SEC588: Cloud Penetration Testing

GIAC Cloud Penetration Tester (GCPN)
GIAC Cloud Penetration Tester (GCPN)
  • In Person (6 days)
  • Online
36 CPEs

SEC588 will equip you with the latest in cloud-focused penetration testing techniques and teach you how to assess cloud environments. The course dives into topics like cloud-based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers, as well as identifying and testing in cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and Amazon Web Services, particularly important given that AWS and Microsoft account for more than half the market. It's one thing to assess and secure a data center, but it takes a specialized skillset to truly assess and report on the risk that an organization faces if its cloud services are left insecure.

What You Will Learn

Aim Your Arrows To The Sky And Penetrate The Cloud

You have been asked to perform a Red Team penetration test assessment. The assets are located mainly in the cloud. What if you have to assess Azure Active Directory, Amazon Web Services (AWS) workloads, serverless functions, or Kubernetes? In this course, you will learn the latest penetration testing techniques focused on the cloud and how to assess cloud environments.

Computing workloads have been moving to the cloud for years. Analysts predict that most if not all companies will have workloads in public and other cloud environments very soon. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when assessing organizations' risks going forward, we need to be prepared to evaluate the security of cloud-delivered services.

The most commonly asked questions regarding cloud security are "Do I need training for cloud-specific penetration testing?" and "Can I accomplish my objectives with other pen test training and apply it to the cloud?" The answer to both questions is yes, but to understand why, we need to address the explicit importance of conducting cloud-focused penetration testing. In cloud-service-provider environments, penetration testers will not encounter a traditional data center design. Specifically, what we rely on to be true in a formal setting  such as who owns the Operating System and the infrastructure, and how the applications are running will likely be very different. Applications, services, and data will be hosted on a shared hosting environment unique to each cloud provider.

SEC588: Cloud Penetration Testing draws from many skill sets that are required to properly assess a cloud environment. If you are a penetration tester, the course will provide a pathway to understanding how to take your skills into cloud environments. If you are a cloud-security-focused defender or architect, the course will show you how the attackers are abusing cloud infrastructure to gain a foothold in your environments.

The course dives into topics of classic cloud Virtual Machines, buckets, and other new issues that appear in cloud-like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also covers Azure and AWS penetration testing, which is particularly important given that AWS and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies but rather to teach you how to assess and report on the actual risk that the organization could face if these services are left insecure.

Syllabus (36 CPEs)

Download PDF
  • Overview

    In this initial course section you will conduct the first phases of a cloud-focused penetration testing assessment. We'll get familiar with how the terms of service, demarcation points, and limits imposed by cloud service providers function. The section features labs on how to perform scans and discovery jobs at Internet scale that can be used in near real-time and through historical searches to uncover target infrastructure and vulnerabilities. We'll also describe how web-scale affects reconnaissance and how to best address it. The exercises are designed to walk you through how to discover valuable artifacts a virtual hacker treasure hunt!

    • Domain Discovery Lab
    • Portscans at Internet Scale
    • Creating and Using Powerful Wordlists with Commonspeak2 and Gobuster
    • Scaling Discovery with Technology Detection Tools such as Intrigue and Nuclei
    • Cloud Assessment Methodology
    • Infrastructure Cloud Components
    • Terms of Service and Demarcation Points
    • Recon at Cloud Scale
    • IP Addressing and Hosts in Cloud Service Providers
    • Mapping URLs to Services
    • Commonspeak2 and Wordlists
    • Visualizations Aids
    • Asset Discovery Frameworks

  • Overview

    This course section will have students work on identity and access management systems that include AWS IAM, Azure Active Directory, and standards-based protocols that underpin these technologies. Students will discover their target range environments and use the technologies to start finding entry points into systems. We'll also walk through standard identity systems for federated SSO, including Azure Active Directory and the underlying Oauth and SAML protocols. Students will learn how to perform username harvesting, look for authentication and unauthenticated file shares, and use standard tooling to automate discovery. We'll also dive into using developer tools such as Postman against systems.

    • Hunting for Key Material
    • AWS User Enumerations
    • Username Harvesting in Azure
    • Discovery Open File Shares
    • Postman and Oauth
    • The Mapping Process
    • Authentications and Key Material
    • AWS Command Line Interface (CLI) Introduction
    • Azure CLI Introduction
    • Username Harvesting
    • Unauthenticated Fileshares
    • Microsoft Identity Systems and Azure Active Directory
    • Authentication Standards in the Web
    • SAML and Golden SAML
    • Introduction to Postman
  • Overview

    Cloud infrastructure lends itself to the potential for priviledge escalation through mechanisms that are afforded to systems administrators and developers. We can abuse these features to move laterally, escalate priviledges, or change our permission sets. This course section walks students through several Compute automation structures in which we are able to perform attacks on cloud targets to show each use case. This course section is very heavy on labs to enforce the concepts of how these attacks operate with or without attacker tools.

    • Microsoft Graph API and Exfiltration
    • Shell Redirections with socat and ngrok
    • AWS Privilege Escalation with AWS Compute
    • Attacking with AWS with PACU
    • Azure Virtual Machines and Backdoors
    • Mimikatz and PRT
    • Microsoft Graph for Data Exfiltration
    • AWS IAM Privilege Escalation Paths
    • AWS Compute
    • Amazon KMS and Keys
    • PACU for AWS Attack Automation
    • Azure Virtual Machines
    • Code Execution on Azure VMs
  • Overview

    This course section focuses on what are referred to as cloud-native applications. While we look in particular at web applications themselves, the section is designed to show how cloud-native applications operate and how we can assess them. Applications in the wild are increasingly container-packaged and microservice-oriented. These applications will have their nuances. They will typically be deployed in a service mesh that at times could indicate a system like Kubernetes is being used. We will be exploring many questions in this section, including:

    • Which application vulnerabilities are critical in my environments?
    • How does Serverless and Lambda change my approach?
    • What is the continuous integration/continuous delivery (CI/CD) pipeline, and how can it be abused?
    • How do microservice applications operate?
    • Backdooring CI/CD Pipelines
    • SSRF Impacts on Cloud Environments
    • Command Line Injections
    • SQL Injections
    • Attacks on Serverless Functions
    • Databases, NoSQL, and Exposed Ports
    • TravisCI and Git Actions
    • Deployment Pipelines
    • Web Application Injections
    • Server Side Request Forgeries and Their Impacts
    • Command Line Injections
    • Serverless Functions in AWS
    • Serverless Functions in Azure
    • Exposed Databases and Ports
    • SQL Injections in Cloud Applications
  • Overview

    This course section explores the world of Kubernetes and infrastructures, then dives into exploitation and red teaming in the cloud. By this point in the course you have a base understanding of our target environments. From that vantage point, we will explore how to exploit what we have found, advance further into the environments, and finally move around laterally. This section will focus on breaking out of containers, understanding service meshes, and exfiltrating data in various ways to show the real business impact of these types of attacks.

    • Kubernetes and Gaining Access to Clusters
    • Backdooring Containers and Gaining a Foothold into Environments
    • Credential Stuffing and Leveraging Password Methodologies
    • Heavy and Lite Shells
    • Load Balancer and Proxy Abuse
    • Domain Fronting
    • Kubernetes and Kubernetes Clusters
    • Leveraging Backdoors in Clusters
    • Red Team and Methodologies
    • Heavy and Lite Shells
    • Data Smuggling
    • Domain Fronting
    • Avoiding Detections
  • Overview

    On your final course day, be prepared to work as a team and complete an end-to-end assessment in a new cloud environment. The applications and settings are all newly designed to imitate real-world environments. This course section is designed to allow students to put together the week's worth of knowledge, reinforce theory and practice, and simulate an end-to-end test. It is also a capstone event, as we will be asking students to write a report using a method that is easy to read for both developers and administrative staff. We will provide students with a few rubrics and ways to work through the scenarios. There are always new and novel solutions, and we like students to share what they have learned and how they did what they did with one another.

GIAC Cloud Penetration Tester

The GCPN certification validates a practitioner's ability to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies.

  • Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery
  • AWS and Azure Cloud Services and Attacks
  • Cloud Native Applications with Containers and CI/CD Pipelines
More Certification Details


Courses that can lead up to this course include:

SANS SEC488: Cloud Security Essentials

SANS SEC542: Web Application Penetration Testing and Ethical Hacking

SANS SEC540: Cloud Security and DevOps Automation

SANS SEC560: Network Penetration Testing and Ethical Hacking

This course has many labs, so it is critical that students come prepared with the following base level of knowledge:

  1. Familiarity with Linux bash - Not expert level, but a base understanding.
  2. Basic familiarity with Azure and AWS CLI tools - Watching a simple introductory video will suffice.
  3. Base understanding of networking and TCP/IP.
  4. Rudimentary understanding of the Metasploit CLI console.
  5. Understanding how pivots work.

Students who have taken SEC560 will have the knowledge needed on some of the topics above, but they may want to also look at the following:

Students coming from SEC540 or a different cloud course will want to look over the following materials:

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements


  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
    • VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
    • Windows users can use this article to learn more about their CPU and OS capabilities.
    • Apple users can use this support page to learn more information about Mac 64-bit capability.


  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.


  • USB 3.0 Type-A port
  • At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.


  • 8 GB RAM (4 GB minimum) is required for the best experience. To verify on Windows 10, press Windows key to open Settings, then click "System," then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."

Hard Drive Free Space

  • 60 GB FREE of FREE space on the hard drive is critical to host the virtual machines and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Additional Hardware Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

  • Network, Wireless Connection
  • A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Additional Software Requirements

  • Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  • Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
  • VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

System Configuration Settings

  • Local Admin - Have an account with local admin privileges.
  • Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.
  • Disable VPN - The ability to disable your enterprise VPN client temporarily for some exercises.
  • Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access to disable or uninstall it at class.
  • Disable AV - The ability to disable your anti-virus tools temporarily for some exercises.
  • You will be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"When I was first asked about putting together a cloud penetration testing class, there were many questions. Could there be room for a class as 'niche' as this? We felt the need to have a class with all new material and topics that we had not covered in any of our other penetration testing classes. I believe we have met that need with this class in ways most could not have imagined. This class breaks the rules and allows us to help you test, assess, and secure cloud environments."

- Moses Frost


This emerging course perfectly complements the change in the direction of red team engagement scopes.
Kyle Spaziani
SANS course SEC588 taught me more than I expected. With the rapid development of new technologies offered by cloud providers, SEC588 has given me an important framework for cloud pen testing.
Jonus Gerrits
SEC588 taught me crucial information needed before putting data in a cloud.
Maria Lopez

    Register for SEC588