AWS Cloud Penetration Testing
35% of cloud intrusions in 2025 used valid accounts as initial access. Our CREST-accredited testers exploit misconfigured IAM roles, Lambda execution role escalation, S3 bucket policy bypasses, and EKS RBAC misconfigurations to show you what a real adversary would do in your AWS environment. Read-only access model, no production impact.
AWS Penetration Testing: Beyond the Benchmark
Prowler and SecurityHub find configuration deviations against benchmarks. Our testers chain those deviations into exploitable attack paths that reach production data, administrator credentials, and cross-account resources.
IAM & Privilege Escalation
The most impactful findings in AWS environments arise from misconfigured IAM. We enumerate all roles, policies, and trust relationships, then attempt chained escalation via iam:PassRole, sts:AssumeRole, and iam:CreatePolicyVersion to achieve administrator-level access. Cross-account trust relationships and federation configurations are reviewed for overly permissive conditions that permit lateral movement between accounts.
S3 & Storage Security
We test bucket policies, ACL grants, and the Block Public Access configuration at both account and bucket level, identifying scenarios where legacy ACL grants override account-level controls. Backup snapshots, EBS volumes, and RDS snapshot sharing are also reviewed for unintended public or cross-account exposure of sensitive data exports.
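As an added example, not the page's or Precursor's own tooling, the following check works through the S3 decision this section describes: which legacy ACL grants survive Block Public Access, and why only Object Ownership set to BucketOwnerEnforced neutralises a grant to another account. The response-shaped inputs and canonical IDs are constructed.

```python
# Added example, not the page's own tooling: decides which legacy ACL grants on
# a bucket remain effective given Block Public Access (BPA) at account and bucket
# level and the bucket's Object Ownership setting. Inputs mirror the shape of the
# GetBucketAcl / GetPublicAccessBlock / GetBucketOwnershipControls responses;
# every value below is constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "public",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any-aws-account",
}

def effective_ignore_public_acls(account_bpa, bucket_bpa):
    """BPA applies the most restrictive combination of account and bucket settings."""
    return bool(account_bpa.get("IgnorePublicAcls")) or bool(bucket_bpa.get("IgnorePublicAcls"))

def acl_exposures(acl, account_bpa, bucket_bpa, ownership):
    """Return (grantee, permission) for each grant the controls do not neutralise.
    Public group grants are ignored once IgnorePublicAcls is effective. A grant to a
    specific foreign canonical user is not public, so BPA never touches it; only
    Object Ownership = BucketOwnerEnforced (ACLs disabled) removes that exposure.
    """
    if ownership == "BucketOwnerEnforced":
        return []
    owner_id = acl["Owner"]["ID"]
    ignore_public = effective_ignore_public_acls(account_bpa, bucket_bpa)
    findings = []
    for grant in acl["Grants"]:
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if not ignore_public:
                findings.append((PUBLIC_GROUPS[grantee["URI"]], perm))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            findings.append(("cross-account:" + grantee["ID"], perm))
    return findings

# Constructed sample matching the finding described on this page: account-level
# BPA fully on, no bucket-level BPA, ACLs still enabled, legacy READ grant to
# another account.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-EXAMPLE"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-EXAMPLE"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "other-account-canonical-id-EXAMPLE"}, "Permission": "READ"},
    ],
}
ACCOUNT_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for who, perm in acl_exposures(SAMPLE_ACL, ACCOUNT_BPA, {}, "ObjectWriter"):
        print(f"exposed: {perm} granted to {who}")
```

With account-level BPA on, the public grant is neutralised but the cross-account grant is reported, which is exactly the gap the finding above describes.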
EC2 & Compute
EC2 instance profiles are a frequent escalation vector. We exploit instances that still serve IMDS v1 to retrieve instance-profile IAM credentials without the session token IMDS v2 requires, test security group egress for unexpected outbound paths, and review UserData scripts for hardcoded secrets or command injection opportunities.
Lambda & Serverless
Lambda execution roles are among the most commonly over-privileged identities in AWS environments. We test for escalation via iam:PassRole and lambda:UpdateFunctionCode, event source injection via SQS, SNS, and S3 triggers, and environment variable exposure that leaks secrets, API keys, or database credentials to unauthorised callers.
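As an added example covering both the IAM and the Lambda sections above, not the page's or Precursor's own tooling, the following scan reads IAM policy documents and reports the escalation-capable permissions those sections name (iam:PassRole, sts:AssumeRole, iam:CreatePolicyVersion, lambda:UpdateFunctionCode) wherever they are granted without the guard that bounds them. The policy documents and the account ID in them are constructed.

```python
# Added example, not the page's own tooling: scans IAM policy documents for the
# escalation-capable permissions named in the IAM and Lambda sections above and
# reports each one granted without the guard that bounds it, as input to a
# least-privilege review. The policy documents are constructed samples.
import fnmatch

# action -> condition key that scopes it (None: Resource scoping is the only guard)
ESCALATION_ACTIONS = {
    "iam:PassRole": "iam:PassedToService",
    "sts:AssumeRole": None,
    "iam:CreatePolicyVersion": None,
    "lambda:UpdateFunctionCode": None,
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(statement):
    # Condition is {operator: {key: value}}; IAM matches condition keys case-insensitively
    return {k.lower() for block in statement.get("Condition", {}).values() for k in block}

def risky_grants(policy):
    """Return (Sid, action, reason) for each unguarded grant. NotAction/Deny not modelled."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        patterns = [p.lower() for p in _as_list(st["Action"])]
        resources = _as_list(st.get("Resource", "*"))
        cond_keys = _condition_keys(st)
        for action, guard_key in ESCALATION_ACTIONS.items():
            # IAM action names match case-insensitively and honour * and ? wildcards
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if guard_key and guard_key.lower() not in cond_keys:
                findings.append((st.get("Sid", ""), action, f"no {guard_key} condition"))
            elif "*" in resources:
                findings.append((st.get("Sid", ""), action, "Resource is *"))
    return findings

LAMBDA_ROLE_POLICY = {  # constructed: an over-broad execution role of the kind described above
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Broad", "Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/reporting-reader"},
    ],
}

if __name__ == "__main__":
    for sid, action, reason in risky_grants(LAMBDA_ROLE_POLICY):
        print(f"{sid}: {action} ({reason})")
```

The remediation the page's reports describe is the inverse of each reason: add an iam:PassedToService condition and replace Resource "*" with the specific role or function ARN.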
EKS & Containers
We test EKS clusters for RBAC misconfigurations, including overly permissive ClusterRoleBindings and pod security policy gaps. IRSA (IAM Roles for Service Accounts) misconfigurations are tested for workload identity abuse, where a compromised pod can assume an AWS IAM role with permissions far exceeding its intended scope.
CloudTrail & Detection
We assess CloudTrail configuration for completeness, including management and data event logging, multi-region coverage, and log file integrity validation. GuardDuty alert coverage is reviewed against the attack techniques exercised during the engagement, and KMS key policies are assessed for over-permissive grants that allow decryption by principals outside the key's intended scope.
AWS Cloud Risk Profile
AWS IAM misconfigurations and storage policy gaps remain the leading cause of cloud account compromise. 35% of cloud intrusions in 2025 used valid account credentials as initial access.
Valid Account Abuse
35% of cloud intrusions in 2025 used valid IAM credentials as the primary initial access technique, bypassing perimeter controls entirely.
S3 Misconfiguration Rate
Of AWS accounts have at least one misconfigured S3 bucket. Legacy ACL grants frequently override account-level Block Public Access controls.
Industry Benchmark Mapping
Every finding is mapped to industry standard security benchmarks, ISO 27001, SOC 2, and DORA controls for direct auditor submission.
What We Find in AWS Environments
Representative findings from recent AWS penetration tests. Findings are anonymised and sanitised.
Lambda iam:PassRole Escalation to Admin
Lambda execution role permitted iam:PassRole to EC2. Combined with an exposed SSM Session Manager session, this allowed privilege escalation from Lambda invocation access to AdministratorAccess within 12 minutes.
Business Impact: Full AWS account compromise via a single Lambda function's misconfigured execution role.
S3 Bucket Policy Bypass via ACL Override
Block Public Access was enabled at the account level but a legacy ACL grant on a specific bucket allowed cross-account read access. The bucket contained customer PII exports generated by a scheduled ETL pipeline.
Business Impact: Customer PII accessible to any AWS account via legacy ACL inheritance.
AWS Services Tested
A comprehensive AWS penetration test covers the services most commonly exploited by adversaries, not just the services easiest to automate.
- IAM: iam:PassRole, AssumeRole, CreatePolicyVersion, cross-account trust
- S3: Bucket policies, ACLs, Block Public Access, presigned URLs, backup snapshots
- EC2: Instance profiles, IMDS v1/v2, UserData, security groups, EBS snapshots
- Lambda: Execution roles, event sources, env vars, function URL auth
- EKS: RBAC, pod security, IRSA, cluster role bindings, node group roles
- CloudTrail & GuardDuty: Logging completeness, data events, alert coverage gaps
- KMS & Secrets Manager: Key policies, secret access controls, cross-account decryption
- VPC: Transit Gateway, PrivateLink, VPC peering, security group egress rules
You need AWS testing if...
Compliance Audit Finding
Your ISO 27001, SOC 2, or DORA audit has identified cloud penetration testing as a control gap requiring evidence of manual assessment.
AWS Estate Growth
Your organisation has expanded its AWS footprint with new accounts, regions, or services and has not conducted a security review since the original deployment.
Board Mandate
The board or a major client has requested a formal cloud security posture report with evidence of independent third-party penetration testing of your AWS environment.
Post-Incident Review
A security incident, GuardDuty alert, or AWS abuse notification has prompted a post-event review of your IAM configuration and cloud security posture.
Cyber Insurance Renewal
Your cyber insurance renewal questionnaire requires evidence of annual cloud penetration testing by a CREST-accredited provider against your AWS environment.
Multi-Account Migration
Your organisation is migrating to a multi-account AWS Organizations structure and requires validation of cross-account trust boundaries and service control policies.
Compliance Framework Coverage
Every finding is cross-referenced against the frameworks your auditors require. Reports are structured for direct submission to QSAs, ISO auditors, and insurance underwriters.
- Full benchmark coverage across IAM, S3, CloudTrail, networking, and monitoring
- ISO 27001: Management of technical vulnerabilities in cloud-hosted systems
- SOC 2: Logical access controls and change management testing evidence
- DORA: ICT security testing requirements for financial entities using cloud
- Asset identification, access control, and detection function mapping
- CREST-certified test certificate for cloud environment questionnaires
AWS Penetration Testing Process
A structured four-stage engagement from access provisioning to compliance-ready report delivery.
Scoping & Access
Define account scope, AWS regions, and in-scope services during a 30-minute call. You provision the ReadOnlyAccess and SecurityAudit managed policies to a dedicated IAM user. No elevated permissions are required.
Enumeration & Config Review
Automated enumeration with Prowler and ScoutSuite is followed by manual review of IAM, S3 policies, EC2 instance profiles, Lambda configurations, and EKS RBAC settings to build the list of targets for manual testing.
Exploitation & Escalation
Testers chain IAM misconfigurations, exploit IMDS v1 endpoints, attempt Lambda execution role escalation, and pivot across accounts. Critical findings are disclosed immediately via secure channel.
Report & Retest
Delivery of a board-ready executive summary together with Terraform HCL and CloudFormation YAML remediation snippets. A free retest within the assessment window is included.
What You Receive
Every AWS penetration test engagement includes the following deliverables as standard.
- Executive Summary suitable for board, audit committee, and direct auditor submission
- Risk-rated findings with exploitability scores and proof-of-concept reproduction steps
- Terraform HCL and CloudFormation YAML remediation snippets for every finding
- Prioritised remediation roadmap with effort and impact scoring
- CREST-certified findings certificate for insurance and compliance submissions
- Free retest within the assessment window to verify remediated findings
Close the Loop.
Detect What We Found.
Your AWS penetration test surfaces the IAM escalation paths and storage misconfigurations that exist in your environment today. We feed those exact findings into our 24/7 Cloud Security Monitoring service, building custom GuardDuty and CloudTrail detection rules for the attack techniques exercised during your test.
Cloud Security Monitoring
24/7 detection tuned to the AWS attack paths discovered in your test.
Azure Penetration Testing
Extend coverage to your Azure estate with the same CREST-accredited methodology.
Cloud Config Review
Continuous industry standard benchmark compliance review between annual penetration tests.
Cloud Penetration Testing Hub
Full multi-cloud testing coverage across AWS, Azure, GCP, and Microsoft 365.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Yes. Since 2019, AWS no longer requires prior approval for penetration testing against your own AWS infrastructure. You are permitted to test EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail, Elastic Beanstalk, and AWS Fargate resources under your account without submitting a penetration testing request. Prohibited activities include denial-of-service attacks, DNS zone walking, DNS amplification, and port flooding. Our engagement scoping call confirms the exact in-scope services and regions before testing begins. All testing is conducted with explicit written authorisation from the account owner, and we operate strictly within AWS Acceptable Use Policy boundaries.
Our AWS penetration tests cover IAM (role chaining, iam:PassRole, sts:AssumeRole, policy version escalation), S3 (bucket policies, ACL grants, Block Public Access bypass, presigned URL scope), EC2 (instance profiles, IMDS v1/v2, UserData scripts, security groups), Lambda (execution roles, event source injection, environment variable exposure), EKS (RBAC, pod security policies, IRSA, cluster role bindings), CloudTrail and GuardDuty (logging coverage, alert rule gaps), KMS and Secrets Manager (key policies, secret access controls, rotation configuration), and VPC (Transit Gateway, PrivateLink, VPC peering, security group egress). Multi-account environments are tested for cross-account trust misconfigurations and service control policy gaps.
For a standard AWS penetration test we require a dedicated IAM user provisioned with two AWS-managed policies: ReadOnlyAccess and SecurityAudit. This gives our testers visibility of your configuration without the ability to modify, delete, or create resources. No production impact is possible under this access model. For scenarios where you want us to test exploitation of specific privilege escalation paths, we may request a temporary role with scoped permissions to demonstrate the full attack chain. All access credentials are rotated and deprovisioned immediately after the engagement completes.
AWS penetration testing starts from £3,750 for a single AWS account, and £8,000 to £15,000 or more for multi-account environments with AWS Organizations. Pricing is influenced by the number of accounts in scope, the range of services deployed, and whether multi-region coverage is required. A standard single-account test covering IAM, S3, EC2, Lambda, and EKS typically runs £4,000 to £6,000 for 3 to 4 days of testing. Multi-account environments with complex cross-account trust relationships or extensive service footprints typically require 5 to 8 days. We provide fixed-price quotes after a scoping call. There are no day-rate overruns.
Prowler, ScoutSuite, and AWS SecurityHub are automated configuration audit tools. They compare your AWS configuration against known best-practice benchmarks and flag deviations. This is valuable for identifying individual misconfigurations in isolation. Manual AWS penetration testing goes further by chaining those individual misconfigurations into exploitable attack paths. For example, Prowler will flag that an IAM role has iam:PassRole permissions. A manual tester will determine whether that permission, combined with an accessible Lambda function and an overly permissive S3 bucket policy, creates a complete privilege escalation path to AdministratorAccess. Automated tools report configuration deviations. Manual testers demonstrate real-world exploitability and the business impact of the complete attack chain.
Yes. Every finding in our AWS penetration testing report can include a remediation section with both Terraform HCL and CloudFormation YAML code snippets where applicable. For IAM policy misconfigurations, we provide the corrected least-privilege policy document. For S3 issues, we provide the corrected bucket policy and ACL configuration. For EKS RBAC findings, we provide the corrected ClusterRole and ClusterRoleBinding manifests. This format is designed for engineering teams to apply fixes directly via their infrastructure-as-code pipeline without requiring translation from security recommendations to implementable code.