Tooling

Cloud Pentesting — AWS, Azure, GCP

Pacu, Prowler, ScoutSuite, AzureHound, gcp_scanner — attacking and auditing cloud accounts.

Cloud pentest moved from "guess at console misconfig" to dedicated toolkits with deep IAM coverage. For Entra ID / Azure AD specifically also see Active Directory Pentesting. For Kubernetes see Container & K8s Pentesting. For SAST / IaC scanning see Security Scanning. For SOC 2 / ISO programmatic ops see Compliance (SOC 2 / ISO).

Multi-cloud audit (the starting point)

  • ★ ★ Prowler — AWS / Azure / GCP / k8s; CIS, ISO, NIST, PCI, HIPAA, GDPR checks; thousands of controls; CLI + Prowler SaaS (free + paid). Free OSS. The 2024–26 default.
  • ScoutSuite (NCC) — multi-cloud auditing; AWS / Azure / GCP / OCI / Aliyun; static HTML report. Free.
  • CloudSploit (Aqua) — multi-cloud OSS scanner.
  • Cloudfox (BishopFox) — "exploitable findings" reporting on AWS / Azure (currently AWS-strongest); pairs nicely with Pacu.
  • Steampipe — query AWS / Azure / GCP as SQL; brilliant for custom posture checks. Free.

AWS-specific

  • Pacu (Rhino Security) — modular AWS exploitation framework; 50+ modules: EC2 takeover, IAM privesc, Lambda backdoor, S3 ransom. The reference offensive AWS toolkit. Free.
  • Stratus Red Team (Datadog) — emulates 50+ AWS / GCP / k8s / Entra ID attacks safely against your own account; brilliant for blue-team detection testing. Free.
  • enumerate-iam — quick "what can this key do?"
  • awsume — assume-role helper.
  • principalmapper / pmapper — IAM privesc graph.
  • ZeusCloud — CSPM-style; OSS.
  • AWS Security Hub — built-in posture; paid usage-based.
  • GuardDuty / Detective / Macie — AWS detection services.
  • rhino-leakooze, GoAWSConsoleSpray — cred / login spray helpers.
  • awscli + jq — there's no replacement for aws iam list-… chains.

Azure / Entra ID

  • AzureHound — collector for BloodHound CE; maps Az / Entra graph. See Active Directory Pentesting.
  • ROADtools / roadrecon — Entra ID enumeration.
  • MicroBurst (NetSPI) — Az red-team toolkit (Storage / Functions / Automation / KeyVault).
  • AADInternals — PowerShell Entra ID toolkit.
  • BARK — BloodHound Attack Research Kit.
  • TokenSmith / TokenTactics / TokenTacticsV2 — Entra ID token impersonation.
  • PowerZure (legacy).
  • AzureRT — red-team utility belt.
  • Stormspotter (sunset → ROADtools).

GCP

  • gcp_scanner (Google) — auth-aware GCP enum.
  • gcp-iam-collector — IAM graph builder.
  • GCPBucketBrute — GCS bucket brute / public-access.
  • GCPTokenReuse — service-account token abuse helpers.
  • Hayat — GCP audit script collection.
  • ScoutSuite GCP / Prowler GCP — see above.

Cred-harvesting helpers

  • TruffleHog / GitGuardian / gitleaks — pull leaked AWS / Azure / GCP keys from public repos. See Security Scanning.
  • noseyparker — fast Rust secret scanner.
  • AWS_Key_Disabler / aws-pwn-cleanup — defender-side response.
  • CloudTracker — find users / roles with unused permissions.

CSPM / drift / OSS

  • Cloud Custodian — policy-as-code remediation; not just detect. Free.
  • Steampipe / Powerpipe / Flowpipe (Turbot) — SQL + dashboards + workflows over cloud APIs. Free.
  • Cartography (Lyft) — neo4j-backed cloud asset graph.
  • Wiz / Orca / Lacework / Aqua / Sysdig — paid CSPM heavyweights.

CTF / lab targets

  • CloudGoat (Rhino) — vulnerable AWS terraform scenarios.
  • ThunderCloud / TerraGoat (Bridgecrew) — IaC-bug practice.
  • AzureGoat / GCPGoat — Bishop Fox.
  • flaws.cloud / flaws2.cloud — classic AWS challenges.

Realistic engagement flow

  • Recon: Prowler / ScoutSuite read-only audit on a low-priv key → Pacu/Cloudfox attack-surface enumeration.
  • Privesc: pmapper graph → identify chain → Pacu module to exploit.
  • Persistence: Lambda backdoor / role assumption / role-chain across accounts.
  • Detection-test: Stratus Red Team to validate your own GuardDuty / Sentinel rules.

Pick this if…

  • Default multi-cloud read-only audit: Prowler.
  • Multi-cloud HTML report: ScoutSuite.
  • AWS attack: Pacu + Cloudfox.
  • Az / Entra ID attack: AzureHound + ROADtools + MicroBurst.
  • GCP attack: gcp_scanner + Hayat.
  • Validate your detections: Stratus Red Team.
  • SQL queries against cloud state: Steampipe.
  • Lab to practice: CloudGoat / AzureGoat / GCPGoat.

On this page