A collection of awesome resources to help you get started with AWS penetration testing.
Tools
The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
Prowler is an open-source security tool for AWS, Azure and GCP that performs cloud security best-practice assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It’s similar to a subdomain brute forcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.
Grayhat Warfare is basically an online index for open buckets and the files inside of them.
Cloudlist is a multi-cloud tool for getting assets from cloud providers. It is intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with very little configuration effort.
Courses
Introduction to AWS Penetration Testing
Beginner-friendly course from ITProTV to gain more experience exploiting security flaws in the AWS environment. Brush up your knowledge base by walking through some of the most relevant and basic AWS concepts and skills.
Other Resources
TweekFawkes Presentations / Slides
An awesome collection of slides by TweekFawkes focusing on cloud security and penetration testing.
Awesome Cloud Security Resources, especially for cloud security engineers.