Cloud Pentesting: Resource & Lab Collection

A curated compilation of cloud-focused penetration testing, red teaming, and offensive security resources. Contributions welcome via pull request.

---

Table of Contents

• Overview
• General Resources
  • Cheatsheets & Compilations
  • Methodologies & Encyclopedias
  • Awesome Lists
  • Training & Certifications
  • CTFs & Challenges
• AWS
• Azure / Entra ID
• Google Cloud Platform (GCP)
• Kubernetes & Containers
• Multi-Cloud Tools
• CI/CD & Infrastructure as Code
• Research Blogs

---

Overview

The major cloud providers and orchestration platforms covered by this collection:

• Amazon Web Services (AWS)
• Microsoft Azure / Entra ID (formerly Azure AD)
• Google Cloud Platform (GCP)
• Kubernetes
• IBM Cloud
• DigitalOcean

---

General Resources

Cheatsheets & Compilations

• dafthack/CloudPentestCheatsheets
• TROUBLE-1/Cloud-Pentesting
• vengatesh-nagarajan/Cloud-pentest
• kh4sh3i/cloud-penetration-testing
• lutzenfried/OffensiveCloud

Methodologies & Encyclopedias

• HackTricks Cloud — comprehensive, provider-agnostic methodology
• Hacking The Cloud — offensive cloud security encyclopedia
• PentestBook — Cloud
• PayloadsAllTheThings — Methodology & Resources
• MITRE ATT&CK Cloud Matrix
• Bishop Fox — Cloud Pen-Testing Tools
• AWS/Azure/GCP resource roundup (Medium)
• jassics/security-study-plan

Awesome Lists

• toniblyx/my-arsenal-of-aws-security-tools
• jassics/awesome-aws-security
• 4ndersonLin/awesome-cloud-security
• RyanJarv/awesome-cloud-sec
• iknowjason/Awesome-CloudSec-Labs

Training & Certifications

• SANS SEC588 — Cloud Penetration Testing (paid)
• Altered Security — CARTP (Azure Red Teaming) (paid)
• Altered Security — CARTE (Advanced Azure Red Teaming) (paid)
• Pwned Labs — guided multi-cloud labs

CTFs & Challenges

• Wiz CTF Hub
• The Big IAM Challenge
• Cloud Security Championship
• appsecco — Breaking & Pwning Apps and Servers on AWS and Azure

---

AWS

AWS: Resources

• HackTricks — AWS Security
• PentestBook — AWS
• PayloadsAllTheThings — AWS Pentest
• HackTheBox — AWS Pentesting Guide
• Rhino Security Labs — Pentesting AWS
• Rhino Security Labs — AWS IAM Privilege Escalation Methods
• RhinoSecurityLabs/AWS-IAM-Privilege-Escalation — canonical IAM privesc reference
• Deep Dive into AWS Penetration Testing
• pop3ret/AWSome-Pentesting Cheatsheet
• CyberSecArmy/AWS-Offensive-Exploitation-Pentesting
• rootcathacking/cloudcat — AWS CLI notes
• NickTheSecurityDude/AWS-Pentesting-Notes
• 0xdeadpool/AWS-Essentials-for-Pentest

AWS: Tools

• RhinoSecurityLabs/pacu — AWS exploitation framework
• BishopFox/cloudfox — attack path discovery
• DataDog/stratus-red-team — adversary emulation for AWS/Azure/GCP/K8s
• ReversecLabs/leonidas — YAML-defined cloud attack simulation
• nccgroup/PMapper — IAM privilege escalation graphing
• DataDog/pathfinding.cloud — curated IAM privesc path library
• tenable/EscalateGPT — AI-assisted IAM privesc discovery
• salesforce/cloudsplaining — IAM least-privilege assessment
• andresriancho/enumerate-iam — IAM permission brute forcer
• shabarkin/aws-enumerator — API action enumerator
• sebastian-mora/AWS-Loot
• DavidDikker/endgame — resource exposure testing
• gwen001/s3-buckets-finder
• Ebryx/S3Rec0n
• carnal0wnage/weirdAAL
• ajinabraham/aws_security_tools
• adanalvarez/TrailDiscover — CloudTrail events mapped to attack techniques

AWS: Labs

• RhinoSecurityLabs/cloudgoat — vulnerable-by-design AWS scenarios
• ine-labs/AWSGoat — vulnerable AWS web-app + infra lab
• BishopFox/iam-vulnerable — 31 IAM privesc paths
• juanjoSanz/aws-pentesting-lab
• torque59/AWS-Vulnerable-Lambda
• stafordtituss/HazProne
• applied-network-security/aws-pentesting-lab
• marcosValle/auto-pentest-lab
• HackTricks AWS Security

AWS: Key Topics

• IAM users, roles, managed & inline policies, trust policies
• S3 bucket ACLs, public objects, and SSE key misconfigurations
• EC2 instance metadata (IMDSv1/v2), SSRF to credential theft
• Lambda function permissions, environment variables, and API Gateway abuse
• VPC, security groups, and peering misconfigurations
• SNS/SES abuse for exfiltration and phishing
• iam:PassRole + ec2:RunInstances privilege escalation via instance profiles
• CloudTrail evasion and identity obfuscation techniques

AWS: First Lab Setup (High Level)

1. Create an AWS account.
2. In IAM, create a user/group with policies appropriate for your chosen lab (CloudGoat, for example, typically needs: AdministratorAccess, AmazonRDSFullAccess, IAMFullAccess, AmazonS3FullAccess, CloudWatchFullAccess, AmazonDynamoDBFullAccess).
3. Confirm S3 bucket creation is permitted in the target region.
4. Configure the AWS CLI locally with the access key, secret, and region from the IAM user you created.
5. Enable S3 bucket ACLs if the lab requires them (set via bucket permissions).

---

Azure / Entra ID

Azure: Resources

• HackTricks — Azure Security
• PentestBook — Azure
• PayloadsAllTheThings — Azure Pentest
• CMEPW/azure-mindmap
• Kyuu-Ji/Awesome-Azure-Pentest
• rootsecdev/Azure-Red-Team
• Cobalt — Azure AD Pentesting Fundamentals
• Astra — Azure Penetration Testing
• mburrough/pentestingazureapps
• badchars/AzureAD-Pentest
• sabrinalupsan/pentesting-azure-ad

Azure: Tools

• dafthack/GraphRunner — Microsoft Graph API post-exploitation toolset
• dirkjanm/ROADtools — Python framework for Entra ID recon
• Gerenios/AADInternals — comprehensive Entra ID attack/audit PowerShell module
• SpecterOps/AzureHound — BloodHound collector for Azure/Entra
• NetSPI/MicroBurst — Azure security assessment PowerShell
• blacklanternsecurity/TREVORspray — distributed password spraying
• dafthack/MFASweep — MFA configuration enumeration
• nyxgeek/TokenTactics — Entra ID token manipulation
• nyxgeek/onedrive_user_enum
• ZephrFish/AzureAttackKit
• AlteredSecurity/365-Stealer
• optionalCTF/SSOh-No

Azure: Labs

• ine-labs/AzureGoat — vulnerable-by-design Azure infrastructure
• esell/azure-sec-lab
• uc-cyberclub/azure-pentesting-lab-tf

Azure: Key Topics

• Storage account blobs and public container misconfigurations
• Azure Files / AFR shares
• Leaked tokens and credentials in DevOps/Automation artifacts
• Password spraying and OAuth device code / token-theft attacks against Entra ID
• Privileged role elevation via PIM, service principals, and managed identities
• Conditional Access and MFA bypass techniques
• Consent phishing and illicit grant abuse against Microsoft 365

---

Google Cloud Platform (GCP)

GCP: Resources

• HackTricks — GCP Security
• PentestBook — GCP
• RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
• Rhino Security Labs — GCP Privilege Escalation (Blog)

GCP: Tools

• NetSPI/gcpwn — GCP pentest framework modeled after Pacu
• RhinoSecurityLabs/GCPBucketBrute

GCP: Labs

• ine-labs/GCPGoat — vulnerable-by-design GCP infrastructure

GCP: Key Topics

• IAM bindings, custom roles, and service account impersonation
• iam.serviceAccounts.actAs and iam.serviceAccounts.getAccessToken privesc
• Cloud Storage bucket ACL and public access misconfigurations
• Cloud Functions and Cloud Run environment-variable / metadata abuse
• Organization vs. project hierarchy boundary crossing

---

Kubernetes & Containers

Kubernetes: Resources

• HackTricks — Kubernetes Security
• PentestBook — Docker & Kubernetes
• SunWeb3Sec/Kubernetes-security
• jarvarbin/Kubernetes-Pentesting
• magnologan/awesome-k8s-security
• ksoclabs/awesome-kubernetes-security
• g3rzi/HackingKubernetes
• PayloadsAllTheThings — Kubernetes
• CyberArk — Kubernetes Pentest Methodology
• Kubernetes Pentest Recon Checklist
• Complete Kubernetes Config Review Methodology
• Pentesting Kubernetes (hannahsuarez)
• Kubernetes Security Checklist

Kubernetes: Tools

• aquasecurity/kube-hunter — remote cluster vulnerability scanner
• inguardians/peirates — post-exploitation & privesc
• quarkslab/kdigger — in-pod context discovery
• cyberark/KubiScan — RBAC permission auditing
• cyberark/kubesploit — containerized C2 framework
• Metarget/k0otkit — post-exploitation persistence rootkit
• r0binak/MTKPI — multi-tool Kubernetes pentest container image
• cdk-team/CDK — container escape & auditing toolkit
• 4ARMED/kubeletmein
• madhuakula/hacker-container
• collabnix/kubetools
• Krew — kubectl plugin index

Kubernetes: Labs

• madhuakula/kubernetes-goat
• nabilblk/k8s-security

Kubernetes: Key Topics

• Clusters, namespaces, and control plane exposure
• RBAC roles, role bindings, and privilege escalation paths
• Service account tokens, secrets, and auto-mounted credentials
• Pod security (privileged pods, hostPath, hostNetwork, capabilities)
• Container escape techniques and kubelet API abuse
• Ingress, API server, and etcd exposure

---

Multi-Cloud Tools

Tools that apply across providers or are provider-agnostic.

• awscli
• Terraform
• prowler-cloud/prowler — AWS/Azure/GCP/K8s audit & hardening
• nccgroup/ScoutSuite — multi-cloud auditing
• turbot/steampipe — SQL interface for cloud APIs
• cloud-custodian/cloud-custodian
• 0xsha/CloudBrute
• Macmod/STARS
• Zeus-Labs/ZeusCloud
• rams3sh/Aaia
• RhinoSecurityLabs/ccat — Container Cloud Attack Tool
• 404tk/cloudtoolkit
• iknowjason/edge
• lord-alfred/ipranges
• trufflesecurity/trufflehog — secret scanning across code and cloud

Cloud C2 Frameworks

• gl4ssesbo1/Nebula — cloud-focused C2

---

CI/CD & Infrastructure as Code

CI/CD pipelines and IaC are frequent initial-access and privilege-escalation vectors against cloud environments.

Resources

• HackTricks — CI/CD Pentesting
• HackTricks — Terraform Security

Tools

• carlospolop/PurplePanda — cloud & IdP attack path mapping
• aquasecurity/trivy — IaC, container, and dependency scanner
• bridgecrewio/checkov — IaC static analysis
• Checkmarx/kics — IaC misconfiguration scanner

---

Research Blogs

Keep up with new cloud attack techniques and tooling.

• Datadog Security Labs
• Rhino Security Labs Blog
• Bishop Fox Blog
• Wiz Research Blog
• Black Hills Information Security Blog
• NetSPI Blog

---

Walkthroughs & Writeups

• appsecco/attacking-cloudgoat2
• Rhino — CloudGoat RCE Web App Walkthrough
• InfoSec Institute — CloudGoat Walkthrough Series
• gainsec — CloudGoat Setup Guide