Enumeration
Check Metadata From EC2
TOKEN = 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"'
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Identify the AWS Account ID from Access Keys
aws sts get-access-key-info --access-key-id=AKIA...
Identify the AWS Account ID from Public S3 Bucket
Note: The AWS account ID needs to have the role with the Enumerate S3 privileges
s3-account-search arn:aws:iam::[accountID]:role/[roleName] [bucketName]
Identify the AWS Account ID from EC2 Metadata
TOKEN = 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"'
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
Get Username from an Access Key ID
Note: Needs access key inside same account
aws iam get-access-key-last-used --access-key-id AKIA...
Get Public Snapshots with Account ID
aws ec2 describe-snapshots --owner-ids [AccountID] --query "Snapshots[*].[SnapshotId, VolumeId, StartTime]" --output table
Enumerate Snapshot Permissions
aws ec2 describe-snapshot-attribute --attribute createVolumePermission --snapshot-id [snapshotId] --region [region]
Enumerate a Snapshot Details
aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all --no-paginate --region [region]
CloudFox Enumeration
Password Spraying
./GoAWSConsoleSpray -a [AccountID] -u users.txt -p passwords.txt