AWS Penetration Testing Training
AWS dominates the cloud market with over 30% share, which means the majority of cloud penetration testing engagements will involve AWS infrastructure. Yet most security professionals approach AWS assessments with network-centric methodologies that miss the real attack surface: IAM policies, cross-account trust relationships, and the implicit permissions granted to managed services.
Threat groups like SCARLETEEL and AMBERSQUID have shown what effective AWS attacks look like. SCARLETEEL didn't scan for open ports. They stole credentials from a Kubernetes pod, used them to enumerate Lambda functions, found Terraform state files in S3, and extracted secrets that gave them access to entirely separate AWS accounts. AMBERSQUID targeted AWS-native services directly, cryptojacking Amplify, CodeCommit, and SageMaker by abusing the permissions those services granted to build pipelines.
Effective AWS penetration testing training must teach you to think like these attackers, to follow the permission graph, not the network diagram.
AWS Attack Techniques Covered
IAM Privilege Escalation
IAM is the most critical attack surface in AWS. Over 20 documented privilege escalation paths exist through IAM alone. Key techniques include:
iam:PassRole+lambda:CreateFunction, create a Lambda function that assumes a high-privilege roleiam:CreatePolicyVersion, write a new version of an existing policy with admin permissions and set it as defaultsts:AssumeRoletrust policy abuse, assume roles with overly permissive trust policies across accountsiam:AttachUserPolicy/iam:AttachGroupPolicy, directly attach AdministratorAccess to your identity- SSM Parameter Store and Secrets Manager enumeration, harvest credentials stored in plaintext
Tools like Pacu (the AWS exploitation framework) automate discovery of these paths, but understanding the underlying permission chains is essential for non-standard environments.
S3 Exploitation
S3 buckets remain one of the most common sources of sensitive data exposure in AWS. Beyond simple misconfigured public buckets, advanced techniques include:
- Enumerating bucket policies for overly permissive principal grants
- Exploiting S3 bucket versioning to recover deleted secrets
- Object-level ACL abuse where bucket policies are restrictive but individual objects are publicly readable
- CloudTrail log manipulation, if you can write to the trail's S3 bucket, you can tamper with audit evidence
Lambda and Serverless Abuse
Lambda functions execute with IAM roles that often have excessive permissions. Attack patterns include:
- Event injection, triggering Lambda functions with crafted payloads through S3, SNS, or API Gateway events
- Environment variable extraction, Lambda environment variables frequently contain database credentials, API keys, and other secrets
- Layer poisoning, injecting malicious code through shared Lambda layers
- Function URL abuse, publicly accessible Lambda endpoints without proper authentication
EC2 and Metadata Service Attacks
The EC2 Instance Metadata Service (IMDS) at 169.254.169.254 is a pivotal attack target. IMDSv1 allows unauthenticated credential theft via SSRF vulnerabilities in web applications running on EC2. Even with IMDSv2's token requirement, misconfigured hop limits and containerized workloads can still expose credentials. Stolen instance profile credentials provide whatever permissions the EC2 role grants, often far more than the application needs.
CI/CD Pipeline Exploitation
AWS CodeBuild, CodePipeline, and CodeCommit create attack paths that most assessments overlook. Build environments have IAM roles, access to artifact buckets, and often contain hardcoded credentials in buildspec files. Compromising a CI/CD pipeline provides persistent access and the ability to inject backdoors into deployed applications.
CloudTrail Evasion
Understanding what AWS logs, and what it doesn't, is critical for both attackers and defenders. Not all API calls generate CloudTrail events. Data plane operations (S3 GetObject, DynamoDB GetItem) require separate data event logging that most organizations don't enable. Certain read-only reconnaissance calls can be performed without generating alerts if the organization only monitors write events.
The ACRTP Bootcamp
The Amazon Cloud Red Team Professional (ACRTP) bootcamp at Pwned Labs covers all of these techniques and more through hands-on labs on real AWS infrastructure. You don't read about S3 bucket exploitation. You execute it against a live environment where GuardDuty, CloudTrail, and Security Hub are actively monitoring.
The bootcamp curriculum is mapped to real-world threat actor tradecraft from groups like SCARLETEEL and AMBERSQUID, covering:
- AWS identity exploitation and IAM privilege escalation
- S3, Lambda, EC2, and serverless attack chains
- CI/CD pipeline compromise (CodeBuild, CodePipeline)
- AWS incident response and detection engineering
- Amazon Bedrock and AI workload security
- Purple team methodology, attack + detect for every technique
The ACRTP certification exam is hands-on: you execute a realistic multi-stage attack chain against a live AWS environment, document your findings, and demonstrate both offensive execution and detection recommendations.
Why Hands-On AWS Labs Matter
AWS has over 200 services, each with its own permission model, API surface, and security considerations. You cannot learn to pentest AWS effectively by watching videos or reading documentation. The skill requires repetition, executing aws sts assume-role with stolen credentials, parsing IAM policies for escalation paths, and pivoting through services until you reach the objective.
Pwned Labs provides real AWS infrastructure for every lab. Not LocalStack. Not Docker containers mocking AWS APIs. Real accounts with real services where your actions generate real CloudTrail events that the detection engineering labs teach you to identify.
Who This Is For
AWS penetration testing training at Pwned Labs is built for penetration testers expanding into cloud, AWS engineers who want to understand the attacker perspective, security architects designing AWS environments that resist real attacks, and detection engineers writing GuardDuty custom rules and CloudWatch alerts. If AWS is in your scope, the ACRTP bootcamp is where to build the skills that matter.