CERT-In Empanelled · AWS · Azure · GCP · Kubernetes

Cloud Security Assessment

Identity. Network. Storage. Workload. Containers. CIS Benchmarks as the floor — IAM privilege-path analysis as the value.

Multi-cloud (AWS · Azure · GCP) · CIS Benchmark aligned · Since 2008 · CERT-In Empanelled

Trusted by India's leading enterprises: ICICI Bank, NPCI, HDFC, Mahindra, Aditya Birla, PhonePe, Pernod Ricard, Swiggy, Asian Paints, Yes Bank, Tata Play, Larsen & Toubro, Voltas, DHL Express, Etihad Airways, Amazon Pay, Go Digit, Pharmeasy, BillDesk, Jubilant Foods, UltraTech, Titan, Infosys, Capgemini, Groww, Sephora.
STEP 01: Scope

Federated read-only access. Account / subscription / project boundaries mapped in Lemon.

STEP 02: Test

5–18 days of CIS validation, IAM analysis, network segmentation, storage exposure, container/workload review.

STEP 03: Deliver

Executive + technical reports with IaC fixes, IAM policy snippets, retest rounds, and security certificate.

What Is Cloud Security Assessment?

Cloud security assessment is a structured review of your AWS, Azure, or GCP environment by certified experts — covering identity, network, storage, workload, and data-protection postures, plus assumed-breach lateral-movement testing within the cloud control plane. Required for SOC 2, ISO 27001 A.5.23, CERT-In data localization, and DPDP technical-safeguards obligations.

Beyond CIS Benchmark compliance

CIS catches the obvious; we find the privilege-path that gets attackers from a Lambda to your customer database.

IAM Privilege Paths

Role chains, AssumeRole abuse, federated-identity gaps, tier-0 reachability

Network & Segmentation

SG / NSG / firewall rules, peering, transit gateway, lateral movement

Storage Exposure

S3 / Blob / GCS public access, encryption, snapshots, signed-URL hygiene

Workload & VM

EC2 / VM hardening, AMI / image hygiene, patch posture, agent coverage

Kubernetes

RBAC, pod-security standards, network policies, secret handling, admission controllers

Serverless

Lambda / Functions / Cloud Run identity, env-var secrets, layer trust

Secrets & Keys

KMS / Key Vault / Cloud KMS, rotation, scoped access, secret leakage detection

Logging & Detection

CloudTrail / Activity / Audit Log coverage, GuardDuty, Defender, SCC tuning

Methodology

9 steps. Cloud-aware throughout.

Every engagement runs through Lemon, our audit-management platform — informed by 6,700+ prior assessments and consistent across the team that delivers it.

Discovery

01 Inventory & Read-Only Access

Federated read-only access provisioned across accounts / subscriptions / projects. Lemon ingests the asset graph — VPCs, subnets, IAM principals, services, regions, secrets stores.

02 Architecture Review

Account / subscription / project boundary review, network topology, identity model, data-flow mapping. Identify blast-radius and tier-0 components.

03 CIS Benchmark Baseline

Automated CIS Benchmark scan (AWS, Azure, GCP) plus delta against your stated controls. Baseline becomes the floor for everything we test below.

Testing

04 IAM & Privilege Path Analysis

Roles, policies, trust relationships, federated identity, AssumeRole chains. Tier-0 attack-path mapping. Privilege-escalation paths from common entry points.
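The privilege-path mapping this step describes comes down to a graph walk: an edge from role A to role B exists only when B's trust policy names A (or A's whole account via the root principal) and A's own identity policy grants sts:AssumeRole on B. The script below is an added illustration of that check, not the vendor's Lemon tooling; the account id, role names, trust principals and AssumeRole permissions are constructed, and a real audit would read them from the provider's IAM APIs instead. It goes slightly beyond the text by also handling wildcard resources and account-root trust, the two things that most often create unexpected chains.

```python
"""Toy IAM privilege-path mapper over constructed role data.

Added example, not production tooling: ROLES, ACCOUNT and TIER0 are made up
so the script runs offline. Each role records (a) the principals its trust
policy allows and (b) the role ARNs its identity policy lets it call
sts:AssumeRole on. An edge needs BOTH halves of that handshake.
"""
from fnmatch import fnmatch

ACCOUNT = "111111111111"                      # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"         # account-root principal

def role_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"

# Constructed sample inventory (what step 01 would ingest from the asset graph).
ROLES = {
    # Lambda execution role: the low-privilege entry point an auditor starts from.
    "lambda-exec": {"trust": ["lambda.amazonaws.com"],
                    "assume": [role_arn("data-reader")]},
    # Reader role that was given a wildcard sts:AssumeRole permission.
    "data-reader": {"trust": [role_arn("lambda-exec")],
                    "assume": [f"arn:aws:iam::{ACCOUNT}:role/*"]},
    # Tier-0: trusts data-reader explicitly.
    "db-admin":    {"trust": [role_arn("data-reader")], "assume": []},
    # Tier-0: trusts the account root, i.e. anyone in-account with AssumeRole rights.
    "org-admin":   {"trust": [ROOT], "assume": []},
    # Trusted by lambda-exec, but lambda-exec has no sts:AssumeRole on it: no edge.
    "ci-deploy":   {"trust": [role_arn("lambda-exec")], "assume": []},
}
TIER0 = {"db-admin", "org-admin"}

def can_assume(src, dst):
    """True only if dst trusts src (directly or via account root) AND src is
    permitted to call sts:AssumeRole on dst's ARN (wildcards honoured)."""
    src_arn, dst_arn = role_arn(src), role_arn(dst)
    trusted = any(p == ROOT or fnmatch(src_arn, p) for p in ROLES[dst]["trust"])
    permitted = any(fnmatch(dst_arn, r) for r in ROLES[src]["assume"])
    return trusted and permitted

def find_paths(entry, targets=TIER0):
    """Enumerate simple AssumeRole chains from `entry` to any tier-0 role.
    Returns a sorted list of paths, each a list of role names."""
    paths = []

    def walk(node, path):
        for nxt in ROLES:
            if nxt in path or not can_assume(node, nxt):
                continue
            if nxt in targets:
                paths.append(path + [nxt])   # stop at tier-0: that is the finding
            else:
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return sorted(paths)

def report(entry):
    """Human-readable finding lines for one entry point."""
    return [f"{entry}: tier-0 reachable via " + " -> ".join(p) for p in find_paths(entry)] \
        or [f"{entry}: no tier-0 path"]

if __name__ == "__main__":
    for role in ROLES:
        print("\n".join(report(role)))
```

On the constructed data the walk finds two chains from the Lambda role, both through data-reader: one to db-admin via an explicit trust, one to org-admin via the combination of account-root trust and a `role/*` AssumeRole grant. Either half of that combination alone would be reported as low-severity by a benchmark scan; the pair is what a privilege-path review flags. The fix is the same in both directions: replace `role/*` with an explicit resource list, and replace root trust with named principals.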

05 Network & Segmentation

Security groups, NSGs, firewall rules, peering, transit gateway, exposed services, lateral-movement paths between subnets and accounts.

06 Storage & Data Exposure

S3 / Blob / GCS public-access posture, encryption at rest, key rotation, signed-URL expiry, backup access controls, snapshot exposure.

07 Workload, Container, Serverless

EC2/VM hardening, Kubernetes RBAC + pod-security + network policies, Lambda / Functions / Cloud Run identity boundary, secrets handling.

Delivery

08 Three-Layer QA Review

L1 cloud auditor → L2 senior consultant → L3 cloud architect. Every finding validated, every reproduction reviewed, every CVSS scored consistently.

09 Reporting & Re-test

Executive + technical reports with cloud-specific remediation (IaC examples, IAM policies, GuardDuty/Defender configs), retest rounds, and security certificate.

Compliance-Ready

Audit-ready reporting for cloud mandates

Cloud assessment reports satisfy the technical clauses your auditor and customer DPAs will check — CIS Benchmarks, SOC 2, ISO 27001 A.5.23, CERT-In data localization, DPDP, HIPAA, GDPR.

CIS Benchmarks: AWS, Azure, GCP, Kubernetes
SOC 2: Trust service criteria (security, availability)
ISO 27001: Annex A 5.23 (cloud services)
CERT-In: Data localization compliance
PCI DSS v4.0: Cloud-hosted CDE assessments
DPDP Act: Personal-data infrastructure
HIPAA: PHI in cloud workloads
GDPR: EU data residency + processor obligations

Common engagement scopes

What clients ask us to test

Cloud engagements cluster into a handful of well-defined patterns — each sized for our 5–18 day delivery window.

AWS multi-account landing zone: Org SCPs, IAM, network, GuardDuty, log archive
Azure tenancy + subscription: Entra ID, RBAC, Defender, Sentinel, network
GCP organization: IAM, VPC SC, BeyondCorp, SCC posture
Kubernetes (EKS / AKS / GKE): RBAC, network policies, admission, runtime
Multi-cloud (AWS + Azure): Cross-cloud identity, peering, data flow
PCI DSS in cloud: Hosted CDE, segmentation, key management

Deliverables

What you get

Two reports for two audiences — risk picture for leadership, IaC-ready remediation for your platform team (Terraform, CloudFormation, Bicep, IAM JSON).

Executive Report

Risk overview, critical findings, business impact, remediation priorities. Board-ready.

Technical Report + IaC Fixes

Findings with Terraform / CloudFormation / Bicep fix snippets, IAM JSON, severity, CVSS.

Retest & Walkthrough

Multiple retest rounds at no extra cost. Walkthrough call with your platform / SecOps team.

Security Certificate

Formal certificate for compliance, customer assurance, and vendor due diligence.

FAQ

Common questions

Can't find what you're looking for? Talk to our cloud-security lead.

What is cloud security assessment?

Cloud security assessment is a structured review of your AWS, Azure, or GCP environment by certified experts — covering identity, network, storage, workload, and data-protection postures. It includes CIS Benchmark validation, IAM privilege-path analysis, configuration drift detection, and assumed-breach lateral-movement testing within the cloud control plane.

AWS, Azure, or GCP — which do you cover?

All three, plus multi-cloud scenarios. Our auditors hold cloud-specific certifications across providers. Most enterprise engagements span 2 or more clouds (e.g. AWS + Azure tenancy on Microsoft 365). We also handle DigitalOcean, Linode, Oracle Cloud, and Cloudflare on a case-by-case basis.

Read-only access vs full credentials?

Read-only is the default and sufficient for 95%+ of findings. We use cross-account / cross-subscription / cross-project federated read roles — no long-lived keys, scoped to your inventory and config-read APIs. Where active testing of a specific service is in scope, we provision narrow, time-bounded write access with logging.

Is CIS Benchmark validation enough?

No — CIS is the floor, not the ceiling. CIS catches 60–70% of misconfigurations but misses business-logic risk (an over-permissive role assumed by a Lambda, a public S3 bucket holding PHI, an unattached snapshot containing decommissioned customer data). Manual review and assumed-breach analysis are where the high-impact findings come from.

Do you test Kubernetes / containers?

Yes — RBAC, pod-security standards, network policies, secrets handling, image signing, runtime drift, admission-controller posture, exposed dashboards, CI/CD integration risk. Across EKS, AKS, GKE, and self-managed clusters.

How long does a cloud assessment take?

Single-account / single-subscription: 5–8 business days. Multi-account or multi-subscription with federated landing zones: 8–14 days. Hybrid (cloud + on-prem connectivity): 10–18 days. Lemon enforces daily progress tracking.

Is cloud testing required for SOC 2 / ISO 27001 / DPDP?

Yes. SOC 2 Trust Service Criteria explicitly cover cloud security. ISO 27001:2022 added Annex A.5.23 (cloud-services security). The DPDP Act expects technical safeguards on personal-data-processing infrastructure regardless of where it runs. CERT-In data-localization rules apply to Indian customer data.

Do you provide remediation guidance?

Yes — reports include cloud-specific remediation: IAM policy snippets, IaC examples (Terraform, CloudFormation, Bicep), service-control-policy patterns, GuardDuty / Defender / SCC tuning, and a walkthrough call with your platform team.

Find the cloud privilege path before someone else does.

Whether it's a single-account hardening pass, a multi-cloud landing zone audit, or a Kubernetes admission-controller review — talk to our cloud-security lead.