enumerating-cloud-with-cloudfox
Enumerating Cloud with CloudFox
Legal Notice: This skill is for authorized cloud penetration testing and assessment only. CloudFox makes read/describe API calls against the cloud account whose credentials you supply. Run it ONLY against accounts you own or are authorized to test under a signed scope. Although CloudFox is read-only by design, the enumeration it performs is reconnaissance against a live environment and must be in scope.
Overview
CloudFox is an open-source command-line tool from Bishop Fox that helps penetration testers and red teamers gain situational awareness in unfamiliar cloud environments. Where tools like ScoutSuite focus on a defender-style configuration audit, CloudFox is built from the attacker's perspective: it answers questions like "what are the most attackable secrets, endpoints, and instances in this account, and what can the identity I just compromised actually reach?" It is read-only — it only performs Describe/List/Get style calls — and writes its findings to per-command CSV/TXT/loot files plus a combined report directory, so output can be triaged offline.
CloudFox covers AWS most deeply (30+ commands) and supports Azure. The workhorse is cloudfox aws all-checks, which runs the full battery of enumeration commands with sensible defaults: inventory, internet-reachable endpoints, EC2 instances (with IPs and instance-profile roles), iam-simulator and permissions for IAM analysis, principals, secrets from Secrets Manager/SSM, buckets, role-trusts (which identities can assume which roles — a core attack-path primitive), access-keys, route53, ecr, lambda, and more. CloudFox also emits ready-to-run command suggestions (e.g. aws s3 ls lines, aws ssm start-session lines) in its "loot" files so an operator can pivot immediately.
This skill covers installing CloudFox, authenticating to AWS and Azure, running targeted and full enumeration, interpreting the high-value outputs (role-trusts, secrets, endpoints), and feeding the results into attack-path planning. Source: github.com/BishopFox/cloudfox.
When to Use
- Establishing situational awareness immediately after compromising a cloud credential
- Quickly identifying internet-exposed endpoints, instances, and exposed secrets
- Mapping
sts:AssumeRoletrust relationships to plan lateral movement / privesc - Triaging an unfamiliar AWS or Azure account during an authorized assessment
- Producing attacker-centric inventory artifacts that complement a defensive audit