The cloud-security agent is a senior cloud security assessor covering AWS, Azure, and GCP. It combines configuration review, penetration testing, and compliance auditing into a single autonomous agent. The agent operates in two modes:
  • Advisory auditor — Configuration review, policy analysis, and architecture risk assessment. Available immediately, no authorization gate required.
  • Pentest operator — Active exploitation and vulnerability validation. Requires explicit written authorization confirmation before any offensive action.

Activating the agent

Press Tab until cloud-security appears in the status bar, then describe your target environment.

Tools

Category | Tools
Multi-cloud audit | ScoutSuite, Prowler, CloudSploit
AWS | AWS CLI, Prowler, Pacu (pentest mode only)
Azure | Azure CLI, ScoutSuite, ROADtools
GCP | gcloud CLI, ScoutSuite
Kubernetes | kube-bench, kube-hunter, kubeaudit, Trivy
IaC scanning | Checkov, Terrascan, tfsec, KICS
Container scanning | Trivy, Grype, Syft
Secret scanning | TruffleHog, GitLeaks, detect-secrets
Network | nmap (pentest mode only, rate-limited)

Testing methodology

The agent follows a 14-phase methodology from scoping through reporting.
1. Scoping and threat modeling

Collects business context, regulatory requirements (PCI, HIPAA, SOC2, GDPR), and identifies crown jewels — databases with PII, payment processors, authentication services. Builds a STRIDE or PASTA threat model for the top five data flows and produces a scope document with in/out-of-scope items.
2. Asset inventory

Enumerates all cloud resources non-intrusively: EC2 instances, S3 buckets, Lambda functions, load balancers, public IPs (AWS); resource groups, storage accounts, public IPs (Azure); compute instances, GCS buckets, external addresses (GCP). Builds a complete inventory before any testing begins.
3. IAM review

Generates and analyzes credential reports. Identifies users without MFA, inline policies with wildcard permissions, access keys older than 90 days, and overly broad role trust policies. On Azure, checks Owner/Contributor assignments at subscription level and service principal permissions. On GCP, finds allUsers or allAuthenticatedUsers IAM bindings and default service accounts with Editor role.
4. Network and segmentation review

Identifies security groups allowing 0.0.0.0/0 ingress on sensitive ports (SSH, RDP, management interfaces). Reviews VPC peering connections and NACLs. On Azure, checks NSG rules for any allow from Internet. On GCP, checks for the default network and overly permissive firewall rules.
5. Compute review

Checks for IMDSv1 on EC2 instances (vulnerable to SSRF-based token theft), Lambda environment variables containing secrets, and publicly accessible AMIs. Reviews Azure VM extensions and patch status. Checks GCP instances for use of the default service account with broad scopes.
6. Storage and data security

Checks all S3 buckets for public access block configuration and bucket policies granting access to the * principal. Verifies account-level S3 Block Public Access is enabled. On Azure, checks Blob containers for public access. On GCP, checks for allUsers or allAuthenticatedUsers on GCS bucket IAM policies.
7. Container and Kubernetes review

Reviews RBAC for anonymous or unauthenticated access. Identifies privileged containers, pods running as root, and hostPath mounts. Checks for namespaces without network policies. Runs kube-bench against master and node targets. Reviews EKS, AKS, and GKE-specific configurations (public endpoint exposure, RBAC, private cluster mode).
8. Secrets and key management

Checks KMS key rotation status, Secrets Manager for unrotated secrets (AWS), Key Vault soft delete and purge protection settings (Azure), and Cloud KMS key rotation periods (GCP). Reviews CI/CD pipelines for hardcoded secrets and checks artifact registries for access controls.
9. Logging, monitoring, and detection

Verifies CloudTrail is enabled with multi-region coverage and log file validation (AWS). Checks GuardDuty and Security Hub status. On Azure, reviews Defender for Cloud pricing tiers and activity log retention. On GCP, reviews audit log configuration and log sink exports.
10. CI/CD and supply chain

Reviews pipeline definitions for hardcoded secrets, artifact registry access controls, build environment isolation, dependency scanning configuration, artifact signing and provenance, and OIDC federation for CI/CD (versus long-lived static credentials).
11. SaaS integrations and third-party access

Reviews SAML/OIDC identity provider configurations, cross-account role trust policies, marketplace integrations, OAuth app consents (particularly Azure AD Application.ReadWrite.All grants), and external sharing policies.
12. Vulnerability validation (pentest mode only)

Validates Critical and High findings through non-destructive proof techniques: reading canary files rather than production data, listing resource names rather than contents, and demonstrating privilege escalation to the role level without using it destructively. Every step requires explicit user approval before execution.

Provider checklists

AWS
  • IAM: Root account has MFA, no root access keys, user MFA enforced, no inline *:* policies, access keys rotated within 90 days, ExternalId condition on cross-account trust policies, SCPs restrict dangerous actions.
  • Network: No security group allows 0.0.0.0/0 on SSH (22) or RDP (3389), VPC flow logs enabled, default VPC unused, ALB access logs enabled.
  • Storage: Account-level S3 Block Public Access enabled, all buckets encrypted, S3 access logging enabled, versioning on critical buckets.
  • KMS: Customer-managed keys have auto-rotation enabled, key policies are restricted to necessary principals.
  • Governance: AWS Organizations with SCPs, AWS Config enabled in all regions, GuardDuty enabled in all regions, Security Hub enabled.

Azure
  • IAM: No Global Admin accounts without PIM activation, Conditional Access enforces MFA, legacy authentication blocked, service principals audited for excessive permissions, no User Access Administrator at root management group.
  • Network: NSGs on all subnets with deny-all default, no wildcard allows on management ports, Network Watcher enabled, Private Endpoints used for PaaS services.
  • Storage: No public blob access, HTTPS-only enforcement, TLS 1.2 minimum, storage firewall configured, soft delete enabled.
  • Key Vault: Soft delete and purge protection enabled, network-restricted access, RBAC authorization model, diagnostic logging enabled.
  • Governance: Management Groups configured, Azure Policy assignments, Defender for Cloud enabled for all resource types, Activity Log exported to storage or Log Analytics.

GCP
  • IAM: No allUsers or allAuthenticatedUsers IAM bindings, domain restriction org policy, Workload Identity used for GKE, default Compute Engine service account not used with Editor role, IAM recommender reviewed.
  • Network: Default network deleted or restricted, no 0.0.0.0/0 SSH/RDP firewall rules, VPC flow logs enabled, Private Google Access enabled on subnets, Cloud Armor configured.
  • Storage: Uniform bucket-level access enabled, no public bindings, CMEK, object versioning, retention policies on regulated data.
  • Cloud KMS: Auto-rotation configured, access restricted to necessary service accounts, separated admin and user roles.
  • Governance: Org policies configured, Security Command Center Premium, audit log sinks to external storage, VPC Service Controls on sensitive projects.

Common IAM pitfalls

Provider | Misconfiguration | What the agent checks
AWS | iam:PassRole + lambda:CreateFunction = privilege escalation | IAM policies for PassRole combined with compute creation permissions
AWS | Confused deputy via sts:AssumeRole without ExternalId | Role trust policies for missing Condition blocks
AWS | S3 bucket policy granting access to * principal | Bucket policies parsed for wildcard principals
Azure | User Access Administrator at root management group | az role assignment list --scope "/"
Azure | Service principal with Application.ReadWrite.All | App registration Graph API permissions
GCP | Default Compute Engine SA with Editor role | Project metadata for default service account configuration
GCP | allUsers IAM binding | Project IAM policy for public bindings
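
The three AWS rows above can be checked offline against exported policy JSON. The following is an added example, not the agent's own code: the function names and the sample policies (with placeholder account IDs) are assumptions, and Resource scoping and NotAction are not evaluated.

```python
import fnmatch

def as_list(v):
    """IAM JSON allows a scalar or a list for Statement, Action and Principal values."""
    return v if isinstance(v, list) else [v]

def allows(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def grants(stmt, action):
    """Case-insensitive match of an action against the statement's Action patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(stmt.get("Action", [])))

def aws_principals(stmt):
    p = stmt.get("Principal", {})
    return as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]

def passrole_escalation(policy):
    """iam:PassRole and lambda:CreateFunction both allowed (Resource/Condition not evaluated)."""
    stmts = allows(policy)
    return all(any(grants(s, a) for s in stmts) for a in ("iam:PassRole", "lambda:CreateFunction"))

def trust_missing_external_id(trust_policy, own_account):
    """Foreign AWS principals that may sts:AssumeRole with no sts:ExternalId condition key."""
    hits = []
    for s in allows(trust_policy):
        keys = {k.lower() for op in s.get("Condition", {}).values() for k in op}
        if grants(s, "sts:AssumeRole") and "sts:externalid" not in keys:
            hits += [p for p in aws_principals(s) if own_account not in p]
    return hits

def wildcard_principal_sids(bucket_policy):
    """Sids of Allow statements open to the * principal; any Condition still needs manual review."""
    return [s.get("Sid", "<no Sid>") for s in allows(bucket_policy) if "*" in aws_principals(s)]

# Constructed sample documents (account IDs and names are placeholders, not from the page).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Pass*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]}
BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

A hit from any of these functions is a finding to review rather than a confirmed exposure, since conditions and resource scoping can still narrow the grant.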

Example workflows

cyberstrike run --agent cloud-security \
  "Audit AWS account 123456789012 — focus on IAM users without MFA, overly permissive policies, and access keys older than 90 days"
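
The MFA and key-age checks this workflow asks for can be reproduced by hand from an IAM credential report. The following is an added example, not the agent's own code: the function names and finding labels are assumptions, and the sample report is a constructed subset of the real report's columns.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90    # threshold used on this page
ROOT = "<root_account>"  # name of the root row in the credential report

def parse_ts(value):
    """Return an aware datetime, or None for placeholders such as 'N/A'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(csv_text, now):
    """Return (user, finding) tuples for missing MFA, root keys and stale active access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Root always has a console login; its password_enabled column is 'not_supported'.
        if (user == ROOT or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                findings.append((user, "ROOT_ACCESS_KEY"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            # An active key with no readable rotation date is treated as stale.
            if rotated is None or (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"ACCESS_KEY_{n}_STALE"))
    return findings

# Constructed sample: a subset of the report's columns; users and dates are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-11-01T00:00:00+00:00,true,2024-04-15T00:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-03-02T00:00:00+00:00,false,N/A
"""

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```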

Finding output format

Each finding follows a structured template:
  • Cloud provider and service — e.g., AWS / S3
  • Severity — Critical / High / Medium / Low / Informational with rationale
  • Affected resources — ARN, resource ID, or name
  • Steps to reproduce — Copy-pasteable CLI commands
  • Evidence — Command output
  • Impact and blast radius — Scope and business impact
  • Root cause — Specific configuration detail
  • Remediation — Short-term CLI fix and long-term architecture improvement
  • Confidence — CONFIRMED / LIKELY / UNVERIFIED

The agent requires written authorization confirmation before any active exploitation or intrusive testing. In advisory mode, it performs only read-only, non-destructive analysis. Unauthorized cloud testing may violate the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act (CMA), and cloud provider terms of service.
