Cloud Security (AWS & GCP)

What is a cloud security assessment?

A cloud security assessment is a security investigation of your AWS or Google Cloud environment. We assess configuration, architecture and access management from an attacker's perspective. The goal: find misconfigurations that lead to data exposure, privilege escalation or full account takeover.

The cloud is fundamentally different from on-premises. The shared responsibility model means AWS or GCP secures the infrastructure, but you are responsible for configuration. And that is where things go wrong: publicly accessible S3 buckets, excessive IAM permissions, hardcoded secrets in Lambda functions, misconfigured security groups, missing logging. We find these mistakes because we know how attackers exploit them.

What do we investigate?

• IAM - excessive permissions, wildcard policies, cross-account access, service account abuse, privilege escalation paths.
• Storage - S3/GCS buckets: public access, misconfigured ACLs, encryption.
• Compute - EC2/GCE: security groups, metadata service exploitation (SSRF to credential theft), IMDSv1 vs. IMDSv2.
• Secrets management - hardcoded credentials in code, Lambda environment variables, parameter stores without encryption.
• Networking - VPC configuration, security groups/firewall rules, public IPs, load balancer configuration.
• Logging & monitoring - CloudTrail/Cloud Audit Logging enabled? Events actually monitored?

Why should you get a cloud security assessment?

One wrong IAM policy can expose your entire organisation:

• Misconfiguration is cause #1: most cloud incidents result from configuration errors, not sophisticated attacks.
• IAM is overwhelming: AWS alone has 14,000+ permissions. Who oversees which role can do what?
• Multi-cloud = multi-risk: each provider has its own pitfalls.
• Compliance: NIS2, ISO 27001 and SOC 2 require demonstrable control.

Our approach

We approach your cloud as an attacker with insider knowledge. We share findings directly - no surprises in the final report:

• Inventory - inventorying all resources, roles, policies and configurations with ScoutSuite, Prowler and Cartography.
• IAM analysis - manual review of policies, trust relationships, resource-based policies. Identifying privilege escalation paths.
• Configuration review - storage, compute, networking, logging and encryption against CIS Benchmarks.
• Attack simulation - from a limited-access account, testing which escalation paths are actually exploitable.
• Secrets scanning - hardcoded credentials, API keys and tokens in code, Lambda functions and configuration.
• Reporting - findings with risk classification, attack paths and concrete remediation steps. Including Terraform/CloudFormation snippets where relevant.

Questions after delivery? Call us. We do not disappear after the report.

What does a cloud security assessment cost?

Our hourly rate is €175 per hour. Indications:

• Cloud provider(s): AWS, GCP, or both.
• Size: number of accounts/projects, regions, services.
• Complexity: multi-account setups, organizations, custom IAM.

An AWS account with 50-200 resources: €7,000 - €15,000. Larger multi-account environments higher. For Microsoft Azure / Entra ID, see our Azure / Entra ID Assessment.