Bottom line: Cloud pentesting without the right toolchain is slow and error-prone. Pacu owns AWS post-exploitation, ScoutSuite handles multi-cloud audits, Prowler covers compliance and misconfiguration hunting, and CloudMapper visualizes what everything connects to. You need all of them.


Why Cloud Pentesting Tools Matter

Cloud infrastructure is not a server you can Nmap. The attack surface is IAM policies, S3 bucket permissions, Lambda function roles, EC2 metadata endpoints, VPC peering configurations, and a thousand other abstractions that have no equivalent in traditional on-prem pentesting.

Manual enumeration of a mature AWS environment is theoretically possible. It’s also a path to missing 80% of the attack surface while spending a week on the rest. Purpose-built tools solve this.

The tools covered here aren’t a replacement for understanding the underlying attack techniques — that knowledge lives in our AWS Pentesting Guide and Azure Pentesting Guide. These tools are how you apply that knowledge at scale.


The Core Toolchain

| Tool | Primary Use | Cloud Coverage |
| --- | --- | --- |
| Pacu | AWS exploitation framework | AWS only |
| ScoutSuite | Multi-cloud security audit | AWS, Azure, GCP, more |
| Prowler | Compliance + misconfiguration scanning | AWS, Azure, GCP |
| CloudMapper | Network visualization + exposure analysis | AWS |
| Enumerate-iam | IAM permission enumeration | AWS |
| CloudFox | Attack path discovery | AWS, Azure |
| WeirdAAL | AWS attack library | AWS |

Pacu — The AWS Exploitation Framework

Pacu is the Metasploit of AWS pentesting. It’s an open-source exploitation framework built specifically for attacking AWS environments — developed and maintained by Rhino Security Labs, the same team that documented most of the IAM privilege escalation techniques the industry now uses.

What Pacu Does

Pacu organizes AWS attacks into modules. You start with enumeration, then move to privilege escalation, persistence, and lateral movement — all from a single interface that tracks your session state, keeps findings organized, and handles credential management automatically.

Core module categories:

  • Enumeration — Pull IAM users, roles, policies, S3 buckets, EC2 instances, Lambda functions, RDS databases, and more. Pacu handles pagination and aggregates results across regions.
  • Privilege Escalation — 30+ techniques for escalating from limited IAM permissions to admin. These map directly to the Rhino Security IAM escalation research.
  • Persistence — Backdoor IAM users, create hidden access keys, establish Lambda-based persistence.
  • Exfiltration — S3 bucket data exfiltration, Secrets Manager dumping, SSM Parameter Store enumeration.
  • Lateral Movement — Cross-account role assumption, EC2 instance role abuse.

Getting Started with Pacu

git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip3 install -r requirements.txt
python3 pacu.py

First step in any engagement:

Pacu (session) > set_keys
Pacu (session) > run iam__enum_users_roles_policies_groups
Pacu (session) > run iam__bruteforce_permissions

The iam__bruteforce_permissions module is particularly valuable — it determines exactly which IAM permissions your current credentials hold by testing each one against the API, without relying on iam:GetPolicy or iam:ListPolicies (which are often blocked).

Pacu’s Limitations

Pacu is AWS-only and focused on exploitation. It doesn’t do compliance reporting, multi-cloud coverage, or the kind of comprehensive misconfiguration inventory that Prowler or ScoutSuite provide. Use it as your exploitation layer, not your audit layer.


ScoutSuite — Multi-Cloud Security Auditing

ScoutSuite is NCC Group’s open-source multi-cloud security auditing tool. Where Pacu is an exploitation framework, ScoutSuite is an auditor — it pulls configuration data from cloud APIs and evaluates it against a rule set that identifies misconfigurations, excessive permissions, and dangerous patterns.

What ScoutSuite Does

ScoutSuite collects cloud configuration data — IAM policies, security group rules, S3 bucket ACLs, encryption settings, logging configurations, network rules — and outputs an HTML report with findings grouped by service and severity.

Coverage:

  • AWS (most complete)
  • Azure
  • GCP
  • Alibaba Cloud
  • Oracle Cloud

Running ScoutSuite

pip3 install scoutsuite
scout aws --report-dir ./scout-output

For Azure:

az login
scout azure --cli --report-dir ./scout-output

For GCP:

scout gcp --service-account key.json --report-dir ./scout-output

ScoutSuite produces an interactive HTML report you can open locally. Findings are rated by level (danger, warning, good) and organized by service. A full AWS audit of a mid-size environment typically completes in 15–30 minutes depending on the number of regions enabled.

What to Focus On

The findings that consistently matter most:

  • IAM — Overly permissive policies, users with admin access, unused access keys, no MFA
  • S3 — Public buckets, buckets without server-side encryption, buckets with public ACLs
  • EC2 — Security groups with 0.0.0.0/0 ingress on sensitive ports, EBS snapshots shared publicly
  • CloudTrail — Logging disabled or not enabled in all regions
  • RDS — Publicly accessible instances, unencrypted snapshots

For a dedicated lab environment to test these findings against live infrastructure, Vultr gives you clean VPS instances you can spin up and tear down per engagement. DigitalOcean works equally well for isolated cloud practice environments.


Prowler — Compliance and Deep Misconfiguration Scanning

Prowler is the tool when you need more than a snapshot — it’s a comprehensive security assessment tool originally built for AWS CIS benchmarks that has grown into the most complete open-source cloud compliance scanner available.

What Prowler Does

Prowler runs thousands of individual checks across cloud services, mapped to major compliance frameworks:

  • CIS Benchmarks (AWS, Azure, GCP)
  • AWS Foundational Security Best Practices
  • SOC 2
  • HIPAA
  • PCI DSS
  • GDPR
  • NIST 800-53
  • ISO 27001

This makes Prowler essential for two use cases: red team engagements where you need a complete misconfiguration inventory fast, and compliance assessments where you need mapped evidence.

Running Prowler

pip3 install prowler
prowler aws
prowler azure --az-cli-auth
prowler gcp --credentials-file key.json

Prowler outputs findings to multiple formats (JSON, CSV, HTML) and integrates with AWS Security Hub for continuous monitoring deployments.

For red team use, start with a targeted run on the highest-value services:

prowler aws -s iam s3 ec2 cloudtrail kms -M html json

The IAM checks alone are worth running on every engagement — Prowler catches things like:

  • IAM password policy not enforcing minimum complexity
  • Root account access keys exist
  • MFA not enabled on accounts with console access
  • Policies with wildcards on sensitive actions
  • Cross-account trust relationships that are overly permissive
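Most of those IAM checks come down to parsing policy JSON correctly. The following is an added example (not Prowler's code) of how a scanner evaluates two of the findings listed above: wildcard Action patterns that cover sensitive operations, and role trust policies that allow sts:AssumeRole from any principal, or from another account's root, without a Condition. The SENSITIVE_ACTIONS list, the account IDs and the two sample policy documents are constructed for the example. The parsing handles the details that trip up naive checks: Action and Principal given as either a string or a list, IAM's case-insensitive action matching, the `"Principal": "*"` shorthand, and a bare 12-digit account ID standing in for that account's root.

```python
"""Flag risky IAM policy statements the way a compliance scanner does.

Added example: the policy documents, account IDs and the SENSITIVE_ACTIONS
list are constructed for illustration, not pulled from any real account.
"""
import fnmatch
import json
import re

# Actions treated as sensitive when granted through a wildcard
# (assumed list for the example; real scanners carry a much longer one).
SENSITIVE_ACTIONS = [
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:PassRole", "sts:AssumeRole", "lambda:UpdateFunctionCode",
    "s3:GetObject", "kms:Decrypt", "secretsmanager:GetSecretValue",
]

ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|.+)$")


def _as_list(value):
    """IAM lets Action, Resource and Principal fields be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy_doc):
    """Return (Sid, pattern, action) for each Allow statement whose wildcard
    Action pattern ("*", "iam:*", "iam:Pass*") covers a sensitive action.
    IAM matches action names case-insensitively, so both sides are lowercased."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if "*" not in pattern and "?" not in pattern:
                continue  # literal action, not a wildcard grant
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", ""), pattern, action))
    return findings


def trust_policy_risks(trust_doc, own_account):
    """Evaluate a role's trust policy and return risk labels:
    'anonymous'                  Principal "*" / {"AWS": "*"} with no Condition
    'cross-account-root:<acct>'  another account's root with no Condition, so
                                 any principal there with sts:AssumeRole
                                 permission can assume this role
    Statements carrying a Condition (ExternalId, SourceArn, ...) are skipped."""
    risks = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        # "Principal": "*" is shorthand for {"AWS": "*"}; Service principals are ignored.
        aws_principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in aws_principals:
            if p == "*":
                risks.append("anonymous")
                continue
            m = ARN_ACCOUNT_RE.match(p)
            if re.fullmatch(r"\d{12}", p):      # bare account ID == that account's root
                acct = p
            elif m and m.group(2) == "root":
                acct = m.group(1)
            else:
                continue                        # a specific user/role ARN; scoped enough here
            if acct != own_account:
                risks.append(f"cross-account-root:{acct}")
    return risks


# Constructed sample documents for the example.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:Get*", "Resource": "*"},
    {"Sid": "Ops", "Effect": "Allow", "Action": ["iam:Pass*", "ec2:Describe*"], "Resource": "*"},
    {"Sid": "Denied", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}""")

SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "333333333333"}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for sid, pattern, action in find_wildcard_grants(SAMPLE_POLICY):
        print(f"[wildcard] {sid}: {pattern!r} grants {action}")
    for risk in trust_policy_risks(SAMPLE_TRUST, own_account="111111111111"):
        print(f"[trust] {risk}")
```

The Deny statement with `"Action": "*"` is deliberately ignored: a wildcard only matters when its Effect is Allow, and a scanner that forgets that check reports every well-intentioned deny-all guard as a finding.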

Prowler vs ScoutSuite

They overlap significantly in what they check, but approach it differently. ScoutSuite is better for initial visual triage — the HTML report is easier to navigate for broad understanding of an environment’s posture. Prowler is better for comprehensive enumeration and compliance output. On a full engagement, run both.


CloudMapper — Network Visualization and Exposure Analysis

Understanding cloud network topology is harder than it sounds. VPCs, subnets, peering connections, Transit Gateways, security groups, NACLs — the logical network that connects everything in a cloud environment is not visible in any single dashboard, and manual reconstruction is error-prone.

CloudMapper solves this by generating network graphs that show what’s connected to what, what’s exposed to the internet, and where traffic can flow.

What CloudMapper Does

CloudMapper collects AWS VPC, EC2, ELB, RDS, and related configuration data and produces:

  • Network visualizations — Interactive graphs showing VPCs, subnets, instances, and connections
  • Exposure analysis — Identifies which resources are publicly accessible and from where
  • Audit checks — Flags misconfigurations in network configuration

Running CloudMapper

git clone https://github.com/duo-labs/cloudmapper
cd cloudmapper
pip3 install -r requirements.txt
python3 cloudmapper.py collect --account my-account
python3 cloudmapper.py report --account my-account
python3 cloudmapper.py webserver

Open http://localhost:8000 to view the interactive network graph.

The report command runs security checks and outputs findings to a JSON file. The exposure analysis (audit command) is particularly useful early in an engagement to understand what attack surface is internet-facing before diving into exploitation.
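CloudMapper's exposure analysis combines three pieces of data that no single AWS console page shows together: the subnet's route table (is there a 0.0.0.0/0 route to an internet gateway, or only to a NAT gateway?), the instance's public address, and the attached security groups (the same 0.0.0.0/0 ingress finding ScoutSuite flags under EC2). The added example below is not CloudMapper's code; it reproduces that logic over hand-built data shaped like the EC2 DescribeRouteTables, DescribeSecurityGroups and DescribeInstances fields. The route tables, groups, instances and addresses are constructed, and the sensitive-port list is an assumption for the example.

```python
"""Internet-exposure analysis over constructed AWS network data.

Added example: the route tables, security groups and instances below are
hand-built in the shape of the relevant EC2 API fields, not collected from
any real account. SENSITIVE_PORTS is an assumption for the example.
"""
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}

# Constructed: one subnet routed to an internet gateway, one to a NAT gateway.
ROUTE_TABLES = {
    "rtb-public": {"Subnets": ["subnet-pub"], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    "rtb-private": {"Subnets": ["subnet-priv"], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
}

# Constructed ingress rules (IpPermissions); IpProtocol "-1" means every port.
SECURITY_GROUPS = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-db": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-all": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    "sg-corp": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
}

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-pub", "PublicIpAddress": "198.51.100.10", "SecurityGroups": ["sg-web"]},
    {"InstanceId": "i-db", "SubnetId": "subnet-priv", "PublicIpAddress": None, "SecurityGroups": ["sg-db"]},
    {"InstanceId": "i-bastion", "SubnetId": "subnet-pub", "PublicIpAddress": "198.51.100.11", "SecurityGroups": ["sg-corp"]},
    {"InstanceId": "i-legacy", "SubnetId": "subnet-pub", "PublicIpAddress": "198.51.100.12", "SecurityGroups": ["sg-all"]},
]


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet
    gateway. A NAT gateway route gives outbound-only access and does not count."""
    for rt in route_tables.values():
        if subnet_id not in rt["Subnets"]:
            continue
        for route in rt["Routes"]:
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("GatewayId", "").startswith("igw-")):
                return True
    return False


def world_open_rules(sg_rules):
    """Yield (from_port, to_port) for ingress rules whose source is the whole
    internet (a /0 in either IPv4 or IPv6). Protocol "-1" covers every port."""
    for rule in sg_rules:
        sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
        if not any(ipaddress.ip_network(c).prefixlen == 0 for c in sources):
            continue
        if rule.get("IpProtocol") == "-1":
            yield (0, 65535)
        else:
            yield (rule["FromPort"], rule["ToPort"])


def exposed_instances(instances, route_tables, security_groups):
    """Return {instance_id: [(from_port, to_port, [sensitive services]), ...]}
    for instances reachable from the internet: public subnet + public IP +
    a world-open security group rule. Private-subnet and corp-only hosts drop out."""
    report = {}
    for inst in instances:
        if not inst.get("PublicIpAddress") or not subnet_is_public(inst["SubnetId"], route_tables):
            continue
        ranges = []
        for sg_id in inst["SecurityGroups"]:
            for lo, hi in world_open_rules(security_groups[sg_id]):
                services = [name for port, name in sorted(SENSITIVE_PORTS.items()) if lo <= port <= hi]
                ranges.append((lo, hi, services))
        if ranges:
            report[inst["InstanceId"]] = sorted(ranges)
    return report


if __name__ == "__main__":
    for instance_id, ranges in exposed_instances(INSTANCES, ROUTE_TABLES, SECURITY_GROUPS).items():
        for lo, hi, services in ranges:
            tag = f" ({', '.join(services)})" if services else ""
            print(f"{instance_id}: {lo}-{hi} open to the internet{tag}")
```

Note what the three-way check buys you: i-db has a 0.0.0.0/0 rule on 5432 but no public IP and a NAT-only route, so it is not internet-facing, while i-legacy has no explicit port rules at all and is the most exposed host because of a single protocol "-1" rule with an IPv6 /0 source. A security-group-only check gets both of those wrong.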


Enumerate-IAM — Brute Force IAM Permissions

When you have AWS credentials and need to know exactly what they can do — without iam:GetPolicy access — enumerate-iam brute-forces permissions by attempting every possible API call and recording what succeeds.

git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
pip3 install -r requirements.txt
python3 enumerate-iam.py --access-key AKIA... --secret-key ... --region us-east-1

This is aggressive and will generate significant CloudTrail entries. Use it when you want a complete picture and don’t care about operational noise — or when CloudTrail is confirmed to be disabled.

For quieter enumeration, Pacu’s iam__bruteforce_permissions module does the same thing but with better rate limiting and session tracking.
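Both enumerate-iam and Pacu's iam__bruteforce_permissions leave the same footprint in CloudTrail: a single access key producing a burst of AccessDenied errors across many unrelated services in a short window, which is exactly what a defender's detection keys on. The added example below (not code from either tool) runs that detection over CloudTrail-shaped records. The records, the access key IDs, the account ID and the thresholds (10 distinct denied actions across 3 or more services within 5 minutes) are all constructed for the example.

```python
"""Detect IAM permission brute-forcing in CloudTrail records.

Added example: the records, access key IDs and thresholds below are
constructed for illustration, not taken from any tool or real trail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# errorCode values CloudTrail records when IAM refuses a call.
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def _event(ts, key, source, name, error=None):
    """Build a minimal CloudTrail-shaped record (constructed for the example)."""
    rec = {
        "eventTime": ts.strftime(TIME_FMT), "eventSource": source, "eventName": name,
        "userIdentity": {"accessKeyId": key,
                         "arn": f"arn:aws:iam::111111111111:user/{key.lower()}"},
        "sourceIPAddress": "198.51.100.7",
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed: one key probing twelve calls across seven services in 25 seconds,
# plus an ordinary user with a single denial a few minutes later.
PROBE_CALLS = [
    ("iam.amazonaws.com", "ListUsers"), ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "GetAccountAuthorizationDetails"),
    ("s3.amazonaws.com", "ListBuckets"), ("s3.amazonaws.com", "GetBucketPolicy"),
    ("lambda.amazonaws.com", "ListFunctions20150331"),
    ("lambda.amazonaws.com", "GetFunction20150331"),
    ("kms.amazonaws.com", "ListKeys"), ("kms.amazonaws.com", "ListAliases"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("ssm.amazonaws.com", "DescribeParameters"),
    ("rds.amazonaws.com", "DescribeDBInstances"),
]
_T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [_event(_T0, "AKIAEXAMPLEPROBE", "sts.amazonaws.com", "GetCallerIdentity")]
SAMPLE_EVENTS += [_event(_T0 + timedelta(seconds=2 * i + 1), "AKIAEXAMPLEPROBE", src, name, "AccessDenied")
                  for i, (src, name) in enumerate(PROBE_CALLS)]
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=3), "AKIAEXAMPLEDEV",
                            "s3.amazonaws.com", "GetObject", "AccessDenied"))


def detect_permission_bruteforce(events, window=timedelta(minutes=5),
                                 min_denied=10, min_services=3):
    """Sliding window per access key: alert when at least `min_denied` distinct
    denied (service, action) pairs spanning `min_services` or more services fall
    inside `window`. Successful calls are ignored; only the denials matter.
    One alert per key, describing the window with the most distinct denials."""
    denials_by_key = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") in DENIED_CODES:
            ts = datetime.strptime(ev["eventTime"], TIME_FMT)
            denials_by_key[ev["userIdentity"]["accessKeyId"]].append(
                (ts, ev["eventSource"], ev["eventName"]))
    alerts = []
    for key, denials in denials_by_key.items():
        denials.sort()
        best, start = None, 0
        for end in range(len(denials)):
            while denials[end][0] - denials[start][0] > window:
                start += 1
            in_window = denials[start:end + 1]
            actions = {(src, name) for _, src, name in in_window}
            services = {src for _, src, _ in in_window}
            if len(actions) >= min_denied and len(services) >= min_services:
                if best is None or len(actions) > best["denied_actions"]:
                    best = {"accessKeyId": key, "denied_actions": len(actions),
                            "services": sorted(services),
                            "first": in_window[0][0].strftime(TIME_FMT),
                            "last": in_window[-1][0].strftime(TIME_FMT)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_permission_bruteforce(SAMPLE_EVENTS):
        print(f"{alert['accessKeyId']}: {alert['denied_actions']} distinct denied actions "
              f"across {len(alert['services'])} services, {alert['first']} to {alert['last']}")
```

Keying on distinct (service, action) pairs rather than raw denial counts is what separates a permission sweep from a misconfigured application retrying the same call; the lone GetObject denial from the second key never trips the rule.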


CloudFox — Attack Path Discovery

CloudFox is a newer tool from Bishop Fox designed specifically for finding exploitable attack paths in cloud environments. It’s less focused on compliance and more focused on “what can an attacker do with this?”

# Install via release binary
cloudfox aws -p default all-checks

CloudFox’s standout features:

  • Outbound connections analysis — Finds EC2 instances, Lambda functions, and containers that can reach sensitive endpoints
  • Permission set analysis — Maps what principals can do what actions on what resources
  • Secret hunting — Identifies SSM parameters, Secrets Manager entries, and environment variables containing credentials
  • Endpoint enumeration — Finds internal and external service endpoints

It integrates well with BloodHound-style attack path visualization — there’s an active project to export CloudFox findings into a Neo4j-compatible format for graph-based analysis.


WeirdAAL — AWS Attack Library

WeirdAAL (AWS Attack Library) is a collection of AWS attack and reconnaissance modules written in Python. Less polished than Pacu but covers some techniques that Pacu doesn’t, particularly around recon and service-specific attacks.

Notable modules:

  • EC2 metadata service abuse
  • STS token enumeration
  • Cross-region resource enumeration
  • Cost Explorer abuse (detecting budget exhaustion as a disruption technique)

Use it as a supplement to Pacu for techniques not yet implemented in the main framework.


Putting It Together: The Engagement Workflow

A typical cloud penetration test workflow using these tools:

Phase 1: Initial Enumeration (30-60 min)

# Get a complete picture of the environment
scout aws --report-dir ./recon/scoutsuite
prowler aws -s iam ec2 s3 cloudtrail -M json html

Phase 2: IAM Analysis (20-40 min)

# Enumerate available permissions with current creds
python3 enumerate-iam.py --access-key $KEY --secret-key $SECRET --region us-east-1

# If you have more permissive access, use Pacu
python3 pacu.py
# > run iam__enum_users_roles_policies_groups
# > run iam__privesc_scan

Phase 3: Network Mapping (15-30 min)

# Visualize network topology
python3 cloudmapper.py collect --account target
python3 cloudmapper.py report --account target

Phase 4: Attack Path Analysis

cloudfox aws -p target all-checks

Phase 5: Exploitation

Back to Pacu for privilege escalation, persistence, and lateral movement based on what the recon revealed.


Practice Environments

Hands-on practice with cloud attack techniques requires actual cloud environments. A few options:

Intentionally vulnerable AWS environments:

  • CloudGoat — Rhino Security’s deliberately vulnerable AWS environment. Pairs perfectly with Pacu.
  • flaws.cloud — Free online cloud security challenge.
  • flaws2.cloud — Attacker and defender perspective challenges.

For spinning up isolated practice infrastructure:

  • Vultr — Fast provisioning, pay-per-hour billing, good for short-lived test environments
  • DigitalOcean — Solid documentation, slightly better onboarding for cloud beginners

Books worth having:

  • Hacking the Cloud — Free, community-maintained reference for cloud attack techniques. Pair with these tools for technique → tool mapping.
  • AWS Security — For understanding the defensive side, which makes you a better attacker.

Quick Reference: Which Tool for What

| Scenario | Tool |
| --- | --- |
| Initial environment audit | ScoutSuite + Prowler |
| IAM permission enumeration | enumerate-iam or Pacu |
| Privilege escalation | Pacu |
| Network topology mapping | CloudMapper |
| Attack path discovery | CloudFox |
| Compliance reporting | Prowler |
| Persistent exploitation session | Pacu |
| Multi-cloud (Azure/GCP) | ScoutSuite + Prowler |

Final Take

These tools are the standard cloud pentesting stack for a reason. ScoutSuite and Prowler give you the audit layer. CloudMapper and CloudFox give you the visualization and attack path layer. Pacu gives you the exploitation layer.

The gap between “I know cloud attacks conceptually” and “I can execute a cloud pentest efficiently” is largely a tooling and practice gap. These tools close it — but only if you understand what they’re doing and why, not just how to run them.

Start with CloudGoat and Pacu together. That combination, in a controlled environment, will teach you more about AWS attack technique execution than any certification course.


Need cloud security content written for your organization? CipherWrite handles technical articles, white papers, and documentation for security teams.

Disclosure: This article contains affiliate links. If you purchase through these links, RedTeamGuide.com earns a small commission at no additional cost to you.