aws
aws-cli is Amazon’s official command-line tool for interacting with AWS services. Unlike most automation tools, it can resolve both S3 API and website endpoints, allowing object enumeration in scenarios where API listing is blocked but website listings are exposed.
Usage
$ aws configure --profile cloudgoat
AWS Access Key ID [None]: AKIAVUZR3DVG2LOEV4S2
AWS Secret Access Key [None]: Ew...<REDACTED>...zn
Default region name [None]: us-east-1
Default output format [None]: json
# If output opens in a pager, add this to ~/.zshrc
$ export AWS_PAGER=""

# Whoami of AWS
aws sts get-caller-identity --profile cloudgoat
# A more detailed whoami
aws iam get-user --profile iam_enum
# List groups memberships
aws iam list-groups-for-user --user-name [user-name]
# List IAM users
aws iam list-users
# List attached managed policies
aws iam list-attached-user-policies --user-name [user-name]
# List inline policies
aws iam list-user-policies --user-name [user-name]
# List inline policy details
aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]

Each IAM user can have at most two access keys. If a user has only one, a second key can be created as a backdoor into that user.

# List the user's access keys
aws iam list-access-keys --profile iam_enum

# List all groups
aws iam list-groups --profile iam_enum
# List group members
aws iam get-group --group-name introduction-to-aws-iam-enumeration-1757146849172-Developers --profile iam_enum
# List group policies
aws iam list-attached-group-policies --group-name [group-name]
# List inline group policy details
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]

AWS roles are similar to users but have no long-term credentials. Instead, temporary credentials are obtained by assuming the role, and they expire after a defined period of time.
# List all roles
aws iam list-roles | grep -i "rolename"
# Details about a specific role
aws iam list-roles --query "Roles[?RoleName=='SupportRole']" --profile iam_enum
# List role details (trust policy)
aws iam get-role --role-name [role-name]
# List attached policies
aws iam list-attached-role-policies --role-name [role-name]
# List inline policies
aws iam list-role-policies --role-name [role-name]
# List inline role policy details
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]

# Get a managed policy document (by ARN or name)
aws iam get-policy --policy-arn [policy-arn]
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
# Dump all IAM permissions (users, roles, groups, policies). This can be used to build a full IAM permissions map. --filter can be added to target roles/users/groups specifically
aws iam get-account-authorization-details
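The IAM commands above produce JSON that is tedious to read by hand once an account has more than a handful of principals. The following script is an added example for this section (it is not part of the original cheat sheet): it parses output in the shape of `aws iam get-account-authorization-details` and `aws iam list-access-keys` and reports the findings a reviewer looks for first, wildcard `*:*` grants, roles anyone can assume, and users carrying two active access keys (the pattern described in the access-key note above). The sample data at the bottom is constructed so the script runs offline; the file names and the `ADMIN`-style wording are assumptions, not AWS identifiers.

```python
"""Audit IAM enumeration output for high-risk findings (added example, not from the cheat sheet).

Run on real output:
    aws iam get-account-authorization-details > auth.json
    aws iam list-access-keys --user-name <user-name> > keys.json
    python iam_audit.py auth.json keys.json
Without arguments it runs on the constructed samples below.
"""
import json
import sys


def as_list(value):
    """Statement, Action, Resource and Principal.AWS may be a scalar or a list in IAM JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_document(doc):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Action")) and "*" in as_list(stmt.get("Resource")):
            return True
    return False


def trust_policy_is_open(doc):
    """True if the role's trust policy lets any AWS principal call sts:AssumeRole."""
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in as_list(principal.get("AWS")):
            return True
    return False


def audit_authorization_details(details):
    """Walk users, roles and customer-managed policies; return findings as strings."""
    findings = []
    for user in details.get("UserDetailList", []):
        for pol in user.get("UserPolicyList", []):  # inline user policies
            if is_admin_document(pol["PolicyDocument"]):
                findings.append(f"user {user['UserName']}: inline policy {pol['PolicyName']} grants *:*")
    for role in details.get("RoleDetailList", []):
        if trust_policy_is_open(role.get("AssumeRolePolicyDocument", {})):
            findings.append(f"role {role['RoleName']}: trust policy allows any AWS principal")
        for pol in role.get("RolePolicyList", []):  # inline role policies
            if is_admin_document(pol["PolicyDocument"]):
                findings.append(f"role {role['RoleName']}: inline policy {pol['PolicyName']} grants *:*")
    for pol in details.get("Policies", []):  # managed policies: only the default version is in force
        for ver in pol.get("PolicyVersionList", []):
            if ver.get("IsDefaultVersion") and is_admin_document(ver["Document"]):
                findings.append(f"managed policy {pol['PolicyName']}: default version {ver['VersionId']} grants *:*")
    return findings


def users_with_two_active_keys(list_access_keys):
    """A user holds at most two access keys. Two Active keys on one user is the
    pattern the note above describes (a second key added as a backdoor) and is
    worth checking: compare the CreateDate values and confirm who created the newer key."""
    active = {}
    for meta in list_access_keys.get("AccessKeyMetadata", []):
        if meta.get("Status") == "Active":
            active[meta["UserName"]] = active.get(meta["UserName"], 0) + 1
    return sorted(user for user, count in active.items() if count == 2)


# Constructed sample output (same shape as the two CLI calls; all values are made up)
SAMPLE_AUTH = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "alice-inline", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
        {"UserName": "bob", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
    "RoleDetailList": [
        {"RoleName": "SupportRole", "RolePolicyList": [], "AttachedManagedPolicies": [],
         "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}},
    ],
    "Policies": [
        {"PolicyName": "LegacyAdmin", "Arn": "arn:aws:iam::123456789012:policy/LegacyAdmin",
         "PolicyVersionList": [
             {"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}},
             {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}}]},
    ],
}
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": "2024-01-10T09:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": "2025-05-01T13:00:00+00:00"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real files produced by the CLI
        with open(sys.argv[1]) as f_auth, open(sys.argv[2]) as f_keys:
            auth, keys = json.load(f_auth), json.load(f_keys)
    else:
        auth, keys = SAMPLE_AUTH, SAMPLE_KEYS
    for line in audit_authorization_details(auth):
        print("[!]", line)
    for user in users_with_two_active_keys(keys):
        print("[!] user", user, "has two active access keys")
```

Attached managed policies are only listed by name in `UserDetailList`/`RoleDetailList`; their documents live under `Policies`, which is why the script inspects the default version there instead of trying to resolve each attachment. Extending the check to `NotAction`/`NotResource` statements and to `iam:PassRole` grants is the natural next step.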
# Enable tab autocompletion
echo -e '\nexport PATH=/usr/local/bin/:$PATH\nautoload bashcompinit && bashcompinit\nautoload -Uz compinit && compinit\ncomplete -C "/usr/local/bin/aws_completer" aws' >> ~/.zshrc

# List all buckets in the authenticated AWS account
aws s3 ls
# List all buckets from a custom endpoint
aws s3 ls --endpoint=http://s3.thetoppers.htb
# Check if a bucket exists (no authentication required)
aws s3 ls s3://[bucket-name] --no-sign-request
# List the target bucket's content from a custom endpoint
aws s3 ls s3://thetoppers.htb --endpoint=http://s3.thetoppers.htb
# List the contents of a public or accessible bucket (optionally specify a path)
aws s3 ls s3://[bucket-name]/[optional-path] --no-sign-request --recursive
# Download an object from a public or accessible bucket
aws s3 cp s3://[bucket-name]/[key] [local-file] --no-sign-request
# Upload a file to test write access (only works if bucket allows writes)
aws s3 cp test.txt s3://[bucket-name]/test.txt
# Upload a file
aws s3 cp shell.php s3://thetoppers.htb --endpoint=http://s3.thetoppers.htb
# Enumerate bucket permissions
# Get the bucket policy (authenticated)
aws s3api get-bucket-policy --bucket [bucket-name]
# Get the bucket Access Control List (ACL) (authenticated)
aws s3api get-bucket-acl --bucket [bucket-name]
# Get the Public Access Block settings (authenticated)
aws s3api get-bucket-public-access-block --bucket [bucket-name]
# Get the CORS configuration (may provide hints for XSS or other client-side issues)
aws s3api get-bucket-cors --bucket [bucket-name]
# List all buckets in the account
aws s3api list-buckets
# List objects in a specific bucket (output formatted as a table)
aws s3api list-objects --bucket [bucket-name] --output table

# ------------------------------------------------------------
# 1. List EC2 Instances in a Region
# ------------------------------------------------------------
aws ec2 describe-instances --region [region]
# Cleaner output with JMESPath (Instance ID, Public IP, State, KeyName, IAM role ARN)
aws ec2 describe-instances \
--query "Reservations[].Instances[].[InstanceId,PublicIpAddress,State.Name,KeyName,IamInstanceProfile.Arn]"
# ------------------------------------------------------------
# 2. Get Detailed Info on a Specific Instance
# ------------------------------------------------------------
aws ec2 describe-instances --instance-ids [i-xxxxxxxxxxxxxxx]
# ------------------------------------------------------------
# 3. Identify IAM Role Attached to the Instance
# ------------------------------------------------------------
# Get the IAM Instance Profile ARN
aws ec2 describe-instances \
--query "Reservations[].Instances[].IamInstanceProfile.Arn"
# Then get details on the instance profile
aws iam get-instance-profile --instance-profile-name [name]
# ------------------------------------------------------------
# 4. List Security Groups
# ------------------------------------------------------------
aws ec2 describe-security-groups
# Check for overly permissive inbound rules
aws ec2 describe-security-groups \
--query "SecurityGroups[].IpPermissions[].{From:FromPort,To:ToPort,CIDR:IpRanges[].CidrIp}"
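The JMESPath query above flattens the rules but leaves the actual judgement to the reader. The script below is an added example for this step (not part of the original cheat sheet): it parses JSON in the shape of `aws ec2 describe-security-groups` output and reports every ingress rule reachable from `0.0.0.0/0` or `::/0`, expanding `IpProtocol "-1"` (all traffic) to the full port range so that "all traffic from anywhere" is not missed just because it carries no `FromPort`/`ToPort`. The `ADMIN_PORTS` list and the sample security groups are constructed assumptions.

```python
"""Find security-group ingress rules open to the whole Internet (added example, not from the cheat sheet).

Run on real output:
    aws ec2 describe-security-groups > sgs.json && python sg_audit.py sgs.json
Without arguments it runs on the constructed sample below.
"""
import json
import sys

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports that should essentially never be world-reachable (assumption: tune to your own baseline).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def port_range(perm):
    """IpProtocol "-1" means all traffic and carries no FromPort/ToPort, so treat it as 0-65535.
    ICMP rules use -1 for type/code; the resulting (-1, -1) range matches no admin port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_ingress(describe_output):
    """One finding per (group, rule, world CIDR); IPv4 and IPv6 ranges are both checked."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue
                low, high = port_range(perm)
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                    "Protocol": perm.get("IpProtocol"), "From": low, "To": high, "Cidr": cidr,
                    "AdminPorts": sorted(p for p in ADMIN_PORTS if low <= p <= high),
                })
    return findings


# Constructed sample (shape of describe-security-groups output; IDs and CIDRs are made up)
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa111", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb222", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc333", "GroupName": "db-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            data = json.load(f)
    else:
        data = SAMPLE_SGS
    for hit in world_open_ingress(data):
        proto = "all" if hit["Protocol"] == "-1" else hit["Protocol"]
        flag = " ADMIN PORT" if hit["AdminPorts"] else ""
        print(f"{hit['GroupId']} ({hit['GroupName']}): {proto} {hit['From']}-{hit['To']} from {hit['Cidr']}{flag}")
```

A world-open 80/443 on a web group is expected; the findings to act on are the ones flagged with admin ports, and the `-1` rule, which opens every port and protocol. Rules referencing other security groups (`UserIdGroupPairs`) or prefix lists are deliberately left out because they are not Internet exposure.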
# ------------------------------------------------------------
# 5. Describe Network Interfaces
# ------------------------------------------------------------
aws ec2 describe-network-interfaces
# Shows public/private IPs, subnet info, VPC IDs, attachments, etc.
# ------------------------------------------------------------
# 6. List AMIs (Amazon Machine Images) Owned by You
# ------------------------------------------------------------
aws ec2 describe-images --owners self
# Useful for spotting custom AMIs with secrets or sensitive software
# ------------------------------------------------------------
# 7. Check EBS Volumes and Snapshots
# ------------------------------------------------------------
aws ec2 describe-volumes
# Look for unencrypted or large/attached volumes
# Snapshot enumeration (potentially sensitive data)
aws ec2 describe-snapshots --owner-ids self
# ------------------------------------------------------------
# 8. Enumerate Key Pairs
# ------------------------------------------------------------
aws ec2 describe-key-pairs
# Only shows key pair names (private keys cannot be retrieved)
# ------------------------------------------------------------
# 9. Describe Regions & Availability Zones
# ------------------------------------------------------------
aws ec2 describe-regions
aws ec2 describe-availability-zones

# ------------------------------------------------------------
# 1. List All Lambda Functions in a Region
# ------------------------------------------------------------
aws lambda list-functions --region [region]
# ------------------------------------------------------------
# 2. Get Detailed Info on a Function
# ------------------------------------------------------------
# 2a. Get full function configuration (IAM role, runtime, env vars, etc.)
aws lambda get-function-configuration --function-name [function-name]
# 2b. Get code download URL + deployment details
# (returns a pre-signed S3 URL to download the function code)
aws lambda get-function --function-name [function-name]
# ------------------------------------------------------------
# 3. Check Invocation Access
# ------------------------------------------------------------
# Retrieve the resource-based policy of the function
# (Look for "Principal": "*" or cross-account permissions)
aws lambda get-policy --function-name [function-name]
# ------------------------------------------------------------
# 4. Identify Triggers / Event Sources
# ------------------------------------------------------------
# 4a. For async event sources like SQS, DynamoDB, Kinesis
aws lambda list-event-source-mappings --function-name [function-name]
# 4b. For function URLs (direct HTTP endpoints)
# (If AuthType is NONE, it may be publicly invokable)
aws lambda get-function-url-config --function-name [function-name]
# ------------------------------------------------------------
# 5. Invoke the Function (if you have invoke permissions)
# ------------------------------------------------------------
# Basic invocation (output saved to output.json)
aws lambda invoke --function-name [function-name] output.json
# Invoke with a JSON payload
aws lambda invoke --function-name [function-name] \
--payload '{"key": "value"}' output.json
# ------------------------------------------------------------
# 6. Investigate Attached IAM Role
# ------------------------------------------------------------
# First get the role name from "get-function-configuration"
# Then enumerate details and policies attached to the role:
# Get IAM role details
aws iam get-role --role-name [role-name]
# List managed policies attached to the role
aws iam list-attached-role-policies --role-name [role-name]
# List inline policies inside the role
aws iam list-role-policies --role-name [role-name]
# ------------------------------------------------------------
# 7. Modify or Replace the Function (if authorized)
# ------------------------------------------------------------
# Update function code with a local zip package
aws lambda update-function-code \
--function-name [function-name] \
--zip-file fileb://payload.zip
# Update function configuration (e.g., environment variables)
aws lambda update-function-configuration \
--function-name [function-name] \
--environment "Variables={VAR=value}"
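Both the S3 permission checks (`get-bucket-policy`, `get-bucket-public-access-block`) and the Lambda checks above (`get-policy`, `get-function-url-config`) come down to the same question: does a resource-based policy or URL setting expose the resource to anyone. The script below is an added example serving both sections (not part of the original cheat sheet). It decodes the `Policy` field, which both `s3api get-bucket-policy` and `lambda get-policy` return as a JSON string rather than an object, looks for wildcard principals, honours `RestrictPublicBuckets`, and reports function URLs with `AuthType` `NONE`. The bucket name, function ARN and URL in the samples are constructed.

```python
"""Flag publicly reachable S3 buckets and Lambda functions from CLI output (added example, not from the cheat sheet)."""
import json


def as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def public_statements(policy_field):
    """get-bucket-policy and lambda get-policy both return the document as a JSON *string*
    under "Policy", so decode it first. Returns Allow statements with a wildcard principal and
    no Condition: a Condition (aws:SourceArn, aws:SourceVpce, ...) usually scopes the grant and
    needs manual review rather than an automatic flag."""
    doc = json.loads(policy_field)
    hits = []
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))
        if wildcard and not stmt.get("Condition"):
            hits.append(stmt)
    return hits


def bucket_is_public(get_bucket_policy, public_access_block):
    """A public bucket policy only takes effect while RestrictPublicBuckets is off.
    get-bucket-public-access-block fails with NoSuchPublicAccessBlockConfiguration when
    nothing is configured; pass None in that case (treated as no block)."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if pab.get("RestrictPublicBuckets"):
        return False
    return bool(public_statements(get_bucket_policy["Policy"]))


def lambda_exposure(get_policy, url_config):
    """get-policy and get-function-url-config both fail with ResourceNotFoundException when
    nothing is configured; pass None for those. A function URL with AuthType NONE is reachable
    without AWS credentials, so it is reported even though its backing policy statement
    carries a lambda:FunctionUrlAuthType Condition that public_statements() skips."""
    findings = []
    if get_policy:
        for stmt in public_statements(get_policy["Policy"]):
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                            f"{stmt.get('Action')} for any principal")
    if url_config and url_config.get("AuthType") == "NONE":
        findings.append(f"function URL {url_config['FunctionUrl']} has AuthType NONE")
    return findings


# Constructed samples in the shape of the four CLI outputs (names, ARNs and URL are made up)
SAMPLE_BUCKET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})}
SAMPLE_PAB_OFF = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
SAMPLE_PAB_ON = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_LAMBDA_POLICY = {"RevisionId": "00000000-0000-0000-0000-000000000000",
                        "Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
                            {"Sid": "AllowAnyInvoke", "Effect": "Allow", "Principal": "*",
                             "Action": "lambda:InvokeFunction",
                             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-fn"}]})}
SAMPLE_URL_CONFIG = {"FunctionUrl": "https://exampleurlid.lambda-url.us-east-1.on.aws/",
                     "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example-fn",
                     "AuthType": "NONE", "CreationTime": "2025-01-01T00:00:00Z"}

if __name__ == "__main__":
    print("example-bucket public (block off):", bucket_is_public(SAMPLE_BUCKET_POLICY, SAMPLE_PAB_OFF))
    print("example-bucket public (block on): ", bucket_is_public(SAMPLE_BUCKET_POLICY, SAMPLE_PAB_ON))
    for line in lambda_exposure(SAMPLE_LAMBDA_POLICY, SAMPLE_URL_CONFIG):
        print("[!] example-fn:", line)
```

Fixes follow directly from the findings: enable all four Public Access Block settings on the bucket (`aws s3api put-public-access-block`), replace `"Principal": "*"` in the function policy with the specific account or service that needs to invoke it, and switch the function URL to `AuthType AWS_IAM` unless the endpoint is meant to be anonymous.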