During a cloud security audit I review your cloud infrastructure against cloud security best practices covering the following topics:
- User Management, Authentication, Authorization, Access Policies
- Component Isolation, Security Groups, VPN Settings, Ingress/Egress Routing
- Object Storage Visibility (like S3)
- Security of Serverless Functions (like Lambdas)
- Hardening of metadata web services (instance metadata endpoints that can be abused through SSRF vulnerabilities)
- Encryption of Data-in-Transit & Data-at-Rest
- Key Management & Secret Management (use of vaults)
- Logging & Monitoring
- DFIR-Readiness (Digital Forensics & Incident Response)
My security review approach combines the latest benchmark tests with my extensive pentesting experience in cloud-based environments.
Review of Container Orchestration Platforms
Cloud environments often use container orchestration platforms such as Kubernetes (K8s) or OpenShift to distribute and manage container-based applications. For reviewing the security of container platforms I offer a separate service: Container Platform Review
The resulting report of the identified security issues includes detailed descriptions of the findings (along with all evidence collected), mitigation advice to remediate each issue, and tips to further harden your environment. To make it easier to route the individual findings to the relevant parties, I categorize each finding by the function (business, architecture, development, operations) to which it applies.
After the report has been delivered, an on-site or remote debriefing meeting is arranged to discuss the report and any open questions with the team members assigned to remediate the findings.
This process can optionally be followed by a second check of remediated findings, which leads to an updated report.
This kind of security check requires high-privileged access to the cloud environment in order to review its security.
It is helpful to receive some information upfront about your architecture and intended cloud setup so that the review can be as targeted as possible. This includes high-level information about your architecture, such as which components are used and what kind of data (in terms of sensitivity) is handled by each component.
This information is usually provided and discussed in a kick-off workshop (remote or on-site) at the latest a few days before the review begins.