Download Publication

Cloud Penetration Testing Playbook
Release Date: 07/12/2019
Working Group: Top Threats
As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.
This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the hypervisor of an IaaS environment that is controlled by the cloud service provider isn’t. As for testing hybrid clouds, this document does not cover the hybrid interface and on-premises environment.
Download this Resource
Prefer to access this resource without an account? Download it now.
Related Resources
Acknowledgements

Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.
Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. H...

Victor Chin
Victor Chin

Jon-Michael Brook
Jon-Michael Brook
Jon-Michael C. Brook is a certified, 25-year practitioner of cybersecurity, cloud, and privacy. He is the principal contributor to certification sites for privacy and cloud security, and has published books on privacy. Jon-Michael received numerous awards and recognition during his time with Raytheon, Northrop Grumman, Symantec, and Starbucks. He holds patents and trade secrets in intrusion detection, GUI design, and semantic data redaction...

Greg Jensen
Greg Jensen

Asaf Hecht
Asaf Hecht

Shlomi Ohayon
Shlomi Ohayon

Chris Farris
Chris Farris
Are you a research volunteer? Request to have your profile displayed on the website here.
Interested in helping develop research with CSA?
Related Certificates & Training

CSA's Cloud Infrastructure Security training provides a high-level introduction to the most critical cloud security topics through virtual self-paced courses. Each Cloud Infrastructure Security training focuses on a specific area of cloud computing, and is design to be succinct, taking one-hour to complete.
Learn more
Learn more