Date: March 16, 2026
Author: Karan Patel, CEO

Cloud misconfigurations are behind some of the most significant data breaches of the last decade. AWS, being the dominant cloud provider globally, is also the most heavily targeted. If you are performing a cloud penetration test or security assessment, ScoutSuite is one of the most powerful open-source tools available for auditing AWS environments at scale. This guide walks you through everything: installation, configuration, service-by-service checklists, real commands, and how to interpret findings like a professional cloud pentester.

What Is ScoutSuite and Why It Matters for AWS Pentesting

ScoutSuite is a multi-cloud security auditing tool developed by NCC Group. It collects configuration data from cloud APIs and maps it against security best practices, producing a detailed HTML report with risk ratings and actionable findings. Unlike many cloud scanners that require agent installation, ScoutSuite operates entirely through API calls using your configured credentials, making it non-intrusive and ideal for both external assessments and internal audits.

For AWS specifically, ScoutSuite covers over 20 services including IAM, S3, EC2, RDS, Lambda, CloudTrail, CloudWatch, KMS, ECS, EKS, and more. It flags issues ranging from publicly accessible S3 buckets to overly permissive IAM roles, giving you a structured starting point for deeper manual exploitation.

If you are working toward hands-on AWS cloud security skills, the AWS Pentesting Course at Redfox Cybersecurity Academy teaches you how to move beyond automated scanning and exploit real misconfigurations in lab environments.

Prerequisites: Setting Up Your AWS Pentesting Environment

Before running ScoutSuite, you need a properly configured AWS environment with appropriate credentials. During a penetration test, this typically means working with credentials provided by the client during scoping.

Required Permissions for ScoutSuite

ScoutSuite requires read-only access across the services it audits. The minimum recommended managed policy is ReadOnlyAccess, but for a more precise scope, attach the following AWS-managed policies to your assessment IAM user or role:

  • ReadOnlyAccess
  • SecurityAudit

For engagements where you want to limit scope precisely, you can create a custom policy based on the ScoutSuite IAM permissions list.

Configuring AWS CLI Credentials

aws configure
# Enter your Access Key ID, Secret Access Key, region, and output format

# Verify identity before running any tools
aws sts get-caller-identity

If you are testing with a role rather than a user, assume the role first:

aws sts assume-role \
 --role-arn arn:aws:iam::123456789012:role/PentestAuditRole \
 --role-session-name scoutsuite-session \
 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
 --output text

Export the returned credentials as environment variables:

export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

Installing ScoutSuite

ScoutSuite runs on Python 3 and is best installed inside a virtual environment to avoid dependency conflicts.

# Clone the repository
git clone https://github.com/nccgroup/ScoutSuite.git
cd ScoutSuite

# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Verify installation
python scout.py --help

Running ScoutSuite Against an AWS Account

Basic Full-Account Scan

python scout.py aws

This runs ScoutSuite using your default AWS CLI profile and scans all supported services across all regions. The results are written to a local folder called scoutsuite-report/.

Targeting a Specific AWS Profile

python scout.py aws --profile pentest-client

Scoping the Scan to Specific Regions

python scout.py aws --regions us-east-1,eu-west-1

Running with Assumed Role

python scout.py aws --role-arn arn:aws:iam::123456789012:role/PentestAuditRole \
 --role-session-name scoutsuite

Excluding Services to Speed Up Large Assessments

python scout.py aws --skip-services guardduty shield

Once the scan completes, open the HTML report:

cd scoutsuite-report
python3 -m http.server 8080
# Navigate to http://localhost:8080 in your browser

ScoutSuite AWS Security Checklist: Service-by-Service Breakdown

The following checklist mirrors how a professional cloud pentester works through ScoutSuite findings. For each service, we cover what ScoutSuite checks and the manual AWS CLI commands you should run to validate and expand on findings.

IAM: Identity and Access Management

IAM misconfigurations are the root cause of most serious AWS compromises. ScoutSuite flags the following:

  • Root account usage without MFA
  • Users with console access and no MFA
  • Access keys older than 90 days
  • Inline policies attached directly to users
  • Overly permissive policies with * actions and * resources
  • Roles with trust policies allowing any principal to assume them

Manual validation commands:

# List all IAM users and their MFA status
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d

# Find users with no MFA device (one user per line, so xargs runs the check per user
# rather than passing the whole tab-separated list as a single argument)
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | \
 xargs -I {} sh -c 'printf "%s: " "{}"; aws iam list-mfa-devices --user-name "{}" --query "length(MFADevices)"'

# Identify wildcard policies. The nested $(...) must run inside sh -c so that it
# executes after xargs has substituted each ARN, not once up front with a literal {}
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | tr '\t' '\n' | \
 xargs -I {} sh -c 'aws iam get-policy-version --policy-arn "{}" \
   --version-id "$(aws iam get-policy --policy-arn "{}" --query Policy.DefaultVersionId --output text)" \
   --query PolicyVersion.Document'
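
The wildcard-policy and open-trust-policy checks above can be applied offline to the policy documents the CLI returns. This is an added example, not code from the article or from ScoutSuite; the two sample policies are constructed, and the functions report leads to validate by hand (Conditions are not evaluated):

```python
import json

# Constructed sample: a permissions policy with one over-broad Allow statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: a role trust policy that lets any principal assume the role.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy_json):
    """Indexes of Allow statements with a '*' or 'service:*' action, or a '*' resource.

    Deny statements are never reported; a Condition block is not evaluated.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        star_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        star_resource = "*" in _as_list(stmt.get("Resource"))
        if star_action or star_resource:
            findings.append({"index": idx, "wildcard_action": star_action,
                             "wildcard_resource": star_resource})
    return findings


def open_trust_statements(trust_policy_json):
    """Indexes of Allow statements whose Principal is '*' or {"AWS": "*"}."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(trust_policy_json).get("Statement"))):
        principal = stmt.get("Principal")
        any_aws = isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        if stmt.get("Effect") == "Allow" and (principal == "*" or any_aws):
            findings.append(idx)
    return findings
```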

For a deeper dive into IAM privilege escalation paths beyond ScoutSuite's automated checks, the Redfox Cybersecurity Academy AWS Pentesting Course covers manual IAM exploitation techniques including AssumeRole chaining and policy boundary bypasses.

S3: Simple Storage Service

Public S3 buckets remain one of the most common critical findings on AWS assessments. ScoutSuite checks:

  • Buckets with public ACLs or bucket policies
  • Buckets missing server-side encryption
  • Buckets without versioning enabled
  • Buckets without access logging
  • Buckets where the Block Public Access settings are disabled

Manual validation commands:

# List all buckets
aws s3api list-buckets --query 'Buckets[*].Name' --output text

# Check public access block configuration per bucket
aws s3api get-public-access-block --bucket TARGET_BUCKET

# Check bucket ACL
aws s3api get-bucket-acl --bucket TARGET_BUCKET

# Check bucket policy for public access
aws s3api get-bucket-policy --bucket TARGET_BUCKET

# Enumerate bucket contents if accessible
aws s3 ls s3://TARGET_BUCKET --recursive --human-readable

# Check encryption settings
aws s3api get-bucket-encryption --bucket TARGET_BUCKET

EC2: Compute and Network Security

ScoutSuite audits EC2 instances, security groups, key pairs, AMIs, snapshots, and VPC configurations. Key findings include:

  • Security groups allowing inbound 0.0.0.0/0 on sensitive ports (22, 3389, 1433, 3306)
  • Public snapshots accessible to all AWS accounts
  • Instances with no IAM role attached
  • Unrestricted egress rules
  • Default VPC still in use
  • Instances with public IP addresses in production subnets

Manual validation commands:

# Find security groups with open inbound rules
aws ec2 describe-security-groups \
 --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].{GroupId:GroupId,GroupName:GroupName,Ports:IpPermissions[*].FromPort}'

# Find public EBS snapshots: --restorable-by-user-ids all returns only snapshots
# whose createVolumePermission is open to all AWS accounts
aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all \
 --query 'Snapshots[?State==`completed`].[SnapshotId,Description]'

# Check all instances for public IPs and attached roles
aws ec2 describe-instances \
 --query 'Reservations[*].Instances[*].{ID:InstanceId,PublicIP:PublicIpAddress,Role:IamInstanceProfile.Arn,State:State.Name}'
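
The open-security-group query above returns every rule reachable from 0.0.0.0/0; deciding which of those hit a sensitive port still takes a pass over port ranges and the all-traffic protocol. This added example (not from the article or from ScoutSuite) does that over a constructed describe-security-groups response, treating ::/0 as world-open as well and expanding IpProtocol "-1" to every port:

```python
import json

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})


def _world_open(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def exposed_sensitive_ports(describe_json):
    """Return (GroupId, port, service) for each sensitive port open to the world.

    A TCP/UDP rule covers FromPort..ToPort inclusive; IpProtocol "-1" means all
    traffic and carries no port fields, so it is expanded to 0..65535.
    """
    hits = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            if perm.get("IpProtocol") == "-1":
                lo, hi = 0, 65535
            elif perm.get("IpProtocol") in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue  # icmp and friends have no port to match
            for port, name in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:
                    hits.append((sg["GroupId"], port, name))
    return hits
```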

CloudTrail: Logging and Visibility

ScoutSuite checks whether CloudTrail is enabled across all regions and flags gaps in logging that would impede incident detection. Key checks include:

  • CloudTrail not enabled in all regions
  • Trails with log file validation disabled
  • Trails without CloudWatch Logs integration
  • S3 bucket for CloudTrail logs not protected with MFA delete

Manual validation commands:

# List all trails (including shadow trails) with their region coverage, log validation and CloudWatch Logs settings
aws cloudtrail describe-trails --include-shadow-trails \
 --query 'trailList[*].{Name:Name,MultiRegion:IsMultiRegionTrail,LogValidation:LogFileValidationEnabled,CloudWatch:CloudWatchLogsLogGroupArn}'

# Check whether a trail is currently logging and when it last delivered logs
aws cloudtrail get-trail-status --name YOUR_TRAIL_NAME

# Verify log file integrity
aws cloudtrail validate-logs \
 --trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events \
 --start-time 2024-01-01T00:00:00Z

RDS: Relational Database Service

Database exposure findings are high-severity on nearly every AWS assessment. ScoutSuite checks:

  • RDS instances that are publicly accessible
  • Snapshots shared publicly
  • Encryption at rest disabled
  • Automated backups disabled
  • Multi-AZ not configured for production instances

Manual validation commands:

# Find publicly accessible RDS instances
aws rds describe-db-instances \
 --query 'DBInstances[?PubliclyAccessible==`true`].{ID:DBInstanceIdentifier,Engine:Engine,Endpoint:Endpoint.Address}'

# Check for public snapshots
aws rds describe-db-snapshots \
 --query 'DBSnapshots[?PubliclyAccessible==`true`]'

# Verify encryption at rest
aws rds describe-db-instances \
 --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted}'

Lambda: Serverless Functions

Lambda functions are an increasingly common attack surface. ScoutSuite flags:

  • Functions with overly permissive execution roles
  • Environment variables containing plaintext secrets
  • Functions with public URLs and no authentication
  • Dead letter queue not configured
  • Functions using deprecated runtimes

Manual validation commands:

# List all Lambda functions and their roles
aws lambda list-functions \
 --query 'Functions[*].{Name:FunctionName,Runtime:Runtime,Role:Role}'

# Check environment variables for secrets
aws lambda get-function-configuration --function-name TARGET_FUNCTION \
 --query 'Environment.Variables'

# Check function URL configuration
aws lambda list-function-url-configs --function-name TARGET_FUNCTION

Learning how to chain Lambda misconfigurations with IAM privilege escalation is a core module in the AWS Pentesting Course at Redfox Cybersecurity Academy, where you practice these techniques in a purpose-built cloud lab.

KMS: Key Management Service

ScoutSuite flags KMS keys without automatic rotation enabled and keys with overly permissive policies that allow cross-account access.

Manual validation commands:

# List all KMS keys (describe-key reports KeyManager as CUSTOMER or AWS for each one)
aws kms list-keys

# Check key rotation status
aws kms get-key-rotation-status --key-id KEY_ID

# Describe key policies
aws kms get-key-policy --key-id KEY_ID --policy-name default

EKS and ECS: Container Workloads

Container security is an area where ScoutSuite provides a useful starting inventory, though deeper container-specific tools are needed for full assessment. ScoutSuite checks EKS clusters for public API endpoints and ECS task definitions for hardcoded secrets in environment variables.

# List EKS clusters
aws eks list-clusters

# Describe cluster endpoint access
aws eks describe-cluster --name CLUSTER_NAME \
 --query 'cluster.resourcesVpcConfig.{PublicAccess:endpointPublicAccess,PrivateAccess:endpointPrivateAccess,CIDRs:publicAccessCidrs}'

# List ECS task definitions and check for secrets
aws ecs list-task-definitions
aws ecs describe-task-definition --task-definition TASK_DEF_NAME \
 --query 'taskDefinition.containerDefinitions[*].environment'

Interpreting ScoutSuite Findings and Prioritizing Remediation

ScoutSuite assigns each finding a severity level (danger, warning, or informational). During a pentest, prioritize findings in this order:

  1. danger findings that are directly exploitable from the internet (public S3, public RDS, open security groups on critical ports, unauthenticated Lambda URLs)
  2. danger findings that enable lateral movement or privilege escalation (IAM wildcard policies, assumable roles, EC2 instance profiles with excessive permissions)
  3. warning findings that reduce visibility or make an intrusion easier to hide (CloudTrail gaps, missing GuardDuty, no MFA on root)
  4. informational findings that represent best-practice deviations without immediate exploitability

When writing your pentest report, always trace the blast radius: if an attacker exploited finding X, what else becomes accessible? ScoutSuite provides the map; your job as the pentester is to walk the path.

Going Beyond ScoutSuite: Complementary AWS Pentesting Tools

ScoutSuite is an excellent starting point, but a complete AWS assessment uses additional tooling for areas ScoutSuite does not cover in depth.

Pacu is an AWS exploitation framework designed specifically for post-exploitation and privilege escalation. After ScoutSuite identifies misconfigurations, Pacu helps you validate exploitability:

git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip3 install -r requirements.txt
python3 main.py

Prowler provides a complementary check set aligned with CIS Benchmarks, NIST, and AWS Well-Architected Framework, and works well alongside ScoutSuite for compliance-focused assessments:

pip install prowler
prowler aws --profile pentest-client -M json html csv

CloudMapper provides network visualization of AWS environments, helping you understand what is exposed to the internet:

git clone https://github.com/duo-labs/cloudmapper.git
cd cloudmapper
pip install -r requirements.txt
python cloudmapper.py collect --account ACCOUNT_NAME
python cloudmapper.py report --account ACCOUNT_NAME

Automating ScoutSuite in a CI/CD Pentesting Pipeline

For organizations running continuous cloud security assessments, ScoutSuite can be integrated into automated pipelines. The following approach runs ScoutSuite headless and parses its JSON results, which are suitable for ingestion by SIEM platforms or custom dashboards:

# Run ScoutSuite without opening the report in a browser; the findings are
# written as JSON inside scoutsuite-report/scoutsuite_results_aws-*.js
python scout.py aws --profile production \
 --report-name production-audit \
 --no-browser

# Parse findings for high-severity issues using jq: strip the JavaScript
# assignment prefix, then select every danger-level finding per service
# (the // {} guards services that carry no findings key)
cat scoutsuite-report/scoutsuite_results_aws-*.js | \
 sed 's/^scoutsuite_results\s*=\s*//' | \
 jq '.services | to_entries[] |
   .key as $svc |
   (.value.findings // {}) |
   to_entries[] |
   select(.value.level == "danger") |
   {service: $svc, finding: .key, level: .value.level, items: .value.items}'

This JSON parsing approach lets you extract all danger-level findings across services and pipe them into ticketing systems or reporting tools automatically.
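
The same extraction in Python, as an added example that is not part of the article or of ScoutSuite: it strips the JavaScript assignment from the results file, tolerates services without a findings key, and ranks danger findings by how many resources they flagged, which is what a ticketing integration usually needs. The results text is a constructed sample that mimics the file layout and the level and items fields used above; the finding names in it are invented.

```python
import json
import re

# Constructed sample in the layout of scoutsuite_results_aws-<name>.js: a JavaScript
# assignment wrapping the JSON document. Finding names are made up for the example.
SAMPLE_RESULTS_JS = """scoutsuite_results =
{
  "services": {
    "s3": {"findings": {
      "s3-bucket-public-read": {"level": "danger",
        "items": ["s3.buckets.backups", "s3.buckets.logs"]},
      "s3-bucket-no-versioning": {"level": "warning",
        "items": ["s3.buckets.backups"]}}},
    "iam": {"findings": {
      "iam-trust-policy-allows-all": {"level": "danger", "items": []},
      "iam-policy-full-privileges": {"level": "danger",
        "items": ["iam.policies.AdminLike"]}}},
    "ec2": {}
  }
}
"""

_PREFIX = re.compile(r"^\s*scoutsuite_results\s*=\s*")


def load_results(js_text):
    """Strip the JavaScript assignment and return the JSON document as a dict."""
    return json.loads(_PREFIX.sub("", js_text, count=1))


def danger_findings(js_text):
    """Danger-level findings that flagged at least one resource, most items first.

    Checks with an empty items list are rules that passed, so they are skipped;
    services without a findings key are skipped instead of raising on null.
    """
    out = []
    for svc, data in load_results(js_text).get("services", {}).items():
        for name, finding in (data or {}).get("findings", {}).items():
            if finding.get("level") == "danger" and finding.get("items"):
                out.append({"service": svc, "finding": name,
                            "count": len(finding["items"]), "items": finding["items"]})
    return sorted(out, key=lambda f: (-f["count"], f["service"], f["finding"]))
```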

Key Takeaways

ScoutSuite is one of the most complete open-source tools available for AWS security auditing, but its value depends entirely on how well you understand the findings it surfaces. Running the tool is the easy part. Validating findings with manual CLI commands, chaining misconfigurations into attack paths, and producing a report that a client can actually act on requires deep AWS knowledge and hands-on practice.

The checklist in this guide covers IAM, S3, EC2, CloudTrail, RDS, Lambda, KMS, and container workloads, giving you a structured methodology for any AWS assessment. Pair ScoutSuite with Pacu, Prowler, and CloudMapper for complete coverage, and always go beyond the automated output with manual validation.

If you want to build the skills to conduct these assessments professionally, including hands-on labs covering IAM privilege escalation, S3 exploitation, Lambda abuse, and cloud post-exploitation tradecraft, the AWS Pentesting Course at Redfox Cybersecurity Academy is the most practical resource available. Start learning with Redfox Cybersecurity Academy and take your cloud security testing capability to the next level.
