Tech Wil

The Technology Guide

Running AWS and Azure? You’ve Doubled Your Attack Surface

Two cloud platforms, two consoles, two sets of permissions, two teams who each assume the other has security handled. Multi-cloud setups do not just double your infrastructure. They double the places where something can quietly go wrong, and they add a gap in between that neither platform is responsible for covering on its own.

Why two platforms create more than twice the complexity

Businesses end up running both AWS and Azure for perfectly sensible reasons: an acquisition brought a different stack with it, a particular Azure service suited one project better, AWS pricing worked out cheaper for another workload entirely. Each decision made sense on its own, made at a different time by a different team for a different reason. Together, they create an environment where identity, logging, and security policy all work differently depending on which console you happen to be looking at, and where consistency becomes something you have to actively build rather than something you get by default.

The real danger sits in the gaps between the two platforms rather than within either one individually. A security team fluent in AWS IAM may not apply the same rigour to Azure role-based access control, simply because it looks and behaves differently, uses different terminology, and rarely gets the same amount of attention in training. A properly scoped AWS pen testing examines both environments individually and, just as importantly, checks how data and identity flow between them, because that connective tissue is where oversights tend to hide.

Running AWS and Azure? You've Doubled Your Attack Surface — Aardwolf Security

Where consistency quietly breaks down

Logging is a common casualty of multi-cloud complexity. A business might have excellent CloudTrail configuration in AWS while Azure’s equivalent logging sits at default settings nobody reviewed after setup, simply because the migration project ran out of time before reaching that item on the list. Monitoring tools configured for one platform often need entirely separate configuration for the other, and it is common to find one covered thoroughly while the second receives only partial attention, simply because building genuinely equal coverage across two different systems takes real, ongoing effort that rarely gets budgeted for twice.

William Fieldhouse has seen this imbalance play out directly with clients running both platforms.

“We tested a client with mature AWS security and an Azure tenant that had barely been touched since migration, and the Azure side gave us a foothold that eventually let us reach data sitting comfortably behind their much stronger AWS defences”

— William Fieldhouse, Director of Aardwolf Security Ltd

That client had genuinely invested in security. They had simply invested unevenly, assuming that strength in one platform offered some protection to the other. It does not, because the two environments do not share defences any more than they share consoles, no matter how connected the underlying business processes might be.

Test both platforms as one connected system

Multi-cloud environments need security reviewed as a single connected system, not two separate projects running in parallel with different owners and different timelines. Standardise your logging and monitoring approach across both platforms, assign clear ownership for each, and test the connections between them specifically rather than assuming one strong platform compensates for a weaker one. Aardwolf Security’s combined Azure pen testing covers exactly this kind of dual-platform environment, so neither side of your infrastructure becomes the weak link the other one is quietly relying on.

Share: