Enumerate IAM permissions, escalate to administrator, harvest credentials from IMDS and Secrets Manager, plant persistent backdoors, and exfiltrate from S3 — across AWS, Azure, and GCP in a single engagement workflow.
Cloud environments fail at the identity layer. Misconfigured IAM policies, overly permissive roles, and credentials stored in compute metadata have made cloud account compromise one of the most reliably achievable goals in a modern red team engagement.
Nebula models the adversary who enters through a single set of credentials — often leaked from source code, exposed on EC2 user-data, or harvested from IMDSv1 — and escalates to full cloud administrator:
| Stage | What Fails | Adversary Action |
|---|---|---|
| Reconnaissance | sts:GetCallerIdentity is unrestricted — any credential can reveal its identity |
Identify who we are, what account we're in, and what permissions are attached |
| Permission Analysis | Inline policies + managed policies + group policies are rarely audited as a combined set | Enumerate all effective permissions across inline, attached, and group-level policy documents |
| Privilege Escalation | Overly permissive IAM policies (iam:AttachUserPolicy, iam:CreatePolicyVersion, iam:PassRole) |
Chain 14 mapped escalation techniques — from policy version replacement to SSM EC2 command execution |
| Credential Harvesting | IMDSv2 not enforced, Secrets Manager lacks resource policies, Lambda env vars store plaintext secrets | Harvest credentials from IMDS, Secrets Manager, SSM Parameter Store, Lambda environment, EC2 user-data |
| Persistence | No alerting on IAM user creation or cross-account trust policy modification | Create backdoor IAM user with admin access; plant external cross-account role with custom ExternalId |
| Lateral Movement | Role trust policies allow cross-account assumption without conditions | Enumerate all assumable roles, sort by admin-level and cross-account priority, assume each |
| Exfiltration | S3 buckets holding backups, PII, and production data without lifecycle alerts | Enumerate all accessible buckets by keyword; list and selectively download high-value objects |
Scope: Authorized red team engagements and cloud security assessments where the goal is to demonstrate the blast radius of a compromised cloud identity.
Cloud security is primarily an IAM problem. Every significant cloud breach in the public record — from CapitalOne to Code Spaces to countless S3 exposure incidents — traces back to an identity with permissions it never needed, configured without understanding the attack paths those permissions created.
Standard cloud security tools audit configuration against benchmarks. Nebula attacks the configuration.
The difference: a benchmark scanner tells you that IMDSv2 is not enforced. Nebula harvests the IAM role credentials from IMDSv1 and shows you what an attacker does with them in the next step.
Nebula is built around EngagementContext — a shared state object that carries harvested credentials, discovered roles, and confirmed escalation paths from one module to the next. The credential Nebula harvests from IMDS in the CredDump module is the same credential it uses in the Lateral module for role assumption. Findings compound.
AWS:
STS GetCallerIdentity— confirm identity, account ID, ARN- Effective permissions enumeration — fetch inline policies, attached managed policies, and group policies; merge into a complete permission set
- IAM user listing — enumerate all users, last key usage, and MFA status
- Assumable role enumeration — identify all roles with trust policies allowing assumption by the current identity (cross-account first)
- Active region sweep — identify which AWS regions have running EC2 instances
Azure:
- Subscription enumeration — list all accessible subscriptions
- Privileged role assignment detection — identify Owner, Contributor, and User Access Administrator assignments
GCP:
- IAM policy retrieval — get organization or project-level IAM bindings
- High-value binding identification — flag
roles/owner,roles/editor,roles/iam.securityAdminassignments
14 mapped escalation techniques keyed to specific IAM permissions:
| Permission | Escalation Path |
|---|---|
iam:AttachUserPolicy |
Attach AdministratorAccess to current user |
iam:PutUserPolicy |
Create inline admin policy on current user |
iam:CreatePolicyVersion |
Replace existing managed policy version with admin policy |
iam:CreateAccessKey |
Create access key for any user — including admin accounts |
iam:UpdateAssumeRolePolicy |
Inject current identity into admin role trust policy |
ssm:SendCommand + ec2:DescribeInstances |
Execute command on EC2 via SSM; retrieve IMDS credentials |
iam:SetDefaultPolicyVersion |
Revert a managed policy to an earlier permissive version |
iam:PassRole + ec2:RunInstances |
Launch EC2 with admin role attached |
iam:PassRole + lambda:CreateFunction |
Deploy Lambda with admin role; invoke for credential extraction |
iam:CreateRole + iam:AttachRolePolicy |
Create new admin role; assume it |
sts:AssumeRole (wildcard) |
Assume any role without conditions |
iam:AddUserToGroup |
Add current user to an admin group |
glue:CreateDevEndpoint |
Create Glue dev endpoint with admin role; SSH for credentials |
cloudformation:CreateStack + iam:PassRole |
Deploy CloudFormation stack with admin role |
Azure: Assign Owner role to current identity.
GCP: Set IAM policy binding granting current identity roles/owner.
- IMDSv2 harvest — PUT for token → retrieve role name → GET credentials (AccessKeyId, SecretAccessKey, SessionToken)
- Secrets Manager dump — list and retrieve up to 20 secrets across the account; scan for credential patterns in secret values
- SSM Parameter Store — retrieve all SecureString parameters with automatic decryption; scan for patterns
- Lambda environment variables — list all functions; extract environment variables; flag credential patterns
- EC2 user-data — retrieve base64-encoded user-data for running instances; decode and scan for hardcoded credentials, bootstrap scripts containing secrets
- IAM backdoor user — create IAM user with randomized name from
BACKDOOR_NAMES(aws-health-monitor,ec2-metrics-agent,lambda-log-processor,cloud-telemetry-sync,iam-audit-reader,cost-allocation-helper); attachAdministratorAccess; create access key pair; output cleanup command - Cross-account backdoor role — create IAM role with external account trust policy and custom
ExternalIdcondition; attach admin policy; allows operator to re-enter from external account even after initial credentials are rotated
- Enumerate all IAM roles with
sts:AssumeRoletrust policies - Sort by priority: cross-account roles first, then admin-named roles
- Attempt
sts:AssumeRolefor each; store returned credentials per role - Support specific role ARN targeting for direct assumption
- Enumerate all accessible S3 buckets — filter by keyword:
backup,prod,secret,credential,pii,data,database,private,sensitive,internal,config,logs - List matched bucket contents — object count and total size
- Download mode: selectively retrieve high-value objects
- Dry-run mode: report what would be exfiltrated without downloading
Credentials (AWS / Azure / GCP)
│
▼
EngagementContext
┌──────────────────────────────────┐
│ provider · region · session │
│ harvested_creds · roles │
│ escalation_paths · loot │
└──────────────────────────────────┘
│
┌─────────┼─────────┐
▼ ▼ ▼
ReconModule PrivEsc CredDump
IAM/STS Module IMDS/SM/SSM
identity 14 AWS Lambda/UserData
paths
│
├──────────────────┐
▼ ▼
PersistModule LateralModule
backdoor user role chaining
cross-acct role assume all
│
▼
ExfilModule
S3 keyword hunt
selective download
│
▼
JSON Report
(provider · action · finding)
- Identity confirmation —
STS GetCallerIdentityconfirms current identity, account, and ARN across all configured providers - Permission mapping — enumerate inline, attached, and group-level IAM policies; construct effective permission set; identify escalation-relevant permissions
- Escalation evaluation — compare effective permissions against 14 escalation path definitions; execute feasible escalation techniques in priority order
- Credential harvest sweep — IMDSv2 (if running on EC2 or reachable from inside a VPC/EKS); Secrets Manager full dump; SSM SecureString decryption; Lambda env var extraction; EC2 user-data decode
- Persistence plant — create backdoor IAM user with admin access; create cross-account trust role; output credentials and cleanup commands to operator
- Role assumption chain — enumerate all assumable roles across the account; attempt assumption sorted by cross-account and admin-naming priority; store all successful credentials
- S3 exfiltration — enumerate all buckets, filter by high-value keyword patterns, assess total data volume, selectively download in non-dry-run mode
- Report —
--output report.jsonwith full finding list, credentials extracted, escalation paths confirmed, and roles assumed
# Install dependencies
pip install -r requirements.txt
# AWS: identify current identity and enumerate permissions
python nebula.py --provider aws --modules recon
# AWS: test all 14 privilege escalation paths
python nebula.py --provider aws --modules privesc
# AWS: harvest credentials from IMDS, Secrets Manager, SSM, Lambda
python nebula.py --provider aws --modules credharvest
# AWS: plant backdoor IAM user
python nebula.py --provider aws --modules persist
# AWS: enumerate and assume all reachable roles
python nebula.py --provider aws --modules lateral
# AWS: find and exfiltrate from S3 (dry-run)
python nebula.py --provider aws --modules exfil --dry-run
# Azure: enumerate subscriptions and privileged assignments
python nebula.py --provider azure --modules recon
# GCP: enumerate IAM bindings and high-value roles
python nebula.py --provider gcp --modules recon
# Full AWS engagement chain
python nebula.py --provider aws --modules all --output cloud-findings.json
# Non-interactive mode
python nebula.py --provider aws --modules all --yes --output results.json16:03:21 [INFO] [Recon] Identity: arn:aws:iam::123456789012:user/dev-deploy
16:03:21 [INFO] [Recon] Account: 123456789012 | Region: eu-west-1
16:03:22 [INFO] [Recon] Effective permissions: 47 actions across 12 services
16:03:23 [CRIT] [PrivEsc] Path available: iam:CreatePolicyVersion
16:03:23 [CRIT] [PrivEsc] Executed: replaced policy → admin policy version set as default
16:03:24 [CRIT] [PrivEsc] iam:CreateAccessKey path available — admin user: admin-ops
16:03:24 [CRIT] [PrivEsc] Access key created for admin-ops: AKIAIOSFODNN7EXAMPLE / ...
16:03:25 [CRIT] [CredDump/IMDS] IMDSv2 token acquired — role: ec2-app-role
16:03:25 [CRIT] [CredDump/IMDS] Credentials: AccessKeyId=ASIA... Expiration=+1h
16:03:26 [CRIT] [CredDump/SM] Secret: prod/database/master-password — postgresql://admin:C0nf!dential@db.internal
16:03:27 [CRIT] [CredDump/Lambda] Function: order-processor — env var DB_SECRET=hardcoded-value
16:03:28 [CRIT] [Persist] Backdoor IAM user created: aws-health-monitor
16:03:28 [CRIT] [Persist] AccessKey: AKIAIOSFODNN7EXAMPLE | SecretKey: [stored in output]
16:03:28 [INFO] [Persist] Cleanup: aws iam delete-user --user-name aws-health-monitor
16:03:29 [INFO] [Lateral] Assumable roles: 8 found
16:03:30 [CRIT] [Lateral] Assumed: arn:aws:iam::987654321098:role/OrganizationAccountAccess (cross-account)
16:03:30 [CRIT] [Lateral] Assumed: arn:aws:iam::123456789012:role/AdminRole
16:03:31 [INFO] [Exfil] S3 buckets matching keywords: prod-backups (2.3GB), internal-configs (447MB)
16:03:31 [WARN] [Exfil] Dry-run mode — 2.7GB would be exfiltrated
[✓] Cloud engagement complete — 10 critical findings | report: cloud-findings.json
| Technique | ID | Module |
|---|---|---|
| Valid Accounts: Cloud Accounts | T1078.004 | ReconModule |
| Abuse Elevation Control Mechanism | T1548 | PrivEscModule |
| Unsecured Credentials: Cloud Instance Metadata API | T1552.005 | CredDumpModule (IMDS) |
| Unsecured Credentials: Credentials in Files | T1552.001 | CredDumpModule (user-data, env vars) |
| Account Manipulation: Additional Cloud Credentials | T1098.001 | PersistModule |
| Create Account: Cloud Account | T1136.003 | PersistModule |
| Use Alternate Authentication Material | T1550 | LateralModule (role assumption) |
| Transfer Data to Cloud Account | T1537 | ExfilModule |
| Permission Groups Discovery: Cloud Groups | T1069.003 | ReconModule |
Tactics: TA0001 Initial Access · TA0003 Persistence · TA0004 Privilege Escalation · TA0006 Credential Access · TA0008 Lateral Movement · TA0009 Collection · TA0010 Exfiltration
| CWE | Description | Where |
|---|---|---|
| CWE-250 | Execution with Unnecessary Privileges | IAM privilege escalation paths |
| CWE-269 | Improper Privilege Management | Overly permissive IAM policies |
| CWE-306 | Missing Authentication for Critical Function | IMDSv1 (no token requirement), Secrets Manager without resource policies |
| CWE-522 | Insufficiently Protected Credentials | Lambda env vars, EC2 user-data, SSM parameters |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | IAM role trust policies, S3 bucket policies |
| CWE-200 | Exposure of Sensitive Information | Secrets Manager, parameter store without KMS |
Nebula is designed exclusively for authorized penetration testing and cloud security assessment activities where explicit written permission has been obtained from the cloud account owner. Creating IAM resources, assuming roles, or accessing cloud credentials without authorization violates cloud provider terms of service and is illegal in most jurisdictions. The author assumes no liability for misuse.