Cloud Pentesting & Assessment

Cloud Security Assessment Tools


Effective cloud security assessment requires specialized tools for configuration auditing, vulnerability scanning, and offensive testing. Understanding when to use each tool maximizes assessment coverage and efficiency.

Configuration Assessment Tools

Prowler - AWS Security Assessment

Prowler is the industry-standard open-source tool for AWS security auditing:

# Install Prowler
pip install prowler

# Run full assessment
prowler aws

# Run specific checks
prowler aws --checks iam_user_mfa_enabled_console_access s3_bucket_public_access

# Run by compliance framework
prowler aws --compliance cis_5.0_aws

# Output formats
prowler aws -M json-ocsf -F prowler-results
prowler aws -M html -F prowler-report

# Scan specific services
prowler aws --services iam s3 ec2

Key check categories:

  • IAM: User/role policies, MFA, access keys
  • S3: Public access, encryption, logging
  • EC2: Security groups, IMDSv2, EBS encryption
  • CloudTrail: Logging enabled, integrity validation
  • VPC: Flow logs, default security groups

ScoutSuite - Multi-Cloud Assessment

# Install ScoutSuite
pip install scoutsuite

# AWS assessment
scout aws

# Azure assessment
scout azure --cli

# GCP assessment
scout gcp --user-account

# Generate HTML report
scout aws --report-dir ./scout-report

ScoutSuite findings:

  • Danger (red): Critical security issues
  • Warning (orange): Best practice violations
  • Good (green): Properly configured

CloudSploit - Continuous Monitoring

# Clone repository
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit

# Install dependencies
npm install

# Run AWS scan
./index.js --cloud aws --config ./config.js

# Run with compliance mapping
./index.js --cloud aws --compliance cis

Offensive Security Tools

Pacu - AWS Exploitation Framework

# Install Pacu
pip install pacu

# Start Pacu
pacu

# Create new session
Pacu > new_session pentester

# Configure AWS keys
Pacu > set_keys

# Run enumeration
Pacu > run iam__enum_users_roles_policies_groups
Pacu > run iam__enum_permissions
Pacu > run lambda__enum

# Privilege escalation scan
Pacu > run iam__privesc_scan

# Data exfiltration
Pacu > run s3__download_bucket

Key Pacu modules:

| Module | Purpose |
|---|---|
| iam__enum_permissions | Map current permissions |
| iam__privesc_scan | Find escalation paths |
| ec2__enum | Enumerate EC2 instances |
| lambda__enum | List Lambda functions |
| s3__bucket_finder | Discover S3 buckets |

CloudGoat - Vulnerable Lab Environment

# Install CloudGoat
pip install cloudgoat

# Configure AWS credentials
cloudgoat config profile

# Deploy vulnerable scenario
cloudgoat create iam_privesc_by_rollback
cloudgoat create ec2_ssrf

# Practice exploitation scenarios
# Each scenario teaches specific cloud attack paths

# Clean up
cloudgoat destroy iam_privesc_by_rollback

CloudGoat scenarios:

  • iam_privesc_by_rollback: Policy version rollback
  • ec2_ssrf: SSRF to metadata service
  • lambda_privesc: Lambda role abuse
  • codebuild_secrets: Secret exfiltration
  • rce_web_app: Web app to cloud pivot

ROADtools - Microsoft Entra ID Assessment

# Install ROADtools
pip install roadrecon

# Authenticate and gather data
roadrecon auth --device-code
roadrecon gather

# Generate report
roadrecon gui

# Access at http://localhost:5000

Compliance Scanning Tools

Checkov - Infrastructure as Code

# Install Checkov
pip install checkov

# Scan Terraform
checkov -d /path/to/terraform

# Scan CloudFormation
checkov -f template.yaml

# Scan Kubernetes manifests
checkov -d /path/to/k8s/

# Scan with specific framework
checkov -d . --framework terraform --check CKV_AWS_1,CKV_AWS_2

# Output formats
checkov -d . -o json > results.json
checkov -d . -o sarif > results.sarif

Trivy - Container and Cloud Scanning

# Scan container image
trivy image myapp:latest

# Scan filesystem
trivy fs --scanners vuln,misconfig .

# Scan AWS account
trivy aws --region us-east-1

# Scan Kubernetes cluster
trivy k8s --report summary cluster

Assessment Workflows

Pre-Assessment Checklist

| Task | Purpose |
|---|---|
| Scope definition | Define accounts, regions, services |
| Credential collection | Gather read-only/test credentials |
| Tool preparation | Install and configure tools |
| Baseline documentation | Document existing configurations |
| Emergency contacts | Establish incident response chain |

Assessment Workflow

┌─────────────────────────────────────────────────────────────┐
│                  Cloud Security Assessment                   │
├─────────────────────────────────────────────────────────────┤
│  Phase 1: Discovery (Prowler/ScoutSuite)                    │
│  └─ Configuration audit, compliance check                   │
├─────────────────────────────────────────────────────────────┤
│  Phase 2: Enumeration (Manual + Pacu)                       │
│  └─ IAM mapping, resource discovery, trust relationships    │
├─────────────────────────────────────────────────────────────┤
│  Phase 3: Exploitation (Pacu + Manual)                      │
│  └─ Privilege escalation, lateral movement, data access     │
├─────────────────────────────────────────────────────────────┤
│  Phase 4: Reporting                                         │
│  └─ Findings, risk ratings, remediation guidance            │
└─────────────────────────────────────────────────────────────┘

Continuous Assessment

# Automated daily Prowler scan
0 2 * * * /usr/local/bin/prowler aws -M json-ocsf -F /reports/daily-$(date +\%Y\%m\%d)

# Weekly ScoutSuite comprehensive scan
0 3 * * 0 /usr/local/bin/scout aws --report-dir /reports/weekly-$(date +\%Y\%m\%d)

# Integrate with CI/CD
# .github/workflows/security.yml
name: Cloud Security Scan
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  prowler:
    runs-on: ubuntu-latest
    steps:
      - uses: prowler-cloud/prowler-action@v1
        with:
          prowler_version: 5.0
          cloud_provider: aws
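
Scheduled scans are most useful when each run is compared with the previous one. The following is an added example, not part of the original lesson or of Prowler itself, that lists findings which newly fail or were resolved between two daily reports. It assumes the json-ocsf report is a JSON array whose items carry status_code, severity, metadata.event_code and resources[].uid; the sample findings and the helper names are constructed for illustration.

```python
import json

def load_report(path):
    """Read one report file (assumed to be a JSON array of findings)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def failed_keys(findings):
    """Map (check id, resource uid) -> severity for every FAIL finding."""
    failed = {}
    for f in findings:
        if f.get("status_code") != "FAIL":
            continue
        check = f.get("metadata", {}).get("event_code", "unknown")
        # Account-level findings may list no resource; key them on "".
        uids = [r.get("uid", "") for r in f.get("resources", [])] or [""]
        for uid in uids:
            failed[(check, uid)] = f.get("severity", "Unknown")
    return failed

def diff_scans(previous, current):
    """Return (new_failures, resolved), both sorted for stable output."""
    prev, cur = failed_keys(previous), failed_keys(current)
    new = sorted((c, u, cur[(c, u)]) for c, u in cur.keys() - prev.keys())
    resolved = sorted(prev.keys() - cur.keys())
    return new, resolved

def _finding(check, uid, status, severity):
    """Build one constructed finding with only the fields used above."""
    return {"metadata": {"event_code": check}, "status_code": status,
            "severity": severity, "resources": [{"uid": uid}]}

# Constructed sample data (not real scan output); check ids are from this page.
MFA, S3 = "iam_user_mfa_enabled_console_access", "s3_bucket_public_access"
YESTERDAY = [
    _finding(MFA, "arn:aws:iam::111122223333:user/alice", "FAIL", "High"),
    _finding(S3, "arn:aws:s3:::example-logs", "FAIL", "Critical"),
]
TODAY = [
    _finding(MFA, "arn:aws:iam::111122223333:user/alice", "FAIL", "High"),
    _finding(S3, "arn:aws:s3:::example-logs", "PASS", "Critical"),
    _finding(S3, "arn:aws:s3:::example-new-bucket", "FAIL", "Critical"),
]

if __name__ == "__main__":
    new, resolved = diff_scans(YESTERDAY, TODAY)
    for check, uid, severity in new:
        print(f"NEW      {severity:<9}{check} {uid}")
    for check, uid in resolved:
        print(f"RESOLVED {check} {uid}")
```

For real reports, pass the output of `load_report()` for two consecutive days to `diff_scans()` and alert only on the new failures.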

Tool Selection Guide

| Use Case | Primary Tool | Secondary |
|---|---|---|
| AWS config audit | Prowler | ScoutSuite |
| Multi-cloud audit | ScoutSuite | Cloud-specific tools |
| AWS exploitation | Pacu | Manual CLI |
| IaC scanning | Checkov | Trivy |
| Container security | Trivy | Grype |
| Entra ID | ROADtools | AzureHound |
| Learning/Labs | CloudGoat | Pwned Labs |

Next Steps

You've completed the Cloud Security Fundamentals course. To continue your cloud security journey:

  1. Practice: Deploy CloudGoat scenarios and practice exploitation
  2. Certify: Consider AWS Security Specialty, Azure Security Engineer, or GCP Professional Cloud Security Engineer
  3. Contribute: Contribute to open-source tools like Prowler or ScoutSuite
  4. Stay current: Follow cloud provider security blogs and release notes

Continue learning with our Bug Bounty Hunting course to apply cloud security knowledge to real-world vulnerability discovery.
