1. Search for Credentials - Services
To find and extract credentials from cloud services, attackers and penetration testers typically look in the following locations across AWS, Azure, and GCP.
🛠 AWS - Where Credentials Can Be Found
| Service |
Credential Type |
Location |
Extraction Method |
| EC2 Metadata API |
Temporary IAM Credentials |
http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
curl or wget from a compromised instance |
| AWS Systems Manager (SSM) Parameter Store |
API Keys, Secrets |
Stored parameters |
aws ssm get-parameter with IAM permissions |
| AWS Secrets Manager |
Passwords, Tokens |
AWS Console & CLI |
aws secretsmanager get-secret-value |
| S3 Buckets |
Embedded Secrets in Code |
Public/private S3 files |
Search for hardcoded secrets |
| Lambda Environment Variables |
API Keys, Credentials |
AWS Lambda env variables |
aws lambda get-function-configuration |
| ECS Task Definitions |
IAM Role, API Keys |
ECS Task JSON |
aws ecs describe-task-definition |
| Docker Images (ECR) |
Hardcoded Secrets |
Private/Public ECR |
docker pull and analyze layers |
| IAM Policies & Roles |
Overprivileged Roles |
AWS IAM |
aws iam list-attached-policies
|
| CloudTrail Logs |
Leaked API Calls |
AWS CloudTrail |
Search for aws_access_key_id |
| CodeCommit Repositories |
Hardcoded API Keys |
Git repositories |
git clone & grep sensitive data |
|
|
|
|
🛠 Azure - Where Credentials Can Be Found
| Service |
Credential Type |
Location |
Extraction Method |
| Azure Instance Metadata API |
Temporary IAM Tokens |
http://169.254.169.254/metadata/identity/oauth2/token |
curl or wget |
| Azure Key Vault |
API Keys, Secrets |
Vault stored secrets |
az keyvault secret show |
| Azure Managed Identity |
Temporary Access Tokens |
Metadata API |
curl to fetch tokens |
| Azure DevOps Repositories |
Hardcoded API Keys |
DevOps Repos |
git grep for secrets |
| Blob Storage |
Config Files with Secrets |
*.json or *.config |
az storage blob download |
| App Service Environment Variables |
API Keys |
App Configurations |
az webapp config appsettings list |
| Azure Automation Accounts |
Runbook Variables |
PowerShell stored credentials |
az automation variable list |
| Azure Functions |
Hardcoded Secrets |
Environment Variables |
az functionapp config appsettings list |
| Log Analytics (Azure Monitor) |
Sensitive Log Data |
Diagnostic Logs |
Query logs for exposed keys |
🛠 GCP - Where Credentials Can Be Found
| Service |
Credential Type |
Location |
Extraction Method |
| GCP Metadata API |
Service Account Tokens |
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token |
curl |
| Cloud Storage (GCS) |
Embedded Secrets in Files |
.json, .config files |
gsutil ls -R gs://BUCKET_NAME |
| Cloud IAM Roles |
Overprivileged IAM Users |
IAM Console |
gcloud iam roles list |
| Secret Manager |
API Keys, Passwords |
GCP Secret Store |
gcloud secrets versions access latest |
| GKE Kubernetes Configs |
K8s Secrets & Tokens |
Kubernetes YAML |
kubectl get secrets |
| Cloud Build Logs |
Leaked API Keys |
Cloud Build Logs |
Search logs for secrets |
| App Engine Environment Variables |
Hardcoded Credentials |
GCP App Engine Config |
gcloud app describe |
| Cloud Functions |
Environment Secrets |
GCP Function Variables |
gcloud functions describe |
| Firestore Database |
Unsecured Access Keys |
Firebase Database Rules |
Check for publicly accessible data |
|
|
|
|