Pentest_Notes

☁️ Cloud Penetration Testing (AWS, Azure, GCP)

Organized notes for cloud penetration testing. Last Updated: 2026-03-27


Overview

Cloud pentesting focuses on identifying misconfigurations, excessive permissions, exposed services, and insecure storage in cloud environments. The attack surface differs significantly from traditional on-premises testing: identity (IAM roles, service principals, service accounts) is the control plane, so most escalation paths run through over-permissive policies and credentials leaked via metadata services or public storage rather than through network-level exploitation.


General Cloud Reconnaissance

Checklist

Cloud Provider Detection

# Check IP ranges (each provider publishes its prefixes; match resolved IPs against these)
# AWS: https://ip-ranges.amazonaws.com/ip-ranges.json
# Azure: https://www.microsoft.com/en-us/download/details.aspx?id=56519
# GCP: https://www.gstatic.com/ipranges/cloud.json

# DNS CNAME analysis (a zone apex cannot carry a CNAME, so query hostnames, not the bare domain)
dig +short CNAME www.target.com
# Look for: *.amazonaws.com, *.cloudfront.net, *.elasticbeanstalk.com (AWS)
#           *.azurewebsites.net, *.blob.core.windows.net, *.cloudapp.azure.com, *.trafficmanager.net (Azure)
#           *.googleapis.com, *.googleusercontent.com, ghs.googlehosted.com (GCP)
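Worked example (added to these notes, not code from the original page or from any tool listed here): a small Python script that performs the two checks above offline, matching resolved IPs against the providers' published range feeds and mapping CNAME targets to a provider. The JSON excerpts inside are constructed in the shape of the real feeds with illustrative prefixes; for a live run, download the files from the URLs above and pass the parsed JSON to load_ranges().

```python
"""Attribute hosts to AWS / Azure / GCP from published IP-range feeds and CNAME targets.

Added example for these notes (not code from the original page or any tool it lists).
The three JSON snippets are constructed excerpts in the shape of the real feeds; the
prefixes are illustrative only. For a live run, fetch the feeds and pass them in.
"""
import ipaddress
import json

# Constructed excerpt of https://ip-ranges.amazonaws.com/ip-ranges.json
AWS_IP_RANGES = json.loads("""{"prefixes": [
  {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
  {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"}],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"}]}""")

# Constructed excerpt of https://www.gstatic.com/ipranges/cloud.json
GCP_IP_RANGES = json.loads("""{"prefixes": [
  {"ipv4Prefix": "34.64.0.0/10", "service": "Google Cloud", "scope": "asia-northeast3"},
  {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"}]}""")

# Constructed excerpt of the Azure Service Tags file (ServiceTags_Public_*.json)
AZURE_SERVICE_TAGS = json.loads("""{"values": [
  {"name": "AzureCloud.westeurope",
   "properties": {"region": "westeurope",
                  "addressPrefixes": ["13.69.0.0/17", "2603:1020:200::/47"]}}]}""")

# CNAME suffixes that point at provider-hosted services (extend as you meet more).
CNAME_SUFFIXES = {
    "aws":   (".amazonaws.com", ".cloudfront.net", ".elasticbeanstalk.com"),
    "azure": (".azurewebsites.net", ".blob.core.windows.net", ".cloudapp.azure.com",
              ".trafficmanager.net", ".azureedge.net"),
    "gcp":   (".googleapis.com", ".googleusercontent.com", ".googlehosted.com", ".appspot.com"),
}


def load_ranges(aws=None, gcp=None, azure=None):
    """Flatten the three feed layouts into (network, provider, detail) tuples."""
    ranges = []
    for p in (aws or {}).get("prefixes", []):
        ranges.append((ipaddress.ip_network(p["ip_prefix"]), "aws", f"{p['service']}/{p['region']}"))
    for p in (aws or {}).get("ipv6_prefixes", []):
        ranges.append((ipaddress.ip_network(p["ipv6_prefix"]), "aws", f"{p['service']}/{p['region']}"))
    for p in (gcp or {}).get("prefixes", []):
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        ranges.append((ipaddress.ip_network(cidr), "gcp", p.get("scope", "global")))
    for tag in (azure or {}).get("values", []):
        for cidr in tag["properties"]["addressPrefixes"]:
            ranges.append((ipaddress.ip_network(cidr), "azure", tag["name"]))
    return ranges


def classify_ip(addr, ranges):
    """Return (provider, detail) for the most specific prefix containing addr, else None.
    Service tags overlap (AzureCloud.westeurope sits inside AzureCloud), so the
    longest match is preferred over the first one found."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in ranges if r[0].version == ip.version and ip in r[0]]
    if not hits:
        return None
    _net, provider, detail = max(hits, key=lambda r: r[0].prefixlen)
    return provider, detail


def classify_cname(target):
    """Map a CNAME target (as printed by dig, trailing dot allowed) to a provider, else None."""
    host = target.rstrip(".").lower()
    for provider, suffixes in CNAME_SUFFIXES.items():
        if any(host.endswith(s) for s in suffixes):
            return provider
    return None


if __name__ == "__main__":
    ranges = load_ranges(AWS_IP_RANGES, GCP_IP_RANGES, AZURE_SERVICE_TAGS)
    # 8.8.8.8 is Google infrastructure but not in cloud.json: "Google" is not "GCP customer".
    for ip in ("52.94.77.10", "34.100.1.1", "2603:1020:200::1", "8.8.8.8"):
        print(ip, "->", classify_ip(ip, ranges))
    for cname in ("d111111abcdef8.cloudfront.net.", "acme.azurewebsites.net", "ghs.googlehosted.com"):
        print(cname, "->", classify_cname(cname))
```

The longest-prefix rule matters for the Azure file in particular, where a regional tag such as AzureCloud.westeurope is nested inside the global AzureCloud tag and the regional hit is the one you want.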

AWS Penetration Testing

S3 Bucket Enumeration

# Check if bucket exists (S3 answers differently for private vs. missing buckets:
# "AccessDenied" = exists but not public, "NoSuchBucket" = the name is unused)
aws s3 ls s3://<bucket-name> --no-sign-request

# List bucket contents (no auth)
aws s3 ls s3://<bucket-name> --no-sign-request --recursive

# Download all bucket contents (check the listing size first; sync pulls everything)
aws s3 sync s3://<bucket-name> ./loot --no-sign-request

# Brute-force bucket names from a keyword (mutations such as -dev, -backup, -prod)
# Tools: cloud_enum, S3Scanner, bucket-finder
python3 cloud_enum.py -k company_name
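What the -k keyword expansion does under the hood, as an added Python example (not cloud_enum's code and not from the original notes): expand a keyword into bucket-name candidates and drop the ones S3's naming rules would reject before a single request is sent. The mutation list is a constructed illustration, not a tuned wordlist.

```python
"""Generate and pre-filter S3 bucket-name candidates for a keyword.

Added example for these notes (not from the original page or from cloud_enum).
Reading the probe results: HTTP 404 / NoSuchBucket means the name is free,
403 / AccessDenied means the bucket exists but is private, 200 with a
<ListBucketResult> means it is publicly listable.
"""
import ipaddress
import re

# Constructed mutation list; a real run uses a wordlist of hundreds of terms.
MUTATIONS = ["", "backup", "backups", "dev", "staging", "prod", "logs",
             "assets", "static", "uploads", "data", "www", "media"]
SEPARATORS = ["", "-", "."]

# 3-63 chars, lowercase letters/digits/dots/hyphens, must start and end with a letter or digit.
_S3_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_s3_name(name):
    """Apply the S3 bucket naming rules so the wordlist does not waste requests."""
    if not _S3_NAME.match(name) or ".." in name:
        return False
    if name.startswith("xn--") or name.endswith("-s3alias"):
        return False
    try:
        ipaddress.IPv4Address(name)
        return False          # names shaped like 192.168.5.4 are rejected by S3
    except ValueError:
        return True


def bucket_candidates(keyword):
    """keyword +/- each mutation, both orders, every separator; deduplicated,
    order-preserving, and filtered through the naming rules."""
    base = keyword.strip().lower()
    seen, out = set(), []
    for mutation in MUTATIONS:
        for sep in SEPARATORS:
            names = [base] if not mutation else [f"{base}{sep}{mutation}", f"{mutation}{sep}{base}"]
            for name in names:
                if name not in seen and is_valid_s3_name(name):
                    seen.add(name)
                    out.append(name)
    return out


if __name__ == "__main__":
    for name in bucket_candidates("Acme"):
        # Both URL styles resolve; virtual-hosted style needs the name to be DNS-safe (no dots for TLS).
        print(f"https://{name}.s3.amazonaws.com/   https://s3.amazonaws.com/{name}/")
```

Dotted names (acme.backup) are valid bucket names but break TLS in virtual-hosted style because the certificate only covers one label under s3.amazonaws.com, so probe those with the path-style URL.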

EC2 Metadata Service (SSRF Target)

# IMDSv1: plain GET, no authentication required (reachable through a basic SSRF)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>
# The role response carries AccessKeyId, SecretAccessKey and Token; all three are needed
# (set AWS_SESSION_TOKEN as well, or the keys are rejected with InvalidClientTokenId).
# Also worth reading: /latest/user-data, since bootstrap scripts frequently embed secrets.

# IMDSv2: session-oriented; a PUT with a TTL header returns a token that must accompany every GET
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

⚠️ CPTS Exam Tip: If you find SSRF in a web application hosted on AWS, always try the metadata endpoint at 169.254.169.254. If the instance enforces IMDSv2, the exchange has to be a PUT with the TTL header followed by a GET carrying the token, so a GET-only SSRF with no control over method or headers will fail; the PUT response is also sent with an IP TTL of 1 by default, so the token cannot be fetched from a container or proxy that sits one network hop away.

AWS CLI Enumeration (With Credentials)

# Configure CLI (prefer a named profile, e.g. add --profile loot, so captured keys never overwrite your own)
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Temporary credentials (from IMDS or STS) also need aws_session_token in the profile,
# otherwise every call fails with InvalidClientTokenId

# Enumerate identity (works with any valid key, even one with zero IAM permissions)
aws sts get-caller-identity

# List S3 buckets
aws s3 ls

# List EC2 instances
aws ec2 describe-instances

# List IAM users
aws iam list-users

# List IAM policies (only those currently attached to a user, group or role)
aws iam list-policies --only-attached

# Get current user's attached managed policies (inline policies are listed separately
# with list-user-policies; for a role use the list-attached-role-policies equivalent)
aws iam list-attached-user-policies --user-name <USERNAME>
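After list-attached-user-policies the useful next step is aws iam get-policy-version --policy-arn <ARN> --version-id <VERSION> and reading the returned Document. Added Python example (not from these notes, Pacu or enumerate-iam) that scans such a document for wildcard actions and a handful of well-known escalation primitives. The policy is constructed, PRIVESC_ACTIONS and PRIVESC_COMBOS are an illustrative subset rather than a complete catalogue, and evaluation is deliberately simplified to Action patterns.

```python
"""Scan an IAM policy document for wildcard and escalation-prone actions.

Added example for these notes (not from the original page, Pacu or enumerate-iam).
SAMPLE_POLICY is a constructed document in the shape returned by
`aws iam get-policy-version`; PRIVESC_ACTIONS and PRIVESC_COMBOS are a short
illustrative subset of known escalation primitives, not a complete catalogue.
Evaluation is simplified to Action patterns: Resource, Condition and NotAction
are ignored, so treat hits as leads to verify, not as proof.
"""
import fnmatch
import json

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}
  ]}""")

PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion": "publish a new default version of an attached policy",
    "iam:SetDefaultPolicyVersion": "roll an attached policy to a more permissive version",
    "iam:AttachUserPolicy": "attach AdministratorAccess to the current user",
    "iam:PutUserPolicy": "add an inline admin policy to the current user",
    "iam:CreateAccessKey": "mint access keys for a more privileged user",
    "iam:UpdateAssumeRolePolicy": "make a privileged role assumable by the current principal",
    "sts:AssumeRole": "assume any role whose trust policy allows it",
}
PRIVESC_COMBOS = {
    ("iam:PassRole", "ec2:RunInstances"): "launch an instance with a privileged role and read its IMDS credentials",
    ("iam:PassRole", "lambda:CreateFunction"): "deploy code that runs as a privileged role",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Split the policy into lowercase Allow and Deny action patterns
    (statements using NotAction contribute nothing here)."""
    allow, deny = set(), set()
    for statement in policy.get("Statement", []):
        bucket = allow if statement.get("Effect") == "Allow" else deny
        bucket.update(a.lower() for a in _as_list(statement.get("Action")))
    return allow, deny


def action_allowed(action, allow, deny):
    """Explicit Deny wins; otherwise any Allow pattern (e.g. 'iam:*') may match."""
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, d) for d in deny):
        return False
    return any(fnmatch.fnmatchcase(a, p) for p in allow)


def find_privesc(policy):
    """Human-readable findings: wildcards, single escalation actions, escalating pairs."""
    allow, deny = allowed_actions(policy)
    findings = []
    wildcards = sorted(p for p in allow if "*" in p)
    if wildcards:
        findings.append(f"wildcard actions: {', '.join(wildcards)}")
    for action, why in PRIVESC_ACTIONS.items():
        if action_allowed(action, allow, deny):
            findings.append(f"{action}: {why}")
    for (first, second), why in PRIVESC_COMBOS.items():
        if action_allowed(first, allow, deny) and action_allowed(second, allow, deny):
            findings.append(f"{first} + {second}: {why}")
    return findings


if __name__ == "__main__":
    for line in find_privesc(SAMPLE_POLICY):
        print("[!]", line)
```

Run it over every attached and inline policy of the principal you hold; a single iam:* or a PassRole/RunInstances pair is usually the shortest route to the account's admin role.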

Tools

Tool           Purpose                          Basic Command
aws-cli        AWS command-line interface       aws sts get-caller-identity
Pacu           AWS exploitation framework       python3 pacu.py
ScoutSuite     Multi-cloud security auditing    scout aws
Prowler        AWS security assessment          prowler aws
cloud_enum     Cloud resource enumeration       python3 cloud_enum.py -k target
S3Scanner      S3 bucket scanning               s3scanner scan --bucket <name>
enumerate-iam  IAM permission enumeration       python3 enumerate-iam.py --access-key <KEY> --secret-key <SECRET>

Azure Penetration Testing

Azure Blob Storage Enumeration

# Check for public blob containers
# URL format: https://<account>.blob.core.windows.net/<container>
# Quote the URL: an unquoted & would background the command in the shell
curl "https://<account>.blob.core.windows.net/<container>?restype=container&comp=list"
# Listing only works at public access level "container"; at level "blob" the list call fails
# but individual blobs are still readable by direct URL if you can guess their names.

# MicroBurst enumeration (PowerShell; Import-Module MicroBurst.psm1 first)
Invoke-EnumerateAzureBlobs -Base <company_name>

Azure Metadata Service

# Azure IMDS (the Metadata: true header is mandatory, which blocks SSRF that cannot set headers)
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get an access token for the VM's managed identity; use it as "Authorization: Bearer <access_token>"
# against https://management.azure.com/ (change the resource parameter for Key Vault, Storage or Graph tokens)
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Azure AD Enumeration

# AADInternals (PowerShell)
Install-Module AADInternals
Import-Module AADInternals

# Check tenant information (unauthenticated: tenant ID and brand, Managed vs. Federated domains, Desktop SSO status)
Invoke-AADIntReconAsOutsider -DomainName target.com

# ROADtools (password auth; use roadrecon auth --device-code instead when MFA or conditional access blocks password login)
roadrecon auth -u user@target.com -p 'Password'
roadrecon gather    # dumps users, groups, applications, roles and devices into roadrecon.db
roadrecon gui       # browse the collected data

Tools

Tool          Purpose
Az CLI        Azure command-line interface
AzureHound    BloodHound data collection for Azure AD
ROADtools     Azure AD exploration
MicroBurst    Azure security assessment
AADInternals  Azure AD internal operations
ScoutSuite    Multi-cloud auditing

GCP Penetration Testing

GCP Metadata Service

# GCP metadata endpoint (metadata.google.internal resolves to 169.254.169.254; the Metadata-Flavor: Google
# header is mandatory, and the legacy v1beta1 endpoint that accepted header-less requests is deprecated)
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/
# Default service account token (opaque ya29... bearer token). Check its scopes at
# .../service-accounts/default/scopes: the cloud-platform scope means the token carries the SA's full IAM rights
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
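The three metadata services above (AWS iam/security-credentials/<ROLE>, Azure identity/oauth2/token, GCP service-accounts/default/token) each end in a credential blob of a different shape. Added Python example (not from these notes) that normalises all three into principal, expiry and ready-to-paste exports. It makes no network calls: the response bodies are constructed samples, the Azure JWT is assembled locally with a junk signature, and nothing here verifies a token.

```python
"""Normalise what the three metadata services hand back.

Added example for these notes (not from the original page). AWS_BODY, AZURE_BODY and
GCP_BODY are constructed responses in the shape of the real replies; keys, tokens and
claims are fake. What it shows: AWS needs all three values including the session token,
Azure identity can be read from the (unverified) JWT claims, GCP tokens are opaque and
only carry a lifetime.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

SAMPLE_NOW = datetime(2026, 3, 27, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for reading the identity
    out of a token you already hold, never for authenticating one."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_constructed_jwt(claims):
    """Assemble the fake Azure token used below (junk signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.constructedsignature"


AWS_BODY = json.dumps({
    "Code": "Success", "LastUpdated": "2026-03-27T10:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIACONSTRUCTEDKEY00", "SecretAccessKey": "constructed/secret/key",
    "Token": "constructed.session.token", "Expiration": "2026-03-27T16:00:00Z"})
AZURE_BODY = json.dumps({
    "access_token": make_constructed_jwt({
        "aud": "https://management.azure.com/", "oid": "11111111-2222-3333-4444-555555555555",
        "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-web"
                     "/providers/Microsoft.Compute/virtualMachines/web01",
        "exp": 1774627200}),
    "expires_on": "1774627200", "resource": "https://management.azure.com/", "token_type": "Bearer"})
GCP_BODY = json.dumps({"access_token": "ya29.constructed-token", "expires_in": 3599, "token_type": "Bearer"})


def from_aws(body, role_name):
    d = json.loads(body)
    return {"provider": "aws", "principal": role_name,
            "expires_at": datetime.fromisoformat(d["Expiration"].replace("Z", "+00:00")),
            # Temporary credentials are rejected without the session token.
            "env": [f"export AWS_ACCESS_KEY_ID={d['AccessKeyId']}",
                    f"export AWS_SECRET_ACCESS_KEY={d['SecretAccessKey']}",
                    f"export AWS_SESSION_TOKEN={d['Token']}"]}


def from_azure(body):
    d = json.loads(body)
    claims = jwt_claims(d["access_token"])
    return {"provider": "azure",
            # xms_mirid is the managed identity's resource ID (the VM for a system-assigned one).
            "principal": claims.get("xms_mirid") or claims.get("oid"),
            "expires_at": datetime.fromtimestamp(int(d["expires_on"]), tz=timezone.utc),
            "env": [f"export AZ_TOKEN={d['access_token']}"]}  # -H "Authorization: Bearer $AZ_TOKEN"


def from_gcp(body, now=None):
    d = json.loads(body)
    now = now or datetime.now(timezone.utc)
    return {"provider": "gcp", "principal": "default service account (read .../default/email)",
            "expires_at": now + timedelta(seconds=int(d["expires_in"])),
            "env": [f"export GCP_TOKEN={d['access_token']}"]}  # -H "Authorization: Bearer $GCP_TOKEN"


def minutes_left(summary, now=None):
    now = now or datetime.now(timezone.utc)
    return int((summary["expires_at"] - now).total_seconds() // 60)


def summarize_all(now=SAMPLE_NOW):
    """Principal and remaining lifetime per provider for the constructed samples."""
    out = {}
    for s in (from_aws(AWS_BODY, "web-role"), from_azure(AZURE_BODY), from_gcp(GCP_BODY, now)):
        out[s["provider"]] = (s["principal"], minutes_left(s, now))
    return out


if __name__ == "__main__":
    for provider, (principal, mins) in summarize_all().items():
        print(f"{provider}: {principal} ({mins} min left)")
```

Write the expiry down: IMDS credentials rotate, so a finding reproduced an hour later needs fresh ones, and a report should record the principal (role name, managed identity resource ID, service account e-mail) rather than the token itself.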

GCS Bucket Enumeration

# Check for public bucket (allUsers with storage.objects.list returns an XML object listing;
# otherwise you get an XML <Error> with AccessDenied or NoSuchBucket)
curl https://storage.googleapis.com/<bucket-name>

# List bucket contents (anonymous listing works when allUsers holds an object-viewer role)
gsutil ls gs://<bucket-name>
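The public-bucket checks for S3, Azure Blob (restype=container&comp=list) and GCS above all come back as XML: an object listing when anonymous listing is allowed, an <Error><Code> otherwise. Added Python example (not from these notes or the tools they list) that parses any of the three, tells a missing bucket from a private one, and flags the object names worth downloading first. Every response in it is a constructed sample.

```python
"""Interpret the XML that public-storage probes return (S3, GCS XML API, Azure Blob).

Added example for these notes (not from the original page or the listed tools). The
responses below are constructed samples in the shape of real replies: S3 and the GCS
XML API both answer with <ListBucketResult> (different namespaces) or <Error><Code>;
Azure's container list answers with <EnumerationResults> or <Error>. The parser ignores
namespaces so one code path covers all three.
"""
import xml.etree.ElementTree as ET

S3_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-backup</Name><IsTruncated>false</IsTruncated>
  <Contents><Key>db/prod-2026-03-01.sql.gz</Key><Size>5242880</Size></Contents>
  <Contents><Key>config/.env</Key><Size>512</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""
S3_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
S3_MISSING = "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"
AZURE_LISTING = """<EnumerationResults ServiceEndpoint="https://acmestorage.blob.core.windows.net/" ContainerName="public">
  <Blobs><Blob><Name>backup.zip</Name><Properties><Content-Length>10485760</Content-Length></Properties></Blob></Blobs>
  <NextMarker />
</EnumerationResults>"""
AZURE_NO_PUBLIC = "<Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.</Message></Error>"

# Error codes grouped by what they tell the tester.
MISSING = {"NoSuchBucket", "ContainerNotFound"}
EXISTS_PRIVATE = {"AccessDenied", "PublicAccessNotPermitted", "AuthorizationPermissionMismatch"}
# Azure returns 404 ResourceNotFound for private containers as well as missing ones, so it proves nothing.
INCONCLUSIVE = {"ResourceNotFound"}

SENSITIVE_HINTS = (".env", ".sql", ".bak", ".pem", ".key", ".p12", ".pfx", ".tfstate",
                   "id_rsa", "backup", "dump", "secret", "credential", ".ovpn", ".kdbx")


def _local(tag):
    """Strip an XML namespace: '{http://...}Key' -> 'Key'."""
    return tag.rsplit("}", 1)[-1]


def _text_of(elem, names):
    """First descendant text whose local tag is in names, else None."""
    for child in elem.iter():
        if _local(child.tag) in names and child.text is not None:
            return child.text
    return None


def classify_listing(body):
    """Return {'status', 'code', 'objects', 'truncated'} for one probe response."""
    root = ET.fromstring(body)
    kind = _local(root.tag)
    if kind == "Error":
        code = _text_of(root, {"Code"})
        if code in MISSING:
            status = "does-not-exist"
        elif code in EXISTS_PRIVATE:
            status = "exists-not-listable"
        elif code in INCONCLUSIVE:
            status = "inconclusive"
        else:
            status = f"error:{code}"
        return {"status": status, "code": code, "objects": [], "truncated": False}
    if kind not in ("ListBucketResult", "EnumerationResults"):
        return {"status": f"unknown:{kind}", "code": None, "objects": [], "truncated": False}
    objects = []
    for elem in root.iter():
        if _local(elem.tag) in ("Contents", "Blob"):          # S3/GCS object, Azure blob
            size = _text_of(elem, {"Size", "Content-Length"})
            objects.append({"name": _text_of(elem, {"Key", "Name"}), "size": int(size) if size else None})
    truncated = False
    for child in root:
        if _local(child.tag) == "IsTruncated" and (child.text or "").strip().lower() == "true":
            truncated = True   # S3/GCS: page on with ?marker= / continuation token
        if _local(child.tag) == "NextMarker" and (child.text or "").strip():
            truncated = True   # Azure: repeat the request with &marker=<NextMarker>
    return {"status": "public-listable", "code": None, "objects": objects, "truncated": truncated}


def sensitive_objects(result):
    """Names worth pulling first, by filename hint (a heuristic, not a classifier)."""
    return [o["name"] for o in result["objects"]
            if o["name"] and any(h in o["name"].lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for body in (S3_LISTING, S3_DENIED, S3_MISSING, AZURE_LISTING, AZURE_NO_PUBLIC):
        res = classify_listing(body)
        print(res["status"], res["code"], len(res["objects"]), sensitive_objects(res))
```

A listing capped at 1000 keys with IsTruncated=true (or a non-empty NextMarker on Azure) means the interesting files may be on a later page, so keep paging before deciding a public bucket holds nothing of value.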

Common Cloud Misconfigurations

Misconfiguration               Risk                        Cloud Providers
Public storage buckets         Data exposure               AWS, Azure, GCP
Overly permissive IAM roles    Privilege escalation        All
IMDSv1 enabled (no token)      Credential theft via SSRF   AWS
Public snapshots/AMIs          Data exposure               AWS
Unencrypted storage            Data at rest exposure       All
Exposed management consoles    Unauthorized access         All
Weak/default credentials       Account compromise          All
Missing MFA                    Account takeover            All

Common Pitfalls / Gotchas

References & Further Reading