Cloud Assessment Scoping

Download Scoping Document Read the methodology

This cloud assessment scoping form given below will helps us understand your requirements and tailor our assessment to your needs. Complete the form below or click ‘Download’ to save a copy and fill it in at your convenience. Once completed, please send it to sales@cyberalchemy.co.uk.

Provide company name, your name, email and job title. 

For example, AWS, Azure, Google Cloud Platform, Oracle Cloud
For example, We have two Azure subscriptions, one for production and one for development, and three AWS availability zones within the eu-west-1 region.
For example, 3 x S3 Buckets and 2 x EC2 instances
For example, AWS Lambda functions and S3 buckets containing customer data must not be tested.
For example, CIS benchmark

Cloud Assessment Scoping Methodology

Approach:

Cyber Alchemy’s cloud system assessments are performed remotely, depending on the accessibility of the assets in scope. The primary objective is to identify vulnerabilities and deviations from best practices that could be exploited to compromise the system, escalate privileges, bypass controls, or extract sensitive data.

Our consultants use proven, non-invasive testing techniques aligned with industry standards to identify weaknesses efficiently and minimise disruption. The methodology outlined below is tailored to assess a wide range of cloud service providers, including AWS, Azure, and Google Cloud.

Methodology:

The assessment begins by establishing primary contacts, defining testing objectives, and understanding the cloud environment’s context. This collaborative approach allows us to tailor the assessment to your specific cloud architecture and business needs. Once objectives are agreed upon, we perform a comprehensive assessment covering the following areas:

Cloud-Specific Information Gathering

    • Conduct Open-Source Intelligence (OSINT) to identify cloud assets and configurations.

    • Analyse the cloud services, technologies, and infrastructure in use.

    • Map the cloud environment’s attack surface, focusing on public-facing services and external exposures.

Cloud Service Enumeration

    • Identify and catalogue all active cloud services across AWS, Azure, and Google Cloud.

    • Analyse service configurations, including storage, virtual machines, APIs, and databases.

    • Document cloud resources, including regions, accounts, and multi-cloud setups.

Identity and Access Management (IAM) Assessment

    • Review Identity and Access Management (IAM) policies and their implementation.

    • Identify misconfigurations, overly permissive roles, and privilege inheritance issues.

    • Evaluate multi-factor authentication (MFA) adoption and the security of service accounts.

Cloud Infrastructure Scanning

    • Perform automated scans to identify exposed cloud resources and services.

    • Assess storage configurations (e.g., S3 buckets, Azure Blob Storage) for public access.

    • Evaluate the security of virtual machines, containers, serverless functions, and databases.

Vulnerability Assessment in Cloud Environment

    • Scan for known vulnerabilities in cloud-based infrastructure, APIs, and applications.

    • Identify and assess configuration weaknesses that increase the risk of exploitation.

    • Prioritise vulnerabilities by evaluating their business impact and likelihood of exploitation.

Vulnerability Verification and Exploitation

    • Validate identified vulnerabilities using safe and controlled exploitation techniques.

    • Assess the risk associated with successful exploitation (e.g., data exposure or lateral movement).

    • Document proof of exploitation and provide detailed steps for reproduction and mitigation.

    • Examples of vulnerabilities include:
      • Insecure or exposed API endpoints
      • Misconfigured cloud storage or over-permissive access
      • Weak encryption or unencrypted sensitive data
      • Publicly accessible administrative interfaces

        • Insufficient logging, monitoring, or alerting mechanisms

Privilege Escalation in Cloud Environment

    • Investigate opportunities for privilege escalation across cloud services and roles.

    • Identify and test misconfigurations that could allow unauthorised privilege increases.

    • Document escalation paths and their impact on cloud security posture.

Security Misconfiguration Assessment

    • Examine cloud environments for security misconfigurations and deviations from best practices.

    • Assess network segmentation, security group effectiveness, and firewall rule enforcement.

    • Validate compliance with industry frameworks (e.g., CIS Benchmarks).

Data Protection and Encryption Analysis

    • Evaluate encryption practices for data in transit and at rest across cloud services.

    • Assess the security of encryption key management (e.g., AWS KMS, Azure Key Vault).

Ensure alignment with relevant data protection regulations (e.g., GDPR, UK DPA).

Neil Richardson

Got a question?

Speak to an expert about Cloud Assessment Scoping.

Contact us now