Professional AWS cloud security auditing tool — 30 modules covering IAM, S3, compute, networking, serverless, containers, data stores, messaging, DNS, WAF, CI/CD secrets, organizational governance, and event-driven architectures.
AWS Pentest Agent performs automated security audits across all major AWS services. It detects misconfigurations, privilege escalation paths, publicly exposed resources, secret leakage, and detection gaps — then generates an executive-grade Markdown report with severity ratings, PoC commands, and remediation guidance.
Authorization required. This tool is for authorized penetration testing, red team engagements, and security audits only.
| # | Module | File | Key Checks |
|---|---|---|---|
| 00 | Master Audit | account.py | Account ID, caller identity, password policy, aliases |
| 01 | IAM Privilege Escalation | iam.py | CreateAccessKey, PassRole, AssumeRole, wildcard policies |
| 02 | S3 Misconfiguration | s3.py, s3_website.py | Public ACL, Block Public Access bypass, website hijack |
| 03 | Multi-Region Compute | compute.py | EC2 enum, user-data secret scanning, multi-region |
| 04 | Network Security Groups | network_sg.py | 0.0.0.0/0 admin ports, IPv6, NACL, critical service exposure |
| 05 | Logging Posture | logging.py | CloudTrail, GuardDuty, Config, VPC Flow Logs status |
| 06 | RDS / KMS / Secrets | rds.py, kms_secrets.py | Publicly accessible RDS, unencrypted snapshots, secret rotation |
| 07 | Lambda Analysis | lambda_analysis.py | Env vars, Function URL, public invoke, PassRole in execution role |
| 08 | EKS Cluster | eks_analysis.py | Public API endpoint, audit logs, node IAM role scope |
| 09 | CloudTrail Exfiltration | cloudtrail_exfil.py | Public log buckets, cross-account access, unencrypted storage |
| 10 | EBS Snapshots | ebs_snapshots.py | Public/shared snapshot exposure, unencrypted volumes |
| 11 | S3 Subdomain Enum | s3_subdomain.py | Bucket takeover, CNAME dangling verification |
| 12 | Git Repo Detector | s3_git_detector.py | Exposed .git artifacts on S3, SSRF risks |
| 13 | ECR Containers | ecr_analysis.py | Public repos, scan findings, mutable tags |
| 14 | IAM Backdoor Generator | iam_backdoor.py | Dry-run, confirmation guard, credential output |
| 15 | IMDS Enumeration | imds_enum.py | IMDSv1/v2, SSRF, role credential leakage, user-data secrets |
| 16 | SSM-Managed EC2 | ssm_ec2.py | Session Manager scope, Run Command boundaries, RCE paths |
| 17 | S3 Versioning History | s3_versions.py | Deleted secret recovery, regex pattern matching |
| 18 | Amazon MQ / ActiveMQ | mq_enum.py | Broker exposure, default credentials, CVE versions |
| 19 | STS Cross-Account | sts_cross_account.py | Trust policy analysis, confused deputy, OIDC conditions, role chains |
| 20 | API Gateway | api_gateway.py | Auth bypass, resource policy, WAF, JWT authorizers, CORS wildcard |
| 21 | Cognito / Identity Pool | cognito.py | Unauthenticated access, MFA policy, app client secrets |
| 22 | DynamoDB | dynamodb.py | Access control, encryption at rest, stream exposure, PITR |
| 23 | SQS / SNS | sqs_sns.py | Public policy, subscription endpoint leakage, SSE/KMS |
| 24 | CloudFormation | cloudformation.py | Stack output secrets, stack role privesc, drift |
| 25 | Route53 / DNS | route53.py | Subdomain takeover, DNSSEC, NS delegation hijack |
| 26 | CodeBuild / CodePipeline | codebuild_pipeline.py | Plaintext env var secrets, buildspec hardcoded creds, privileged mode, unencrypted artifacts |
| 27 | WAF Rule Analysis | waf_analysis.py | Default-ALLOW posture, missing managed rules, no rate limit, logging disabled, unassociated ACLs |
| 28 | SCP Audit | scp_audit.py | Organization membership, SCP coverage gaps, missing critical denies, unprotected OUs |
| 29 | Step Functions / EventBridge | stepfunctions_eventbridge.py | Public event buses, cross-account targets, API destination HTTP endpoints, state machine logging gaps, hardcoded secrets |
```bash
# 1. Clone & install
git clone https://github.com/capture0x/aws-pentest.git
cd aws-pentest
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
# 2. Configure credentials
python3 aws_agent.py configure
# 3. Run a full audit
python3 aws_agent.py audit --mode all
# 4. Targeted module scans
python3 aws_agent.py scan-dns
python3 aws_agent.py scan-apigw
python3 aws_agent.py scan-cognito
```

| Command | Description |
|---|---|
| configure | Save AWS credentials to .env (supports session tokens) |
| audit | Full multi-module audit with Markdown report generation |
| exploit-iam | IAM privilege escalation analysis + PoC CLI commands |
| exploit-s3 | S3 misconfiguration exploitation hints per bucket |
| backdoor-create | [DESTRUCTIVE] Create persistent IAM admin user with dry-run guard |
| Command | Module | Key Output |
|---|---|---|
| scan-sts | STS Cross-Account | Risky trust policies, OIDC providers, role chains |
| scan-apigw | API Gateway | Auth bypass, WAF gaps, JWT authorizer issues |
| scan-cognito | Cognito | Unauthenticated pools, MFA status, app client issues |
| scan-dynamodb | DynamoDB | Encryption, stream exposure, resource policy |
| scan-sqs-sns | SQS / SNS | Public policies, HTTP subscriptions, missing SSE |
| scan-cfn | CloudFormation | Secret outputs, stack role privesc, drift |
| scan-dns | Route53 | Subdomain takeovers, DNSSEC, NS hijack |
| scan-codebuild | CodeBuild / CodePipeline | Plaintext secrets, buildspec creds, privileged mode, unencrypted artifacts |
| scan-waf | WAF Rule Analysis | Default-ALLOW posture, missing managed rules, logging gaps, unassociated ACLs |
| scan-scp | SCP Audit | Organization membership, missing critical denies, unprotected OUs |
| scan-sfn | Step Functions / EventBridge | Public event buses, cross-account rules, state machine logging, hardcoded secrets |
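`scan-sts` reports "risky trust policies" and "OIDC providers"; the added example below shows what that review looks like on a single role trust policy. It is written for this README and is not aws-pentest code: it takes the `AssumeRolePolicyDocument` that `aws iam get-role` returns plus the auditing account's own ID, makes no AWS calls, and flags three patterns that the report tables above rate Critical or High: an open `Principal`, a cross-account `AWS` principal with no `sts:ExternalId` condition (confused deputy), and an OIDC federated principal whose conditions never pin the token `sub`. The account IDs and trust documents are constructed for the example.

```python
"""Offline role trust-policy review (added example, not part of aws-pentest).

Input: the AssumeRolePolicyDocument dict for one role and the 12-digit ID of
the account being audited. No AWS API is called.
"""


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten Principal into (kind, value) pairs; a bare '*' means anyone."""
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, values in principal.items() for v in _as_list(values)]


def _account_of(aws_principal):
    """12-digit account from an ARN or bare account ID; None if unparseable."""
    if aws_principal.isdigit() and len(aws_principal) == 12:
        return aws_principal
    parts = aws_principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4] else None


def _condition_keys(stmt):
    """Lower-cased condition keys across every operator (StringEquals, ...)."""
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}


def analyze_trust_policy(doc, own_account):
    """Return [(severity, message)] for one role trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        # Covers sts:AssumeRole, sts:AssumeRoleWithWebIdentity/SAML, sts:*, *
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        keys = _condition_keys(stmt)
        for kind, value in _principals(stmt.get("Principal", {})):
            if kind == "*" or value == "*":
                findings.append(("CRITICAL", "Principal:* - any AWS identity can assume this role"))
            elif kind == "AWS":
                acct = _account_of(value)
                if acct and acct != own_account and "sts:externalid" not in keys:
                    findings.append(("HIGH", f"cross-account principal {value} without sts:ExternalId condition (confused deputy)"))
            elif kind == "Federated" and ":oidc-provider/" in value:
                if not any(k.endswith(":sub") for k in keys):
                    findings.append(("HIGH", f"OIDC principal {value} without a :sub condition (any identity from the provider can assume)"))
    return findings


# Constructed samples; account IDs and provider ARNs are not real.
OWN_ACCOUNT = "111111111111"
VENDOR_NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole"}]}
VENDOR_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
OPEN_TO_WORLD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
GITHUB_OIDC_NO_SUB = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}
SAME_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Deployer"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in [("vendor-no-extid", VENDOR_NO_EXTERNAL_ID), ("vendor-ok", VENDOR_WITH_EXTERNAL_ID),
                      ("open", OPEN_TO_WORLD), ("oidc-no-sub", GITHUB_OIDC_NO_SUB), ("same-account", SAME_ACCOUNT)]:
        print(name, analyze_trust_policy(doc, OWN_ACCOUNT) or "ok")
```

Service principals (`lambda.amazonaws.com` and the like) and same-account principals produce no finding; the remediation for each flagged case is the matching condition (`sts:ExternalId` for vendor roles, a `:sub` match for OIDC roles) or a narrower principal.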
```bash
# STS — Cross-account role trust & OIDC analysis
python3 aws_agent.py scan-sts
python3 aws_agent.py scan-sts --regions us-east-1,eu-west-1
# API Gateway — REST & HTTP auth, WAF, JWT, CORS
python3 aws_agent.py scan-apigw
python3 aws_agent.py scan-apigw --regions us-east-1,us-west-2
# Cognito — Unauthenticated pools, MFA, app clients
python3 aws_agent.py scan-cognito
python3 aws_agent.py scan-cognito --regions us-east-1
# DynamoDB — Encryption, streams, resource policy
python3 aws_agent.py scan-dynamodb
python3 aws_agent.py scan-dynamodb --regions us-east-1,eu-west-1
# SQS / SNS — Public policies, endpoint leakage, SSE
python3 aws_agent.py scan-sqs-sns
python3 aws_agent.py scan-sqs-sns --regions us-east-1,ap-southeast-1
# CloudFormation — Secret outputs, stack role privesc, drift
python3 aws_agent.py scan-cfn
python3 aws_agent.py scan-cfn --regions us-east-1,us-west-2
# Route53 / DNS — Subdomain takeover, DNSSEC, NS hijack
python3 aws_agent.py scan-dns
python3 aws_agent.py scan-dns --region us-east-1
# CodeBuild / CodePipeline — Plaintext env var secrets, buildspec creds, privileged mode
python3 aws_agent.py scan-codebuild
python3 aws_agent.py scan-codebuild --regions us-east-1,eu-west-1
# WAF — Web ACL posture, missing managed rules, rate limit, logging
python3 aws_agent.py scan-waf
python3 aws_agent.py scan-waf --regions us-east-1,us-west-2
# SCP — Organizations SCP coverage, missing critical deny actions
python3 aws_agent.py scan-scp
# Step Functions / EventBridge — Public buses, cross-account rules, state machine secrets
python3 aws_agent.py scan-sfn
python3 aws_agent.py scan-sfn --regions us-east-1,eu-west-1
```

| Mode | Scope | Use Case |
|---|---|---|
| recon | IAM, S3, SGs, EKS, Lambda, new modules | Fast initial assessment |
| loot | + Network, RDS, KMS, EBS, ECR, CloudTrail | Sensitive data extraction |
| all | Everything | Full engagement audit |
```bash
# Examples
python3 aws_agent.py audit --mode all --regions us-east-1,eu-west-1 --output /tmp/audit
python3 aws_agent.py audit --mode recon --auto-backdoor --verbose
python3 aws_agent.py exploit-iam --auto-assume-role --identity user/pentest-user
python3 aws_agent.py scan-dns --region us-east-1
python3 aws_agent.py scan-cfn --regions us-east-1,us-west-2
python3 aws_agent.py backdoor-create --dry-run
python3 aws_agent.py backdoor-create --user-name my-pentest-user
```

Every audit run produces a timestamped Markdown report in reports/ with 29 sections:
1. Account Information
2. IAM Identity & Access (privesc paths + PoC + detailed findings)
3. STS Cross-Account Trust Analysis
4. S3 Storage (buckets, website, git leaks, version history)
5. Compute — EC2
6. Network Exposure & Security Groups
7. Lambda Function Analysis
8. EKS Cluster Analysis
9. ECR Container Analysis
10. Instance Metadata (IMDS) & Credential Exposure
11. SSM-Managed EC2 (RCE Candidates)
12. RDS Databases & Snapshots
13. KMS / Secrets Manager / SSM Parameters
14. EBS Snapshot Exposure
15. CloudTrail Exfiltration Risks
16. Logging & Detection Posture
17. Amazon MQ / ActiveMQ
18. API Gateway Security
19. Cognito / Identity Pool Analysis
20. DynamoDB Security
21. SQS / SNS Security
22. CloudFormation Security
23. Route53 / DNS Security
24. CodeBuild / CodePipeline Secret Exposure
25. AWS WAF Rule Analysis
26. Service Control Policy (SCP) Audit
27. Step Functions / EventBridge Exposure
28. Consolidated Recommendations (sorted by severity)
29. Auto-Backdoor Capability Assessment
| Severity | Finding | PoC |
|---|---|---|
| 🔴 Critical | IAM Action:* Resource:* | aws iam create-user; aws iam attach-user-policy --policy-arn .../AdministratorAccess |
| 🔴 Critical | Route53 dangling CNAME | Claim abandoned S3/EB/GitHub resource at same subdomain |
| 🔴 Critical | CloudFormation secret output | aws cloudformation describe-stacks --query Stacks[].Outputs |
| 🔴 Critical | Cognito unauthenticated pool | aws cognito-identity get-id ...; get-credentials-for-identity |
| 🔴 Critical | CodeBuild plaintext AWS_SECRET_ACCESS_KEY env var | aws codebuild batch-get-projects --names <proj> → read env vars directly |
| 🟠 High | WAF Web ACL with no rules | All traffic reaches origin unfiltered — exploit any web vulnerability directly |
| 🟠 High | SCP missing cloudtrail:DeleteTrail deny | aws cloudtrail delete-trail --name <trail> → silent log destruction |
| 🟠 High | Account not in AWS Organization | No preventative guardrails — a single IAM misconfiguration = full compromise |
| 🟠 High | Cross-account role, no ExternalId | aws sts assume-role --role-arn <ARN> --role-session-name pentest |
| 🟠 High | API Gateway no authorizer | curl https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/ |
| 🟠 High | SQS public SendMessage policy | aws sqs send-message --queue-url <URL> --message-body '{"action":"inject"}' |
| 🟠 High | Public EBS snapshot | aws ec2 copy-snapshot --source-snapshot-id snap-xxx → attach → mount |
| 🟡 Medium | WAF default action ALLOW | Unmatched requests pass through — combine with any unpatched app vuln |
| 🟡 Medium | CodeBuild privileged mode | Container escape via Docker socket → host access |
| 🟡 Medium | Cognito MFA optional | Social-engineering → account takeover without MFA |
| 🟡 Medium | DynamoDB unencrypted + stream | Stream consumer can read all table data as it changes |
| 🟡 Medium | CloudFormation stack drift | Resources modified out-of-band, IaC state is unreliable |
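Two of the High findings above, "SCP missing cloudtrail:DeleteTrail deny" and "Account not in AWS Organization", are both coverage questions: which guardrail actions are denied by the SCPs that actually reach an account. The added example below is written for this README and is not aws-pentest code. It takes the list of SCP documents attached along an account's OU path (the `Content` that `aws organizations describe-policy` returns for each attached policy), makes no AWS calls, and sorts a constructed list of critical actions into unconditionally denied, conditionally denied (break-glass exemptions that need a human look), and gaps. An account outside an Organization has no SCPs at all, which the empty-list case shows. The `CRITICAL_ACTIONS` list, sample SCPs and break-glass role name are constructed for the example.

```python
"""Offline SCP coverage check (added example, not part of aws-pentest).

Input: the SCP documents attached to an account or its ancestor OUs.
No AWS API is called.
"""
import fnmatch

# Actions a guardrail SCP should deny to everyone except a break-glass role.
# Constructed list for this example; tune per environment.
CRITICAL_ACTIONS = [
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail",
    "guardduty:DeleteDetector",
    "config:DeleteConfigurationRecorder",
    "config:StopConfigurationRecorder",
    "organizations:LeaveOrganization",
]


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_coverage(scps, actions=CRITICAL_ACTIONS):
    """Sort each critical action into 'denied', 'conditional' or 'gap'.

    Only Deny statements with an Action element and Resource '*' count as
    coverage; NotAction denies and resource-scoped denies are not modelled
    and should be reviewed by hand.
    """
    hard, soft = set(), set()
    for scp in scps:
        for stmt in _as_list(scp.get("Statement")):
            if stmt.get("Effect") != "Deny" or "Action" not in stmt:
                continue  # Allow statements (e.g. FullAWSAccess) grant nothing by themselves
            if "*" not in _as_list(stmt.get("Resource")):
                continue  # a resource-scoped deny does not cover the whole account
            target = soft if "Condition" in stmt else hard
            for pattern in _as_list(stmt["Action"]):
                target.update(a for a in actions if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return {
        "denied": [a for a in actions if a in hard],
        "conditional": [a for a in actions if a in soft and a not in hard],
        "gap": [a for a in actions if a not in hard and a not in soft],
    }


# Constructed samples. FULL_AWS_ACCESS mirrors the AWS-managed default SCP
# that every new organization starts with; the guardrail SCP is invented.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LOGGING_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "guardduty:Delete*", "Resource": "*",
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"}}},
]}

if __name__ == "__main__":
    print("not in org:     ", classify_coverage([]))
    print("default SCP:    ", classify_coverage([FULL_AWS_ACCESS]))
    print("with guardrail: ", classify_coverage([FULL_AWS_ACCESS, LOGGING_GUARDRAIL]))
```

Everything in `gap` is a candidate for a new Deny statement; everything in `conditional` needs the exemption (here an `ArnNotLike` on the principal ARN) checked against the list of roles that are actually meant to hold it.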
```text
aws-pentest/
├── aws_agent.py                      # CLI entrypoint — 16 commands
├── core/
│   ├── session_manager.py            # Multi-region boto3 session management
│   ├── orchestrator.py               # 30-module scan pipeline
│   └── reporter.py                   # 29-section Markdown report generator
├── modules/
│   ├── account.py                    # [00] Account & identity context
│   ├── iam.py                        # [01] IAM privilege escalation
│   ├── s3.py                         # [02] S3 access control
│   ├── s3_website.py                 # [02] S3 website hijack
│   ├── s3_subdomain.py               # [11] Subdomain enumeration
│   ├── s3_git_detector.py            # [12] Git artifact detection
│   ├── s3_versions.py                # [17] Version history / secret recovery
│   ├── compute.py                    # [03] EC2 multi-region enum
│   ├── network_sg.py                 # [04] Security group analysis
│   ├── network_enum.py               # [04] Network endpoint enumeration
│   ├── logging.py                    # [05] CloudTrail / Config / GuardDuty
│   ├── rds.py                        # [06] RDS findings
│   ├── rds_enum.py                   # [06] RDS enumeration
│   ├── kms_secrets.py                # [06] KMS / Secrets Manager
│   ├── lambda_analysis.py            # [07] Lambda security
│   ├── eks_analysis.py               # [08] EKS cluster posture
│   ├── cloudtrail_exfil.py           # [09] CloudTrail exfiltration
│   ├── ebs_snapshots.py              # [10] EBS snapshot exposure
│   ├── ecr_analysis.py               # [13] ECR container analysis
│   ├── iam_backdoor.py               # [14] IAM backdoor persistence
│   ├── imds_enum.py                  # [15] IMDS / instance metadata
│   ├── ssm_ec2.py                    # [16] SSM-managed EC2
│   ├── mq_enum.py                    # [18] Amazon MQ / ActiveMQ
│   ├── sts_cross_account.py          # [19] STS cross-account trust
│   ├── api_gateway.py                # [20] API Gateway security
│   ├── cognito.py                    # [21] Cognito / Identity Pool
│   ├── dynamodb.py                   # [22] DynamoDB security
│   ├── sqs_sns.py                    # [23] SQS / SNS security
│   ├── cloudformation.py             # [24] CloudFormation security
│   ├── route53.py                    # [25] Route53 / DNS security
│   ├── codebuild_pipeline.py         # [26] CodeBuild / CodePipeline secrets
│   ├── waf_analysis.py               # [27] AWS WAF v2 rule analysis
│   ├── scp_audit.py                  # [28] SCP / Organizations governance
│   └── stepfunctions_eventbridge.py  # [29] Step Functions / EventBridge exposure
├── reports/                          # Generated audit reports (gitignored)
├── requirements.txt
└── tools/
    └── convert_report.py             # Markdown → HTML / PDF conversion
```
```text
╭──────────────────────────────────────────────────────╮
│ AWS Cloud Security Audit                             │
│ Profile: default/env   Region: us-east-1             │
╰──────────────────────────────────────────────────────╯
Audit Summary
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Module                          ┃ Result                ┃ Risk                         ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Account                         │ 123456789012          │                              │
│ IAM Users / Roles               │ 4 users / 12 roles    │ 🔴 2 CRITICAL                │
│ S3 Buckets                      │ 8 total               │ 🔴 3 public                  │
│ S3 Versioning / Secrets         │ 5 versioned           │ 🟠 2 suspicious              │
│ EC2 Instances                   │ 6                     │                              │
│ Lambda Functions                │ 14                    │                              │
│ Lambda Security Issues          │ 3                     │ 🟠 3 functions               │
│ EKS Clusters                    │ 2                     │ 🟠 1 public API              │
│ MQ Brokers                      │ 1                     │ ✅                           │
│ SG Admin Ports Exposed          │ 2                     │ 🔴 2                         │
│ Logging / GuardDuty             │ CloudTrail: ✅ GD: 🔴 │                              │
│ STS Cross-Account Roles         │ 8 cross-acct          │ 🟠 3 risky                   │
│ API Gateway APIs                │ 5 APIs                │ 🟠 2 risky                   │
│ Cognito Pools                   │ 2 user / 1 identity   │ 🔴 1 unauthenticated         │
│ DynamoDB Tables                 │ 9                     │ 🟠 4 risky                   │
│ SQS / SNS Resources             │ 12 resources          │ 🟠 2 risky                   │
│ CloudFormation Stacks           │ 23                    │ 🔴 1 secret outputs          │
│ Route53 Zones                   │ 3                     │ 🔴 2 takeover candidates     │
│ CodeBuild Projects              │ 4                     │ 🔴 2 plaintext secrets       │
│ WAF Web ACLs                    │ 2                     │ 🟠 1 no rules                │
│ SCP / Organizations             │ not in org            │ 🟠 no guardrails             │
└─────────────────────────────────┴───────────────────────┴──────────────────────────────┘
Report saved: reports/aws_audit_report_20260410_120001.md
Critical Findings:
🔴 2 CRITICAL IAM wildcard policies (full admin equivalent)
🔴 3 publicly accessible S3 bucket(s)
🔴 2 subdomain takeover candidate(s) in Route53
🔴 1 CloudFormation stack output(s) with potential secret exposure
🔴 1 Cognito identity pool(s) with unauthenticated access
🔴 2 CodeBuild project(s) with plaintext secret env vars
🟠 WAF: 1 Web ACL with no rules (zero protection)
🟠 Account not in AWS Organization — no SCP guardrails
🟠 GuardDuty not enabled
```
| Category | Modules | MITRE ATT&CK Tactics |
|---|---|---|
| Identity & Access | IAM, STS, Cognito | TA0004 (Privilege Escalation), TA0003 (Persistence) |
| Storage | S3, EBS, S3-Versions | TA0009 (Collection), TA0010 (Exfiltration) |
| Compute | EC2, Lambda, EKS, SSM, IMDS | TA0002 (Execution), TA0008 (Lateral Movement) |
| Networking | SG, Network Enum, Route53 | TA0043 (Reconnaissance), TA0011 (C2) |
| Serverless / APIs | Lambda, API Gateway | TA0001 (Initial Access), TA0004 (Privesc) |
| Data Stores | RDS, DynamoDB, KMS, Secrets | TA0009 (Collection), TA0006 (Credential Access) |
| Messaging | SQS, SNS, MQ | TA0009 (Collection), TA0001 (Initial Access) |
| IaC / Logging | CloudFormation, CloudTrail, Config, GuardDuty | TA0005 (Defense Evasion) |
| Containers | ECR, EKS | TA0002 (Execution), TA0004 (Privesc) |
| CI/CD Pipeline | CodeBuild, CodePipeline | TA0006 (Credential Access), TA0003 (Persistence) |
| WAF / Perimeter | WAF v2 (Regional + CloudFront) | TA0001 (Initial Access), TA0005 (Defense Evasion) |
| Governance | SCP / AWS Organizations | TA0005 (Defense Evasion), TA0040 (Impact) |
| Event-Driven | Step Functions, EventBridge | TA0009 (Collection), TA0008 (Lateral Movement) |
```bash
pip install boto3 botocore click rich python-dotenv
```

Python ≥ 3.8, AWS credentials with at minimum ReadOnlyAccess (Security Auditor role recommended).
- IAM Privilege Escalation Detection
- S3 Misconfiguration Analysis
- Multi-Region Compute Enumeration
- Network Security Group Analysis
- Logging & Detection Posture
- RDS / KMS / Secrets Enumeration
- Lambda Function Analysis
- EKS Cluster Posture
- CloudTrail Exfiltration Analytics
- EBS Snapshot Exposure
- S3 Subdomain Enumeration
- Git Repo Detector
- ECR Container Analysis
- IAM Backdoor / Persistence Generator
- IMDS / Instance Metadata Enumeration
- SSM-Managed EC2 Enumeration
- S3 Versioning / Secret History
- Amazon MQ / ActiveMQ Enumeration
- STS Cross-Account Trust Analysis
- API Gateway Security Assessment
- Cognito / Identity Pool Analysis
- DynamoDB Security Analysis
- SQS / SNS Security Analysis
- CloudFormation Stack Security
- Route53 / DNS Security (Subdomain Takeover, DNSSEC)
- WAF Rule Analysis
- Secrets in CodeBuild / CodePipeline
- Service Control Policy (SCP) Audit
- Step Functions / EventBridge Exposure
| Category | Status | SAST Coverage |
|---|---|---|
| 🔴 IAM Backdoor | ✅ PASS | Critical Review |
| 🔴 IAM Privesc | ✅ PASS | Privesc Analysis |
| 🔴 STS Cross-Account | ✅ PASS | Trust Analysis |
| 🟡 S3 Misconfiguration | ✅ PASS | S3 Analysis |
| 🟡 S3 Versioning History | ✅ PASS | Secret History |
| 🟡 S3 Subdomain Enum | ✅ PASS | Takeover Analysis |
| 🟡 API Gateway | ✅ PASS | Auth Review |
| 🟡 Cognito / Identity Pool | ✅ PASS | Identity Review |
| 🟡 Lambda Functions | ✅ PASS | Lambda Analysis |
| 🟡 RDS / KMS / Secrets | ✅ PASS | Secrets Analysis |
| 🟡 CloudFormation | ✅ PASS | Stack Review |
| 🟡 EKS Cluster | ✅ PASS | EKS Posture |
| 🟢 Network Security Groups | ✅ PASS | Network Analysis |
| 🟢 Multi-Region Compute | ✅ PASS | Compute Enum |
| 🟢 Logging Posture | ✅ PASS | Detection Review |
| 🟢 CloudTrail Exfiltration | ✅ PASS | Exfil Analytics |
| 🟢 EBS Snapshots | ✅ PASS | Snapshot Review |
| 🟢 ECR Containers | ✅ PASS | Container Review |
| 🟢 IMDS Enumeration | ✅ PASS | IMDS Review |
| 🟢 SSM-Managed EC2 | ✅ PASS | SSM Review |
| 🟢 Amazon MQ / ActiveMQ | ✅ PASS | Broker Review |
| 🟢 Git Repo Detector | ✅ PASS | Git Review |
| 🟢 DynamoDB | ✅ PASS | DynamoDB Review |
| 🟢 SQS / SNS | ✅ PASS | Queue Review |
| 🟢 Route53 / DNS | ✅ PASS | DNS Review |
| 🟢 Master Audit | ✅ PASS | Full Methodology |
| 🔴 CodeBuild / CodePipeline | ✅ PASS | codebuild_pipeline.py |
| 🔴 WAF Rule Analysis | ✅ PASS | waf_analysis.py |
| 🔴 SCP / Organizations | ✅ PASS | scp_audit.py |
Complete SAST Suite (30 modules): https://github.com/capture0x/aws-pentest-sast
⚠️ Authorized use only. Run only against accounts you own or have explicit written permission to test.
⚠️ `backdoor-create` creates real persistent IAM users with `AdministratorAccess`. Use `--dry-run` first.
⚠️ `exploit-iam --auto-assume-role` makes live STS API calls that appear in CloudTrail.
⚠️ Route53 CNAME resolution checks make real DNS queries to external resolvers.
MIT License — See LICENSE.
⭐ Star if useful · 🐛 Report issues · 💪 Contribute modules
Created by tmrswrr ❤️