Cloud Penetration Test Checklist
Before testing begins
After ROE Call
- For AWS, provide read-only minimal_policy.json for credentials
One week before the test
- Test remote access to testing system (Nexus implant)
- Test credential access
- Review Beau’s GitHub on Cloud Pentesting
Test start
- Review the ROE notes for special requests/requirements, status update requests, etc.
- Send the Start email to the customer.
- Test credential access
- Test implant access if appropriate
AWS Testing
- Credential Requirements
  - User must be provisioned security-auditor-level access to all AWS accounts in scope (S3 read privileges are also nice)
  - Both programmatic and console access are preferred
  - Customer AWS console URLs are also required
- Testing Requirements
  - Run ScoutSuite
  - Review Scout's report
    - Disks encrypted?
    - Users rotating keys and passwords?
    - Root account being accessed often?
    - Do any resource policies grant access to all principals ("Principal": { "AWS": "*" })?
  - Review a sample of Lambdas
  - Review EC2 instance metadata
  - Escalate your privileges
  - Review S3 buckets for sensitive data of all kinds
  - Check the password policy (IAM > Account Settings)
  - Run Pacu
  - Run WeirdAAL
    - Recon-all should identify possible escalation paths
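The wildcard-principal check from the Scout report review, as an added example that is not part of this checklist or of ScoutSuite: it walks a parsed resource policy (S3 bucket, Lambda, SNS/SQS or KMS policy) and reports every Allow statement whose Principal is "*" or {"AWS": "*"}, noting whether a Condition narrows it. The sample policy, bucket name, account ID and VPC endpoint ID are constructed.

```python
import json


def _as_list(value):
    # The policy grammar allows a single value or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Matches "Principal": "*" and "Principal": {"AWS": "*"} (string or list form).
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_wildcard_principals(policy):
    # One finding per Allow statement open to every principal. A Condition does
    # not make the grant safe by itself, so only its presence is recorded.
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", f"statement[{idx}]"),
                "actions": _as_list(stmt.get("Action")),
                "has_condition": bool(stmt.get("Condition")),
            })
    return findings


# Constructed sample: one public statement, one wildcard narrowed by a
# Condition, one scoped to a single account (placeholder ID 111111111111).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
```

Running `find_wildcard_principals(SAMPLE_POLICY)` reports PublicRead (no Condition) and VpcOnly (Condition present) and skips AccountOnly.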
Azure Testing
- Credential Requirements
  - Credentials token.json file if the access provisioning method was an SPN
  - Username and password if access was delegated to a user account
  - Known external IP addresses and service exposures
- Testing Requirements
  - Install and run ScoutSuite from its GitHub repository
    - Disks encrypted?
    - Secrets available to the auditor account?
    - Can a user with access to Microsoft 365 access portal.azure.com?
    - Active Directory Users and Computers
  - Run ROADrecon
    - Access to Active Directory Users and Computers available?
    - Investigate user sign-ins (is MFA universally enforced?)
    - Azure key vaults
    - Azure applications
    - Azure service principals
  - Run AzureHound
  - ROADrecon plugin commands:
      roadrecon plugin policies caps.html
      roadrecon plugin bloodhound -f bh-data