Hacking the Cloud
@hackingthe.cloud
An open source encyclopedia of offensive security techniques that can be used in cloud environments. Created and maintained by @frichetten.com
Ever wonder how attackers discover valid Google Workspace emails without authentication? Learn about this technique using Quiet Riot and the potential implications for password spraying attacks and AWS Root User testing. Understanding these tactics is crucial for cloud security.
Unauthenticated Enumeration of Google Workspace Email Addresses - Hacking The Cloud
Discover how to exploit information disclosure configurations in Google Workspace to enumerate valid email addresses.
buff.ly
November 19, 2025 at 3:05 PM
Ever wonder how attackers discover valid Google Workspace emails without authentication? Learn about this technique using Quiet Riot and the potential implications for password spraying attacks and AWS Root User testing. Understanding these tactics is crucial for cloud security.
Explore unique GCP security strategies with us! Learn about project hierarchies and how policy constraints can enhance security but remember, most aren't retroactive. Dive into scenarios and constraints that shape your cloud environment securely. More insights here:
Security and Constraints - Hacking The Cloud
Security considerations and constraints that are unique to GCP
buff.ly
November 13, 2025 at 3:04 PM
Explore unique GCP security strategies with us! Learn about project hierarchies and how policy constraints can enhance security but remember, most aren't retroactive. Dive into scenarios and constraints that shape your cloud environment securely. More insights here:
ver worried about detection when using AWS CLI from specific Linux distros? Modify the User-Agent string to bypass GuardDuty alerts. Our blog dives into using Burp Suite for this, ensuring you leave no suspicious trails. Take control of what your requests reveal. Read more: buff.ly/ycJiEvz
Bypass GuardDuty Pentest Findings for the AWS CLI - Hacking The Cloud
Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string when using the AWS CLI.
hackingthe.cloud
November 11, 2025 at 3:04 PM
ver worried about detection when using AWS CLI from specific Linux distros? Modify the User-Agent string to bypass GuardDuty alerts. Our blog dives into using Burp Suite for this, ensuring you leave no suspicious trails. Take control of what your requests reveal. Read more: buff.ly/ycJiEvz
Exploring Lambda persistence? Our latest blog reveals how to establish persistence on AWS Lambda after gaining remote code execution using Python and Ruby runtimes as examples. Learn how to backdoor runtime files effectively while keeping things "warm." Check it out here:
Lambda Persistence - Hacking The Cloud
How to establish persistence on a Lambda function after getting remote code execution.
buff.ly
November 5, 2025 at 3:03 PM
Exploring Lambda persistence? Our latest blog reveals how to establish persistence on AWS Lambda after gaining remote code execution using Python and Ruby runtimes as examples. Learn how to backdoor runtime files effectively while keeping things "warm." Check it out here:
Deleting compromised AWS IAM keys might not be enough! Attackers can use `sts:GetFederationToken` to create temporary access credentials. Explore this technique and learn defensive measures like monitoring and using a "DenyAll" policy. Stay one step ahead. Read more:
Survive Access Key Deletion with sts:GetFederationToken - Hacking The Cloud
Use sts:GetFederationToken to maintain access, even if the original IAM credentials are revoked.
buff.ly
October 30, 2025 at 2:05 PM
Deleting compromised AWS IAM keys might not be enough! Attackers can use `sts:GetFederationToken` to create temporary access credentials. Explore this technique and learn defensive measures like monitoring and using a "DenyAll" policy. Stay one step ahead. Read more:
Learn the risks of AWS Elastic Container Registry (ECR) misuse. An attacker could use ECR permissions to implant backdoors in containers, gaining control over systems. Understand how this is done and adopt security measures like least privilege access and Docker image signing.
Abusing Elastic Container Registry for Lateral Movement - Hacking The Cloud
With ECR permissions you can easily distribute a backdoor to production servers, developer's laptops, or CI/CD pipelines and own the environment by gaining privileged permissions.
buff.ly
October 28, 2025 at 2:05 PM
Learn the risks of AWS Elastic Container Registry (ECR) misuse. An attacker could use ECR permissions to implant backdoors in containers, gaining control over systems. Understand how this is done and adopt security measures like least privilege access and Docker image signing.
Curious about cybersecurity tactics? Discover how ANSI escape sequences can hide malicious Terraform code from unsuspecting devs. Learn more about this sneaky technique and how it can obfuscate terminal output during Terraform apply operations. Check out the full blog post here:
Terraform ANSI Escape - Hacking The Cloud
Using ANSI Escape Sequences to Hide Malicious Terraform Code
buff.ly
October 22, 2025 at 2:06 PM
Curious about cybersecurity tactics? Discover how ANSI escape sequences can hide malicious Terraform code from unsuspecting devs. Learn more about this sneaky technique and how it can obfuscate terminal output during Terraform apply operations. Check out the full blog post here:
AWS EC2 instances can be vulnerable to persistence via user data scripts. If someone gains access, modifying these scripts or resources they call can backdoor your instance. Learn how to secure your cloud with insights on script modification techniques. Follow the full post here:
User Data Script Persistence - Hacking The Cloud
Maintain access to an EC2 instance and it's IAM role via user data scripts.
buff.ly
October 16, 2025 at 2:04 PM
AWS EC2 instances can be vulnerable to persistence via user data scripts. If someone gains access, modifying these scripts or resources they call can backdoor your instance. Learn how to secure your cloud with insights on script modification techniques. Follow the full post here:
Threat actors exploit the AWS CLI to discreetly download tools and exfiltrate data by blending into AWS environments where it's often pre-installed. This method, seen in attacks like SCARLETEEL, utilizes non-standard endpoints for covert actions. Enhance security awareness! Link:
Download Tools and Exfiltrate Data with the AWS CLI - Hacking The Cloud
Using the AWS CLI as a LOLScript to download and exfiltrate data.
buff.ly
October 14, 2025 at 2:02 PM
Threat actors exploit the AWS CLI to discreetly download tools and exfiltrate data by blending into AWS environments where it's often pre-installed. This method, seen in attacks like SCARLETEEL, utilizes non-standard endpoints for covert actions. Enhance security awareness! Link:
Dive into the power—and risk—of metadata in Google Cloud instances. Users and potential attackers alike can glean critical instance information through HTTP requests to specific endpoints. It’s essential to understand what data can be accessed and how to secure it. Learn more:
Metadata in Google Cloud Instances - Hacking The Cloud
Information about the data an attacker can access via GCP's API endpoints
buff.ly
October 8, 2025 at 2:04 PM
Dive into the power—and risk—of metadata in Google Cloud instances. Users and potential attackers alike can glean critical instance information through HTTP requests to specific endpoints. It’s essential to understand what data can be accessed and how to secure it. Learn more:
GuardDuty configurations can be subtly altered by attackers to avoid detection after compromising an account. Modifying detectors, IP lists, Cloudwatch rules, suppression filters, and alert destinations can reduce alerting efficacy. Learn more:
Modify GuardDuty Configuration - Hacking The Cloud
Modify existing GuardDuty configurations in the target account to hinder alerting and remediation capabilities.
buff.ly
October 2, 2025 at 2:04 PM
GuardDuty configurations can be subtly altered by attackers to avoid detection after compromising an account. Modifying detectors, IP lists, Cloudwatch rules, suppression filters, and alert destinations can reduce alerting efficacy. Learn more:
Discover key AWS IAM persistence methods, from creating access keys to modifying IAM role policies. These techniques allow adversaries to maintain access and carry out continued operations in a compromised AWS environment. A must-read for security professionals.
AWS IAM Persistence Methods - Hacking The Cloud
A catalog of methods to maintain access to the AWS control plane.
buff.ly
September 30, 2025 at 2:04 PM
Discover key AWS IAM persistence methods, from creating access keys to modifying IAM role policies. These techniques allow adversaries to maintain access and carry out continued operations in a compromised AWS environment. A must-read for security professionals.
Reposted by Hacking the Cloud
New on @hackingthe.cloud! A great post by Federico Lucini on bypassing AWS Network Firewall egress filtering!
hackingthe.cloud/aws/post_exp...
hackingthe.cloud/aws/post_exp...
AWS Network Firewall Egress Filtering Bypass - Hacking The Cloud
Bypass AWS Network Firewall Egress Filtering using SNI spoofing and Host Header manipulation.
hackingthe.cloud
September 29, 2025 at 2:30 PM
New on @hackingthe.cloud! A great post by Federico Lucini on bypassing AWS Network Firewall egress filtering!
hackingthe.cloud/aws/post_exp...
hackingthe.cloud/aws/post_exp...
AWS Cognito misconfigurations can expose your user pool to unauthorized sign-ups. Attackers can exploit this by finding User Pool Client IDs via web or mobile sources, then using AWS CLI for sign-ups. Ensure ‘Admin Only’ signup settings are enabled to protect your applications.
Abusing Unintended Self-Signup in AWS Cognito - Hacking The Cloud
How to take advantage of misconfigured Amazon Cognito User Pools.
buff.ly
September 24, 2025 at 2:08 PM
AWS Cognito misconfigurations can expose your user pool to unauthorized sign-ups. Attackers can exploit this by finding User Pool Client IDs via web or mobile sources, then using AWS CLI for sign-ups. Ensure ‘Admin Only’ signup settings are enabled to protect your applications.
Managed Identities streamline access between Azure resources. They can, however, be a double-edged sword if poorly configured. Our recent blog explores how misconfigured identities can provide unauthorized access, illustrating potential risks and mitigation strategies.
Read more at
Read more at
Abusing Managed Identities - Hacking The Cloud
Abusing Managed Identities
buff.ly
September 18, 2025 at 2:03 PM
Managed Identities streamline access between Azure resources. They can, however, be a double-edged sword if poorly configured. Our recent blog explores how misconfigured identities can provide unauthorized access, illustrating potential risks and mitigation strategies.
Read more at
Read more at
Explore how a user can escalate privileges in Google Cloud by leveraging tags used in IAM conditions. Discover how someone with viewer and tagUser roles can gain admin access without changing any policies. Uncover potential risks for unauthorized access and persistent threats.
Tag Your Way In - GCP Privilege Escalation Using Tags - Hacking The Cloud
A new privilege escalation technique in Google Cloud that leverages tag bindings to bypass IAM conditions and gain unauthorized access to sensitive resources.
buff.ly
September 16, 2025 at 2:05 PM
Explore how a user can escalate privileges in Google Cloud by leveraging tags used in IAM conditions. Discover how someone with viewer and tagUser roles can gain admin access without changing any policies. Uncover potential risks for unauthorized access and persistent threats.
Explore how to execute commands on AWS EC2 instances with Cloud Security techniques! This guide covers using ssm:SendCommand and ssm:StartSession for remote management and accessing outputs. Perfect for security pros looking to drive insights from AWS environments. Learn more at:
Run Shell Commands on EC2 with Send Command or Session Manager - Hacking The Cloud
Leverage privileged access in an AWS account to run arbitrary commands on an EC2 instance.
buff.ly
September 10, 2025 at 2:05 PM
Explore how to execute commands on AWS EC2 instances with Cloud Security techniques! This guide covers using ssm:SendCommand and ssm:StartSession for remote management and accessing outputs. Perfect for security pros looking to drive insights from AWS environments. Learn more at:
Ever thought of using S3 server access logs for data exfiltration? If you control an IAM identity with `s3:GetObject`, you could receive log details including denied requests alongside the data you aim to exfiltrate. It's a unique take on cloud security worth exploring. Learn more:
Data Exfiltration through S3 Server Access Logs - Hacking The Cloud
Exfiltrate data via S3:GetObject and S3 server access logs.
buff.ly
September 4, 2025 at 2:03 PM
Ever thought of using S3 server access logs for data exfiltration? If you control an IAM identity with `s3:GetObject`, you could receive log details including denied requests alongside the data you aim to exfiltrate. It's a unique take on cloud security worth exploring. Learn more:
Discover how attackers can maintain access in AWS by setting up a rogue OIDC Identity Provider. This complex method can evade detection longer than standard techniques. Learn about configuring the environment to ensure persistence with role policies in AWS. More here:
IAM Rogue OIDC Identity Provider Persistence - Hacking The Cloud
Obtain persistence by creating a rogue OIDC Identity Provider.
buff.ly
September 2, 2025 at 2:04 PM
Discover how attackers can maintain access in AWS by setting up a rogue OIDC Identity Provider. This complex method can evade detection longer than standard techniques. Learn about configuring the environment to ensure persistence with role policies in AWS. More here:
Unlocking the power of AWS! If you've gained privileged access in an AWS account, learn how to run shell commands on EC2 instances using ssm:SendCommand or Session Manager. These tactics provide ways to execute and interact with environments securely. Dive into the details:
Run Shell Commands on EC2 with Send Command or Session Manager - Hacking The Cloud
Leverage privileged access in an AWS account to run arbitrary commands on an EC2 instance.
buff.ly
August 27, 2025 at 2:03 PM
Unlocking the power of AWS! If you've gained privileged access in an AWS account, learn how to run shell commands on EC2 instances using ssm:SendCommand or Session Manager. These tactics provide ways to execute and interact with environments securely. Dive into the details:
Cloud attackers keep evolving. So should defenses.
Enumeration through AWS Resource Explorer used to be invisible. Not anymore.
Breakdown from @securitylabs.datadoghq.com: securitylabs.datadoghq.com/articles/enu...
Enumeration through AWS Resource Explorer used to be invisible. Not anymore.
Breakdown from @securitylabs.datadoghq.com: securitylabs.datadoghq.com/articles/enu...
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs
Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.
securitylabs.datadoghq.com
August 21, 2025 at 5:43 PM
Cloud attackers keep evolving. So should defenses.
Enumeration through AWS Resource Explorer used to be invisible. Not anymore.
Breakdown from @securitylabs.datadoghq.com: securitylabs.datadoghq.com/articles/enu...
Enumeration through AWS Resource Explorer used to be invisible. Not anymore.
Breakdown from @securitylabs.datadoghq.com: securitylabs.datadoghq.com/articles/enu...
Did you know that GCP IAM Conditions can sometimes do the opposite of what they're meant for? Explore how tags can be exploited for privilege escalation in GCP. A user can achieve admin access without changing any IAM policies. Dive in here:
Tag Your Way In - GCP Privilege Escalation Using Tags - Hacking The Cloud
A new privilege escalation technique in Google Cloud that leverages tag bindings to bypass IAM conditions and gain unauthorized access to sensitive resources.
buff.ly
August 21, 2025 at 2:03 PM
Did you know that GCP IAM Conditions can sometimes do the opposite of what they're meant for? Explore how tags can be exploited for privilege escalation in GCP. A user can achieve admin access without changing any IAM policies. Dive in here:
Discovering your AWS account ID from access keys is a useful skill in cloud security assessments. Use the `sts:GetAccessKeyInfo` API or decode the key itself with Python to find the associated account ID. Understand your scope and ensure compliance seamlessly.
Get Account ID from AWS Access Keys - Hacking The Cloud
Techniques to enumerate the account ID associated with an AWS access key.
buff.ly
August 19, 2025 at 2:09 PM
Discovering your AWS account ID from access keys is a useful skill in cloud security assessments. Use the `sts:GetAccessKeyInfo` API or decode the key itself with Python to find the associated account ID. Understand your scope and ensure compliance seamlessly.
Ever heard of Role Chain Juggling in AWS? By chaining "assume-role" calls, you can maintain longer access without creating new users or keys. Dive into this technique and learn about the AWSRoleJuggler tool by Daniel Heinsen. A must-know for AWS assessments!
Role Chain Juggling - Hacking The Cloud
Keep your access by chaining assume-role calls.
buff.ly
August 13, 2025 at 2:03 PM
Ever heard of Role Chain Juggling in AWS? By chaining "assume-role" calls, you can maintain longer access without creating new users or keys. Dive into this technique and learn about the AWSRoleJuggler tool by Daniel Heinsen. A must-know for AWS assessments!
Explore how misusing EC2 user data can lead to privilege escalation. If you have `ec2:ModifyInstanceAttribute` permissions, you can execute custom scripts as root on EC2 instances. This involves modifying user data and leveraging cloud-init to execute scripts at boot. Details here:
EC2 Privilege Escalation Through User Data - Hacking The Cloud
How to escalate privileges on an EC2 instance by abusing user data.
buff.ly
August 7, 2025 at 2:04 PM
Explore how misusing EC2 user data can lead to privilege escalation. If you have `ec2:ModifyInstanceAttribute` permissions, you can execute custom scripts as root on EC2 instances. This involves modifying user data and leveraging cloud-init to execute scripts at boot. Details here: