Performing Cloud Penetration Testing with Pacu

When to Use

  • When conducting authorized penetration testing of AWS environments
  • When validating the effectiveness of IAM policies, SCPs, and permission boundaries
  • When assessing the blast radius of a compromised set of AWS credentials
  • When testing detection capabilities of GuardDuty, Security Hub, and custom alerting
  • When building red team exercises against AWS cloud infrastructure

Do not use for unauthorized testing of any AWS account, for testing AWS infrastructure itself (covered by shared responsibility), for DDoS or volumetric attacks without AWS approval, or for production account testing without explicit authorization and breakglass procedures.

Prerequisites

  • Written authorization from the AWS account owner with defined scope and rules of engagement
  • Pacu v1.5+ installed (pip install pacu)
  • Test AWS credentials with limited starting permissions (simulates compromised credential scenario)
  • CloudTrail logging enabled to capture all Pacu activity for post-engagement review
  • GuardDuty enabled to validate detection of Pacu activities

First Seen: Mar 15, 2026