Skills aws-penetration-testing

🛡️

aws-penetration-testing

Name: aws-penetration-testing
Author: sickn33

High Risk ⚙️ External commands🌐 Network access📁 Filesystem access🔑 Env variables

Perform AWS Penetration Testing and Security Assessment

Organizations need to validate their AWS cloud security posture against real-world attack techniques. This skill provides authorized security teams with comprehensive methodologies for IAM enumeration, SSRF exploitation testing, S3 bucket assessment, and privilege escalation detection.

Supports: Claude Codex Code(CC)

⚠️ 54 Poor

Download the skill ZIP

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

Toggle on and start using

Test it

Using "aws-penetration-testing". Enumerate current IAM identity and permissions

Expected outcome:

Identity: arn:aws:iam::ACCOUNT:user/test-user
Attached Policies: AmazonS3ReadOnlyAccess, CloudWatchLogsReadOnly
Inline Policies: None
Escalation Risk: LOW - No privilege escalation permissions detected

Using "aws-penetration-testing". Check S3 bucket public access configuration

Expected outcome:

Bucket: company-assets
Public Access Block: Enabled
Bucket Policy: Denies public access
ACL: Bucket-owner-enforced
Status: SECURE - No public access vectors identified

Using "aws-penetration-testing". Test metadata endpoint accessibility

Expected outcome:

IMDS Version: IMDSv2 enabled
Token Required: Yes
Metadata Access: Protected
Status: SECURE - IMDSv2 token requirement prevents SSRF exploitation

Security Audit

High Risk

v1 • 2/24/2026

Static analysis detected 287 patterns across 2 files (881 lines). Most findings are FALSE POSITIVEs because files contain Markdown documentation (not executable code). However, content includes sensitive offensive security techniques (SSRF exploitation, privilege escalation, persistence mechanisms) requiring explicit authorization warnings. Recommend: publish with prominent authorization disclaimers and user acknowledgment requirements.

Files scanned

881

Lines analyzed

findings

Total audits

High Risk Issues (3)

SKILL.md:98-125

SSRF to AWS Metadata Endpoint Documentation

Skill documents SSRF exploitation technique targeting AWS Instance Metadata Service (IMDS). While educational for authorized testing, this technique can extract IAM role credentials from compromised EC2 instances. Static analyzer correctly identified metadata endpoint patterns (169.254.169.254).

SKILL.md:158-196

Privilege Escalation Techniques

Documents multiple AWS IAM privilege escalation paths including CreateAccessKey, AttachUserPolicy, and Lambda code injection. These are legitimate security testing techniques but require explicit authorization.

SKILL.md:129-136 SKILL.md:276-299

Credential Extraction Methods

Documents techniques for extracting credentials from Lambda environment variables, EBS volumes, and container metadata. Educational for defensive security but offensive in nature.

Medium Risk Issues (3)

SKILL.md:56-65 references/advanced-aws-pentesting.md:33-57

Static Analysis False Positives - External Commands

Static analyzer flagged 140 'external_commands' patterns. These are FALSE POSITIVEs - the patterns appear in Markdown code blocks (documentation), not executable scripts. Commands are educational examples for AWS CLI usage during authorized penetration testing.

references/advanced-aws-pentesting.md:225-227

Static Analysis False Positives - Cryptographic Patterns

Static analyzer flagged 'weak cryptographic algorithm' patterns. These are FALSE POSITIVEs - no actual cryptographic implementations exist. Pattern matches likely triggered on documentation text mentioning encryption concepts.

SKILL.md:158-184

Static Analysis False Positives - C2/Malware Keywords

Static analyzer flagged 'C2 keywords' and 'malware type keywords'. These are FALSE POSITIVEs - terms like 'backdoor' appear in educational security context (e.g., 'Lambda Backdooring' as a technique to detect/test for). No actual malware or C2 infrastructure present.

Low Risk Issues (2)

SKILL.md:39-43 SKILL.md:98-104

Hardcoded URLs and IP Addresses

Static analyzer flagged hardcoded URLs and IP addresses. These are FALSE POSITIVEs - URLs are AWS service endpoints (s3.amazonaws.com), documentation references (github.com), or AWS metadata IPs (169.254.169.254) documented for educational purposes.

SKILL.md:72-88

System Reconnaissance Commands

Static analyzer flagged reconnaissance patterns. These are standard AWS CLI commands (describe-instances, list-users) for authorized security auditing. Low risk in educational documentation context.

Risk Factors

⚙️ External commands (3)

SKILL.md:39-44 SKILL.md:56-65 references/advanced-aws-pentesting.md:33-57

🌐 Network access (3)

SKILL.md:98-124 SKILL.md:347-380 references/advanced-aws-pentesting.md:40-68

📁 Filesystem access (2)

SKILL.md:131 SKILL.md:286-288

🔑 Env variables (1)

SKILL.md:383-385

Detected Patterns

AWS Credential Export PatternEBS Volume Mount for Credential ExtractionCloudTrail Disabling Techniques

Audited by: claude

Quality Score

Architecture

100

Maintainability

Content

Community

Security

Spec Compliance

What You Can Build

Authorized Red Team Engagement

Security consultants performing authorized penetration testing against client AWS environments to identify misconfigurations and privilege escalation paths before malicious actors exploit them.

Cloud Security Audit

Internal security teams assessing their organization's AWS security posture against known attack techniques to validate defensive controls and monitoring capabilities.

Security Research and Training

Security researchers and students learning AWS attack techniques in controlled lab environments (AWSGoat, CloudGoat) to improve defensive security skills.

Try These Prompts

Basic IAM Enumeration

Help me enumerate IAM permissions for the current AWS identity. I have authorized access and need to document what permissions this identity has. Start with sts get-caller-identity and show me how to list attached policies.

S3 Bucket Security Assessment

I need to assess S3 bucket configurations for public access vulnerabilities. Show me the AWS CLI commands to list buckets, check bucket policies, and identify publicly accessible objects in our authorized test environment.

SSRF to Metadata Testing

We're testing our web application for SSRF vulnerabilities that could access AWS metadata endpoints. Document the IMDSv1 and IMDSv2 techniques so we can verify our instance metadata protection controls are working.

Privilege Escalation Path Analysis

Analyze the IAM permissions we've enumerated and identify potential privilege escalation paths. Check for dangerous permissions like iam:CreateAccessKey, iam:AttachUserPolicy, and lambda:UpdateFunctionCode that could lead to admin access.

Best Practices

Always obtain written authorization documenting scope, systems, and testing window before beginning any penetration testing activities
Enable CloudTrail logging before testing begins and preserve all logs for post-engagement analysis and client reporting
Use dedicated test credentials and avoid testing against production environments without explicit change approval and rollback procedures

Avoid

Never test AWS resources outside the authorized scope - unauthorized access violates computer crime laws even with good intentions
Do not disable security controls (CloudTrail, GuardDuty, Security Hub) permanently - temporary bypasses must be documented and restored
Avoid leaving persistent backdoors or access mechanisms after engagement completion - all test artifacts must be removed during cleanup

Frequently Asked Questions

What authorization do I need before using this skill?

You must have written authorization from the AWS account owner documenting: specific accounts/resources in scope, testing time window, approved techniques, and emergency contact procedures. Unauthorized testing violates AWS Acceptable Use Policy and computer crime laws.

Can this skill execute AWS commands automatically?

No. This skill provides guidance and documentation for AWS CLI commands. You must manually execute commands in your own terminal with your own credentials. The skill cannot access your AWS account directly.

Is it legal to test AWS services I don't own?

No. You may only test AWS resources you own or have explicit written authorization to test. AWS prohibits unauthorized penetration testing in their Acceptable Use Policy. Contact AWS Security for their penetration testing policy if testing AWS infrastructure.

What tools do I need to use this skill effectively?

Required: AWS CLI configured with credentials, Python 3, and boto3 library. Recommended: Pacu (AWS exploitation framework), Prowler or ScoutSuite (security auditing), enumerate-iam (permission enumeration). All tools should only be used in authorized environments.

How do I prevent GuardDuty alerts during testing?

GuardDuty will likely generate alerts during penetration testing. This is expected behavior. Coordinate with the security operations team to whitelist test activity or temporarily adjust alerting thresholds. Never disable GuardDuty without authorization.

What cleanup is required after testing?

Remove all created resources (IAM users, access keys, Lambda functions, EC2 instances). Delete any backdoored code or persistence mechanisms. Restore modified configurations. Document all changes made for client verification. Preserve testing logs for the final report.

Developer Details

Author

sickn33

License

MIT

Repository

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/aws-penetration-testing

Ref

main

File structure

📁 references/

📄 advanced-aws-pentesting.md

📄 SKILL.md