pentest · cloud

Test the cloud blast radius.

AWS, GCP, Azure pentest. IAM walks, public object-storage discovery, metadata-service abuse via SSRF, cross-account assume-role chains, control-plane logging gaps. Mapped to your compliance scope.

01. in scope

What we test.

Configuration audit plus active exploitation. Read-only access by default; write access only with explicit approval.

IAM blast radius

Per-principal: what can it access, what can it escalate to, what would the blast radius be in a worst case. Cloud-native analysis with Pacu, ScoutSuite, Prowler.

Exposed object storage

S3 / GCS / Blob bucket discovery. Public read, public write, leaked credentials in objects, snapshot exposure.

Metadata service via SSRF

For any application running on EC2/GCE/VM. SSRF to the metadata endpoint, credential theft, lateral movement via assumed roles. IMDSv2 enforcement check.
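The IMDSv2 enforcement check described above, as an added read-only example rather than the engagement's own tooling. It evaluates the `MetadataOptions` block that boto3's `ec2.describe_instances()` returns for each instance; the reservations and instance IDs below are constructed sample data, not a real account.

```python
# Added example (not the engagement's own tooling): a read-only IMDSv2
# enforcement check over the EC2 DescribeInstances response shape.
from typing import Dict, List

# Constructed sample in the shape boto3's ec2.describe_instances() returns;
# the instance IDs and settings are made up for this example.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example1",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example2",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example3",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example4",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}
]


def audit_metadata_options(reservations: List[Dict]) -> Dict[str, List[str]]:
    """Return {instance_id: [finding, ...]} for instances whose IMDS settings
    leave an SSRF-to-credential-theft path open; clean instances are omitted."""
    findings: Dict[str, List[str]] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all, so there is nothing for SSRF to reach
            issues = []
            if opts.get("HttpTokens") != "required":
                # IMDSv1 still answers plain GETs, which is all a basic SSRF can issue
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # a hop limit above 1 lets containers on the host obtain IMDSv2 tokens too
                issues.append(f"hop limit {opts['HttpPutResponseHopLimit']} > 1")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    for instance_id, issues in audit_metadata_options(SAMPLE_RESERVATIONS).items():
        print(instance_id, "; ".join(issues))
```

On a live account, pass the `Reservations` list from `ec2.describe_instances()` (paginated) in place of the sample; the check needs only `ec2:DescribeInstances`.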

Cross-account chains

For multi-account orgs: assume-role chains, tooling-account blast radius, audit-account independence, cross-account trust mistakes.

Control-plane logging

CloudTrail, Cloud Audit Logs, Activity Log. Data events enabled? Centralized? Sufficient for incident reconstruction?

Container + Kubernetes

EKS, GKE, AKS. Pod security, RBAC, service-account chains, image-pull authentication, network policies.

02. methodology

Methodology.

Read-only access to the cloud control plane. Active exploitation against the application layer where it touches cloud APIs.

  1. IAM enumeration + analysis. Cloud-native tooling: AWS Access Analyzer, GCP IAM Recommender, Azure PIM analysis. Manual walks of high-blast-radius roles.
  2. Configuration audit. CSPM-style review of public exposure, encryption, logging, monitoring. Reconciled against your stated compliance scope.
  3. Application-layer exploitation. SSRF, deserialization, file uploads in cloud-hosted apps. Translated into cloud-credential theft where possible.
  4. Report + readout. Attack-path diagrams from external foothold to crown-jewel data. Engineer Q&A on remediation priorities.

03. deliverables

What you walk away with.

Cloud pentest deliverables.

Findings report

Per-finding: severity, exploit chain, blast radius, fix guidance. Provider-specific remediation (AWS, GCP, Azure).

IAM blast-radius graphs

Visual per-principal blast radius. Useful for ongoing reviews after the engagement closes.

Compliance evidence pack

Findings and remediation evidence formatted for SOC 2, ISO 27001, PCI auditors.

Retest within 30 days

Post-fix retest included. Re-verify resolution on the new configuration state.

04. when

When teams hire us for this.

Common triggers for a cloud pentest.

Post cloud migration

On-prem patterns do not translate cleanly to cloud IAM. First post-migration pentest catches the mistakes.

Multi-cloud expansion

You added GCP or Azure on top of AWS. The trust model across providers needs review.

Container or Kubernetes adoption

EKS/GKE/AKS introduces a new attack surface (pod security, service accounts, network policies). Worth its own test.

Compliance: SOC 2, ISO 27001, FedRAMP

Auditors expect cloud configuration to be tested independently of the application layer.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

Read-only or write access?

Read-only by default. Write access only if you want us to implement remediation pull requests as part of the engagement (rare).

Which providers do you cover?

AWS, GCP, Azure as standard. Oracle Cloud, IBM Cloud, Alibaba on request.

What about Kubernetes?

Covered. EKS, GKE, AKS, and on-prem K8s clusters tested for pod security, RBAC, service-account chains, network policies, and admission control.

Test the cloud?

60-minute scoping call covers cloud providers, account structure, and compliance context. Free.