Cloud Security Audit
Auditing AWS, Azure, and GCP environments for misconfigurations, exposed resources, and overly permissive IAM policies. This workflow covers automated compliance scanning, manual enumeration of cloud-specific attack surfaces, and adversary emulation to validate real-world exploitability.
Scope Definition and Credential Setup
Establish which cloud accounts, subscriptions or projects, regions, and services are in scope. Obtain read-only credentials with enough permissions for enumeration: for AWS an IAM role you can assume (the SecurityAudit and ViewOnlyAccess managed policies are the usual baseline), for Azure a service principal with the Reader role on the subscriptions in scope, for GCP a service account with the Viewer and Security Reviewer roles. Verify your access before starting (aws sts get-caller-identity, az account show, gcloud auth list, then list a few basic resources in each account) so that an empty result later is a finding and not a permissions problem. Document any services explicitly excluded from testing, and agree up front whether the adversary emulation phase is allowed to create resources.
Tip: enumerate-iam brute-forces a long list of read-only AWS API calls (list, describe, get) to show what your credentials can actually do. Run it first so you know your real access level instead of trusting the policy document you were given. Two caveats: it only probes read calls, so it cannot reveal write permissions, and the burst of AccessDenied events it produces in CloudTrail looks like reconnaissance, so warn the SOC before running it.
IAM and Identity Enumeration
Map all users, roles, groups, service accounts, and their attached and inline policies. Look for overly permissive policies (wildcards in actions or resources, Allow statements that use NotAction), unused credentials and stale access keys, human accounts without MFA, cross-account trust relationships (role trust policies and resource policies that name external accounts), and privilege escalation paths such as iam:PassRole combined with the ability to launch compute under the passed role. IAM misconfigurations are among the most common and most impactful findings in cloud audits, because every other misconfiguration is reached through an identity.
Tip: Prowler's IAM checks are comprehensive for AWS. CloudFox specifically looks for privilege escalation paths and identifies which credentials can reach sensitive data. ScoutSuite gives you a visual dashboard across all services. Run all three; they each catch different things. Prowler and ScoutSuite also have Azure and GCP providers. A tool-reported escalation path still needs manual confirmation against the target role's trust policy and any SCP or permission boundary in effect before you report it as exploitable.
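The wildcard and privilege-escalation checks described above, as a first-pass screen over raw policy JSON. This is an added example for this workflow, not code from Prowler, CloudFox or ScoutSuite; the sample policy, the PRIVESC_COMBOS table (a small subset of the well-known escalation paths) and the finding strings are this example's own assumptions.

```python
"""Screen AWS IAM policy documents for wildcards and known escalation combos.

Added example for this workflow, not code from Prowler, CloudFox or ScoutSuite.
It is a coarse first pass over the policy JSON that iam:GetPolicyVersion or
iam:GetRolePolicy returns; Deny statements, permission boundaries and SCPs are
deliberately ignored, so every hit still needs confirmation by hand.
"""
import fnmatch

# Action sets that together let a principal run code under, or rewrite, a more
# privileged identity. A small subset of the well-known escalation paths.
PRIVESC_COMBOS = {
    "PassRole to Lambda": {"iam:PassRole", "lambda:CreateFunction",
                           "lambda:InvokeFunction"},
    "PassRole to EC2": {"iam:PassRole", "ec2:RunInstances"},
    "Rewrite own policy": {"iam:CreatePolicyVersion"},
    "Rewrite role trust": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
}

# Constructed sample: a CI role's policy, as an auditor would pull it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:CreateFunction",
                    "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def as_list(value):
    """IAM allows either a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Lower-cased action patterns granted by Allow statements (IAM action
    matching is case-insensitive). An Allow with NotAction grants everything
    not listed, which for screening purposes is treated as '*'."""
    patterns = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            patterns.add("*")
        for action in as_list(stmt.get("Action", [])):
            patterns.add(action.lower())
    return patterns


def grants(patterns, action):
    """True if any pattern ('*', 's3:*', 'iam:pass*') covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def wildcard_findings(policy):
    """Allow statements that are full-admin or service-wide on Resource '*'."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if "*" in actions or "NotAction" in stmt:
            findings.append(f"stmt[{i}]: full admin (Action '*' or NotAction)")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(f"stmt[{i}]: service-wide {actions} on Resource '*'")
    return findings


def privesc_findings(policy):
    """Names of escalation combos fully covered by the policy's Allow actions."""
    patterns = allowed_action_patterns(policy)
    return [name for name, needed in PRIVESC_COMBOS.items()
            if all(grants(patterns, a) for a in needed)]


if __name__ == "__main__":
    for line in wildcard_findings(SAMPLE_POLICY) + privesc_findings(SAMPLE_POLICY):
        print(line)
```

On the sample the screen reports the service-wide s3:* grant and the PassRole-to-Lambda combination; the MFA Deny is ignored on purpose, which is exactly the kind of control you then check by hand before calling the path exploitable.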
Storage Bucket and Data Exposure Scanning
Check all storage services (S3, Azure Blob Storage, GCS) for public access, misconfigured bucket policies, and sensitive data exposure. Look for buckets that allow anonymous listing or reading, overly broad access policies, and any data that shouldn't be publicly accessible. Check the account-level guards as well (S3 Block Public Access, the storage account's allowBlobPublicAccess setting in Azure, public access prevention in GCS), since they decide whether a public policy or ACL is actually reachable. Storage misconfigurations account for a large share of publicly reported cloud data breaches.
Tip: S3Scanner tests bucket permissions and can enumerate readable objects. Check both bucket ACLs and bucket policies; they are separate access control mechanisms, and Block Public Access settings at the bucket or account level can override either of them, so record all three before rating the exposure. Don't forget CloudFront or CDN distributions that might expose private bucket contents through misconfigured origin access, for example a distribution with no origin access control in front of a bucket that was made public to make it work.
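The three-input check the tip describes (bucket policy, bucket ACL, Block Public Access) as an added example for this workflow; it is not S3Scanner's or AWS's code. The bucket name, account ID, distribution ID and VPC endpoint ID in the sample are placeholders, and the sample policy is constructed to show one genuinely public statement next to two that only look public.

```python
"""Judge whether an S3 bucket is actually anonymous-readable.

Added example for this workflow, not S3Scanner's or AWS's code. It combines
the bucket policy (s3:GetBucketPolicy returns it as a JSON string), the bucket
ACL (s3:GetBucketAcl) and the Block Public Access settings
(s3:GetPublicAccessBlock). All sample data is constructed; the account,
distribution and VPC endpoint IDs are placeholders.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Open to the world with no Condition: this is the real exposure.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        # CloudFront origin access control: service principal scoped by SourceArn.
        {"Sid": "CdnOnly", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"AWS:SourceArn":
             "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}}},
        # Principal '*' but limited to one VPC endpoint: review, not public.
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

BPA_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def as_list(value):
    return value if isinstance(value, list) else [value]


def anonymous_principal(principal):
    """Principal '*' or {'AWS': '*'} means anyone, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def public_policy_statements(policy_json):
    """(Sid, actions) for Allow statements open to anyone with no Condition.
    Conditioned statements are left for manual review: aws:SourceVpce or
    aws:SourceIp usually scope access down, but a weak condition would not."""
    hits = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if (stmt.get("Effect") == "Allow"
                and anonymous_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append((stmt.get("Sid", "<no sid>"), as_list(stmt["Action"])))
    return hits


def public_acl_grants(acl):
    """(group, permission) for grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def audit_bucket(policy_json, acl, bpa):
    """Effective exposure once Block Public Access is taken into account:
    RestrictPublicBuckets neutralises a public bucket policy and
    IgnorePublicAcls neutralises public ACL grants. A public grant behind
    full BPA is still worth reporting as hygiene, so both views are returned."""
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(acl)
    return {
        "policy_public": policy_hits,
        "acl_public": acl_hits,
        "exposed": (bool(policy_hits) and not bpa.get("RestrictPublicBuckets", False))
                   or (bool(acl_hits) and not bpa.get("IgnorePublicAcls", False)),
    }


if __name__ == "__main__":
    print(audit_bucket(SAMPLE_POLICY_JSON, SAMPLE_ACL, {}))      # exposed: True
    print(audit_bucket(SAMPLE_POLICY_JSON, SAMPLE_ACL, BPA_ON))  # exposed: False
```

The same bucket is reported as exposed when no Block Public Access settings exist and as not exposed once all four are on, which is why the policy and ACL findings are returned separately from the exposure verdict: the former go in the hygiene section, the latter is the breach-relevant finding.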
Network Exposure and Security Group Review
Identify all internet-facing resources, open security groups, public IPs, load balancers, and API gateways. Map the network topology to understand how traffic flows between VPCs, subnets, and external networks. Look for overly permissive ingress rules, especially SSH (22) and RDP (3389) open to 0.0.0.0/0 or ::/0, and services exposed without authentication. A rule open to the world only matters if the resource also has a public IP and a route to an internet gateway, so check route tables and network ACLs before rating it.
Tip: Steampipe lets you query cloud resources with SQL, which is excellent for custom checks like 'show me all security groups with port 22 open to the internet.' CloudFox maps network exposure and shows which resources are reachable from the internet. Cross-reference with actual port scans of the public IPs to verify what is listening: an open security group on a host with nothing bound to that port is a hygiene finding, not an exposure.
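The security-group review from the two paragraphs above as an added example for this workflow (not Steampipe's or CloudFox's code): it walks the IpPermissions structure that ec2:DescribeSecurityGroups returns, keeps only rules whose source is the whole internet, and rates them by whether the port range covers a service that should never face the internet. The group IDs and the SENSITIVE_PORTS list are this example's assumptions, and the four sample groups are constructed.

```python
"""Flag security-group ingress rules open to the internet and rate them.

Added example for this workflow, not Steampipe's or CloudFox's code. Input
mirrors the IpPermissions shape that ec2:DescribeSecurityGroups returns; the
groups below are constructed samples. A hit here means the rule allows the
traffic, not that anything listens: confirm with a port scan of the public IP.
"""
ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports that should never face the internet without an authenticating gateway.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from the VPC only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # all protocols, all ports
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,      # reachable from sg-0bbb only
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
]


def open_sources(perm):
    """CIDR sources of a rule that mean 'the whole internet', v4 or v6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)


def sensitive_ports_in(perm):
    """Sensitive ports covered by the rule. IpProtocol '-1' is every port."""
    if perm.get("IpProtocol") == "-1":
        return dict(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:   # ICMP rules use -1 for type/code
        return {}
    return {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}


def internet_exposed_rules(groups):
    """One finding per rule reachable from ANYWHERE. Rules whose only sources
    are other security groups or private CIDRs are skipped."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = open_sources(perm)
            if not sources:
                continue
            all_traffic = perm.get("IpProtocol") == "-1"
            hits = sensitive_ports_in(perm)
            findings.append({
                "group": group["GroupId"],
                "name": group["GroupName"],
                "ports": "all" if all_traffic else f"{perm['FromPort']}-{perm['ToPort']}",
                "sources": sources,
                "sensitive": sorted(hits.values()),
                # Wide-open or a sensitive service: high. Anything else (443, 80)
                # is expected for a public service and is recorded for context.
                "severity": "high" if all_traffic or hits else "info",
            })
    return findings


if __name__ == "__main__":
    for f in internet_exposed_rules(SAMPLE_GROUPS):
        print(f"{f['severity']:4} {f['group']} ({f['name']}) ports {f['ports']} "
              f"from {','.join(f['sources'])} {f['sensitive']}")
```

The bastion's SSH rule and the legacy all-protocols rule come out as high, the web group's 443 as info, and the database group does not appear at all because its only source is another security group. Feed the high findings into a port scan of the attached public IPs before writing them up as exposures.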
Compliance and Best Practice Audit
Run your findings against compliance frameworks like CIS Benchmarks, SOC 2, PCI DSS, or HIPAA depending on what's relevant to the organization. This catches configuration drift and baseline violations that might not be immediately exploitable but represent security debt. Focus on logging, encryption at rest and in transit, key rotation, and backup policies.
Tip: Prowler maps findings directly to CIS Benchmark controls and can generate compliance reports. CloudSploit provides its own set of best practice checks. Use Steampipe's compliance mods for customizable framework assessments. Don't just report pass/fail; prioritize findings by actual risk, since a failed control on an isolated dev account and the same failure on the production data store are not the same finding.
Adversary Emulation and Attack Simulation
Validate your findings by simulating real-world cloud attacks. Attempt the privilege escalation paths you identified, try to exfiltrate data from misconfigured storage, and test whether detection and alerting are working. This turns theoretical findings into proven exploits and demonstrates real business impact to stakeholders.
Tip: Stratus Red Team provides pre-built attack techniques mapped to MITRE ATT&CK for cloud. Run them in a controlled manner (warm up, detonate, then clean up each technique) and coordinate with the SOC team to verify detection coverage. The techniques create real resources in the target account, so run them only where scope allows and confirm that cleanup succeeded before moving on. CloudFox can identify which attack paths are most likely to succeed based on current configuration.
Report and Remediation Roadmap
Compile all findings with evidence, risk ratings, and specific remediation steps for each issue. Group findings by service and severity. Include a prioritized remediation roadmap that addresses the highest-risk items first. Cloud misconfigurations can often be fixed quickly with infrastructure-as-code changes, so provide the specific policy or configuration changes needed.
Tip: Include Terraform or CloudFormation snippets for fixes where possible - this dramatically increases the chance that findings actually get remediated. Highlight any findings where the organization's detection failed during your adversary emulation phase.