ChaptersCircleEventsBlog
Get early access to CSA’s Trusted AI Safety Certification Program—updates, resources & beta invites!

Download Publication

Cloud Penetration Testing Playbook
Cloud Penetration Testing Playbook

Cloud Penetration Testing Playbook

Release Date: 07/12/2019

Working Group: Top Threats

As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.

This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the hypervisor of an IaaS environment that is controlled by the cloud service provider isn’t. As for testing hybrid clouds, this document does not cover the hybrid interface and on-premises environment.
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
View translations
Related resources
State of SaaS Security Report 2025
State of SaaS Security Report 2025
Zero Trust Privacy Assessment and Guidance - Japanese Translation
Zero Trust Privacy Assessment and Guidance - Ja...
CSA Code of Conduct to EU Cloud Code of Conduct Mapping
CSA Code of Conduct to EU Cloud Code of Conduct...
Integrity: An Overlooked Foundation of Zero Trust
Integrity: An Overlooked Foundation of Zero Trust
Published: 05/15/2025
Cloud and SaaS Security in Critical Infrastructure: Lessons from Recent Attacks
Cloud and SaaS Security in Critical Infrastructure: Lessons from Re...
Published: 05/13/2025
Demystifying Integrations: APIs, Connectors, Collectors, and Agents
Demystifying Integrations: APIs, Connectors, Collectors, and Agents
Published: 05/12/2025
A CISO's Guide to Reporting on Cloud Security (Without Putting Everyone to Sleep)
A CISO's Guide to Reporting on Cloud Security (Without Putting Ever...
Published: 05/09/2025

Acknowledgements

Michael Roza
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC

Michael Roza

Risk, Audit, Control and Compliance Professional at EVC

Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 140 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.

Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. His lea...

Read more

Victor Chin Headshot Missing
Victor Chin

Victor Chin

Jon-Michael Brook
Jon-Michael Brook

Jon-Michael Brook

Jon-Michael C. Brook is a certified, 25-year practitioner of cybersecurity, cloud, and privacy. He is the principal contributor to certification sites for privacy and cloud security, and has published books on privacy. Jon-Michael received numerous awards and recognition during his time with Raytheon, Northrop Grumman, Symantec, and Starbucks. He holds patents and trade secrets in intrusion detection, GUI design, and semantic data redaction...

Read more

Greg Jensen Headshot Missing
Greg Jensen

Greg Jensen

Asaf Hecht Headshot Missing
Asaf Hecht

Asaf Hecht

Shlomi Ohayon Headshot Missing
Shlomi Ohayon

Shlomi Ohayon

Chris Farris Headshot Missing
Chris Farris

Chris Farris

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Related Certificates & Training