AWS Enumeration

Intermediate · 40 min · Writeup

Enumerating AWS environments for attack opportunities

Learning Objectives

  • Enumerate S3 buckets
  • Find exposed resources
  • Use AWS CLI for enumeration
  • Enumerate IAM permissions

AWS enumeration is the process of discovering what resources, permissions, and attack surfaces exist in an AWS environment. Think of it like casing a building before a heist - you need to know where the doors are, which ones are locked, and what's inside. In AWS, enumeration helps you understand the blast radius of compromised credentials.

Enumeration can be done with no credentials (finding public resources), with limited credentials (understanding what you can access), or from outside (discovering an organization's AWS footprint). Each approach reveals different information and attack opportunities.

Enumeration vs Exploitation

Enumeration is about discovery and mapping. You're not exploiting anything yet - you're building a picture of the environment. Good enumeration often reveals misconfigurations that are immediately exploitable.

Unauthenticated Enumeration

```bash
# Finding Public AWS Resources (No Credentials Needed)

# S3 Bucket Discovery
# ─────────────────────────────────────────────────────────────────────
# Common bucket naming patterns:
# company-name, company-backup, company-dev, company-prod
# company.com-assets, company-internal, company-logs

# Check if bucket exists (returns 200, 403, or 404)
curl -I https://company-backup.s3.amazonaws.com
# 403 = exists but no access
# 404 = doesn't exist
# 200 = public access!

# List public bucket contents
aws s3 ls s3://company-backup --no-sign-request

# Download from public bucket
aws s3 cp s3://company-backup/sensitive.txt . --no-sign-request

# Tools for S3 enumeration
# S3Scanner
python3 s3scanner.py -l bucket-names.txt

# Bucket Finder
bucket_finder.rb --wordlist wordlist.txt company

# CloudBrute
cloudbrute -d company.com -k company -m storage


# DNS Enumeration for AWS Resources
# ─────────────────────────────────────────────────────────────────────
# AWS services have predictable DNS patterns

# Check for AWS-hosted services
dig company.com ANY
dig _amazonses.company.com TXT    # SES verification
dig _dmarc.company.com TXT        # Email security

# Common AWS CNAME patterns to look for:
#   *.s3.amazonaws.com              S3
#   *.s3-website-*.amazonaws.com    S3 website
#   *.cloudfront.net                CloudFront
#   *.elb.amazonaws.com             Elastic Load Balancer
#   *.elasticbeanstalk.com          Elastic Beanstalk
#   *.execute-api.*.amazonaws.com   API Gateway
#   *.awsapps.com                   WorkMail, WorkDocs

# Subdomain enumeration
subfinder -d company.com | grep aws
amass enum -d company.com | grep -iE 'amazon|aws'   # -E so the | alternation works
```
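The CNAME patterns listed above are the basis for a quick inventory of which of your hostnames are pointed at AWS. The script below is an added example, not part of the original writeup: it parses the answer section of `dig` output (a constructed sample with made-up hostnames) and maps each CNAME target to the AWS service it belongs to, so an organisation can cross-check its DNS against its known AWS footprint.

```python
import re

# Regexes mirror the CNAME shapes listed in the cheat sheet above. The S3
# website pattern must be tested before the plain S3 one, which would also match it.
AWS_CNAME_PATTERNS = [
    (r"\.s3-website[-.][a-z0-9-]+\.amazonaws\.com$", "S3 static website"),
    (r"\.s3(?:[-.][a-z0-9-]+)?\.amazonaws\.com$", "S3"),
    (r"\.cloudfront\.net$", "CloudFront"),
    (r"\.elb\.amazonaws\.com$", "Elastic Load Balancer"),
    (r"\.elasticbeanstalk\.com$", "Elastic Beanstalk"),
    (r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$", "API Gateway"),
    (r"\.awsapps\.com$", "WorkMail / WorkDocs"),
]

def classify_target(target: str):
    """Return the AWS service a CNAME target belongs to, or None if it is not AWS."""
    t = target.rstrip(".").lower()
    for pattern, service in AWS_CNAME_PATTERNS:
        if re.search(pattern, t):
            return service
    return None

def parse_dig_answers(text: str):
    """Parse 'host. TTL IN CNAME target.' answer lines as printed by dig."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "CNAME":
            records.append((parts[0].rstrip("."), parts[4].rstrip(".")))
    return records

def aws_hosted_assets(dig_text: str):
    """Map every hostname whose CNAME target is an AWS service to that service."""
    return {host: svc for host, tgt in parse_dig_answers(dig_text)
            if (svc := classify_target(tgt))}

# Constructed sample answer section (hostnames and targets are made up)
SAMPLE_DIG = """\
assets.example.com.   300 IN CNAME d111111abcdef8.cloudfront.net.
www.example.com.      300 IN CNAME www.example.com.s3-website-us-east-1.amazonaws.com.
api.example.com.      300 IN CNAME abc123.execute-api.us-east-1.amazonaws.com.
app.example.com.      300 IN CNAME myapp-env.eu-west-1.elasticbeanstalk.com.
lb.example.com.       300 IN CNAME my-lb-123.us-east-1.elb.amazonaws.com.
mail.example.com.     300 IN CNAME example.awsapps.com.
blog.example.com.     300 IN CNAME hosting.example.net.
"""

if __name__ == "__main__":
    for host, service in aws_hosted_assets(SAMPLE_DIG).items():
        print(f"{host:22} -> {service}")
```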
```bash
# Finding Exposed AWS Services

# GitHub Dorks for AWS Credentials
# ─────────────────────────────────────────────────────────────────────
# Search GitHub for exposed AWS keys (search queries, not shell commands):
#   "AKIA" company                      # Access key prefix
#   "aws_access_key_id" company
#   "aws_secret_access_key" company
#   filename:.env AWS_ACCESS
#   filename:credentials aws_access_key_id
#   extension:tf aws_access_key         # Terraform files

# Automated credential scanning
trufflehog git https://github.com/company/repo
gitleaks detect -s /path/to/repo   # -s/--source is the repo path (-r is the report path)

# Check if found keys are valid
aws sts get-caller-identity
# Success = valid credentials!


# Google Dorks for AWS Resources
# ─────────────────────────────────────────────────────────────────────
#   site:s3.amazonaws.com "company"
#   site:s3.amazonaws.com "index of"
#   site:s3.amazonaws.com filetype:sql
#   site:s3.amazonaws.com filetype:bak
#   site:elasticbeanstalk.com "company"


# Shodan/Censys for AWS IP Ranges
# ─────────────────────────────────────────────────────────────────────
# Find AWS-hosted services
shodan search "org:Amazon.com" company
shodan search "ssl.cert.subject.cn:company.com" port:443

# AWS IP ranges are public
curl https://ip-ranges.amazonaws.com/ip-ranges.json
```

Authenticated Enumeration

```bash
# AWS CLI Setup and Identity
# ─────────────────────────────────────────────────────────────────────
# Configure credentials
aws configure
# Or use environment variables:
export AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export AWS_SESSION_TOKEN=xxxxxxxx   # If using temporary credentials
export AWS_DEFAULT_REGION=us-east-1

# Verify your identity
aws sts get-caller-identity
# {
#     "UserId": "AIDAXXXXXXXXXXXXXXXXX",
#     "Account": "123456789012",
#     "Arn": "arn:aws:iam::123456789012:user/compromised-user"
# }

# Get account information
aws sts get-access-key-info --access-key-id AKIAXXXXXXXXXXXXXXXX


# IAM Enumeration (If you have iam:* permissions)
# ─────────────────────────────────────────────────────────────────────
# List users
aws iam list-users

# Get user details
aws iam get-user --user-name admin

# List groups
aws iam list-groups

# List roles (important for privilege escalation!)
aws iam list-roles

# List policies
aws iam list-policies --scope Local

# Get your own permissions
aws iam list-attached-user-policies --user-name YOUR_USER
aws iam list-user-policies --user-name YOUR_USER

# Get group memberships
aws iam list-groups-for-user --user-name YOUR_USER

# For each group, list policies:
aws iam list-attached-group-policies --group-name GROUP_NAME
```
```bash
# Enumerate What You Can Access

# EC2 Enumeration
# ─────────────────────────────────────────────────────────────────────
# List all instances
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress,PrivateIpAddress,Tags[?Key==`Name`].Value|[0]]' --output table

# Get security groups
aws ec2 describe-security-groups

# Find instances with public IPs
aws ec2 describe-instances --filters "Name=ip-address,Values=*" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text

# List key pairs (you can't get private keys)
aws ec2 describe-key-pairs

# List snapshots (may contain sensitive data!)
aws ec2 describe-snapshots --owner-ids self


# S3 Enumeration
# ─────────────────────────────────────────────────────────────────────
# List all buckets
aws s3 ls

# List bucket contents
aws s3 ls s3://bucket-name --recursive

# Check bucket policy
aws s3api get-bucket-policy --bucket bucket-name

# Check bucket ACL
aws s3api get-bucket-acl --bucket bucket-name

# Check if bucket allows public access
aws s3api get-public-access-block --bucket bucket-name


# Lambda Enumeration
# ─────────────────────────────────────────────────────────────────────
# List functions
aws lambda list-functions

# Get function details (includes environment variables!)
aws lambda get-function --function-name FUNCTION_NAME

# Get function configuration
aws lambda get-function-configuration --function-name FUNCTION_NAME

# List versions
aws lambda list-versions-by-function --function-name FUNCTION_NAME
```

Enumerate Everything

When you have credentials, enumerate all services systematically. The permissions may allow unexpected access. An "s3 read-only" user might also have EC2 describe permissions you didn't expect.

Service-Specific Enumeration

```bash
# RDS (Databases)
# ─────────────────────────────────────────────────────────────────────
aws rds describe-db-instances
aws rds describe-db-snapshots   # May be public!
aws rds describe-db-cluster-snapshots

# Check for public snapshots
aws rds describe-db-snapshots --snapshot-type public


# Secrets Manager / Parameter Store
# ─────────────────────────────────────────────────────────────────────
# List secrets (often contains credentials!)
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id SECRET_NAME

# Systems Manager Parameter Store
aws ssm describe-parameters
aws ssm get-parameters --names PARAM_NAME --with-decryption


# DynamoDB
# ─────────────────────────────────────────────────────────────────────
aws dynamodb list-tables
aws dynamodb describe-table --table-name TABLE_NAME
aws dynamodb scan --table-name TABLE_NAME   # Dump all data


# SQS / SNS
# ─────────────────────────────────────────────────────────────────────
aws sqs list-queues
aws sqs get-queue-attributes --queue-url URL --attribute-names All

aws sns list-topics
aws sns list-subscriptions


# CloudFormation (Infrastructure as Code)
# ─────────────────────────────────────────────────────────────────────
aws cloudformation list-stacks
aws cloudformation describe-stacks
aws cloudformation get-template --stack-name STACK_NAME
# Templates often contain hardcoded secrets!


# ECS / EKS (Containers)
# ─────────────────────────────────────────────────────────────────────
aws ecs list-clusters
aws ecs describe-clusters --clusters CLUSTER_ARN
aws ecs list-tasks --cluster CLUSTER_ARN

aws eks list-clusters
aws eks describe-cluster --name CLUSTER_NAME


# API Gateway
# ─────────────────────────────────────────────────────────────────────
aws apigateway get-rest-apis
aws apigateway get-resources --rest-api-id API_ID
aws apigateway get-stages --rest-api-id API_ID
```

Permission Enumeration

```bash
# Understanding Your Permissions

# Manual Permission Testing
# ─────────────────────────────────────────────────────────────────────
# Try common operations and see what works
aws s3 ls                                  # S3 list
aws ec2 describe-instances                 # EC2 read
aws iam list-users                         # IAM read
aws iam create-user --user-name test       # IAM write (will fail if no perms)

# IAM simulation (if you have iam:SimulatePrincipalPolicy)
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/compromised --action-names s3:GetObject s3:PutObject ec2:RunInstances


# Automated Permission Enumeration with enumerate-iam
# ─────────────────────────────────────────────────────────────────────
# enumerate-iam.py brute forces API calls
python enumerate-iam.py --access-key AKIA... --secret-key xxx

# Output shows which services/actions are accessible


# Pacu - AWS Exploitation Framework
# ─────────────────────────────────────────────────────────────────────
# Install
pip install pacu

# Start Pacu
pacu

# Commands below are typed at the Pacu prompt (shown as ">")
# Import credentials
> import_keys compromised
# Enter access key and secret

# Enumerate permissions
> run iam__enum_permissions

# Enumerate everything
> run all_enum

# Check for privilege escalation paths
> run iam__privesc_scan


# Prowler - Security Assessment
# ─────────────────────────────────────────────────────────────────────
# Run security assessment
prowler aws

# Specific checks
prowler aws --checks s3_bucket_public_access
prowler aws --severity critical high

# Output formats
prowler aws -M csv json-asff
```
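The "Get your own permissions" commands in the IAM section return policy documents, and `simulate-principal-policy` evaluates them server-side; when that call itself is denied, the same evaluation can be approximated locally. The block below is an added example, not part of the original writeup or of any tool it mentions: it applies IAM's identity-policy ordering (explicit Deny wins, then Allow, else implicit deny) with wildcard action and resource matching, and reports statements that carry a Condition as "conditional" because no request context is available. The sample policy documents are constructed.

```python
import fnmatch

def _as_list(v):
    """IAM fields may hold a single string/object or a list."""
    return [] if v is None else ([v] if isinstance(v, (str, dict)) else list(v))

def _matches(patterns, value, fold_case=False):
    pats = _as_list(patterns)
    if fold_case:   # action names are case-insensitive in IAM
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def statement_applies(st, action, resource):
    """Does the statement cover this action/resource pair? (Conditions ignored here.)"""
    act_ok = (not _matches(st["NotAction"], action, True) if "NotAction" in st
              else _matches(st.get("Action"), action, True))
    res_ok = (not _matches(st["NotResource"], resource) if "NotResource" in st
              else _matches(st.get("Resource", "*"), resource))
    return act_ok and res_ok

def evaluate(policy_docs, action, resource="*"):
    """Explicit Deny beats Allow, which beats the implicit deny. Statements with
    a Condition are reported as 'conditional': no request context is available."""
    flags = {"deny": False, "cond_deny": False, "allow": False, "cond_allow": False}
    for doc in policy_docs:
        for st in _as_list(doc.get("Statement")):
            if statement_applies(st, action, resource):
                key = "deny" if st.get("Effect") == "Deny" else "allow"
                flags[("cond_" if st.get("Condition") else "") + key] = True
    if flags["deny"]:
        return "explicitDeny"
    if flags["cond_deny"] or (flags["cond_allow"] and not flags["allow"]):
        return "conditional"
    return "allowed" if flags["allow"] else "implicitDeny"

def simulate(policy_docs, actions, resource="*"):
    """Local stand-in for `aws iam simulate-principal-policy --action-names ...`."""
    return {a: evaluate(policy_docs, a, resource) for a in actions}

# Constructed sample documents for one principal, in the shape returned by
# get-policy-version / get-user-policy / get-group-policy (not real policies)
SAMPLE_POLICIES = [
    {"Statement": [   # managed policy attached to the user
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    {"Statement": {   # inline user policy: a single statement object, not a list
        "Effect": "Deny", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::company-internal/*"}},
    {"Statement": [   # group policy whose Allow depends on request context
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
]
```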

Permission Errors Are Information

Access Denied errors tell you the permission exists but you don't have it. No error + empty result might mean no resources exist. Track all responses - they map out the security boundaries.

Account-Level Enumeration

```bash
# Account and Organization Enumeration

# Get account alias (if set)
aws iam list-account-aliases

# Check organization membership
aws organizations describe-organization

# List accounts in org (if you have perms)
aws organizations list-accounts

# Get organization root
aws organizations list-roots


# CloudTrail Configuration (are you being logged?)
# ─────────────────────────────────────────────────────────────────────
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name TRAIL_NAME

# Check if logging is actually enabled
aws cloudtrail get-event-selectors --trail-name TRAIL_NAME


# Cost Explorer (account spending info)
# ─────────────────────────────────────────────────────────────────────
aws ce get-cost-and-usage --time-period Start=2024-01-01,End=2024-01-31 --granularity MONTHLY --metrics "BlendedCost"


# Config (compliance and resource inventory)
# ─────────────────────────────────────────────────────────────────────
aws configservice describe-configuration-recorders
aws configservice describe-delivery-channels

# Get all discovered resources
aws configservice list-discovered-resources --resource-type AWS::S3::Bucket


# Service Quotas (understand scale)
# ─────────────────────────────────────────────────────────────────────
aws service-quotas list-services
aws service-quotas list-service-quotas --service-code ec2
```

Enumeration Tools

```bash
# AWS Enumeration Tool Summary

# ScoutSuite - Multi-cloud security auditing
# ─────────────────────────────────────────────────────────────────────
pip install scoutsuite
scout aws -r us-east-1
# Generates HTML report with findings


# CloudMapper - AWS visualization
# ─────────────────────────────────────────────────────────────────────
git clone https://github.com/duo-labs/cloudmapper
cd cloudmapper
pip install -r requirements.txt

cloudmapper configure
cloudmapper collect --account my_account
cloudmapper prepare --account my_account
cloudmapper webserver   # Visual network diagram


# enumerate-iam - Permission brute forcing
# ─────────────────────────────────────────────────────────────────────
git clone https://github.com/andresriancho/enumerate-iam
python enumerate-iam.py --access-key AKIA... --secret-key xxx


# WeirdAAL - AWS Attack Library
# ─────────────────────────────────────────────────────────────────────
git clone https://github.com/carnal0wnage/weirdAAL
# Comprehensive AWS enumeration and attack modules


# Pacu - AWS Exploitation Framework
# ─────────────────────────────────────────────────────────────────────
pip install pacu
pacu
# At the Pacu prompt (shown as ">"):
> help   # List modules
> run iam__enum_permissions
> run ec2__enum
> run s3__enum


# Cloud_enum - Multi-cloud enumeration (unauthenticated)
# ─────────────────────────────────────────────────────────────────────
git clone https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k company -k prod


# S3Scanner - S3 bucket enumeration
# ─────────────────────────────────────────────────────────────────────
pip install s3scanner
s3scanner -l buckets.txt
```

AWS Enumeration Methodology

Systematic AWS Enumeration

  1. External Reconnaissance: Find AWS resources from outside (S3 buckets via DNS/brute force, subdomains on AWS, GitHub credential leaks, Shodan for AWS IPs).
  2. Validate Credentials: If you have credentials, run sts get-caller-identity. Understand what identity you have (user/role/assumed role).
  3. Permission Discovery: Use enumerate-iam or Pacu to brute force permissions. Document what API calls succeed vs fail.
  4. Service Enumeration: Enumerate each accessible service (EC2, S3, Lambda, RDS, IAM). Look for public resources and sensitive data.
  5. Privilege Escalation Paths: Check IAM permissions for privesc (iam:PassRole, lambda:CreateFunction, policy modification permissions).
  6. Data Discovery: Search for secrets in Lambda env vars, Secrets Manager, Parameter Store, S3 buckets, CloudFormation templates.

Knowledge Check

Quick Quiz
Question 1 of 3

How can you list S3 bucket contents without any AWS credentials?

Challenges

AWS Enumeration Checklist

Challenge · 🔥 intermediate

Create a comprehensive AWS enumeration checklist with CLI commands for each service. Include commands for: identity verification, IAM, EC2, S3, Lambda, RDS, Secrets Manager, and CloudFormation.


Key Takeaways

  • Enumeration maps the attack surface - do it thoroughly before exploitation
  • Public S3 buckets can be accessed with --no-sign-request flag
  • sts get-caller-identity is your first command with any credentials
  • Tools like Pacu, ScoutSuite, and enumerate-iam automate enumeration
  • Check Secrets Manager, Parameter Store, Lambda env vars for credentials
  • Access Denied errors still provide information about permission boundaries