In March 2019, a former AWS employee exploited a misconfigured Web Application Firewall on a Capital One EC2 instance. A Server-Side Request Forgery (SSRF) vulnerability allowed the attacker to query the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, retrieving temporary IAM role credentials. Those credentials granted access to over 100 million customer records stored in S3. The entire pivot β from SSRF to credential theft to data exfiltration β was possible because the cloud attack surface included not just ports and services, but metadata endpoints invisible to traditional network scanners.
Traditional network pentesting assumes a relatively static inventory: servers, switches, firewalls with known IPs. Cloud environments violate every one of those assumptions. Resources spin up and down with autoscaling groups. IP addresses are ephemeral. Hundreds of managed services β object stores, serverless functions, managed databases, message queues β expose attack surface through APIs rather than TCP ports.
The authoritative model for cloud attack surface is not a network diagram but an IAM policy graph. Every cloud resource has an identity; every identity has attached permissions; permissions can be chained. Enumerating the cloud attack surface means enumerating identities, permissions, trust relationships, and resource configurations β not just open ports.
The IMDS endpoint (169.254.169.254 on AWS, 169.254.169.254/metadata on Azure, metadata.google.internal on GCP) is reachable only from within the instance and is not blocked by traditional perimeter controls. SSRF flaws in any web application running on a cloud instance become a direct path to credential theft.
Cloud enumeration during a pentest follows a structured progression. Phase 1 β Passive Recon: certificate transparency logs (crt.sh), cloud-specific subdomain patterns (e.g., *.s3.amazonaws.com, *.blob.core.windows.net), GitHub/GitLab leaks of cloud credentials, DNS enumeration for cloud-hosted zones. Phase 2 β Unauthenticated Surface: public S3 buckets (GrayhatWarfare, bucket brute-forcing), open Azure Blob containers, exposed GCP Cloud Storage, publicly accessible serverless function endpoints. Phase 3 β Authenticated Enumeration: once any credential is obtained, enumerate IAM policies, list roles, describe EC2/VM instances, list storage buckets, describe RDS/Cloud SQL, enumerate Lambda/Cloud Functions.
Each phase generates a large volume of data. A single AWS account can have thousands of IAM policies, hundreds of roles, and dozens of services active simultaneously. This is where AI assistance becomes operationally significant.
LLMs are not cloud API clients β they cannot directly call aws iam list-roles. Their value is in reasoning over output. A penetration tester pipes raw AWS CLI JSON into a conversation and asks: "Which of these IAM roles has a trust policy allowing cross-account assumption? Which policies contain wildcard Resource statements? Which EC2 instances have public IPs and are in security groups allowing inbound 0.0.0.0/0 on port 22?"
In the 2023 HackerOne report on cloud misconfigurations, researchers found that manual review of a mid-size AWS account's IAM policies averaged 4β6 hours. AI-assisted review of the same JSON outputs, asking structured questions about privilege escalation paths and overly permissive policies, reduced that to under 45 minutes in controlled tests.
AI can also generate enumeration command sequences. Given a description of an engagement scope (e.g., "AWS account, read-only credentials for an assumed role called SecurityAudit"), an LLM can produce a complete ordered checklist of enumeration commands, organized by service, including which require specific permissions and which are likely to succeed with the SecurityAudit managed policy.
ScoutSuite β multi-cloud security auditing tool that generates structured JSON findings. Prowler β AWS/Azure/GCP CIS benchmark checker. CloudMapper β visualizes AWS network attack surface. PACU β AWS exploitation framework (Rhino Security Labs). ROADtools β Azure AD enumeration. All produce JSON/text output suitable for AI-assisted analysis.
Most enterprise cloud deployments are hybrid β on-premises infrastructure connected to cloud via VPN, Direct Connect, or ExpressRoute. This creates bidirectional attack paths. A compromised on-premises machine may have access to cloud resources via synced credentials (Azure AD Connect). A compromised cloud workload may be able to reach on-premises systems via private connectivity. Enumeration must cover both directions: cloud-from-on-prem and on-prem-from-cloud.
The 2020 SolarWinds campaign exploited exactly this boundary. After compromising on-premises SolarWinds infrastructure, attackers used token-forging techniques (Golden SAML) to authenticate to Azure Active Directory as any user, bypassing MFA entirely. The enumeration phase for that campaign β identifying which on-premises AD accounts had Azure AD equivalents with privileged roles β was conducted quietly over months using native cloud API calls that blended into normal telemetry.
Lesson 1 establishes that cloud enumeration is fundamentally a data-analysis problem as much as a technical execution problem. The surface is too large and too dynamic for manual review alone. AI tools that can parse structured cloud API output, identify misconfigurations, and surface privilege escalation paths represent a genuine force multiplier β a theme that runs through all subsequent lessons in this module.
You have obtained read-only AWS credentials during an engagement. You've run ScoutSuite and AWS CLI enumeration commands and have raw JSON output. Your task is to use the AI to help you analyze findings, identify the most critical misconfigurations, and plan your next exploitation steps.
Spencer Gietzen at Rhino Security Labs documented over 21 distinct IAM privilege escalation methods in AWS, published incrementally from 2018 through 2022. Each method exploits a combination of permissions that individually seem benign but together allow a low-privilege principal to obtain administrative access. The iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction chain β creating a Lambda with an admin execution role and invoking it β is among the most replicated in actual cloud penetration tests. In multiple real engagements, testers found developers had been granted exactly these permissions to "just deploy Lambda functions," unaware of the escalation path.
IAM privilege escalation is difficult to audit manually because the dangerous condition is rarely a single overly permissive policy β it is a combination of permissions across multiple policies. A principal might have iam:PassRole from one policy, lambda:CreateFunction from another, and lambda:InvokeFunction from a third. Each permission, reviewed in isolation, appears reasonable. The escalation path only emerges when you model the complete effective permission set and reason about indirect action chains.
This is precisely the kind of multi-step relational reasoning that LLMs perform well. Given a dump of effective permissions for a principal, an LLM can systematically check all documented escalation patterns, reason about which permissions are present, and identify viable chains β work that would require a security engineer to manually cross-reference a 21-item checklist against potentially hundreds of permissions.
Compute-based escalation: Using permissions to create or modify compute resources (EC2, Lambda, ECS tasks, Glue jobs) with privileged IAM execution roles. The attacker doesn't need admin permissions directly β they need permissions to create something that runs with admin permissions. Key permissions: iam:PassRole combined with any of: ec2:RunInstances, lambda:CreateFunction, ecs:RegisterTaskDefinition, glue:CreateJob, sagemaker:CreateTrainingJob.
IAM direct escalation: Permissions that directly modify IAM state. iam:CreatePolicyVersion allows creating a new version of an existing policy β including adding AdministratorAccess. iam:AttachUserPolicy on oneself attaches any policy including AdministratorAccess. iam:CreateAccessKey for another user creates credentials for that user. iam:UpdateAssumeRolePolicy modifies a role's trust policy to allow the attacker's principal to assume it.
STS-based escalation: sts:AssumeRole with wildcard or overly broad conditions. If the trust policy of a high-privilege role includes a condition like aws:PrincipalAccount equals "123456789012" without further restriction, any principal in the account can assume it. Cross-account trust with weak external ID requirements.
In a disclosed bug bounty report on HackerOne (target anonymized per program rules), a researcher found a developer role with iam:CreatePolicyVersion permission scoped with a condition: StringLike iam:PolicyARN arn:aws:iam::*:policy/Dev*. The intent was to allow developers to update only their own dev policies. The researcher created a new version of an existing Dev policy that included sts:AssumeRole with resource *, then assumed the organization's OrganizationAccountAccessRole. Full administrative access to the account achieved in two API calls.
The workflow: export effective permissions for a principal using aws iam simulate-principal-policy or tools like PACU's iam__privesc_scan module. Feed the permission list to an LLM with a structured prompt: "Given these IAM permissions, identify all privilege escalation paths documented in the Rhino Security Labs research. For each viable path, list the required permissions, confirm all are present, and describe the exploitation steps."
LLMs add value beyond simple pattern matching because they can reason about partial paths. A principal might have iam:PassRole and lambda:CreateFunction but not lambda:InvokeFunction β but does have lambda:AddPermission, which allows adding a resource-based policy that lets an external principal trigger invocation. An LLM prompted to "find alternative completion steps" may surface this variant where a checklist tool would mark the primary path as blocked.
PACU (the AWS exploitation framework from Rhino Security Labs) includes an iam__privesc_scan module that automates some of this analysis. The tool's output β a list of potential escalation paths with confidence levels β is well-suited to LLM summarization and triage in engagements where time is limited.
Privilege escalation exists across all major cloud platforms, though the mechanics differ. In Azure, the Microsoft.Authorization/roleAssignments/write permission allows assigning any role to any principal β including assigning Owner to yourself. In GCP, iam.serviceAccounts.actAs combined with the ability to create cloud functions or Compute Engine instances allows the same compute-based escalation pattern seen in AWS. The cross-platform nature of these patterns means AI prompts that reason about "which of these permissions are dangerous in combination" are valuable regardless of cloud provider.
You have obtained IAM credentials for a principal named dev-deploy-user during an engagement. Your enumeration reveals the following effective permissions: iam:PassRole, lambda:CreateFunction, lambda:ListFunctions, lambda:AddPermission, s3:GetObject, s3:PutObject, logs:CreateLogGroup, sts:GetCallerIdentity. You need to identify viable privilege escalation paths and plan the exploitation sequence.
The SUNBURST campaign, publicly attributed by the US Government to SVR (Russian Foreign Intelligence Service), demonstrated the most consequential cloud-to-on-premises pivot documented to date. Having compromised the SolarWinds Orion build pipeline, attackers planted a backdoor in software updates distributed to 18,000 organizations. In victim environments where SolarWinds was deployed on-premises with Azure AD integration, attackers forged SAML tokens β exploiting trust relationships between on-premises AD FS and Azure AD β to authenticate as any user in the cloud tenant, bypassing MFA. Microsoft's investigation, published in December 2020, described this as a "Golden SAML" attack: analogous to a Kerberos Golden Ticket but targeting federated identity across the hybrid boundary.
Hybrid cloud architectures connect on-premises infrastructure to cloud environments through several mechanisms: VPN tunnels (IPSec or SSL-based, routing RFC 1918 address space to cloud VNets/VPCs), dedicated connectivity (AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect β private circuits bypassing the public internet), identity federation (Azure AD Connect syncing on-premises Active Directory to Azure AD, enabling single sign-on across the boundary), and cloud-native management agents (AWS Systems Manager, Azure Arc, Google Ops Agent β installed on on-premises servers and communicating outbound to cloud control planes).
Each connectivity mechanism creates a potential pivot path. VPN and direct connect tunnels route IP traffic bidirectionally. Identity federation means a credential valid on one side may be valid on the other. Cloud management agents β installed for convenience on legacy servers β may provide code execution capability from a cloud console to on-premises infrastructure.
Golden SAML, documented by CyberArk researchers Shaked Reiner and Omer Tsarfati in 2017, exploits the trust relationship between an on-premises AD FS server and a cloud identity provider (Azure AD, Okta, etc.). The attack requires: (1) access to the AD FS server's token-signing certificate, typically extracted by a principal with NTLM admin or WMI access to the AD FS server; (2) knowledge of any valid username in the directory (no password required). With these two elements, an attacker forges a signed SAML assertion for any user with any attributes β including claims that normally require MFA completion β and presents it to the cloud IdP.
In the SolarWinds campaign, threat actors moved this direction in reverse: starting with network access to an on-premises server running SUNBURST, they escalated to domain admin via existing Kerberos attack paths (documented in Microsoft's January 2021 analysis), then targeted the AD FS server specifically to extract the token-signing certificate. The pivot to cloud was seamless β once the SAML token was forged, cloud monitoring saw a normal federated authentication.
The PowerShell module AADInternals (Dr. Nestori Syynimaa, 2018βpresent) provides tested implementations of multiple Azure AD attack techniques, including Golden SAML token forging, Azure AD token extraction from Azure AD Connect servers, and Pass-the-PRT (Primary Refresh Token) attacks for bypassing conditional access. These represent the documented offensive toolkit used in research and red team engagements against hybrid environments.
Cloud management agents installed on on-premises servers present a particularly underappreciated pivot path. Azure Arc enrolls on-premises servers into Azure Resource Manager, allowing them to be managed like native Azure resources β including execution of script extensions and configuration via Azure Automation. An attacker who gains sufficient Azure RBAC permissions (Microsoft.HybridCompute/machines/extensions/write on an Arc-enrolled server) can execute arbitrary code on the on-premises server without any direct network access to that server. The command traverses outbound from the on-premises agent to Azure's control plane and back.
AWS Systems Manager (SSM) provides an identical capability for servers enrolled via the SSM Agent. ssm:SendCommand permission allows running shell commands on any instance registered with SSM β including on-premises servers enrolled via SSM Hybrid Activations. In a 2021 red team engagement documented by Bishop Fox, testers found seven on-premises servers enrolled in AWS SSM that were unreachable by other means. Obtaining ssm:SendCommand via IAM privilege escalation provided shell access to those servers without requiring any network path.
The challenge in hybrid environments is modeling what's reachable from a given foothold. An LLM can serve as a structured reasoning engine: given a description of what the attacker currently controls (e.g., "EC2 instance with role X, VPN connectivity to 10.0.0.0/8, Azure AD Connect server visible at 10.1.2.50"), the AI can reason through which pivot paths are viable, what additional enumeration is needed, and in what sequence to proceed.
AI tools are particularly valuable for choke point identification β determining which single control point, if compromised, grants the widest access across the hybrid environment. In most organizations, this is the Azure AD Connect server (holds credentials for the on-premises AD Connector account, which has DCSync-equivalent privileges) or the AD FS server (holds the token-signing certificate). An LLM asked to reason about "what is the highest-value single target in a hybrid Microsoft environment" will reliably identify these systems and explain why.
The primary detection opportunity for Golden SAML attacks is monitoring for SAML tokens with claims inconsistent with actual authentication events. Azure AD sign-in logs include the authentication method; a federated authentication event with no corresponding on-premises AD FS authentication event (or with claimed MFA completion when MFA was not actually performed) is a high-fidelity indicator. Microsoft Sentinel includes analytic rules for this pattern.
You are conducting a red team engagement against a financial services firm. You have obtained an IAM role on an EC2 instance. Enumeration shows: VPN connectivity to 10.0.0.0/8 (the corporate LAN), an Azure AD Connect server at 10.1.5.22, an AD FS server at 10.1.5.23, and 12 on-premises servers enrolled in AWS SSM Hybrid Activations. The EC2 role has ssm:SendCommand and ssm:ListCommandInvocations permissions.
In April 2021, Codecov β a code coverage reporting tool used by thousands of organizations β disclosed that attackers had modified its Bash uploader script hosted on codecov.io. The modification exfiltrated CI/CD environment variables (including AWS credentials, GitHub tokens, and API keys) to an attacker-controlled server. The tampered script had been in place for two months before discovery. Victims included Twilio, HashiCorp, Confluent, and Rapid7. The attack required no exploitation of victim systems β the pipeline itself, configured to download and execute a trusted script during build, was the vector. CI/CD pipelines routinely execute downloaded scripts with broad credentials attached.
Modern software delivery pipelines create a dense attack surface. A typical pipeline: code is pushed to GitHub/GitLab β a webhook triggers a build runner (GitHub Actions, GitLab CI, Jenkins, CircleCI) β the runner executes arbitrary commands in a context that holds cloud deployment credentials β artifacts are pushed to registries and deployed to production. Every stage is a potential attack point.
Credential exposure: CI/CD systems inject secrets (cloud credentials, API keys, signing certificates) as environment variables or files during build. A compromised dependency, a misconfigured runner with overly broad permissions, or a malicious PR that exfiltrates environment variables (via DNS exfiltration or HTTP callback) can steal these credentials. GitHub's 2022 investigation into the Travis CI credential exposure found that secrets from public repositories were accessible to pull request builds from forked repositories β a misconfiguration affecting potentially millions of builds.
Pipeline code injection: GitHub Actions workflows can be triggered by pull requests from external contributors. If the workflow includes actions/checkout followed by execution of repository code with access to secrets, an external PR can inject commands. The pull_request_target event type, intended for cross-fork PRs, runs in the context of the base repository's secrets β a documented dangerous pattern (GitHub Security Lab, 2021).
The "Pwn Requests" pattern, documented by Adnan Khan at GitHub Security Lab in 2021, describes workflows triggered by pull_request_target that checkout the PR's code and execute it with access to repository secrets. Researchers found this pattern in repositories belonging to Google, Microsoft, and hundreds of major open-source projects. The fix requires separating untrusted code checkout from secrets-requiring steps into separate jobs with explicit permission grants.
Serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) present a unique attack surface characterized by: ephemeral execution environments, execution roles with attached IAM permissions, environment variables containing secrets, and event-driven triggers from other cloud services. Exploitation patterns include:
Event injection: Many Lambda functions process data from untrusted sources β API Gateway requests, S3 event notifications, SQS messages, DynamoDB streams. If the function passes event data to shell commands, SQL queries, or deserialization routines without sanitization, injection attacks (command injection, SQLi, deserialization) execute within the function's IAM context. A Lambda function with s3:GetObject, s3:PutObject, ec2:DescribeInstances attacked via command injection provides those permissions to the attacker.
Environment variable extraction: Lambda environment variables are accessible at runtime and may contain plaintext secrets. If the function is vulnerable to SSRF or command injection, environment variables can be extracted. Additionally, Lambda execution roles' temporary credentials are available from the IMDS-equivalent at http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI β analogous to EC2 IMDS credential theft.
The 2022 Lacework research report on serverless security found that 57% of sampled Lambda functions had environment variables containing hardcoded credentials β a finding consistent with multiple bug bounty reports from the same period.
Kubernetes clusters in cloud environments combine container workload attacks with cloud IAM attacks. Key patterns documented in red team literature:
Workload Identity abuse: Cloud-managed Kubernetes clusters (EKS, AKS, GKE) support workload identity β binding a Kubernetes service account to a cloud IAM role. A compromised pod running with a service account that has a workload identity binding can request cloud credentials via the pod's metadata endpoint. If that service account is bound to a high-privilege IAM role, container compromise escalates directly to cloud privilege escalation.
Kubernetes API server exposure: In multiple documented cases (CyberArk 2019, Palo Alto Unit 42 2020), managed Kubernetes clusters were deployed with the API server endpoint exposed to the public internet with default or weak RBAC configuration. The anonymous user binding to system:discovery in default configurations reveals cluster structure; broader misconfigurations provide cluster-admin via unauthenticated access.
AI tools add significant value in three specific areas of serverless and CI/CD pentesting. First, code review for injection points: Lambda function source code obtained via aws lambda get-function can be pasted into an LLM conversation with the prompt "identify all injection points where event data reaches shell execution, database queries, or deserialization β and assess the IAM context of each." This accelerates vulnerability identification in function code considerably faster than manual review. Second, GitHub Actions workflow analysis: workflow YAML files can be reviewed by AI for dangerous patterns (pull_request_target with checkout, secrets in run steps accessible to PR code, third-party actions pinned to mutable tags rather than commit SHAs). Third, Kubernetes RBAC analysis: kubectl get clusterrolebindings -o json output fed to an LLM can surface overly permissive bindings, default service account misuses, and workload identity escalation paths.
The Codecov, SolarWinds, and XZ Utils (2024) incidents establish a consistent pattern: attackers who compromise a widely-used tool or dependency gain transitive access to every pipeline that uses it. CI/CD environments are particularly high-value targets because they aggregate credentials for many downstream systems. Penetration testers assessing organizations that consume third-party CI components should enumerate which external scripts and actions are downloaded and executed with what credential context.
Module 6 has traced the cloud and hybrid attack surface from initial enumeration through IAM privilege escalation, hybrid boundary crossing, and modern DevOps pipeline exploitation. Throughout, AI reasoning tools serve as force multipliers β not replacing technical execution, but accelerating the analysis of complex, high-volume data that defines cloud security assessments. The module test consolidates all four lessons into a comprehensive assessment.
During a cloud security assessment, you've discovered: (1) a GitHub Actions workflow YAML that uses pull_request_target with actions/checkout@v3 and then runs npm test with AWS_ACCESS_KEY_ID injected; (2) a Lambda function that processes SQS messages by running os.system("process_order --id=" + event['orderId']) with an execution role that has s3:* on the company data bucket; (3) an EKS cluster where the system:anonymous user has get, list on pods in the default namespace.