
# Amazon Web Services (AWS)

### External

* Look for open S3 buckets. You might be able to exfiltrate a large amount of information and/or identify credentials.
  * We are primarily looking for AWS Access Keys and Secret Keys (regex patterns for these are available online).
  * We can sometimes access the AWS Metadata using an SSRF vulnerability
* Regular application vulnerabilities - SSRF, outdated software, etc.
* Scour GitHub to identify artifacts related to AWS accounts such as ARNs (Amazon Resource Names)

### Initial Access

1. Use the `get-session-token` command to ensure that if the permanent credentials are deleted/disabled, there will still be access to the environment.
2. Run the `list-user-policies`, `list-attached-user-policies`, and `list-groups-for-user` commands to see what permissions are attached.
3. Look at CloudTrail logs to identify if there is anything interesting.
   1. In some instances you may observe that the user you have access to has run the `AssumeRole` command to obtain another role (privilege escalation).

### AWS Cognito Misconfigurations

* If AWS Cognito is misconfigured and allows a new user to sign up, an attacker can log in and obtain a temporary AWS token for authenticated identities.

### Internal

* After compromising a user's account you can use a script such as `enumerate-iam.py` to brute-force the permissions available to the account.
* We can also check for quick privilege escalation opportunities using Rhino Security Labs' `aws_escalate.py` script.
* We need to enumerate the buckets that we have read access to. We can sync their contents and review them locally.
* We can use the Security Token Service API to enumerate what user we are running under.
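The Initial Access and Internal steps above leave a recognisable trail in CloudTrail management events. As an added example (not part of the original page), this sliding-window check flags a principal and source IP that make several of those STS/IAM calls, or accumulate access-denied errors the way permission brute-forcing does. The records, account ID, user names, IPs and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail (eventSource, eventName) pairs produced by the checks this page lists.
STS, IAM = "sts.amazonaws.com", "iam.amazonaws.com"
RECON_CALLS = {(STS, "GetSessionToken"), (STS, "GetCallerIdentity"), (IAM, "ListUserPolicies"),
               (IAM, "ListAttachedUserPolicies"), (IAM, "ListGroupsForUser")}
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

def ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_recon(records, window=timedelta(minutes=10), min_recon=3, min_denied=5):
    """Flag (principal ARN, source IP) pairs that, inside one sliding window,
    make several distinct recon calls or pile up access-denied errors."""
    by_actor = defaultdict(list)
    for r in records:
        key = (r.get("userIdentity", {}).get("arn", "unknown"), r.get("sourceIPAddress", "unknown"))
        by_actor[key].append(r)
    findings = []
    for (arn, ip), events in sorted(by_actor.items()):
        events.sort(key=ts)
        start = 0
        for end in range(len(events)):
            while ts(events[end]) - ts(events[start]) > window:
                start += 1  # drop events that fell out of the window
            win = events[start:end + 1]
            recon = sorted({e["eventName"] for e in win
                            if (e["eventSource"], e["eventName"]) in RECON_CALLS})
            denied = sum(e.get("errorCode") in DENIED for e in win)
            if len(recon) >= min_recon or denied >= min_denied:
                findings.append({"arn": arn, "ip": ip, "recon": recon, "denied": denied})
                break  # one finding per actor is enough to open a ticket
    return findings

def ev(time, source, name, user, ip, error=None):
    # Constructed record holding only the CloudTrail fields the detector reads.
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    return {**rec, "errorCode": error} if error else rec

# Constructed sample: account ID, user names and IPs are placeholders.
NAMES = ["GetSessionToken", "ListUserPolicies", "ListAttachedUserPolicies", "ListGroupsForUser"]
SAMPLE = (
    [ev(f"2024-01-01T10:0{i}:00Z", IAM if i else STS, n, "alice", "203.0.113.10") for i, n in enumerate(NAMES)]
    + [ev(f"2024-01-01T11:00:0{i}Z", IAM, "ListRoles", "bob", "198.51.100.7", "AccessDenied") for i in range(6)]
    + [ev("2024-01-01T09:00:00Z", STS, "GetCallerIdentity", "ci-deploy", "192.0.2.5"),
       ev("2024-01-01T09:00:05Z", "s3.amazonaws.com", "PutObject", "ci-deploy", "192.0.2.5")]
)
```

Calling `find_recon(SAMPLE)` reports the `alice` and `bob` actors and leaves the single `GetCallerIdentity` from `ci-deploy` alone; tune the window and thresholds against your own baseline before alerting on it.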

