Exam PT0-002 topic 1 question 62 discussion

Actual exam question from CompTIA's PT0-002
Question #: 62
Topic #: 1

Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?

  • A. Whether the cloud service provider allows the penetration tester to test the environment
  • B. Whether the specific cloud services are being used by the application
  • C. The geographical location where the cloud services are running
  • D. Whether the country where the cloud service is based has any impeding laws
Suggested Answer: A

Comments

ryanzou
Highly Voted 2 years, 7 months ago
Selected Answer: A
Definitely A
upvoted 7 times
...
Gadoof
Most Recent 1 year, 2 months ago
Real world you don't have to let the CSP know that you're going to perform a pentest. Both AWS and Azure have changed their stance on this and you can perform attacks against VMs, containers, etc. You can't attack Azure/AWS services directly even if the client is hosting data there, but you can attack VMs as if they were owned by the client directly. https://learn.microsoft.com/en-us/azure/security/fundamentals/pen-testing https://aws.amazon.com/security/penetration-testing/
upvoted 1 times
maigoya
9 months, 3 weeks ago
But CSP includes others not just the Public CSPs. I would say A.
upvoted 1 times
...
...
LiveLaughToasterBath
1 year, 4 months ago
Selected Answer: A
https://www.comptia.org/blog/penetration-testing-in-the-cloud#myself The first step as cloud consumers is to understand what level of testing the cloud provider allows. Contracts are the element that defines exactly what we can and can’t do within our cloud service provider. A good contract should specify what level of testing we can perform. It then becomes our responsibility to make sure we adhere to these limits or, if we subcontract penetration testing services, make sure that our vendor understands what our contract says.
upvoted 1 times
...
dave_delete_me
1 year, 4 months ago
I REALLY, REALLY, REALLY want to say “A” is correct but if you think about using your test taking skills, try to understand what the question is TRULY asking. My logic goes like this… the question states "when engaging in a penetration test”, so that means you already have permission from the CSP because you are ALREADY IN THE ACT OF “engaging” THE PEN TEST. So, following this logic, the obvious answer is C. Thoughts anyone?
upvoted 1 times
[Removed]
1 year, 4 months ago
I think the word FIRST gives away CompTIA's hand. Why get cloud service provider permission (not easy) if they're based in <prohibited country>? Then again, isn't this from the perspective of an individual pen tester? Now I have confused myself more.
upvoted 1 times
...
...
solutionz
1 year, 9 months ago
Selected Answer: A
When planning a penetration test in a cloud environment, the penetration tester must take several considerations into account. However, the primary concern usually lies in obtaining proper authorization and understanding the scope and boundaries of the test. Among the options provided, the one that should be considered FIRST is: A. **Whether the cloud service provider allows the penetration tester to test the environment**. Cloud environments often share resources among multiple clients, and aggressive testing could inadvertently affect other customers' services. Therefore, it's essential to obtain explicit permission from the cloud service provider, understand their policies, and make sure the testing won't violate any terms of service. Without this clearance, testing might lead to legal consequences or other serious issues. The other options, although important in different contexts or at later stages of planning, are not as critical as ensuring that the testing is allowed by the cloud provider.
upvoted 1 times
...
NBLE
2 years, 1 month ago
Selected Answer: A
A is the answer. First you make sure whether the CSP will allow you to conduct the penetration test, and then (answers C & D) you can check the location of the CSP and see if there is any new legislature you must comply with.
upvoted 1 times
...
xviruz2kx
2 years, 1 month ago
A. Whether the cloud service provider allows the penetration tester to test the environment should be considered first when engaging in a penetration test in a cloud environment. Before conducting any penetration testing in a cloud environment, it is essential to check the terms and conditions of the cloud service provider. Many cloud service providers prohibit penetration testing or have specific rules and restrictions that must be followed. Therefore, the first step is to check whether the cloud service provider allows penetration testing. Option B, "whether the specific cloud services are being used by the application," is an important consideration but should come after ensuring that the cloud service provider allows penetration testing. Option C, "the geographical location where the cloud services are running," is important for compliance and data protection purposes, but it is not the first consideration when engaging in a penetration test. Option D, "whether the country where the cloud service is based has any impeding laws," is also an important consideration, but again, it should come after ensuring that the cloud service provider allows penetration testing.
upvoted 1 times
...
AaronS1990
2 years, 1 month ago
This is a tough one as you could make a case for A or C. Personally I think C. If a cloud company said yes and I assumed I could pentest, I could end up in a lot of trouble if I unknowingly violated international laws. If I checked that I could pentest the location based on geographical laws and it was a yes and then the company said no... I'd be in no trouble. For me the international/geographical limitations are the easier area to slip up in, so I think CompTIA is trying to get us to make sure we always consider it. If anyone has the PenTest+ book then I'm sure the answer is very simple, but I'm using Udemy.
upvoted 2 times
...
[Removed]
2 years, 2 months ago
A is correct answer
upvoted 1 times
...
nickwen007
2 years, 2 months ago
The first thing a penetration tester should consider when engaging in a penetration test in a cloud environment is A. Whether the cloud service provider allows the penetration tester to test the environment. Before conducting any tests, it is important to ensure that the cloud service provider allows the penetration tester to conduct tests against the environment. If they do not, then all tests must be conducted in accordance with the provider's terms and conditions.
upvoted 2 times
...
beamage
2 years, 2 months ago
Selected Answer: C
The book says C is correct
upvoted 1 times
...
masso435
2 years, 5 months ago
Selected Answer: A
C is to be considered as well. I think you can ask either first. If you can't pentest due to the geographical location then it doesn't matter if the cloud service provider allows it and vice versa. But I'll go with A in this case. I think it's tricky to ask that question when both of those are required to know before proceeding.
upvoted 4 times
...
Gargomel
2 years, 6 months ago
Selected Answer: C
I think the answer is the geographical location. Because knowing that determines whether you can PenTest, which tools you're allowed to use, and the information policies that dictate the administrative controls for the baseline of the PenTest.
upvoted 2 times
...
petercorn
2 years, 7 months ago
Selected Answer: A
During pre-engagement activities and discussions, verify if there are any resources that are in the cloud, because you will need to get authorization from the cloud provider to perform a pentest on the cloud resources.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other