Cloud Security Assessment
Your cloud environment was likely built incrementally, and security controls were added to fit around it, not designed into it. An independent cloud security assessment reviews every layer of your AWS, Azure, or GCP account: identity and access management, storage permissions, network rules, encryption configuration, and logging coverage. Findings are risk-rated in context and mapped to industry standard security benchmarks, producing a report your auditor can work with and your engineers can action.
Not Another Alert List
Automated Scanning
- 300+ findings per account
- No contextual triage
- Generic severity ratings
- No compliance mapping
- No remediation code
CREST-Accredited Review
- 15-20 contextualised, risk-rated findings
- Architecture-aware risk analysis
- Industry standard benchmark control mapping per finding
- Audit-ready compliance evidence
- Terraform / CLI remediation code
When to Commission a Cloud Assessment
Most cloud security assessments are triggered by a specific compliance or procurement deadline. If any of these scenarios describe your situation, this review provides the evidence you need.
ISO 27001 Surveillance Audit
Your Annex A.12 controls require evidence of secure cloud configuration. Our report maps directly to the auditor's evidence checklist.
Cyber Essentials Plus Renewal
Your cloud infrastructure is in scope for Cyber Essentials Plus. An independent configuration review provides the technical evidence your assessor requires.
Client Vendor Questionnaire
A client has asked: "Have you conducted an independent cloud security assessment in the last 12 months?" Our report answers that question with evidence.
Post-Migration Validation
You have migrated workloads to AWS, Azure, or GCP and need independent assurance that the target environment meets your security baseline before going live.
Inherited Cloud Environment
You have inherited a cloud account from a predecessor team, an acquisition, or an outsourced provider and need to understand the security posture before assuming responsibility.
CSPM Alert Fatigue
Your CSPM tool generates thousands of findings. You need an expert to triage them in context, identifying the 15-20 that represent real risk in your specific environment.
What Our Assessments Reveal
FINDINGS PER ACCOUNT
Median number of findings per cloud account reviewed. Most organisations have at least two Critical findings.
ACCOUNTS WITH CRITICAL FINDINGS
Of production cloud accounts reviewed, 94% have at least one Critical severity finding requiring immediate remediation.
PORTAL DELIVERY
Findings delivered live via our real-time penetration testing portal as we discover them. No waiting for the final report.
What We Typically Find
Across every cloud account we review, certain misconfiguration patterns appear repeatedly. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
Root or global admin account without MFA enforcement
Unrestricted account takeover if credentials are phished or leaked. Single credential compromise grants full environment control across all services and regions.
Storage buckets with public read access enabled
S3 buckets, Azure Blob containers, or GCP Cloud Storage buckets exposing sensitive data to unauthenticated internet users. Object-level ACLs may bypass bucket-level blocking.
Security Groups permitting unrestricted SSH/RDP ingress
Management ports open to 0.0.0.0/0 across Security Groups or NSGs. Direct brute-force attack surface on infrastructure management interfaces.
Hardcoded credentials in environment variables or repositories
Access keys or service account credentials embedded in code, CI/CD pipelines, or environment variables. Permanent exposure if repository is cloned or made public.
IAM access keys older than 90 days without rotation
Programmatic access keys with no rotation policy create an undetected compromise window. Stolen keys remain valid indefinitely until manual revocation.
CloudTrail or audit logs disabled or missing regional coverage
CloudTrail, Activity Logs, or Cloud Audit Logs not enabled across all regions. No forensic evidence available following a breach or incident in uncovered regions.
Most organisations we assess have at least two Critical and eight or more High findings in a production cloud account that has never had an independent review.
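Three of the patterns listed above (root without MFA, access keys older than 90 days, management ports open to the internet) can be checked mechanically from API output. The script below is an example added to this page, not Precursor's tooling and not ScoutSuite or Prowler output; it reads inline samples instead of calling AWS. It assumes a trimmed credential report in the column layout that `aws iam get-credential-report` returns once base64-decoded, and a trimmed `aws ec2 describe-security-groups` structure. The account ID, user names, group IDs and dates are constructed, and the clock is fixed so that the key ages it reports are reproducible.

```python
"""Mechanical checks for three common cloud findings, run over constructed sample data.

Added example: mimics what a ScoutSuite/Prowler-style AWS check does, using inline
samples (constructed, not from a real account) rather than live API calls.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (constructed value).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed sample in the column layout of a decoded IAM credential report (trimmed).
# Real reports use lowercase true/false, ISO-8601 timestamps, "N/A" and "not_supported".
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-12-30T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-06-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-02T00:00:00+00:00,2025-01-14T22:05:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-09-01T09:00:00+00:00,true,2025-01-10T11:00:00+00:00,2024-12-01T09:00:00+00:00,2025-03-01T09:00:00+00:00,true,true,2024-12-20T09:00:00+00:00,2025-01-12T10:00:00+00:00,false,N/A,N/A
"""

# Constructed sample in the shape of describe-security-groups (trimmed to the fields used).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # "-1" is the all-protocols rule: no FromPort/ToPort keys, every port is reachable.
    {"GroupId": "sg-0ccc", "GroupName": "jump-rdp", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "internal-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

KEY_MAX_AGE = timedelta(days=90)
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def check_credential_report(report_csv: str, now: datetime = NOW) -> list[dict]:
    """Root account without MFA (Critical) and active access keys older than 90 days (High)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" and row["mfa_active"] != "true":
            findings.append({"severity": "Critical", "resource": row["arn"],
                             "title": "Root account without MFA"})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys cannot be used, so their age is not a finding
            age = now - datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if age > KEY_MAX_AGE:
                findings.append({"severity": "High", "resource": row["arn"],
                                 "title": f"Access key {n} not rotated for {age.days} days"})
    return findings


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if this ingress rule allows TCP traffic to the given port."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def check_security_groups(groups: list[dict]) -> list[dict]:
    """Management ports reachable from any IPv4 or IPv6 address (Critical)."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            anywhere = (any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                        or any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if not anywhere:
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if _rule_covers_port(perm, port):
                    findings.append({"severity": "Critical", "resource": sg["GroupId"],
                                     "title": f"{name} ({port}/tcp) open to the internet"})
    return findings


if __name__ == "__main__":
    for f in check_credential_report(CREDENTIAL_REPORT) + check_security_groups(SECURITY_GROUPS):
        print(f"[{f['severity']:8}] {f['resource']}: {f['title']}")
```

Two details matter in practice: an all-protocols rule (`IpProtocol` of `-1`) carries no port fields, so a check that only compares `FromPort`/`ToPort` misses it; and a key that is inactive is not a rotation finding, which keeps the output closer to the 15-20 real issues than to a raw alert list.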
What We Assess
A hybrid approach combining automated scanning across all regions and services with manual expert review for contextual depth. This is the triage judgement that separates a risk-rated report from a CSPM alert list.
Identity & Access Management
Reviewing IAM users, roles, and policies for least privilege violations. We identify over-permissive roles, unused credentials, and lack of MFA that could allow full account takeover. For AWS, we verify SecurityAudit role boundaries and IAM Access Analyzer alerts. For Azure, we review Entra ID role assignments and Privileged Identity Management coverage. For GCP, we assess IAM bindings and service account key management.
Storage & Data Exposure
Scanning for public S3 buckets, Azure Blob containers with anonymous access, and GCP Cloud Storage buckets with overly permissive ACLs. We verify encryption at rest and in transit for all sensitive data stores, including EBS volumes, RDS snapshots, and Azure managed disks.
Network Security Controls
Analysing Security Groups, NACLs, VPC configurations, Azure NSGs, and GCP VPC Service Controls. We identify overly permissive firewall rules (0.0.0.0/0 on SSH/RDP) and unrestricted inter-subnet traffic that enables lateral movement after initial compromise.
Logging & Monitoring
Ensuring CloudTrail (AWS), Activity Logs (Azure), and Cloud Audit Logs (GCP) are enabled, cover all regions, and stored in tamper-resistant locations. We verify VPC Flow Logs, GuardDuty enablement, and Microsoft Defender for Cloud coverage.
Encryption & Key Management
Verifying KMS key policies, rotation schedules, and envelope encryption across all storage and compute services. We assess Azure Key Vault access policies, GCP Cloud KMS IAM bindings, and AWS KMS grant configurations to ensure cryptographic controls match your data classification.
Industry Benchmark Alignment
Every finding is mapped to its specific industry standard benchmark control. We assess AWS, Azure, and GCP environments against the applicable cloud security foundations benchmarks, covering IAM, storage, networking, logging, and encryption. Level 1 and Level 2 controls are assessed according to your environment classification.
From Scoping to Report
From read-only access to a compliance-ready report. A safe, non-intrusive assessment lifecycle with a fixed timeline agreed during the scoping call.
Access & Scoping
We define the scope (Production, Staging, specific accounts). You provide read-only audit access: SecurityAudit role in AWS, Reader role in Azure, or Viewer role in GCP. We never require admin credentials and make no changes.
Automated & Manual Review
Industry-standard tools (ScoutSuite, Prowler) for broad coverage across all regions and services, followed by deep manual verification by CREST-accredited cloud security architects who understand your architecture.
Contextual Risk Analysis
Findings are risk-rated in context, not listed mechanically. A public S3 bucket serving static assets is low risk. A public S3 bucket containing PII is critical. Expert triage, not alert lists.
Report & Remediation
Detailed report mapping every finding to its industry standard benchmark control. Terraform, CloudFormation, or Azure Bicep code snippets and CLI commands per issue. Delivered within 5 business days.
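The contextual-rating step above (a public bucket of static assets is low risk, a public bucket of PII is critical) and the earlier note that object-level ACLs can bypass bucket-level blocking, as a Python example added to this page. It is not Precursor's method. It assumes constructed S3 API responses in the shape of get-public-access-block, get-bucket-policy-status, get-bucket-tagging and get-object-acl, a `DataClassification` tag as the source of context, and a severity table that is an assumption of this example rather than the page's own scale. The bucket names and object keys are constructed.

```python
"""Contextual rating of S3 exposure: the same technical exposure gets a different
severity depending on what the bucket holds. Added example with constructed data."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
ANY_AWS_ACCOUNT = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = (ALL_USERS, ANY_AWS_ACCOUNT)  # AuthenticatedUsers is any AWS account, so effectively public

# Assumed severity by data classification tag (this example's scale, not the page's).
SEVERITY_BY_CLASSIFICATION = {"public": "Low", "internal": "Medium",
                              "confidential": "High", "pii": "Critical"}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample: per-bucket snapshot assembled from the S3 API calls named in the lead-in.
# "object_acls" holds the "Grants" list of get-object-acl for a sample of objects.
BUCKETS = {
    "assets.example": {
        "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy_is_public": True,
        "tags": {"DataClassification": "public"},
        "object_acls": {},
    },
    "customer-exports": {
        # BlockPublicAcls only rejects NEW public ACLs; the existing one is still honoured
        # because IgnorePublicAcls is off, so bucket-level blocking does not cover it.
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy_is_public": False,
        "tags": {"DataClassification": "pii"},
        "object_acls": {"export-2024-q4.csv": [
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    },
    "build-cache": {
        # All four settings on: the public object ACL below is ignored, so not exposed.
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy_is_public": False,
        "tags": {"DataClassification": "internal"},
        "object_acls": {"layer.tar": [
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    },
}


def exposure(bucket: dict) -> tuple[bool, str]:
    """Return (is_public, reason), taking the public access block settings into account."""
    pab = bucket["public_access_block"]
    if bucket["policy_is_public"] and not pab["RestrictPublicBuckets"]:
        return True, "bucket policy grants public access"
    if not pab["IgnorePublicAcls"]:
        for key, grants in bucket["object_acls"].items():
            for grant in grants:
                uri = grant["Grantee"].get("URI")
                if uri in PUBLIC_GRANTEES:
                    group = uri.rsplit("/", 1)[1]
                    return True, f"object ACL on {key} grants {grant['Permission']} to {group}"
    return False, ""


def rate_buckets(buckets: dict) -> list[dict]:
    """Turn raw exposure into risk-rated findings ordered by severity."""
    findings = []
    for name, bucket in buckets.items():
        public, reason = exposure(bucket)
        if not public:
            continue
        classification = bucket["tags"].get("DataClassification", "unclassified").lower()
        # An untagged bucket is treated as sensitive until someone proves otherwise.
        severity = SEVERITY_BY_CLASSIFICATION.get(classification, "High")
        findings.append({"bucket": name, "severity": severity,
                         "classification": classification, "reason": reason})
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


if __name__ == "__main__":
    for f in rate_buckets(BUCKETS):
        print(f"[{f['severity']:8}] {f['bucket']} ({f['classification']}): {f['reason']}")
```

The point of the `build-cache` entry is the difference between the four public access block settings: `BlockPublicAcls` stops new public ACLs being written, but only `IgnorePublicAcls` neutralises ones that already exist, which is why a bucket can look blocked at the bucket level while an object inside it is still readable by anyone.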
What You Receive
Every cloud security assessment includes the following deliverables, formatted for both technical remediation teams and non-technical stakeholders.
Reports are delivered in PDF and, on request, in a format suitable for import into your GRC or ticketing tool.
Review. Monitor. Protect.
A cloud security assessment identifies your configuration gaps. Pair it with continuous monitoring to detect drift and new misconfigurations as your environment evolves. Feed assessment findings directly into detection rules for 24/7 coverage.
Go Further With Penetration Testing
A configuration review identifies what is misconfigured. Penetration testing goes further by actively exploiting those weaknesses to demonstrate real-world attack impact. Explore our platform-specific testing services.
AWS Penetration Testing
IAM privilege escalation, S3 exploitation, Lambda abuse, and EC2 lateral movement.
Azure Penetration Testing
Entra ID attacks, service principal abuse, storage exploitation, and RBAC weaknesses.
GCP Penetration Testing
Service account escalation, workload identity attacks, and Cloud Storage exploitation.
Microsoft 365 Assessment
Exchange Online abuse, Teams exfiltration, Power Platform risks, and Conditional Access gaps.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
A cloud security assessment is a white-box, read-only review of your cloud environment (AWS, Azure, or GCP). Unlike a penetration test which attempts to breach systems from outside, a cloud security assessment uses read-only credentials to inspect the internal configuration of your cloud accounts: IAM roles, storage permissions, network rules, encryption settings, and logging coverage. The output is a risk-rated report mapped to industry standard security benchmarks, suitable as evidence for ISO 27001, Cyber Essentials Plus, and PCI DSS audits.
Penetration testing may not identify misconfigurations that are not currently exploitable from the network perimeter, for example a dormant IAM user with admin rights, an S3 bucket with object-level ACLs that bypass bucket-level blocking, or a CloudTrail trail that is enabled but does not cover all regions. A cloud security audit finds these latent risks before an attacker who has already gained initial access can exploit them.
CSPM tools (Cloud Security Posture Management, products like Wiz, Prisma Cloud, and Microsoft Defender for Cloud) provide continuous, automated scanning across your cloud accounts. They are broad and fast. The problem is volume: a typical multi-account environment generates hundreds or thousands of findings, most requiring human judgement to triage. An expert-led cloud security assessment applies that judgement. We review your environment in context, understanding your architecture, data classification, and threat model, and identify the 15 to 20 findings that represent real risk in your specific environment, rather than the 300 findings an automated tool flags because they deviate from a default profile. The two approaches are complementary: CSPM for continuous monitoring, expert review for periodic contextual depth and compliance-mapped evidence.
We require read-only access only. For AWS, this means attaching the SecurityAudit managed policy to a dedicated IAM user or role. For Azure, we require the Reader role at the subscription level, plus Security Reader for Defender for Cloud data. For GCP, we require the Viewer role plus Security Reviewer. We never request admin credentials, never make configuration changes, and never access or exfiltrate data. You can revoke access immediately after review completion.
We assess against industry standard cloud security foundations benchmarks for AWS, Azure, and GCP. Each finding is mapped to the specific benchmark control. The report is structured to satisfy ISO 27001 Annex A.12 (Operations Security), Cyber Essentials Plus technical controls, and PCI DSS Requirement 2 (vendor defaults and security parameters). The report is accepted as audit evidence by ISO 27001 certification bodies, Cyber Essentials assessors, and PCI DSS QSAs.
Cloud security benchmarks are configuration guidelines published by recognised standards bodies, providing prescriptive hardening guidance for cloud platforms. For AWS, Azure, and GCP, the applicable benchmarks each contain 50 to 100+ controls covering identity management, storage, networking, logging, and encryption. Controls are rated Level 1 (broadly applicable, low performance impact) or Level 2 (additional hardening, may require testing in your environment before deployment). ISO 27001 auditors, PCI DSS QSAs, and Cyber Essentials assessors commonly reference these industry standard benchmarks when evaluating cloud security controls.
Yes. We can review your Terraform, CloudFormation, or Azure Bicep code to identify security issues before infrastructure is deployed. This shift-left approach catches misconfigurations at the source, preventing them from reaching production, and is highly recommended for teams using GitOps or automated deployment pipelines.
The misconfigurations we document in reports to UK organisations every month include: IAM users with access keys older than 90 days with no rotation policy (High severity, all platforms); root or global admin accounts without MFA (Critical, AWS and Azure); S3 buckets or Azure Blob containers with public read access enabled (Critical); Security Groups or NSGs permitting unrestricted ingress on SSH or RDP ports (Critical); CloudTrail or Activity Logs disabled or not covering all regions (High); data at rest unencrypted across EBS volumes, RDS snapshots, or Azure managed disks (High); access keys or service account credentials hardcoded in environment variables or repository history (Critical). Most organisations we assess have at least two Critical and eight or more High findings in a production cloud account that has never had an independent review.
A typical single-account review takes 2 to 4 days of assessment time. Findings are visible in our real-time penetration testing portal as we discover them, so you do not need to wait for the final report to begin remediation. Multi-account organisations or environments with hundreds of resources may require additional time. We provide a fixed-cost, fixed-timeline quote after a brief scoping call.