What is Cloud Pentesting?

Updated: Nov 16, 2021

Cloud Penetration Testing or 'Pentesting' typically refers to testing a cloud-hosted environment, such as one running in Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure. Typically the pen test provider is not testing the cloud provider directly but rather your deployment within its environment. For example, if you are hosting a new website in AWS, the pen test company would run a web application penetration test against your website and not the underlying AWS platform. Pen testing directly against the cloud platform, rather than your deployment, is often not permitted by the cloud provider.



What is meant by cloud security?

Cloud security typically means the security of your environment within the cloud platform you are using. The cloud provider, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, provides the environment for you to deploy 'onto'. The provider is responsible for the cloud security of everything up to the point of your deployment, for example, the underlying cloud architecture and environment. You are then typically responsible for the cloud security of everything you deploy and configure within the cloud environment.


Cloud pen-testing checklist

When conducting a Cloud Penetration Test or 'Pen Test', there are some basics you should ensure are part of any checklist you have.


  1. Ensure the pen test vendor has expertise with testing cloud environments.

  2. Ensure the pen test company has knowledge of the nuances of testing cloud environments and the associated cloud security challenges.

  3. Ensure the pen test consultants have the right accreditations. This may include certifications under CREST, Offensive Security and/or TigerScheme.
