A penetration tester is preparing to assess a client's application hosted in a public cloud, single-tenant environment. The client insists that because they have a dedicated instance, there is no need to involve the cloud service provider. What is the tester's most appropriate initial action?
Request written confirmation from the client to absolve the tester of all liability before starting.
Proceed with the test, but use non-intrusive scanning techniques to avoid detection.
Review the cloud provider's rules of engagement for penetration testing and advise the client on the required procedures.
Begin testing only the application layer, as the cloud infrastructure is the provider's responsibility.
All major cloud providers publish specific rules of engagement for penetration testing that customers and their designated testers must follow. These rules exist to protect the underlying shared infrastructure and other customers, even in a single-tenant model, and to ensure that testing activity is not mistaken for a genuine attack. Under the shared responsibility model, the customer is responsible for security in the cloud while the provider is responsible for security of the cloud, and testing activities must respect this boundary. Therefore, the most appropriate and professional first step is to consult the provider's policies and inform the client of the proper procedure, which often involves advance notification or adherence to specific guidelines.