AWS exploitation framework — modular post-exploitation toolkit for compromised AWS credentials.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
pipx
pipx install pacu
Source
git clone https://github.com/RhinoSecurityLabs/pacu && cd pacu && pip install -e .
Run
pacu
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Set up session
pacu → set_keys → enter access_key + secret
Whoami / current context
whoami
Run permission enumeration
run iam__enum_permissions
Privesc enum
run iam__privesc_scan
Backdoor IAM users
run iam__backdoor_users_keys
CloudTrail manipulation
run detection__disruption
List all available modules
list
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Pacu is INTERACTIVE-first. For automation:
pacu --session NAME --module-name X --module-args "..."headless. - AWS API rate-limits: most modules respect them but
iam__enum_permissionson big accounts (1000+ resources) takes 30+ min. Run sequentially. set_regionsto limit scope beforeaws_enum*modules — full account scan across 30 regions is slow.- SQLite session DB at
~/.local/share/pacu/sessions/— back it up after big enumerations to avoid re-running.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- GuardDuty detects most enumeration patterns. Modern AWS engagements assume detection within 5-15 min.
iam__backdoor_users_keyscreates real backdoors — make sure scope authorises this. Cleanup withiam__detect_honeytokensafter.- Some modules require admin-level perms to test fully — they will fail silently on lesser creds.
- CloudTrail logs Pacu API calls with module-specific User-Agent strings — defenders can detect from logs.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- CloudFox (BishopFox) — newer enumeration-focused tool, less destructive.
- aws_consoler — pivot creds to console session.
- weirdAAL — older, larger module catalog.
India context and engagement notes
For Indian cloud audits (RBI ITS / SEBI CSCRF): Pacu’s permission-enum + privesc-scan are the authoritative test set. Always run with read-only flag set + skip destructive modules. CloudFox is becoming the new default for non-destructive enumeration — consider for audit work.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.