AWS Penetration Testing

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

Author

zebbern

Category

Other Tools

Install


Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-aws-penetration-testing&locale=en&source=copy

AWS Penetration Testing - Cloud Environment Security Assessment and Red Teaming Tools

Skill Overview

AWS Penetration Testing is a professional cloud security testing skill that provides security testers and red team members with a complete penetration testing methodology for AWS environments, covering core techniques such as IAM permission enumeration, credential escalation, metadata SSRF exploitation, S3 bucket testing, and Lambda code injection.

Applicable Scenarios

1. Cloud Infrastructure Security Assessment

When an organization needs to audit its AWS deployment, this skill provides a systematic testing process, including IAM permission boundary checks, S3 bucket public access detection, EC2 security configuration reviews, and more, helping to uncover security weaknesses in the cloud environment.

2. SSRF Exploitation and Credential Retrieval

When an SSRF vulnerability is found at the application layer, the skill walks through reaching the AWS metadata endpoint (169.254.169.254) to obtain the temporary IAM credentials of an EC2 instance. It supports both IMDSv1 and IMDSv2 modes, as well as techniques for obtaining credentials from Fargate containers.

3. Red Team Operations and Persistence

The skill provides lateral movement and persistence techniques in AWS environments for authorized red team engagements, including creating access keys, attaching administrator policies, Lambda code injection, and SSM command execution, and it covers CloudTrail log handling and GuardDuty evasion recommendations.

Core Features

1. IAM Permission Enumeration and Privilege Escalation

Comprehensively analyze the permission scope of the current credentials using tools such as enumerate-iam, Pacu, and Principal Mapper. Identify Shadow Admin privileges (e.g., iam:CreateAccessKey, iam:AttachUserPolicy), and provide multiple escalation paths: create access keys for a target user, attach an administrator policy to your own account, obtain elevated privileges via Lambda code injection, and more.
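The Shadow Admin actions named above can also be hunted for on the defensive side. The following is an added illustration, not code from this skill or its tools: a pure function over an IAM policy document that flags grants of those actions, handling wildcard Actions, NotAction and the IAM rule that an explicit Deny overrides an Allow, run on a constructed sample policy so it works offline.

```python
import fnmatch

# The two escalation-capable actions named above; extend the tuple as needed.
SHADOW_ADMIN_ACTIONS = ("iam:CreateAccessKey", "iam:AttachUserPolicy")

def _as_list(value):
    """IAM allows a string, a dict or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports '*' and '?' globs."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_shadow_admin_grants(policy_doc):
    """Return [(sid, action, resource)] for each watched action the policy grants.
    NotAction statements allow everything not listed; an explicit Deny removes a
    grant (resource globs compared with fnmatch, an approximation of ARN matching)."""
    stmts = [s for s in _as_list(policy_doc.get("Statement")) if isinstance(s, dict)]
    denies = [(p, r) for s in stmts if s.get("Effect") == "Deny"
              for p in _as_list(s.get("Action")) for r in _as_list(s.get("Resource", "*"))]
    findings = []
    for idx, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{idx}")
        if "NotAction" in stmt:
            granted = [a for a in SHADOW_ADMIN_ACTIONS if not _matches(a, _as_list(stmt["NotAction"]))]
        else:
            granted = [a for a in SHADOW_ADMIN_ACTIONS if _matches(a, _as_list(stmt.get("Action")))]
        for action in granted:
            for resource in _as_list(stmt.get("Resource", "*")):
                if not any(_matches(action, [p]) and fnmatch.fnmatchcase(resource, r) for p, r in denies):
                    findings.append((sid, action, resource))
    return findings

# Constructed sample: a "helpdesk" policy that reads as harmless but lets the holder
# mint keys for any user; the explicit Deny is why the "Broad" statement is not reported.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "ResetKeys", "Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/*"},
        {"Sid": "Broad", "Effect": "Allow", "Action": "iam:Attach*", "Resource": "*"},
        {"Sid": "Denied", "Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, action, resource in find_shadow_admin_grants(SAMPLE_POLICY):
        print(f"{sid}: grants {action} on {resource}")
```

Feeding it the documents returned by the AWS CLI's get-policy-version for every attached policy gives an inventory of which principals can reach these actions.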

2. Metadata Endpoint SSRF Exploitation

Provides a complete EC2 metadata endpoint exploitation workflow, from obtaining the IAM role name to extracting temporary credentials (AccessKeyId, SecretAccessKey, Token). Includes IMDSv2 token retrieval methods and the Fargate container credential path (/v2/credentials/), helping testers leverage SSRF to take over cloud resources.

3. S3 and Lambda Resource Testing

Integrates multiple S3 bucket discovery tools, supporting public bucket enumeration and bulk download. Lambda functionality covers function listing, code download, remote invocation, and code-injection-based escalation. Paired with the aws_consoler tool, CLI credentials can be converted into console login URLs to complete the resource testing loop.

Frequently Asked Questions

What prerequisites are needed for AWS penetration testing?

Testing requires the AWS CLI configured with valid access credentials (even those of a low-privilege user), a Python 3 environment, and the boto3 library. Recommended tools include Pacu (open-source AWS exploitation framework), Prowler (security auditing), SkyArk (Shadow Admin discovery), and enumerate-iam (permission enumeration). Important prerequisite: written authorization must be obtained from the client to ensure all testing activities are within legal scope.

How can IMDSv2 metadata endpoint protections be bypassed?

IMDSv2 requires a session token before metadata can be read. This skill documents the complete token workflow: request a token (a PUT carrying the X-aws-ec2-metadata-token-ttl-seconds header), then present that token when accessing the credential endpoint. For Fargate containers, the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable can be read from /proc/self/environ and the resulting path requested from 169.254.170.2 to obtain credentials. If IMDSv2 is enforced, look for application-level SSRF or other credential leakage points instead.
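The defensive counterpart to the answer above is to check that every instance actually enforces IMDSv2. This added example (not part of the skill) is a pure function over the describe_instances response layout, flagging instances that still answer IMDSv1 or allow a PUT response hop limit above the chosen maximum; it runs on a constructed sample so it works offline.

```python
def audit_imds(describe_instances_response, max_hop_limit=1):
    """Return {instance_id: [issues]} for instances whose metadata service still
    answers IMDSv1 (HttpTokens != 'required') or lets token responses travel more
    than max_hop_limit hops (a limit of 1 keeps tokens from crossing a container
    bridge or NAT on the host). Instances with IMDS disabled are skipped."""
    findings = {}
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all: nothing reachable at 169.254.169.254
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=optional)")
            if opts.get("HttpPutResponseHopLimit", 1) > max_hop_limit:
                issues.append(f"hop limit {opts['HttpPutResponseHopLimit']} > {max_hop_limit}")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings

# Constructed sample mirroring the describe_instances response shape (instance ids are made up).
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

if __name__ == "__main__":
    # For a live account, pass each page from
    # boto3.client("ec2").get_paginator("describe_instances").paginate() instead.
    for instance_id, issues in audit_imds(SAMPLE_RESPONSE).items():
        print(instance_id, "; ".join(issues))
```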

Will testing activities be recorded by CloudTrail?

Most AWS API calls are recorded by CloudTrail, including IAM operations, S3 access, and EC2 management. This skill provides log handling suggestions, but emphasizes that audit trails should be preserved according to compliance requirements. Note that the default User-Agent of Kali/Parrot/Pentoo Linux can trigger GuardDuty alerts during testing; the Pacu framework (which can modify the User-Agent) is recommended. All actions should be fully documented for post-engagement audit and review.

Are there any usage restrictions for this skill?

Yes. This skill is only to be used for security testing, red team exercises, CTF competitions, and security research scenarios with explicit written authorization. It is prohibited to use it for unauthorized access, data theft, or destructive operations. The test scope should be strictly limited to resources specified by contract; do not modify data in production environments or leave undocumented persistent backdoors.