CERT-In Empanelled · AWS · Azure · GCP · Kubernetes

Cloud Security
Assessment

Identity. Network. Storage. Workload. Containers. CIS Benchmarks as the floor — IAM privilege-path analysis as the value.

AWS · Azure · GCP
Multi-cloud
CIS
Benchmark Aligned
Since 2008
CERT-In Empanelled

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Scope

Federated read-only access. Account / subscription / project boundaries mapped in Lemon, our audit-management platform.

STEP 02

Test

5–18 days of CIS validation, IAM analysis, network segmentation, storage exposure, container/workload review.

STEP 03

Deliver

Executive + technical reports with IaC fixes, IAM policy snippets, retest rounds, and security certificate.

What Is Cloud Security Assessment?

Cloud security assessment is a structured review of your AWS, Azure, or GCP environment by certified experts, covering identity, network, storage, workload, and data-protection posture, plus assumed-breach lateral-movement testing within the cloud control plane. It is the evidence auditors commonly ask for under SOC 2, ISO 27001 Annex A 5.23, CERT-In data localization, and the DPDP Act's technical-safeguard obligations.

Beyond CIS Benchmark compliance

CIS catches the obvious; we find the privilege path that takes an attacker from a Lambda function to your customer database.

IAM Privilege Paths

Role chains, AssumeRole abuse, federated-identity gaps, tier-0 reachability

Network & Segmentation

SG / NSG / firewall rules, peering, transit gateway, lateral movement

Storage Exposure

S3 / Blob / GCS public access, encryption, snapshots, signed-URL hygiene

Workload & VM

EC2 / VM hardening, AMI / image hygiene, patch posture, agent coverage

Kubernetes

RBAC, pod-security standards, network policies, secret handling, admission controllers

Serverless

Lambda / Functions / Cloud Run identity, env-var secrets, layer trust

Secrets & Keys

AWS KMS / Azure Key Vault / Cloud KMS, rotation, scoped access, secret leakage detection

Logging & Detection

CloudTrail / Azure Activity Log / Cloud Audit Logs coverage; GuardDuty, Defender for Cloud, and Security Command Center tuning

Methodology

9 steps. Cloud-aware throughout.

Every engagement runs through Lemon, our audit-management platform — informed by 6,700+ prior assessments and consistent across the team that delivers it.

Discovery
01

Inventory & Read-Only Access

Federated read-only access provisioned across accounts / subscriptions / projects. Lemon ingests the asset graph — VPCs, subnets, IAM principals, services, regions, secrets stores.

02

Architecture Review

Account / subscription / project boundary review, network topology, identity model, data-flow mapping. Identify blast-radius and tier-0 components.

03

CIS Benchmark Baseline

Automated CIS Benchmark scan (AWS, Azure, GCP) plus delta against your stated controls. Baseline becomes the floor for everything we test below.

Testing
04

IAM & Privilege Path Analysis

Roles, policies, trust relationships, federated identity, AssumeRole chains. Tier-0 attack-path mapping. Privilege-escalation paths from common entry points.
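The AssumeRole chain search described in this step (and in the Lambda-to-database example above), as an added illustration that is not the assessor's own tooling: a constructed four-role inventory with placeholder account IDs and role names, and a breadth-first search over the trust and identity policies that decide who can assume whom. It models two rules that matter in practice: a trust policy naming an account root or `*` only helps a caller that also holds an identity-policy grant of sts:AssumeRole on the target, and a trust policy requiring aws:MultiFactorAuthPresent cannot be satisfied by a role session, so it breaks role-to-role chains. Deny statements, SCPs, permission boundaries and session policies are deliberately left out of the model.

```python
"""AssumeRole privilege-path finder over a constructed inventory (illustrative, simplified).
Edge caller->target exists when target's trust policy names caller's ARN directly, or names
caller's account root / "*" AND caller's identity policy allows sts:AssumeRole on target.
A trust requiring aws:MultiFactorAuthPresent yields no edge: role sessions carry no MFA claim.
Deny statements, SCPs, permission boundaries and session policies are ignored."""
import copy
import fnmatch
from collections import deque

# Constructed inventory with placeholder account IDs and role names.
LAMBDA_ROLE = "arn:aws:iam::111111111111:role/order-lambda"
OPS_HELPER = "arn:aws:iam::111111111111:role/ops-helper"
DB_ADMIN = "arn:aws:iam::222222222222:role/db-admin"
BREAKGLASS = "arn:aws:iam::222222222222:role/breakglass-admin"

ROLES = {
    LAMBDA_ROLE: {
        "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}}],
        # Over-broad grant: the function only ever needed one DynamoDB table.
        "identity": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111111111111:role/*"}],
    },
    OPS_HELPER: {
        "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
        "identity": [{"Effect": "Allow", "Action": "sts:*", "Resource": "*"}],
    },
    DB_ADMIN: {  # tier-0: full control of RDS in the customer-database account
        "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": OPS_HELPER}}],
        "identity": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
    },
    BREAKGLASS: {  # tier-0 but MFA-gated: reachable by a human with MFA, not by a role chain
        "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
        "identity": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}
TIER0 = {DB_ADMIN, BREAKGLASS}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_action(stmt, action):
    # IAM action matching is case-insensitive and supports "*" wildcards.
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))

def _trust_grants(stmt, caller_arn):
    """'direct', 'needs_identity' or None for one statement of the target's trust policy."""
    if not _allows_action(stmt, "sts:AssumeRole"):
        return None
    mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    if str(mfa).lower() == "true":
        return None  # a role session can never present MFA
    principal = stmt.get("Principal", {})
    aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    caller_root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    for p in aws_principals:
        if p == caller_arn:
            return "direct"
        if p in ("*", caller_root):
            return "needs_identity"
    return None

def _identity_allows_assume(identity_stmts, target_arn):
    return any(_allows_action(s, "sts:AssumeRole")
               and any(fnmatch.fnmatchcase(target_arn, r) for r in _as_list(s.get("Resource", [])))
               for s in identity_stmts)

def can_assume(roles, caller_arn, target_arn):
    """True if caller_arn can obtain credentials for target_arn under the model above."""
    if caller_arn == target_arn:
        return False
    for stmt in roles[target_arn]["trust"]:
        grant = _trust_grants(stmt, caller_arn)
        if grant == "direct":
            return True
        if grant == "needs_identity" and _identity_allows_assume(roles[caller_arn]["identity"], target_arn):
            return True
    return False

def assume_role_edges(roles):
    return {src: {dst for dst in roles if can_assume(roles, src, dst)} for src in roles}

def find_privilege_path(roles, entry_arn, tier0):
    """Shortest AssumeRole chain from entry_arn to any tier-0 role, or None if unreachable."""
    edges = assume_role_edges(roles)
    queue, seen = deque([[entry_arn]]), {entry_arn}
    while queue:
        path = queue.popleft()
        if path[-1] in tier0:
            return path
        for nxt in sorted(edges[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def hardened(roles):
    """The fix a report would ship: scope the Lambda role to the one table it actually reads."""
    fixed = copy.deepcopy(roles)
    fixed[LAMBDA_ROLE]["identity"] = [{"Effect": "Allow", "Action": "dynamodb:GetItem",
                                       "Resource": "arn:aws:dynamodb:ap-south-1:111111111111:table/orders"}]
    return fixed

if __name__ == "__main__":
    print("path:", find_privilege_path(ROLES, LAMBDA_ROLE, TIER0))
    print("after fix:", find_privilege_path(hardened(ROLES), LAMBDA_ROLE, TIER0))
```

Run as-is it prints the three-hop chain order-lambda -> ops-helper -> db-admin, and `None` once the Lambda role's `sts:AssumeRole` grant is removed. The break-glass role stays unreachable in both runs because of the MFA condition, which is exactly why MFA-gated trust is the right shape for a human tier-0 role and the wrong shape for anything a workload needs.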

05

Network & Segmentation

Security groups, NSGs, firewall rules, peering, transit gateway, exposed services, lateral-movement paths between subnets and accounts.

06

Storage & Data Exposure

S3 / Blob / GCS public-access posture, encryption at rest, key rotation, signed-URL expiry, backup access controls, snapshot exposure.

07

Workload, Container, Serverless

EC2/VM hardening, Kubernetes RBAC + pod-security + network policies, Lambda / Functions / Cloud Run identity boundary, secrets handling.

Delivery
08

Three-Layer QA Review

L1 cloud auditor → L2 senior consultant → L3 cloud architect. Every finding validated, every reproduction reviewed, every severity and CVSS score checked for consistency.

09

Reporting & Re-test

Executive + technical reports with cloud-specific remediation (IaC examples, IAM policies, GuardDuty/Defender configs), retest rounds, and security certificate.

Compliance-Ready

Audit-ready reporting for cloud mandates

Cloud assessment reports satisfy the technical clauses your auditor and customer DPAs will check — CIS Benchmarks, SOC 2, ISO 27001 A.5.23, CERT-In data localization, DPDP, HIPAA, GDPR.

CIS Benchmarks
AWS, Azure, GCP, Kubernetes
SOC 2
Trust Services Criteria (security, availability)
ISO 27001
Annex A 5.23 (cloud services)
CERT-In
Data localization compliance
PCI DSS v4.0
Cloud-hosted CDE assessments
DPDP Act
Personal-data infrastructure
HIPAA
PHI in cloud workloads
GDPR
EU data residency + processor obligations

Common engagement scopes

What clients ask us to test

Cloud engagements cluster into a handful of well-defined patterns — each sized for our 5–18 day delivery window.

AWS multi-account landing zone: Organizations SCPs, IAM, network, GuardDuty, log archive
Azure tenancy + subscription: Entra ID, RBAC, Defender for Cloud, Microsoft Sentinel, network
GCP organization: IAM, VPC Service Controls, BeyondCorp, Security Command Center posture
Kubernetes (EKS / AKS / GKE): RBAC, network policies, admission control, runtime
Multi-cloud (AWS + Azure): cross-cloud identity, peering, data flow
PCI DSS in cloud: hosted CDE, segmentation, key management

Deliverables

What you get

Two reports for two audiences — risk picture for leadership, IaC-ready remediation for your platform team (Terraform, CloudFormation, Bicep, IAM JSON).

Executive Report

Risk overview, critical findings, business impact, remediation priorities. Board-ready.

Technical Report + IaC Fixes

Findings with Terraform / CloudFormation / Bicep fix snippets, IAM JSON, severity, CVSS.

Retest & Walkthrough

Multiple retest rounds at no extra cost. Walkthrough call with your platform / SecOps team.

Security Certificate

Formal certificate for compliance, customer assurance, and vendor due diligence.

FAQ

Common questions

Can't find what you're looking for? Talk to our cloud-security lead.

Contact us
What is cloud security assessment? +
Cloud security assessment is a structured review of your AWS, Azure, or GCP environment by certified experts — covering identity, network, storage, workload, and data-protection postures. It includes CIS Benchmark validation, IAM privilege-path analysis, configuration drift detection, and assumed-breach lateral-movement testing within the cloud control plane.
AWS, Azure, or GCP — which do you cover? +
All three, plus multi-cloud scenarios. Our auditors hold cloud-specific certifications across providers. Most enterprise engagements span two or more clouds (for example AWS workloads alongside an Azure tenant that also hosts Microsoft 365). DigitalOcean, Linode, Oracle Cloud, and Cloudflare are handled case by case.
Read-only access vs full credentials? +
Read-only is the default and sufficient for 95%+ of findings. We use cross-account / cross-subscription / cross-project federated read roles — no long-lived keys, scoped to your inventory and config-read APIs. Where active testing of a specific service is in scope, we provision narrow time-bounded write access with logging.
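The assessor read role this answer describes, as an added example that is not the vendor's provisioning code: a generator for a trust policy that pins the assessor's role ARN, requires an ExternalId and lapses at a fixed date, plus a checker that flags what a platform team should refuse before granting the role (account-wide principals, a missing ExternalId or expiry, and permissions that go beyond Describe/List/Get or reach data-plane reads such as s3:GetObject). The account IDs, role names, ExternalId and dates are placeholders.

```python
"""Checks for a cross-account assessor role before you grant it (illustrative code).
A read role that is safe to hand to an outside assessor should:
  * trust one specific role ARN, not an account root or "*"
  * require an sts:ExternalId (confused-deputy guard)
  * lapse on its own (DateLessThan on aws:CurrentTime)
  * allow only Describe/List/Get style config reads, never data-plane reads
All identifiers below are constructed placeholders."""
import fnmatch
from datetime import datetime, timezone

ASSESSOR_ROLE = "arn:aws:iam::333333333333:role/assessor"  # placeholder

# Actions that look like reads but hand over data rather than configuration.
DATA_PLANE_READS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParameters", "ssm:GetParametersByPath", "kms:Decrypt",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "ec2:GetPasswordData",
}
READ_VERBS = ("Describe", "List", "Get")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_trust_policy(assessor_arn, external_id, expires_at):
    """Trust policy pinned to one role, gated by ExternalId, unusable after expires_at (ISO-8601 UTC)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": assessor_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "DateLessThan": {"aws:CurrentTime": expires_at},
            },
        }],
    }

def _action_findings(action):
    if action == "*" or action.endswith(":*") or action.startswith("*:"):
        return [f"{action}: wildcard action grants far more than config reads"]
    covered = sorted(a for a in DATA_PLANE_READS if fnmatch.fnmatchcase(a, action))
    if covered:
        return [f"{action}: covers data-plane read(s) {', '.join(covered)}"]
    verb = action.partition(":")[2]
    if not verb.startswith(READ_VERBS):
        return [f"{action}: not a Describe/List/Get call"]
    return []

def check_assessor_role(trust_policy, identity_policy, now):
    """Return a list of findings; an empty list means the role meets the rules above."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust: principal {p} is account-wide, pin the assessor role ARN")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition")
        expiry = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if expiry is None:
            findings.append("trust: no DateLessThan on aws:CurrentTime, access never lapses")
        elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            findings.append(f"trust: access window expired at {expiry}")
    for stmt in identity_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            findings.extend(_action_findings(action))
    return findings

# Constructed inputs: one role shaped as the answer above describes, one that is not.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
GOOD_TRUST = build_trust_policy(ASSESSOR_ROLE, "eng-2041-a3f9", "2025-03-31T23:59:59Z")
GOOD_IDENTITY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:ListAllMyBuckets",
               "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "config:Describe*"],
}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::333333333333:root"},  # the whole assessor account
}]}
BAD_IDENTITY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "secretsmanager:GetSecretValue", "ec2:RunInstances"],
}]}

if __name__ == "__main__":
    print("good:", check_assessor_role(GOOD_TRUST, GOOD_IDENTITY, NOW))
    for finding in check_assessor_role(BAD_TRUST, BAD_IDENTITY, NOW):
        print("bad:", finding)
```

Two caveats worth knowing when you adopt this shape: the DateLessThan condition is evaluated at AssumeRole time, so sessions already issued survive until their DurationSeconds runs out (keep the role's MaxSessionDuration short), and every AssumeRole against the role is recorded in the trusting account's CloudTrail, which is the "with logging" half of the answer above.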
Is CIS Benchmark validation enough? +
No. CIS is the floor, not the ceiling. In our experience a benchmark scan catches roughly 60-70% of misconfigurations, but it has no business context: it will flag that an S3 bucket is public, not that the bucket holds PHI; it will not chain an over-permissive role assumed by a Lambda into a path to your database; and it will not notice an unattached snapshot that still contains decommissioned customer data. Manual review and assumed-breach analysis are where the high-impact findings come from.
Do you test Kubernetes / containers? +
Yes: RBAC, pod-security standards, network policies, secrets handling, image signing, runtime drift, admission-controller posture, exposed dashboards, CI/CD integration risk. Across EKS, AKS, GKE, and self-managed clusters.
How long does a cloud assessment take? +
Single-account / single-subscription: 5–8 business days. Multi-account or multi-subscription with federated landing zones: 8–14 days. Hybrid (cloud + on-prem connectivity): 10–18 days. Lemon enforces daily progress tracking.
Is cloud testing required for SOC 2 / ISO 27001 / DPDP? +
In substance, yes. The SOC 2 Trust Services Criteria apply to every system in scope, so cloud-hosted infrastructure must evidence the same logical-access, change-management and monitoring controls as anything on-prem. ISO 27001:2022 added Annex A 5.23 (information security for use of cloud services). The DPDP Act 2023 requires reasonable security safeguards on infrastructure that processes personal data, wherever it runs. CERT-In's 2022 directions require ICT logs to be retained within India, which brings cloud logging architecture into scope.
Do you provide remediation guidance? +
Yes — reports include cloud-specific remediation: IAM policy snippets, IaC examples (Terraform, CloudFormation, Bicep), service-control-policy patterns, GuardDuty / Defender / SCC tuning, and a walkthrough call with your platform team.

Find the cloud privilege path before someone else does.

Whether it's a single-account hardening pass, a multi-cloud landing zone audit, or a Kubernetes admission-controller review, talk to our cloud-security lead.