Professional AWS cloud security auditing tool: 30 modules covering IAM, S3, compute, networking, serverless, containers, data stores, messaging, DNS, WAF, CI/CD secrets, organizational governance, and event-driven architectures.
AWS Pentest Tool performs automated security audits across all major AWS services. It detects misconfigurations, privilege escalation paths, publicly exposed resources, secret leakage, and detection gaps, then generates an executive-grade Markdown report with severity ratings, PoC commands, and remediation guidance.
Authorization required. This tool is for authorized penetration testing, red team engagements, and security audits only.
```bash
# 1. Clone & install
git clone https://github.com/capture0x/aws-pentest.git
cd aws-pentest
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# 2. Configure credentials
python3 aws_agent.py configure

# 3. Run a full audit
python3 aws_agent.py audit --mode all

# 4. Targeted module scans
python3 aws_agent.py scan-dns
python3 aws_agent.py scan-apigw
python3 aws_agent.py scan-cognito
```

| # | Module | File | Key Checks |
|---|---|---|---|
| 00 | Master Audit | account.py | Account ID, caller identity, password policy, aliases |
| 01 | IAM Privilege Escalation | iam.py | CreateAccessKey, PassRole, AssumeRole, wildcard policies |
| 02 | S3 Misconfiguration | s3.py, s3_website.py | Public ACL, Block Public Access bypass, website hijack |
| 03 | Multi-Region Compute | compute.py | EC2 enum, user-data secret scanning, multi-region |
| 04 | Network Security Groups | network_sg.py | 0.0.0.0/0 admin ports, IPv6, NACL, critical service exposure |
| 05 | Logging Posture | logging.py | CloudTrail, GuardDuty, Config, VPC Flow Logs status |
| 06 | RDS / KMS / Secrets | rds.py, kms_secrets.py | Publicly accessible RDS, unencrypted snapshots, secret rotation |
| 07 | Lambda Analysis | lambda_analysis.py | Env vars, Function URL, public invoke, PassRole in execution role |
| 08 | EKS Cluster | eks_analysis.py | Public API endpoint, audit logs, node IAM role scope |
| 09 | CloudTrail Exfiltration | cloudtrail_exfil.py | Public log buckets, cross-account access, unencrypted storage |
| 10 | EBS Snapshots | ebs_snapshots.py | Public/shared snapshot exposure, unencrypted volumes |
| 11 | S3 Subdomain Enum | s3_subdomain.py | Bucket takeover, CNAME dangling verification |
| 12 | Git Repo Detector | s3_git_detector.py | Exposed .git artifacts on S3, SSRF risks |
| 13 | ECR Containers | ecr_analysis.py | Public repos, scan findings, mutable tags |
| 14 | IAM Backdoor Generator | iam_backdoor.py | Dry-run, confirmation guard, credential output |
| 15 | IMDS Enumeration | imds_enum.py | IMDSv1/v2, SSRF, role credential leakage, user-data secrets |
| 16 | SSM-Managed EC2 | ssm_ec2.py | Session Manager scope, Run Command boundaries, RCE paths |
| 17 | S3 Versioning History | s3_versions.py | Deleted secret recovery, regex pattern matching |
| 18 | Amazon MQ / ActiveMQ | mq_enum.py | Broker exposure, default credentials, CVE versions |
| 19 | STS Cross-Account | sts_cross_account.py | Trust policy analysis, confused deputy, OIDC conditions, role chains |
| 20 | API Gateway | api_gateway.py | Auth bypass, resource policy, WAF, JWT authorizers, CORS wildcard |
| 21 | Cognito / Identity Pool | cognito.py | Unauthenticated access, MFA policy, app client secrets |
| 22 | DynamoDB | dynamodb.py | Access control, encryption at rest, stream exposure, PITR |
| 23 | SQS / SNS | sqs_sns.py | Public policy, subscription endpoint leakage, SSE/KMS |
| 24 | CloudFormation | cloudformation.py | Stack output secrets, stack role privesc, drift |
| 25 | Route53 / DNS | route53.py | Subdomain takeover, DNSSEC, NS delegation hijack |
| 26 | CodeBuild / CodePipeline | codebuild_pipeline.py | Plaintext env var secrets, buildspec hardcoded creds, privileged mode, unencrypted artifacts |
| 27 | WAF Rule Analysis | waf_analysis.py | Default-ALLOW posture, missing managed rules, no rate limit, logging disabled, unassociated ACLs |
| 28 | SCP Audit | scp_audit.py | Organization membership, SCP coverage gaps, missing critical denies, unprotected OUs |
| 29 | Step Functions / EventBridge | stepfunctions_eventbridge.py | Public event buses, cross-account targets, API destination HTTP endpoints, state machine logging gaps, hardcoded secrets |
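The IAM module (01) looks for the classic privilege-escalation primitives (CreateAccessKey, PassRole combinations, wildcard policies). The following is an added example, not code from aws-pentest, showing how that kind of triage works on policy documents that have already been fetched from the API (for example with `iam.get_policy_version` or `iam.get_user_policy`); the pattern list and the three sample policies are constructed for the example.

```python
"""Offline detection of IAM privilege-escalation patterns in identity policies.

Added example, not code from the aws-pentest project. It takes policy documents
that have already been fetched (e.g. iam.get_policy_version / iam.get_user_policy)
so it runs without AWS credentials.
"""
import fnmatch

# Action combinations that give a known path to admin-equivalent access.
# Every action in a set must be granted (directly or via a wildcard) to count.
PRIVESC_PATTERNS = {
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "CreateLoginProfile": {"iam:CreateLoginProfile"},
    "UpdateLoginProfile": {"iam:UpdateLoginProfile"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "UpdateAssumeRolePolicy": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "PassRole+Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "PassRole+EC2": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole+CloudFormation": {"iam:PassRole", "cloudformation:CreateStack"},
}


def _as_list(value):
    """IAM allows a scalar or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_action_patterns(policy_doc):
    """Lower-cased Allow action patterns (e.g. 'iam:*', 's3:get*') across all statements.

    Deny statements, Conditions, Resource scoping, permission boundaries and SCPs
    are ignored: this is a triage filter, not a full policy evaluation.
    """
    patterns = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns


def action_granted(action, patterns):
    """True if any Allow pattern matches; IAM's '*' and '?' wildcards map onto fnmatch."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, pat) for pat in patterns)


def is_full_admin(policy_doc):
    """Action '*' on Resource '*' in an unconditional Allow statement."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in actions and "*" in resources:
            return True
    return False


def find_privesc_paths(policy_doc):
    """Names of PRIVESC_PATTERNS whose every action is granted by the policy."""
    patterns = allow_action_patterns(policy_doc)
    return [name for name, required in PRIVESC_PATTERNS.items()
            if all(action_granted(a, patterns) for a in required)]


def assess(name, policy_doc):
    """Severity for one policy: CRITICAL for full admin, HIGH for any privesc path, else INFO."""
    admin = is_full_admin(policy_doc)
    paths = find_privesc_paths(policy_doc)
    severity = "CRITICAL" if admin else ("HIGH" if paths else "INFO")
    return {"policy": name, "severity": severity, "admin": admin, "paths": paths}


# Constructed sample policies (hypothetical, for this example only).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
]}

READONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, doc in [("admin", ADMIN_POLICY), ("dev", DEV_POLICY), ("readonly", READONLY_POLICY)]:
        print(assess(label, doc))
```

The wildcard handling is the part that matters: `lambda:*` plus `iam:PassRole` is enough for the Lambda path even though neither `CreateFunction` nor `InvokeFunction` is spelled out. Treat hits as candidates, not proof: a Deny elsewhere, a `Resource` scoped to a single role ARN, a permissions boundary or an SCP can all block the path, which is why a confirmed finding needs the PoC command the tool emits to actually succeed.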
| Command | Description |
|---|---|
| configure | Save AWS credentials to .env (supports session tokens) |
| audit | Full multi-module audit with Markdown report generation |
| exploit-iam | IAM privilege escalation analysis + PoC CLI commands |
| exploit-s3 | S3 misconfiguration exploitation hints per bucket |
| backdoor-create | [DESTRUCTIVE] Create persistent IAM admin user with dry-run guard |
| Command | Module | Key Output |
|---|---|---|
| scan-sts | STS Cross-Account | Risky trust policies, OIDC providers, role chains |
| scan-apigw | API Gateway | Auth bypass, WAF gaps, JWT authorizer issues |
| scan-cognito | Cognito | Unauthenticated pools, MFA status, app client issues |
| scan-dynamodb | DynamoDB | Encryption, stream exposure, resource policy |
| scan-sqs-sns | SQS / SNS | Public policies, HTTP subscriptions, missing SSE |
| scan-cfn | CloudFormation | Secret outputs, stack role privesc, drift |
| scan-dns | Route53 | Subdomain takeovers, DNSSEC, NS hijack |
| scan-codebuild | CodeBuild / CodePipeline | Plaintext secrets, buildspec creds, privileged mode, unencrypted artifacts |
| scan-waf | WAF Rule Analysis | Default-ALLOW posture, missing managed rules, logging gaps, unassociated ACLs |
| scan-scp | SCP Audit | Organization membership, missing critical denies, unprotected OUs |
| scan-sfn | Step Functions / EventBridge | Public event buses, cross-account rules, state machine logging, hardcoded secrets |
```bash
# STS: cross-account role trust & OIDC analysis
python3 aws_agent.py scan-sts
python3 aws_agent.py scan-sts --regions us-east-1,eu-west-1

# API Gateway: REST & HTTP auth, WAF, JWT, CORS
python3 aws_agent.py scan-apigw
python3 aws_agent.py scan-apigw --regions us-east-1,us-west-2

# Cognito: unauthenticated pools, MFA, app clients
python3 aws_agent.py scan-cognito
python3 aws_agent.py scan-cognito --regions us-east-1

# DynamoDB: encryption, streams, resource policy
python3 aws_agent.py scan-dynamodb
python3 aws_agent.py scan-dynamodb --regions us-east-1,eu-west-1

# SQS / SNS: public policies, endpoint leakage, SSE
python3 aws_agent.py scan-sqs-sns
python3 aws_agent.py scan-sqs-sns --regions us-east-1,ap-southeast-1

# CloudFormation: secret outputs, stack role privesc, drift
python3 aws_agent.py scan-cfn
python3 aws_agent.py scan-cfn --regions us-east-1,us-west-2

# Route53 / DNS: subdomain takeover, DNSSEC, NS hijack
python3 aws_agent.py scan-dns
python3 aws_agent.py scan-dns --region us-east-1

# CodeBuild / CodePipeline: plaintext env var secrets, buildspec creds, privileged mode
python3 aws_agent.py scan-codebuild
python3 aws_agent.py scan-codebuild --regions us-east-1,eu-west-1

# WAF: Web ACL posture, missing managed rules, rate limit, logging
python3 aws_agent.py scan-waf
python3 aws_agent.py scan-waf --regions us-east-1,us-west-2

# SCP: Organizations SCP coverage, missing critical deny actions
python3 aws_agent.py scan-scp

# Step Functions / EventBridge: public buses, cross-account rules, state machine secrets
python3 aws_agent.py scan-sfn
python3 aws_agent.py scan-sfn --regions us-east-1,eu-west-1
```

| Mode | Scope | Use Case |
|---|---|---|
| recon | IAM, S3, SGs, EKS, Lambda, new modules | Fast initial assessment |
| loot | + Network, RDS, KMS, EBS, ECR, CloudTrail | Sensitive data extraction |
| all | Everything | Full engagement audit |
```bash
# Examples
python3 aws_agent.py audit --mode all --regions us-east-1,eu-west-1 --output /tmp/audit
python3 aws_agent.py audit --mode recon --auto-backdoor --verbose
python3 aws_agent.py exploit-iam --auto-assume-role --identity user/pentest-user
python3 aws_agent.py scan-dns --region us-east-1
python3 aws_agent.py scan-cfn --regions us-east-1,us-west-2
python3 aws_agent.py backdoor-create --dry-run
python3 aws_agent.py backdoor-create --user-name my-pentest-user
```

Every audit run produces a timestamped Markdown report in reports/ with 29 sections:
1. Account Information
2. IAM Identity & Access (privesc paths + PoC + detailed findings)
3. STS Cross-Account Trust Analysis
4. S3 Storage (buckets, website, git leaks, version history)
5. Compute (EC2)
6. Network Exposure & Security Groups
7. Lambda Function Analysis
8. EKS Cluster Analysis
9. ECR Container Analysis
10. Instance Metadata (IMDS) & Credential Exposure
11. SSM-Managed EC2 (RCE Candidates)
12. RDS Databases & Snapshots
13. KMS / Secrets Manager / SSM Parameters
14. EBS Snapshot Exposure
15. CloudTrail Exfiltration Risks
16. Logging & Detection Posture
17. Amazon MQ / ActiveMQ
18. API Gateway Security
19. Cognito / Identity Pool Analysis
20. DynamoDB Security
21. SQS / SNS Security
22. CloudFormation Security
23. Route53 / DNS Security
24. CodeBuild / CodePipeline Secret Exposure
25. AWS WAF Rule Analysis
26. Service Control Policy (SCP) Audit
27. Step Functions / EventBridge Exposure
28. Consolidated Recommendations (sorted by severity)
29. Auto-Backdoor Capability Assessment
| Severity | Finding | PoC |
|---|---|---|
| 🔴 Critical | IAM Action:* Resource:* | aws iam create-user; aws iam attach-user-policy --policy-arn .../AdministratorAccess |
| 🔴 Critical | Route53 dangling CNAME | Claim abandoned S3/EB/GitHub resource at same subdomain |
| 🔴 Critical | CloudFormation secret output | aws cloudformation describe-stacks --query Stacks[].Outputs |
| 🔴 Critical | Cognito unauthenticated pool | aws cognito-identity get-id ...; get-credentials-for-identity |
| 🔴 Critical | CodeBuild plaintext AWS_SECRET_ACCESS_KEY env var | aws codebuild batch-get-projects --names <proj> → read env vars directly |
| 🟠 High | WAF Web ACL with no rules | All traffic reaches origin unfiltered → exploit any web vulnerability directly |
| 🟠 High | SCP missing cloudtrail:DeleteTrail deny | aws cloudtrail delete-trail --name <trail> → silent log destruction |
| 🟠 High | Account not in AWS Organization | No preventative guardrails → a single IAM misconfiguration = full compromise |
| 🟠 High | Cross-account role, no ExternalId | aws sts assume-role --role-arn <ARN> --role-session-name pentest |
| 🟠 High | API Gateway no authorizer | curl https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/ |
| 🟠 High | SQS public SendMessage policy | aws sqs send-message --queue-url <URL> --message-body '{"action":"inject"}' |
| 🟠 High | Public EBS snapshot | aws ec2 copy-snapshot --source-snapshot-id snap-xxx → attach → mount |
| 🟡 Medium | WAF default action ALLOW | Unmatched requests pass through → combine with any unpatched app vuln |
| 🟡 Medium | CodeBuild privileged mode | Container escape via Docker socket → host access |
| 🟡 Medium | Cognito MFA optional | Social-engineering → account takeover without MFA |
| 🟡 Medium | DynamoDB unencrypted + stream | Stream consumer can read all table data as it changes |
| 🟡 Medium | CloudFormation stack drift | Resources modified out-of-band, IaC state is unreliable |
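The "Cross-account role, no ExternalId" row above is the confused-deputy case that module 19 (STS Cross-Account) reports, alongside wildcard principals and OIDC trusts that lack a subject condition. The following is an added example, not the project's `sts_cross_account.py`, showing the trust-policy triage on the `AssumeRolePolicyDocument` that `iam.get_role` returns; the audited account id, the vendor account id and the GitHub provider trust are constructed for the example.

```python
"""Offline triage of IAM role trust policies for cross-account and OIDC risk.

Added example, not the project's sts_cross_account.py. Input is the
AssumeRolePolicyDocument dict that iam.get_role / iam.list_roles return.
"""

OWN_ACCOUNT = "123456789012"  # hypothetical account under audit

ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithwebidentity",
                  "sts:assumerolewithsaml", "sts:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Yield (kind, value) pairs; 'Principal': '*' is the same as {'AWS': '*'}.

    Service principals are yielded too but not assessed: AWS services assuming
    a role is normal, the risk lives in AWS (account) and Federated principals.
    """
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield "AWS", "*"
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield kind, value


def _account_of(principal):
    """'arn:aws:iam::111122223333:root' -> '111122223333'; a bare account id passes through."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def _conditions(stmt):
    """Flatten Condition to {key_lower: [values]} regardless of operator (StringEquals, ...)."""
    flat = {}
    for operator_values in stmt.get("Condition", {}).values():
        for key, value in operator_values.items():
            flat.setdefault(key.lower(), []).extend(_as_list(value))
    return flat


def analyze_trust_policy(role_name, doc, own_account=OWN_ACCOUNT):
    """Return (severity, role, detail) findings for one trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        cond = _conditions(stmt)
        for kind, principal in _principals(stmt):
            if kind == "AWS" and principal == "*":
                # Any AWS identity anywhere may assume the role unless a Condition narrows it.
                sev = "HIGH" if cond else "CRITICAL"
                findings.append((sev, role_name,
                                 "wildcard principal" + ("" if cond else " with no Condition")))
            elif kind == "AWS" and _account_of(principal) != own_account:
                acct = _account_of(principal)
                if "sts:externalid" in cond:
                    findings.append(("INFO", role_name, f"cross-account {acct} with ExternalId"))
                else:
                    # Confused deputy: the third party's other customers can be pointed at this role.
                    findings.append(("HIGH", role_name, f"cross-account {acct} without sts:ExternalId"))
            elif kind == "Federated" and ":oidc-provider/" in principal:
                provider = principal.split(":oidc-provider/", 1)[1]
                subs = cond.get(f"{provider}:sub".lower(), [])
                if not subs:
                    # Any token the IdP issues (any GitHub repo, any tenant) can assume the role.
                    findings.append(("HIGH", role_name, f"OIDC {provider} without :sub condition"))
                elif any(s == "*" or s.startswith("repo:*") for s in subs):
                    findings.append(("HIGH", role_name, f"OIDC {provider} :sub allows any subject"))
                if f"{provider}:aud".lower() not in cond:
                    findings.append(("MEDIUM", role_name, f"OIDC {provider} without :aud condition"))
    return findings


def _trust(principal, condition=None, action="sts:AssumeRole"):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample trust policies (hypothetical account ids and provider).
SAMPLES = {
    "VendorAccess": _trust({"AWS": "arn:aws:iam::999988887777:root"}),
    "VendorAccessSafe": _trust({"AWS": "arn:aws:iam::999988887777:root"},
                               {"StringEquals": {"sts:ExternalId": "a1b2c3"}}),
    "OpenRole": _trust("*"),
    "GitHubDeploy": _trust(
        {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}},
        "sts:AssumeRoleWithWebIdentity"),
    "InternalRole": _trust({"AWS": "arn:aws:iam::123456789012:role/Deployer"}),
}


def scan_all(samples=SAMPLES):
    return [f for name, doc in samples.items() for f in analyze_trust_policy(name, doc)]
```

Two things this catches that a quick look at the principal misses: an `aud` condition alone on a GitHub OIDC trust is not a restriction (every GitHub Actions token carries that audience, so any repository on GitHub could assume `GitHubDeploy`), and a vendor account without `sts:ExternalId` is a finding even when the vendor is legitimate, because the ExternalId is what stops the vendor's platform from being pointed at your role by one of its other customers. Role chaining across the flagged roles is what module 19 adds on top of this per-role check.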
```text
aws-pentest/
├── aws_agent.py                      # CLI entrypoint: 16 commands
├── core/
│   ├── session_manager.py            # Multi-region boto3 session management
│   ├── orchestrator.py               # 30-module scan pipeline
│   └── reporter.py                   # 29-section Markdown report generator
├── modules/
│   ├── account.py                    # [00] Account & identity context
│   ├── iam.py                        # [01] IAM privilege escalation
│   ├── s3.py                         # [02] S3 access control
│   ├── s3_website.py                 # [02] S3 website hijack
│   ├── s3_subdomain.py               # [11] Subdomain enumeration
│   ├── s3_git_detector.py            # [12] Git artifact detection
│   ├── s3_versions.py                # [17] Version history / secret recovery
│   ├── compute.py                    # [03] EC2 multi-region enum
│   ├── network_sg.py                 # [04] Security group analysis
│   ├── network_enum.py               # [04] Network endpoint enumeration
│   ├── logging.py                    # [05] CloudTrail / Config / GuardDuty
│   ├── rds.py                        # [06] RDS findings
│   ├── rds_enum.py                   # [06] RDS enumeration
│   ├── kms_secrets.py                # [06] KMS / Secrets Manager
│   ├── lambda_analysis.py            # [07] Lambda security
│   ├── eks_analysis.py               # [08] EKS cluster posture
│   ├── cloudtrail_exfil.py           # [09] CloudTrail exfiltration
│   ├── ebs_snapshots.py              # [10] EBS snapshot exposure
│   ├── ecr_analysis.py               # [13] ECR container analysis
│   ├── iam_backdoor.py               # [14] IAM backdoor persistence
│   ├── imds_enum.py                  # [15] IMDS / instance metadata
│   ├── ssm_ec2.py                    # [16] SSM-managed EC2
│   ├── mq_enum.py                    # [18] Amazon MQ / ActiveMQ
│   ├── sts_cross_account.py          # [19] STS cross-account trust
│   ├── api_gateway.py                # [20] API Gateway security
│   ├── cognito.py                    # [21] Cognito / Identity Pool
│   ├── dynamodb.py                   # [22] DynamoDB security
│   ├── sqs_sns.py                    # [23] SQS / SNS security
│   ├── cloudformation.py             # [24] CloudFormation security
│   ├── route53.py                    # [25] Route53 / DNS security
│   ├── codebuild_pipeline.py         # [26] CodeBuild / CodePipeline secrets
│   ├── waf_analysis.py               # [27] AWS WAF v2 rule analysis
│   ├── scp_audit.py                  # [28] SCP / Organizations governance
│   └── stepfunctions_eventbridge.py  # [29] Step Functions / EventBridge exposure
├── reports/                          # Generated audit reports (gitignored)
├── requirements.txt
└── tools/
    └── convert_report.py             # Markdown → HTML / PDF conversion
```
```text
╭─────────────────────────────────────────────────────╮
│  AWS Cloud Security Audit                           │
│  Profile: default/env   Region: us-east-1           │
╰─────────────────────────────────────────────────────╯
Audit Summary
┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Module                   ┃ Result                 ┃ Risk                       ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Account                  │ 123456789012           │                            │
│ IAM Users / Roles        │ 4 users / 12 roles     │ 🔴 2 CRITICAL              │
│ S3 Buckets               │ 8 total                │ 🔴 3 public                │
│ S3 Versioning / Secrets  │ 5 versioned            │ 🟠 2 suspicious            │
│ EC2 Instances            │ 6                      │                            │
│ Lambda Functions         │ 14                     │                            │
│ Lambda Security Issues   │ 3                      │ 🟠 3 functions             │
│ EKS Clusters             │ 2                      │ 🟠 1 public API            │
│ MQ Brokers               │ 1                      │                            │
│ SG Admin Ports Exposed   │ 2                      │ 🔴 2                       │
│ Logging / GuardDuty      │ CloudTrail: ✅ GD: 🔴  │                            │
│ STS Cross-Account Roles  │ 8 cross-acct           │ 🟠 3 risky                 │
│ API Gateway APIs         │ 5 APIs                 │ 🟠 2 risky                 │
│ Cognito Pools            │ 2 user / 1 identity    │ 🔴 1 unauthenticated       │
│ DynamoDB Tables          │ 9                      │ 🟠 4 risky                 │
│ SQS / SNS Resources      │ 12 resources           │ 🟠 2 risky                 │
│ CloudFormation Stacks    │ 23                     │ 🔴 1 secret outputs        │
│ Route53 Zones            │ 3                      │ 🔴 2 takeover candidates   │
│ CodeBuild Projects       │ 4                      │ 🔴 2 plaintext secrets     │
│ WAF Web ACLs             │ 2                      │ 🟠 1 no rules              │
│ SCP / Organizations      │ not in org             │ 🟠 no guardrails           │
└──────────────────────────┴────────────────────────┴────────────────────────────┘
Report saved: reports/aws_audit_report_20260410_120001.md

Critical Findings:
  🔴 2 CRITICAL IAM wildcard policies (full admin equivalent)
  🔴 3 publicly accessible S3 bucket(s)
  🔴 2 subdomain takeover candidate(s) in Route53
  🔴 1 CloudFormation stack output(s) with potential secret exposure
  🔴 1 Cognito identity pool(s) with unauthenticated access
  🔴 2 CodeBuild project(s) with plaintext secret env vars
  🟠 WAF: 1 Web ACL with no rules (zero protection)
  🟠 Account not in AWS Organization, no SCP guardrails
  🟠 GuardDuty not enabled
```
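The "SG Admin Ports Exposed" row above comes from module 04 (network_sg.py: 0.0.0.0/0 admin ports, IPv6, critical service exposure). As an added example, not the project's own module, this is the rule-level check run over security groups in the shape `ec2.describe_security_groups()` returns; the port list and the four sample groups are constructed for the example, and the handling of the all-traffic rule (`IpProtocol: "-1"`, which carries no `FromPort`/`ToPort`) and of `::/0` is the part most hand-rolled scripts get wrong.

```python
"""Flag security-group ingress rules that expose admin/management ports to the internet.

Added example, not the project's network_sg.py. Input is one element of
ec2.describe_security_groups()["SecurityGroups"], so it runs offline on
constructed data.
"""

# Ports whose internet exposure is almost always a finding (conventional, not exhaustive).
ADMIN_PORTS = {
    22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
    27017: "MongoDB", 9200: "Elasticsearch", 2375: "Docker API", 6443: "Kubernetes API",
}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}   # the IPv6 'any' range is just as public and often missed


def public_sources(perm):
    """Internet-wide source ranges on one IpPermissions entry (IPv4 and IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in PUBLIC_CIDRS]


def port_range(perm):
    """(low, high) covered by a rule; IpProtocol '-1' means all ports of all protocols
    and the API omits FromPort/ToPort for it, so it must be special-cased."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto in ("tcp", "udp"):
        return perm["FromPort"], perm["ToPort"]
    return None   # icmp, icmpv6, raw protocol numbers: no TCP/UDP ports to expose


def exposed_admin_ports(sg):
    """Sorted (port, service, cidr, protocol) tuples for internet-exposed admin ports."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        cidrs = public_sources(perm)
        span = port_range(perm)
        if not cidrs or span is None:
            continue
        low, high = span
        proto = perm["IpProtocol"]
        for port, service in ADMIN_PORTS.items():
            if low <= port <= high:
                hits.extend((port, service, cidr, proto) for cidr in cidrs)
    return sorted(hits)


def severity(sg):
    """CRITICAL if an all-traffic rule is open to the world, HIGH for any admin port, else INFO."""
    hits = exposed_admin_ports(sg)
    if any(proto == "-1" for *_, proto in hits):
        return "CRITICAL"
    return "HIGH" if hits else "INFO"


def _sg(group_id, perms):
    return {"GroupId": group_id, "GroupName": group_id, "IpPermissions": perms}


# Constructed sample groups in describe_security_groups shape (hypothetical ids).
SG_WEB = _sg("sg-web", [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
])
SG_BASTION = _sg("sg-bastion", [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
])
SG_LEGACY = _sg("sg-legacy", [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # no FromPort/ToPort keys
])
SG_DB = _sg("sg-db", [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
])

if __name__ == "__main__":
    for sg in (SG_WEB, SG_BASTION, SG_LEGACY, SG_DB):
        print(sg["GroupId"], severity(sg), exposed_admin_ports(sg))
```

A rule-level hit is necessary but not sufficient for exposure: a group that is attached to no network interface, or to instances without a public IP and a route to an internet gateway, is a hygiene finding rather than a reachable service. Cross-check against `describe_network_interfaces` (and the NACLs the module also inspects) before rating it as critical service exposure.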
| Category | Modules | MITRE ATT&CK Tactics |
|---|---|---|
| Identity & Access | IAM, STS, Cognito | TA0004 (Privilege Escalation), TA0003 (Persistence) |
| Storage | S3, EBS, S3-Versions | TA0009 (Collection), TA0010 (Exfiltration) |
| Compute | EC2, Lambda, EKS, SSM, IMDS | TA0002 (Execution), TA0008 (Lateral Movement) |
| Networking | SG, Network Enum, Route53 | TA0043 (Reconnaissance), TA0011 (C2) |
| Serverless / APIs | Lambda, API Gateway | TA0001 (Initial Access), TA0004 (Privesc) |
| Data Stores | RDS, DynamoDB, KMS, Secrets | TA0009 (Collection), TA0006 (Credential Access) |
| Messaging | SQS, SNS, MQ | TA0009 (Collection), TA0001 (Initial Access) |
| IaC / Logging | CloudFormation, CloudTrail, Config, GuardDuty | TA0005 (Defense Evasion) |
| Containers | ECR, EKS | TA0002 (Execution), TA0004 (Privesc) |
| CI/CD Pipeline | CodeBuild, CodePipeline | TA0006 (Credential Access), TA0003 (Persistence) |
| WAF / Perimeter | WAF v2 (Regional + CloudFront) | TA0001 (Initial Access), TA0005 (Defense Evasion) |
| Governance | SCP / AWS Organizations | TA0005 (Defense Evasion), TA0040 (Impact) |
| Event-Driven | Step Functions, EventBridge | TA0009 (Collection), TA0008 (Lateral Movement) |
```bash
pip install boto3 botocore click rich python-dotenv
```

Python ≥ 3.8, AWS credentials with at minimum ReadOnlyAccess (the AWS managed `SecurityAudit` policy is recommended). Read-only credentials cover the audit and scan commands; `backdoor-create` and `exploit-iam --auto-assume-role` make write and STS calls and need correspondingly broader permissions.
- IAM Privilege Escalation Detection
- S3 Misconfiguration Analysis
- Multi-Region Compute Enumeration
- Network Security Group Analysis
- Logging & Detection Posture
- RDS / KMS / Secrets Enumeration
- Lambda Function Analysis
- EKS Cluster Posture
- CloudTrail Exfiltration Analytics
- EBS Snapshot Exposure
- S3 Subdomain Enumeration
- Git Repo Detector
- ECR Container Analysis
- IAM Backdoor / Persistence Generator
- IMDS / Instance Metadata Enumeration
- SSM-Managed EC2 Enumeration
- S3 Versioning / Secret History
- Amazon MQ / ActiveMQ Enumeration
- STS Cross-Account Trust Analysis
- API Gateway Security Assessment
- Cognito / Identity Pool Analysis
- DynamoDB Security Analysis
- SQS / SNS Security Analysis
- CloudFormation Stack Security
- Route53 / DNS Security (Subdomain Takeover, DNSSEC)
- WAF Rule Analysis
- Secrets in CodeBuild / CodePipeline
- Service Control Policy (SCP) Audit
- Step Functions / EventBridge Exposure
| Category | Status | SAST Coverage |
|---|---|---|
| 🔴 IAM Backdoor | ✅ PASS | Critical Review |
| 🔴 IAM Privesc | ✅ PASS | Privesc Analysis |
| 🔴 STS Cross-Account | ✅ PASS | Trust Analysis |
| 🟡 S3 Misconfiguration | ✅ PASS | S3 Analysis |
| 🟡 S3 Versioning History | ✅ PASS | Secret History |
| 🟡 S3 Subdomain Enum | ✅ PASS | Takeover Analysis |
| 🟡 API Gateway | ✅ PASS | Auth Review |
| 🟡 Cognito / Identity Pool | ✅ PASS | Identity Review |
| 🟡 Lambda Functions | ✅ PASS | Lambda Analysis |
| 🟡 RDS / KMS / Secrets | ✅ PASS | Secrets Analysis |
| 🟡 CloudFormation | ✅ PASS | Stack Review |
| 🟡 EKS Cluster | ✅ PASS | EKS Posture |
| 🟢 Network Security Groups | ✅ PASS | Network Analysis |
| 🟢 Multi-Region Compute | ✅ PASS | Compute Enum |
| 🟢 Logging Posture | ✅ PASS | Detection Review |
| 🟢 CloudTrail Exfiltration | ✅ PASS | Exfil Analytics |
| 🟢 EBS Snapshots | ✅ PASS | Snapshot Review |
| 🟢 ECR Containers | ✅ PASS | Container Review |
| 🟢 IMDS Enumeration | ✅ PASS | IMDS Review |
| 🟢 SSM-Managed EC2 | ✅ PASS | SSM Review |
| 🟢 Amazon MQ / ActiveMQ | ✅ PASS | Broker Review |
| 🟢 Git Repo Detector | ✅ PASS | Git Review |
| 🟢 DynamoDB | ✅ PASS | DynamoDB Review |
| 🟢 SQS / SNS | ✅ PASS | Queue Review |
| 🟢 Route53 / DNS | ✅ PASS | DNS Review |
| 🟢 Master Audit | ✅ PASS | Full Methodology |
| 🔴 CodeBuild / CodePipeline | ✅ PASS | codebuild_pipeline.py |
| 🔴 WAF Rule Analysis | ✅ PASS | waf_analysis.py |
| 🔴 SCP / Organizations | ✅ PASS | scp_audit.py |

Complete SAST Suite (30 modules): https://github.com/capture0x/aws-pentest-sast
⚠️ Authorized use only. Run only against accounts you own or have explicit written permission to test.
⚠️ `backdoor-create` creates real persistent IAM users with `AdministratorAccess`. Use `--dry-run` first.
⚠️ `exploit-iam --auto-assume-role` makes live STS API calls that appear in CloudTrail.
⚠️ Route53 CNAME resolution checks make real DNS queries to external resolvers.

MIT License. See LICENSE.

⭐ Star if useful · Report issues · Contribute modules

Created by tmrswrr ❤️