---
name: pentest-cloud
description: Cloud security pentest — AWS/Azure/GCP IAM analysis, lateral paths, container escape patterns, serverless abuse advisory. Triggers on cloud pentest, AWS, Azure, GCP, IAM, S3 misconfig, EC2 metadata, Azure AD, GCP IAM, Pacu, ScoutSuite, Prowler, CloudGoat.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents cloud-security
---

# pentest-cloud

AWS / Azure / GCP pentest methodology: IAM lateral paths, public asset enumeration, container escape patterns.

## Triggers

- "AWS pentest"
- "Azure AD test"
- "GCP IAM enum"
- "S3 public bucket"
- "EC2 metadata abuse"
- "IMDSv2 bypass"
- "Pacu / ScoutSuite / Prowler usage"

## Cloud-Provider Specifics

### AWS

| Attack Surface | Test |
|----------------|------|
| S3 public read/write | `aws s3 ls s3://<bucket> --no-sign-request` |
| EC2 IMDSv1 | `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` |
| Lambda env leak | Lambda invoke + env var dump |
| IAM privilege esc | iam:CreateAccessKey, iam:AttachUserPolicy, sts:AssumeRole |
| CloudTrail bypass | sts:GetSessionToken (logged as user, not source) |
| Misconfigured IAM | `*` action on `*` resource |
| Cross-account roles | external Principal "arn:aws:iam::OTHER:root" |
| Resource policy | S3 bucket policy with `"Principal": "*"` |
| SSM RunCommand | EC2 to OS via SSM session manager |
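The "Cross-account roles" and "Resource policy" rows both come down to inspecting the `Principal` element of a policy document. The following is an added example written for this page, not code from the project or any of the tools named above: a small standard-library Python checker that flags a public principal (`"*"` or `{"AWS": "*"}`) and any AWS account principal that is not in a caller-supplied allow-list. The policy documents, the account ids (`123456789012`, `999999999999`) and the bucket name are constructed samples; `Condition` blocks are not evaluated, only reported, so every finding is a "review this" item rather than proof of exposure.

```python
import re

# Matches the account id inside an IAM principal ARN such as arn:aws:iam::123456789012:root
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement ("*" or ARNs / account ids)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        # Service principals (e.g. ec2.amazonaws.com) are not cross-account risks here
        return [p for p in _as_list(principal.get("AWS"))]
    return []


def principal_account(principal):
    """Extract the 12-digit account id from an ARN or bare account-id principal."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def audit_policy(policy, trusted_accounts):
    """Audit a bucket or trust policy.

    Returns a list of (kind, detail, has_condition) tuples:
      ("public-principal", "*", ...)          Principal "*" on an Allow statement
      ("external-account", "<account id>", ...)  AWS principal outside trusted_accounts
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for principal in _aws_principals(stmt):
            if principal == "*":
                findings.append(("public-principal", "*", conditioned))
                continue
            account = principal_account(principal)
            if account is not None and account not in trusted_accounts:
                findings.append(("external-account", account, conditioned))
    return findings


# Constructed samples (not from any real account): one public bucket policy and one
# role trust policy that also trusts an account outside the allow-list.
TRUSTED_ACCOUNTS = {"123456789012"}

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::company-backups", "arn:aws:s3:::company-backups/*"],
    }],
}

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("bucket", SAMPLE_BUCKET_POLICY), ("trust", SAMPLE_TRUST_POLICY)):
        for kind, detail, conditioned in audit_policy(doc, TRUSTED_ACCOUNTS):
            suffix = " (has Condition, review it)" if conditioned else ""
            print(f"{name}: {kind} {detail}{suffix}")
```

Feed it the output of `aws s3api get-bucket-policy` or `aws iam get-role` (the `Policy` / `AssumeRolePolicyDocument` field, JSON-decoded) and keep the allow-list to the organisation's own account ids; a `Condition` on a public principal (for example a `aws:SourceVpce` restriction) still shows up so an analyst can decide whether it actually closes the exposure.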

### Azure

| Attack Surface | Test |
|----------------|------|
| Anonymous storage container | `https://<acc>.blob.core.windows.net/<container>?restype=container&comp=list` |
| Azure AD enumeration | UserList API anonymous |
| Service Principal abuse | Excessive RBAC role assignment |
| Managed Identity | VM -> token endpoint -> assume role |
| Azure DevOps PAT | Repo scan for PAT in code |
| Key Vault | RBAC misconfig, public access |

### GCP

| Attack Surface | Test |
|----------------|------|
| GCS public bucket | `gsutil ls gs://<bucket>` (no auth) |
| Compute metadata | `curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -H "Metadata-Flavor: Google"` |
| IAM lateral | iam.serviceAccounts.actAs, iam.roles.update |
| GKE container | RBAC misconfig + IMDS reach |

## Recommended Commands

```bash
# QUIET — AWS misconfig audit (read-only IAM)
prowler aws --profile <profile> --severity high,critical

# QUIET — ScoutSuite multi-cloud audit
scout aws --profile <profile> --report-dir ./scout-report

# MODERATE — Pacu enumeration (Pacu CLI)
# Pacu depends on its session database; use --modules for targeted recon

# MODERATE — Azure recon
roadrecon auth --device-code
roadrecon gather

# MODERATE — GCP enum (lists every project visible to the account; take care)
gcloud projects list
gcloud iam service-accounts list --project=<project>
```

## IAM Privilege Escalation Patterns

```
AWS PrivEsc (common 25):

1. iam:CreateAccessKey on another user
2. iam:CreateLoginProfile on another user
3. iam:UpdateLoginProfile on another user
4. iam:AttachUserPolicy + ManagedPolicy AdministratorAccess
5. iam:AttachGroupPolicy
6. iam:AttachRolePolicy
7. iam:PutUserPolicy (inline policy)
8. iam:PutGroupPolicy
9. iam:PutRolePolicy
10. iam:AddUserToGroup
11. iam:UpdateAssumeRolePolicy
12. iam:PassRole + service action (lambda, ec2)
13. sts:AssumeRole (broad principal)
14. lambda:UpdateFunctionCode + lambda:InvokeFunction
15. lambda:CreateFunction + iam:PassRole
... (automated with Pacu modules)
```
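The list above, together with the "Misconfigured IAM" row (`*` action on `*` resource) in the AWS table, is what a policy reviewer looks for in identity policies before an attacker does. The following is an added example written for this page and is not Pacu's or the project's code: a standard-library Python scanner that takes an IAM identity policy document, expands IAM's case-insensitive `*` / `?` wildcards (so `iam:*` or a bare `*` are caught), and reports which of the privilege-escalation-capable actions from the list are granted and on which resources. The policy document and account id are constructed samples; `NotAction`, `Deny` precedence across other attached policies, and `Condition` keys are deliberately out of scope, so treat results as review candidates.

```python
import fnmatch

# Actions the PrivEsc list above calls out (entries 1-15). Any Allow granting one of these,
# directly or via a wildcard pattern, is worth a reviewer's attention.
PRIVESC_ACTIONS = frozenset({
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:InvokeFunction",
    "lambda:CreateFunction",
})


def _as_list(value):
    """IAM accepts a scalar or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' any run, '?' one character."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def flagged_grants(policy):
    """Return sorted (action, resource, granting_pattern) tuples for every Allow statement
    that grants a privesc-capable action (Deny statements are skipped)."""
    grants = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            for action in PRIVESC_ACTIONS:
                if action_matches(pattern, action):
                    for resource in resources:
                        grants.add((action, resource, pattern))
    return sorted(grants)


def is_admin_wildcard(policy):
    """True if any Allow statement grants Action '*' on Resource '*' (the table's
    'Misconfigured IAM' row)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


# Constructed sample policy (account id 123456789012 is a placeholder, not a real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"},
        {"Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy",
         "Resource": "arn:aws:iam::123456789012:role/prod-admin"},
        {"Effect": "Allow", "Action": ["lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("admin wildcard:", is_admin_wildcard(SAMPLE_POLICY))
    for action, resource, pattern in flagged_grants(SAMPLE_POLICY):
        print(f"{action:32} on {resource:48} via {pattern}")
```

Run it over the `PolicyDocument` returned by `aws iam get-policy-version` or `get-user-policy`; the `granting_pattern` column is the thing to put in the report, because a finding caused by `lambda:*` or `iam:*` needs a different remediation (tighten the wildcard) than an explicit grant.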

## Container Escape (K8s)

```bash
# QUIET — pod RBAC check (kubectl in pod)
kubectl auth can-i --list

# Pod escape signal:
# - hostPID: true
# - hostNetwork: true
# - privileged: true
# - hostPath mount /
# - Capabilities: SYS_ADMIN, SYS_PTRACE

# Service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# IMDSv1 reach from pod
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```
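The escape signals listed in the comments above are all visible in the pod manifest, which means they can be checked from `kubectl get pod -o json` (or in admission) before anything runs. The following is an added example written for this page, not code from the project or from kubectl: a standard-library Python function that walks a pod manifest in dict form and returns the signals present (`hostPID`, `hostNetwork`, a privileged container, a `hostPath` mount of `/`, the `SYS_ADMIN` / `SYS_PTRACE` capabilities, plus whether the service-account token is auto-mounted, since that is the token the `cat` above reads). Both manifests are constructed samples; `automountServiceAccountToken` is treated as true when absent because that is the API default.

```python
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE"}


def _normalise_cap(cap):
    """Kubernetes accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare without the prefix."""
    name = cap.upper()
    return name[4:] if name.startswith("CAP_") else name


def escape_signals(pod):
    """Return the list of container-escape risk signals present in a pod manifest (dict)."""
    spec = pod.get("spec") or {}
    signals = []

    # Pod-level namespace sharing
    for flag in ("hostPID", "hostNetwork"):
        if spec.get(flag) is True:
            signals.append(flag)

    # hostPath volume mounting the node's root filesystem
    for vol in spec.get("volumes") or []:
        if (vol.get("hostPath") or {}).get("path") == "/":
            signals.append(f"hostPath:/ ({vol.get('name')})")

    # Per-container security context (init containers count too)
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = container.get("securityContext") or {}
        if sc.get("privileged") is True:
            signals.append(f"privileged:{container.get('name')}")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            name = _normalise_cap(cap)
            if name in DANGEROUS_CAPS:
                signals.append(f"capability:{name} ({container.get('name')})")

    # API default is to mount the SA token; explicit False is the hardened setting
    if spec.get("automountServiceAccountToken", True):
        signals.append("serviceAccountToken:automounted")
    return signals


# Constructed sample manifests, mirroring YAML as Python dicts so no yaml dependency is needed.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-tool"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "example/app:placeholder",
            "securityContext": {"privileged": True, "capabilities": {"add": ["CAP_SYS_ADMIN"]}},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "web", "image": "example/web:placeholder",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", escape_signals(pod) or "no escape signals")
```

Running it against every pod in a namespace gives the same list the in-pod checks above would discover, but from the cluster side and before an engagement; anything in the output is also a candidate for a Pod Security Admission `restricted` or `baseline` policy on that namespace.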

## Output Template

```markdown
## Cloud Pentest — <account>

### IAM Path
- User: dev-readonly
- Excessive: iam:UpdateAssumeRolePolicy on role "prod-admin"
- Path: dev-readonly -> update trust policy -> sts:AssumeRole prod-admin -> *
- Time-to-DA: 2 minutes

### Public Asset
- S3 bucket "company-backups" — anonymous list + read (1.2TB exposed)
- 3 prod EC2 instances IMDSv1 only -> SSRF chain risk

### Defensive Recommendations
- IAM policy review: iam:* actions only in the break-glass account
- S3 bucket policy: Principal "*" forbidden (block public access at account level)
- EC2 metadata: IMDSv2 required (hop limit 1)
```

## Out-of-Scope

- Deleting or writing production data
- Resource creation (take care not to incur cost; engagement cost limit applies)
- Third-party services (Stripe, SendGrid) are out of scope by default
