LazyHackers.in — Checklist
☁️ Cloud Pentest Checklist
AWS / GCP / Azure / OCI, item by item: scenario · command · steps · the finding · the fix
☰ How to use this guide
Cloud compromise is rarely one exploit — it's a chain: a leaked key or metadata-reachable credential, an over-permissive IAM policy, and over-shared storage, walked into privilege escalation and lateral movement. Identity is the perimeter. This guide turns every line of the cloud checklist into how-to-test, provider-agnostic first, then AWS/GCP/Azure/OCI primitives. Pair with the web/API checklists for the app layer.
Assumes an authorised assessment (config review + credentialed + external). Chase privesc + lateral-movement chains (§9 + provider primitives), not just isolated public-bucket findings. Each section ends with a coverage table covering every line.
⚠ Run automated scanners read-only first; treat any write/exploit action as in-scope only. Never touch another tenant/account you aren't authorised for.
# Read-only posture scanners (run these first, then verify by hand)
prowler aws # or: prowler gcp / azure / oci
scoutsuite aws # multi-cloud config audit -> HTML report
# Credentialed enum / privesc mapping
pacu # AWS exploitation framework (enum + privesc modules)
cloudsplaining scan --input-file account-authz.json # IAM least-privilege gaps
# Secrets in repos/images/CI
trufflehog filesystem ./repo ; trufflehog docker --image registry/img:tag0 Recon & external attack surface
Map the external footprint across all accounts/projects/subscriptions, and hunt for leaked credentials — the fastest path in.
External surface & leaked secrets
# Public buckets / blobs
cloud_enum -k target # AWS S3 + GCP + Azure blob brute
# Dangling DNS -> takeover of deleted cloud resources
subfinder -d target.tld | nuclei -t http/takeovers/
# Secrets in public Git / CI logs / IaC state
trufflehog github --org target ; gitleaks detect
# Terraform state / CloudFormation publicly readable -> secrets
curl -s https://bucket.s3.amazonaws.com/terraform.tfstate | jq '.. | .secret? // empty'⚑ Report as: “Public cloud storage bucket / secrets leaked in public repo or IaC state”
🛡 Fix: Block public access at the org level; remove DNS records when resources are deleted; keep IaC state in a private encrypted backend; scan repos/CI for secrets pre-commit; rotate any exposed key immediately.
Recon & external surface — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Public IP/asset enumeration | cloud provider CLI + amass | External asset exposure |
| DNS → dev/staging endpoints | subfinder/dnsx | Exposed non-prod endpoint |
| Dangling DNS → takeover | nuclei takeovers | Subdomain takeover |
| Public buckets/blobs | cloud_enum | Public storage |
| Exposed management consoles | httpx on known panels | Management console exposed |
| Cloud metadata in leaked code | trufflehog/grep | Credential/account-ID leak |
| Secrets in Git/paste/CI/images | trufflehog, gitleaks | Secret leak |
| Exposed CI/CD endpoints | probe Jenkins/GitLab | CI/CD endpoint exposed |
| Public IaC state leaking secrets | fetch tfstate | IaC state exposure |
| Org/account ID enumeration | enumerate IDs | Account ID disclosure |
1 Identity & access management
The core of cloud security. Look for wildcard policies, self-escalation, long-lived keys, missing MFA, and over-broad trust.
# AWS: who am I, what can I do, where can I escalate
aws sts get-caller-identity
aws iam get-account-authorization-details > authz.json
cloudsplaining scan --input-file authz.json # flags *:* , privesc, data-exfil perms
# Wildcards in any attached policy:
aws iam list-attached-user-policies --user-name X
# GCP: roles on the project
gcloud projects get-iam-policy PROJECT --format=json | jq '.bindings[]'
# Azure: role assignments
az role assignment list --all -o table⚑ Report as: “Overly permissive IAM policy (wildcard actions/resources) / identity can self-escalate”
🛡 Fix: Least privilege: no
*:*; deny identities the ability to modify their own policies; rotate/disable static keys; enforce MFA (especially privileged/root); apply permission boundaries / SCPs / org policies; restrict cross-account trust with external IDs/conditions.IAM — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Overly permissive policy (*:*) | cloudsplaining / policy review | Wildcard IAM policy |
| Privesc path via IAM | pacu / cloudsplaining privesc | IAM privilege-escalation path |
| Long-lived static credentials | check key age | Unrotated access keys |
| Stale identities/keys not disabled | audit last-used | Stale credentials |
| MFA not enforced | check MFA on users/root | MFA not enforced |
| Root/global-admin daily use | review root activity | Root account in daily use |
| Service account over-privileged | review SA roles | Over-privileged service account |
| Cross-account trust too broad | review trust policy | Permissive cross-account trust |
| Confused-deputy (no external ID) | check AssumeRole condition | Confused-deputy risk |
| Weak password policy / no rotation | review policy | Weak password policy |
| Federation/SSO trust too broad | review SAML/OIDC trust | Over-broad federation trust |
| No permission boundary / SCP | check org guardrails | Missing IAM guardrails |
| No conditional access/IP restriction | check console conditions | Missing conditional access |
| Inline policy hiding grants | enumerate inline policies | Excessive inline policy |
| Identity self-escalation | check policy-edit perms | Self-escalation capability |
2 Compute / instances
The instance metadata service (IMDS) is the cloud's crown-jewel pivot: an SSRF or shell on an instance reaches metadata and steals the attached role's credentials.
Instance metadata & credential theft
# AWS IMDSv1 (no token) -> role creds directly. From the instance (or via app SSRF):
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE>
# IMDSv2 requires a token first (good); if v1 still works it's a finding:
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
-H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
# GCP / Azure metadata (need the Metadata header):
curl -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
curl -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'⚑ Report as: “IMDSv1 enabled / SSRF to instance metadata yields role credentials”
🛡 Fix: Enforce IMDSv2 (token + hop-limit 1) and disable v1; least-privilege instance roles; restrict SSH/RDP source ranges; patch instances; keep secrets out of user-data; encrypt disks; don't over-share snapshots/images.
Compute / instances — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| IMDS reachable & abusable | curl metadata (above) | Instance metadata credential theft |
| IMDSv1 still enabled (AWS) | curl without token works | IMDSv1 enabled |
| SSRF in app → metadata | app SSRF to 169.254.169.254 | SSRF to cloud metadata |
| SSH/RDP open to 0.0.0.0/0 | check SG/firewall | Management port exposed |
| Default/weak instance creds | try defaults | Default credentials |
| Instance role over-privileged | review role perms | Over-privileged instance role |
| Unpatched OS/packages | version check | Outdated software |
| User-data leaks secrets | read user-data | Secrets in user-data |
| Public/over-shared snapshot/image | check share settings | Public snapshot/image |
| Disk/volume unencrypted | check encryption | Unencrypted volume |
| Launch template embeds secrets | inspect template | Secrets in launch template |
3 Storage
Public or over-permissive object storage is the classic cloud breach. Test read, write, listing and pre-signed URL scope.
# AWS S3
aws s3 ls s3://bucket --no-sign-request # anonymous list?
aws s3 cp test.txt s3://bucket/ --no-sign-request # anonymous write?
# GCP / Azure
gsutil ls gs://bucket ; az storage blob list --container-name c --account-name a --auth-mode login⚑ Report as: “Publicly readable/writable storage bucket”
🛡 Fix: Enable Block Public Access / uniform access; encrypt at rest; enable versioning + logging; scope pre-signed/SAS URLs tightly and short; deny anonymous listing; restrict cross-account bucket policies.
Storage — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Publicly readable | anonymous list/get | Public read storage |
| Publicly writable | anonymous put | Public write storage |
| Authenticated-users ACL grant | check ACL | Any-cloud-user access |
| Unencrypted at rest | check encryption | Unencrypted storage |
| No versioning | check versioning | No versioning (ransomware risk) |
| Over-permissive/long-lived presigned/SAS | inspect URL TTL/scope | Over-permissive signed URL |
| Logging disabled | check access logging | Storage logging disabled |
| Anonymous listing enabled | list without creds | Anonymous object listing |
| Cross-account policy too broad | review bucket policy | Broad cross-account policy |
| Backups/snapshots unencrypted/public | check backups | Exposed/unencrypted backup |
4 Networking
Find sensitive ports open to the world, flat networks, and missing egress filtering.
# AWS: security groups open to the world on sensitive ports
aws ec2 describe-security-groups --query \
"SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp,'0.0.0.0/0')]].GroupId"
# Then confirm reachability:
nmap -Pn -p 22,3389,3306,5432,6379,9200,27017 <public-ip>⚑ Report as: “Security group allows 0.0.0.0/0 on a sensitive port”
🛡 Fix: Restrict ingress to required sources; keep DB/cache/admin private; segment VPCs/VNets; remove default permissive rules; add egress filtering; enable flow logs.
Networking — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| 0.0.0.0/0 on sensitive ports | SG/firewall review + nmap | Open sensitive port |
| Internal services exposed | probe DB/cache/admin | Internal service exposed |
| No segmentation (flat) | review topology | No network segmentation |
| Default VPC/VNet permissive | check default network | Permissive default network |
| Peering/transit trust too broad | review peering | Broad peering trust |
| No egress filtering | test outbound | No egress filtering |
| LB/gateway weak TLS or open | testssl.sh | Weak edge TLS |
| Public DB endpoint | check DB exposure | Public database endpoint |
| VPN/bastion bypassable | test bypass | Bastion/VPN bypass |
| Flow logs disabled | check flow logs | Flow logging disabled |
5 Serverless & containers
Functions and Kubernetes inherit cloud credentials — over-privileged execution roles, public invocation, and exposed K8s APIs are the pivots.
# Kubernetes exposure
kube-hunter --remote <k8s-ip> # or run in-cluster
kubectl auth can-i --list # what the default/pod SA can do
# Function env secrets (AWS Lambda)
aws lambda get-function-configuration --function-name F --query Environment⚑ Report as: “Over-privileged function role / exposed Kubernetes API / public function”
🛡 Fix: Least-privilege execution roles; no plaintext secrets in env (use a secrets manager); require auth on functions; lock down K8s API + RBAC; don't mount default SA tokens; add pod security + network policies; private registries.
Serverless & containers — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Over-privileged function role | review role | Over-privileged function |
| Plaintext secrets in env vars | read env config | Secrets in function env |
| Publicly invokable function | invoke unauthenticated | Public function |
| Event-source injection | poison trigger source | Function event injection |
| Public registry / image secrets | pull & scan image | Registry/image secret leak |
| Container as root/privileged | inspect securityContext | Privileged container |
| K8s API server exposed | kube-hunter | Exposed Kubernetes API |
| RBAC over-permissive / default SA | kubectl auth can-i | Over-permissive RBAC |
| K8s secrets unencrypted/accessible | check secret encryption | Exposed K8s secrets |
| No pod security/network policy | check policies | Missing pod/network policy |
| Kubelet/dashboard exposed | probe 10250 / dashboard | Kubelet/dashboard exposed |
| Workload identity over-scoped | review pod→cloud creds | Over-scoped workload identity |
6 Secrets & key management
Where keys and secrets live and who can use them. Over-permissive KMS policies let anyone decrypt.
⚑ Report as: “Over-permissive KMS key policy / secrets in plaintext config”
🛡 Fix: Tight KMS key policies (only intended principals decrypt); enable key rotation; least-privilege secrets-manager access; separate keys per environment; no hardcoded keys; use CMEK where required.
Secrets & key management — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Secrets in env/user-data/IaC/config | grep config & IaC | Plaintext secret |
| KMS key policy over-permissive | review key policy | Over-permissive KMS policy |
| Key rotation disabled | check rotation | Key rotation disabled |
| Secrets manager access too broad | review access | Broad secrets access |
| Keys shared across environments | review key scope | Cross-environment key reuse |
| Hardcoded keys in code/images | trufflehog | Hardcoded key |
| No CMEK where required | check encryption type | Missing customer-managed key |
7 Logging, monitoring & detection
Detection gaps. Disabled audit logs and tamperable logs mean an attacker operates blind to the defender.
⚑ Report as: “Audit logging disabled (CloudTrail / Audit Logs / Activity Log)”
🛡 Fix: Enable audit logging in all regions/projects; centralise and make logs immutable; alert on privileged/anomalous actions; enable the native threat-detection service (GuardDuty/SCC/Defender).
Logging, monitoring & detection — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Audit logging disabled | check trail/log config | Audit logging disabled |
| Logs not centralized/immutable | review log sinks | Logs not immutable |
| Log tampering by workloads | check write perms | Log tampering possible |
| No alerting on privileged actions | review alerts | Missing security alerting |
| Threat-detection disabled | check GuardDuty/SCC/Defender | Threat detection disabled |
| Logging gap in regions/projects | audit all regions | Logging coverage gap |
| No detection for cred exfil | review anomaly rules | No credential-exfil detection |
8 Data & databases
Managed databases exposed publicly or with weak/default creds, and PII sitting in non-prod.
⚑ Report as: “Managed database publicly accessible / default credentials”
🛡 Fix: Keep managed DBs private; encrypt at rest and in transit; strong unique creds; don't share snapshots; least-privilege grants; no real PII in non-prod.
Data & databases — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Managed DB publicly accessible | check endpoint exposure | Public managed database |
| DB unencrypted at rest/in transit | check encryption | Unencrypted database |
| DB default/weak credentials | try defaults | Weak database credentials |
| DB snapshot public/shared | check snapshot sharing | Public DB snapshot |
| Data warehouse over-shared | review access | Over-shared analytics store |
| No least-privilege DB grants | review grants | Excessive DB privileges |
| PII in non-prod | inspect non-prod data | PII in non-production |
9 Privilege escalation & lateral movement
The story of a cloud pentest: turn an initial credential into account/org takeover via IAM privesc primitives and service chaining.
# AWS PassRole + service privesc (classic): pass a high-priv role to a service you control
aws iam pass-role ... ; aws lambda create-function --role <highPrivRole> ... # then invoke
# Pacu automates discovery of these:
pacu > run iam__privesc_scan
# GCP SA impersonation
gcloud auth print-access-token --impersonate-service-account=PRIV_SA@proj.iam.gserviceaccount.com⚑ Report as: “Privilege escalation via iam:PassRole / role-assignment / SA impersonation”
🛡 Fix: Remove dangerous privesc primitives (PassRole+service, policy self-attach, actAs, role-assignment) from non-admin identities; least privilege on CI/CD roles; constrain trust; tie every finding back to blast radius.
Privilege escalation & lateral movement — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| PassRole / role-assignment abuse | pacu privesc / manual | IAM privilege escalation |
| Create/modify policy on self | attach policy to self | Self-escalation |
| Assume higher-priv role | AssumeRole via broad trust | Role-assumption escalation |
| Function/compute role escalate | function→role abuse | Compute-role escalation |
| CI/CD role over-privileged | review pipeline role | CI/CD takeover path |
| Resource policy cross-account pivot | abuse resource policy | Cross-account pivot |
| Metadata creds → broader access | pivot with stolen creds | Lateral movement via metadata |
| Service chaining (compute→storage→IAM) | map chain | Service-chain escalation |
| Backup/restore to bypass controls | restore to weaker env | Control bypass via restore |
| Org-level escalation | reach org/admin | Organization-level escalation |
Provider-specific checks
A AWS
AWS privesc lives in IAM/STS primitives plus S3, IMDS and broad resource policies.
⚑ Report as: “AWS: iam:PassRole + service privesc / public S3 / IMDSv1”
🛡 Fix: Enforce IMDSv2 + SCP guardrails; remove PassRole/CreatePolicyVersion from non-admins; Block Public Access on S3; AssumeRole with external ID; multi-region CloudTrail + GuardDuty on.
AWS — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| IMDSv1 enabled | curl metadata w/o token | IMDSv1 enabled |
| PassRole + service privesc | pacu iam__privesc_scan | PassRole privilege escalation |
| CreatePolicyVersion / AttachUserPolicy self-escalate | attempt self-attach | IAM self-escalation |
| AssumeRole broad / no external ID | review trust | Confused-deputy / broad trust |
| Access keys not rotated; root keys | check key age | Unrotated / root keys |
| No SCP guardrails | check org SCPs | Missing SCPs |
| * resource on iam/kms/s3 | policy review | Wildcard on sensitive actions |
| Public S3 (ACL/policy) | s3 ls --no-sign-request | Public S3 bucket |
| Block Public Access disabled | check BPA | Block Public Access off |
| EC2 SSRF → IMDS role creds | app SSRF to IMDS | SSRF to IMDS |
| SG 0.0.0.0/0 sensitive ports | describe-security-groups | Open security group |
| Public AMI / EBS snapshot | check share settings | Public AMI/snapshot |
| Lambda env secrets / public URL | get-function-configuration | Lambda exposure |
| RDS public/unencrypted | describe-db-instances | RDS exposure |
| Secrets Manager/SSM over-permissive | review resource policy | Broad secrets access |
| KMS broad decrypt | review key policy | Over-permissive KMS |
| CloudTrail disabled/single-region | describe-trails | CloudTrail gap |
| GuardDuty disabled | check GuardDuty | GuardDuty disabled |
| ECR public / ECS task role broad | review ECR/ECS | ECR/ECS misconfig |
| EKS public endpoint / loose aws-auth | review EKS | EKS misconfig |
B Google Cloud (GCP)
GCP privesc centers on service-account impersonation and key creation, plus default-SA scopes and public GCS.
⚑ Report as: “GCP: SA impersonation (actAs / getAccessToken) or key creation privesc”
🛡 Fix: Avoid primitive roles (owner/editor); remove actAs/serviceAccountKeys.create from non-admins; uniform bucket access; conceal GCE metadata + minimal default-SA scopes; enable Data Access audit logs + SCC.
Google Cloud (GCP) — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| actAs / getAccessToken → SA impersonation | gcloud impersonate | SA impersonation privesc |
| serviceAccountKeys.create privesc | mint key for priv SA | SA key-creation privesc |
| owner/editor granted broadly | review bindings | Primitive-role over-grant |
| SA key (JSON) leaked/long-lived | find key files | Leaked SA key |
| Primitive instead of predefined roles | review roles | Primitive roles in use |
| allUsers/allAuthenticatedUsers binding | check IAM bindings | Public IAM binding |
| Project-level where resource-level needed | review scope | Over-broad binding scope |
| GCS public (allUsers) | gsutil iam get | Public GCS bucket |
| Uniform access disabled / legacy ACLs | check bucket config | Legacy ACLs enabled |
| GCE metadata reachable / default SA scopes | curl metadata | Metadata / default-SA exposure |
| setMetadata → add SSH key privesc | compute.instances.setMetadata | SSH-key metadata privesc |
| Firewall 0.0.0.0/0 sensitive ports | review firewall | Open firewall rule |
| Cloud Function/Run public | invoke unauthenticated | Public function/service |
| Cloud SQL public IP / weak auth | review Cloud SQL | Cloud SQL exposure |
| Secret Manager too broad | review access | Broad secret access |
| GKE legacy auth/public/loose RBAC/metadata | review GKE | GKE misconfig |
| Data Access audit logs disabled | check audit config | Audit logging disabled |
| SCC not enabled | check SCC | Security Command Center off |
C Microsoft Azure
Azure privesc is role-assignment and app/service-principal Graph permissions, plus managed identity and public blob/SAS.
⚑ Report as: “Azure: role-assignment privesc / over-permissioned app or managed identity”
🛡 Fix: Least-privilege RBAC at the right scope; review app/SP Graph permissions and rotate secrets/certs; enforce Conditional Access + MFA; constrain managed-identity scope; disable anonymous blob; tight Key Vault access; enable Activity Log + Defender for Cloud.
Microsoft Azure — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Owner/Contributor at sub/MG scope | az role assignment list | Over-privileged role assignment |
| User Access Administrator privesc | check role-assignment rights | Role-assignment privesc |
| SP/app over-permissioned | review app perms | Over-permissioned service principal |
| App high Graph permissions | review Graph consent | Excessive Graph permissions |
| Stale/leaked app secrets & certs | check credentials | Leaked app secret |
| Conditional Access / MFA gaps | review CA policies | Conditional Access gap |
| Guest user over-privileged | review guest roles | Over-privileged guest |
| Managed identity over-scoped | review MI roles | Over-scoped managed identity |
| Dynamic group rule abuse | review group rules | Dynamic-group privesc |
| Public blob container | az storage blob list | Public blob container |
| Anonymous blob access | anonymous request | Anonymous blob access |
| Over-permissive/long-lived SAS | inspect SAS | Over-permissive SAS |
| Storage account key exposed | find key | Storage key exposure |
| VM IMDS → MI token | curl IMDS | Managed-identity token theft |
| NSG 0.0.0.0/0 sensitive ports | review NSG | Open NSG rule |
| Public IP on sensitive VM | check public IPs | Exposed VM |
| Key Vault access too broad | review access policy/RBAC | Broad Key Vault access |
| Function App public / secrets in settings | review Function App | Function App exposure |
| Azure SQL firewall allows all | review firewall | Azure SQL exposure |
| AKS public API / loose RBAC | review AKS | AKS misconfig |
| Activity Log / diagnostics disabled | check logging | Logging disabled |
| Defender for Cloud disabled | check Defender | Defender disabled |
D Oracle Cloud (OCI)
OCI privesc is broad tenancy policies and instance/dynamic-group principals, plus public buckets and PARs.
⚑ Report as: “OCI: overly broad tenancy policy / instance-principal abuse”
🛡 Fix: Scope policies to compartments, not tenancy; rotate API signing keys; least-privilege dynamic groups; MFA on admins; constrain federation trust; private buckets; tight, short PARs; enable Audit + Cloud Guard across compartments.
Oracle Cloud (OCI) — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Broad policy (manage all-resources) | review policies | Over-broad tenancy policy |
| Policy at tenancy where compartment fits | review scope | Excessive policy scope |
| Stale API signing keys | check key age | Unrotated API key |
| Over-privileged dynamic group | review dynamic groups | Dynamic-group privesc |
| Admin group too broad / no MFA | review admins | Weak admin controls |
| Cross-tenancy policy permissive | review cross-tenancy | Broad cross-tenancy trust |
| Federation/IdP misconfig | review federation | Federation misconfig |
| Object Storage public | check visibility | Public bucket |
| PAR over-permissive/long-lived | inspect PAR | Over-permissive PAR |
| Bucket not CMEK where required | check encryption | Missing CMEK |
| Instance metadata → principal token | curl metadata | Instance-principal abuse |
| SSH exposed to 0.0.0.0/0 | review security list | Open SSH |
| Security list/NSG open ports | review rules | Open network rule |
| Public DB / Autonomous DB | check exposure | Public database |
| Vault/secret access too broad | review access | Broad secret access |
| Functions over-privileged/public | review functions | Function exposure |
| OKE public API / loose RBAC | review OKE | OKE misconfig |
| Audit/logging not enabled | check audit | Audit disabled |
| Cloud Guard not enabled | check Cloud Guard | Cloud Guard disabled |
✓ Coverage map & how to run it
Run universal 0–9 on every cloud assessment, then the provider block. The highest-value work is the privesc + lateral-movement chains, not isolated public buckets.
| Section | Run on | Focus |
|---|---|---|
| Universal 0–9 | Every cloud assessment | Recon, IAM, compute/metadata, storage, networking, serverless, secrets, logging, data, privesc |
| AWS | AWS accounts | PassRole, policy self-attach, IMDSv1, S3, AssumeRole trust |
| GCP | GCP projects | SA impersonation, key creation, default-SA scopes, GCS allUsers |
| Azure | Azure tenants | Role-assignment privesc, app/SP Graph, managed identity, public blob/SAS |
| OCI | OCI tenancies | Broad tenancy policy, instance/dynamic-group principals, PAR, public buckets |
Core principle: identity is the perimeter. Most cloud compromise is misconfigured IAM + metadata-reachable credentials + over-shared storage, chained. Map every finding back to least-privilege and blast radius, and report the chain, not just the list. Tick a box only when you've actually verified it.