can reveal sensitive information like authentication tokens or private keys. A seemingly harmless URL can direct an attacker to this treasure trove of information, which, combined with other vulnerabilities, can result in a critical breach.
Cloud Security: Client vs. Provider Responsibility
One of the fundamental questions that come up with penetration testing is: Who is responsible for fixing a flaw discovered through testing? The provider or client?
The answer generally hinges on the nature of the issue:
a) If the issue is in the client's configuration, then the client needs to correct it (e.g., an invalid IAM policy).
b) If it's a service-level issue that impacts many clients, then the provider is responsible for it (e.g., a CSP infrastructure vulnerability). [Report it responsibly]
A seasoned penetration tester should be well aware of where his/her work stops and where the client's or provider's work starts.
To Recapitulate
Securing cloud solutions requires cloud security best practices and an end-to-end and thorough approach, formulating automated vulnerability scanning with detailed manual penetration testing. The process requires knowledge of the shared responsibility model, the use of the proper tools, proper scope definition, and ongoing monitoring of the security posture of the environment.
As a penetration tester committed to professional development, my goal is to ensure that vulnerabilities—regardless of how severe they may be—are not only identified but also put into context, thus ensuring a robust security assessment that transcends compliance with standard processes.
During a Vulnerability Assessment and Penetration Testing (VAPT) for cloud solutions, the overall goal is to provide the client with actionable intelligence that can properly improve the security of their cloud environment and minimize the risk of potential threats.
Strengthen Your Financial Data with AI-Powered Cybersecurity Solutions
At Webelight Solutions Pvt. Ltd., we feel that end-to-end security needs to be infused at the beginning of the software development life cycle. With threats evolving online, our sophisticated measures against these threats keep evolving too. From the development stage all the way through to deployment, we adhere to the highest cybersecurity standards to safeguard your financial data against malicious threats.
