exploiting-aws-with-pacu
Exploiting AWS with Pacu
Legal Notice: This skill is for authorized penetration testing and educational purposes only. Pacu performs active enumeration, privilege escalation, persistence, and backdooring against live AWS accounts. Run it ONLY against accounts you own or have explicit written authorization (scope/Rules of Engagement) to test. Many modules create durable changes (new IAM users, access keys, policies); track and remove everything. Unauthorized use is illegal under the CFAA and equivalent laws.
Overview
Pacu is the open-source AWS exploitation framework from Rhino Security Labs. It is the cloud-pentest analogue of Metasploit: a modular Python console that manages target sessions, enumerates an AWS account, identifies privilege-escalation paths, and executes persistence/backdooring/exfiltration modules — all backed by a local SQLite database that records every enumerated resource so modules can chain off one another's findings.
A Pacu engagement follows a consistent arc. You create a named session, load AWS keys (with set_keys or by importing from ~/.aws/credentials), confirm the identity with whoami, then enumerate IAM and the rest of the account. The flagship workflow is iam__enum_permissions followed by iam__privesc_scan, which checks the compromised principal against ~20 known AWS IAM privilege-escalation primitives (e.g. iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole + lambda:CreateFunction, sts:AssumeRole) and can auto-exploit them. Persistence modules such as iam__backdoor_users_keys mint a second access key on an existing user, and iam__backdoor_assume_role adds a trust to a role so the attacker can assume it later.
This skill covers installing Pacu, session and credential management, IAM enumeration, automated privilege-escalation scanning and exploitation, persistence/backdooring, and data access — every command and module name verified against the Rhino Security Labs project. Source: github.com/RhinoSecurityLabs/pacu.
When to Use
- Conducting an authorized AWS cloud penetration test or red-team engagement
- Assessing the blast radius of a single compromised IAM credential (privesc scanning)
- Demonstrating persistence/backdoor techniques to drive remediation
- Generating realistic attacker telemetry to test cloud detections (purple team)
- Mapping an unfamiliar AWS account's IAM, EC2, S3, and Lambda exposure