Share
## https://sploitus.com/exploit?id=6F32B7A0-4E46-5E4A-A9F4-85C38487BB06
skycenter
  Attack Chain Security Analysis Engine for AWS, Azure, and GCP
  A Claude custom skill that thinks like an attacker, not a scanner.


---

## 🎯 The Problem

Cloud security scanners produce hundreds of isolated findings. This bucket is public. This role has wildcard permissions. MFA is not enabled. Each finding is correct in isolation but none of them answer the question that actually matters: **what can an attacker do with this?**

Security teams drown in findings executives ignore reports real attack paths hide in the gaps between individual misconfigurations that no scanner connects.

## ⚑ What skycenter Does

skycenter is not a scanner it never connects to your cloud account never makes API calls never enumerates resources.. You paste a cloud configuration an IAM policy, a Terraform file, a GCP IAM binding, a Kubernetes manifest and skycenter performs **attack chain reasoning** across five layers:

**Layer 1 β€” Surface Analysis.** Parse the input, identify individual misconfigurations, assess severity in isolation.

**Layer 2 β€” Relationship Mapping.** Map how resources connect to each other. An IAM role attached to a Lambda function that reads from an S3 bucket containing Terraform state files with plaintext database credentials. These relationships are where the real risk lives.

**Layer 3 β€” Attack Path Synthesis.** Chain findings into exploitable paths. Each path includes entry point, step by step exploitation, MITRE ATT&CK mapping, blast radius, likelihood, detection gaps and specific remediation.

**Layer 4 β€” Lateral Movement & Persistence.** Evaluate what an attacker can reach after initial compromise. Cross account role chaining, SSM SendCommand, managed identity pivoting, CI/CD pipeline access. Identify every persistence mechanism available.

**Layer 5 β€” Detection & Evasion Gap Analysis.** Assess whether each attack path would trigger alerts. Identify CloudTrail blind spots, missing GuardDuty configurations, Data Access logs off by default and specific evasion techniques.

**Predictable Attack Surface.** For every critical finding skycenter generates three things no scanner provides: the specific vulnerability class the configuration creates, a named real world breach where the exact same pattern was exploited with victim name and record count and financial impact, and a realistic attack scenario specific to your environment written as an adversary would plan it.

## πŸ“₯ Supported Input Types

skycenter is invoked explicitly. Type `/skycenter` or say "use skycenter to analyze this." Once active it auto-detects input format and selects the appropriate analysis methodology.

**AWS** β€” IAM Policy JSON, S3 Bucket Policies, Security Groups, CloudFormation/SAM templates, CloudTrail logs, AWS CLI output (`describe-*`, `list-*`, `get-*`)

**Azure** β€” ARM/Bicep templates, RBAC assignments, NSG rules, Entra ID configurations (App Registrations, Service Principals, Conditional Access), Azure Activity Logs

**GCP** β€” IAM Policy bindings, Service Account configurations, GCP Audit Logs, Deployment Manager configs, Firewall rules

**Cross-Platform** β€” Terraform HCL (all three providers with specific misconfig pattern detection), Kubernetes manifests (EKS/AKS/GKE β€” pod security, RBAC, network policies), CI/CD pipeline definitions (GitHub Actions YAML, Azure Pipelines, buildspec.yml, cloudbuild.yaml), OIDC trust policies, Workload Identity Federation configs

## 🧠 Knowledge Base

Curated offensive security knowledge across 14 reference files, loaded on-demand:

| Reference File | Coverage |
|---|---|
| `aws-attack-paths.md` | 58 validated IAM privilege escalation paths including PassRole + 12 exploitation paths, Organizations (SCPs, RCPs, delegated admin), SSO/Identity Center, Bedrock/GenAI (KB poisoning, agent injection, guardrail bypass), OIDC federation, ECScape, EKS Pod Identity, whoAMI, IAM Roles Anywhere |
| `gcp-attack-paths.md` | 39 validated IAM escalation paths, Deployment Manager, Jenga class (ConfusedFunction/ConfusedComposer/ImageRunner/CloudImposer), Vertex AI exploitation (ModeLeak/Agent Engine/Ray), Org Policy bypass, Pub/Sub + Dataflow poisoning, tag-based escalation (Mitiga 2025), DeleFriend DWD, Sys:All GKE |
| `azure-attack-paths.md` | RBAC escalation, SpecterOps SP abuse, first-party app exploitation (UnOAuthorized 2024, I SPy 2025), PIM bypass (eligible/active, policy manipulation), expanded Conditional Access bypass (device compliance, named locations, CAE, token lifetime), Workload Identity Federation, Managed Identity, nOAuth, Storage/Key Vault |
| `real-world-breaches.md` | 30+ unique breach case studies mapped to misconfiguration patterns. Capital One, BlueBleed, SolarWinds, Midnight Blizzard, Uber, Codefinger, IngressNightmare, Sys:All GKE, DeleFriend, ConfusedFunction and more |
| `identity-federation.md` | Golden/Silver SAML, OIDC trust exploitation (GitHub/GitLab/Terraform Cloud), GCP Domain-Wide Delegation, GCP Workload Identity Federation, Azure Workload Identity Federation, Entra ID Actor Token vulnerability |
| `persistence-evasion-exfil.md` | AWS/Azure/GCP persistence arsenals, HMAC key unauditability (Vectra), CloudTrail evasion hierarchy, GuardDuty bypass, GCS forensic indistinguishability (Mitiga), S3 ransomware (5 variants), GCP exfiltration (GCS/BigQuery/DWD/Pub-Sub/Serial C2), DNS/subdomain takeover |
| `container-serverless-cicd.md` | Bishop Fox Bad Pods (8 levels), EKS/AKS/GKE vectors, ECScape, IngressNightmare, Lambda/Cloud Functions/Cloud Run abuse, CI/CD pipeline exploitation, supply chain trends |
| `lateral-movement.md` | AWS SSM SendCommand, EC2 Instance Connect, Azure Pass-the-PRT, Intune code execution, cross-tenant sync, GCP SA impersonation chaining, metadata SSH injection, Cloud Functions code injection, DWD Workspace pivot, WIF cross-cloud pivot, OS Patch abuse, Dataproc exploitation, Serial Console access |
| `tools-resources.md` | 50+ offensive tools (incl. gcpwn, gcploit, DeleFriend, Patchy), awesome lists, research blogs, training labs |
| `mitre-cloud-matrix.md` | Full ATT&CK Cloud matrix with AWS/Azure/GCP-specific technique mappings, 13 pre-built attack chain β†’ MITRE mappings |
| `threat-hunting-queries.md` | Provider-specific hunting patterns for CloudTrail, Azure Activity Log and GCP Audit Log. Escalation, persistence, evasion, lateral movement, exfiltration indicators with detection blind spots |
| `toxic-combos.md` | Permission combination matrices (AWS, Azure, GCP, Cross-Cloud). Individual findings that become critical when combined |
| `source-registry.md` | Audit-proof source attribution index with confidence levels (Verified/Research/Community/Inferred) and validation types (Real-world/Vendor-confirmed/Lab-validated/Tool-implemented/Theoretical) for every claim |
| `exploitability-constraints.md` | Common blockers per cloud provider (SCPs, Permission Boundaries, Org Policies, Conditional Access, PIM, VPC Service Controls). Every attack path must be evaluated against these defensive controls |

## πŸ”₯ Attack Path Coverage

### AWS β€” 58 Validated Paths

Paths 1–7 (direct IAM policy manipulation), Paths 8–10 (credential theft), Paths 11–22 (PassRole + 12 exploitation paths), Paths 23–28 (permission boundary attacks), Paths 29–31 (Lambda-specific), Paths 32–35 (trust policy manipulation), Paths 36–42 (2024–2026 vectors: Bedrock AgentCore, OIDC federation, CVE-2024-28056 Amplify, ECScape, EKS Pod Identity, CodeBuild supply chain), Paths 43–48 (HackingThe.Cloud: GitLab/Terraform OIDC default-vulnerable, whoAMI AMI confusion, public resource playbook, Cognito self-signup, IAM Roles Anywhere persistence), Paths 49–52 (AWS Organizations: CreateAccount, SCP manipulation, delegated administrator abuse, account invitation), Paths 53–55 (SSO/Identity Center: permission set creation, account assignment, directory user creation), Paths 56–58 (Bedrock/GenAI expanded: Knowledge Base data poisoning, model access control bypass, agent prompt injection)

### Azure β€” Full Entra ID + RBAC

RBAC escalation (Elevated Access Toggle, Cloud Shell hijack), Service Principal abuse (SpecterOps), first-party app exploitation (UnOAuthorized 2024, I SPy 2025), PIM bypass (eligible/active assignments, policy manipulation, approval chain abuse), Conditional Access bypass (device compliance, named locations, CAE gaps, token lifetime, authentication strength), Workload Identity Federation (missing subject constraints, cross-cloud pivoting), Managed Identity escalation (4 Praetorian methods + Logic App + Automation Account), nOAuth vulnerability, Storage/Key Vault exploitation

### GCP β€” 39 Validated Paths

Deployment Manager escalation (most dangerous single GCP permission), direct IAM policy manipulation (project/org/folder), SA key & token creation (8 methods), actAs + 8 services (Compute, Cloud Functions, Cloud Run, Composer, Dataflow, Dataproc, Notebooks, Cloud Tasks), Jenga-class confused deputy vulnerabilities (ConfusedFunction TRA-2024-20, ConfusedComposer TRA-2025-03, ImageRunner TRA-2025-04, CloudImposer), Vertex AI exploitation (ModeLeak/Unit 42, Agent Engine/XM Cyber, Ray clusters), tag-based IAM condition escalation (Mitiga/DEF CON 2025), DeleFriend DWD exploitation (Hunters 2023), Sys:All GKE RBAC (Orca 2024, 250K+ clusters)

### Cross-Platform

Container/K8s (Bishop Fox Bad Pods, EKS/AKS/GKE-specific, IngressNightmare CVE-2025-1974), Serverless (Lambda/Cloud Functions/Cloud Run), CI/CD (GitHub Actions/GitLab/Terraform Cloud OIDC, Azure DevOps CVEs, CodeBuild supply chain), Identity federation (Golden/Silver SAML, OIDC, GCP Domain-Wide Delegation, Workload Identity Federation), Cloud ransomware (5 S3 variants including Codefinger SSE-C)

## πŸ’€ Real-World Breach Database

30+ unique case studies across 13 categories, mapped to the misconfiguration pattern that caused each breach:

- **Capital One (2019)** β€” SSRF β†’ IMDSv1 β†’ S3, 106M records, $80M penalty
- **BlueBleed / Microsoft (2022)** β€” Misconfigured Azure Blob, 2.4TB, 65K entities, 111 countries
- **SolarWinds / SUNBURST (2020)** β€” Golden SAML + overpermissioned SAs, 18K orgs
- **Midnight Blizzard β†’ Microsoft (2024)** β€” OAuth cross-tenant trust, senior leadership email exfil
- **Uber (2016)** β€” Hardcoded AWS keys in GitHub, 57M records, $148M settlement
- **Codefinger (2025)** β€” S3 SSE-C ransomware, permanent data loss
- **IngressNightmare (2025)** β€” CVE-2025-1974, unauthenticated K8s RCE, 48% of cloud environments
- **whoAMI (2025)** β€” AMI name confusion supply chain attack
- And more including Twitch, Booz Allen, Tesla, Codecov, CircleCI, Okta/Lapsus$, Power Apps, Sys:All GKE (250K clusters), DeleFriend DWD, ConfusedFunction, GCP cryptomining campaigns, North Korean UNC4899...

## πŸ§ͺ Example

A FinTech startup pastes their production Terraform config (~490 lines, AWS single-provider). Full analysis: [`skycenter-fintech-output.md`](assets/skycenter-fintech-output.md)


Input (abbreviated)

```hcl
backend "s3" {
  bucket = "fintech-prod-terraform-state"
  key    = "production/terraform.tfstate"
  # encrypt      = true   # COMMENTED OUT
  # dynamodb_table = "terraform-locks"  # DISABLED
}

resource "aws_iam_role" "github_actions" {
  assume_role_policy = jsonencode({
    Statement = [{
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # No "sub" condition
        }
      }
    }]
  })
}
resource "aws_iam_role_policy_attachment" "github_actions_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_role" "cicd_deploy" {
  permissions_boundary = aws_iam_policy.deploy_boundary.arn
  # has iam:PassRole + lambda:CreateFunction
}
resource "aws_iam_policy" "deploy_boundary" {
  # Denies iam:*, organizations:*, sts:AssumeRole
}
```




Output (abbreviated)

**skycenter β€” Attack Chain Analysis Report**

**Target:** FinTech Startup Production Environment (`fintech-prod`, `eu-west-1`)

---

**Executive Summary**

4 attack paths (3 CRITICAL, 1 HIGH) across 6 attacker profiles. Terraform state bucket is the **keystone**: plaintext credentials for every service, no Block Public Access, no encryption, no versioning. GitHub Actions OIDC trust without `sub` claim grants `AdministratorAccess` to any GitHub user globally. CI/CD permission boundary correctly blocks PassRole escalation.

---

**Critical Attack Paths**

**Attack Path 1: State Bucket β†’ Credential Harvest β†’ RDS + Stripe Compromise** β€” CRITICAL (18/20)
- **Attacker Profile**: External Authenticated (any AWS account)
- **Entry Point**: S3 bucket `fintech-prod-terraform-state` β€” no Block Public Access, no encryption
- **Chain**: Enumerate bucket β†’ read `terraform.tfstate` β†’ extract plaintext RDS password + Stripe live key β†’ connect to public RDS β†’ exfiltrate PII
- **Requires**: Bucket reachable, state contains resolved secrets (Terraform default)
- **Blocked if**: Account-level S3 Block Public Access enabled
- **Assumptions**: No account-level Block Public Access (verify: `aws s3control get-public-access-block`)
- **Toxic Combo**: Public S3 + Terraform state + publicly accessible RDS + hardcoded Stripe key
- **MITRE ATT&CK**: T1530 β†’ T1552.001 β†’ T1078.004 β†’ T1041
- **Blast Radius**: Customer database (PII), Stripe payment system, all infra secrets
- **Risk Score**: 18/20 β†’ CRITICAL (Complexity: 4 | Access: 3 | Prerequisites: 3 | Blast: 4 | Detection: 4)
- **Confidence**: Research β€” Terraform state credential exposure documented by HashiCorp
- **Validation**: Real-world observed β€” Uber (2016), 57M records, $148M settlement
- **Detection Gap**: No S3 access logging, no CloudTrail data events. Exfiltration likely invisible.
- **Remediation**: Add `aws_s3_bucket_public_access_block`, enable encryption, add state locking, rotate all credentials

**Attack Path 2: GitHub OIDC β†’ AdministratorAccess β†’ Full Account Takeover** β€” CRITICAL (19/20)
- **Attacker Profile**: External Authenticated (any GitHub user)
- **Entry Point**: OIDC trust checks `aud` only, no `sub` condition
- **Chain**: Any GitHub repo β†’ OIDC token β†’ `AssumeRoleWithWebIdentity` β†’ AdministratorAccess β†’ full account
- **Requires**: OIDC provider active (confirmed), no `sub` claim (confirmed), AdministratorAccess (confirmed)
- **Blocked if**: SCP restricts `sts:AssumeRoleWithWebIdentity`
- **Confidence**: Verified β€” documented by HackingThe.Cloud, tooling exists (oidc-scanner-aws)
- **Remediation**: Add `sub` condition, replace AdministratorAccess with least-privilege

**Attack Path 3: Hardcoded Creds + SSH + Public RDS β†’ Database + Payment Compromise** β€” CRITICAL (17/20)
- **Attacker Profile**: External Unauthenticated (via SSH) or Insider-Developer (via API)
- **Entry Point**: EC2 user_data contains plaintext `DB_PASSWORD` + `STRIPE_SECRET_KEY`, SSH open to `0.0.0.0/0`
- **Chain**: SSH to public EC2 β†’ read credentials from environment β†’ connect to public RDS β†’ customer PII
- **Blocked if**: SSH key-only auth with strong key, or secrets moved to Secrets Manager
- **Remediation**: Move secrets to Secrets Manager, restrict SSH to SSM Session Manager, set RDS `publicly_accessible = false`

**Attack Path 4: Wildcard Partner Trust β†’ Customer Data** β€” HIGH (16/20)
- **Attacker Profile**: External Authenticated (any AWS account)
- **Chain**: `sts:AssumeRole` with `"Principal": {"AWS": "*"}`, no ExternalId β†’ S3 read on customer data
- **Blocked if**: RCP restricts cross-account access
- **Remediation**: Replace `"AWS": "*"` with specific partner account ID, add ExternalId

---

**Predictable Attack Surface**

**Unencrypted Terraform State as Credential Store**
- *Vulnerability Genesis*: Terraform stores passwords, API keys and connection strings in plaintext state. `sensitive = true` prevents console output but NOT state storage. No encryption + no locking = single point of credential harvest.
- *Exploitation Method*: `aws s3 cp s3://fintech-prod-terraform-state/production/terraform.tfstate .` β†’ parse with `jq`
- *Real-World Precedent*: Uber (2016) β€” credentials in accessible file, 57M records, $148M settlement
- *Attack Scenario*: Ransomware operator discovers bucket via automated enumeration. Downloads state, extracts RDS + Stripe credentials, connects to public database, exfils PII, initiates fraudulent transactions. Under 15 minutes.

---

**Individual Findings**

F1: EC2 reuses Lambda role β€” shared identity, no defense in depth. F2: SSH open to `0.0.0.0/0`. F3: RDS `publicly_accessible = true` with open SG. F4: ECR PutImage on CI/CD role β€” supply chain risk. F5: Lambda wildcard resource scope.

*Defenses acknowledged: CI/CD permission boundary blocks PassRole (dead letter code). KMS properly configured. IMDSv2 enforced. Customer data bucket hardened. Not flagged as findings.*

---

**Lateral Movement** β€” State bucket is primary keystone (credentials feed Paths 3/5). OIDC is total keystone (AdministratorAccess reaches everything). Partner role independently exploitable.

**Persistence** β€” Post-OIDC: new IAM users, modified trust policies, EventBridge self-healing rules, federation backdoor. Post-state: Stripe key usable until rotated, RDS access until password changed AND public access removed.

**Missing Context** β€” CloudTrail status, account-level S3 Block Public Access, SCPs, RCPs, GuardDuty, SSH key config, ECS cluster, WAF/CDN, network routing tables.



## πŸ—‚οΈ Repository Structure

```
skycenter/
β”œβ”€β”€ README.md                                   
β”œβ”€β”€ SKILL.md                                    Core analysis methodology and checklists
└── references/
    β”œβ”€β”€ aws-attack-paths.md                     58 AWS IAM privilege escalation paths
    β”œβ”€β”€ azure-attack-paths.md                   Azure RBAC, Entra ID, Managed Identity abuse
    β”œβ”€β”€ gcp-attack-paths.md                     39 GCP IAM paths, Jenga class, Vertex AI, DWD
    β”œβ”€β”€ lateral-movement.md                     Cross-service movement (AWS + Azure + GCP)
    β”œβ”€β”€ container-serverless-cicd.md            K8s, Lambda, Cloud Run, CI/CD pipelines
    β”œβ”€β”€ identity-federation.md                  SAML, OIDC, DWD, Workload Identity Federation
    β”œβ”€β”€ persistence-evasion-exfil.md            Persistence, CloudTrail evasion, ransomware
    β”œβ”€β”€ real-world-breaches.md                  30+ unique breach case studies
    β”œβ”€β”€ mitre-cloud-matrix.md                   MITRE ATT&CK Cloud matrix
    β”œβ”€β”€ threat-hunting-queries.md                CloudTrail, Azure, GCP hunting patterns
    β”œβ”€β”€ toxic-combos.md                         Permission combination matrices
    β”œβ”€β”€ source-registry.md                      Audit-proof source attribution index
    β”œβ”€β”€ exploitability-constraints.md            Common blockers per cloud provider
    └── tools-resources.md                      Offensive tools, labs, resources
```

## πŸ“š Sources & References

All techniques are documented by their original researchers. No proprietary or non-public information is included.

### Research Sources

- **[Rhino Security Labs](https://rhinosecuritylabs.com)** β€” AWS IAM Privilege Escalation (original 21 paths), [Pacu](https://github.com/RhinoSecurityLabs/pacu), [GCP IAM Privilege Escalation](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation)
- **[SpecterOps](https://specterops.io)** β€” Azure SP abuse, [AzureHound](https://github.com/BloodHoundAD/AzureHound)/BloodHound, [PowerZure](https://github.com/hausec/PowerZure)
- **[Wiz Research](https://wiz.io/blog)** β€” EKS Pod Identity, IngressNightmare (CVE-2025-1974), CodeBuild supply chain
- **[Datadog Security Labs](https://securitylabs.datadoghq.com)** β€” [Stratus Red Team](https://github.com/DataDog/stratus-red-team), [pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud), I SPy Entra ID
- **[HackingThe.Cloud](https://hackingthe.cloud)** β€” Cloud security encyclopedia by Nick Frichette
- **[HackTricks Cloud](https://cloud.hacktricks.xyz)** β€” Cloud/SaaS hacking encyclopedia by Carlos Polop
- **[NetSPI](https://netspi.com/blog)** β€” [MicroBurst](https://github.com/NetSPI/MicroBurst), [gcpwn](https://github.com/NetSPI/gcpwn) GCP pentest framework, Managed Identity escalation
- **[Tenable](https://tenable.com/blog)** β€” ConfusedFunction, ConfusedComposer (TRA-2025-03), ImageRunner, CloudImposer, Looker Studio SQLi, Vertex AI Workbench takeover. Most prolific GCP vuln researcher (Liv Matan)
- **[Hunters Security](https://hunters.security/blog)** — [DeleFriend](https://github.com/axon-git/DeleFriend) DWD exploitation, GCP→Workspace attack chain
- **[Orca Security](https://orca.security/resources/blog)** β€” Sys:All GKE RBAC (250K+ clusters), Bad.Build, Dataproc unauthenticated access
- **[Varonis](https://varonis.com/blog)** β€” Dataflow Rider shadow resource abuse in GCP Dataflow
- **[XM Cyber](https://xmcyber.com/blog)** β€” Vertex AI Agent Engine exploitation, Ray on Vertex AI escalation
- **[Vectra AI](https://vectra.ai/blog)** β€” GCP HMAC key unauditability research (Kat Traxler)
- **[Bishop Fox](https://bishopfox.com/blog)** β€” [Bad Pods](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation), [CloudFox](https://github.com/BishopFox/cloudfox), [IAM Vulnerable](https://github.com/BishopFox/iam-vulnerable)
- **[Palo Alto Unit 42](https://unit42.paloaltonetworks.com)** β€” Cloud lateral movement, EC2 Instance Connect, K8s RBAC escalation
- **[Praetorian](https://praetorian.com/blog)** β€” GCP SA privilege escalation, Azure Managed Identity escalation
- **[Semperis](https://semperis.com)** β€” UnOAuthorized (Black Hat 2024), Silver SAML, nOAuth
- **[Mitiga](https://mitiga.io/blog)** β€” GCP tag-based escalation (2025), ConsentFix, GCP exfil guide
- **[Dirk-jan Mollema](https://dirkjanm.io)** β€” [ROADtools](https://github.com/dirkjanm/ROADtools), Entra ID Actor Token, TAP abuse
- **[GitLab Red Team](https://about.gitlab.com/blog/plundering-gcp-escalating-privileges-in-google-cloud-platform/)** β€” "Plundering GCP" research
- **[Dylan Ayrey / gcploit](https://github.com/dxa4481/gcploit)** β€” GCP privilege escalation scanner + exploit framework (DEF CON 28 / Black Hat 2020)
- **[SOCRadar](https://socradar.io)** β€” BlueBleed discovery
- **[CyberArk](https://cyberark.com)** β€” Golden SAML, [SkyArk](https://github.com/cyberark/SkyArk)
- **[Microsoft MSRC](https://msrc.microsoft.com)** β€” [Azure Threat Research Matrix](https://microsoft.github.io/Azure-Threat-Research-Matrix/), CVE-2025-53767
- **[Red Canary](https://redcanary.com/blog)** β€” GCP SA key persistence (2025)
- **[Trend Micro](https://trendmicro.com/research)** β€” S3 ransomware taxonomy (2025)

### Community Awesome Lists

- **[awesome-aws-security](https://github.com/jassics/awesome-aws-security)** β€” AWS security links and exploits
- **[awesome-azure-security](https://github.com/kmcquade/awesome-azure-security)** β€” Azure security tools and guides
- **[Awesome-Azure-Pentest](https://github.com/Kyuu-Ji/Awesome-Azure-Pentest)** β€” Azure pentesting resources
- **[awesome-gcp-pentesting](https://github.com/Littlehack3r/awesome-gcp-pentesting)** β€” GCP offensive security resources
- **[awesome-cloud-security](https://github.com/4ndersonLin/awesome-cloud-security)** β€” Multi-cloud security resources
- **[my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)** β€” AWS security tool collection
- **[OffensiveCloud](https://github.com/lutzenfried/OffensiveCloud)** β€” Offensive TTP for AWS/Azure/GCP

## ℹ️ Accuracy & Maintenance

All content is based on publicly available verifiable research. CVE numbers reference [NVD](https://nvd.nist.gov/) and [MSRC](https://msrc.microsoft.com/) entries. Breach case studies cite publicly reported incidents.


## ⚠️ Disclaimer

This skill is intended for authorized security assessments and penetration testing and defensive security operations only. The attack techniques documented here should be used exclusively by professionals authorized to perform security testing. Always obtain proper written authorization before assessing any cloud environment. The authors are not responsible for misuse of this information.