AWS Penetration Expert

Conduct authorized security assessments of Amazon Web Services environments. This skill covers IAM enumeration, S3 bucket security testing, Lambda function analysis, EC2 metadata exploitation, privilege escalation paths, and cloud-native attack techniques for authorized penetration testing engagements.

When to Use This Skill

Choose AWS Penetration Expert when you need to:

• Perform authorized penetration testing of AWS cloud infrastructure
• Enumerate IAM policies and identify privilege escalation paths
• Test S3 bucket configurations for data exposure risks
• Assess security of Lambda functions, EC2 instances, and other AWS services

Consider alternatives when:

• You need to harden AWS configurations defensively (use AWS Security Hub, Prowler)
• You need multi-cloud security testing (use Cloud Penetration Testing Studio)
• You need to audit AWS compliance (use AWS Config Rules)

Quick Start

Copy
pip install boto3 pacu
# aws configure — set up credentials for authorized testing

Copy
import boto3
from botocore.exceptions import ClientError

class AWSEnumerator:
    """Enumerate AWS resources for authorized security testing."""

    def __init__(self, profile_name=None, region='us-east-1'):
        session = boto3.Session(profile_name=profile_name, region_name=region)
        self.sts = session.client('sts')
        self.iam = session.client('iam')
        self.s3 = session.client('s3')
        self.ec2 = session.client('ec2')

    def whoami(self):
        """Identify current AWS identity."""
        identity = self.sts.get_caller_identity()
        print(f"Account: {identity['Account']}")
        print(f"ARN: {identity['Arn']}")
        print(f"UserId: {identity['UserId']}")
        return identity

    def enumerate_iam_users(self):
        """List IAM users and their permissions."""
        try:
            users = self.iam.list_users()['Users']
            print(f"\nIAM Users ({len(users)}):")
            for user in users:
                policies = self.iam.list_attached_user_policies(
                    UserName=user['UserName']
                )['AttachedPolicies']
                groups = self.iam.list_groups_for_user(
                    UserName=user['UserName']
                )['Groups']
                print(f"  {user['UserName']}")
                print(f"    Policies: {[p['PolicyName'] for p in policies]}")
                print(f"    Groups: {[g['GroupName'] for g in groups]}")
        except ClientError as e:
            print(f"  IAM enumeration denied: {e.response['Error']['Code']}")

    def check_s3_buckets(self):
        """Check S3 bucket permissions and public access."""
        try:
            buckets = self.s3.list_buckets()['Buckets']
            print(f"\nS3 Buckets ({len(buckets)}):")
            for bucket in buckets:
                name = bucket['Name']
                try:
                    acl = self.s3.get_bucket_acl(Bucket=name)
                    public = any(
                        g.get('URI', '').endswith('AllUsers') or
                        g.get('URI', '').endswith('AuthenticatedUsers')
                        for grant in acl['Grants']
                        for g in [grant.get('Grantee', {})]
                    )
                    status = "PUBLIC" if public else "private"
                    print(f"  {name}: {status}")
                except ClientError:
                    print(f"  {name}: access denied")
        except ClientError as e:
            print(f"  S3 enumeration denied: {e.response['Error']['Code']}")

# Usage (authorized testing only)
# enum = AWSEnumerator(profile_name='pentest')
# enum.whoami()
# enum.enumerate_iam_users()
# enum.check_s3_buckets()

Core Concepts

AWS Attack Surface

Service	Attack Vectors	Impact
IAM	Over-permissive policies, unused credentials, role chaining	Account takeover
S3	Public buckets, misconfigured ACLs, policy bypass	Data exfiltration
EC2	SSRF to metadata (IMDSv1), security group gaps	Instance compromise
Lambda	Environment variable secrets, over-permissive roles	Code execution
RDS	Public snapshots, weak credentials, unencrypted storage	Database access
STS	AssumeRole chains, cross-account trust	Privilege escalation
CloudTrail	Disabled logging, log tampering	Evidence destruction
Secrets Manager	Over-permissive access, unrotated secrets	Credential theft

IAM Privilege Escalation Checks

Copy
import boto3
import json
from botocore.exceptions import ClientError

def check_privilege_escalation(iam_client, username):
    """Check for common IAM privilege escalation paths."""
    findings = []

    # Check inline policies
    try:
        inline_policies = iam_client.list_user_policies(
            UserName=username
        )['PolicyNames']
        for policy_name in inline_policies:
            policy = iam_client.get_user_policy(
                UserName=username, PolicyName=policy_name
            )
            doc = policy['PolicyDocument']
            check_policy_document(doc, findings, f"inline:{policy_name}")
    except ClientError:
        pass

    # Check attached managed policies
    try:
        attached = iam_client.list_attached_user_policies(
            UserName=username
        )['AttachedPolicies']
        for policy in attached:
            version = iam_client.get_policy(
                PolicyArn=policy['PolicyArn']
            )['Policy']['DefaultVersionId']
            doc = iam_client.get_policy_version(
                PolicyArn=policy['PolicyArn'], VersionId=version
            )['PolicyVersion']['Document']
            check_policy_document(doc, findings, policy['PolicyName'])
    except ClientError:
        pass

    return findings

def check_policy_document(doc, findings, source):
    """Analyze a policy document for dangerous permissions."""
    dangerous_actions = [
        'iam:CreateUser', 'iam:CreateLoginProfile', 'iam:AttachUserPolicy',
        'iam:PutUserPolicy', 'iam:CreateAccessKey', 'iam:PassRole',
        'sts:AssumeRole', 'lambda:CreateFunction', 'lambda:InvokeFunction',
        'ec2:RunInstances', 'iam:AddUserToGroup', 'iam:UpdateAssumeRolePolicy',
    ]
    statements = doc.get('Statement', [])
    if isinstance(statements, dict):
        statements = [statements]

    for stmt in statements:
        if stmt.get('Effect') != 'Allow':
            continue
        actions = stmt.get('Action', [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == '*' or action in dangerous_actions:
                findings.append({
                    'source': source,
                    'action': action,
                    'resource': stmt.get('Resource', '*'),
                    'risk': 'Potential privilege escalation'
                })

# check_privilege_escalation(iam_client, 'testuser')

Configuration

Parameter	Description	Default
profile	AWS CLI profile for authorized testing	Required
region	Primary AWS region to test	"us-east-1"
all_regions	Test all AWS regions	false
services	AWS services to enumerate	All
output_format	Report format (json, html, csv)	"json"
metadata_version	IMDSv1 vs IMDSv2 testing	Both
skip_destructive	Skip tests that modify resources	true
rate_limit	Max API calls per second	5

Best Practices

1. Start with sts:GetCallerIdentity to understand your access level — Before any enumeration, confirm your identity, account number, and whether you're using a user, role, or federated credentials. This establishes your starting position for privilege escalation testing.

2. Enumerate all regions, not just the default — Resources can exist in any AWS region. Attackers commonly find unmonitored resources in rarely-used regions. Use ec2.describe_regions() and iterate through each region for comprehensive coverage.

3. Check for IMDSv1 on EC2 instances — IMDSv1 is exploitable via SSRF attacks to steal IAM role credentials. Test whether instances require IMDSv2 (token-based) by checking http-put-response-hop-limit and http-tokens settings. IMDSv1 availability is a significant finding.

4. Test cross-account trust relationships — Use iam:ListRoles and inspect AssumeRolePolicyDocument for roles that trust external accounts. Cross-account trust can provide lateral movement to other AWS accounts if the trusted account is compromised.

5. Document all findings with evidence and remediation — For each finding, record the AWS CLI or API command that demonstrates the vulnerability, the potential impact, and the specific remediation (policy change, configuration update). Include screenshots of console evidence.

Common Issues

Access denied errors on IAM enumeration — The test account may lack iam:List* and iam:Get* permissions. Request these permissions from the client for comprehensive testing, or use the Pacu framework which automatically tries alternative enumeration methods.

S3 bucket enumeration misses buckets in other accounts — s3.list_buckets() only shows buckets in the authenticated account. To find publicly accessible buckets belonging to the target, try common naming patterns (company-name-backup, company-data) with s3.head_bucket().

CloudTrail alerts trigger during testing — Coordinate with the client's security team before testing. Provide your testing IP ranges and time windows so SOC analysts can distinguish pentest activity from real attacks. Some engagements require real-time coordination.