Open-Awesome
CategoriesAlternativesStacksSelf-HostedExplore
Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.

TermsPrivacyAboutGitHubRSS
  1. Home
  2. Web Security
  3. aws_pwn

aws_pwn

Python

A collection of Python scripts for AWS penetration testing, reconnaissance, exploitation, and persistence.

GitHubGitHub
1.2k stars193 forks0 contributors

What is aws_pwn?

AWS pwn is a collection of Python scripts designed for AWS penetration testing and security assessment. It helps security professionals identify misconfigurations, escalate privileges, maintain persistence, and exfiltrate data from AWS environments. The toolkit covers reconnaissance, exploitation, stealth, and post-compromise activities across various AWS services.

Target Audience

Security researchers, penetration testers, and red teamers who need to assess the security of AWS infrastructure. It's also useful for blue teams and defenders looking to understand attack techniques.

Value Proposition

It provides a focused, script-based approach to AWS security testing without the overhead of larger frameworks. The tools are purpose-built for real-world scenarios, though they may require updates as AWS changes.

Overview

A collection of AWS penetration testing junk

Use Cases

Best For

  • AWS penetration testing engagements
  • Red team exercises targeting cloud infrastructure
  • Identifying IAM misconfigurations and privilege escalation paths
  • Gathering reconnaissance data on AWS accounts and resources
  • Maintaining persistence in compromised AWS environments
  • Testing CloudTrail evasion and stealth techniques

Not Ideal For

  • Teams needing stable, commercially-supported tools with regular updates and warranties
  • Penetration testers who require fully automated, GUI-based platforms for efficiency
  • Organizations with strict compliance audits needing thorough documentation and vendor support
  • Projects where script modifications and manual configuration are not feasible due to time constraints

Pros & Cons

Pros

Comprehensive Reconnaissance Tools

Includes scripts like validate_iam_access_keys.py and validate_s3_buckets.py for checking access keys, buckets, principals, and accounts, enabling detailed pre-compromise intelligence gathering.

Real-World Exploitation Scripts

Provides practical tools such as assume_roles.py for role assumption and add_iam_policy.py for privilege escalation, tailored for hands-on AWS penetration testing scenarios.

Stealth and Persistence Mechanisms

Offers mechanisms like disrupt_cloudtrail.py to evade detection and Lambda backdoor scripts for maintaining access, addressing post-compromise activities in engagements.

Community-Driven Development

Acknowledges contributions from others like Mike Fuller and encourages updates, helping adapt tools as AWS evolves, though reliance on community upkeep is a trade-off.

Cons

Poor Code Quality and Stability

The README admits scripts are 'horribly written' and may break due to AWS API changes, requiring frequent manual fixes and updates, which adds maintenance overhead.

Manual Configuration and Editing

Some scripts, like backdoor_all_roles.py, require editing constants within the file instead of using arguments, increasing setup complexity and risk of errors.

Incomplete and Noisy Features

The 'To do' list highlights missing functionalities such as stack resource dumping, and tools like dump_account_data.sh are 'very noisy,' potentially alerting defenders during testing.

Frequently Asked Questions

Quick Stats

Stars1,222
Forks193
Contributors0
Open Issues2
Last commit2 years ago
CreatedSince 2016

Tags

#cloudtrail#aws-security#penetration-testing#reconnaissance#iam-security#security-toolkit#python-scripts#persistence#privilege-escalation#cloud-security

Built With

P
Python
b
boto3

Included in

Web Security13.2k
Auto-fetched 1 day ago

Related Projects

AstraAstra

Automated Security Testing For REST API's

Stars2,650
Forks413
Last commit2 years ago
TIDoS-FrameworkTIDoS-Framework

The Offensive Manual Web Application Penetration Testing Framework.

Stars1,866
Forks391
Last commit3 years ago
grayhatwarfaregrayhatwarfare

Public buckets by grayhatwarfare

Stars0
Forks0
Last commit
Burp SuiteBurp Suite

Burp Suite is an integrated platform for performing security testing of web applications by portswigger

Stars0
Forks0
Last commit
Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a projectStar on GitHub