killchain-compendium/Enumeration/AWS.md

# AWS S3 Enumeration

## Usage

* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
    * `--region`
### Simple Storage Service (S3)
* [S3](https://aws.amazon.com/s3/)
* Methods of access control are as follows
    * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
    * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)

* Scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```

* __List content of public bucket via__
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
* Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```

#### ACL
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key

## IAM
* Not necessarily used by s3
* Access key ID, starts with `AKIA` + 20 chars
* Secret access key
* Session token, `ASIA` + sessionToken

* Add credentials to profile via
```sh
aws configure --profile PROFILENAME
```
* Config and credentials is stored at `~/.aws`
* Sanity test profile via
```sh
aws s3 ls --profile PROFILENAME
```
* Find account ID to an access key
```sh
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
* Find username to an access key
```sh
aws sts get-caller-identity --profile PROFILENAME
```
* Listing EC2 instances of an account
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* aws ec2 describe-instances --output text --profile PROFILENAME
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
    * In another region
```sh
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```

### AWS ARN
* Unique ID is create via the following scheme
```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
```

### Secrets

```sh
aws secretsmanager help
aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
```
restructured enumeration 2022-11-13 01:16:26 +01:00			`# AWS S3 Enumeration`

			`## Usage`

			`* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)`
			* `--region`
			`### Simple Storage Service (S3)`
			`* [S3](https://aws.amazon.com/s3/)`
			`* Methods of access control are as follows`
			`* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)`
			`* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)`

			`* Scheme is`
			```sh
			`http://<bucketname>.s3.amazonaws.com/file.name`
			```
			`or`
			```sh
			`http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext`
			```

			`* __List content of public bucket via__`
			```sh
			`aws s3 ls s3://<bucketname>/ --no-sign-request`
			```
			* Download via `curl`, `wget` or `s3` cli via
			```sh
			`aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request`
			```

			`#### ACL`
			* `Anyone`, just `curl`
			* `AuthenticatedUsers`, `s3` cli with aws key

			`## IAM`
			`* Not necessarily used by s3`
			* Access key ID, starts with `AKIA` + 20 chars
			`* Secret access key`
			* Session token, `ASIA` + sessionToken

			`* Add credentials to profile via`
			```sh
			`aws configure --profile PROFILENAME`
			```
			* Config and credentials is stored at `~/.aws`
			`* Sanity test profile via`
			```sh
			`aws s3 ls --profile PROFILENAME`
			```
			`* Find account ID to an access key`
			```sh
			`aws sts get-access-key-info --access-key-id AKIAEXAMPLE`
			```
			`* Find username to an access key`
			```sh
			`aws sts get-caller-identity --profile PROFILENAME`
			```
			`* Listing EC2 instances of an account`
			```sh
			`aws ec2 describe-instances --output text --profile PROFILENAME`
			```
			`* aws ec2 describe-instances --output text --profile PROFILENAME`
			```sh
			`aws ec2 describe-instances --output text --profile PROFILENAME`
			```
			`* In another region`
			```sh
			`aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME`
			```

			`### AWS ARN`
			`* Unique ID is create via the following scheme`
			```sh
			`arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>`
			```

			`### Secrets`

			```sh
			`aws secretsmanager help`
			`aws secretsmanager list-secrets`
			`ws secretsmanager get-secret-value --secret-id <Name> --region <region>`
			```