cloud-iam-deep

Solid

Cloud IAM red-team attack chain across AWS, Azure, GCP — focused on EXTERNAL exploitation paths and post-credential-discovery privilege analysis. Covers IAM enumeration (aws iam, az role, gcloud iam), STS/AssumeRole chaining, Azure Managed Identity abuse (via SSRF/leak), GCP service account JSON abuse, IMDSv1/v2 attacks via SSRF, K8s ServiceAccount token exfil, role-trust-policy confused-deputy, cross-account assume-role enumeration, IAM privilege escalation patterns (24+ AWS, 8+ Azure, 6+ GCP), and AWS Cognito Identity Pool unauthenticated-role attack chain (GetId → GetCredentialsForIdentity → IAM role abuse). Built for the case where recon yields a credential (key, JSON, token) and you need to know what it grants and how to escalate. Use when an AWS key / Azure secret / GCP service account JSON / K8s SA token surfaces from a code repo, JS bundle, APK, breach corpus, or SSRF chain.

DevOps & Infrastructure 898 stars 132 forks Updated today NOASSERTION

Quality Score: 85/100

Stars (20%): 98
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

## When to use

Trigger when:

- A cloud credential surfaces (key, secret, token, JSON file)
- SSRF chain reaches IMDS / metadata endpoint
- APK / git-leak reveals embedded cloud key
- Recon shows public S3/GCS/Azure-blob with permissions you can verify
- A Kubernetes API or service-account token is exposed
- Post-RCE on a cloud-hosted instance — pivot to cloud control plane

Do NOT use for:

- On-prem-only environments (use AD attack skills — but those are out of scope per external-only boundary)
- Web2 vulns that happen to be on AWS — use the relevant `hunt-*` skill

---

## Credential identification (first 60 seconds)

```bash
# AWS access key patterns
AKIA[0-9A-Z]{16}    # IAM user access key (long-term)
ASIA[0-9A-Z]{16}    # STS temporary credential
AGPA[0-9A-Z]{16}    # IAM group
AIDA[0-9A-Z]{16}    # IAM user (user-id)
AROA[0-9A-Z]{16}    # IAM role
ANPA[0-9A-Z]{16}    # Managed policy

# AWS secret pattern (40-char base64-ish — context required)
[A-Za-z0-9/+=]{40}  # AWS secret access key

# Azure
AccountKey=[A-Za-z0-9+/=]{86}   # Storage account key
client_secret pattern + UUID    # Azure AD app credential

# GCP service account JSON
{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----..."
}

# K8s SA token (JWT format — decode to confirm)
eyJhbGciOiJSUzI1...   # decode the token; the iss claim in the payload shows the issuer
```

---

## AWS —...

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 2 weeks ago
Last Updated: today
Language: Python
License: NOASSERTION