Cloud Red Team Harnesses

Module S10 · Course 2A

60 min · Offensive Architecture · IAM Privilege Escalation · Evidence & Client Deliverables

Prerequisite: S00–S09

S10.1 — Cloud-Specific Offensive Architecture

A network pentest harness scans ports. A cloud red team harness does none of that. The cloud is not a network — it is an API.

The attack surface is not open ports. It is identities, permissions, and configurations.

API-first, identity-first, no port scanning

API-first
every action is an API call
against the control plane
Identity-first
IAM is the primary attack
surface, not compute
No port scanning
an AWS account has
no ports to scan
Scope-enforced
every API call checked
against authorization

Tools change entirely: nmap/httpx/nuclei → Prowler, ScoutSuite, Pacu, Stormspotter

The cloud kill chain

Reconnaissance → enumerate assets & identities via API
Initial Access → exposed service or compromised credential
Privilege Escalation → IAM abuse (PassRole, CreatePolicy)
Lateral Movement → cross-account via trust relationships
Impact → demonstrated access (evidence-logged, read-only)

Same phases as network kill chain. Completely different execution at each phase.

S10.2 — IAM Privilege Escalation

IAM is the primary attack surface in cloud environments. A cloud breach is almost always an IAM abuse.

Canonical escalation paths

TechniqueRequiresGrants
PassRole + LambdaPassRole, CreateFunction, InvokeFunctionexecution-role perms
CreatePolicy + AttachCreatePolicy, AttachRolePolicyfull admin (*:*)
UpdateAssumeRolePolicyUpdateAssumeRolePolicytarget-role perms
AssumeRole chainssts:AssumeRole (trusted)assumed role perms

Each path is a node-and-edge graph. Current permissions = starting edges. Escalation technique = transition to higher-privilege state. Goal = target permission set.

Graph-based PE path finding

Same graph-based reasoning as S09.2 attack-path analysis, applied to the IAM layer.

Nodes = permission sets. Edges = escalation techniques. BFS from starting identity's permissions to target (e.g., s3:GetObject on sensitive bucket, or *:* admin). Output = the exact chain of techniques from initial access to target.

Demonstrated, not theoretical

Every escalation path must be backed by evidence — not asserted, demonstrated.

The client does not trust "Role-A can escalate to admin." The evidence shows the exact API calls, in order, that achieve it. Reproducible, verifiable, client-presentable.

S10.3 — Findings, Evidence & Deliverables

The auditor does not care about iam:PassRole chains. They care whether the org meets SOC 2, ISO 27001, or PCI DSS.

The compliance mapping is what translates technical findings into the auditor's language.

Cloud evidence schema

Hash-chained (from S02.3), extended with cloud-specific fields:

FieldValue
account_id, regionwhere the call happened
api_calle.g. s3:GetObject
resource_arnexact resource acted on
scope_refauthorization anchor
request / responseexact I/O
previous_hash / record_hashtamper-evidence

Finding → compliance mapping

SOC 2
CC6.3 — access
authorization
ISO 27001
A.9.2.5 — access
rights review
PCI DSS
7.2.1 — access
control system

An over-privileged IAM role is not "a misconfiguration." It is a violation of specific controls across three frameworks. The mapping makes the finding immediately actionable for the compliance team.

What you take forward

The cloud red team harness is operational: API-first architecture, IAM escalation path-finding, evidence-backed findings mapped to compliance frameworks.

Pillar 3 is complete. S11 moves to Smart Contract Audit Harnesses — a different attack surface (the blockchain), but the same discipline: scope enforcement, evidence chains, and client-ready deliverables.