1. Search for Credentials - Services

To find and extract credentials from cloud services, attackers and penetration testers typically look in the following locations across AWS, Azure, and GCP.


🛠 AWS - Where Credentials Can Be Found

| Service | Credential Type | Location | Extraction Method |
|---|---|---|---|
| EC2 Metadata API | Temporary IAM Credentials | `http://169.254.169.254/latest/meta-data/iam/security-credentials/` | `curl` or `wget` from a compromised instance |
| AWS Systems Manager (SSM) Parameter Store | API Keys, Secrets | Stored parameters | `aws ssm get-parameter` with IAM permissions |
| AWS Secrets Manager | Passwords, Tokens | AWS Console & CLI | `aws secretsmanager get-secret-value` |
| S3 Buckets | Embedded Secrets in Code | Public/private S3 files | Search for hardcoded secrets |
| Lambda Environment Variables | API Keys, Credentials | AWS Lambda env variables | `aws lambda get-function-configuration` |
| ECS Task Definitions | IAM Role, API Keys | ECS Task JSON | `aws ecs describe-task-definition` |
| Docker Images (ECR) | Hardcoded Secrets | Private/Public ECR | `docker pull` and analyze layers |
| IAM Policies & Roles | Overprivileged Roles | AWS IAM | `aws iam list-attached-policies` |
| CloudTrail Logs | Leaked API Calls | AWS CloudTrail | Search for `aws_access_key_id` |
| CodeCommit Repositories | Hardcoded API Keys | Git repositories | `git clone` & `grep` sensitive data |
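
The Lambda and ECS rows above, turned into a defender's audit (an added example, not part of the original page): it takes the parsed JSON output of `aws lambda get-function-configuration` and `aws ecs describe-task-definition` and flags plaintext environment variables that look like credentials. The name heuristic, function names and sample data are assumptions constructed for illustration.

```python
import re

# Access key IDs: AKIA = long-term, ASIA = temporary (STS) credentials.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Variable names that usually hold a credential (heuristic list, an assumption).
SECRET_NAME = re.compile(r"(?i)(passw(?:or)?d|secret|token|api_?key|private_?key)")


def _check(source, name, value):
    """Return a finding tuple if a plaintext variable looks like a credential."""
    if ACCESS_KEY_ID.search(value):
        return (source, name, "value matches AWS access key ID format")
    if SECRET_NAME.search(name) and value:
        return (source, name, "secret-like name with plaintext value")
    return None


def audit_lambda_config(cfg):
    """cfg: parsed JSON from `aws lambda get-function-configuration`."""
    variables = cfg.get("Environment", {}).get("Variables", {})
    src = "lambda:" + cfg.get("FunctionName", "?")
    return [f for n, v in variables.items() if (f := _check(src, n, v))]


def audit_task_definition(td):
    """td: the `taskDefinition` object from `aws ecs describe-task-definition`."""
    findings = []
    for c in td.get("containerDefinitions", []):
        src = "ecs:%s/%s" % (td.get("family", "?"), c.get("name", "?"))
        # `environment` is stored in plaintext in the task definition JSON;
        # `secrets` entries only hold a `valueFrom` reference, so they are skipped.
        for env in c.get("environment", []):
            if (f := _check(src, env["name"], env.get("value", ""))):
                findings.append(f)
    return findings


# Constructed sample inputs (the key ID is the placeholder used in AWS documentation).
SAMPLE_LAMBDA = {"FunctionName": "billing-export", "Environment": {"Variables": {
    "LOG_LEVEL": "info", "DB_PASSWORD": "hunter2", "UPSTREAM": "AKIAIOSFODNN7EXAMPLE"}}}
SAMPLE_TASK = {"family": "web", "containerDefinitions": [{
    "name": "app",
    "environment": [{"name": "API_TOKEN", "value": "abc123"}, {"name": "PORT", "value": "8080"}],
    "secrets": [{"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-pass"}]}]}

if __name__ == "__main__":
    for finding in audit_lambda_config(SAMPLE_LAMBDA) + audit_task_definition(SAMPLE_TASK):
        print(finding)
```

Each finding is a variable to move into Secrets Manager or Parameter Store and reference through `secrets`/`valueFrom` instead of a plaintext value.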

🛠 Azure - Where Credentials Can Be Found

| Service | Credential Type | Location | Extraction Method |
|---|---|---|---|
| Azure Instance Metadata API | Temporary IAM Tokens | `http://169.254.169.254/metadata/identity/oauth2/token` | `curl` or `wget` |
| Azure Key Vault | API Keys, Secrets | Vault stored secrets | `az keyvault secret show` |
| Azure Managed Identity | Temporary Access Tokens | Metadata API | `curl` to fetch tokens |
| Azure DevOps Repositories | Hardcoded API Keys | DevOps Repos | `git grep` for secrets |
| Blob Storage | Config Files with Secrets | `*.json` or `*.config` | `az storage blob download` |
| App Service Environment Variables | API Keys | App Configurations | `az webapp config appsettings list` |
| Azure Automation Accounts | Runbook Variables | PowerShell stored credentials | `az automation variable list` |
| Azure Functions | Hardcoded Secrets | Environment Variables | `az functionapp config appsettings list` |
| Log Analytics (Azure Monitor) | Sensitive Log Data | Diagnostic Logs | Query logs for exposed keys |

🛠 GCP - Where Credentials Can Be Found

| Service | Credential Type | Location | Extraction Method |
|---|---|---|---|
| GCP Metadata API | Service Account Tokens | `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token` | `curl` |
| Cloud Storage (GCS) | Embedded Secrets in Files | `.json`, `.config` files | `gsutil ls -R gs://BUCKET_NAME` |
| Cloud IAM Roles | Overprivileged IAM Users | IAM Console | `gcloud iam roles list` |
| Secret Manager | API Keys, Passwords | GCP Secret Store | `gcloud secrets versions access latest` |
| GKE Kubernetes Configs | K8s Secrets & Tokens | Kubernetes YAML | `kubectl get secrets` |
| Cloud Build Logs | Leaked API Keys | Cloud Build Logs | Search logs for secrets |
| App Engine Environment Variables | Hardcoded Credentials | GCP App Engine Config | `gcloud app describe` |
| Cloud Functions | Environment Secrets | GCP Function Variables | `gcloud functions describe` |
| Firestore Database | Unsecured Access Keys | Firebase Database Rules | Check for publicly accessible data |