pentest-cloud


Cloud security pentest — AWS/Azure/GCP IAM analysis, lateral path, container escape pattern, serverless abuse advisory. Triggers on cloud pentest, AWS, Azure, GCP, IAM, S3 misconfig, EC2 metadata, Azure AD, GCP IAM, Pacu, ScoutSuite, Prowler, CloudGoat.

By fatihkan. Updated 6/11/2026.

name: pentest-cloud
description: Cloud security pentest — AWS/Azure/GCP IAM analysis, lateral path, container escape pattern, serverless abuse advisory. Triggers on cloud pentest, AWS, Azure, GCP, IAM, S3 misconfig, EC2 metadata, Azure AD, GCP IAM, Pacu, ScoutSuite, Prowler, CloudGoat.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  homepage: https://github.com/fatihkan/badi-skills/tree/main/skills/pentest-cloud
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents cloud-security

pentest-cloud

AWS / Azure / GCP pentest methodology: IAM lateral paths, public asset enumeration, container escape patterns.

Triggers

  • "AWS pentest"
  • "Azure AD test"
  • "GCP IAM enum"
  • "S3 public bucket"
  • "EC2 metadata abuse"
  • "IMDSv2 bypass"
  • "Pacu / ScoutSuite / Prowler usage"

Cloud-Provider Specific

AWS

| Attack Surface | Test |
| --- | --- |
| S3 public read/write | `aws s3 ls s3://<bucket> --no-sign-request` |
| EC2 IMDSv1 | `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` |
| Lambda env leak | Lambda invoke + env var dump |
| IAM privilege esc | `iam:CreateAccessKey`, `iam:AttachUserPolicy`, `sts:AssumeRole` |
| CloudTrail bypass | `sts:GetSessionToken` (logged as user, not source) |
| Misconfigured IAM | `*` action on `*` resource |
| Cross-account roles | external Principal `"arn:aws:iam::OTHER:root"` |
| Resource policy | S3 bucket policy with `"Principal": "*"` |
| SSM RunCommand | EC2 to OS via SSM Session Manager |

Azure

| Attack Surface | Test |
| --- | --- |
| Anonymous storage container | `https://<acc>.blob.core.windows.net/<container>?restype=container&comp=list` |
| Azure AD enumeration | UserList API anonymous |
| Service Principal abuse | Excessive RBAC role assignment |
| Managed Identity | VM -> token endpoint -> assume role |
| Azure DevOps PAT | Repo scan for PAT in code |
| Key Vault | RBAC misconfig, public access |

GCP

| Attack Surface | Test |
| --- | --- |
| GCS public bucket | `gsutil ls gs://<bucket>` (no auth) |
| Compute metadata | `curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -H "Metadata-Flavor: Google"` |
| IAM lateral | `iam.serviceAccounts.actAs`, `iam.roles.update` |
| GKE container | RBAC misconfig + IMDS reach |

Recommended Commands

# QUIET — AWS misconfig audit (read-only IAM)
prowler aws --profile <profile> --severity high,critical

# QUIET — ScoutSuite multi-cloud audit
scout aws --profile <profile> --report-dir ./scout-report

# MODERATE — Pacu enumeration (Pacu CLI)
# Pacu is interactive and keeps state in a session database: start `pacu`,
# then `ls` to list modules and `run <module>` for specific recon only

# MODERATE — Azure recon
roadrecon auth --device-code
roadrecon gather

# MODERATE — GCP enum (enumerates the whole project, careful)
gcloud projects list
gcloud iam service-accounts list --project=<project>

IAM Privilege Escalation Patterns

AWS PrivEsc (15 of the common 25 listed):

1. iam:CreateAccessKey on another user
2. iam:CreateLoginProfile on another user
3. iam:UpdateLoginProfile on another user
4. iam:AttachUserPolicy + ManagedPolicy AdministratorAccess
5. iam:AttachGroupPolicy
6. iam:AttachRolePolicy
7. iam:PutUserPolicy (inline policy)
8. iam:PutGroupPolicy
9. iam:PutRolePolicy
10. iam:AddUserToGroup
11. iam:UpdateAssumeRolePolicy
12. iam:PassRole + service action (lambda, ec2)
13. sts:AssumeRole (broad principal)
14. lambda:UpdateFunctionCode + lambda:InvokeFunction
15. lambda:CreateFunction + iam:PassRole
... (automated with Pacu modules)
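An added defender-side example, not part of this skill: a small static check that takes an IAM identity policy document (a parsed JSON dict) and reports which of the privilege-escalation actions above it grants, expanding `*`/`iam:*`-style wildcards and recognising the listed action pairs (items 12, 14 and 15). The sample policy and the account id in it are constructed; Deny statements, `NotAction` and `Condition` keys are deliberately ignored, so treat a hit as a review trigger rather than a confirmed path.

```python
import fnmatch

# Privesc-relevant IAM actions taken from the list above (constructed subset).
STANDALONE = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
}
# Pairs that only form a path together (items 12, 14 and 15 above).
COMBOS = [{"iam:PassRole", "lambda:CreateFunction"},
          {"lambda:UpdateFunctionCode", "lambda:InvokeFunction"}]
ALL_ACTIONS = STANDALONE.union(*COMBOS)

def _as_list(value):
    # IAM allows Statement/Action to be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Privesc actions granted by the Allow statements of an identity policy.
    Wildcards ("*", "iam:*", "iam:Put*") expand case-insensitively; Deny
    statements, NotAction and Condition keys are ignored in this example."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in ALL_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted

def find_privesc(policy):
    """Standalone privesc actions first, then every complete combination."""
    granted = allowed_actions(policy)
    findings = sorted(granted & STANDALONE)
    findings += [" + ".join(sorted(c)) for c in COMBOS if c <= granted]
    return findings

# Constructed sample: a "dev-readonly" policy that drifted into a privesc path.
SAMPLE_DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy",
         "Resource": "arn:aws:iam::111122223333:role/prod-admin"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
    ],
}
```

Feed it the output of `aws iam get-policy-version` or `get-user-policy` (the `Document` field) to review every policy attached to a low-privilege principal.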

Container Escape (K8s)

# QUIET — pod RBAC check (kubectl in pod)
kubectl auth can-i --list

# Pod escape signal:
# - hostPID: true
# - hostNetwork: true
# - privileged: true
# - hostPath mount /
# - Capabilities: SYS_ADMIN, SYS_PTRACE

# Service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# IMDSv1 reach from pod
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
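An added example for the escape-signal list above, not part of this skill: an admission-style check over a parsed Pod manifest (dict) that reports `hostPID`/`hostNetwork`, `privileged`, `hostPath` mounts (root path called out separately), the `SYS_ADMIN`/`SYS_PTRACE` capabilities, and whether the service-account token the skill reads from `/var/run/secrets/...` would be auto-mounted. The sample manifest is constructed.

```python
# Escape signals from the list above, checked defender-side on a Pod spec.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE"}

def pod_escape_signals(pod):
    """Return the escape signals present in a Pod manifest, in spec order."""
    spec = pod.get("spec", {})
    signals = []
    for flag in ("hostPID", "hostNetwork"):
        if spec.get(flag) is True:
            signals.append(f"{flag}: true")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            kind = "root" if path == "/" else "path"
            signals.append(f"hostPath {kind} mount: {path}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            signals.append(f"privileged: true ({c['name']})")
        # Capabilities may be written as SYS_ADMIN or CAP_SYS_ADMIN; "ALL" covers both.
        added = {cap.upper().removeprefix("CAP_")
                 for cap in sc.get("capabilities", {}).get("add", [])}
        for cap in sorted(added & (RISKY_CAPS | {"ALL"})):
            signals.append(f"capability {cap} ({c['name']})")
    # The token at /var/run/secrets/kubernetes.io/serviceaccount/token is only
    # present when automount is left at its default of true.
    if spec.get("automountServiceAccountToken", True):
        signals.append("service account token auto-mounted")
    return signals

# Constructed manifest: a "node debug" pod carrying several signals at once.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"capabilities": {"add": ["SYS_PTRACE", "NET_BIND_SERVICE"]}},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}
```

Run it over `kubectl get pods -A -o json` (each item under `items`) to find pods that should be blocked by a Pod Security admission `restricted` profile.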

Output Template

## Cloud Pentest — <account>

### IAM Path
- User: dev-readonly
- Excessive: iam:UpdateAssumeRolePolicy on role "prod-admin"
- Path: dev-readonly -> update trust policy -> sts:AssumeRole prod-admin -> *
- Time-to-DA: 2 minutes

### Public Asset
- S3 bucket "company-backups" — anonymous list + read (1.2TB exposure)
- 3 prod EC2 instances IMDSv1 only -> SSRF chain risk

### Defensive Recommendations
- IAM policy review: iam:* actions only for the break-glass account
- S3 bucket policy: Principal "*" forbidden (block public access at account level)
- EC2 metadata: IMDSv2 required (hop limit 1)

Out-of-Scope

  • Deleting / writing production data
  • Creating resources (careful not to incur cost — engagement cost limit)
  • 3rd party services (Stripe, SendGrid) — out-of-scope by default
Install via CLI
npx skills add https://github.com/fatihkan/badi --skill pentest-cloud