performing-cloud-penetration-testing-with-pacu

# Performing Cloud Penetration Testing with Pacu ## When to Use - When conducting authorized penetration testing of AWS environments - When validating the effectiveness of IAM policies, SCPs, and permission boundaries - When assessing the blast radius of a compromised set of AWS credentials - When testing detection capabilities of GuardDuty, Security Hub, and custom alerting - When building red team exercises against AWS cloud infrastructure **Do not use** for unauthorized testing of any AWS account, for testing AWS infrastructure itself (covered by shared responsibility), for DDoS or volumetric attacks without AWS approval, or for production account testing without explicit authorization and breakglass procedures. ## Prerequisites - Written authorization from the AWS account owner with defined scope and rules of engagement - Pacu v1.5+ installed (`pip install pacu`) - Test AWS credentials with limited starting permissions (simulates compromised credential scenario) - CloudTrail logging enabled to capture all Pacu activity for post-engagement review - GuardDuty enabled to validate detection of Pacu activities - Emergency contact and rollback procedures documented ## Workflow ### Step 1: Initialize Pacu Session and Configure Credentials Set up a Pacu session with the test credentials and define the engagement scope. ```bash # Install Pacu pip install pacu # Start Pacu pacu # Create a new session for the engagement Pacu > set_keys --key-alias pentest-target # Enter A...