Automated AWS cloud security assessment framework for authorized audits, penetration tests, and red-team engagements.
AWS Pentest Tool audits AWS environments for identity risks, public exposure, secret leakage, weak trust relationships, logging gaps, and cloud service misconfigurations. It runs a multi-module assessment pipeline and produces a timestamped Markdown report with severity counts, evidence, proof-of-concept commands, and remediation guidance.
The CLI is designed for practical engagement work:
- Multi-region AWS enumeration through `boto3`
- Full audit and targeted module scan modes
- Rich terminal progress during long scans
- Executive-style Markdown reports in `reports/`
- Defensive and offensive validation helpers for authorized testing
**Authorization required.** Run this tool only against AWS accounts you own or have explicit written permission to test.
- Quick Start
- Audit Modes
- Commands
- Module Coverage
- Report Output
- Screenshots
- Requirements
- Project Structure
- Security Notes
- License
## Quick Start

```bash
git clone https://github.com/capture0x/aws-pentest.git
cd aws-pentest
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 aws_agent.py configure
python3 aws_agent.py audit --mode recon
```

Run a broader assessment:

```bash
python3 aws_agent.py audit --mode all --regions us-east-1,eu-west-1 --output reports
```

Run a targeted service scan:

```bash
python3 aws_agent.py scan-sts
python3 aws_agent.py scan-apigw --regions us-east-1,us-west-2
python3 aws_agent.py scan-dns --region us-east-1
```

## Audit Modes

| Mode | Scope | Recommended Use |
|---|---|---|
| `recon` | Core identity, storage, compute, serverless, network, logging, and governance checks | Fast initial assessment |
| `loot` | `recon` plus deeper network, RDS, KMS, secrets, ECR, EBS, and CloudTrail checks | Sensitive data and exposure review |
| `all` | Complete available scan path | Full engagement or final validation |
Example:

```bash
python3 aws_agent.py audit --mode all --profile security-audit --regions us-east-1,eu-west-1
```

## Commands

| Command | Purpose |
|---|---|
| `configure` | Save AWS credentials to a local `.env` file with 0600 permissions |
| `audit` | Run the full orchestrated assessment and generate a Markdown report |
| `exploit-iam` | Show IAM privilege escalation findings and proof-of-concept commands |
| `exploit-s3` | Show S3 exposure and exploitation hints per bucket |
| `backdoor-create` | Create a persistent IAM administrator user; destructive and guarded by confirmation |
| Command | Module | Primary Checks |
|---|---|---|
| `scan-sts` | STS Cross-Account | Risky trust policies, weak ExternalId posture, OIDC providers, role chains |
| `scan-apigw` | API Gateway | Missing auth, weak resource policies, WAF gaps, JWT/CORS issues |
| `scan-cognito` | Cognito | Unauthenticated identity pools, weak MFA posture, app client exposure |
| `scan-dynamodb` | DynamoDB | Encryption, PITR, streams, resource policies |
| `scan-sqs-sns` | SQS / SNS | Public policies, HTTP subscriptions, missing server-side encryption |
| `scan-cfn` | CloudFormation | Secret outputs, stack role privilege risk, drift |
| `scan-dns` | Route53 | Subdomain takeover candidates, DNSSEC, NS delegation risk |
| `scan-codebuild` | CodeBuild / CodePipeline | Plaintext secrets, privileged mode, artifact encryption |
| `scan-waf` | AWS WAF | Default action, missing managed rules, rate limiting, logging |
| `scan-scp` | AWS Organizations SCP | Guardrail coverage, missing critical denies, organization membership |
| `scan-sfn` | Step Functions / EventBridge | Public event buses, cross-account targets, state machine logging and secrets |
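The trust-policy checks in the `scan-sts` row can be reasoned about offline. The following is an added example written for this README, not code from the aws-pentest project: it reviews IAM role trust-policy documents for three of the postures the table names (a principal of `*`, a cross-account principal trusted without an `sts:ExternalId` condition, and an OIDC provider trusted without a `<provider>:sub` condition). The account IDs, role names and policy documents are constructed for the example.

```python
# Added example for this README, not code from the aws-pentest project. Reviews
# IAM role trust policies for the scan-sts postures named above: principal "*",
# cross-account trust without sts:ExternalId, OIDC federation without a
# <provider>:sub condition. Account IDs, role names and documents are constructed.
from typing import Any, Dict, List, Set

ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithwebidentity", "sts:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar or a list in most positions; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten Principal ("*" or {AWS|Federated|Service: ...}) to a list of strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    flat: List[str] = []
    if isinstance(principal, dict):
        for kind in ("AWS", "Federated", "Service"):
            flat.extend(str(p) for p in _as_list(principal.get(kind)))
    return flat


def _condition_keys(stmt: Dict[str, Any]) -> Set[str]:
    """Lower-cased condition keys across every operator (StringEquals, StringLike, ...)."""
    return {k.lower() for pairs in (stmt.get("Condition") or {}).values() for k in pairs}


def _account_of(principal: str) -> str:
    """Account ID of a bare 12-digit principal or an IAM/STS ARN; '' for service principals."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts") else ""


def review_trust_policy(role: str, policy: Dict[str, Any], own_account: str) -> List[Dict[str, str]]:
    """One finding per risky principal in an Allow statement granting an AssumeRole* action."""
    findings: List[Dict[str, str]] = []
    for stmt in _as_list(policy.get("Statement")):
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        cond_keys = _condition_keys(stmt)
        for principal in _principals(stmt):
            account = _account_of(principal)
            if principal == "*" or account == "*":      # also catches arn:aws:iam::*:root
                severity, issue = "CRITICAL", "any AWS principal may assume the role" + (
                    "" if cond_keys else " and there is no Condition block at all")
            elif ":oidc-provider/" in principal:
                provider = principal.rsplit("/", 1)[-1].lower()
                if any(k.startswith(provider + ":sub") for k in cond_keys):
                    continue
                severity, issue = "HIGH", (f"OIDC trust has no {provider}:sub condition; "
                                           "any identity the provider issues can assume the role")
            elif account and account != own_account and "sts:externalid" not in cond_keys:
                severity, issue = "HIGH", (f"cross-account trust from {account} without "
                                           "sts:ExternalId (confused-deputy exposure)")
            else:
                continue  # same account, service principal, or adequately conditioned
            findings.append(dict(role=role, principal=principal, severity=severity, issue=issue))
    return findings


OWN_ACCOUNT = "111122223333"   # constructed
SAMPLE_ROLES = {               # constructed trust-policy documents, one per role
    "vendor-access": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                     "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}]},
    "ci-deploy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                                 "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/"
                                                            "token.actions.githubusercontent.com"},
                                 "Condition": {"StringEquals": {
                                     "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]},
    "open-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]},
    "internal-app": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner"},
         "Condition": {"StringEquals": {"sts:ExternalId": "shared-with-partner-only"}}}]},
}


def review_all(roles: Dict[str, Dict[str, Any]], own_account: str = OWN_ACCOUNT) -> List[Dict[str, str]]:
    return [f for name, doc in roles.items() for f in review_trust_policy(name, doc, own_account)]


if __name__ == "__main__":
    for f in review_all(SAMPLE_ROLES):
        print(f"{f['severity']:<8} {f['role']:<14} {f['principal']}\n         {f['issue']}")
```

To run it against a real account, feed `review_trust_policy` the `AssumeRolePolicyDocument` of each role returned by `iam.list_roles()`. The wildcard-account form `arn:aws:iam::*:root` is treated the same as `*`, and a `Service` principal is never flagged because it carries no account; `Condition` is only inspected for key presence, so a `StringLike` `:sub` value of `repo:org/*:*` still passes and is worth checking by hand.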
```bash
python3 aws_agent.py audit --mode recon
python3 aws_agent.py audit --mode all --regions us-east-1,eu-west-1 --output /tmp/audit
python3 aws_agent.py audit --mode recon --auto-backdoor --verbose
python3 aws_agent.py exploit-iam --identity user/pentest-user
python3 aws_agent.py exploit-iam --auto-assume-role
python3 aws_agent.py exploit-s3 --bucket example-bucket
python3 aws_agent.py backdoor-create --dry-run
python3 aws_agent.py backdoor-create --user-name authorized-test-admin
```

## Module Coverage

| # | Area | Module File | Key Checks |
|---|---|---|---|
| 00 | Account Context | `account.py` | Caller identity, account aliases, password policy |
| 01 | IAM Privilege Escalation | `iam.py` | Wildcards, PassRole, AssumeRole, CreateAccessKey, dangerous actions |
| 02 | S3 Access Control | `s3.py`, `s3_website.py` | Public buckets, website exposure, public write, hijack risk |
| 03 | Compute Inventory | `compute.py` | EC2 and Lambda inventory, user-data secret indicators |
| 04 | Network Security Groups | `network_sg.py` | Internet-exposed admin ports, IPv4/IPv6 exposure |
| 05 | Logging Posture | `logging.py` | CloudTrail, GuardDuty, Config, VPC Flow Logs |
| 06 | RDS / KMS / Secrets | `rds.py`, `rds_enum.py`, `kms_secrets.py` | Public RDS, snapshots, KMS keys, Secrets Manager, SSM parameters |
| 07 | Lambda Analysis | `lambda_analysis.py` | Function URLs, environment secrets, public invoke, execution role risk |
| 08 | EKS Analysis | `eks_analysis.py` | Public API endpoint, audit logging, control plane exposure |
| 09 | CloudTrail Exfiltration | `cloudtrail_exfil.py` | Public log buckets, cross-account access, unencrypted logs |
| 10 | EBS Snapshots | `ebs_snapshots.py` | Public/shared snapshots, encryption posture |
| 11 | S3 Subdomains | `s3_subdomain.py` | Bucket takeover and dangling CNAME checks |
| 12 | S3 Git Artifacts | `s3_git_detector.py` | Exposed `.git` objects in S3 |
| 13 | ECR Containers | `ecr_analysis.py` | Public repositories, image scanning, mutable tags |
| 14 | IAM Backdoor | `iam_backdoor.py` | Dry-run guarded persistence validation |
| 15 | IMDS Enumeration | `imds_enum.py` | IMDSv1/v2, role credentials, user-data secrets |
| 16 | SSM Managed EC2 | `ssm_ec2.py` | Managed instances, Run Command paths |
| 17 | S3 Version History | `s3_versions.py` | Deleted object recovery, suspicious historical versions |
| 18 | Amazon MQ | `mq_enum.py` | Broker exposure, users, version indicators |
| 19 | STS Cross-Account | `sts_cross_account.py` | Trust policy weaknesses, OIDC conditions, role chains |
| 20 | API Gateway | `api_gateway.py` | Auth bypass, WAF gaps, resource policy, CORS |
| 21 | Cognito | `cognito.py` | Identity pools, unauthenticated access, MFA policy |
| 22 | DynamoDB | `dynamodb.py` | Encryption, streams, PITR, access policy |
| 23 | SQS / SNS | `sqs_sns.py` | Public queue/topic policy, endpoint leakage, SSE |
| 24 | CloudFormation | `cloudformation.py` | Secret outputs, stack role privilege, drift |
| 25 | Route53 / DNS | `route53.py` | Takeover candidates, DNSSEC, NS delegation |
| 26 | CodeBuild / Pipeline | `codebuild_pipeline.py` | Plaintext env secrets, buildspec secrets, privileged builds |
| 27 | WAF Analysis | `waf_analysis.py` | Default allow, missing managed rules, rate limits, logging |
| 28 | SCP Audit | `scp_audit.py` | AWS Organizations guardrail coverage |
| 29 | Step Functions / EventBridge | `stepfunctions_eventbridge.py` | Public buses, cross-account targets, logging gaps, hardcoded secrets |
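As an added example, not the project's `iam.py`, the screen below shows how the row 01 indicators (wildcards, PassRole, AssumeRole, CreateAccessKey, dangerous actions) can be detected statically in an identity-based policy document. It reads Allow statements only; Deny statements, Conditions, permissions boundaries and SCPs are ignored, so a hit is a lead to confirm with the `exploit-iam` proof-of-concept commands rather than proof of exploitability. The policy documents and account ID are constructed.

```python
# Added example for this README, not the project's iam.py. Statically screens an
# identity-based IAM policy for the row-01 indicators: wildcards, PassRole,
# AssumeRole, CreateAccessKey and other dangerous actions. Only Allow statements
# are read; Deny, Condition, permissions boundaries and SCPs are ignored, so a
# hit is a lead to confirm, not proof. Policy documents and account ID are constructed.
from fnmatch import fnmatch
from typing import Any, Dict, List, Tuple

# Actions that on their own let the holder mint credentials or grant themselves policy.
DIRECT_ESCALATION = (
    "iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:addusertogroup", "iam:updateassumerolepolicy", "sts:assumerole",
)
# Services that execute under a role handed to them: iam:PassRole plus one of
# these is the classic "borrow a more privileged role" path.
PASSROLE_SINKS = (
    "lambda:createfunction", "lambda:updatefunctioncode", "ec2:runinstances",
    "glue:createdevendpoint", "cloudformation:createstack", "codebuild:createproject",
)
Grant = Tuple[List[str], List[str]]   # (lower-cased action patterns, resources)


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else value if isinstance(value, list) else [value]


def _allow_grants(policy: Dict[str, Any]) -> List[Grant]:
    """(action patterns, resources) for every Allow statement; Allow+NotAction counts as '*'."""
    grants: List[Grant] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = ["*"] if "NotAction" in stmt else [str(a).lower() for a in _as_list(stmt.get("Action"))]
        grants.append((patterns, [str(r) for r in _as_list(stmt.get("Resource", "*"))]))
    return grants


def _resources_granting(grants: List[Grant], action: str) -> List[str]:
    """Resources on which some Allow pattern matches `action` (fnmatch expands iam:* and *)."""
    return [r for patterns, resources in grants
            if any(fnmatch(action, p) for p in patterns) for r in resources]


def screen_policy(policy_name: str, policy: Dict[str, Any]) -> List[Dict[str, str]]:
    grants = _allow_grants(policy)
    findings: List[Dict[str, str]] = []

    def add(severity: str, detail: str) -> None:
        findings.append(dict(policy=policy_name, severity=severity, detail=detail))

    for patterns, resources in grants:                      # 1. wildcards
        for pattern in patterns:
            if pattern == "*" and "*" in resources:
                add("CRITICAL", "Action * on Resource *: full administrative access")
                return findings                              # everything else is redundant
            if "*" in pattern:
                add("MEDIUM", f"wildcard action {pattern} on {', '.join(resources)}")
    for action in DIRECT_ESCALATION:                        # 2. dangerous actions
        on = _resources_granting(grants, action)
        if on:
            add("HIGH", f"{action} on {', '.join(on)}: direct privilege escalation")
    passrole_on = _resources_granting(grants, "iam:passrole")   # 3. PassRole chains
    for sink in PASSROLE_SINKS:
        if passrole_on and _resources_granting(grants, sink):
            add("HIGH", f"iam:passrole ({', '.join(passrole_on)}) + {sink}: "
                        "run code under a more privileged role")
    return findings


SAMPLE_POLICIES = {   # constructed identity-based policy documents
    "dev-lambda": {"Statement": [
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/*"}]},
    "helpdesk": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:CreateAccessKey"], "Resource": "*"}]},
    "data-team": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "break-glass": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}


def screen_all(policies: Dict[str, Dict[str, Any]]) -> List[Dict[str, str]]:
    return [f for name, doc in policies.items() for f in screen_policy(name, doc)]


if __name__ == "__main__":
    for f in screen_all(SAMPLE_POLICIES):
        print(f"{f['severity']:<8} {f['policy']:<12} {f['detail']}")
```

`fnmatch` is what makes `iam:*` and `*` expand to the concrete dangerous actions, so an `iam:*` grant produces one HIGH per matching action on top of the wildcard finding; a PassRole finding is only raised when both the `iam:PassRole` grant and a sink service action are present, because PassRole alone does nothing.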
## Report Output

Each audit run creates a timestamped Markdown report:

```text
reports/aws_audit_report_YYYYMMDD_HHMMSS.md
```
The report includes:
- Assessment metadata: generated time, AWS account, caller ARN, overall risk rating
- Executive summary with Critical, High, Medium, and Low counts
- Service-by-service findings and evidence tables
- Proof-of-concept commands where useful for validation
- Remediation guidance sorted by security impact
- Optional auto-backdoor capability assessment when enabled
Top-level report sections:
1. Account Information
2. IAM Identity & Access
3. STS Cross-Account Trust Analysis
4. S3 Storage
5. Compute - EC2
6. Network Exposure & Security Groups
7. Lambda Function Analysis
8. EKS Cluster Analysis
9. ECR Container Analysis
10. Instance Metadata (IMDS) & Credential Exposure
11. SSM-Managed EC2
12. RDS Databases & Snapshots
13. KMS / Secrets Manager / SSM Parameters
14. EBS Snapshot Exposure
15. CloudTrail Exfiltration Risks
16. Logging & Detection Posture
17. Amazon MQ / ActiveMQ
18. API Gateway Security
19. Cognito / Identity Pool Analysis
20. DynamoDB Security
21. SQS / SNS Security
22. CloudFormation Security
23. Route53 / DNS Security
24. CodeBuild / CodePipeline Secret Exposure
25. AWS WAF Rule Analysis
26. Service Control Policy Audit
27. Step Functions / EventBridge Exposure
28. Consolidated Recommendations
29. Auto-Backdoor Capability Assessment
## Screenshots

```text
╭────────────────────────────────────────────╮
│ AWS Cloud Security Audit │
│ Profile: default/env Region: us-east-1 │
╰────────────────────────────────────────────╯
Audit complete ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 33/33 0:02:14

Assessment Overview
Metric                 Value
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Overall Risk           CRITICAL
Finding Totals         4 critical / 9 high
AWS Account            123456789012
Execution Scope        mode=all / region=us-east-1
Modules                33/33 completed, 0 skipped/error
Report Directory       reports

Audit Summary
Assessment Area        Inventory                                  Finding
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Account                123456789012
IAM Users / Roles      4 users / 12 roles                         CRITICAL: 2
S3 Buckets             8 total                                    Public: 3
SG Admin Ports Exposed 2                                          Exposed: 2
Logging / GuardDuty    CloudTrail: Enabled / GuardDuty: Disabled
Route53 Zones          3                                          Takeover candidates: 2

Report saved:
reports/aws_audit_report_20260502_114503.md

Priority Findings
- CRITICAL IAM wildcard policies: 2
- HIGH Public S3 buckets: 3
- CRITICAL Route53 takeover candidates: 2
```
## Requirements

- Python 3.8+
- AWS credentials available through one of:
  - `python3 aws_agent.py configure`
  - environment variables
  - an AWS named profile
  - an instance or container role
- Recommended AWS permissions:
  - `SecurityAudit`
  - `ReadOnlyAccess`
  - narrowly approved additional permissions for explicit exploit validation
Install dependencies:

```bash
pip install -r requirements.txt
```

Current Python dependencies:

- `click`
- `rich`
- `python-dotenv`
- `boto3`
- `botocore`
- `requests`
## Project Structure

```text
aws-pentest/
├── aws_agent.py                # CLI entrypoint
├── core/
│   ├── session_manager.py      # AWS session and region management
│   ├── orchestrator.py         # Multi-module scan pipeline
│   └── reporter.py             # Markdown report generator
├── modules/                    # Individual AWS service assessment modules
├── screenshots/                # README and documentation images
├── tools/
│   └── convert_report.py       # Report conversion helper
├── requirements.txt
├── LICENSE
└── README.md
```
## Security Notes

- `backdoor-create` creates a real IAM user with `AdministratorAccess` when run without `--dry-run`.
- `exploit-iam --auto-assume-role` makes live STS calls and will be visible in CloudTrail.
- DNS and takeover checks may make real DNS lookups.
- Some modules enumerate multiple AWS regions and may produce noticeable API activity.
- Store generated reports carefully; they can contain account IDs, ARNs, resource names, and security-sensitive evidence.
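The note that live STS calls land in CloudTrail holds just as much for what `backdoor-create` does. As an added example that is not part of aws-pentest, the detector below runs over constructed CloudTrail records in the JSON shape the service writes and flags the footprint of both commands: every `AssumeRole` call (denied attempts are logged too, with an `errorCode`), and the `CreateUser`, `AttachUserPolicy` (`AdministratorAccess`), `CreateAccessKey` sequence of an admin backdoor, correlated by actor and target user. The actor ARN, role ARNs, user name and timestamps are constructed.

```python
# Added example for this README, not part of aws-pentest: the CloudTrail
# footprint that exploit-iam --auto-assume-role and backdoor-create leave,
# matched by a small offline detector. The records are constructed in the
# JSON shape CloudTrail writes (eventSource, eventName, userIdentity,
# requestParameters, errorCode); a real trail carries many more fields.
import json
from collections import defaultdict
from typing import Any, Dict, List, Set, Tuple

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
BACKDOOR_STEPS = {"CreateUser", "AttachUserPolicy", "PutUserPolicy",
                  "CreateAccessKey", "CreateLoginProfile"}
ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/pentest-user"}  # constructed

CONSTRUCTED_RECORDS: List[Dict[str, Any]] = [
    {"eventTime": "2026-05-02T11:45:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": ACTOR,
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/break-glass-admin",
                           "roleSessionName": "aws-pentest"}},
    {"eventTime": "2026-05-02T11:45:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied", "userIdentity": ACTOR,
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/billing-admin",
                           "roleSessionName": "aws-pentest"}},
    {"eventTime": "2026-05-02T11:46:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": ACTOR,
     "requestParameters": {"userName": "authorized-test-admin"}},
    {"eventTime": "2026-05-02T11:46:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": ACTOR,
     "requestParameters": {"userName": "authorized-test-admin", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2026-05-02T11:46:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": ACTOR,
     "requestParameters": {"userName": "authorized-test-admin"}},
    {"eventTime": "2026-05-02T11:47:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": ACTOR, "requestParameters": None},
]


def detect(records: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts; every AssumeRole call is surfaced, denied or not."""
    alerts: List[Tuple[str, str]] = []
    steps_by_target: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    admin_attached: Set[Tuple[str, str]] = set()
    for rec in records:
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        if source == "sts.amazonaws.com" and name == "AssumeRole":
            outcome = f"denied ({rec['errorCode']})" if rec.get("errorCode") else "succeeded"
            alerts.append(("MEDIUM", f"{actor} AssumeRole {params.get('roleArn')}: {outcome}"))
        elif source == "iam.amazonaws.com" and name in BACKDOOR_STEPS and not rec.get("errorCode"):
            key = (actor, params.get("userName", ""))
            steps_by_target[key].add(name)
            if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                admin_attached.add(key)
    for key, steps in steps_by_target.items():      # correlate the IAM steps per actor/target
        actor, target = key
        if "CreateUser" in steps and key in admin_attached and steps & {"CreateAccessKey", "CreateLoginProfile"}:
            alerts.append(("CRITICAL", f"{actor} created IAM user {target}, attached "
                                       "AdministratorAccess and issued credentials"))
        else:
            alerts.append(("HIGH", f"{actor} modified IAM user {target}: {', '.join(sorted(steps))}"))
    return alerts


def detect_from_trail_json(text: str) -> List[Tuple[str, str]]:
    """Accept the body of a CloudTrail log object ({"Records": [...]}) after gunzip."""
    return detect(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for severity, message in detect(CONSTRUCTED_RECORDS):
        print(f"{severity:<8} {message}")
```

Point `detect_from_trail_json` at a gunzipped CloudTrail delivery object to run it on a real trail; the records an authorized engagement leaves behind are a convenient way to confirm that the account owner's own detections fired.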
## License

MIT License. See `LICENSE`.
Created by tmrswrr.