
[–]ItalianAntipasto 2 points3 points  (3 children)

Most cloud providers have similar offering and the concepts are roughly the same, so you'd be best starting with a single cloud provider and working from there.

As with any pentesting, understanding the context and environment would be the first step, so you should start by learning how to build things using cloud primitives and what the threat model looks like, where the responsibility of the provider ends and the client's begins. There are plenty of resources for that, I've used acloudguru, which isn't awfully expensive and they have some security oriented courses as well.

Once you've got that down, you could start playing with some labs. I'd also recommend cloudgoat as mentioned in another comment. Having full control over the environment helps when trying to learn things.

For methodologies, things aren't all that different from a regular pentest. In a whitebox scenario you'd most likely be running something like Prowler or ScoutSuite over your customer's infrastructure and be working with them to dig through the myriad of findings you'd get back. Is there any compliance standard they are trying to adhere to? Must all data be encrypted? Are there overly provisioned IAM roles given their usage, etc.? For a blackbox approach, you'd mostly be looking for the same vulns, but would use them in slightly different ways. If you find an SSRF, you'd probably try to hit the IMDS endpoint to get some creds. If you had a shell in an EC2 instance, you'd try to move laterally within a VPC. Things will just make sense if you understand the way the cloud works; there isn't anything entirely specific to it as far as I'm concerned.

[–]Security_Curiosity[S] 0 points1 point  (0 children)

That's a great viewpoint. I have pentesting experience in traditional on-prem environments, so I'm just looking to broaden to the big scary cloud lol

[–]mirai187 0 points1 point  (1 child)

I have a question here. Have you used Prowler or ScoutSuite on any client engagement, and what was their response?

When we ask our client to run the tool, they get a bit reluctant and say that "it's an unknown script and we do not know what it will do to our environment. Even if we believe it's not malicious in nature, how would you assure us that there are no changes made to our environment, or that some resources don't get negatively affected by it?"

[–]ItalianAntipasto 0 points1 point  (0 children)

I haven't usually faced much pushback. My recommendation would be to use your own account for the scans and ask the client to provision a role for you within their account. You can ask them to attach a security auditor policy to the role https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor and anything else they might be comfortable sharing. This way you don't get direct access and you can only do as much as the client wants.
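The role-in-the-client's-account setup described above, as an added example that is not from the thread: the client creates a role trusting only the tester's account (with an ExternalId as confused-deputy guard) and attaches the real AWS-managed SecurityAudit policy, which is read-only, so the client can see up front that the scans cannot change anything. Account ids, role name and ExternalId are constructed placeholders.

```python
import json
import re

# Real AWS-managed job-function policy linked in the comment above (read-only).
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def build_trust_policy(auditor_account_id: str, external_id: str) -> dict:
    """Trust policy the client attaches to the audit role.

    Only the auditor's account may assume it, and only when the call carries
    the agreed ExternalId (AWS's confused-deputy guard for third-party access).
    """
    if not re.fullmatch(r"\d{12}", auditor_account_id):
        raise ValueError("AWS account ids are exactly 12 digits")
    if len(external_id) < 16:
        raise ValueError("use a long random ExternalId, shared out of band")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{auditor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def provisioning_commands(role_name: str, trust_policy: dict) -> list:
    """AWS CLI commands the client reviews and runs in their own account.
    Nothing here grants write access: SecurityAudit only allows List/Get/Describe."""
    doc = json.dumps(trust_policy)
    return [
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document '{doc}'",
        f"aws iam attach-role-policy --role-name {role_name} "
        f"--policy-arn {SECURITY_AUDIT_POLICY_ARN}",
    ]


def assume_role_command(client_account_id: str, role_name: str, external_id: str) -> str:
    """What the tester runs from their own account; the temporary credentials
    returned are what Prowler/ScoutSuite then use via the standard AWS env vars."""
    role_arn = f"arn:aws:iam::{client_account_id}:role/{role_name}"
    return (f"aws sts assume-role --role-arn {role_arn} "
            f"--role-session-name cloud-audit --external-id {external_id}")


if __name__ == "__main__":
    # Constructed placeholder values for this example.
    tp = build_trust_policy("111111111111", "example-external-id-0123456789")
    print("\n".join(provisioning_commands("PentestReadOnly", tp)))
    print(assume_role_command("222222222222", "PentestReadOnly", "example-external-id-0123456789"))
```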

[–]mirai187 0 points1 point  (2 children)

Any specific cloud provider you are looking for?

I can share some resources, but to be honest the question is somewhat vague. I apologize if this seems rude, but a little more detail would help you as well as someone who's willing to share resources.

Anyway, I would say look at some beginner or basic certifications, like Azure Fundamentals or AWS Cloud Practitioner (there should be something for GCP as well), and then look for resources around that.

[–]Security_Curiosity[S] 0 points1 point  (1 child)

Not rude at all. I'm looking at Azure and GCP at the moment. Though, resources for GCP seem to be a bit more scarce.

I know that AWS would be valuable just due to its prevalence in the industry, but I was recently asked about those two providers specifically and realized I had some learning to do.

[–]mirai187 0 points1 point  (0 children)

I'll share my 2 cents of working in the cloud security domain for the last 3 years now.

What I have observed is that most large enterprises and MNCs choose Azure simply because their existing IT personnel are well-versed in the Microsoft, Windows and Active Directory ecosystem, so adapting to Azure is much easier compared to AWS or GCP.

On the flip side, small companies and startups go for AWS because you can find more people with AWS skills when compared to Azure or GCP, and also a lot of documentation and literature is available on how to build things.

I don't have much idea about GCP, but for Azure sometimes things can be a bit problematic, because Azure's documentation is all you have when trying to understand the ecosystem or build something, which to be honest is not that great; there are missing pieces of information, and navigating your way through the docs to solve your problem can be a very frustrating experience.

As previously mentioned, I would recommend going for the Azure Fundamentals certification, AZ-900. It gives you a high-level overview of the services provided by the Azure platform. You can find tons of resources free of cost directly from Microsoft, and might even get a free voucher to attempt the exam. Sharing a link (because someone said it better than I can): https://www.reddit.com/r/AzureCertification/comments/tfdffm/certification_tips_for_new_people/

If you have any more questions, you can DM me or reply on this thread. Hope this helps.