How to conduct a cloud security assessment

Why an organization needs cloud security assessment

High-profile data breaches and cybersecurity incidents related to the cloud continue to plague corporations, education systems, healthcare organizations and other entities. Some examples and research include the following:

• Microsoft disclosed in early 2024 that its Azure cloud, along with Microsoft 365 accounts and infrastructure, had been compromised by a Russian threat actor known as Midnight Blizzard. The threat actors gained access to source code and internal systems with authentication tokens and credentials harvested during the campaign, as well, which could then be leveraged to attack Microsoft cloud users.
• Football Australia, the country's governing body for the sport, exposed sensitive details about players and fans, including passport information, player contracts and more. The exposure was caused by a vulnerable AWS access key and poorly configured S3 buckets.
• In its 2024 Threat Detection Report, Red Canary research found that cloud account compromise was the fourth most prevalent Mitre ATT&CK technique used by threat actors in 2023, a 16 times increase from 2022.

Key benefits of a cloud security assessment

When an organization conducts a cloud security assessment it gets a breakdown of potential gaps in design and controls implementation, as well as the potential attackable surface area and its risks. Some of the key benefits to performing a cloud security assessment include the following:

• Discovery of exposed attack surface. Many organizations might not know exactly how exposed their cloud services and assets are. A careful cloud security assessment could reveal to development and deployment teams that they have more internet-facing services and applications than they realize.
• Discovery of vulnerable workloads and images. PaaS and IaaS clouds often employ a range of workload types. An assessment might help to identify currently vulnerable systems and images. Plus, you could discover inadequate vulnerability-management practices for workload creation and operation. 
• Discovery of poor configuration practices for data access. Weak permissions and access controls for storage nodes and data-management services in the cloud are leading contributors to breaches. A review of all data storage, with particular emphasis on nodes that store and process sensitive data, can help to spot missing best practices in cloud data security.
• Discovery of poorly secured IAM roles, policies and processes. One of the most prevalent weaknesses in cloud security is the proliferation of overly privileged identity and access management (IAM) roles and policies. IAM policies are associated with cloud services, workloads, most types of assets as well as individual user accounts and groups. A thorough analysis of IAM policies and roles can vastly improve the overall state of cloud security.
• Discovery of flawed cloud architecture. Leading cloud service providers offer best practice design patterns and architecture models that emphasize cost optimization, high-fidelity monitoring and operations/security telemetry, minimization of privileges and access, and much more. Azure and AWS offer their Well-Architected Frameworks, while Google offers a similar Cloud Architecture Framework. Cloud engineering and security teams should review existing and planned architecture models to ensure best practices are in place wherever possible.
• Improvements in monitoring and alerting models. A cloud security assessment will often uncover gaps in logging and monitoring for security-related events. Security operations teams can benefit from learning about the types of cloud services deployed and what types of activity they should be paying attention to.
• Increased alignment between cloud engineering and security operations. By coordinating and collaborating on a cloud security assessment, teams can often develop better governance and more common ground on controls and processes.
• Compliance and cost improvements. Ensuring that cloud deployments meet compliance requirements is a natural byproduct of performing a cloud security assessment, but perhaps surprisingly, so is an improvement in cloud cost efficiency. Steps that tune and align a cloud environment for more effective security can result in a more streamlined operational model, meaning the organization could end up spending less on certain types of services.

How to perform a cloud security assessment

A cloud security assessment evaluates an organization's cloud infrastructure for the following:

• Overall security posture.
• IAM policies.
• Service provider security features.
• Compliance.
• Documentation.
• Exposure to future threats.

To start, the organization's security team should inventory all cloud accounts and subscriptions in use. Larger organizations with many accounts might selectively sample several to keep the assessment manageable. Choose accounts or subscriptions with sensitive data or a high level of exposure.

Once it has an inventory of cloud accounts and subscriptions, the security team should evaluate services and assets. Start by reviewing IAM policies for cloud accounts and privileges and permissions allowed within these policies. From there, look at security guardrail services such as Amazon GuardDuty or Microsoft Defender, including their configurations and running states. Scan images used to deploy containers and VM workloads to identify vulnerabilities. This is especially important for anything exposed to the internet. Review services and objects against cybersecurity standards and frameworks, such as provider architecture frameworks, and NIST, Cloud Security Alliance or Center for Internet Security guidelines.

Weak permissions and access controls for storage nodes and data-management services in the cloud are leading contributors to breaches.

If your organization has internal configuration standards, include these in a cloud security assessment. Ensure running workloads and storage exposed to the internet are documented. Evaluate firewalls, network segmentation and web application firewalls for potential misconfigurations.

From there, analyze cloud accounts for any infrastructure as code (IaC) templates in deployment. These templates often contain critical configuration items and services in use. Cloud security posture management (CSPM) tools capable of scanning IaC templates can improve efficiency in this process.

With assets, exposure and configuration posture documented, organizations should perform threat-modeling exercises to evaluate existing trust boundaries and potential attacks against cloud assets and services. Threat modeling should test against possible attacks and threats to the cloud environment, ease of attacks based on exposure and susceptibility, and the state of preventive and detective controls in place. Organizations with multi-cloud deployments should expect to conduct separate threat-modeling sessions for each respective cloud service.

Optionally, organizations can perform cloud penetration testing and live scans against cloud accounts and subscriptions for extra testing and review. Based on the analysis, the security team should create a high-level report. Outline all audits, document risks and possible gaps in controls, and provide remediation recommendations for vulnerabilities and weaknesses.

A security assessment checklist

Many cloud security frameworks and configuration guides are available, most notably from each major PaaS and IaaS provider. The Cloud Security Alliance, Center for Internet Security and other industry groups also offer guidance for planning a cloud security assessment. Even so, a more categorical checklist of areas that need focus might prove helpful.

The following list can help serve as a guide when starting to plan for your organization's security assessment:

1. Prepare. Early in the process, ensure that the right teams are involved. These should include security architecture, security operations, cloud engineering, DevOps and any IT operational teams that play a role in cloud deployment or management, such as networking, systems administration and IAM. For some organizations, audit and compliance teams might need to be involved at some point, but usually not as often or as early.
2. Gather information. Ask for any and all documentation that pertains to the following:
   1. Cloud architecture patterns, as well as application designs for any exposed cloud services in use.
   2. DevOps pipeline operations and security controls in deployments.
   3. Role designations and privilege assignments for different groups in each deployment and cloud account/subscription.
   4. Secret management tools and operational models in deployments and cloud operating models (if different).
   5. Data classification and security practices employed in the cloud.
   6. Workload image creation, management and update processes (This might be included in the DevOps pipeline operations).
   7. Cloud-native and third-party security services in use, such as CSPM, observability tools, package management and vulnerability management tools, workload runtime protection, which is often incorporated into a cloud-native application protection platform (CNAPP) and so on.
3. Plan. Get representative team members together and determine the following:
   1. Whether a specific cloud account, subscription or cloud application deployment makes sense as a starting point.
   2. Whether any existing tooling (CNAPP, CSPM, and so on) could facilitate the assessment.
   3. How IAM credentials for security teams to access cloud resources will be securely provisioned.
   4. What the starting dates will be, and what the expected outputs of the assessment will consist of.
   5. Whether the assessment will be aligned with a particular framework or hardening standard or if it will be performed against compliance or regulatory requirements.
4. Start with the familiar. Begin with simple steps such as the following:
   1. For workloads (VMs and possibly containers), look for image creation and management practices, runtime protection controls, vulnerability scanning and reporting, and patching and configuration management practices.
   2. For storage, look for access controls and encryption, as well as data monitoring and tracking, where possible.
   3. With networking controls, look for both third-party appliances and services that perform core network security functions and provide access controls, as well as cloud-native access controls and protection services. Connectivity to cloud environments should also be evaluated.
5. Emphasize IAM.
   1. IAM is a huge, complex area that can be challenging to tackle in a single cycle. The first place to focus is on access controls in the cloud -- IAM access keys, remote access using SSH and other services, and restrictions on who can access cloud environments and from where.
   2. Second, ensure strong authentication is enabled for as many users as possible -- and definitely for any privileged accounts. Multifactor authentication should be a hard requirement for privileged users.
   3. Evaluate all existing IAM policies defining roles and privilege assignments, and determine where they are applied. This might be possible with native tools such as the AWS IAM Access Analyzer; or it might require third-party cloud infrastructure entitlement management (CIEM) and CNAPP tools to discover and analyze everything in large and complex cloud environments.
6. Evaluate core cloud security services and controls.
   1. Are cloud-native monitoring and analysis services such as AWS GuardDuty, Google Security Command Center and Azure Security Center enabled and providing security recommendations and alerts?
   2. Are central logging and monitoring services such as Azure Monitor, Google Cloud Logging and AWS CloudTrail enabled and sending alerts where they need to go for security analysis?
   3. Are detection and response controls and workflows defined, ideally with some degree of automation applied? If these are not in place, it should be a goal to strive toward.

It's critical to ensure all these areas are covered and that a collaborative approach is taken across teams to evaluate the cloud environment(s) in scope. Best practice architecture frameworks and industry benchmarks and guidance can provide a baseline to evaluate against and a target to work toward.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.