AWS penetration testing

Research-led AWS pentest, IAM-to-S3, end to end.

CREST-accredited researchers attack AWS environments the way an adversary would: IMDSv1, AssumeRole loops, S3 ACL drift, cross-account role chains. Two weeks from kickoff to a report your auditor accepts.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most AWS pentests stop at the config audit. Attackers chain configs into root.

  • Config-audit reports flag 200 mediums; none prove a path to data, exactly what your auditor flags as low signal.

  • IAM bugs only become criticals when chained with metadata abuse and S3 ACL drift. Checklist firms miss the chain.

  • Cross-account role chains and federation seams sit where single-cloud testers blink.

Here is what we ship.

Why teams pick us

Path to S3, not 200 mediums.

  • AWS-specific bug classes

    IMDSv1 abuse, AssumeRole loops, S3 ACL drift, KMS key policy gaps, Lambda env-var leaks, EKS pod-identity abuse.

  • Chained to data, not config

    We do not stop at 'policy is overly permissive.' We prove the path to your bucket.

  • Evidence for the right auditor

    SOC 2, ISO 27001, FedRAMP, CIS AWS Foundations. Findings tagged to controls.

How it works

From intro to report in two weeks.

  1. Scope across accounts

    Tell us accounts, regions, and the data surface that matters. Read-only IAM role provisioned on the call.

  2. Researchers chain paths

    IAM-to-data and metadata-to-lateral chains. Federation and cross-account roles included.

  3. Findings with AWS CLI reproducers

    Each finding ships with a reproducer, AWS CLI commands, and a fix per control.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

What access do you need?
Read-only IAM role per account, scoped to the engagement. No prod writes without explicit approval.
Will you find IAM escalation?
Yes. AssumeRole loops, condition gaps, IMDSv1 abuse, pod-identity bypass, KMS policy abuse.
Is it safe on production?
Yes. Read-only and recon by default. Destructive actions require explicit per-finding approval.
What about EKS and Lambda?
Covered. Container escape, pod identity, Lambda env-var exfil, IAM-role pass-through.
Do you map to CIS or FedRAMP?
Yes. Findings tagged to CIS AWS Foundations, SOC 2, FedRAMP Moderate, and ISO 27001 Annex A.

Ready to see the path from misconfig to data?

20-minute scoping call with the lead AWS pentester. Multi-account, federation, and the seams between them.

CREST · CERT-In · SOC 2 · ISO 27001