Hacking The Cloud

Detect Public Resource Exposure via Session Policy Error Messages

Sun, 15 Mar 2026 13:50:26 +0000

Use session policy denials and verbose IAM error messages to determine if AWS resources have public resource-based policies.

GCP Cloud Workstations Privilege Escalation

Mon, 09 Feb 2026 22:33:10 +0000

Break out of a Cloud Workstations container through an exposed Docker socket, then access project credentials from instance metadata.

Call for research: AI and LLM security

Sun, 25 Jan 2026 20:11:12 +0000

Hacking the Cloud is opening the door to AI and LLM security research.

Break LLM Workflows with Claude's Refusal Magic String

Wed, 21 Jan 2026 01:18:49 +0000

How Anthropic's refusal test string can be abused to stop streaming responses and create sticky failures.

2025 Hacking the Cloud: Year in Review

Sun, 04 Jan 2026 20:47:57 +0000

An end of year summary for Hacking the Cloud in 2025.

IAM Persistence through Eventual Consistency

Sun, 14 Dec 2025 12:53:39 +0000

Abuse IAM's eventual consistency to maintain persistence against incident response containment.

Apps Script project impersonation / Google Apps Script persistence

Wed, 08 Oct 2025 18:22:21 +0000

Google Workspace Apps Script projects create hidden GCP projects (sys-<...>) that can be impersonated by attackers. This technique enables stealthy persistence (service accounts, hidden compute, cryptomining) and can bypass common console inspections.

AWS Network Firewall Egress Filtering Bypass

Sun, 28 Sep 2025 20:45:11 +0000

Bypass AWS Network Firewall Egress Filtering using SNI spoofing and Host Header manipulation.

IAM Roles Anywhere Persistence

Sun, 21 Sep 2025 15:49:23 +0000

Abusing IAM Roles Anywhere to obtain persistent AWS access from outside the cloud.

AWS CodeBuild GitHub Runner Persistence

Sun, 21 Sep 2025 15:22:21 +0000

Abusing the CodeBuild managed GitHub Actions runner integration to obtain long‑term access to an AWS environment.

Enumerate services via AWS Backup

Tue, 06 May 2025 06:06:53 +0000

Enumerate AWS services via AWS Backup

Why Recreating an IAM Role Doesn't Restore Trust: A Gotcha in Role ARNs

Mon, 05 May 2025 14:08:51 +0000

In AWS, deleting and recreating an IAM role results in a new identity that breaks existing trust policies. This behavior improves security by preventing identity spoofing but can cause failures in cross-account access and third-party integrations if not properly understood.

Tag Your Way In - GCP Privilege Escalation Using Tags

Fri, 02 May 2025 10:10:37 +0000

A new privilege escalation technique in Google Cloud that leverages tag bindings to bypass IAM conditions and gain unauthorized access to sensitive resources.

IAM Rogue OIDC Identity Provider Persistence

Thu, 06 Mar 2025 14:44:42 +0000

Obtain persistence by creating a rogue OIDC Identity Provider.

2024 Cloud Security Highlights: Hacking the Cloud’s Year in Review

Mon, 23 Dec 2024 00:48:06 +0000

An end of year summary for Hacking the Cloud in 2024.

Exploiting Misconfigured Terraform Cloud OIDC AWS IAM Roles

Fri, 13 Dec 2024 12:28:24 +0000

Discover how to identify and exploit misconfigured AWS IAM roles using Terraform Cloud OIDC

Exploiting Public AWS Resources Programmatically - The Playbook

Thu, 05 Dec 2024 17:37:27 +0000

A playbook on how to exploit AWS resources that can be misconfigured via resource-based policies.

AWS CLI Tips and Tricks

Mon, 04 Nov 2024 03:15:10 +0000

A collection of tips and tricks for using the AWS CLI.

Run Command Abuse

Sat, 05 Oct 2024 05:04:44 +0000

Utilise Azure RunCommands for execution and lateral movement.

Exploiting Misconfigured GitLab OIDC AWS IAM Roles

Sun, 01 Sep 2024 22:46:15 +0000

Discover how to identify and exploit misconfigured AWS IAM roles using GitLab OIDC, with a detailed, step-by-step guide.

CVE-2024-28056: Exploit an AWS Amplify Vulnerability in Same-Account Scenarios

Wed, 31 Jul 2024 20:37:36 +0000

An in-depth explanation of how to still abuse CVE-2024-28056, a vulnerability in AWS Amplify that exposed IAM roles to takeover.

Prevent Expensive AWS API Actions with SCPs

Tue, 30 Jul 2024 00:15:57 +0000

Avoid AWS bill surprises by blocking known-expensive API calls with an SCP.

Enumerate Org/Folder/Project Permissions + Individual Resource Permissions

Sun, 14 Jul 2024 21:08:01 +0000

Brute force the permissions of all resources above to see what permissions you have. Includes example of brute forcing ~9500 permissions at the end. Also introduces tool that passively collections permissions allowed as run (gcpwn)

Discover secrets in public AMIs

Tue, 28 May 2024 16:27:11 +0000

How to find public AMIs and get stored secrets.

Enumerate Root User Email Address from the AWS Console

Tue, 21 May 2024 20:10:23 +0000

Identify if an email address belongs to the root user of an AWS account.

Abusing Misconfigured Role Trust Policies with a Wildcard Principal

Mon, 29 Jan 2024 03:39:38 +0000

How to take advantage of misconfigured role trust policies that have wildcard principals.

EC2 Privilege Escalation Through User Data

Sun, 21 Jan 2024 17:59:06 +0000

How to escalate privileges on an EC2 instance by abusing user data.

Bypass Cognito Account Enumeration Controls

Sun, 07 Jan 2024 21:28:56 +0000

Leverage a flaw in Cognito's API to enumerate accounts in User Pools.

DNS and CloudFront Domain Takeover via Deleted S3 Buckets

Wed, 20 Dec 2023 14:50:27 +0000

How orphaned Route53 records and CloudFront distributions can be taken over if the backing S3 bucket is deleted.

2023 Wrap-up

Wed, 20 Dec 2023 01:25:13 +0000

An end of year summary for Hacking the Cloud in 2023.

Data Exfiltration through S3 Server Access Logs

Thu, 07 Dec 2023 10:12:13 +0000

Exfiltrate data via S3:GetObject and S3 server access logs.

Derive a Principal ARN from an AWS Unique Identifier

Mon, 20 Nov 2023 00:54:35 +0000

How to convert an unique identifier to a principal ARN.

Survive Access Key Deletion with sts:GetFederationToken

Mon, 25 Sep 2023 13:24:44 +0000

Use sts:GetFederationToken to maintain access, even if the original IAM credentials are revoked.

AWS IAM Persistence Methods

Tue, 01 Aug 2023 01:58:06 +0000

A catalog of methods to maintain access to the AWS control plane.

Download Tools and Exfiltrate Data with the AWS CLI

Thu, 13 Jul 2023 03:46:27 +0000

Using the AWS CLI as a LOLScript to download and exfiltrate data.

Abusing Overpermissioned AWS Cognito Identity Pools

Tue, 20 Jun 2023 17:26:14 +0000

How to take advantage of misconfigured Amazon Cognito Identity Pools.

Abusing Unintended Self-Signup in AWS Cognito

Tue, 20 Jun 2023 17:26:14 +0000

How to take advantage of misconfigured Amazon Cognito User Pools.

Unauthenticated Enumeration of Azure Active Directory Email Addresses

Tue, 11 Apr 2023 13:31:32 +0000

Discover how to exploit information disclosure configurations in Azure Active Directory to enumerate valid email addresses.

Unauthenticated Enumeration of Google Workspace Email Addresses

Tue, 11 Apr 2023 13:31:32 +0000

Discover how to exploit information disclosure configurations in Google Workspace to enumerate valid email addresses.

Create a Console Session from IAM Credentials

Mon, 20 Feb 2023 16:48:45 +0000

How to use IAM credentials to create an AWS Console session.

S3 Streaming Copy

Fri, 10 Feb 2023 15:12:48 +0000

Utilizng standard out to standard in with aws-cli utilizing multiple profiles to avoid logging and detection in a victim environment

Exfiltrating S3 Data with Bucket Replication Policies

Thu, 26 Jan 2023 01:02:06 +0000

Backdooring S3 buckets with Bucket Replication Policies.

2022 Wrap-up

Wed, 14 Dec 2022 03:27:50 +0000

An end of year summary for Hacking the Cloud in 2022.

Loot Public EBS Snapshots

Mon, 05 Dec 2022 02:08:42 +0000

How to find and take advantage of exposed EBS snapshots.

Misconfigured Resource-Based Policies

Thu, 24 Nov 2022 22:14:38 +0000

Common misconfigurations of resource-based policies and how they can be abused.

Abusing Misconfigured ECR Resource Policies

Thu, 24 Nov 2022 22:14:38 +0000

How to take advantage of misconfigured AWS ECR private repositories.

AWS Organizations Defaults & Pivoting

Sat, 05 Nov 2022 00:02:54 +0000

How to abuse AWS Organizations' default behavior and lateral movement capabilities.

Abusing Elastic Container Registry for Lateral Movement

Thu, 13 Oct 2022 01:37:41 +0000

With ECR permissions you can easily distribute a backdoor to production servers, developer's laptops, or CI/CD pipelines and own the environment by gaining privileged permissions.

Hacking The Cloud v2: New Look

Sun, 18 Sep 2022 21:18:30 +0000

All about the new look for Hacking The Cloud v2.

GCP Goat

Mon, 29 Aug 2022 00:18:19 +0000

GCP Goat is the Vulnerable application for learning the GCP Security

Thunder CTF

Mon, 29 Aug 2022 00:18:19 +0000

GCP themed CTF

Hunting GCP Buckets

Mon, 29 Aug 2022 00:18:19 +0000

How to find valid and invalid GCP Buckets using tools

Privilege Escalation in Google Cloud Platform

Wed, 24 Aug 2022 12:25:09 +0000

Privilege escalation techniques for Google Cloud Platform (GCP)

Enumerate Service Account Permissions

Tue, 23 Aug 2022 14:34:53 +0000

Brute force the permissions of a service account to see what you have access to.

Terraform ANSI Escape

Sat, 09 Jul 2022 00:02:47 +0000

Using ANSI Escape Sequences to Hide Malicious Terraform Code

Default Account Information

Sun, 29 May 2022 13:26:35 +0000

Default information on how accounts and service accounts exist in GCP

Security and Constraints

Sun, 29 May 2022 13:26:35 +0000

Security considerations and constraints that are unique to GCP

Using Stolen IAM Credentials

Sat, 14 May 2022 21:51:44 +0000

How to work with stolen IAM credentials and things to consider.

Run Shell Commands on EC2 with Send Command or Session Manager

Mon, 11 Apr 2022 23:11:43 +0000

Leverage privileged access in an AWS account to run arbitrary commands on an EC2 instance.

Abusing Managed Identities

Sun, 27 Mar 2022 16:57:50 +0000

Abusing Managed Identities

Anonymous Blob Access

Sat, 19 Mar 2022 16:57:37 +0000

Finding and accessing files stored in Azure Storage Accounts without authentication.

Soft Deleted Blobs

Thu, 17 Mar 2022 14:35:54 +0000

Recovering and accessing files in private Storage Accounts that have been deleted.

AWS API Call Hijacking via ACM-PCA

Sun, 13 Mar 2022 23:45:47 +0000

By modifying the route53 entries and utilizing the acm-pca private CA one can hijack the calls to AWS API inside the AWS VPC

CI/CDon't

Sat, 05 Mar 2022 04:00:57 +0000

An AWS/GitLab CICD themed CTF.

Enumerate AWS Account ID from an EC2 Instance

Sun, 27 Feb 2022 22:50:13 +0000

With access to an ec2 instance, you will be able to identify the AWS account it runs in.

[Deprecated] Whoami - Get Principal Name From Keys

Wed, 09 Feb 2022 04:00:32 +0000

During an assessment you may find AWS IAM credentials. Use these tactics to identify the principal of the keys.

Modify GuardDuty Configuration

Sun, 30 Jan 2022 10:32:26 +0000

Modify existing GuardDuty configurations in the target account to hinder alerting and remediation capabilities.

Terraform Enterprise: Attack the Metadata Service

Thu, 23 Dec 2021 21:59:38 +0000

Leverage a default configuration in Terraform Enterprise to steal credentials from the Metadata Service

Hacking The Cloud

Tue, 30 Nov 2021 05:00:09 +0000

The encyclopedia for offensive security in the cloud

AWS IAM Privilege Escalation Techniques

Thu, 04 Nov 2021 21:03:24 +0000

Common techniques that can be leveraged to escalate privileges in an AWS account.

Metadata in Google Cloud Instances

Sun, 24 Oct 2021 17:41:56 +0000

Information about the data an attacker can access via GCP's API endpoints

Lambda Persistence

Thu, 16 Sep 2021 15:02:21 +0000

How to establish persistence on a Lambda function after getting remote code execution.

Get IAM Credentials from a Console Session

Wed, 14 Jul 2021 20:46:17 +0000

Convert access to the AWS Console into IAM credentials.

[Deprecated] Enumerate Permissions without Logging to CloudTrail

Tue, 18 May 2021 19:13:08 +0000

Leverage a bug in the AWS API to enumerate permissions for a role without logging to CloudTrail and alerting the Blue Team.

S3 File ACL Persistence

Tue, 13 Apr 2021 02:53:30 +0000

Maintain access to S3 resources by configuring Access Control Lists associated with S3 Buckets or Objects.

Enumerate AWS Account ID from a Public S3 Bucket

Sat, 03 Apr 2021 01:39:08 +0000

Knowing only the name of a public S3 bucket, you can ascertain the account ID it resides in.

Bypass GuardDuty Tor Client Findings

Sat, 20 Feb 2021 04:07:08 +0000

Connect to the Tor network from an EC2 instance without alerting GuardDuty.

Intercept SSM Communications

Sat, 06 Feb 2021 17:17:59 +0000

With access to an EC2 instance you can intercept, modify, and spoof SSM communications.

Role Chain Juggling

Wed, 03 Feb 2021 03:20:50 +0000

Keep your access by chaining assume-role calls.

User Data Script Persistence

Wed, 03 Feb 2021 03:20:50 +0000

Maintain access to an EC2 instance and it's IAM role via user data scripts.

Introduction to the Instance Metadata Service

Sun, 20 Dec 2020 20:10:43 +0000

An introduction to the Instance Metadata Service and how to access it.

Introduction to User Data

Sun, 20 Dec 2020 20:10:43 +0000

An introduction to EC2 User Data and how to access it.

Brute Force IAM Permissions

Sun, 20 Dec 2020 18:58:26 +0000

Brute force the IAM permissions of a user or role to see what you have access to.

Get Account ID from AWS Access Keys

Sun, 27 Sep 2020 16:06:37 +0000

Techniques to enumerate the account ID associated with an AWS access key.

Whoami - Get Principal Name From Keys

Fri, 21 Aug 2020 17:00:02 +0000

During an assessment you may find AWS IAM credentials. Use these tactics to identify the principal of the keys.

Steal IAM Credentials and Event Data from Lambda

Wed, 12 Aug 2020 23:15:50 +0000

Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda.

Unauthenticated Enumeration of IAM Users and Roles

Wed, 05 Aug 2020 14:32:32 +0000

Discover how to exploit cross-account behaviors to enumerate IAM users and roles in another AWS account without authentication.

Steal EC2 Metadata Credentials via SSRF

Sat, 01 Aug 2020 17:43:14 +0000

Old faithful; How to steal IAM Role credentials from the EC2 Metadata service via SSRF.

Connection Tracking

Thu, 30 Jul 2020 23:28:52 +0000

Abuse security group connection tracking to maintain persistence even when security group rules are changed.

IAM unique identifiers

Mon, 27 Jul 2020 19:47:46 +0000

Chart of the IAM unique ID prefixes.

Bypass GuardDuty Pentest Findings for the AWS CLI

Wed, 22 Jul 2020 02:58:24 +0000

Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string when using the AWS CLI.

Bypass Credential Exfiltration Detection

Wed, 22 Jul 2020 02:58:24 +0000

When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using VPC Endpoints.