| IAM Enumeration |
IAM, Discovery |
Use the AWS CLI to enumerate IAM users, roles and groups. |
| Basic S3 Enumeration |
S3, Discovery |
Pivot from publicly hosted S3 backed website to IAM access keys |
| Discover AWS account ID from S3 bucket |
S3, Discovery, s3-account-search |
Use S3:ResourceAccount and s3-account-search to locate an AWS account ID using a S3 bucket |
| Utilise Public EBS Snapshots |
EBS, Credential theft, Discovery |
Enumerate and use publicly accessible EBS snapshots |
| Unauthenticated IAM principal enumeration - IAM role trust policy |
IAM, Discovery, pacu |
Enumerate IAM principals via IAM role trust policies |
| Unauthenticated IAM principal enumeration - S3 and Lambda |
S3, IAM, Lambda, Discovery |
Enumerate IAM principals via S3 and Lambda |
| Uncover credentials with TruffleHog |
Discovery, Credential Access, Trufflehog |
Utilise TruffleHog to find credentials in source code |
| AWS Enumerator and SecretsManager for credential access |
Discovery, aws-enumerator, SecretsManager, cloudshell |
Utilise aws-enumerator, SecretsManager and CloudShell to enumerate users and compromise credentials |
| IAM policy rollback for Privilege Escalation |
IAM, Privilege Escalation |
Utilise the iam:SetDefaultPolicyVersion permission for privilege escalation |