AWS Penetration Testing Resources


A collection of awesome resources to help you get started with AWS penetration testing.

Tools

Pacu

The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.

Prowler

Prowler is an open-source security tool for AWS, Azure and GCP that performs cloud security best-practice assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

ScoutSuite

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

Cloudsplaining

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.

AWSBucketDump

AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It’s similar to a subdomain brute forcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.

Grayhatwarfare

Grayhat Warfare is basically an online index for open buckets and the files inside of them.

Cloudlist

Cloudlist is a multi-cloud tool for getting assets from cloud providers. It is intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with very little configuration effort.

Courses

Introduction to AWS Penetration Testing

Beginner-friendly course from ITProTV to gain more experience exploiting security flaws in the AWS environment. Brush up on your knowledge by walking through some of the most relevant and basic AWS concepts and skills.

Other Resources

TweekFawkes Presentations / Slides

An awesome collection of slides by TweekFawkes focusing on cloud security and penetration testing.

Awesome Cloud Security

Awesome Cloud Security Resources, especially for cloud security engineers.
