Cloud methodology
Cloud assessment — what we need from you

Cloud pentest prerequisites

PentestMe's cloud assessment is a credentialed configuration & posture review — run with industry-standard auditors (Prowler, ScoutSuite, and kube-bench) against CIS Benchmarks and cloud best practice. It authenticates with the read-only credentials you provide and inspects identity/IAM, public storage, network exposure, encryption, logging/monitoring, secrets exposure, and compliance gaps. It is read-only — it never modifies resources or runs intrusive attacks against your control plane.

Pick your provider below, create a dedicated read-only credential (steps included), then paste the listed fields into the scan's Credentials step and run the live Test connection check before you queue the scan.

AWS

A read-only IAM access key (or a cross-account read-only role).

Runs: Prowler + IAM privilege-escalation analysis

Create the credential

  1. IAM → Users → Create user (e.g. "pentestme-readonly"), with no console access.
  2. Attach these AWS-managed, read-only policies: SecurityAudit and job-function/ViewOnlyAccess.
  3. Create an access key (type: Third-party service / CLI) and copy the Access Key ID and Secret Access Key.

Paste these fields

  • AWS Access Key ID (starts with AKIA…)
  • AWS Secret Access Key
  • AWS Region (optional; defaults to us-east-1, and IAM/global checks always run)
  • Cross-account Role ARN + External ID (optional, for org-wide audits)

Note: Org-wide instead? Create the read-only role (SecurityAudit + ViewOnlyAccess) in the target account with a trust policy to your auditing principal and an External ID, then paste the Role ARN (+ External ID) here.
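The org-wide variant above, as an added example that is not PentestMe's own tooling: a shell script that renders the trust policy (auditing principal plus External ID condition) and, when asked, creates the role and attaches the two managed policies with the AWS CLI. The auditing principal ARN and External ID are placeholders to replace with the values agreed for the engagement.

```shell
#!/usr/bin/env sh
# Added example: build a cross-account read-only audit role.
# Placeholders (assumptions): replace with the engagement's real values.
AUDITOR_PRINCIPAL="arn:aws:iam::111111111111:root"   # placeholder auditing account
EXTERNAL_ID="replace-with-engagement-external-id"    # placeholder External ID
ROLE_NAME="pentestme-readonly"

# Print the trust policy: only the auditing principal may assume the role,
# and only when it presents the agreed External ID (confused-deputy guard).
trust_policy() {
  principal="$1"
  external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${principal}" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Create the role and attach SecurityAudit + ViewOnlyAccess (the same
# AWS-managed policies as in the user-based steps). Needs the AWS CLI
# with credentials for the account being assessed.
create_audit_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$AUDITOR_PRINCIPAL" "$EXTERNAL_ID")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/SecurityAudit
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
  # This ARN (plus the External ID) is what goes into the Credentials step.
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Only talk to AWS when explicitly asked; otherwise just show the policy.
if [ "${1:-}" = "--create" ]; then
  create_audit_role
else
  trust_policy "$AUDITOR_PRINCIPAL" "$EXTERNAL_ID"
fi
```

Run it with `--create` once you have reviewed the printed policy; the role can be deleted when the assessment is complete.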

Azure

An App Registration (service principal) with Reader on the subscription.

Runs: ScoutSuite

Create the credential

  1. Microsoft Entra ID → App registrations → New registration (e.g. "pentestme-readonly").
  2. Add a credential — Certificates & secrets → New client secret → copy the Value (or upload a certificate and keep the matching PEM).
  3. Subscriptions → your subscription → Access control (IAM) → Add role assignment → Reader (required) + Security Reader (recommended).
  4. For identity/Entra checks: Microsoft Graph → Directory.Read.All (application permission) → Grant admin consent.

Paste these fields

  • Tenant ID (Entra ID → Overview)
  • Client (Application) ID (App registration → Overview)
  • Subscription ID
  • Client Secret or Certificate (PEM): the secret Value, or the PEM private key + cert

Google Cloud (GCP)

A service account with read-only roles and a JSON key.

Runs: ScoutSuite

Create the credential

  1. IAM & Admin → Service Accounts → Create service account (e.g. "pentestme-readonly").
  2. Grant it, at the project (or organization) you want assessed: roles/viewer and roles/iam.securityReviewer.
  3. Keys → Add key → Create new key → JSON → download the key file.

Paste these fields

  • Service Account Key (JSON): paste the entire contents of the downloaded JSON key file

Kubernetes

A kubeconfig bound to a read-only ServiceAccount.

Runs: kube-bench + kube-hunter

Create the credential

  1. kubectl create serviceaccount pentestme-readonly -n kube-system
  2. kubectl create clusterrolebinding pentestme-readonly --clusterrole=view --serviceaccount=kube-system:pentestme-readonly (use cluster-reader on OpenShift)
  3. Produce a kubeconfig for that ServiceAccount's token, pointing at your cluster's API server endpoint.
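Step 3 carried out in shell, as an added example that is not PentestMe's own tooling: it renders a standalone kubeconfig holding only the API server, its CA and a time-bound ServiceAccount token, then confirms the file can list but not create. Assumes kubectl 1.24 or newer (for `kubectl create token`) and that your current context points at the cluster being assessed.

```shell
#!/usr/bin/env sh
# Added example: build a kubeconfig for the read-only ServiceAccount.
SA_NAME="pentestme-readonly"
SA_NS="kube-system"
OUT_FILE="pentestme-readonly.kubeconfig"

# Render a kubeconfig that carries only the API server, its CA and the
# ServiceAccount token; your admin context is never copied into it.
build_kubeconfig() {
  server="$1"; ca_b64="$2"; token="$3"; name="$4"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: assessed-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${name}
  user:
    token: ${token}
contexts:
- name: ${name}@assessed-cluster
  context:
    cluster: assessed-cluster
    user: ${name}
current-context: ${name}@assessed-cluster
EOF
}

# Gather the pieces from the live cluster and write the file with 0600 perms.
make_readonly_kubeconfig() {
  server="$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')"
  ca_b64="$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
  # Time-bound token instead of a long-lived Secret; the API server may cap the duration.
  token="$(kubectl create token "$SA_NAME" -n "$SA_NS" --duration=24h)"
  umask 077
  build_kubeconfig "$server" "$ca_b64" "$token" "$SA_NAME" > "$OUT_FILE"
  # Check read works and write is denied before pasting the file into the scan.
  kubectl --kubeconfig "$OUT_FILE" auth can-i list pods --all-namespaces
  kubectl --kubeconfig "$OUT_FILE" auth can-i create pods --all-namespaces || true
}

if [ "${1:-}" = "--run" ]; then
  make_readonly_kubeconfig
fi
```

The second `auth can-i` is expected to print `no`; if it prints `yes`, the binding is not the `view` ClusterRole.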

Paste these fields

  • Kubeconfig (YAML): the full kubeconfig for the read-only ServiceAccount

Note: If the API server is private / not internet-reachable, attach a VPN connection to the engagement so our worker can reach it — tell us and we’ll set up the tunnel with you.

Microsoft 365 / Entra ID

An App Registration with read-only Microsoft Graph application permissions + admin consent.

Runs: Prowler + ROADtools / AzureHound

Create the credential

  1. Entra ID → App registrations → New registration (e.g. "pentestme-m365").
  2. Certificates & secrets → New client secret → copy the Value.
  3. API permissions → Microsoft Graph → Application permissions → add (all read-only): Directory.Read.All, Policy.Read.All, Reports.Read.All, SecurityEvents.Read.All, Mail.Read, Sites.Read.All.
  4. Grant admin consent for your tenant.

Paste these fields

  • Tenant ID (Entra ID → Overview)
  • Application (Client) ID
  • Client Secret: the secret Value

Verify before you scan

After entering your credentials, click Test connection. We run a live, read-only authentication check (e.g. AWS STS GetCallerIdentity, an Azure/Microsoft Graph token request, a GCP token exchange, or a Kubernetes API /version probe) and tell you exactly what to fix — wrong key, missing role, expired secret — before the scan is queued. Nothing is read from your environment until this passes.

How we handle your credentials

Least-privilege, read-only, and short-lived by design.

  • Use dedicated, least-privilege credentials created for this engagement — never a personal admin login or long-lived org-admin keys.
  • Credentials are encrypted at rest (AES-256-GCM), decrypted only for the scan, written to 0600 temp files inside the scanner that are shredded on exit, and never logged.
  • Everything is read-only — we never alter your environment.
  • Revoke / delete the credential (access key, client secret, SA key, ServiceAccount) as soon as the assessment is complete.

Ready to assess your cloud?

Set up your read-only credential, paste it into a new cloud scan, and run the connection test. We'll take it from there.