Cloud Pentests Start Like External Ones
AWS penetration testing often begins before you touch the console: public S3 buckets, open security groups, exposed API Gateway stages, and subdomain takeovers on forgotten CloudFront distributions. Map the external cloud attack surface first, then request role credentials for authenticated testing.
High-Impact Checks
- S3 bucket enumeration and ACL/policy misconfigurations
- IAM username enumeration and weak password policies on SSO portals
- EC2 metadata SSRF from web apps (IMDSv1 vs v2)
- Lambda URLs and API keys in public GitHub repos
- Over-permissive cross-account trust policies
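As an added example (not part of the original article), the Python below turns the last check into a review script: it flags trust policy statements that allow a wildcard principal, a whole external account, or an external principal with no sts:ExternalId condition. The account IDs, role names and policies are constructed samples, the function names are hypothetical, and each finding is an item for human review rather than a confirmed misconfiguration.

```python
# Added example; every account ID, role name and policy here is constructed.
OWN_ACCOUNT = "111111111111"  # assumption: the account under review
SAMPLE_ROLES = {
    "vendor-readonly": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]},
    "vendor-scoped": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/scanner"},
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]},
    "legacy-open": {"Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}},
    "internal": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:role/ci"]}}]},
}

def _as_list(value):
    """IAM JSON allows one item or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from an ARN or a bare 12-digit principal, else None."""
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return principal if len(principal) == 12 and principal.isdigit() else None

def audit_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return sorted (finding, principal) items that need human review."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        # Condition keys are case-insensitive in IAM policies.
        has_ext_id = any(key.lower() == "sts:externalid"
                         for block in stmt.get("Condition", {}).values()
                         for key in block)
        for p in aws:
            if p == "*":
                findings.add(("wildcard-principal", p))
            elif (acct := account_of(p)) and acct != own_account:
                if p == acct or p.endswith(":root"):
                    findings.add(("whole-external-account", p))
                if not has_ext_id:
                    findings.add(("external-without-externalid", p))
    return sorted(findings)
```

To run it against real data, replace SAMPLE_ROLES with the AssumeRolePolicyDocument of each role exported from the account under review.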
Unify Cloud and Traditional Recon
Store bucket names, ARNs, and exposed endpoints alongside IP-based Attack Surface entries. When a web finding leads to IAM credentials, the chain should be obvious in one project view — not split between a cloud notes doc and a VLAN spreadsheet.