AWS

These get taught in flaws.cloud; I wanted to put them all together in one spot for myself and anyone else.

Determine the IP of the target:

dig +nocmd <url> any +multiline +noall +answer

See if the IP belongs to an “amazonaws.com” server (reverse lookup):

nslookup <IP>

Can anyone read the bucket contents? (aws-cli)

aws s3 ls s3://<url> --no-sign-request --region <region>

Can anyone read the bucket contents? (browser)

http://<url>.s3.amazonaws.com/

Configure current/new profile (aws-cli)

aws configure --profile <name>

Can we list the bucket directory with an AWS account? (aws-cli)

aws s3 --profile <name> ls s3://<url>

Can we download the bucket with an AWS account? (aws-cli)

aws s3 --profile <name> sync s3://<url> /path/to/save --region <region>

List all buckets for that profile, useful after obtaining the target's keys (aws-cli)

aws --profile <name> s3 ls

Obtain the account id of the profile (aws-cli)

aws --profile <name> sts get-caller-identity

Has this profile created any publicly readable snapshots? (aws-cli)

aws --profile <name> ec2 describe-snapshots --region <region>

Filter any publicly readable snapshots via the owner id (aws-cli)

aws --profile <name> ec2 describe-snapshots --owner-ids <id> --region <region>
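
The same bucket and snapshot checks run from the owner's side, as an added example that is not from flaws.cloud or the original page: it reads a bucket's ACL and the account's publicly restorable snapshots and reports which of the checks above would succeed. Function names are illustrative, and only ACL grants are inspected, so access granted through a bucket policy is not covered.

```shell
# Added example: owner-side audit for the exposures the cheat sheet probes.
# Function names are illustrative; the group URIs and CLI flags are AWS's own.
ALL_USERS='http://acs.amazonaws.com/groups/global/AllUsers'
AUTH_USERS='http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
TAB=$(printf '\t')

# Live query: group grants on a bucket ACL, one "URI<TAB>permission" per line.
bucket_grants() {  # $1=profile $2=bucket
  aws --profile "$1" s3api get-bucket-acl --bucket "$2" --output text \
    --query "Grants[?Grantee.Type=='Group'].[Grantee.URI,Permission]"
}

# Live query: this account's snapshots that any AWS account may restore.
public_snapshots() {  # $1=profile $2=region
  aws --profile "$1" ec2 describe-snapshots --owner-ids self \
    --restorable-by-user-ids all --region "$2" --output text \
    --query 'Snapshots[].[SnapshotId,Encrypted,StartTime]'
}

# Map each ACL grant to the cheat-sheet check it would let succeed.
classify_grants() {
  while IFS="$TAB" read -r uri perm; do
    case "$perm" in READ|FULL_CONTROL) ;; *) continue ;; esac
    case "$uri" in
      "$ALL_USERS")  echo "ANON_LIST $perm" ;;        # --no-sign-request works
      "$AUTH_USERS") echo "ANY_ACCOUNT_LIST $perm" ;; # any --profile works
    esac
  done
}

# Every snapshot line is a finding; blank lines and "None" are skipped.
flag_public_snapshots() {
  while IFS="$TAB" read -r id enc start; do
    case "$id" in snap-*) echo "PUBLIC_SNAPSHOT $id encrypted=$enc $start" ;; esac
  done
}

# Full audit. Returns 0 = clean, 1 = something exposed, 2 = a query failed.
audit() {  # $1=profile $2=bucket $3=region
  grants=$(bucket_grants "$1" "$2") || return 2
  snaps=$(public_snapshots "$1" "$3") || return 2
  findings=$(printf '%s\n' "$grants" | classify_grants
             printf '%s\n' "$snaps" | flag_public_snapshots)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"; return 1
}

# Offline demo on constructed input (not real AWS output).
printf '%s\t%s\n' "$ALL_USERS" READ "$AUTH_USERS" WRITE_ACP | classify_grants
```

For a live run, call audit <name> <bucket> <region> with a profile that owns the bucket; a return code of 2 means a query failed and the result is not a clean bill.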