Cloud Security Assessment
AWS, Azure, and GCP security auditing — IAM privilege escalation, storage misconfigurations, secrets exposure, and compliance posture.
Prerequisites
- Cloud provider credentials with at least read-only IAM access:
  - AWS: Access Key ID + Secret Access Key (or a role ARN for assume-role)
  - Azure: Service Principal client ID + secret + tenant ID
  - GCP: Service account JSON key file
- Written authorization from the cloud account owner
- Scope defined: specific accounts, subscriptions, or projects
1. Select Cloud Security from the Home Screen
Click ☁️ Cloud Security. Select your cloud provider(s): AWS, Azure, GCP, or multi-cloud.
2. Enter Cloud Credentials
Enter your cloud credentials in the encrypted credential vault. Credentials are AES-256-GCM encrypted on entry and are never stored in plaintext.

    AWS:
      Access Key ID     : AKIA...
      Secret Access Key : [encrypted on entry]
      Region            : us-east-1 (or All Regions)
      Account ID        : 123456789012

    Azure:
      Tenant ID         : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      Client ID         : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      Client Secret     : [encrypted on entry]
      Subscription ID   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    GCP:
      Service Account   : Upload JSON key file
3. Select Assessment Scope

    Assessment Type:
      ● Security Audit — read-only, no exploitation
      ● Privilege Escalation Test — attempt IAM privesc paths
      ● Full Red Team — active exploitation (explicit authorization required)

    Compliance Framework:
      ○ CIS AWS/Azure/GCP Benchmark
      ○ SOC 2 Type II
      ○ PCI DSS
      ○ HIPAA
      ○ ISO 27001
4. Claude Audits Your Cloud Environment

    AWS Assessment:
      IAM        : Prowler + Pacu; over-privileged roles, unused keys, root usage
      S3         : Public buckets, ACL misconfigs, encryption status
      EC2        : Security groups open to 0.0.0.0/0, IMDSv1 enabled, unencrypted volumes
      Lambda     : Secrets in environment variables, overly permissive execution roles
      CloudTrail : Logging gaps, trail disabled in some regions
      Secrets    : TruffleHog scan of code repos, env vars, Parameter Store

    Azure Assessment:
      RBAC       : Owner/Contributor assignments, guest users, service principals
      Storage    : Public containers, SAS token expiry, encryption
      Network    : NSG rules, open management ports
      Key Vault  : Access policies, soft-delete disabled

    GCP Assessment:
      IAM        : Primitive roles (Owner/Editor), service account keys
      Storage    : Public buckets, uniform bucket-level access disabled
      Compute    : OS Login disabled, public IPs, serial port enabled
      Logging    : Audit log gaps
5. Review Findings and Generate the Cloud Security Report
The report includes: a risk posture summary, findings by service, compliance mapping, IAM privilege escalation paths, and a prioritized remediation roadmap with Terraform/IaC fix examples.
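As an added worked example (not code from this tool or from Prowler/Pacu), the kind of check behind the report's "IAM privilege escalation paths" line, run offline over a constructed set of policy documents attached to one principal. The path table lists the commonly cited escalation primitives (policy-version manipulation, attaching or putting policies, credential creation, PassRole into Lambda/EC2/CloudFormation); the labels are descriptive names chosen for this example. Resource and Condition scoping are deliberately ignored, so every hit is a candidate to confirm, not a proof.

```python
"""Offline IAM privilege-escalation path finder.

Added example, not the tool's own code. Input is the list of policy
documents attached to one principal (inline plus managed, as returned by
`aws iam get-policy-version` / `get-user-policy`); output is the list of
known escalation primitives those documents enable.
"""
import fnmatch

# Well-known escalation primitives: each path is the set of actions that
# must all be allowed. Labels are descriptive names chosen for this example.
PRIVESC_PATHS = {
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "AttachRolePolicy": {"iam:AttachRolePolicy"},
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "PutRolePolicy": {"iam:PutRolePolicy"},
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "CreateLoginProfile": {"iam:CreateLoginProfile"},
    "UpdateLoginProfile": {"iam:UpdateLoginProfile"},
    "AddUserToGroup": {"iam:AddUserToGroup"},
    "UpdateAssumeRolePolicy+AssumeRole": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "PassRole+Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "PassRole+EC2": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole+CloudFormation": {"iam:PassRole", "cloudformation:CreateStack"},
    "UpdateFunctionCode": {"lambda:UpdateFunctionCode"},
}


def _as_list(value):
    """IAM lets Action/NotAction/Statement be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(statements, candidates):
    """Return the candidate actions the statements permit.

    Explicit Deny always wins over Allow, as in IAM evaluation. Resource and
    Condition are deliberately ignored, so a hit is a candidate path to
    confirm (e.g. with `aws iam simulate-principal-policy`), not a proof.
    """
    allowed, denied = set(), set()
    for stmt in statements:
        if "NotAction" in stmt:
            # NotAction covers every action except the listed ones.
            excluded = _as_list(stmt["NotAction"])
            matched = {a for a in candidates
                       if not any(_action_matches(p, a) for p in excluded)}
        else:
            patterns = _as_list(stmt.get("Action"))
            matched = {a for a in candidates
                       if any(_action_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Deny":
            denied |= matched
        elif stmt.get("Effect") == "Allow":
            allowed |= matched
    return allowed - denied


def find_privesc_paths(policy_documents):
    """List the escalation paths whose required actions are all allowed."""
    statements = []
    for doc in policy_documents:
        statements.extend(_as_list(doc.get("Statement")))
    candidates = set().union(*PRIVESC_PATHS.values())
    allowed = allowed_actions(statements, candidates)
    return sorted(name for name, needed in PRIVESC_PATHS.items()
                  if needed <= allowed)


# Constructed sample: a "developer" principal with broad Lambda rights,
# iam:PassRole, a wildcard on iam:Create*, and one explicit Deny.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"], "Resource": "*"}},
]

if __name__ == "__main__":
    for path in find_privesc_paths(SAMPLE_POLICIES):
        print("possible privesc:", path, "->", sorted(PRIVESC_PATHS[path]))
```

On the constructed sample the Deny on iam:CreateAccessKey removes that path even though iam:Create* allows it, while the iam:Create* wildcard still yields CreatePolicyVersion and CreateLoginProfile, and lambda:* plus iam:PassRole yields PassRole+Lambda and UpdateFunctionCode. Feed real input by collecting every inline and attached managed policy version for the principal; wildcard handling covers the `IAM:passrole` style casing that hand-written policies sometimes use.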
Common Issues
AWS checks fail with AccessDenied: the IAM user or role the assessment runs as needs, at minimum, the AWS-managed SecurityAudit policy plus ReadOnlyAccess. ReadOnlyAccess already covers the EC2, S3 and IAM read actions that AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess and IAMReadOnlyAccess grant, so attaching those three on top of it adds nothing. What does extend coverage for Prowler is its additions policy, which grants the read actions the managed policies omit; attach the policy document at github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json as well.
Credential retrieval through the instance metadata service fails inside Lambda: Lambda does not expose IMDS at all. A function's execution-role credentials are injected as the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, so read them from the environment. The container credential endpoint at http://169.254.170.2 belongs to ECS and Fargate tasks, not Lambda: a task reads the path from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (of the form /v2/credentials/<guid>) and GETs http://169.254.170.2<relative-uri>. Only EC2 instances serve role credentials from IMDS at http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>. When IMDSv2 is enforced, a plain GET is refused; a PUT to http://169.254.169.254/latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header must come first, and the returned session token is sent as X-aws-ec2-metadata-token on every subsequent GET.
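The three credential sources above, as an added example that is not part of this page or tool: a resolver that follows the same precedence as the SDK credential chain (environment variables, then the container endpoint, then IMDS) and performs the IMDSv2 token exchange. The `http` argument is an injectable transport so the flow can be exercised offline against the constructed `FakeMetadataService`, which behaves like an IMDSv2-enforced instance and refuses the IMDSv1-style GET; `urllib_http` is the real transport for use on an instance or task.

```python
"""Resolve an AWS principal's credentials the way the SDK chain does, by
execution environment. Added example, not the tool's code. `http` is an
injectable callable (method, url, headers) -> response body so the flow can
be exercised offline against the constructed stand-in below.
"""
import json
import urllib.request

IMDS = "http://169.254.169.254"          # EC2 instance metadata service
ECS_CREDS = "http://169.254.170.2"        # ECS/Fargate task credential endpoint
ENV_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def urllib_http(method, url, headers, timeout=2):
    """Real transport for use on an instance or task (not exercised offline)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def lambda_credentials(env):
    """Lambda has no metadata service; the execution role is in the environment."""
    if not all(k in env for k in ENV_KEYS):
        return None
    return {"source": "lambda-env", **{k: env[k] for k in ENV_KEYS}}


def ecs_credentials(env, http):
    """ECS/Fargate: GET the relative URI the agent injected, on 169.254.170.2."""
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        return None
    creds = json.loads(http("GET", ECS_CREDS + rel, {}))
    return {"source": "ecs-task", "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["Token"]}


def ec2_credentials(http, ttl_seconds=21600):
    """EC2: IMDSv2 flow. The PUT for a session token works whether or not
    IMDSv2 is enforced, so always do it rather than probing for IMDSv1."""
    token = http("PUT", IMDS + "/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    hdr = {"X-aws-ec2-metadata-token": token}
    base = IMDS + "/latest/meta-data/iam/security-credentials/"
    role = http("GET", base, hdr).strip().splitlines()[0]
    creds = json.loads(http("GET", base + role, hdr))
    return {"source": "ec2-imds", "role": role,
            "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["Token"]}


def resolve_credentials(env, http):
    """Same precedence as the SDK chain: env vars, then container, then IMDS."""
    return lambda_credentials(env) or ecs_credentials(env, http) or ec2_credentials(http)


class FakeMetadataService:
    """Constructed stand-in for an IMDSv2-enforced instance and an ECS endpoint."""
    TOKEN = "constructed-session-token"

    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers):
        self.requests.append((method, url))
        if method == "PUT" and url == IMDS + "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                raise ValueError("400: missing TTL header")
            return self.TOKEN
        if url.startswith(IMDS + "/latest/meta-data/"):
            if headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
                raise PermissionError("401: IMDSv2 token required")
            if url.endswith("/iam/security-credentials/"):
                return "audit-role\n"
            if url.endswith("/iam/security-credentials/audit-role"):
                return json.dumps({"AccessKeyId": "ASIAEC2EXAMPLE",
                                   "SecretAccessKey": "x", "Token": "y"})
        if url.startswith(ECS_CREDS + "/v2/credentials/"):
            return json.dumps({"AccessKeyId": "ASIAECSEXAMPLE",
                               "SecretAccessKey": "x", "Token": "y"})
        raise FileNotFoundError("404: " + url)


if __name__ == "__main__":
    # On a real instance or task, pass dict(os.environ) and urllib_http instead.
    svc = FakeMetadataService()
    print(resolve_credentials({}, svc))
    print("requests made:", svc.requests)
```

Run stand-alone it resolves against the fake, showing the PUT for a token first and then the two authenticated GETs; a GET without the token header raises, which is exactly the symptom seen on an instance where IMDSv2 is enforced and a tool still speaks IMDSv1.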
Azure enumeration returns empty results or authorization errors: the service principal may not have the Reader role on the subscription. Grant it in the portal: Subscriptions → [subscription] → Access control (IAM) → Add role assignment → Reader → [service principal], or from the CLI with az role assignment create --assignee <client-id> --role Reader --scope /subscriptions/<subscription-id>. Also verify that the tenant ID you entered matches the tenant the CLI is signed in to: az account show.