Cloud Pentesting & Assessment

Cloud Security Assessment Tools


Effective cloud security assessment requires specialized tools for configuration auditing, vulnerability scanning, and offensive testing. Understanding when to use each tool maximizes assessment coverage and efficiency.

Configuration Assessment Tools

Prowler - AWS Security Assessment

Prowler is the industry-standard open-source tool for AWS security auditing:

# Install Prowler
pip install prowler

# Run full assessment
prowler aws

# Run specific checks
prowler aws --checks iam_user_mfa_enabled_console_access s3_bucket_public_access

# Run by compliance framework
prowler aws --compliance cis_3.0_aws

# Output formats
prowler aws -M json-ocsf -F prowler-results
prowler aws -M html -F prowler-report

# Scan specific services
prowler aws --services iam s3 ec2

Key check categories:

  • IAM: User/role policies, MFA, access keys
  • S3: Public access, encryption, logging
  • EC2: Security groups, IMDSv2, EBS encryption
  • CloudTrail: Logging enabled, integrity validation
  • VPC: Flow logs, default security groups

ScoutSuite - Multi-Cloud Assessment

# Install ScoutSuite
pip install scoutsuite

# AWS assessment
scout aws

# Azure assessment
scout azure --cli

# GCP assessment
scout gcp --user-account

# Generate HTML report
scout aws --report-dir ./scout-report

ScoutSuite findings:

  • Danger (red): Critical security issues
  • Warning (orange): Best practice violations
  • Good (green): Properly configured

CloudSploit - Continuous Monitoring

# Clone repository
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit

# Install dependencies
npm install

# Run AWS scan
./index.js --cloud aws --config ./config.js

# Run with compliance mapping
./index.js --cloud aws --compliance cis

Offensive Security Tools

Pacu - AWS Exploitation Framework

# Install Pacu
pip install pacu

# Start Pacu
pacu

# Create new session
Pacu > new_session pentester

# Configure AWS keys
Pacu > set_keys

# Run enumeration
Pacu > run iam__enum_users_roles_policies_groups
Pacu > run iam__enum_permissions
Pacu > run lambda__enum

# Privilege escalation scan
Pacu > run iam__privesc_scan

# Data exfiltration
Pacu > run s3__download_bucket

Key Pacu modules:

Module                   Purpose
iam__enum_permissions    Map current permissions
iam__privesc_scan        Find escalation paths
ec2__enum                Enumerate EC2 instances
lambda__enum             List Lambda functions
s3__bucket_finder        Discover S3 buckets

CloudGoat - Vulnerable Lab Environment

# Install CloudGoat
pip install cloudgoat

# Configure AWS credentials
cloudgoat config profile

# Deploy vulnerable scenario
cloudgoat create iam_privesc_by_rollback
cloudgoat create ec2_ssrf

# Practice exploitation scenarios
# Each scenario teaches specific cloud attack paths

# Clean up
cloudgoat destroy iam_privesc_by_rollback

CloudGoat scenarios:

  • iam_privesc_by_rollback: Policy version rollback
  • ec2_ssrf: SSRF to metadata service
  • lambda_privesc: Lambda role abuse
  • codebuild_secrets: Secret exfiltration
  • rce_web_app: Web app to cloud pivot

ROADtools - Azure AD Assessment

# Install ROADtools
pip install roadrecon

# Authenticate and gather data
roadrecon auth --device-code
roadrecon gather

# Generate report
roadrecon gui

# Access at http://localhost:5000

Compliance Scanning Tools

Checkov - Infrastructure as Code

# Install Checkov
pip install checkov

# Scan Terraform
checkov -d /path/to/terraform

# Scan CloudFormation
checkov -f template.yaml

# Scan Kubernetes manifests
checkov -d /path/to/k8s/

# Scan with specific framework
checkov -d . --framework terraform --check CKV_AWS_1,CKV_AWS_2

# Output formats
checkov -d . -o json > results.json
checkov -d . -o sarif > results.sarif

Trivy - Container and Cloud Scanning

# Scan container image
trivy image myapp:latest

# Scan filesystem
trivy fs --scanners vuln,misconfig .

# Scan AWS account
trivy aws --region us-east-1

# Scan Kubernetes cluster
trivy k8s --report summary cluster

Assessment Workflows

Pre-Assessment Checklist

Task                     Purpose
Scope definition         Define accounts, regions, services
Credential collection    Gather read-only/test credentials
Tool preparation         Install and configure tools
Baseline documentation   Document existing configurations
Emergency contacts       Establish incident response chain

Assessment Workflow

┌─────────────────────────────────────────────────────────────┐
│                  Cloud Security Assessment                   │
├─────────────────────────────────────────────────────────────┤
│  Phase 1: Discovery (Prowler/ScoutSuite)                    │
│  └─ Configuration audit, compliance check                   │
├─────────────────────────────────────────────────────────────┤
│  Phase 2: Enumeration (Manual + Pacu)                       │
│  └─ IAM mapping, resource discovery, trust relationships    │
├─────────────────────────────────────────────────────────────┤
│  Phase 3: Exploitation (Pacu + Manual)                      │
│  └─ Privilege escalation, lateral movement, data access     │
├─────────────────────────────────────────────────────────────┤
│  Phase 4: Reporting                                         │
│  └─ Findings, risk ratings, remediation guidance            │
└─────────────────────────────────────────────────────────────┘

Continuous Assessment

# Automated daily Prowler scan (Prowler 4 writes JSON as json-ocsf; the plain json mode was removed in v4)
0 2 * * * /usr/local/bin/prowler aws -M json-ocsf -F /reports/daily-$(date +\%Y\%m\%d)

# Weekly ScoutSuite comprehensive scan
0 3 * * 0 /usr/local/bin/scout aws --report-dir /reports/weekly-$(date +\%Y\%m\%d)

# Integrate with CI/CD
# .github/workflows/security.yml
name: Cloud Security Scan
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  prowler:
    runs-on: ubuntu-latest
    steps:
      - uses: prowler-cloud/prowler-action@v1
        with:
          prowler_version: 4.0
          cloud_provider: aws
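A scheduled or CI scan is only useful if something reads the report and decides whether the run should fail. The script below is an added example (not Prowler's own code) that triages a Prowler `-M json-ocsf` report as produced by the output-format commands earlier on this page and by the daily cron job above: it keeps only FAIL findings at or above a severity threshold, counts them per check, and compares them against a baseline of already-known (check id, resource ARN) pairs so that only regressions fail the pipeline. The field names used (`status_code`, `severity`, `metadata.event_code`, `finding_info.title`, `resources[].uid`) are assumed from Prowler's OCSF DetectionFinding layout and should be verified against your own report; the four sample findings are constructed, not real scan output.

```python
"""Triage a Prowler json-ocsf report for a scheduled or CI scan.

Added example, not part of Prowler. Assumes the OCSF DetectionFinding
layout Prowler 4 writes with `-M json-ocsf`: `status_code`, `severity`,
`metadata.event_code` (the check id), `finding_info.title` and
`resources[].uid`. Verify the field names against your own report.
"""
import json
import sys
from collections import Counter

# Severity labels as Prowler emits them, ranked so a threshold can be applied.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample of four findings in the assumed layout (not real scan output).
SAMPLE_REPORT = json.dumps([
    {
        "status_code": "FAIL",
        "severity": "High",
        "metadata": {"event_code": "iam_user_mfa_enabled_console_access"},
        "finding_info": {"title": "Ensure users with console access have MFA enabled"},
        "resources": [{"uid": "arn:aws:iam::123456789012:user/alice"}],
    },
    {
        "status_code": "PASS",
        "severity": "High",
        "metadata": {"event_code": "iam_user_mfa_enabled_console_access"},
        "finding_info": {"title": "Ensure users with console access have MFA enabled"},
        "resources": [{"uid": "arn:aws:iam::123456789012:user/bob"}],
    },
    {
        "status_code": "FAIL",
        "severity": "Medium",
        "metadata": {"event_code": "cloudtrail_log_file_validation_enabled"},
        "finding_info": {"title": "Ensure CloudTrail log file validation is enabled"},
        "resources": [{"uid": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}],
    },
    {
        "status_code": "FAIL",
        "severity": "Critical",
        "metadata": {"event_code": "s3_bucket_public_access"},
        "finding_info": {"title": "Ensure there are no S3 buckets open to Everyone"},
        "resources": [{"uid": "arn:aws:s3:::example-public-bucket"}],
    },
])


def load_findings(report_text):
    """Parse the report; Prowler writes one JSON array of findings."""
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of OCSF findings")
    return findings


def finding_key(finding):
    """Stable identity for a finding across runs: (check id, resource ARN)."""
    check = finding.get("metadata", {}).get("event_code", "unknown_check")
    resources = finding.get("resources") or [{}]
    return check, resources[0].get("uid", "unknown_resource")


def failed_findings(findings, min_severity="High"):
    """Keep FAIL findings whose severity is at or above the threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        f for f in findings
        if f.get("status_code") == "FAIL"
        and SEVERITY_RANK.get(f.get("severity"), 0) >= threshold
    ]


def summarize_by_check(findings):
    """Count failures per check id, e.g. {'s3_bucket_public_access': 1}."""
    return dict(Counter(finding_key(f)[0] for f in findings))


def new_since_baseline(findings, baseline_keys):
    """Findings not present in the baseline recorded during pre-assessment."""
    return [f for f in findings if finding_key(f) not in baseline_keys]


def triage(report_text, baseline_keys=frozenset(), min_severity="High"):
    """Return (should_fail, new_failures, per_check_summary)."""
    fails = failed_findings(load_findings(report_text), min_severity)
    new = new_since_baseline(fails, baseline_keys)
    return bool(new), new, summarize_by_check(fails)


if __name__ == "__main__":
    # Usage: python triage_prowler.py prowler-results.ocsf.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    should_fail, new, summary = triage(text)
    for check, count in sorted(summary.items()):
        print(f"{count:4d}  {check}")
    for f in new:
        check, uid = finding_key(f)
        print(f"NEW {f.get('severity')}: {check} on {uid}")
    sys.exit(1 if should_fail else 0)
```

The baseline is the set of (check id, resource ARN) pairs captured in the "Baseline documentation" step of the pre-assessment checklist; keying on the resource ARN rather than the check alone means a newly exposed bucket still fails the run even when the same check already had accepted findings elsewhere. The exit status lets the same script gate a cron job or a CI step.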

Tool Selection Guide

Use Case             Primary Tool   Secondary
AWS config audit     Prowler        ScoutSuite
Multi-cloud audit    ScoutSuite     Cloud-specific tools
AWS exploitation     Pacu           Manual CLI
IaC scanning         Checkov        Trivy
Container security   Trivy          Grype
Azure AD             ROADtools      AzureHound
Learning/Labs        CloudGoat      Pwned Labs

Next Steps

You've completed the Cloud Security Fundamentals course. To continue your cloud security journey:

  1. Practice: Deploy CloudGoat scenarios and practice exploitation
  2. Certify: Consider AWS Security Specialty, Azure Security Engineer, or GCP Professional Cloud Security Engineer
  3. Contribute: Contribute to open-source tools like Prowler or ScoutSuite
  4. Stay current: Follow cloud provider security blogs and release notes

Continue learning with our Bug Bounty Hunting course to apply cloud security knowledge to real-world vulnerability discovery.
