Hackers of India

ThunderCloud: Attack Cloud Without Keys!

Shivankar Madaan

2022/12/08

Abstract

“You can’t audit a cloud environment without access keys!!”.

Well. That’s not completely true.

There is a good number of tools that help security teams find cloud misconfiguration issues. They work the inside-out way: you give the tool read-only access tokens, and the tool reports misconfigurations.

There’s no single tool that helps Red Teamers and Bug Hunters find cloud misconfiguration issues the outside-in way.

This outside-in approach can find issues like:

  1. S3 directory listing due to misconfigured CloudFront settings
  2. Amazon Cognito misconfiguration that generates AWS temporary credentials
  3. Public snapshots
  4. Account-takeover phishing links for AWS SSO
  5. Permission enumeration for leaked keys
  6. IAM role privilege escalation: a) from leaked keys, b) via a Lambda function

This exploitation framework also lets teams within organizations run red-teaming activities, or run it across their own accounts, to learn which AWS misconfigurations they have and how badly those can be exploited.
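For teams that do hold read-only keys, the first two issue classes in the list (S3 listing exposed through CloudFront, and a Cognito identity pool that vends credentials to unauthenticated callers) can be caught inside-out from the control-plane configuration before anyone probes them from outside. The Python below is an added example, not ThunderCloud code or anything from this abstract; it runs on constructed dictionaries shaped like the responses of CloudFront GetDistributionConfig, S3 GetBucketPolicy and Cognito DescribeIdentityPool, and every distribution, bucket, OAI and pool identifier in it is a placeholder.

```python
"""Inside-out checks for two misconfiguration classes named in the abstract:
S3 listing exposed through CloudFront, and a Cognito identity pool that hands
out credentials to unauthenticated callers. Added example, not ThunderCloud
code; all inputs below are constructed, with placeholder identifiers."""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: shape of CloudFront GetDistributionConfig (trimmed).
DISTRIBUTION: Dict[str, Any] = {
    "Id": "EXAMPLE-DIST-ID",
    "DefaultRootObject": "",  # empty: a request for "/" is passed straight to the S3 origin
    "Origins": [{
        "Id": "assets-bucket",
        "DomainName": "example-assets.s3.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLE-OAI"},
    }],
}

# Constructed sample: bucket policy that grants the OAI ListBucket as well as GetObject.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE-OAI"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-assets/*", "arn:aws:s3:::example-assets"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed sample: shape of Cognito DescribeIdentityPool (trimmed).
IDENTITY_POOL: Dict[str, Any] = {
    "IdentityPoolId": "us-east-1:EXAMPLE-POOL-ID",
    "AllowUnauthenticatedIdentities": True,
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten Principal ("*" or {"AWS": ..., "Service": ...}) into plain strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out: List[str] = []
    for values in principal.values():
        out.extend(str(v) for v in _as_list(values))
    return out


def listing_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements granting s3:ListBucket (or a wildcard that covers it) to
    anonymous callers ("*") or to a CloudFront principal (the OAI user ARN, or
    the cloudfront.amazonaws.com service principal used by OAC)."""
    grants: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:listbucket", "s3:*", "*"}:
            continue
        exposed = [p for p in _principals(stmt) if p == "*" or "cloudfront" in p.lower()]
        if exposed:
            grants.append({"sid": stmt.get("Sid", "<no Sid>"),
                           "principals": exposed,
                           "conditional": "Condition" in stmt})
    return grants


def audit_distribution(dist: Dict[str, Any], policy: Dict[str, Any]) -> List[Finding]:
    """A ListBucket grant to the origin identity turns GET / on the distribution
    into an S3 ListObjects call unless DefaultRootObject rewrites the root request."""
    findings: List[Finding] = []
    if not any("S3OriginConfig" in o for o in dist.get("Origins", [])):
        return findings  # custom (non-S3) origins are out of scope for this check
    for grant in listing_grants(policy):
        note = " (statement carries a Condition; verify it really restricts listing)" if grant["conditional"] else ""
        if dist.get("DefaultRootObject"):
            findings.append(("LOW", f"{dist['Id']}: statement '{grant['sid']}' grants ListBucket to {grant['principals']}; "
                                    f"DefaultRootObject masks '/', but the permission is unnecessary and should be removed{note}"))
        else:
            findings.append(("HIGH", f"{dist['Id']}: no DefaultRootObject and statement '{grant['sid']}' grants ListBucket to "
                                     f"{grant['principals']}; the bucket listing is reachable through the distribution{note}"))
    return findings


def audit_identity_pool(pool: Dict[str, Any]) -> List[Finding]:
    """An identity pool with unauthenticated access enabled vends temporary
    credentials for its unauthenticated role to any caller who knows the pool ID."""
    if pool.get("AllowUnauthenticatedIdentities"):
        return [("HIGH", f"{pool['IdentityPoolId']}: AllowUnauthenticatedIdentities is true; "
                         "disable it, or reduce the unauthenticated role's policy to the minimum")]
    return []


if __name__ == "__main__":
    for severity, message in audit_distribution(DISTRIBUTION, BUCKET_POLICY) + audit_identity_pool(IDENTITY_POOL):
        print(f"[{severity}] {message}")
```

The CloudFront check reports at two severities on purpose: setting DefaultRootObject hides the root listing but leaves an over-broad grant in place, so the durable fix is to drop s3:ListBucket from the origin identity's statement. Wiring this to live accounts would replace the three constructed dictionaries with the corresponding boto3 calls under read-only credentials, which is the inside-out model the abstract contrasts with ThunderCloud's outside-in approach.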

ThunderCloud version 2 will add support for GCP and Azure exploitation. An open-source “CLOUD OFFENSIVE” GitBook will be released alongside it.