Cloud 101CircleEventsBlog
Our website will be down for scheduled maintenance on February 13th from 4:00 PM to 5:00 PM PST. We apologize for any inconvenience and appreciate your patience!

Download Publication

Cloud Penetration Testing Playbook
Cloud Penetration Testing Playbook

Cloud Penetration Testing Playbook

Release Date: 07/12/2019

Working Group: Top Threats

As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.

This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the hypervisor of an IaaS environment that is controlled by the cloud service provider isn’t. As for testing hybrid clouds, this document does not cover the hybrid interface and on-premises environment.
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
View translations
Related resources
Zero Trust Guidance for Small and Medium Size Businesses (SMBs) - Japanese Translation
Zero Trust Guidance for Small and Medium Size B...
Cloud Security for Startups 2024 - Japanese Translation
Cloud Security for Startups 2024 - Japanese Tra...
Cybersecurity and the Data Lifecycle
Cybersecurity and the Data Lifecycle
From Y2K to 2025: Evolution of the Cybersecurity and Information Security Landscape over the Past 25 Years
From Y2K to 2025: Evolution of the Cybersecurity and Information Se...
Published: 02/12/2025
What's the Baseline for Cyber Resilience?
What's the Baseline for Cyber Resilience?
Published: 02/11/2025
BeyondTrust Breach: A Wake-Up Call for Remote Access Security
BeyondTrust Breach: A Wake-Up Call for Remote Access Security
Published: 02/07/2025
Agentic AI Threat Modeling Framework: MAESTRO
Agentic AI Threat Modeling Framework: MAESTRO
Published: 02/06/2025

Acknowledgements

Michael Roza
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC

Michael Roza

Risk, Audit, Control and Compliance Professional at EVC

Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.
Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. H...

Read more

Victor Chin Headshot Missing
Victor Chin

Victor Chin

Jon-Michael Brook
Jon-Michael Brook

Jon-Michael Brook

Jon-Michael C. Brook is a certified, 25-year practitioner of cybersecurity, cloud, and privacy. He is the principal contributor to certification sites for privacy and cloud security, and has published books on privacy. Jon-Michael received numerous awards and recognition during his time with Raytheon, Northrop Grumman, Symantec, and Starbucks. He holds patents and trade secrets in intrusion detection, GUI design, and semantic data redaction...

Read more

Greg Jensen Headshot Missing
Greg Jensen

Greg Jensen

Asaf Hecht Headshot Missing
Asaf Hecht

Asaf Hecht

Shlomi Ohayon Headshot Missing
Shlomi Ohayon

Shlomi Ohayon

Chris Farris Headshot Missing
Chris Farris

Chris Farris

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Related Certificates & Training