TL;DR, What is Pacu?
Pacu is an open-source AWS exploitation framework, often described as the “Metasploit equivalent” for cloud security.
For security professionals, manual AWS penetration testing can be slow and miss complex, cloud-specific vulnerabilities. Pacu helps solve the problem by automating post-compromise attack simulations. The framework provides modular tools to identify and exploit misconfigurations, such as IAM privilege escalation paths, exposed S3 buckets, and vulnerable Lambda functions. By turning days of manual work into minutes of automated assessment, the tool helps penetration testers move from initial access to exploiting the full environment.
Pacu, developed and maintained by Rhino Security Labs, is a popular tool for modern cloud red teaming operations.

At-A-Glance
GitHub: https://github.com/RhinoSecurityLabs/pacu
License: BSD-3-Clause
Primary Language: Python
Stars: 4.9k ⭐
Last Release: July 2025
Topics/Tags: aws, security, pentesting, exploitation-framework
Common use cases
1. AWS Penetration Testing: You can use Pacu to simulate real-world attacks against an AWS environment. After gaining initial access, security professionals use Pacu to perform deep reconnaissance, run IAM privilege escalation techniques, and exploit misconfigurations to show business impact. Using Pacu helps organizations identify and fix vulnerabilities before attackers can exploit them.
2. Cloud Red Team Operations: Teams can simulate the tactics of an advanced persistent threat (APT) to test an organization's detection and response capabilities. The simulation involves using Pacu for post-compromise activities like establishing persistence with backdoor IAM users, moving laterally between AWS accounts, exfiltrating sensitive data from S3 or RDS, and evading detection by manipulating logs. A simulation using Pacu provides a realistic assessment of an organization's security monitoring.
3. Automated Security and Configuration Audits: You can use the framework in a non-intrusive, read-only way to run security audits. By running only the reconnaissance and enumeration modules, your security team can quickly scan for common misconfigurations like public S3 buckets, overly permissive IAM policies, or exposed EC2 instances. The scan provides a clear baseline of your security posture without performing any disruptive actions.
4. Cloud Security Training and Education: Pacu works as a hands-on educational tool in controlled lab environments. Cybersecurity students and professionals can use Pacu to learn about cloud-specific attack vectors and methods. Blue teams can use the tool to better understand how attackers operate in AWS, while new penetration testers can gain practical experience with cloud exploitation techniques in a safe setting.
5. Incident Response and Breach Simulation: After a security incident, your response team can use Pacu to replicate a suspected attack path to understand how the breach occurred. By simulating the same TTPs an attacker might have used for lateral movement or privilege escalation, responders can check their theories, find the full scope of the compromise, and discover which security controls failed.
How does Pacu work?
Pacu is a modular framework you manage through a command-line interface. To start, you create a session, which sets up an isolated workspace with a local SQLite database. You then add AWS credentials, which Pacu stores in that session. From there, you can run over 35 specialized attack modules. The modules use the Boto3 SDK to interact with AWS services, saving any collected data back to the session's database to be used by other modules.
Session-Based Workspaces: Each session is a self-contained project with its own SQLite database to store credentials, enumerated data, and logs, preventing data overlap between different assessments.
Extensible Module System: The framework uses attack modules, sorted by function like reconnaissance and privilege escalation. Modules share data through the session database.
Centralized Credential Management: Pacu securely handles multiple AWS key pairs per session, using an active set for all module-based API calls to target services across any AWS region.
Core Capabilities:
1. Modular and Extensible Attack Framework: Pacu has a modular design with over 35 specialized modules for reconnaissance, privilege escalation, persistence, data exfiltration, and log manipulation. The design lets security professionals run targeted attacks against specific AWS services or conduct broader assessments. You can use modules on their own or link them together for complex attack sequences. Because the framework is extensible, you can create and add new modules to cover new AWS services and attack methods.
2. Advanced Session and Credential Management: Pacu includes a session management system that keeps separate, isolated workspaces for different AWS environments. Each workspace uses its own SQLite database to store collected data, credentials, and attack results for organized tracking. The system handles multiple AWS key pairs, temporary session tokens, and cross-account IAM roles in one session. The feature helps with assessments that span multiple AWS accounts or require switching between different permission levels, letting testers maintain context and manage credentials.
3. Automated IAM Privilege Escalation Engine: The tool's privilege escalation engine automates finding and mapping paths to higher permissions in AWS. Modules like privesc_scan can automatically detect more than 20 common IAM privilege escalation vectors by analyzing policies, roles, and trust relationships for misconfigurations. The feature reduces the manual effort needed to find weaknesses in complex IAM structures and allows security testers to quickly see how a low-privilege user could gain administrative access.
4. Comprehensive AWS Service Ecosystem Coverage: The framework covers many AWS services, including IAM, EC2, S3, Lambda, RDS, and CloudTrail. Pacu's modules interact with these services to list resources, check configurations, test for vulnerabilities, and exploit weaknesses. Broad service support helps make security assessments more thorough, giving a better picture of an organization's security posture. By checking how services depend on each other, Pacu can uncover risks that other tools might miss.
5. Persistent Data Storage and Forensic Reporting: Pacu automatically saves all data gathered during an assessment—including listed resources, discovered credentials, and module results—in a local SQLite database for the session. This feature allows for multi-stage assessments that you can pause and resume later. Data storage also works as a log of all activities: A detailed record helps with post-engagement analysis, report generation, and forensic investigations by providing a clear audit trail.
Limitations
1. AWS-Specific Focus: The tool is built only for the Amazon Web Services ecosystem. Its modules, commands, and logic are tied to AWS APIs and services. Pacu offers no support for other cloud providers like Microsoft Azure or Google Cloud Platform (GCP). If you have a multi-cloud or hybrid environment, you will need separate tools to assess your non-AWS infrastructure.
2. Requires Initial Credential Access: Pacu is a post-exploitation framework, which means you need valid AWS credentials (like an access key pair or session token) to use it. The tool does not include modules for getting initial access through methods like phishing or password spraying. Pacu's role begins after a compromise has already occurred, so you can’t use the tool to test perimeter security controls that prevent an initial breach.
3. Potential for Operational Disruption: As an offensive security tool, many of Pacu's modules perform actions that can change the state of an AWS environment. Actions like changing IAM policies, modifying security group rules, or deleting resources carry a risk of causing service disruption or data loss in a production environment. Using Pacu requires caution, expertise, and clear authorization. The tool is best used in isolated test environments or during carefully planned security assessments.
4. High Learning Curve for Novices: The framework's feature set, command-line interface, and large number of specialized modules can be difficult for beginners to learn. To use Pacu effectively, you need a strong understanding of AWS services, IAM, and general cloud security. A user without this knowledge may have trouble interpreting results, linking attacks, or configuring the tool, which could lead to incomplete or inaccurate assessments.
5. Detectable in Mature Security Environments: Actions performed by the framework's modules generate a high number of API calls, which AWS CloudTrail logs. In an environment with strong security—using services like Amazon GuardDuty, AWS Security Hub, or third-party SIEM and CSPM tools—the activity will likely trigger alerts. While some modules try to be quiet or change logs, the tool is not invisible. How well Pacu works against a defended environment depends on the user's ability to avoid detection.
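A defender-side illustration of item 5, added here and not taken from Pacu or the original page: it groups CloudTrail records by access key and flags a key that calls many distinct read-only APIs across several services inside a short window. The thresholds, the key IDs and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("List", "Describe", "Get")  # read-only, enumeration-style API names

def find_enumeration_bursts(records, window=timedelta(minutes=5), min_apis=6, min_services=3):
    """Flag access keys that call many distinct read-only APIs across services in one window."""
    by_key = defaultdict(list)
    for rec in records:
        if rec["eventName"].startswith(READ_PREFIXES):
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[rec["userIdentity"].get("accessKeyId", "unknown")].append((when, rec))
    findings = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            span = [rec for _, rec in events[start:end + 1]]
            apis = {(r["eventSource"], r["eventName"]) for r in span}
            services = sorted({source for source, _ in apis})
            if len(apis) >= min_apis and len(services) >= min_services:
                findings[key] = {
                    "distinct_apis": len(apis),
                    "services": services,
                    "denied": sum(1 for r in span if r.get("errorCode") == "AccessDenied"),
                    "first_seen": events[start][0].isoformat(),
                }
                break  # one finding per key is enough for triage
    return findings

def _rec(ts, source, name, key, error=None):
    """Build a constructed CloudTrail-style record holding only the fields used above."""
    rec = {"eventTime": ts, "eventSource": source, "eventName": name,
           "userIdentity": {"accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec

APP, TEST = "AKIA-CONSTRUCTED-APP", "AKIA-CONSTRUCTED-TEST"  # constructed key IDs
SAMPLE = [  # constructed records, not from a real trail
    _rec("2025-01-10T09:00:00Z", "s3.amazonaws.com", "GetObject", APP),
    _rec("2025-01-10T09:20:00Z", "s3.amazonaws.com", "GetObject", APP),
    _rec("2025-01-10T10:00:05Z", "iam.amazonaws.com", "ListUsers", TEST),
    _rec("2025-01-10T10:00:09Z", "iam.amazonaws.com", "ListRoles", TEST),
    _rec("2025-01-10T10:00:14Z", "iam.amazonaws.com", "GetAccountAuthorizationDetails", TEST, "AccessDenied"),
    _rec("2025-01-10T10:00:31Z", "ec2.amazonaws.com", "DescribeInstances", TEST),
    _rec("2025-01-10T10:00:40Z", "s3.amazonaws.com", "ListBuckets", TEST),
    _rec("2025-01-10T10:01:02Z", "rds.amazonaws.com", "DescribeDBInstances", TEST),
]
```

The application key that only repeats `GetObject` stays below the thresholds, while the key that sweeps IAM, EC2, S3 and RDS within a minute is reported together with its count of denied calls.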
If you're using Pacu for offensive security testing in AWS, you can get ahead of attackers with Wiz. While Pacu helps you simulate post-compromise attack paths, Wiz proactively visualizes those same paths for your defense team. By adding cloud context, you can see how an exploit found by Pacu connects to sensitive data and fix the most critical risks first.
Getting Started:
Step 1: Ensure you have Python 3.7+ and pip3 installed on your system.
Step 2: Upgrade pip and install Pacu by running:
pip3 install -U pip
pip3 install -U pacu
Step 3: Start Pacu by executing:
pacu
Step 4: On first launch, follow the prompt to create and name a new session.
Step 5: Use the `set_keys` command to supply your AWS access key, secret key, and session token if needed.
Step 6: Type help for a list of available commands and guidance on using modules.
Alternatives
Features | Pacu | ScoutSuite | Prowler | CloudSploit |
---|---|---|---|---|
Primary Focus | AWS exploitation framework (offensive) | Multi-cloud security auditing (read only) | Cloud security & compliance | Cloud security posture management (CSPM) |
Key Feature | Modular attack framework for penetration testing | Comprehensive security auditing with detailed reports | Extensive compliance checks (CIS, NIST, etc.) | Automated detection of security risks and misconfigurations |
Cloud Support | AWS | AWS, Azure, GCP, Kubernetes/OCI/DigitalOcean | AWS, Azure, GCP, Kubernetes, M365 | AWS, Azure, GCP, Oracle Cloud |
License | BSD-3-Clause | GPL-2.0 | Apache-2.0 | GPL-3.0 |
Primary Language | Python | Python | Python | Node.js |