added info to aws and did some linting

Enumeration/AWS.md

@@ -1,21 +1,34 @@
 # AWS S3 Enumeration
 
-## Usage
+## Regions
 
-* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
-    * `--region`
+[A list of services by region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) is maintained by AWS
+There are global and regional services.
 
-### Simple Storage Service (S3)
-* [S3](https://aws.amazon.com/s3/)
-* Methods of access control are as follows
-    * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
-    * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
+Watch out for the global and regional __Security Token Service__ (STS) which
+provides temporary access to third party identities, since regional STS are
+also valid in other regions. Global STS are only valid in default regions.
+
+In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region`
+
+## Simple Storage Service (S3)
+
+[S3](https://aws.amazon.com/s3/) is an object storage without volume limits.
+The names of buckets are unique and the namespace of buckets is global but they
+are stored regionally.
+
+ Methods of access control are as follows
+1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
+2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
+
+The aws cli scheme is
 
-* Scheme is
 ```sh
 http://<bucketname>.s3.amazonaws.com/file.name
 ```
+
 or
+
 ```sh
 http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
 ```
@@ -24,55 +37,107 @@ http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
 ```sh
 aws s3 ls s3://<bucketname>/ --no-sign-request
 ```
-* Download via `curl`, `wget` or `s3` cli via
+
+Download via `curl`, `wget` or `s3` cli via
+
 ```sh
 aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
 ```
 
-#### ACL
+### ACL
+
+If the ACL is set to
 
 * `Anyone`, just `curl`
 * `AuthenticatedUsers`, `s3` cli with aws key
 
 ## IAM
 
-* Not necessarily used by s3
-* Access key ID, starts with `AKIA` + 20 chars
-* Secret access key
-* Session token, `ASIA` + sessionToken
+Permissions are granted directly through user accounts or indirectly through
+roles the user has joined.
+![users and groups](./include/iam-intro-users-and-groups.diagram.png)
+
+Gaining access to important roles like maintenance opens the door to higher permissions.
+An always unique AWS Account ID has a length of 12 digits.
+
+The IAM is not necessarily used by S3. AK/SK is sufficient for authentication
+and authorization.
+
+* Access key ID, starts with `AKIA` + 20 chars
+* Secret access key (SK)
+* Session token, `ASIA` + sessionToken
+* AWS Organizations control accounts who joined
+* Third party identity providers are supported
+* IAM identity center of an organization allows provision of accounts from third parties through the AWS SSO
+
+### Root Accounts
+
+Every AWS account has a single root account bound to an email address. This
+account has got the all privileges over the account. A root account has MFA
+disabled by default.
+
+The account is susceptible to an attack if the mail address is accessible but
+MFA is not activated.
+
+If the MFA is not set, it is an opportunity for a password reset attack when
+the account the vulnerable root belongs to is part of an AWS Organization.
+
+### User Policies
+
+After authentication of a user (or principal) policies of the account are
+checked if the request is allowed.
+Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
+The following graph is taken from the documentation, it shows the evaluation
+logic inside an account
+![policy evaluation](./include/PolicyEvaluationHorizontal111621.pnhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-login.htmlg)
+
+Policies like `assume-role` and `switch-role` can lead to the gain of roles
+with higher permissions
+
+### User Provisioning
+
+When using the cli command, the aws configuration and credentials are stored at `~/.aws`
+
+Add credentials to profile via
 
-* Add credentials to profile via
 ```sh
 aws configure --profile PROFILENAME
 ```
-* Config and credentials is stored at `~/.aws`
-* Sanity test profile via
+
+Sanity test a profile through checking its existance via
+
 ```sh
 aws s3 ls --profile PROFILENAME
 ```
-* Find account ID to an access key
+
+Find account ID to an access key
+
 ```sh
 aws sts get-access-key-info --access-key-id AKIAEXAMPLE
 ```
-* Find username to an access key
+
+Find username to an access key
+
 ```sh
 aws sts get-caller-identity --profile PROFILENAME
 ```
-* Listing EC2 instances of an account
+
+Listing EC2 instances of an account
+
 ```sh
 aws ec2 describe-instances --output text --profile PROFILENAME
 ```
-* aws ec2 describe-instances --output text --profile PROFILENAME
-```sh
-aws ec2 describe-instances --output text --profile PROFILENAME
-```
-    * In another region
+
+In another region
+
 ```sh
 aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
 ```
 
 ### AWS ARN
-* Unique ID is create via the following scheme
+
+Unique ID is create through the following scheme
+
 ```sh
 arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
 ```
@@ -87,8 +152,8 @@ ws secretsmanager get-secret-value --secret-id <Name> --region <region>
 
 ## Check Permissions on S3 Bucket
 
-* Do a `PUT` method to see if the bucket may be writeable to upload a file via
+Do a `PUT` method to see if the bucket may be writeable to upload a file via
+
 ```sh
 curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
 ```
-