Published: 06 August 2021    Last Updated: 03 July 2023

When penetration testing Amazon Web Services (AWS) environments there are different perspectives the assessment could consider, some are very similar to external infrastructure/web application assessments and some are different.

I’ll separate the things that are the same from the things that are different to traditional penetration testing by considering the following types of cloud testing and then breaking each one down into the kinds of testing that could take place:

Published: 06 August 2021    Last Updated: 05 July 2023

I recently wrote an introduction to PenTesting an AWS Environment. A sensible place to start given that I included that in Q1 of 2018 Amazon holds a 33% market share in cloud whereas Microsoft only holds 13%. However I did want to add a few notes that are specific to PenTesting within Azure environments here.

Many of the concepts are the same however, in my AWS article I broke the perspective a penetration tester could take of a cloud environment down into testing “on the cloud”, “in the cloud”, and “testing the cloud console.” That concept remains the same, which is: