cloud-iam-deep

Solid

Cloud IAM red-team attack chain across AWS, Azure, GCP — focused on EXTERNAL exploitation paths and post-credential-discovery privilege analysis. Covers IAM enumeration (aws iam, az role, gcloud iam), STS/AssumeRole chaining, Azure Managed Identity abuse (via SSRF/leak), GCP service account JSON abuse, IMDSv1/v2 attacks via SSRF, K8s ServiceAccount token exfil, role-trust-policy confused-deputy, cross-account assume-role enumeration, IAM privilege escalation patterns (24+ AWS, 8+ Azure, 6+ GCP), and AWS Cognito Identity Pool unauthenticated-role attack chain (GetId → GetCredentialsForIdentity → IAM role abuse). Built for the case where recon yields a credential (key, JSON, token) and you need to know what it grants and how to escalate. Use when an AWS key / Azure secret / GCP service account JSON / K8s SA token surfaces from a code repo, JS bundle, APK, breach corpus, or SSRF chain.

DevOps & Infrastructure 1,478 stars 216 forks Updated 5 days ago NOASSERTION

Quality Score: 86/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

## When to use

Trigger when:

- A cloud credential surfaces (key, secret, token, JSON file)
- SSRF chain reaches IMDS / metadata endpoint
- APK / git-leak reveals embedded cloud key
- Recon shows public S3/GCS/Azure-blob with permissions you can verify
- A Kubernetes API or service-account token is exposed
- Post-RCE on a cloud-hosted instance — pivot to cloud control plane

Do NOT use for:

- On-prem-only environments (use AD attack skills — but those are out of scope per external-only boundary)
- Web2 vulns that happen to be on AWS — use the relevant `hunt-*` skill

---

## Credential identification (first 60 seconds)

```bash
# AWS access key patterns
AKIA[0-9A-Z]{16}    # IAM user access key (long-term)
ASIA[0-9A-Z]{16}    # STS temporary credential
AGPA[0-9A-Z]{16}    # IAM group
AIDA[0-9A-Z]{16}    # IAM user (user-id)
AROA[0-9A-Z]{16}    # IAM role
ANPA[0-9A-Z]{16}    # Managed policy

# AWS secret pattern (40-char base64-ish — context required)
[A-Za-z0-9/+=]{40}  # AWS secret access key

# Azure
AccountKey=[A-Za-z0-9+/=]{86}   # Storage account key
client_secret pattern + UUID    # Azure AD app credential

# GCP service account JSON
{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----..."
}

# K8s SA token (JWT format — decode to confirm)
eyJhbGciOiJSUzI1...  # decode kid claim to see issuer
```

---

## AWS —...

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 3 weeks ago
Last Updated: 5 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

Testing & QA Featured

aws-penetration-testing

Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.

39,350 Updated today
sickn33
DevOps & Infrastructure Solid

aws-penetration-testing

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

27,705 Updated today
davila7
DevOps & Infrastructure Solid

aws-penetration-testing

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

4,222 Updated today
zebbern
DevOps & Infrastructure Listed

aws-penetration-testing

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

335 Updated today
aiskillstore
DevOps & Infrastructure Listed

aws-penetration-testing

This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.

36 Updated today
cleodin