AWS Pentesting

Post Exploitation

This is a good place to start if you've got credentials.

Set credentials for AWS CLI

Add the credentials to ~/.aws/credentials. It should look something like this:

aws_session_token=AQoDYXdzEJr...<remainder of security token>

Make sure to set the proper region as well in ~/.aws/config, which you can get using this command on the compromised instance:


An alternative with wget:

wget -O - -q

It should look something like this (the region will obviously vary):

region = us-east-2


Set the keys

This will import the keys stored under the default profile in ~/.aws/credentials:

import_keys default

Set the region

This will set the region to us-east-2:

set_regions us-east-2

Verify credentials


List modules


Run module

This will run a module to enumerate permissions the current account has:

run iam__enum_permissions
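
Detecting this from the defender's side

The steps above leave a recognisable trail in CloudTrail: an EC2 instance-role session (the session name in the caller ARN is the instance ID) making calls from an address the instance does not own, typically with a burst of IAM read calls. The following is an added example, not code from the original page or from any tool it uses. The sample records, the instance IP inventory and the threshold are constructed, and it assumes permission enumeration shows up as IAM Get*/List* events.

```python
import re

# Constructed inventory: instance ID -> addresses that instance calls AWS from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"10.0.1.25", "203.0.113.10"}}
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/web-role/"  # constructed
SESSION_RE = re.compile(r"assumed-role/[^/]+/(i-[0-9a-f]{8}(?:[0-9a-f]{9})?)$")

def record(name, src, source="iam.amazonaws.com", error=None,
           session="i-0123456789abcdef0"):
    """Build a constructed CloudTrail record with only the fields used below."""
    rec = {"eventSource": source, "eventName": name, "sourceIPAddress": src,
           "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + session}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [  # constructed, not real log data
    record("PutObject", "203.0.113.10", source="s3.amazonaws.com"),  # on-host use
    record("GetCallerIdentity", "198.51.100.77", source="sts.amazonaws.com"),
    record("GetUser", "198.51.100.77", error="AccessDenied"),
    record("ListAttachedRolePolicies", "198.51.100.77"),
    record("ListRolePolicies", "198.51.100.77"),
    record("GetRolePolicy", "198.51.100.77"),
    record("ListUsers", "198.51.100.77", session="deploy-session"),  # not an instance
]

def instance_session(rec):
    """Return the instance ID when the caller is an EC2 instance-role session."""
    ident = rec.get("userIdentity", {})
    m = SESSION_RE.search(ident.get("arn", ""))
    return m.group(1) if ident.get("type") == "AssumedRole" and m else None

def offhost_use(events, instance_ips, iam_read_threshold=3):
    """Group instance-role calls made from addresses the instance does not own."""
    findings = {}
    for rec in events:
        iid, src = instance_session(rec), rec.get("sourceIPAddress", "")
        # Calls an AWS service makes carry a service name here, not an address.
        if iid is None or src.endswith(".amazonaws.com") or src in instance_ips.get(iid, ()):
            continue
        f = findings.setdefault((iid, src), {"calls": 0, "iam_reads": 0, "denied": 0})
        f["calls"] += 1
        if (rec.get("eventSource") == "iam.amazonaws.com"
                and rec.get("eventName", "").startswith(("Get", "List"))):
            f["iam_reads"] += 1
        if rec.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            f["denied"] += 1
    for f in findings.values():
        f["iam_enumeration"] = f["iam_reads"] >= iam_read_threshold
    return findings
```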