Among all cloud security assessments conducted by CYE, the AWS Security Assessment is one of the most common and widely used. Its primary objectives are to:
Estimate the security level of AWS accounts
Identify high-risk vulnerabilities
Map potential attack routes in the environment
Recommend initial remediation steps for the assessed entities
Methodology
CYE’s AWS assessment is a hands-on, manual penetration test using a proprietary, structured methodology that includes analysis of representative systems and supporting interviews. Specifically, the infrastructure assessment is aligned with the NIST Cybersecurity Framework, and risk ratings are based on the CVSS 3.1 standard.
CYE's assessment takes a white-box approach to comprehensively evaluate cloud management resources and components, ensuring thorough analysis and coverage.
The activity includes, but is not limited to:
Identity and roles management
Deep analysis of permission allocation, excessive permissions, privilege escalation vectors, and relevant security features such as permission boundaries and service control policies (SCP)
Cross-context access review
Identifying risks from one context accessing another (e.g., “QA” to “developer”)
Third-party access
Assessing external entities with access to the cloud infrastructure
Access point identification
Identifying internet-facing assets and overly exposed resources such as databases and virtual machines
Segmentation and segregation
Testing the level of isolation between cloud environments
Identity-level exposures
Reviewing trust policies, vendor access, unauthenticated API gateways, and other risky configurations
Key and secret access and management
Assessing secrets management practices and scanning for cleartext secrets in configurations, environment variables, etc.
Hardening checks
Identifying gaps against AWS and CIS best practices
CYE will not perform the following activities:
Application penetration tests for applications hosted in the AWS environment
Configuration changes in the environment being assessed
At the end of the review, identified weaknesses are evaluated and rated according to their risk to the organization.
Deliverables
All discovered findings are shown in Hyver, CYE’s Continuous Threat Exposure Management (CTEM) platform
Attack routes from threat sources to business-critical assets are presented on the mitigation graph and indicate risk
A maturity level reflecting the organization's security posture is determined, based on the NIST Cybersecurity Framework with discovered findings and organizational insights
Customers can use the risk and maturity evaluations to design and manage optimized mitigation plans independently, including timeline, ownership, and cost-effort considerations
Prerequisites
CYE’s user must be granted either one of the following roles:
ReadOnlyAccess (preferred): Includes all SecurityAudit permissions plus the ability to read data (e.g., access to S3 objects and configurations)
SecurityAudit: Grants access to most metadata and configurations, but not to stored data (e.g., S3 file contents)
In addition to console access, CYE requires programmatic access to the environment:
If access is provided via role assumption (for example, by trusting a user from our environment to assume the relevant role in each account): no additional action is needed
If access is provided via an IAM user (the customer creates an IAM user in their environment and gives us its credentials):
Customer must create and share access keys
Alternatively, the IAM user can be granted permissions to manage its own access keys using the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
To allow CYE visibility into AWS Organizations account hierarchy, one of the following options is required:
Attach the AWSOrganizationsReadOnlyAccess permission to CYE’s user in the AWS Management Account (Reference: AWSOrganizationsReadOnlyAccess)
Provide an exported list of AWS accounts:
AWS Console > AWS Organizations > Policy management > AWS accounts > Actions > Export account list (Reference: Export account list)
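As an added illustration (not CYE's code or tooling), the following Python script wraps the self-service access-key statement from the prerequisites in a complete policy document and runs a small least-privilege check that a customer could apply before attaching such a policy to the assessor's IAM user: it confirms the document parses as JSON, that the policy version supports the ${aws:username} variable, that only access-key actions are granted, and that the resource is limited to the caller's own user. The inclusion of iam:DeleteAccessKey in the accepted action set is an assumption made here for key rotation; the page itself lists only the three create/list/update actions.

```python
import json

# Added example, not the page's own policy handling. The document below is the
# page's AllowManageOwnAccessKeys statement wrapped in a full policy document.

# A resource scoped to the calling user via the aws:username policy variable.
SELF_USER_ARN = "arn:aws:iam::*:user/${aws:username}"

# Actions a self-service access-key statement may grant. The page lists the
# first three; iam:DeleteAccessKey is an assumption added for key rotation.
ALLOWED_ACTIONS = {
    "iam:CreateAccessKey",
    "iam:ListAccessKeys",
    "iam:UpdateAccessKey",
    "iam:DeleteAccessKey",
}

SELF_MANAGE_KEYS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
            ],
            "Resource": SELF_USER_ARN,
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(doc):
    """Return a list of findings; an empty list means the policy is acceptably scoped."""
    findings = []
    # Policy variables such as ${aws:username} are only expanded under this version.
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17 so that ${aws:username} is expanded")
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is outside the access-key self-service set")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != SELF_USER_ARN:
                findings.append(f"{sid}: resource {resource!r} is not limited to the caller's own user")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grant broadly; use explicit Action/Resource")
    return findings


def check_policy_text(text):
    """Parse a policy document exactly as pasted and check it; malformed JSON is itself a finding."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} at line {exc.lineno}"]
    return check_policy(doc)


if __name__ == "__main__":
    print(check_policy(SELF_MANAGE_KEYS_POLICY))
```

Note that IAM itself rejects a trailing comma inside the Action array, so pasting the statement through check_policy_text catches that before the console does; the resource check is what keeps the grant from becoming "manage anyone's access keys" if the ARN is later widened to a wildcard.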
Customer Engagement
A 1–2 hour scoping meeting is held with a customer representative to plan the assessment, define critical business assets, and identify relevant attack scenarios
Weekly one-hour meetings with a network architect are generally required throughout the engagement to address specific questions about the environment, hosted assets, and user groups.
Relevant Standards
The proprietary methodology is derived from the following sources:
MITRE ATT&CK knowledge base of adversary tactics and techniques
NIST Cybersecurity Framework
Center for Internet Security (CIS) Critical Security Controls
Security Domains Covered
Cross-organization policies, procedures, and governance
Security operations, monitoring, and incident response
Network level security
Servers, network equipment, and endpoints security
Application-level security
Sensitive data and information management
Identity management and remote access