Penetration testing of Azure looks much like any other penetration test: it looks for vulnerabilities in both Azure cloud environments and on-premises ones, then attempts to exploit those vulnerabilities to determine how real the risk to your organization is. At SecurityBoat we use many of the same tools and techniques as when we test networks or web applications. When we review Azure cloud security, some of the techniques are a little different, and we also use specialized tools.
We use three different attack vectors within Azure for our cloud pen testing:
1. Testing applications for vulnerabilities that could compromise the cloud environment.
As part of our Azure penetration testing engagements, we use many of the same techniques as in traditional penetration tests and also check for Azure-specific vulnerabilities and misconfigurations. The checks may include evaluating public storage accounts, improperly scoped Azure role-based access controls (RBACs), weak password policies, and guest access, as well as attempting to penetrate Windows Active Directory solutions synced to Azure Active Directory using Azure Active Directory Connect.
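Three of the checks listed above (public storage accounts, improperly scoped RBAC, guest access) can be reviewed from your own side with exported Azure CLI data. The following is an added example, not the testing firm's tooling or code from the original page; the sample JSON is constructed, the choice of "broad" roles and scopes is an assumption, and guests are assumed to be recognizable by `#EXT#` in `principalName`.

```python
import json

# Constructed sample shaped like `az storage account list` output.
STORAGE_JSON = """[
 {"name": "contosologs", "allowBlobPublicAccess": true, "networkRuleSet": {"defaultAction": "Allow"}},
 {"name": "contosobackup", "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Deny"}},
 {"name": "legacyshare", "allowBlobPublicAccess": null, "networkRuleSet": null}
]"""
# Constructed sample shaped like `az role assignment list --all` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLES_JSON = """[
 {"principalName": "ops@contoso.example", "roleDefinitionName": "Owner", "scope": "%s"},
 {"principalName": "dev@contoso.example", "roleDefinitionName": "Contributor", "scope": "%s/resourceGroups/app-rg"},
 {"principalName": "vendor_partner.example#EXT#@contoso.onmicrosoft.com", "roleDefinitionName": "Reader", "scope": "%s"}
]""" % (SUB, SUB, SUB)
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}  # assumption

def is_broad_scope(scope):
    """True for root, management-group or whole-subscription scope."""
    parts = [p for p in scope.split("/") if p]
    if not parts or "managementGroups" in parts:
        return True
    return len(parts) == 2 and parts[0].lower() == "subscriptions"

def audit_storage(accounts):
    findings = []
    for acct in accounts:
        # A null value is treated conservatively: only an explicit false passes.
        if acct.get("allowBlobPublicAccess") is not False:
            findings.append((acct["name"], "public blob access not disabled"))
        if (acct.get("networkRuleSet") or {}).get("defaultAction") == "Allow":
            findings.append((acct["name"], "firewall default action is Allow"))
    return findings

def audit_roles(assignments):
    findings = []
    for a in assignments:
        who = a.get("principalName") or "<unknown>"
        if a["roleDefinitionName"] in BROAD_ROLES and is_broad_scope(a["scope"]):
            findings.append((who, "privileged role at broad scope"))
        # Assumption: guest accounts carry #EXT# in their principal name.
        if "#EXT#" in who:
            findings.append((who, "guest principal holds a role"))
    return findings

def run_audit():
    return audit_storage(json.loads(STORAGE_JSON)) + audit_roles(json.loads(ROLES_JSON))

if __name__ == "__main__":
    print(*run_audit(), sep="\n")
```

To run it against a real tenant, replace the two constructed strings with the JSON saved from the corresponding `az` commands.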