Find the role that owns your AWS Org.
Manual AWS penetration testing across IAM, EC2, S3, Lambda, ECS, Cognito, KMS, and CloudTrail, exercised by hand for IMDSv2-bypass via SSRF, sts:AssumeRole chain to AdministratorAccess, S3 bucket-policy bypass, Lambda execution-role over-scope, and Cognito user-pool misconfig. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.
CREST-conducted · CERT-In empanelled · Org-wide vantage
One AWS, full depth
Every service under your IAM Identity Center umbrella, IAM, EC2, S3, Lambda, ECS, KMS, CloudTrail. One method, one Org.
Working proof-of-exploit
Real STS session captures, IAM policy diffs, and SDK traces, not a CSPM scan score.
Re-test included
Every finding re-tested after your team ships the fix. One engagement, closed loop.
One forgotten IAM-PassRole or AssumeRole chain hands an attacker your AWS Org.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record
Why a config audit isn't a pentest
A flag passed is not a path closed.
AWS Config, Security Hub, and Trusted Advisor grade configurations, and an Org with every control green can still hand an attacker AdministratorAccess. SecureLayer7's operators chain the flags an audit calls 'low': IMDSv2 reachable through a public Lambda, an over-permissive instance profile, an unloved sts:AssumeRole trust policy. Then we walk you through the proof your auditor will accept and your team will fix.
IN SCOPE.
Where we look across your AWS Org.
Cross-account assume-role, SCP gaps, OIDC trust, identity-center to org-root paths.
IMDSv1 fallthrough, container escape, function role over-privilege, layer poisoning.
Bucket policies, snapshot sharing, KMS key grants, RDS public-snapshot exposure.
VPC peering, transit gateway, PrivateLink, security-group drift across the org.
AWS BUG FAMILIES WE NAME.
The IAM and service chains an AWS auditor will not catch.
- 01 AssumeRole confused deputy
Cross-account sts:AssumeRole with weak ExternalId, principal wildcard in trust policy, lateral pivot to victim account.
- 02 PassRole to admin
iam:PassRole on a higher-tier role, attach to a Lambda or EC2 launch, escalate from app role to administrator.
- 03 SSRF to IMDS
Server-side fetch into 169.254.169.254, IMDSv1 left enabled, EC2 instance-role credentials stolen from the metadata service.
- 04 Lambda role overscope
Function execution role granted * on S3 or DynamoDB, attacker abuses the function trigger to read every bucket in the account.
- 05 S3 bucket-policy bypass
Public ACL plus signed-URL replay, or Condition keys that fail open on missing aws:SourceVpce.
- 06 KMS grant abuse
CreateGrant on a customer master key from a compromised role, decrypt RDS snapshots and EBS volumes from outside the account.
- 07 Cognito identity drift
Identity-pool unauthenticated role grants real AWS credentials, signup-then-pivot from anonymous web client to data plane.
- 08 CloudTrail blind spot
Multi-region trail disabled, S3 data-events off, attacker stages exfil through a region where logging never landed.
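Added illustration for the AssumeRole confused-deputy family above (example code, not SecureLayer7's tooling): an offline checker that walks a role trust policy and flags the two weaknesses that family names, a principal wildcard and a cross-account trust with no sts:ExternalId condition. The policy JSON, account IDs and ExternalId value are constructed.

```python
import json

# Constructed sample role trust policy (not from any real account):
# statement 0 trusts every AWS principal, statement 1 trusts a foreign
# account with no ExternalId, statement 2 is the safe cross-account form.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}
  ]
}""")

OWN_ACCOUNT = "999999999999"  # assumed account ID that owns the role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    # Principal may be the literal "*" or a dict with an "AWS" key (string or list)
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def _has_external_id(stmt):
    cond = stmt.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))

def trust_policy_findings(policy, own_account=OWN_ACCOUNT):
    """Return (statement_index, reason) for each confused-deputy weakness found."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        for prin in _aws_principals(stmt):
            if prin == "*":
                findings.append((idx, "principal wildcard: any AWS account may assume this role"))
            elif own_account not in prin and not _has_external_id(stmt):
                findings.append((idx, f"cross-account trust of {prin} without sts:ExternalId"))
    return findings

if __name__ == "__main__":
    for idx, reason in trust_policy_findings(SAMPLE_TRUST_POLICY):
        print(f"Statement[{idx}]: {reason}")
```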
What we test —
Four AWS surfaces. One Org-wide engagement.
Every AWS pentest is threat-modelled to your Org structure, IAM graph, and account topology — then exercised by hand against named bug classes across identity, compute, data, and posture controls.
Identity & access
IAM role chaining, sts:AssumeRole over-scope, IAM Identity Center / SSO permission-set drift, Cognito user-pool ID-token confusion, instance-profile credential reuse, federated-role trust-policy bypass, IAM Access Analyzer blind spots, root-account fallback paths.
Compute & runtime
EC2 IMDSv2-bypass via SSRF, Lambda execution-role over-scope, EKS service-account abuse, ECS task-role chaining, Fargate trust-policy reuse, EBS snapshot exfil, AMI-based persistence, Systems Manager Session Manager impersonation.
Data & storage
S3 bucket-policy bypass, Object Ownership confusion, KMS key-policy misuse, Secrets Manager rotation drift, RDS IAM-auth gap, DynamoDB stream replay, EBS snapshot public exposure, Glue catalog data leakage.
Posture & detection
CloudTrail trail-tampering, GuardDuty finding suppression, AWS Config rule drift, AWS Organizations SCP gaps, CloudWatch log-group ACL bypass, EventBridge rule reuse, Audit Manager evidence drift, IAM Access Analyzer false-clean.
AWS PENTEST METHODOLOGY.
Eight phases. Org-wide, closed-loop.
Threat-modelled to your Org structure, IAM graph, and account topology. Not a template we run against every cloud.
- 01 Scope & threat-model
- 02 Recon & enumeration
- 03 Configuration review
- 04 Identity exploitation
- 05 Workload exploitation
- 06 Vulnerability analysis
- 07 Remediation guidance
- 08 Patch verification
Insights
AWS security Resources.
STS assume-role chains, S3 bucket drift, and the IAM mistakes our reviewers keep finding in AWS estates.
Meet our expert
One named lead on every AWS engagement.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes AWS engagements against your Org structure, IAM Identity Center scope, and account topology. He guides the pod from kick-off through final report and re-test.
- Scopes single-account, multi-account, and IAM Identity Center engagements against your real risk model.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
- Drives remediation review and re-test until every Org-wide path is closed.

Ready to scope an AWS pentest? Book 30 minutes with John to walk through your Org structure, IAM graph, and timeline.
Book a 30-min call
Common procurement questions
What buyers ask about AWS penetration testing.
Six questions procurement teams send before signing an AWS pentest SOW. Answered against our methodology and your auditor.
Have a procurement question not listed here?
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Banking workloads on AWS, KMS / Cognito boundaries, treasury access patterns.
HealthTech
HIPAA-scoped AWS workloads, S3 PHI exposure, Lambda EHR integrations.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full Org-wide kill chain, working PoC traces, IAM policy diffs, and re-test scope. Sent on request after a 5-minute scoping call.