General Cloud

Cloud Basics and design

Cloud Security and Hardening

Cloud Pen Testing

Multi-Cloud Tools

  • Enumeration and Auditing
    • ​cloud-enum - enumerates public resources matching user requested keywords in public clouds
    • ​ScoutSuite - Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
    • ​SkyArk - SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
    • ​PMapper - Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
    • ​gitoops - GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
    • ​cloudbrute - This package contains a tool to find a company (target) infrastructure, files, and apps on the top cloud providers
  • Offensive Frameworks
    • ​ cloudsploit - CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
    • ​serverless-prey - Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container:
      • ​Panther: AWS Lambda written in Node.js
      • ​Cougar: Azure Function written in C#
      • ​Cheetah: Google Cloud Function written in Go

Azure - The Microsoft Cloud Environment


Azure Training

Azure CLI

Azure AD

Sentinel - The Azure SIEM

Azure Defender

Azure Pentesting Guides



  • Recon and Enumeration
    • ​BlobHunter - An opensource tool for scanning Azure blob storage accounts for publicly opened blobs.
    • ​o365recon - Script to retrieve information via O365 with a valid cred
  • Exploitation frameworks
    • ​PowerZure - PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
    • ​MicroBurst: A PowerShell Toolkit for Attacking Azure - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
    • ​lava - Microsoft Azure Exploitation Framework
    • ​XMGoat - An open source tool with the purpose of teaching penetration testers, red teamers, security consultants, and cloud experts how to abuse different misconfigurations within the Azure environment. In this way, you learn about common Azure security issues.
  • Azure AD Exploitation tools
    • ​AADInternals - AADInternals is PowerShell module for administering Azure AD and Office 365
    • ​Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
    • ​ROADtools - ROADtools is a framework to interact with Azure AD.
    • ​adconnectdump - Azure AD Connect password extraction
  • For Password Spraying
    • First check if the accounts is valid.​
    • Perform password spraying attack: MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)


  • Logging and Alerting
  • Security Auditing and Hardening
    • ​CRT - Crowdstrike Reporting Tool for Azure: This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.
    • ​AzureADRecon - AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment.
    • ​ROADTools - ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool.
    • ​azucar - Security auditing tool for Azure environments
    • ​AzureADAssessment - Tooling for assessing an Azure AD tenant state and configuration
  • DFIR

AWS - Amazon Cloud Services



AWS Pentesting Guides

AWS Services and their Attack Surfaces

AWS Service
Attack Surface
EC2 does in fact have a public attack surface similar to traditional physical infrastructure. Vulnerabilities that affect the OS will manifest exactly as they would on their hardware based counterpart. Things start to differ when you deal with anything that interacts with the local network or system. A vulnerability allowing command execution may allow an attacker to move laterally if configured with STS. Access tokens may also be stolen with SSRF vulnerabilities by reaching out to metadata IP addresses. More information: EC2 Pentesting in Depth​
S3 requires careful consideration for bucket-level and object-level permissions. The S3 bucket itself can grant permissions to β€˜Everyone’ or β€˜Authenticated Users’. The β€˜Authenticated Users’ permissions will grant access to all AWS users. Because of this a pentester must check both anonymous permissions as well as semi-public permissions with their own access tokens. More information: S3 Pentesting in Depth​
Did you know an ELB can introduce HTTP Request Smuggling? This commonly overlooked configuration can allow attackers to inject requests into other user’s sessions.
Misconfigured topics or queues can allow unauthorized users to subscribe to topics or push messages to queues. Testing of this can be done with the AWS CLI.
Databases on AWS are relatively straightforward, although a penetration test should check for databases configured with public access.
EBS volumes can be made publicly available. The AWS CLI can be used to verify if EBS snapshots are publicly accessible.
Cognito Authentication
An AWS pentest should determine if the Cognito configuration is appropriate for intended application behavior. This includes checking for self-signups, and enabling advanced security.


Offensive Tools

Defensive tools

  • ​Arsenal of AWS Tools - Tool collection of cloud security researcher Toni de la Fuente
  • Security Assessment and Hardening
    • ​Cloudsplaining - Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
    • ​Prowler - Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
    • ​cloudsploit - Cloud Security Posture Management (CSPM)
    • ​cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
    • ​cloudtracker - CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
    • ​aws-recon - Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
    • ​review-security-groups - A small set of scripts to summarize AWS Security Groups, and generate visualizations of the rules.
  • DFIR
    • ​aws_ir - Python installable command line utility for mitigation of host and key compromises.
    • ​acquire-aws-ec2 - Handy script for capturing EC2 instances in IR scenarios
  • Threat Hunting

AWS Training


Guides and Reference