/ services / cloud config pentest

Your cloud account, read like an attacker.

CredShields One offers AI-driven cloud configuration penetration testing for AWS, GCP, and Azure. We review identity, networking, data, and logging configurations end to end and map the privilege escalation paths an attacker could chain from initial access to crown jewels.

For teams running production workloads on AWS, GCP, Azure or any other cloud platform.

Access: read-only role
Scope: AWS · GCP · Azure
Turnaround: days, not weeks

// sample findings · prod-aws-001
  • CRIT  EC2 role → admin via iam:PassRole (3-step chain)
  • CRIT  Public RDS snapshot, prod customer data (us-east-1)
  • HIGH  KMS grant on shared key, dev account (cross-acct)
  • HIGH  CloudTrail multi-region trail disabled (audit gap)
  • MED   SG 0.0.0.0/0 on internal-only ALB (5 resources)
  • MED   Lambda env vars, plaintext secrets (12 fns)

/ why scanners aren't enough

A scanner finds settings. We find chains.

Cloud breaches almost never start with one bad config. They start with three benign ones that compose. Our AI reasons across the whole graph; a senior reviewer validates every chain before it ships.

/ 01

Settings vs. paths

Scanners flag a public bucket. We tell you which role can reach it, who can assume that role, and what they can do once they're in.

/ 02

The whole graph

Identity, network, data, and logging in one model. Misconfigs only matter when you compose them. That's where real risk lives.

/ 03

Humans validate

Every critical chain is reproduced and written up by a senior reviewer. No AI hallucinations in your report, no compliance-checkbox noise.

/ what we review

Six surfaces. Every misconfig, every chain.

IAM

Roles · policies · trust

Over-privileged roles, wildcard actions, confused-deputy chains, cross-account trust gaps, and the assume-role paths that lead to admin.

  • Privilege escalation
  • Wildcard policies
  • Cross-account trust
  • Service-linked roles

Public exposure

Buckets · endpoints · DNS

Storage buckets, databases, snapshots, endpoints, and any resource accidentally readable from the open internet, including the ones the console hides from you.

  • Public storage
  • Exposed databases
  • Snapshot leakage
  • DNS takeover

Network controls

VPC · SG · peering

Security groups, NACLs, peering, transit gateways, and the lateral-movement paths between VPCs, accounts, and on-prem, including egress nobody's looking at.

  • Permissive SGs
  • Lateral movement
  • Unrestricted egress
  • Peering misconfig

Encryption + KMS

Keys · grants · rotation

Where encryption is missing, where the keys are reachable by the wrong principals, and where a single grant or alias quietly undoes the whole strategy.

  • Unencrypted data
  • Key policy gaps
  • Grant abuse
  • Rotation gaps

Logging gaps

CloudTrail · Flow · audit

Trails that aren't on, regions that aren't covered, retention that's too short, and the actions an attacker could take that would leave no trace anyone notices.

  • Trail coverage
  • VPC Flow blind spots
  • Retention gaps
  • Tamper-resistance

CIS benchmarks

AWS · GCP · Azure

Full CIS benchmark coverage mapped to your account, with every finding tied to its real-world exploit path. Not just a compliance checkbox.

  • CIS AWS
  • CIS GCP
  • CIS Azure
  • Exploit-path map

/ example findings

What a chain actually looks like.

Two redacted findings from real engagements. Each is reproducible, each is mapped to a specific principal and resource, each was validated by a senior reviewer.

EC2 instance role → account admin via iam:PassRole
severity: critical · aws · 3-step chain

An EC2 instance running the staging app held a role that could iam:PassRole any role in the account to a new Lambda function. The Lambda then ran with a privileged role, granting full administrative access across the production account.

SR
The AI flagged the PassRole permission, but the chain to admin only emerged after I traced which roles the Lambda runtime could assume. Reproduced end-to-end in the staging account.
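
The chain above composes two permissions that look harmless on their own: an unscoped iam:PassRole and the ability to create a Lambda function. The following is an added example, not CredShields code or output, that flags that composition in an IAM policy document; it uses two constructed policies (the over-broad staging role and a hardened version scoped to one role and the Lambda service principal) with a placeholder account id.

```python
"""Flag IAM policies that compose iam:PassRole with Lambda creation,
the shape of the EC2 -> Lambda -> admin chain. Constructed samples only."""
import fnmatch
import json

# Constructed: the staging instance role as described (PassRole on any role).
STAGING_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ],
})

# Constructed remediation: PassRole limited to one execution role and to the
# Lambda service; account id 123456789012 is a placeholder.
HARDENED_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/staging-lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:staging-*"},
    ],
})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy: dict, action: str) -> list[dict]:
    """Allow statements whose Action patterns match `action`; IAM action
    wildcards ('*', '?') are case-insensitive. Deny/NotAction not modelled."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            hits.append(st)
    return hits

def passrole_chain_risk(policy_json: str) -> str:
    """'CRIT' if PassRole is unscoped (Resource * and no Condition) and Lambda
    creation is allowed; 'LOW' if PassRole is scoped; 'NONE' if no chain."""
    policy = json.loads(policy_json)
    pass_stmts = allows(policy, "iam:PassRole")
    if not pass_stmts or not allows(policy, "lambda:CreateFunction"):
        return "NONE"
    unscoped = [s for s in pass_stmts
                if "*" in _as_list(s.get("Resource", "*")) and "Condition" not in s]
    return "CRIT" if unscoped else "LOW"
```

The same check applies to any other PassRole consumer (ECS tasks, EC2 RunInstances, Glue jobs); swap the second action accordingly.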
Public RDS snapshot exposing prod customer database
severity: critical · aws · data exposure

A nightly snapshot of the production RDS instance was marked public as part of a debugging workflow that was never reverted. The snapshot was discoverable via the public AWS snapshot index and contained full customer PII.

AK
The setting was technically a known-bad CIS control, but no scanner correlates "public snapshot" with "production data". The reviewer pulled a redacted dump to confirm the contents before reporting.

> full reports include reproduction steps, blast radius, and remediation per finding.

/ how it runs

Read-only access. Written-down chains.

You give us a read-only role. Our AI ingests the configuration, reasons about the graph of permissions and resources, and a senior reviewer validates every chain before it lands in your report. Same five-stage pipeline as the rest of CredShields One. Different surface, same standard.

See the full platform tour

/ invite-only

Ready to map your cloud? Request access.

Tell us where your workloads live and we'll scope a pilot. Read-only access, written-down chains, in your inbox in days.

Request access