Cloud Red Teaming & Practice Labs
Cloud penetration testing is less about scanning open ports and more about tracing identity: what can this role assume, what can that assumed role read, and does any of it lead somewhere it shouldn't. This page covers methodology, real tools, and where to practice safely.
Before You Start: Know the Rules of Engagement
AWS, Azure, and GCP each publish a penetration testing policy - read it before testing anything beyond a personal sandbox account:
- AWS Penetration Testing - most services can be tested against your own resources without prior authorization; a small list (DoS-style testing, DNS zone walking) still requires a request.
- Microsoft Cloud Unified Penetration Testing Rules of Engagement - covers Azure, Microsoft 365, and Dynamics 365.
- Google Cloud Platform Terms of Service plus Google's Vulnerability Reward Program scope for what's in-bounds.
Testing your own account's resources for misconfigurations is generally fine everywhere; testing anything that could affect other tenants or the provider's shared infrastructure is not, regardless of provider.
A Cloud Security Assessment Methodology
- Enumerate identity - what IAM users/roles/service principals/service accounts do you have credentials for, and what can each one actually do? (`aws iam get-account-authorization-details`, `az role assignment list`, `gcloud projects get-iam-policy`)
- Check for public exposure - storage buckets, snapshots, and any resource with a public-facing endpoint (cross-link: S3 Security, Azure Identity & Data Security, GCP IAM & Data Security).
- Check network exposure - security groups/NSGs/firewall rules open to `0.0.0.0/0` on ports that shouldn't be.
- Look for hardcoded or overly long-lived credentials - access keys in code/CI variables, service account JSON keys checked into repos, instance metadata services reachable from an application with an SSRF flaw.
- Trace privilege escalation paths - can a low-privilege identity reach a high-privilege one through role assumption, policy attachment permissions, or resource-based policies?
- Check logging/monitoring coverage - is anything you just did actually being logged and alerted on? (cross-link: CloudTrail, GuardDuty)
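As an added example (not code from the page or from any tool listed on it), this hypothetical Python helper walks a saved `aws iam get-account-authorization-details --output json` dump from the first step and flags the grants the privilege-escalation step is looking for: wildcard actions and a constructed, illustrative subset of escalation-capable IAM actions. The sample document at the bottom is constructed to mirror the CLI's JSON shape.

```python
import fnmatch

# Illustrative subset of actions that let one identity reach a more privileged one
ESCALATION_ACTIONS = {"iam:PassRole", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "sts:AssumeRole"}

def _as_list(value):  # IAM allows a bare string wherever a list is expected
    return value if isinstance(value, list) else [value]

def risky_grants(document):
    """[(action, resource)] for Allow statements that are wildcard or escalation-capable."""
    found = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if "NotAction" in stmt:  # grants everything except the listed actions
            found += [("NotAction", r) for r in resources]
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "*", "iam:*" and "iam:Pass*" all match some escalation action via fnmatch
            if any(fnmatch.fnmatchcase(a, action) for a in ESCALATION_ACTIONS):
                found += [(action, r) for r in resources]
    return found

def audit(auth_details):
    """Map policy name -> risky grants over default managed-policy versions and inline role policies."""
    findings = {}
    for pol in auth_details.get("Policies", []):
        for ver in pol.get("PolicyVersionList", []):
            hits = risky_grants(ver["Document"]) if ver.get("IsDefaultVersion") else []
            if hits:
                findings[pol["PolicyName"]] = hits
    for role in auth_details.get("RoleDetailList", []):
        for inline in role.get("RolePolicyList", []):
            hits = risky_grants(inline["PolicyDocument"])
            if hits:
                findings[f'{role["RoleName"]}/{inline["PolicyName"]}'] = hits
    return findings

SAMPLE = {  # constructed sample, shaped like the CLI's JSON output
    "Policies": [{"PolicyName": "CIPipelinePolicy", "PolicyVersionList": [{
        "IsDefaultVersion": True, "Document": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::artifacts/*"},
            {"Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"}]}}]}],
    "RoleDetailList": [{"RoleName": "DevOpsRole", "RolePolicyList": [{"PolicyName": "inline-admin",
        "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]}],
}
```

Every hit is a candidate for the "trace privilege escalation paths" step, and the same `Document` shapes come back from the CLI for real accounts, so `audit(json.load(open("auth.json")))` is the only change needed to run it on your own dump.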
CSPM / Auditing Tools (Defensive, But Great for Finding Your Own Gaps)
| Tool | Coverage |
|---|---|
| Prowler | AWS, Azure, GCP, Kubernetes - 400+ checks, the most widely used open-source CSPM |
| ScoutSuite (NCC Group) | Multi-cloud security auditing, strong report visualization |
| Cloudsplaining | AWS IAM least-privilege assessment - flags overly permissive policies specifically |
Offensive Tools by Provider
AWS
- Pacu - the standard offensive AWS exploitation framework, modular attack/enumeration modules
- CloudMapper - visualizes an AWS account's network and resource layout
- PMapper - graphs IAM privilege escalation paths
- S3Scanner - finds open/misconfigured S3 buckets
Azure
- ROADtools - Entra ID (Azure AD) enumeration
- AzureHound - maps Azure AD attack paths into BloodHound
- MicroBurst - PowerShell toolkit for Azure-specific attacks
GCP
- GCPBucketBrute - enumerates GCS bucket permissions
- gcp_scanner - Google's own GCP privilege/resource scanner
Practice Labs (Safe, Legal, Deliberately Vulnerable)
AWS
- flaws.cloud and flaws2.cloud by Scott Piper - the classic AWS CTFs, attacker and defender tracks
- CloudGoat - Terraform-deployable, vulnerable-by-design AWS scenarios
- IAM Vulnerable (Bishop Fox) - focused specifically on IAM privilege escalation paths
Azure
- AzureGoat (INE Labs) - vulnerable Azure environment
- XMGoat - Azure misconfiguration CTF
- BadZure - spins up a deliberately misconfigured Entra ID tenant
GCP
- GCPGoat (INE Labs)
- ThunderCTF - GCP-focused CTF
Multi-cloud
- HackTricks Cloud - AWS/Azure/GCP/Kubernetes attack cheatsheet, the closest thing to a living reference
- TryHackMe Cloud Security path
Certification Path
AWS Certified Security - Specialty, Microsoft AZ-500, and Google Professional Cloud Security Engineer are the provider-specific tracks. CCSK and CCSP are the vendor-neutral options if you want cloud-security credibility that isn't tied to one provider.
Credits/References
- Prowler, ScoutSuite, Pacu
- CIS Benchmarks for AWS, Azure, and GCP
- AWS Penetration Testing Policy
- jassics/awesome-cloud-security-learning-resources - full, continuously updated list this page draws from