Cloud Pentesting — AWS, Azure, GCP
Pacu, Prowler, ScoutSuite, AzureHound, gcp_scanner — attacking and auditing cloud accounts.
Cloud pentest moved from "guess at console misconfig" to dedicated toolkits with deep IAM coverage. For Entra ID / Azure AD specifically also see Active Directory Pentesting. For Kubernetes see Container & K8s Pentesting. For SAST / IaC scanning see Security Scanning. For SOC 2 / ISO programmatic ops see Compliance (SOC 2 / ISO).
Multi-cloud audit (the starting point)
- ★ ★ Prowler — AWS / Azure / GCP / k8s; CIS, ISO, NIST, PCI, HIPAA, GDPR checks; thousands of controls; CLI + Prowler SaaS (free + paid). Free OSS. The 2024–26 default.
- ★ ScoutSuite (NCC) — multi-cloud auditing; AWS / Azure / GCP / OCI / Aliyun; static HTML report. Free.
- CloudSploit (Aqua) — multi-cloud OSS scanner.
- Cloudfox (BishopFox) — "exploitable findings" reporting on AWS / Azure (currently AWS-strongest); pairs nicely with Pacu.
- Steampipe — query AWS / Azure / GCP as SQL; brilliant for custom posture checks. Free.
AWS-specific
- ★ Pacu (Rhino Security) — modular AWS exploitation framework; 50+ modules: EC2 takeover, IAM privesc, Lambda backdoor, S3 ransom. The reference offensive AWS toolkit. Free.
- Stratus Red Team (Datadog) — emulates 50+ AWS / GCP / k8s / Entra ID attacks safely against your own account; brilliant for blue-team detection testing. Free.
- enumerate-iam — quick "what can this key do?"
- awsume — assume-role helper.
- principalmapper / pmapper — IAM privesc graph.
- ZeusCloud — CSPM-style; OSS.
- AWS Security Hub — built-in posture; paid usage-based.
- GuardDuty / Detective / Macie — AWS detection services.
- rhino-leakooze, GoAWSConsoleSpray — cred / login spray helpers.
- awscli + jq — there's no replacement for
aws iam list-…chains.
Azure / Entra ID
- ★ AzureHound — collector for BloodHound CE; maps Az / Entra graph. See Active Directory Pentesting.
- ROADtools / roadrecon — Entra ID enumeration.
- MicroBurst (NetSPI) — Az red-team toolkit (Storage / Functions / Automation / KeyVault).
- AADInternals — PowerShell Entra ID toolkit.
- BARK — BloodHound Attack Research Kit.
- TokenSmith / TokenTactics / TokenTacticsV2 — Entra ID token impersonation.
- PowerZure (legacy).
- AzureRT — red-team utility belt.
- Stormspotter (sunset → ROADtools).
GCP
- gcp_scanner (Google) — auth-aware GCP enum.
- gcp-iam-collector — IAM graph builder.
- GCPBucketBrute — GCS bucket brute / public-access.
- GCPTokenReuse — service-account token abuse helpers.
- Hayat — GCP audit script collection.
- ScoutSuite GCP / Prowler GCP — see above.
Cred-harvesting helpers
- TruffleHog / GitGuardian / gitleaks — pull leaked AWS / Azure / GCP keys from public repos. See Security Scanning.
- noseyparker — fast Rust secret scanner.
- AWS_Key_Disabler / aws-pwn-cleanup — defender-side response.
- CloudTracker — find users / roles with unused permissions.
CSPM / drift / OSS
- Cloud Custodian — policy-as-code remediation; not just detect. Free.
- Steampipe / Powerpipe / Flowpipe (Turbot) — SQL + dashboards + workflows over cloud APIs. Free.
- Cartography (Lyft) — neo4j-backed cloud asset graph.
- Wiz / Orca / Lacework / Aqua / Sysdig — paid CSPM heavyweights.
CTF / lab targets
- CloudGoat (Rhino) — vulnerable AWS terraform scenarios.
- ThunderCloud / TerraGoat (Bridgecrew) — IaC-bug practice.
- AzureGoat / GCPGoat — Bishop Fox.
- flaws.cloud / flaws2.cloud — classic AWS challenges.
Realistic engagement flow
- Recon: Prowler / ScoutSuite read-only audit on a low-priv key → Pacu/Cloudfox attack-surface enumeration.
- Privesc: pmapper graph → identify chain → Pacu module to exploit.
- Persistence: Lambda backdoor / role assumption / role-chain across accounts.
- Detection-test: Stratus Red Team to validate your own GuardDuty / Sentinel rules.
Pick this if…
- Default multi-cloud read-only audit: Prowler.
- Multi-cloud HTML report: ScoutSuite.
- AWS attack: Pacu + Cloudfox.
- Az / Entra ID attack: AzureHound + ROADtools + MicroBurst.
- GCP attack: gcp_scanner + Hayat.
- Validate your detections: Stratus Red Team.
- SQL queries against cloud state: Steampipe.
- Lab to practice: CloudGoat / AzureGoat / GCPGoat.