AWS S3 Enumeration

Usage

Simple Storage Service (S3)

http://<bucketname>.s3.amazonaws.com/file.name

or

http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
  • List the contents of a public bucket via
aws s3 ls s3://<bucketname>/ --no-sign-request
  • Download via curl, wget or the s3 CLI via
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request

ACL

  • Anyone, just curl
  • AuthenticatedUsers, s3 cli with aws key
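
Added example (not part of the original cheat sheet): a bucket owner can audit for the two ACL cases above by checking the JSON that `aws s3api get-bucket-acl` returns for grants to the AllUsers and AuthenticatedUsers groups. The sample ACL is constructed, and the function name and severity labels are assumptions made for this example.

```python
import json

# Predefined S3 grantee groups matching the two ACL cases above.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Permissions that allow changing objects or the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl_json):
    """Return one finding per grant to the AllUsers or AuthenticatedUsers group."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = RISKY_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # canonical users and other groups such as LogDelivery
        perm = grant.get("Permission", "")
        # Severity labels are an assumption of this example, not an AWS field.
        severity = "critical" if perm in WRITE_PERMS else "high"
        findings.append({"audience": audience, "permission": perm, "severity": severity})
    return findings


# Constructed sample in the shape `aws s3api get-bucket-acl` returns.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding["severity"], finding["audience"], finding["permission"])
```

For a real bucket, pass the output of `aws s3api get-bucket-acl --bucket <bucketname>` to `audit_acl`. Bucket policies and Block Public Access settings are evaluated separately and are not covered by this check.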

IAM

  • Not necessarily used by s3

  • Access key ID, starts with AKIA + 20 chars

  • Secret access key

  • Session token, ASIA + sessionToken

  • Add credentials to profile via

aws configure --profile PROFILENAME
  • Config and credentials are stored in ~/.aws
  • Sanity test profile via
aws s3 ls --profile PROFILENAME
  • Find the account ID that an access key belongs to
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
  • Find the username that an access key belongs to
aws sts get-caller-identity --profile PROFILENAME
  • Listing EC2 instances of an account
aws ec2 describe-instances --output text --profile PROFILENAME
  • In another region
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME

AWS ARN

  • A unique ID is created via the following scheme
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>

Secrets

aws secretsmanager help
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id <Name> --region <region>