Cloud Security Assessment: What Gets Reviewed and What Assessors Consistently Find
A well-tested on-premises environment and an untested cloud environment leave you exposed where attackers look first.
Most organisations have a reasonably well-tested on-premises environment and a largely untested cloud environment. Cloud misconfigurations are among the most common causes of data breaches, not because cloud is inherently insecure, but because cloud environments are configured differently from on-premises systems and the security assumptions are different.
A cloud security assessment tests whether your cloud configuration, identity controls, network architecture and data access policies actually implement the security model you think they do. This article explains what a cloud security assessment covers, what assessors consistently find, how it relates to NIS2 and how it differs from a cloud penetration test.
TL;DR
A cloud security assessment reviews the configuration of AWS, Azure or GCP environments across identity and access management, network security, data storage, secrets management, logging and workload security. Assessors consistently find publicly accessible storage, overprivileged IAM roles, missing audit logging and secrets stored in insecure locations. The assessment differs from a cloud penetration test in that it focuses on configuration rather than exploitation. Both are needed for a complete cloud security programme and for NIS2 coverage of cloud-hosted assets.
Why cloud security needs its own assessment
On-premises security assessments are built around network perimeters, physical infrastructure and operating system controls. Cloud environments operate on fundamentally different models. Identity and access management replaces network location as the primary security boundary. Shared responsibility models divide security obligations between the cloud provider and the customer. Misconfigurations in IAM policies, storage bucket permissions, network security groups and logging settings can expose data or enable privilege escalation in ways that have no equivalent in traditional infrastructure.
Common cloud security failures are not exotic. They are misconfigured S3 buckets or Azure Blob storage with public access, IAM roles with excessive permissions that provide lateral movement paths, service accounts with administrator-level access used for automated tasks, publicly exposed management interfaces, missing logging and monitoring that leaves incidents undetected, and secrets stored in environment variables or source code repositories.
What a cloud security assessment covers
Identity and access management
IAM is the primary security boundary in cloud environments. The assessment covers whether the principle of least privilege is enforced across all accounts, roles and service identities. This includes checking for overprivileged IAM roles, unused permissions that expand the attack surface, service accounts with excessive privileges and whether multi-factor authentication is enforced for all human users with access to cloud management interfaces.
Network and perimeter configuration
Security groups in AWS, network security groups in Azure, VPC firewall rules in GCP and the virtual network layout around them determine which resources are reachable from the internet, from other cloud environments and from within the environment itself. The assessment identifies publicly exposed management interfaces, overly permissive inbound rules and whether network segmentation correctly isolates sensitive workloads.
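The inbound-rule review described above can be automated against an exported rule set. The Python below is an added example, not code from this article or from Sectricity's assessment tooling. It assumes an export shaped like the AWS describe-security-groups result (the field names, group IDs and address ranges are invented for the example) and flags every rule whose source includes the whole internet, rating it high when it reaches a management or database port or spans a wide port range, and info when it is a single public service port that a reviewer should confirm is intentional.

```python
import ipaddress

# Constructed sample, not a real export: the shape loosely follows the AWS
# "describe-security-groups" output, but the field names are an assumption for
# this example and the group IDs and ranges are invented.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # the classic "added for troubleshooting, never removed" rule
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp troubleshooting"}]},
        ],
    },
    {
        "GroupId": "sg-0e5f6a7b",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Management and data-store ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {
    22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS", 6443: "Kubernetes API",
    2375: "Docker API", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
    6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}


def is_internet_wide(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_range(rule: dict) -> tuple[int, int]:
    """Protocol -1 means every protocol on every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def assess_ingress(groups: list[dict], max_public_ports: int = 1) -> list[dict]:
    """One finding per inbound rule whose source includes the whole internet.

    "high": the rule reaches a management or database port, or spans more
    than max_public_ports ports. "info": a single public service port such as
    tcp/443, recorded so a reviewer can confirm it is intentional.
    """
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            public = [c for c in sources if is_internet_wide(c)]
            if not public:
                continue  # restricted sources are reviewed separately against segmentation
            lo, hi = rule_port_range(rule)
            exposed = [name for port, name in MANAGEMENT_PORTS.items() if lo <= port <= hi]
            wide = rule["IpProtocol"] == "-1" or (hi - lo + 1) > max_public_ports
            findings.append({
                "group": f'{group["GroupId"]} ({group["GroupName"]})',
                "protocol": rule["IpProtocol"],
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "sources": public,
                "exposed_management": exposed,
                "severity": "high" if (exposed or wide) else "info",
            })
    return findings


if __name__ == "__main__":
    for f in assess_ingress(SAMPLE_GROUPS):
        print(f'{f["severity"]:<4} {f["group"]} {f["protocol"]}/{f["ports"]} '
              f'from {", ".join(f["sources"])} exposes {f["exposed_management"] or "-"}')
```

On the constructed sample the tcp/443 rule is recorded as info, the tcp/22 troubleshooting rule and the all-ports rule on the database tier come out high, and the RDP rule restricted to a single /24 is not reported here at all; whether that /24 should reach the database tier is a segmentation question, reviewed separately against the intended network design.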
Data storage and access controls
Object storage misconfigurations are a leading cause of cloud data breaches. The assessment covers whether storage resources have appropriate access controls, whether encryption is applied to data at rest and in transit, whether access logs are enabled and whether lifecycle policies appropriately manage sensitive data.
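Both the identity review in the IAM section above and the storage access-control check in this section can be driven from exported policy documents, which is how an assessor checks them at scale rather than by clicking through consoles. The Python below is an added example, not code from this article or from Sectricity's tooling. It is written against AWS's JSON policy format with constructed sample policies (the account ID, bucket, role and VPC endpoint names are invented): one identity policy attached to an instance role, checked for wildcard grants and unscoped privilege-escalation actions, and one bucket policy, checked for anonymous principals, plus a check that all four S3 public-access-block settings are on. Azure role assignments and GCP IAM bindings, where allUsers and allAuthenticatedUsers play the anonymous-principal role, need provider-specific equivalents of the same logic.

```python
import json

# Constructed sample, not a real customer policy: an identity policy attached to
# an EC2 instance role. Only statement 0 is scoped; statements 1 and 2 are the
# kind of drift the article describes. Names and IDs are invented.
INSTANCE_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}
  ]
}""")

# Constructed sample bucket policy. Statement 0 is an unconditional public read;
# statement 2 also names an anonymous principal but is gated by a VPC-endpoint condition.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-exports/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::customer-exports/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

# Actions that let a principal widen its own access when granted on Resource "*":
# passing any role to a service it can launch, rewriting policies, minting keys.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:attachuserpolicy", "iam:putuserpolicy", "iam:createaccesskey",
    "iam:updateassumerolepolicy", "sts:assumerole",
}


def as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} grants to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def find_overprivileged(policy: dict) -> list[dict]:
    """Flag Allow statements in an identity policy that are broader than least privilege."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action"))]
        on_all_resources = "*" in as_list(st.get("Resource"))
        if "*" in actions and on_all_resources:
            findings.append({"statement": i, "issue": "full administrator: Action '*' on Resource '*'"})
            continue
        service_wildcards = [a for a in actions if a.endswith(":*")]
        if service_wildcards and on_all_resources:
            findings.append({"statement": i,
                             "issue": f"service-wide wildcard on all resources: {service_wildcards}"})
        risky = sorted(a for a in actions if a in ESCALATION_ACTIONS) if on_all_resources else []
        if risky:
            findings.append({"statement": i,
                             "issue": f"privilege-escalation action without resource scope: {risky}"})
    return findings


def find_public_grants(resource_policy: dict) -> list[dict]:
    """Flag Allow statements in a bucket (resource) policy that name an anonymous principal."""
    findings = []
    for i, st in enumerate(as_list(resource_policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        findings.append({"statement": i, "actions": as_list(st.get("Action")),
                         "unconditional": "Condition" not in st})
    return findings


def public_access_block_ok(cfg: dict) -> bool:
    """All four S3 account/bucket public-access-block settings must be on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


if __name__ == "__main__":
    for f in find_overprivileged(INSTANCE_ROLE_POLICY):
        print("identity policy statement", f["statement"], "->", f["issue"])
    for f in find_public_grants(BUCKET_POLICY):
        scope = "PUBLIC" if f["unconditional"] else "anonymous but conditional, review"
        print("bucket policy statement", f["statement"], "->", scope, f["actions"])
    print("public access block complete:", public_access_block_ok({"BlockPublicAcls": True}))
```

The conditional anonymous grant in statement 2 is deliberately reported as "review" rather than "public": a VPC-endpoint or source-IP condition narrows it, but whether that narrowing is adequate is a judgement call, and an assessor should read the condition rather than trust the presence of one. Resource ARNs that end in a wildcard deserve the same scrutiny as a bare "*"; the example keeps to the simplest case.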
Secrets management
API keys, database credentials, service account tokens and other secrets frequently end up in insecure locations: environment variables, which are visible to every process in the container, to anyone who can read the task or function definition and often to the logging pipeline; application configuration files committed to version control; or plaintext in container image layers, where a secret survives even after a later layer deletes the file. The assessment identifies where secrets are stored, whether they are managed through appropriate secrets management services such as AWS Secrets Manager, Azure Key Vault or HashiCorp Vault, and, for anything already exposed, whether it has been rotated.
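Finding secrets in repositories and configuration files is mostly pattern matching, with an entropy check to separate real credentials from placeholders. The Python below is an added example, not code from this article or from Sectricity's tooling. It scans a constructed in-memory "repository" (the file paths and contents are invented; the AWS access key pair is the placeholder pair from AWS's own documentation, not a live credential) for well-known credential formats and generic password-style assignments, skips values that are references to a secret store such as ${VAULT_API_KEY}, and marks low-entropy generic matches for review rather than reporting them as confirmed.

```python
import math
import re
from collections import Counter

# Constructed sample "repository": path -> file contents. The AWS key pair below
# is the placeholder pair from AWS's documentation, not a live credential.
SAMPLE_FILES = {
    "config/app.env": (
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
    ),
    "deploy/values.yaml": "apiKey: ${VAULT_API_KEY}\nreplicas: 3\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n",
    "src/db.py": 'password = "s3cr3t-Pr0d-Passw0rd!"\nconnect(host, user, password)\n',
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

# Ordered so that a specific credential format wins over the generic rule.
# Where a pattern has a capture group, the group is the secret value itself.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("private_key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_credential",
     re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{6,})")),
]

# Values that look like this are references to a secret store or a template
# variable, not literal secrets, and are not reported.
TEMPLATE_PREFIXES = ("${", "{{", "$(", "<")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score higher than words."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_files(files: dict, entropy_threshold: float = 3.0) -> list[dict]:
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group(1) if m.groups() else m.group(0)
                if value.startswith(TEMPLATE_PREFIXES):
                    break  # reference to a secret store, not a literal secret
                if kind == "generic_credential":
                    confidence = "high" if shannon_entropy(value) >= entropy_threshold else "review"
                else:
                    confidence = "high"
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "confidence": confidence, "preview": value[:4] + "..."})
                break  # one finding per line; the most specific pattern wins
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["confidence"]:<6} {f["file"]}:{f["line"]} {f["kind"]} ({f["preview"]})')
```

The scanner reports the match location and a four-character preview only; a finding that quotes the whole secret into a report is itself a leak. A hit in version control is also a hit in every clone and in the commit history, so the finding is not closed by deleting the line: the credential has to be rotated and the assessor should check it no longer authenticates.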
Logging, monitoring and incident detection
Cloud environments provide extensive logging capabilities. Many organisations do not enable them consistently. The assessment verifies whether audit logs are enabled for management plane actions, whether data access logging is enabled for sensitive storage, whether logs are retained for an appropriate period and whether there are alerts configured for high-risk actions such as IAM policy changes, security group modifications and privilege escalation.
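The alerts this paragraph calls for, on IAM policy changes, security group modifications, tampering with the audit trail itself and logins without MFA, can be expressed as simple rules over management-plane events. The Python below is an added example, not code from this article or from Sectricity's tooling. It runs those rules over a handful of constructed events in a trimmed-down CloudTrail record shape (the field names follow CloudTrail's format; the timestamps, account ID, names and addresses are invented). Azure Activity Log and GCP Cloud Audit Logs carry the same information under different field names.

```python
import ipaddress
import json

# Constructed sample events in a trimmed-down CloudTrail record shape; not a real
# capture. Field names follow CloudTrail's format, the values are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-02T09:14:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"roleName": "app-instance-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-02T09:20:43Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-02T09:31:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/ci"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-02T10:02:17Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-02T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-instance-role/i-0abc"}},
    {"eventTime": "2024-03-02T10:09:58Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]

# Management-plane actions that warrant an alert regardless of their parameters.
HIGH_RISK = {
    "iam.amazonaws.com": {"AttachRolePolicy", "PutRolePolicy", "CreatePolicyVersion",
                          "UpdateAssumeRolePolicy", "AttachUserPolicy", "PutUserPolicy",
                          "CreateAccessKey", "CreateLoginProfile"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                         "DeletePublicAccessBlock", "PutPublicAccessBlock"},
}


def cidrs_in_ingress(params: dict) -> list[str]:
    """Pull every source CIDR out of an AuthorizeSecurityGroupIngress request."""
    cidrs = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs += [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if "cidrIp" in r]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if "cidrIpv6" in r]
    return cidrs


def actor(event: dict) -> str:
    """Human-readable principal: IAM user name, else the assumed-role ARN."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def detect(events: list[dict]) -> list[dict]:
    """Apply the high-risk rules to a stream of management-plane events."""
    alerts = []
    for ev in events:
        source, name = ev.get("eventSource", ""), ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        base = {"time": ev.get("eventTime"), "event": name, "actor": actor(ev),
                "source_ip": ev.get("sourceIPAddress")}
        if name == "AuthorizeSecurityGroupIngress":
            cidrs = cidrs_in_ingress(params)
            world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
            alerts.append({**base, "severity": "high" if world else "low",
                           "detail": f'{params.get("groupId")} opened to {cidrs}'})
        elif name == "ConsoleLogin":
            success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            if success and (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                alerts.append({**base, "severity": "high",
                               "detail": "successful console login without MFA"})
        elif name in HIGH_RISK.get(source, ()):
            alerts.append({**base, "severity": "high", "detail": json.dumps(params, sort_keys=True)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:<4} {a["event"]} by {a["actor"]} '
              f'from {a["source_ip"]}: {a["detail"]}')
```

Two points the sample makes deliberately: the StopLogging event is the one an attacker issues first, so the rule that catches it must be evaluated somewhere the same principal cannot switch off (an organisation-level trail or a separate log account), and the security-group rule grades a change to 10.0.0.0/8 as low rather than ignoring it, because a narrow-looking range can still cross a segmentation boundary. Every rule here also depends on the event being recorded at all, which is why verifying that management-plane logging is enabled in every region and account comes before writing alerts.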
Workload and container security
For environments running containers or serverless workloads, the assessment covers whether container images are built from trusted and regularly updated base images, whether container runtime security controls are in place, whether serverless functions have appropriately scoped execution roles and whether workload-to-workload communication is restricted to what is necessary.
What cloud assessments consistently find
Across cloud assessments, Sectricity consistently finds a recurring set of issues. Publicly accessible object storage containing production data. IAM roles attached to compute instances with permissions far beyond what the workload needs. Audit logging disabled in certain regions or accounts. Secrets committed to source code repositories and still active weeks later. Management interfaces exposed to the public internet without IP restrictions or strong authentication. Network security groups with wide inbound rules originally added for troubleshooting and never tightened.
Most of these findings are not the result of misunderstanding the cloud. They are the result of operational drift: good initial configuration that degrades over time as teams ship features, add accounts and grant temporary access that becomes permanent.
Cloud security and NIS2
Under NIS2 Article 21, essential and important entities must implement risk management measures covering their network and information systems, including cloud-hosted components. An organisation that has tested its on-premises environment but not its cloud environment has an incomplete view of its risk. Cloud assets hosting sensitive data or critical processes must be included in the scope of security assessments to satisfy NIS2 requirements for comprehensive risk management.
Frequently asked questions about cloud security assessment
What is a cloud security assessment?
A cloud security assessment is a structured review of an organisation's cloud environment configuration, covering identity and access management, network security, data storage controls, secrets management, logging and monitoring and workload security. It identifies misconfigurations and security gaps that expose data or enable privilege escalation. A cloud security assessment differs from a standard penetration test in that it focuses on configuration and policy rather than vulnerability exploitation, though both are necessary for a complete cloud security programme.
What is the shared responsibility model?
The shared responsibility model divides security obligations between the cloud provider and the customer. The provider is responsible for the security of the cloud infrastructure, including physical facilities, hardware and the hypervisor layer. The customer is responsible for security in the cloud, including what they deploy, how they configure it, who has access and how data is protected. The exact split moves with the service model: a managed database or serverless platform shifts operating system patching to the provider, but configuration, identities, access policies and the data itself stay with the customer whatever the model. Most cloud security failures occur in the customer's area of responsibility, not in the provider's infrastructure.
What are the most common cloud security misconfigurations?
The most common and most consequential cloud security misconfigurations are publicly accessible object storage, overprivileged IAM roles that enable privilege escalation and lateral movement, missing or incomplete audit logging, secrets stored in insecure locations such as environment variables or code repositories, publicly exposed management interfaces and insufficient network segmentation between workloads with different sensitivity levels.
Does cloud security fall under NIS2?
NIS2 requires essential and important entities to implement risk management measures for their network and information systems, which includes cloud-hosted components. There is no exemption for cloud environments. If your organisation is NIS2-scoped and uses cloud services to host sensitive data or run critical processes, those cloud environments must be included in your security assessment and risk management programme.
What is the difference between a cloud security assessment and a cloud penetration test?
A cloud security assessment primarily reviews configuration and policy: how the environment is set up, what access controls are in place, whether logging is enabled. A cloud penetration test attempts to exploit vulnerabilities and misconfigurations to determine the actual impact an attacker could achieve. Both are valuable and complementary. A configuration assessment identifies what is wrong. A penetration test demonstrates what an attacker could actually do with those weaknesses.
Which cloud providers does Sectricity assess?
Sectricity assesses AWS, Microsoft Azure and Google Cloud Platform environments. The assessment is provider-specific in implementation, since each provider has its own IAM model, network constructs and logging services, but the methodology is consistent: review identity, network, storage, secrets, logging and workload controls against current best practices and map findings to business risk and regulatory obligations.
Related services and resources
Sectricity delivers cloud security assessments for AWS, Azure and GCP covering IAM, network configuration, storage controls, secrets, logging and workload security. Cloud assessments pair with web application penetration testing, API security testing and internal network pentesting for a complete picture. For related reading, see our guides on penetration testing in the EU and Zero Trust security. Start with a free security scan.