CloudConqueror is an open-source Python tool from ExaForce that demonstrates how the AWS CloudControl API, generally used for cloud management and automation, can be repurposed for offensive operations. It enumerates resources, brute-forces names, and creates persistence mechanisms through CloudControl-only policies. This makes it a valuable utility for red team operators testing detection coverage beyond traditional Identity and Access Management (IAM) vectors, and for defenders seeking to understand how attackers exploit under-monitored APIs.

Why it matters
Cloud management APIs are expanding rapidly to support automation and Infrastructure-as-Code workflows. As this surface grows, so does its attack potential. Many defenders still focus detection and monitoring primarily on IAM or CloudFormation events, leaving APIs like CloudControl under-instrumented. CloudConqueror shows how adversaries can abuse this gap to enumerate assets, escalate privileges, and persist through CloudControl-specific pathways, all while avoiding many standard logging and alerting mechanisms.
Key features
- Resource Listing — Enumerates AWS resources via cloudcontrol:ListResources and cloudcontrol:GetResource.
- Resource Name Bruteforce — Identifies hidden or unlisted resource names using CloudControl queries.
- Persistence Creation — Builds IAM users or roles with inline policies restricted to CloudControl operations, enabling stealthy persistence.
- Detection Testing — Lists CloudControl activity through CloudTrail to help defenders validate coverage.
Installation
CloudConqueror runs on Python 3 and includes a requirements.txt file for dependency management. You can install it locally or run it in Docker. The steps below are directly from the official repository.
# Clone and set up environment
git clone https://github.com/ExaForce/CloudConqueror.git
cd CloudConqueror
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Alternatively, build and run via Docker:
docker build -t cloudconqueror .
docker run --rm -it cloudconqueror
Usage
The following --help output is taken verbatim from the repository and illustrates its supported commands and parameters:
---------------------------------------------------------------------------------
[CloudConqueror ASCII-art banner]
---------------------------------------------------------------------------------
by gl4ssesbo1 @ Exaforce
---------------------------------------------------------------------------------
usage: CloudConqueror.py [-h] {LISTRESOURCES,BRUTEFORCERESOURCES,IAMPERSISTENCE,CHECKUSAGE} ...

CloudConqueror

positional arguments:
  {LISTRESOURCES,BRUTEFORCERESOURCES,IAMPERSISTENCE,CHECKUSAGE}
    LISTRESOURCES        Enumerate AWS resources via cloudcontrol:ListResources and GetResource
    BRUTEFORCERESOURCES  Brute-force AWS resource names through CloudControl
    IAMPERSISTENCE       Create IAM persistence paths limited to CloudControl API
    CHECKUSAGE           Scan CloudTrail for evidence of CloudControl activity

options:
  -h, --help             Show this help message and exit
Example attack scenario
Objective: Simulate a privilege escalation or persistence scenario in an AWS environment where CloudControl is accessible but under-monitored.
- Initial foothold: Operator obtains developer credentials with CloudControl read permissions.
- Discovery: Run LISTRESOURCES to enumerate all accessible resource types and identify misconfigured objects.
- Enumeration: Use BRUTEFORCERESOURCES to reveal unlisted resource names that may contain sensitive policies or roles.
- Persistence: Deploy IAMPERSISTENCE to create an IAM user or role whose actions are limited to CloudControl, effectively bypassing conventional IAM restrictions.
- Detection validation: Execute CHECKUSAGE to audit CloudTrail events and verify whether any detection rules trigger.
Disclaimer: Perform these steps only in authorized test environments. Never run offensive tooling on production cloud accounts.
Defensive guidance
Cloud defenders should treat CloudControl activity as a first-class data source. Key defensive strategies include:
- Monitor for anomalous spikes in cloudcontrol:GetResource or cloudcontrol:ListResources API calls across accounts.
- Alert on IAM principals or policies that restrict actions exclusively to CloudControl, as these may indicate persistence testing or compromise.
- Correlate CloudTrail events with IAM CreateRole or CreatePolicy operations for end-to-end mapping of persistence chains.
- Introduce CloudControl API allow-listing for authorized automation tools and enforce MFA for human users.
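The first two strategies above can be turned into simple detection checks. The following is an added example written for this article, not code from the CloudConqueror repository: it counts CloudControl read calls per principal over constructed CloudTrail records and flags inline policies whose Allow statements grant nothing but cloudcontrol actions. The eventSource value and the sample events and policies are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: CloudTrail records CloudControl API calls under this eventSource.
CLOUDCONTROL_SOURCE = "cloudcontrolapi.amazonaws.com"
READ_EVENTS = {"GetResource", "ListResources"}

# Constructed sample CloudTrail records (not real telemetry).
ALICE = "arn:aws:iam::111122223333:user/dev-alice"
CI_ROLE = "arn:aws:iam::111122223333:role/ci-deployer"
SAMPLE_EVENTS = (
    [{"eventSource": CLOUDCONTROL_SOURCE, "eventName": "ListResources",
      "userIdentity": {"arn": ALICE}}] * 3
    + [{"eventSource": CLOUDCONTROL_SOURCE, "eventName": "GetResource",
        "userIdentity": {"arn": ALICE}}] * 5
    + [{"eventSource": CLOUDCONTROL_SOURCE, "eventName": "GetResource",
        "userIdentity": {"arn": CI_ROLE}},
       # Non-CloudControl event: must be ignored by the read-call counter.
       {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"arn": ALICE}}]
)

def count_read_calls(events):
    """Count cloudcontrol GetResource/ListResources calls per principal ARN."""
    counts = Counter()
    for ev in events:
        if ev.get("eventSource") == CLOUDCONTROL_SOURCE and ev.get("eventName") in READ_EVENTS:
            counts[ev["userIdentity"]["arn"]] += 1
    return counts

def flag_spikes(events, threshold):
    """Return principals whose CloudControl read volume exceeds the threshold."""
    return sorted(arn for arn, n in count_read_calls(events).items() if n > threshold)

def _as_list(value):
    # IAM policy JSON allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def is_cloudcontrol_only(policy_doc):
    """True when every Allow statement grants only cloudcontrol:* actions."""
    statements = _as_list(policy_doc.get("Statement", []))
    allow_actions = [a for s in statements if s.get("Effect") == "Allow"
                     for a in _as_list(s.get("Action", []))]
    return bool(allow_actions) and all(a.lower().startswith("cloudcontrol:") for a in allow_actions)

# Constructed inline policies: the first has the CloudControl-only shape the article describes.
PERSISTENCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudcontrol:*"], "Resource": "*"}]}
NORMAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "cloudcontrol:GetResource"], "Resource": "*"}]}

if __name__ == "__main__":
    print("spiking principals:", flag_spikes(SAMPLE_EVENTS, 5))
    print("cloudcontrol-only:", is_cloudcontrol_only(PERSISTENCE_POLICY), is_cloudcontrol_only(NORMAL_POLICY))
```

In a real pipeline the events would come from CloudTrail Lake or an S3 trail export and the threshold would be tuned per account against a baseline of known automation principals.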
How it compares to other tools
Unlike general-purpose reconnaissance tools such as PyRIT, which focus on broad cloud attack surface mapping, CloudConqueror specifically targets the AWS CloudControl API. Its focus on a single management interface makes it ideal for testing privilege persistence paths that traditional recon tools often overlook. For deeper detection engineering coverage, pairing it with CFRipper allows teams to identify CloudFormation template misconfigurations that could lead to similar persistence opportunities.
Conclusion
CloudConqueror bridges the gap between academic research on API misuse and practical cloud exploitation techniques. For red teams, it enables controlled privilege escalation and persistence testing through lesser-known AWS APIs. For defenders, it highlights where monitoring and least-privilege policies often fail. As with all powerful utilities, use it responsibly and only with written authorization.
You can read more or download CloudConqueror here: https://github.com/ExaForce/CloudConqueror