Find the role that owns your AWS Org.

Manual AWS penetration testing across IAM, EC2, S3, Lambda, ECS, Cognito, KMS, and CloudTrail, exercised by hand for IMDSv2-bypass via SSRF, sts:AssumeRole chain to AdministratorAccess, S3 bucket-policy bypass, Lambda execution-role over-scope, and Cognito user-pool misconfig. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

CREST-conducted · CERT-In empanelled · Org-wide vantage

See the AWS attack paths
Four AWS surfaces, Identity, Compute, Data, Posture, converging on an AssumeRole-chain proof-of-exploit at the centre, with the Identity tile highlighted as the path that reached org admin.

One AWS, full depth

Every service under your IAM Identity Center umbrella, IAM, EC2, S3, Lambda, ECS, KMS, CloudTrail. One method, one Org.

Working proof-of-exploit

Real STS session captures, IAM policy diffs, and SDK traces, not a CSPM scan score.

Re-test included

Every finding re-tested after your team ships the fix. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why a config audit isn't a pentest

A flag passed is not a path closed.

AWS Config, Security Hub, and Trusted Advisor grade configurations, and an Org with every control green can still hand an attacker AdministratorAccess. SecureLayer7's operators chain the flags an audit calls 'low': IMDSv2 reachable through a public Lambda, an over-permissive instance profile, an unloved sts:AssumeRole trust policy. Then we walk you through the proof your auditor will accept and your team will fix.

Two columns, passing config-audit findings on the left, and the chained pentest path each one becomes on the right.

IN SCOPE.

Where we look across your AWS Org.

IDENTITY
IAM role chains

Cross-account assume-role, SCP gaps, OIDC trust, identity-center to org-root paths.

WORKLOAD
EC2, ECS, Lambda

IMDSv1 fallthrough, container escape, function role over-privilege, layer poisoning.

DATA
S3, RDS, KMS

Bucket policies, snapshot sharing, KMS key grants, RDS public-snapshot exposure.

NETWORK
VPC + Org perimeter

VPC peering, transit gateway, PrivateLink, security-group drift across the org.

AWS BUG FAMILIES WE NAME.

The IAM and service chains an AWS auditor will not catch.

  1. AssumeRole confused deputy

    Cross-account sts:AssumeRole with weak ExternalId, principal wildcard in trust policy, lateral pivot to victim account.

  2. PassRole to admin

    iam:PassRole on a higher-tier role, attach to a Lambda or EC2 launch, escalate from app role to administrator.

  3. SSRF to IMDS

    Server-side fetch into 169.254.169.254, IMDSv1 left enabled, EC2 instance-role credentials stolen from the metadata service.

  4. Lambda role overscope

    Function execution role granted * on S3 or DynamoDB, attacker abuses the function trigger to read every bucket in the account.

  5. S3 bucket-policy bypass

    Public ACL plus signed-URL replay, or Condition keys that fail open on missing aws:SourceVpce.

  6. KMS grant abuse

    CreateGrant on a customer master key from a compromised role, decrypt RDS snapshots and EBS volumes from outside the account.

  7. Cognito identity drift

    Identity-pool unauthenticated role grants real AWS credentials, signup-then-pivot from anonymous web client to data plane.

  8. CloudTrail blind spot

    Multi-region trail disabled, S3 data-events off, attacker stages exfil through a region where logging never landed.
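The confused-deputy family above (bug class 01, and the cross-account assume-role edges listed under Identity) comes down to what a role's trust policy allows. The checker below is an added example written for this page, not SecureLayer7 tooling: it reads trust-policy documents in the JSON shape IAM returns from GetRole (constructed inline here, with placeholder account IDs and ExternalIds) and flags a wildcard principal, a cross-account principal with neither an sts:ExternalId nor an aws:PrincipalOrgID condition, and an ExternalId short or common enough to guess. The 16-character floor and the guessable-ID list are assumptions, not an AWS rule.

```python
"""Trust-policy audit for the AssumeRole confused-deputy class (added example)."""
import json
import re

OWN_ACCOUNT = "111111111111"   # constructed: the account that owns the audited role
MIN_EXTERNAL_ID_LEN = 16       # assumption: floor for a randomly generated ExternalId
GUESSABLE_IDS = {"test", "externalid", "changeme", "password", "12345"}


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs (or '*') named under Principal.AWS; Service principals are skipped."""
    if principal == "*":
        return ["*"]
    accounts = []
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.append("*")
        elif entry.startswith("arn:"):
            accounts.append(entry.split(":")[4])      # arn:aws:iam::ACCOUNT:...
        elif re.fullmatch(r"\d{12}", entry):
            accounts.append(entry)
    return accounts


def _guards(condition):
    """Collect sts:ExternalId values and note whether aws:PrincipalOrgID is enforced."""
    external_ids, has_org_guard = [], False
    for operator, keys in (condition or {}).items():
        if not operator.startswith("StringEquals"):
            continue
        for key, value in keys.items():
            if key.lower() == "sts:externalid":
                external_ids.extend(_as_list(value))
            elif key.lower() == "aws:principalorgid":
                has_org_guard = True
    return external_ids, has_org_guard


def audit_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return findings for one trust policy; an empty list means nothing flagged."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        external_ids, has_org_guard = _guards(stmt.get("Condition"))
        cross = [a for a in accounts if a not in ("*", own_account)]
        if "*" in accounts:
            findings.append("wildcard principal may call sts:AssumeRole")
        if cross and not external_ids and not has_org_guard:
            findings.append(f"cross-account {', '.join(cross)} trusted without "
                            "sts:ExternalId or aws:PrincipalOrgID condition")
        for eid in (external_ids if cross else []):
            if len(eid) < MIN_EXTERNAL_ID_LEN or eid.lower() in GUESSABLE_IDS:
                findings.append(f"cross-account {', '.join(cross)} guarded by weak ExternalId {eid!r}")
    return findings


# Constructed sample documents (account IDs and ExternalIds are placeholders).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "test"}}},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/vendor-scanner"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "c9f1e2b7a4d84f3e9a1b6c2d7e8f0a1b"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_trust_policy(doc), indent=2))
```

The hardened sample narrows the principal from the partner account's root to one named role and pairs it with a long random ExternalId; in a live account the same function can be run over every role returned by iam:ListRoles, with `own_account` set to the account being audited.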

What we test —

Four AWS surfaces. One Org-wide engagement.

Every AWS pentest is threat-modelled to your Org structure, IAM graph, and account topology — then exercised by hand against named bug classes across identity, compute, data, and posture controls.

Identity & access

IAM role chaining, sts:AssumeRole over-scope, IAM Identity Center / SSO permission-set drift, Cognito user-pool ID-token confusion, instance-profile credential reuse, federated-role trust-policy bypass, IAM Access Analyzer blind spots, root-account fallback paths.

Compute & runtime

EC2 IMDSv2-bypass via SSRF, Lambda execution-role over-scope, EKS service-account abuse, ECS task-role chaining, Fargate trust-policy reuse, EBS snapshot exfil, AMI-based persistence, Systems Manager Session Manager impersonation.
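The IMDSv2-bypass item above, and bug class 03 (SSRF to IMDS), both hinge on whether an instance still answers IMDSv1. The check below is an added example, not SecureLayer7 code: it walks a describe-instances style result (constructed inline, with placeholder instance IDs, in the same field layout as the EC2 API) and lists instances whose metadata options leave IMDSv1 reachable or let the token response travel beyond the instance. IMDSv2 requires a PUT to obtain a session token and that token on every GET, which a plain server-side GET cannot supply; that is the property the remediation command enforces.

```python
"""IMDSv1 exposure check for EC2 instances (added example)."""

# Constructed sample: one hardened instance, one still on IMDSv1, one with the
# metadata endpoint disabled. Instance IDs are placeholders.
RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa0000000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb0000000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ccc0000000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}
]


def imds_findings(reservations):
    """Map instance ID -> list of metadata-option issues; clean instances are omitted."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue   # no metadata service at all: nothing for an SSRF to reach
            issues = []
            if opts.get("HttpTokens") != "required":
                # 'optional' means a bare GET to 169.254.169.254 is still answered
                issues.append("IMDSv1 reachable (HttpTokens=optional)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # TTL on the token response >1 lets it be forwarded past the
                # instance itself, e.g. into a bridged container network
                issues.append("hop limit above 1 lets the IMDSv2 token response leave the instance")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id):
    """AWS CLI call that enforces IMDSv2 on one instance (these flags exist in the EC2 CLI)."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            "--http-endpoint enabled --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for instance_id, issues in imds_findings(RESERVATIONS).items():
        print(instance_id, issues)
        print("  fix:", remediation_command(instance_id))
```

Enforcing `HttpTokens=required` removes the IMDSv1 path without touching the workload, provided the instance's own SDKs and agents already speak IMDSv2; the CloudWatch metric `MetadataNoToken` on each instance shows whether anything still makes IMDSv1 calls before the switch.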

Data & storage

S3 bucket-policy bypass, Object Ownership confusion, KMS key-policy misuse, Secrets Manager rotation drift, RDS IAM-auth gap, DynamoDB stream replay, EBS snapshot public exposure, Glue catalog data leakage.

Posture & detection

CloudTrail trail-tampering, GuardDuty finding suppression, AWS Config rule drift, AWS Organizations SCP gaps, CloudWatch log-group ACL bypass, EventBridge rule reuse, Audit Manager evidence drift, IAM Access Analyzer false-clean.
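The CloudTrail items above and bug class 08 (the blind spot an attacker stages through) are checkable from three read-only calls. The code below is an added example, not SecureLayer7 tooling: each record combines the fields a defender would take from cloudtrail:DescribeTrails, GetTrailStatus and GetEventSelectors for one trail (constructed inline, same field names as the API), and the function reports whether any logging trail is multi-region, whether S3 data events are recorded anywhere, and whether log-file validation is on.

```python
"""CloudTrail blind-spot check (added example)."""


def _captures_s3_data_events(trail):
    """True if a classic or advanced event selector on this trail records S3 object events."""
    for selector in trail.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == "AWS::S3::Object":
                return True
    for selector in trail.get("AdvancedEventSelectors", []):
        for field in selector.get("FieldSelectors", []):
            if field.get("Field") == "resources.type" and "AWS::S3::Object" in field.get("Equals", []):
                return True
    return False


def cloudtrail_gaps(trails):
    """Return the coverage gaps across an account's trails; empty means none found."""
    gaps = []
    logging_trails = [t for t in trails if t.get("IsLogging")]
    # A region with no trail is a region where the exfil never lands in a log.
    if not any(t.get("IsMultiRegionTrail") for t in logging_trails):
        gaps.append("no multi-region trail is logging: activity in other regions goes unrecorded")
    # Management events alone never show which objects were read or written.
    if not any(_captures_s3_data_events(t) for t in logging_trails):
        gaps.append("no logging trail records S3 data events: object access leaves no trace")
    for trail in trails:
        if not trail.get("LogFileValidationEnabled"):
            gaps.append(f"trail {trail['Name']}: log-file validation off, edited logs would not be detected")
        if not trail.get("IsLogging"):
            gaps.append(f"trail {trail['Name']}: exists but is not logging")
    return gaps


# Constructed samples. Names and regions are placeholders.
WEAK_TRAILS = [
    {"Name": "regional-only", "HomeRegion": "eu-west-2", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "IsLogging": True, "LogFileValidationEnabled": False,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": []}]},
]
HARDENED_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "eu-west-2", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": True, "IsLogging": True, "LogFileValidationEnabled": True,
     "AdvancedEventSelectors": [{"Name": "All S3 object events",
                                 "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                                    {"Field": "resources.type",
                                                     "Equals": ["AWS::S3::Object"]}]}]},
]

if __name__ == "__main__":
    for label, trails in (("weak", WEAK_TRAILS), ("hardened", HARDENED_TRAILS)):
        print(label, cloudtrail_gaps(trails) or ["no gaps"])
```

Running this from the management account against an organization trail is the quickest way to confirm that member accounts cannot quietly stop their own logging; a trail that exists in DescribeTrails but reports `IsLogging: false` is exactly the tampering the posture item above refers to.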

AWS PENTEST METHODOLOGY.

Eight phases. Org-wide, closed-loop.

Threat-modelled to your Org structure, IAM graph, and account topology. Not a template we run against every cloud.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Configuration review
  4. Identity exploitation
  5. Workload exploitation
  6. Vulnerability analysis
  7. Remediation guidance
  8. Patch verification

Meet our expert

One named lead on every AWS engagement.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes AWS engagements against your Org structure, IAM Identity Center scope, and account topology. He guides the pod from kick-off through final report and re-test.

  • Scopes single-account, multi-account, and IAM Identity Center engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
  • Drives remediation review and re-test until every Org-wide path is closed.
SL7 Lab. Published CVE research.

Ready to scope an AWS pentest? Book 30 minutes with John to walk through your Org structure, IAM graph, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-tenant SaaS on AWS, IAM-role chains, cross-account isolation.

FinTech

Banking workloads on AWS, KMS / Cognito boundaries, treasury access patterns.

HealthTech

HIPAA-scoped AWS workloads, S3 PHI exposure, Lambda EHR integrations.

Built for United Kingdom engagements

What changes when we deliver here.

  • Compliance scoping

    NCSC Cloud Principle 7 separation-of-services evidence on every IAM finding

  • Regulatory framework

    PRA SS2/21 outsourcing-access-control paragraph mapping

  • Local engagements

    London neobank rotated 480 IAM roles after AWS pentest

  • Local pricing

    GBP per-account fee, fixed regardless of resource count

  • Compliance scoping

    UK GDPR Art. 32(1)(a) encryption-at-rest evidence built in

AWS testing, UK detail.

  • Do you file an AWS pentest request?

    Most categories no longer need pre-approval. Where one is needed — RDS, distributed-load testing — we file via the customer's AWS Support before week-1.

  • Which IAM paths matter under FCA SS2/21?

    Cross-account assume-role, role-chaining and federated-identity edges. Findings cite SS2/21 paragraphs 4.6 and 5.3 on outsourcing access control.

  • Do you cover EKS in the AWS engagement?

    Lightweight EKS coverage — control plane and node IAM — sits in the AWS scope. Full Kubernetes assessment is a separate SoW.

  • Where is the report stored?

    S3 bucket in eu-west-2 (London) with KMS CMK. UK GDPR Art. 32(1)(a) encryption-at-rest documented in the SoW.

Delivery in United Kingdom

AWS pentest. NCSC Principles and IAM-first.

IAM, KMS, S3 and VPC findings tied to NCSC Cloud Principle 7 and PRA SS2/21 outsourcing controls. London region tenancy default.

Direct line
+44-20-0000-0000
Office
London, United Kingdom

Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.

Sample AWS pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full Org-wide kill chain, working PoC traces, IAM policy diffs, and re-test scope. Sent on request after a 5-minute scoping call.