Authorized testing only. The techniques and tools on this page are for use against systems you own or have explicit written authorization to test. Running them against anyone else's cloud - including a former employer's, a customer's, or a vendor's - is illegal under the U.S. Computer Fraud and Abuse Act, the U.K. Computer Misuse Act, and equivalent laws in most jurisdictions. Get the rules-of-engagement document signed before you start. The CSOH community does not condone unauthorized access.
The 30-second version: Cloud pentesting trades the network for the API and the host for the identity. The control plane is the new attack surface; the IAM graph is the new internal network; a leaked access key is the new SQL injection. The professional toolkit is open source and well-documented - Pacu for AWS, ROADtools and MicroBurst for Azure, gcphound and the Rhino privesc matrix for GCP, BloodHound across all three. Vulnerable training environments - CloudGoat, AWSGoat, Sadcloud, IAM Vulnerable - let you build the muscle memory without the legal risk.
This page is the methodology and the production-targeting perspective. If you want to practice the techniques in a safe environment, the CTFs page is the lab. If you want to know how defenders see these techniques, the detection engineering page is the mirror.
On this page
- Why cloud pentesting is different
- Legal & provider policy
- Rules of engagement
- Methodology frameworks
- Recon
- Initial access vectors
- AWS attack paths
- Azure attack paths
- GCP attack paths
- Kubernetes attack paths
- Container & supply-chain attacks
- Persistence in cloud
- Data exfiltration
- Open-source toolkit
- Pentest vs red team vs adversary emulation
- Reporting
- CSP offerings & vetted firms
- AWS / Azure / GCP side-by-side
- Maturity stages
- Common pitfalls
- Further reading
- FAQ
Why cloud pentesting is different
A traditional network pentest starts with an IP range and a goal of finding listening services with exploitable vulnerabilities. The mental model is a perimeter to breach, a network to traverse, and hosts to compromise. The toolkit reflects that: nmap, Metasploit, Burp, BloodHound for on-prem Active Directory.
A cloud pentest starts with a set of accounts, subscriptions, or projects and a goal of finding chains of API calls that produce unauthorized outcomes. The mental model is a control plane to misuse, an IAM graph to traverse, and identities to compromise. nmap rarely helps; SDK calls and IAM policy analysis do.
Three shifts that matter
- API as the attack surface. Almost everything an attacker wants - read an S3 object, spin up an instance, modify an IAM policy, exfiltrate logs - is a single signed HTTPS request to a public AWS / Azure / GCP endpoint. There is no firewall in front of the cloud control plane; the only gate is authentication and authorization, and both are policy-driven. Misconfigure either and the door is open from anywhere on the internet.
- Identity as the new perimeter. An attacker with a valid access key, OIDC token, or service-principal certificate is "inside" by definition. The classic network-segmentation model assumes you can keep attackers out and then make movement difficult; cloud assumes any identity is potentially an attacker and makes the entire program about scoping the blast radius of each one. That's why IAM dominates cloud-security work and why most successful cloud attacks chain through an over-permissioned identity.
- Control plane vs data plane. The control plane is the management API - IAM, configuration, resource lifecycle. The data plane is the workload traffic - S3 GETs, database queries, Kubernetes pod-to-pod. Cloud pentesting concerns itself overwhelmingly with the control plane: it's where privilege escalation, persistence, and most exfiltration live. Data-plane testing exists (web app pentests, API security testing) but it's the same craft as on-prem with cloud-shaped logging behind it.
Practical consequence: the cloud pentester's day is reading IAM policies, mapping trust relationships, enumerating buckets, and writing one-line scripts against provider SDKs - not running scanners against ports. The same person who's expert at internal-network pivoting often struggles for the first month in cloud; the skill transfer is non-trivial. Tools like Pacu exist partly to bridge that gap by encoding the API-call shape of common techniques.
Legal & provider policy
Before any other consideration: cloud pentesting is unauthorized computer access unless explicitly authorized. Three layers of permission matter - the law, the cloud provider's policy, and the system owner's written authorization. Skipping any of the three is professional and legal risk.
The law
- U.S. - Computer Fraud and Abuse Act (CFAA). Unauthorized access or exceeding authorized access is a federal offense. The DOJ's 2022 policy revision narrowed prosecutorial focus toward "deliberate exceeding," but the underlying statute is unchanged.
- U.K. - Computer Misuse Act 1990. Section 1 covers unauthorized access; Sections 2 and 3 escalate based on intent and consequences.
- EU - NIS2 and Member State laws. National implementations criminalize unauthorized access; some (e.g., Germany's §202c) historically swept in tool possession, though scope has narrowed in practice.
- Other jurisdictions. Most countries have equivalent statutes. International testing crosses jurisdictional lines and requires authorization from each.
Provider policies
- AWS - since 2019, customers may perform penetration testing against most services without prior approval. Disruptive activities (DNS zone walking, port flooding, protocol flooding, request flooding, login flooding) still require approval via the Simulated Events form. Testing is bounded to your own resources; testing AWS infrastructure or other customers' resources is prohibited.
- Azure - customers may test their own subscriptions per the published Penetration Testing Rules of Engagement. Some operations (DoS testing, sustained heavy load) still require notification. Office 365 testing has its own document.
- GCP - customers may test their own projects per the Acceptable Use Policy without prior approval. The provider's network and other tenants are off-limits.
- SaaS on top of cloud - testing Snowflake, Databricks, Auth0, or any other SaaS that happens to run on AWS / Azure / GCP requires authorization from that SaaS provider, not the underlying cloud. Many have their own bug-bounty or pentest-disclosure programs.
System-owner authorization
Even with provider permission, you need the system owner's explicit written authorization. For internal teams testing their employer's environment, "I work here" is not authorization - employees can and have been prosecuted under the CFAA for exceeding their authorized scope. Get a document signed by an executive with authority over the systems in scope, naming the testers, the windows, the techniques, and the specific accounts / subscriptions / projects. Without it you have no defense if something breaks.
For external engagements, this is the master services agreement plus a statement of work plus a rules-of-engagement document. Keep all three signed and accessible during testing; engineers on the defending side will sometimes call security to verify when they see suspicious activity, and being able to produce the authorization within minutes is the difference between "noted, please continue" and "we just locked your account."
Rules of engagement
Rules of engagement (RoE) is the artifact that turns "permission to test" into "permission to test these specific things in these specific ways." A serviceable RoE document covers:
Scope
Which accounts, subscriptions, projects, regions, services, and applications are in scope. Equally important: what is explicitly out - production databases, third-party integrations, customer data, executive identities. Ambiguity here is the single most common cause of post-test disputes.
Windows
The hours and dates testing is authorized. Some orgs allow 24/7 testing; others want business-hours-only or weekend-only to limit incident response load. Define time zones explicitly; "9-5" is meaningless on a global team.
Techniques
What's permitted - phishing, password spraying, social engineering, denial-of-service simulation, malware deployment, physical. Most pure cloud engagements exclude DoS and social engineering by default; red-team engagements typically include them with explicit approval.
Communications
Daily standups, end-of-day status reports, immediate notification of high-impact findings, the emergency kill-switch contact. Both sides should know who to call at 3 AM when a tester's automation runs longer than expected.
Escalation
What triggers a stop-test? Finding evidence of an active intrusion (not yours), discovering customer PII that wasn't expected in scope, accidentally affecting a production system, regulatory data accessed without authorization. Define the threshold and the response.
IR notification
Who on the SOC / IR team knows the test is happening, and what level of detail they're given. Fully informed = compliance test. Partially informed (deconflict only) = realistic exercise. Uninformed = full red team, with executive sponsor available to vouch on demand.
Sign every revision. RoE that drift mid-engagement without written approval are the source of every "I thought you said we could do that" conversation that ends a relationship with a customer or an internal stakeholder.
Methodology frameworks
You don't need to memorize all of these, but you do need one as your skeleton. The discipline of working through every phase - not just the ones that produced findings last time - is what separates pentesting from ad-hoc hacking.
- PTES (Penetration Testing Execution Standard) - the long-standing seven-phase pentest model: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting. Cloud-agnostic; still the best general scaffold.
- MITRE ATT&CK Cloud Matrix - the lingua franca for techniques. Sub-matrices for IaaS (AWS / Azure / GCP) and SaaS (Office 365, Google Workspace, Entra ID). Mapping your findings to ATT&CK technique IDs makes them immediately legible to defenders and to the auditor.
- OWASP Cloud Security Testing Guide - vendor-neutral test categories and method recommendations. Less mature than the OWASP Web Security Testing Guide but useful as a checklist.
- Hacking the Cloud (HTC) wiki - the community-maintained encyclopedia of cloud attack techniques, with concrete commands and tool references. Maintained by Nick Frichette and contributors. The closest thing to a one-stop reference for cloud-specific TTPs.
- CloudPentestCheatsheets - Beau Bullock / Black Hills Information Security maintained cheat sheets across cloud platforms.
- NetSPI Cloud Penetration Testing Playbook and similar vendor-published playbooks - practitioner-written sequences that map well to engagements.
- Provider attack-path knowledge - Rhino Security Labs' AWS IAM Privilege Escalation, GCP IAM Privilege Escalation, and the corresponding Azure community lists. Memorize the named techniques; they're the building blocks of every cloud privesc chain.
Pick PTES or ATT&CK as the primary; reference the others. The deliverable should map every finding to a phase and a technique - the reader downstream (engineer, auditor, executive) gets to navigate it that way.
Recon
Cloud recon is less about port-scanning and more about enumerating the public surface area an organization has accidentally created: forgotten buckets, expired CDN domains, certificate-transparency leaks, credentials in public repos. The work is fast, asymmetric, and entirely legal when done against your own org (or with permission).
Public storage enumeration
- S3Scanner - fast scanner for publicly accessible S3 buckets and listable contents.
- cloud_enum - multi-cloud bucket / blob / GCS bucket enumeration by keyword.
- GrayhatWarfare - index of public buckets and the files in them. Useful for keyword-driven discovery.
- CloudHunter - bucket discovery across AWS, Azure, and GCP with permission probing.
- bucket-stream, Rhino's S3 tools - older but well-known reference implementations.
DNS, ASN, and certificate-transparency
- amass - comprehensive subdomain discovery across passive and active sources.
- dnstwist - typo-squat and homograph discovery; surfaces lookalike domains that may indicate prior or in-progress phishing.
- crt.sh, Censys, Shodan - certificate-transparency and internet-scanning surfaces that frequently leak cloud asset hostnames.
- ASN / IP-range discovery - AWS publishes
ip-ranges.json, Azure publishes service tag ranges, GCP publishescloud.json. Cross-reference public-facing IPs back to provider services to identify cloud surface.
Credential discovery
- TruffleHog - scans GitHub, GitLab, S3, Docker, and more for live credentials with verification.
- Gitleaks - fast secret scanner with extensive rule library.
- Postman, Docker Hub, public CI configs - frequent secret-leak surfaces. Don't underestimate Docker Hub:
ENV AWS_SECRET_ACCESS_KEY=…baked into a layer is more common than it should be. - Paste sites, Discord channels, leak archives - for engagements where threat-actor mimicry is in scope. Tread carefully - possession of someone else's credentials is itself a legal issue.
Initial access vectors
Cloud initial access overwhelmingly comes from credentials, not exploits. The 2022-2025 breach record (Capital One, SolarWinds-related, MOVEit, Snowflake-customer wave, Sisense, Microsoft midnight-blizzard, et al.) is a long list of stolen, exposed, or phished access tokens. Concrete vectors:
- Leaked IAM keys in public code. GitHub, GitLab, Bitbucket public repos; gists; Postman public workspaces; archive.org. Tools above plus continuous monitoring (GitHub Secret Scanning, GitGuardian, Aikido) catch the obvious ones; targeted hunting still finds plenty.
- Server-side request forgery (SSRF) to instance metadata. The 2019 Capital One breach is the canonical example: SSRF in a web app that called the AWS IMDS endpoint, retrieved temporary credentials, and pivoted to S3. IMDSv1 is exposed by default to any code that can reach
169.254.169.254. IMDSv2 requires a session token (PUT then GET), defeating most SSRF; enable it everywhere. Equivalent metadata endpoints exist for Azure (169.254.169.254/metadata/identity, requires header) and GCP (metadata.google.internal, requiresMetadata-Flavor: Google). - CI/CD token theft. GitHub Actions OIDC, GitLab CI tokens, CircleCI contexts, Buildkite agent secrets. A compromised workflow file or a malicious public-repo pull-request can ship tokens to an attacker. The Codecov, CircleCI, and Travis CI incidents collectively redefined the threat model here.
- OIDC trust misconfiguration. An AWS role with a
token.actions.githubusercontent.comtrust policy that doesn't constrainsubclaims is callable from any GitHub Actions workflow on the public internet. Same pattern across Azure federated credentials and GCP Workload Identity Federation. - Supply-chain compromise. npm, PyPI, RubyGems, Docker Hub, Terraform Registry. A backdoored dependency in your build executes with your CI's cloud credentials. See threat research for the running list of major incidents.
- Phishing. Identity providers (Entra ID, Okta, Google Workspace) are the primary front door now. Modern phishing kits (Evilginx, EvilProxy, Tycoon, Mamba 2FA) proxy through real login pages and capture session cookies, bypassing most MFA forms. Conditional access policies and phishing-resistant MFA (FIDO2 / passkeys) are the practical mitigations.
- Compromised third-party integrations. SaaS connectors with cloud-read permissions (CSPM tools, analytics platforms, billing tools) are increasingly the foothold. The 2024 Sisense disclosure made this category mainstream; SaaS security (SSPM) covers the defensive view.
- Forgotten infrastructure. An EC2 instance with an old IAM role attached, an Azure VM in an abandoned resource group, a GCP project from a long-departed team. Discoverability + permission persistence = foothold.
AWS attack paths
AWS attack paths overwhelmingly involve IAM. Once you've established a foothold (credentials, role, instance), the workflow is: enumerate what you can do, find the path to what you want, execute it.
Enumeration
- enumerate-iam - brute-force every IAM action against a set of credentials to discover what's permitted. Loud but thorough.
aws sts get-caller-identity- sanity check on identity; the first command run against any new credential.- Cloudfox - fast situational-awareness tool from Bishop Fox. Inventories users, roles, instances, secrets, and exploitable conditions in minutes.
- CloudMapper, PMapper, awspx - IAM-graph analysis. Find paths from low-privileged identities to admin or to specific target resources.
- BloodHound CE with AWS ingestor - the same BloodHound interface defenders use, applied to AWS identity graphs.
IMDS abuse
SSRF against http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns the role name; another GET returns temporary credentials valid for the role's session. IMDSv2 requires a PUT to /latest/api/token first with a TTL header, blocking simple SSRF. Many environments still allow IMDSv1; aws ec2 modify-instance-metadata-options --http-tokens required is the fix.
IAM privilege escalation chains
The named primitives - memorize them, then watch Rhino's full matrix for the rest:
iam:PassRole+ec2:RunInstances- launch an EC2 with a more-privileged role attached; SSH or SSM into it; inherit the role.iam:PassRole+lambda:CreateFunction+lambda:InvokeFunction- create a Lambda with a target role, invoke it, exfiltrate the role's credentials fromprocess.env.iam:CreateAccessKeyon another user - mint a key for them, log in as them.iam:UpdateAssumeRolePolicy- modify a role's trust policy to trust you, then assume it.iam:AttachUserPolicy/AttachRolePolicy/PutUserPolicy- grant yourselfAdministratorAccess.iam:CreatePolicyVersion+SetDefaultPolicyVersion- modify an existing policy you can use, escalate.sts:AssumeRolechain - cross-account or cross-role assumption that grants more permission. AWS allows transitive assumption; the chain may span accounts you don't initially see.
Resource-specific paths
- S3. Bucket policies with wildcard principals, ACLs granting
AuthenticatedUsers(every AWS user, not just yours), pre-signed URLs leaked in code, sub-resource attacks on website config / lifecycle / CORS. - SSM Run Command / Session Manager.
ssm:SendCommandwith the right document permissions is remote code execution on every instance with the SSM agent.ssm:StartSessionis interactive shell. - EC2 / EBS. Snapshot creation + sharing to attacker account, EBS direct API (read snapshots without attaching), AMI sharing.
- Lambda. Environment-variable secrets, Lambda layers with backdoors, function-URL exposure, event-source-mapping persistence.
- Secrets Manager / SSM Parameter Store.
GetSecretValue/GetParameterwith overly broad resource policies. - KMS. Key policies that allow decryption from broader principals than intended; cross-account key-grant abuse.
- Cognito. Misconfigured user-pool trust, sign-up enabled on private apps, identity-pool unauth role with too much access.
Pacu modules to know
Pacu packages most of the above into named modules. The first-day list:
iam__enum_permissions,iam__enum_users_roles_policies_groups,iam__privesc_scanec2__enum,s3__bucket_finder,lambda__enumcloudtrail__download_event_history(post-exploit reconnaissance)iam__backdoor_users_keys,lambda__backdoor_new_*(persistence - only with explicit authorization)detection__enum_services- find what's logging, what's monitoring, what's likely to alert
Azure attack paths
Azure paths split between the management plane (subscriptions, resource groups, RBAC) and the identity plane (Entra ID, formerly Azure AD). The most damaging attacks chain across both - phish an identity, abuse RBAC inheritance, pivot to managed identities, escalate to Global Administrator.
Entra ID / Azure AD recon
- ROADtools - the gold standard for Entra ID enumeration. Dumps tenant directory into a local database; queryable graph. Author: Dirk-jan Mollema.
- AADInternals - extensive PowerShell toolkit for Entra ID research; Dr. Nestori Syynimaa's running encyclopedia of tenant-level techniques.
- MFASweep - probe whether MFA is enforced on each Microsoft endpoint (Office portal, Azure portal, Graph, ActiveSync, legacy auth).
- TeamFiltration - Teams-focused enumeration and access; useful for password-spraying-with-context.
- GraphRunner - post-compromise toolkit for Microsoft Graph; data exfil, persistence, Teams-side actions.
Phishing & consent grants
- Adversary-in-the-middle phishing. Evilginx, EvilProxy, Tycoon, Mamba 2FA. Proxy the real Microsoft login page, capture the session cookie post-MFA, replay it. Defeats most non-FIDO2 MFA. The Microsoft midnight-blizzard and Storm-2372 patterns documented this category at scale.
- Illicit consent grants. Trick a user into approving a malicious OAuth app with delegated permissions (read mail, read files, send-as). Once approved, the attacker has Graph API access scoped to the user - no password needed. Mitigations: user-consent restrictions, admin-consent workflows.
- Device code phishing. Send a target a legitimate Microsoft device-code URL; they paste your code; you're logged in. Conditional access on device compliance is the practical fix.
RBAC and managed identity
- RBAC inheritance. Permissions flow management-group → subscription → resource-group → resource. A user with Owner at management-group scope has Owner everywhere. Run
az role assignment list --all; review high-scope assignments first. - Managed identity abuse. System-assigned and user-assigned MIs attach to compute resources. Any code on the VM, App Service, or Function can request a token via the metadata endpoint. Equivalent to AWS instance roles; same caveats about role scoping.
- Service principal credentials. Stored in app registrations, often in code or in Storage; common credential-discovery target.
az ad sp credential list. - Privileged Identity Management (PIM) gaps. Standing-permanent role assignments instead of just-in-time; eligible-to-active without approval; cooling-off period bypasses.
Tools
- MicroBurst - NetSPI's PowerShell-based Azure offensive toolkit. Subscription enumeration, storage-account discovery, key-vault dumping.
- BloodHound CE with AzureHound - graph attack paths across Entra ID and Azure resources.
- Stormspotter - Microsoft's open-source Azure-resource graph tool (defender-oriented but useful offensively).
- ScoutSuite - multi-cloud auditor with Azure module.
- AzureC2-related toolchains and similar projects - use only in authorized testing.
GCP attack paths
GCP gets less open-source pentest tooling attention than AWS or Azure, but its attack surface is fully present. Service-account impersonation is the GCP equivalent of iam:AssumeRole, and most privilege escalations chain through it.
Recon
- gcp_enum - GitLab Red Team's enumeration script.
- GCPBucketBrute - GCS bucket enumeration with permission probing.
- cloud_enum, ScoutSuite - both have GCP modules.
- gcp_scanner - Google-published asset discovery tool, originally for incident response, widely repurposed.
- hayat - GCP auditing / pentest helper.
GCP IAM privilege escalation
Rhino Security Labs maintains the canonical GCP IAM privilege escalation matrix. The named primitives:
iam.serviceAccounts.getAccessToken- direct service-account impersonation. The most common privesc primitive.iam.serviceAccounts.implicitDelegation- chain impersonation across multiple service accounts.iam.serviceAccounts.signJwt/signBlob- mint signed credentials.deploymentmanager.deployments.create- run Deployment Manager as the project's default service account; classic privesc to Owner.cloudfunctions.functions.create/create+actAs- create a Cloud Function with a higher-privileged service account.compute.instances.setMetadata- inject SSH keys into instance metadata; gain shell as a privileged user.cloudbuild.builds.create- Cloud Build runs as the Cloud Build service account, often more privileged than the caller.- IAM Conditions bypass - conditional bindings can be set to expressions that evaluate to
truefor the attacker if the writer misconstructed the condition.
Resource-specific paths
- GCS. Public buckets,
allUsers/allAuthenticatedUsersbindings, bucket-takeover via dangling DNS to non-existent buckets. - Compute Engine. Metadata-server abuse (with the required
Metadata-Flavor: Googleheader), SSH-key injection, OS Login bypasses. - Cloud Run / Functions. Unauthenticated invocation flags, container-image build poisoning, environment-variable secret exposure.
- BigQuery. Authorized-views misconfiguration, dataset-level
allUsers, scheduled-query exfiltration. - Workload Identity Federation. Overly permissive trust on external identity providers, OIDC
subclaims not constrained.
Tools
- BloodHound for GCP via gcphound and SpecterOps research - modeling GCP IAM as a BloodHound graph is the current frontier.
- Pacu-style GCP framework - there isn't a single dominant one yet; the community uses combinations of the above.
Kubernetes attack paths
Kubernetes is its own attack surface that sits inside a cloud account. Compromising a pod gives you a foothold; the question is whether you can escape the pod, escalate within the cluster, or reach the cloud control plane via the cluster's identity.
- Pod escape via privileged containers.
privileged: true,hostPID,hostNetwork,hostPathmounts - each is a known escape primitive. Mount/from the host, write to/etc/cron.d, you have root on the node. - Container-runtime CVEs. CVE-2024-21626 (runc), CVE-2022-0185 (kernel), historical CVE-2019-5736 (runc). The escape pattern is the same: container code writes to a host-accessible path, gets executed by the host.
- ServiceAccount token theft. Every pod mounts a token at
/var/run/secrets/kubernetes.io/serviceaccount/tokenunless explicitly disabled. Exfiltrate the token, query the API server as that SA. - RBAC privilege escalation. A ServiceAccount with
get secretsinkube-systemcan read every cluster secret; withcreate podsin any namespace +bindon a higher-privilege ClusterRole, escalate. Tools: KubiScan, peirates. - Exposed kubelet. Port 10250 with anonymous-auth enabled (historically common) gives shell-on-any-pod via the kubelet API.
- Cloud-credential pivots. A pod with IRSA (AWS), workload identity (GCP), or Azure Workload Identity gets cloud credentials; compromising the pod gets you the cloud role.
- Tiller / Helm legacy. Still occasionally found. Helm v2's Tiller is a cluster-admin in disguise.
- Misconfigured admission. No PodSecurity admission, no policy engine, or one that's been disabled - pods can be launched with any spec.
Tools
- kube-hunter - active and passive scanning for cluster-side weaknesses.
- peirates - post-exploitation framework for Kubernetes; the Pacu of K8s.
- KubeStriker - multi-faceted Kubernetes security assessment.
- kube-bench - CIS Kubernetes Benchmark scoring; defender-oriented but useful baseline.
- kubeletctl - directly query the kubelet API where exposed.
More on hardening: the Kubernetes page.
Container & supply-chain attacks
The 2020-2025 wave (SolarWinds, Codecov, ua-parser-js, MOVEit, 3CX, Okta breach via Sisense, XZ Utils, npm typosquats) made supply-chain the most discussed attack vector in cloud security. From an offensive perspective, the patterns:
- Registry takeover. Expired DNS on a registry domain, abandoned package maintainer accounts, scoped-package squatting.
- Base-image poisoning. Public Docker Hub images marketed as legitimate; users
FROMthem and inherit the backdoor. Watch for low-reputation images getting pulled. - Build-time injection. Compromised GitHub Actions runners, malicious GitHub Actions in the marketplace (the
tj-actions/changed-files2025 incident), GitLab CI runner registration leaks. - Dependency confusion. Internal package names registered on public registries with higher version numbers; CI installs the public malicious version.
- SLSA evasion. Even high-SLSA-grade builds can be subverted at the source-code level (typosquat in a test file, backdoor in a feature branch that's auto-merged). Provenance attestations don't replace code review.
- OIDC trust over-broad scope. A federated trust that accepts any
repo:org/*claim is callable from any forked PR workflow on a public repo. Constrain to specific repos and refs.
See threat research - supply chain attacks for the running incident log; see CI/CD for the defensive side.
Persistence in cloud
Persistence in cloud rarely looks like a host-resident implant. It looks like an IAM artifact that an attacker can use to come back even after the initial credentials are rotated.
- Backdoor IAM users. Create a new user with a benign name (
billing-readonly,backup-svc), attach an admin policy, mint an access key. Stays until someone audits the user list. - Additional access keys on existing users. Each IAM user can have two active keys. Mint a second key on a privileged user; the first owner sees nothing unusual.
- Trust-policy modifications. Add the attacker's account (or an external OIDC provider) to a role's
AssumeRolePolicyDocument. The role still works for legitimate users; it also works for the attacker. - Lambda backdoors. A Lambda triggered by an innocuous event (a daily CloudWatch rule, a never-used SQS queue) that re-creates the attacker's access on each run. Pacu's
lambda__backdoor_new_*family. - Event-source-mapping persistence. Persistent associations between event sources and functions that survive function deletion.
- SSM hybrid activations. Register a non-AWS server (or a server the attacker controls) as an SSM-managed instance in the account; gives them ongoing console access.
- Azure equivalents - service-principal credential additions, application-permission grants, federated-credential additions, custom role definitions, conditional-access exclusions.
- GCP equivalents - service-account key creation, IAM bindings on the project that grant
roles/ownerto attacker-controlled identities, Cloud Function triggers. - Identity-provider-layer persistence. Adding a federated IdP that the attacker controls, modifying SSO assertion mappings, adding break-glass accounts the org doesn't audit.
Defenders: this is exactly the catalog detection engineering should be building rules against. The CloudTrail / Activity Log / Audit Log events for each of the above are well-documented; alerting on them by default catches a large fraction of real-world post-compromise behavior.
Data exfiltration
- S3 cross-account replication. Configure replication from the victim bucket to an attacker-controlled bucket. Future writes are mirrored; the rule is invisible unless someone reviews the bucket's replication configuration.
- Public snapshot sharing. EBS, RDS, AMI snapshots can be shared with another account ID or made public; the data is then readable from outside without exfiltrating bytes through the victim's network.
- SQS / SNS to attacker account. Subscribe an attacker SQS queue to a victim SNS topic; messages flow out without ever leaving the AWS network.
- BigQuery data transfer / authorized views. Set up a scheduled transfer or an authorized view that exposes data to an attacker project.
- Storage Transfer Service. GCP's bulk-copy service can move TBs of GCS data to an attacker-controlled destination - provider-internal, no network traffic to monitor.
- DNS exfiltration. Encoded data in DNS queries to attacker-controlled domains; defeats most network egress controls.
- Pre-signed URL leakage. Generate long-lived pre-signed URLs to sensitive S3 objects; the URLs themselves are credentials.
- Cross-account Lambda invocation. Lambda function URL with permissive resource policy; data passed through.
- VPC endpoint policy gaps. Most orgs allow
s3:GetObjectat any S3 endpoint, including buckets in other AWS accounts. Resource-perimeter controls (SCPs withaws:ResourceOrgID) close this.
The recurring pattern: cloud exfil prefers staying inside the cloud's own network where possible. Egress monitoring designed for traditional data exfiltration (lots of bytes leaving via HTTPS) misses most of it. Provider-side controls (resource perimeters, deny-by-default cross-account flows, replication monitoring) are the actual defense.
Open-source toolkit overview
The full landscape, organized by where you'll use it. Most tools are MIT or Apache-2.0; treat the active maintainer list as a signal of whether something is current.
AWS
- Pacu - the exploitation framework. Modular, scriptable, well-documented.
- ScoutSuite - multi-cloud auditor; auditor-shaped reports.
- Prowler - open-source security assessment, with strong AWS coverage and growing Azure / GCP / K8s modules.
- Cloudfox - situational-awareness for AWS, Azure, GCP.
- IAM Vulnerable - practice environment for IAM privilege escalation.
- awspx - IAM-graph visualization and attack-path analysis.
- PMapper - Principal Mapper; finds attack paths in IAM at scale.
- enumerate-iam - brute-force permission enumeration.
- S3Scanner, cloud_enum - public storage discovery.
- TruffleHog, Gitleaks - secret discovery.
- weirdAAL, aws_enum family - older but instructive enumeration toolkits.
Azure
- ROADtools - Entra ID recon and analysis.
- MicroBurst - PowerShell offensive toolkit.
- AzureHound + BloodHound CE - attack-path graphing.
- Stormspotter - Microsoft's Azure resource graph tool.
- AADInternals - comprehensive Entra ID toolkit.
- TeamFiltration - Teams / O365 enumeration and access.
- GraphRunner - post-exploit Microsoft Graph toolkit.
- MFASweep - MFA enforcement probing.
- Evilginx - AiTM phishing framework (authorized testing only).
GCP
- gcp_enum - GitLab Red Team enumeration script.
- gcp_scanner - Google-published scanner.
- GCPBucketBrute - GCS enumeration.
- hayat - GCP auditing.
- GCP IAM Privilege Escalation - reference matrix and tooling.
- gcphound / BloodHound for GCP - emerging graph tooling.
- ScoutSuite, Prowler - auditors with GCP coverage.
Multi-cloud and graph
- BloodHound CE - open-source graph attack-path tool, the spiritual successor to the AD-only BloodHound. Now supports AWS, Azure, GCP.
- Cartography - Lyft's asset-relationship graph; defender-oriented but powerful for offensive recon.
- Steampipe - SQL over cloud APIs; rapid ad-hoc queries.
- CloudQuery - cloud asset ingestion to your DB of choice.
Adversary emulation & training
- Stratus Red Team - Datadog's tool for granular cloud-attack emulation; each technique mapped to MITRE ATT&CK.
- Leonidas - F-Secure / WithSecure framework for AWS attack emulation.
- CALDERA with cloud plugins - MITRE's automated adversary emulation.
- CloudGoat - AWS deliberately-vulnerable lab. The training environment most cloud pentesters start on.
- AWSGoat, AzureGoat, GCPGoat - INE Labs' vulnerable-by-design environments.
- Sadcloud - Terraform for spinning up insecure AWS architectures.
- AttackForge, commercial purple-team platforms - non-OSS, but in the same workflow category.
- AWS Threat Detection Tester and similar provider-published red-team kits.
For where to practice with these - full lab and CTF list - see the CTFs page.
Pentest vs red team vs adversary emulation vs purple team
The terms get used interchangeably. They're not the same activity, and confusing them in scoping leads to underwhelmed customers.
| Activity | Goal | Method | Deliverable | Typical duration |
|---|---|---|---|---|
| Pentest | Find exploitable issues in defined scope | Manual + tool-assisted technical testing | Finding-by-finding report with CVSS-style scoring | 1-4 weeks |
| Red team | Achieve a defined objective covertly | Whatever the RoE permits - phish, code, physical | Attack narrative + objective-completion summary | 4-12 weeks |
| Adversary emulation | Reproduce a specific actor's TTPs to test detections | Structured execution of mapped ATT&CK techniques | Coverage matrix (which techniques detected, which missed) | 1-3 weeks per emulation plan |
| Purple team | Collaboratively improve detection & response | Red-team executes, blue-team watches, both iterate live | Improved detections; closed gaps; team training | 1-5 days per exercise; ongoing program |
| Bug bounty | Crowdsource finding novel issues | External researchers; pay per valid report | Continuous flow of triaged findings | Continuous |
A mature program uses several. The most common starting sequence: annual external pentest (for compliance), quarterly internal red team or Stratus-driven exercises (for change validation), continuous bug bounty (for novel-issue volume), regular purple-team days (for detection improvement).
Reporting
The report is the deliverable. Most engagements live or die on it: a clean technical narrative that shows the chain, not just the findings, is what gets remediation prioritized. The structure that travels well:
- Executive summary. One page. Three to five sentences on what was tested, what the most impactful findings were, what risk they represent in business terms, and what's recommended. The CISO reads this; the board reads this. No CVSS scores.
- Scope & methodology. What was in / out, what techniques were used, what frameworks were referenced (PTES phases, ATT&CK techniques). Lets the reader judge how much to generalize the findings.
- Attack narrative. The story of how a notional attacker would progress from foothold to objective - including the failures, the dead ends, and the conditions under which the attack succeeded. This is the section that converts findings into business-decision input.
- Findings. Per-finding writeups with: title, severity, affected assets, reproduction steps, evidence (screenshots, command output, IDs), exploitability prerequisites, remediation guidance, references. Map each to ATT&CK and to the affected control framework if relevant.
- Strategic recommendations. Beyond the findings - patterns the team saw (e.g., "service-account keys are everywhere," "no organization-wide CloudTrail," "no policy-as-code"). These produce roadmap items.
- Retest commitments. Which findings will be retested, by when, by whom. A finding without a retest is a finding the org might not fix.
- Appendix. Raw tool output, full enumeration logs, screenshots, hashes of any artifacts. Auditors will sometimes ask for these.
The single most common reporting mistake is dropping a list of CVEs without showing exploitability. A CVE-2024-something on an internal Lambda runtime is a finding. A CVE-2024-something on a public Lambda function URL that accepts unauthenticated requests and uses a role with iam:PassRole on the admin role is a critical attack chain. Same vuln, different report.
CSP offerings & vetted firms
The cloud providers each ship offensive-security-adjacent services, and there's a small set of consulting firms that have built distinct cloud-pentest reputations.
Provider offerings
- AWS Customer Incident Response Team (CIRT) - not a pentest, but the team you'll work with on an active incident.
- AWS Well-Architected reviews with a Security Pillar focus - partner-delivered design assessments; not a pentest but adjacent.
- Microsoft Detection & Response Team (DART) and Azure Red Team blogs - Microsoft's own offensive-security publishing is a primary reference for Entra-ID-side techniques.
- Google Project Zero / Google Cloud Threat Intelligence and Mandiant (now part of Google Cloud) - heavyweight offensive research and engagement-as-a-service.
Cloud-pentest-known firms
- Mandiant - incident response heritage; deep red-team practice.
- Bishop Fox - maintainers of Cloudfox; cloud-specialist red team.
- Praetorian - cloud-pentest specialty; Chariot platform.
- Rhino Security Labs - maintainers of Pacu, CloudGoat, the IAM privesc matrices. The reference point for AWS pentesting.
- NCC Group - maintainers of ScoutSuite, PMapper, Sadcloud. Broad cloud + identity practice.
- TrustedSec - strong on social-engineering / red-team blended engagements.
- Coalfire - significant FedRAMP 3PAO and pentest practice.
- IOActive - long-standing pentest firm; cloud-aware.
- NetSPI - maintainers of MicroBurst; Azure-strong.
- Black Hills Information Security - broad pentest; CloudPentestCheatsheets author.
- WithSecure (formerly F-Secure) - Leonidas maintainers; cloud-specific research.
- SpecterOps - BloodHound CE / AzureHound stewards; identity-graph specialty.
Selection criteria: ask for redacted reports from prior engagements, ask which tools they maintain or contribute to, ask whether they'll use a named team or hand the work to whoever's available. The named-firm-but-junior-tester pattern is the dominant complaint about big-name consulting.
AWS, Azure, and GCP side-by-side
The pentest-relevant differences between the three clouds, reduced to a one-screen reference.
| Dimension | AWS | Azure | GCP |
|---|---|---|---|
| Customer pentest policy | Permitted on most services without approval (since 2019) | Permitted per Rules of Engagement | Permitted per Acceptable Use Policy |
| Notification required | For disruptive techniques only (Simulated Events form) | For some high-impact tests | No, but contact required if AUP applies |
| Out-of-scope | Provider infrastructure, other tenants | Provider infrastructure, other tenants, M365 separately | Provider infrastructure, other tenants |
| Dominant identity model | IAM users + IAM roles + STS | Entra ID + RBAC + managed identities | Cloud IAM + service accounts |
| Privesc primitive | iam:PassRole + run/invoke service |
RBAC role assignment / managed-identity abuse | iam.serviceAccounts.actAs + service that runs as it |
| Metadata endpoint | 169.254.169.254 (IMDSv1 / v2) |
169.254.169.254/metadata/identity (header required) |
metadata.google.internal (Metadata-Flavor: Google) |
| Premier exploitation framework | Pacu | ROADtools + MicroBurst + AADInternals | No single dominant; gcp_enum, gcp_scanner, ScoutSuite |
| Graph tool | BloodHound CE, PMapper, awspx | BloodHound CE + AzureHound | BloodHound CE + gcphound |
| Provider attack-emulation tooling | AWS Threat Detection Tester, Detective | Defender for Cloud attack-path analysis | Security Command Center Attack Path Simulation |
| Vulnerable-by-design lab | CloudGoat, AWSGoat, Sadcloud, IAM Vulnerable | AzureGoat, MicroBurst-Lab | GCPGoat, GCP-Goat |
Maturity stages
A useful staging model for a cloud-offensive-testing program:
Stage 1 - Annual external pentest
One external engagement per year, scoped against the compliance framework (SOC 2, ISO 27001, PCI DSS). Findings tracked in a spreadsheet; retest scheduled six months later. The minimum for most audit programs. Cost: $40k-$150k depending on scope.
Stage 2 - Quarterly internal exercises
Stratus Red Team or CloudGoat-driven exercises run quarterly by the security team. Bug bounty stood up. Findings flow to the same backlog as external-pentest findings. Detection engineering starts pairing rules to each emulated technique.
Stage 3 - Continuous adversary emulation
Adversary-emulation plans for the threat actors most relevant to the business - credential-theft groups, ransomware affiliates, supply-chain actors. Each plan run continuously; gaps in detection coverage tracked as a primary security metric. Internal red team forming.
Stage 4 - Mature purple-team program
Dedicated red team, integrated with detection engineering and IR. Engagement objectives align to business risk (exfiltrate the customer database, achieve admin-level persistence undetected for 30 days). Findings inform product roadmap, not just remediation tickets.
Skipping stages is expensive. Stage 4 without Stage 1's compliance signoff means the audit fails. Stage 4 without Stage 2's tool familiarity means the red team can't reproduce its own findings in writing. Sequence matters.
Common pitfalls
- Scope drift. "While we were in there we also looked at…" produces findings the customer hasn't authorized you to discover. Stay in the documented scope; document every observation you didn't act on.
- No executive sponsor. Without a named executive who can ratify the engagement in real time, the test stops the moment any operational team objects. Get the sponsor confirmed before tooling fires.
- Test-only-in-prod. Real-world TTPs need real-world environments, but every test in production carries availability risk. Stage in pre-prod where possible; reserve prod for techniques that can't be reproduced anywhere else, with explicit per-technique approval.
- No retest discipline. Findings without a scheduled retest become "we'll get to it" tickets that age out. Schedule the retest in the contract, not after.
- Findings without exploitability. CVE lists are an inventory; chain demonstrations are a pentest. If the customer can't tell what an attacker would actually do with the finding, they will under-prioritize it.
- Dropping CVEs without showing the chain. A vulnerability scanner produces output; a pentester produces narrative. Customers paying pentester rates expect the latter.
- Misunderstanding shared responsibility. Pentesting AWS infrastructure (vs your account) is prohibited. Pentesting M365 has its own rules separate from Azure. Read the policies; don't accidentally violate them in service of "thoroughness."
- Treating the IAM graph as static. Policies change daily; a permission that didn't escalate Tuesday might escalate Thursday. Time-bound your enumeration data.
- Forgetting to clean up. Backdoors, test users, modified policies, persistence artifacts - all of it must be reversed at the end. Maintain a precise change log during testing; revert in reverse order; verify reversion.
- No coordination with detection engineering. A pentest that didn't produce any alerts is either an unsuccessful test or a successful proof that detections don't exist. Either way, the SOC needs to know. Build the loop with detection engineering.
Further reading
Reference wikis and matrices
- Hacking the Cloud (HTC) - Nick Frichette et al.
- MITRE ATT&CK Cloud Matrix
- AWS IAM Privilege Escalation matrix
- GCP IAM Privilege Escalation matrix
- CloudPentestCheatsheets (Black Hills InfoSec)
- PTES (Penetration Testing Execution Standard)
- OWASP Cloud Security Testing Guide
Provider policies
- AWS Penetration Testing
- Microsoft Cloud Penetration Testing Rules of Engagement
- Google Cloud Penetration Testing
Tools to bookmark
- Pacu
- Cloudfox
- ROADtools
- MicroBurst
- BloodHound CE
- AzureHound
- Stratus Red Team
- CloudGoat
- ScoutSuite
- Prowler
Related CSOH pages
- CTFs - labs and challenges for hands-on practice.
- Detection engineering - the defensive mirror of every technique on this page.
- Breach kill chains - real-world chains in the wild.
- Threat research - the running incident catalog.
- Incident response - what happens after the attack succeeds.
- IAM & identity - the surface most attacks exploit.
- Kubernetes - the cluster-side attack surface.
FAQ
How is cloud pentesting different from traditional network pentesting?
The attack surface is the cloud control plane API, not a network of listening ports. Identity replaces network position as the primary perimeter - an attacker with a leaked access key or a stolen OIDC token is already "inside," regardless of what's open on TCP. The toolkit shifts accordingly: less nmap and Metasploit, more Pacu, ROADtools, BloodHound, Cloudfox, and provider SDKs. The vulnerability classes shift too: misconfigured trust policies, over-permissioned roles, IMDS abuse, public storage objects, and privilege-escalation chains across the IAM graph dominate the findings list.
Do I need permission from AWS, Azure, or GCP to pentest my own cloud account?
Mostly no - but read each provider's policy. AWS removed the pre-authorization requirement for most penetration testing against your own resources in 2019; certain disruptive techniques (DNS zone walking, port flooding, protocol flooding, request flooding) still require explicit approval via the Simulated Events form. Azure documents allowed activities in its Penetration Testing Rules of Engagement; some operations require notification. GCP allows customer-owned testing without prior approval but expects compliance with the Acceptable Use Policy. In all three: you are only permitted to test resources you own or have explicit written authorization to test - and never the underlying provider infrastructure, other tenants, or third-party SaaS that happens to live in the same cloud.
What's the single highest-value tool to learn first?
For AWS, Pacu - Rhino Security Labs' exploitation framework. It's modular (60+ modules for enumeration, privilege escalation, persistence, and exfiltration), it teaches the API-call shape of each technique, and the source code is readable. Pair it with Cloudfox for fast situational awareness and PMapper or awspx for privilege-escalation-path analysis. For Azure, ROADtools (recon) plus BloodHound with AzureHound (graph analysis) is the equivalent starter kit. For GCP, gcphound or ScoutSuite plus the GCP IAM Privilege Escalation matrix from Rhino Security Labs.
What's the difference between a pentest, a red team, and adversary emulation?
A pentest is scope-bounded technical testing - find as many exploitable issues in the defined target as time allows, report them. A red team is goal-bounded adversary simulation - achieve a defined objective (exfiltrate a crown-jewel dataset, persist for 30 days undetected, demonstrate ransomware staging) using whatever techniques the rules of engagement permit, including phishing, physical, and supply-chain pivots. Adversary emulation is a structured exercise that reproduces a specific threat actor's known TTPs (mapped to MITRE ATT&CK) to test specific detections, usually as a purple-team collaboration with the SOC. Pentest finds bugs, red team tests resilience, adversary emulation tests detections.
Is it legal to run BloodHound or Pacu against my employer's cloud?
Only with explicit written authorization. "I work here and I'm curious" is not authorization. The Computer Fraud and Abuse Act (U.S.), the Computer Misuse Act (U.K.), and equivalent laws in most jurisdictions criminalize unauthorized access - and that includes employees exceeding their authorized scope, not just outside attackers. Get a written rules-of-engagement document signed by an executive with authority over the systems in scope, naming the testers, the windows, the techniques, and the targets. Without that document you have no defense if something breaks or if findings turn up evidence of someone else's actions.
How often should we be running cloud pentests?
Annual external pentests are table stakes for SOC 2 / ISO 27001 / PCI DSS programs. The valuable cadence is continuous: monthly internal exercises with Stratus Red Team, CloudGoat, or your CSPM's adversary-emulation features; quarterly focused engagements on specific changes (new region, new product, new IAM model); and an annual external red team that tests the whole program end to end. The compliance pentest checks the box; the continuous program finds the real issues before an actor with worse intent does.
Should we hire external testers or build an internal red team?
Both, eventually. External testers bring fresh eyes, current TTPs, and the credibility of an independent report - required for most compliance frameworks and most enterprise customer audits. Internal red teams bring depth on your specific environment, continuous coverage, and the relationship with detection engineering that makes purple teaming work. Most orgs start with annual external pentests, add Stratus / CloudGoat-style internal exercises in year two, and stand up an internal red team somewhere around 200-500 engineers if the threat model justifies it. Financial services, defense, and large SaaS reach that threshold sooner.
Where next
- CTFs - the safe places to actually run these techniques.
- Detection engineering - write the detections for everything on this page.
- Breach kill chains - see these techniques in actual incidents.
- Threat research - the live catalog of cloud-attack incidents and write-ups.
- Incident response - what to do when one of these chains hits you.
- Friday Zoom - pentest war stories, tool walkthroughs, and Q&A every week.